ACCESS CONTROL TECHNIQUES
CONTROL TYPES
Controls apply to threat events
Preventative => avoid
Detective => identify
Deterrent => discourage
Corrective => fix
Recovery => restore
CONTROL CATEGORIES
- Physical preventative control
  - Badges and access cards
- Technical preventative control
  - Database views
  - Encryption
  - Antivirus software
- Administrative detective control
  - Logs, events, etc.
SECURITY LABELS
- Assign classification levels to objects
- A subject must hold a clearance at or above the classification level of an object to access it
- Security systems use labels in access tables or in runtime evaluation rules
DISCRETIONARY ACCESS CONTROLS
- Identity-based access control
- Owner specifies which subjects can access objects
- Most common access control in commercial systems
MANDATORY ACCESS CONTROLS
- Rule-based access control
- Each resource and user has a specific label
- Subject's security clearance is compared to object's security label
NONDISCRETIONARY ACCESS CONTROLS
- Role-based access control
- Access is granted based on user's job description
- Lattice-based access control
- Access is granted based on both subject's role and the task
- Common in environments with frequent personnel changes
ACCESS CONTROL LISTS
- Specific about which users can access which objects
- Subjects may be users, roles or groups
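
The label rule under SECURITY LABELS and the ACL notes above can be combined in one access decision. The sketch below is an added example, not part of the original notes: the level names, the Subject and Resource classes, the sample users and the choice to run the label check before the ACL check are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):            # constructed classification scale, low to high
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2

@dataclass(frozen=True)
class Subject:                   # hypothetical subject record
    user: str
    clearance: Level
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()

@dataclass
class Resource:                  # hypothetical labelled object
    label: Level
    owner: str
    acl: dict = field(default_factory=dict)   # (kind, name) -> set of operations

def grant(res, requester, principal, op):
    """Discretionary step: only the owner may add an ACL entry."""
    if requester.user != res.owner:
        raise PermissionError(f"{requester.user} does not own this object")
    res.acl.setdefault(principal, set()).add(op)

def check_access(subject, res, op):
    """Return (allowed, reason). Label check first, then ACL; default deny."""
    if subject.clearance < res.label:
        return False, "clearance below classification"
    principals = {("user", subject.user)}
    principals |= {("role", r) for r in subject.roles}
    principals |= {("group", g) for g in subject.groups}
    if not any(op in res.acl.get(p, ()) for p in principals):
        return False, "no matching ACL entry"
    return True, "label and ACL both permit"

# Constructed sample data
alice = Subject("alice", Level.SECRET, roles=frozenset({"analyst"}))
bob = Subject("bob", Level.CONFIDENTIAL, groups=frozenset({"finance"}))
carol = Subject("carol", Level.SECRET)
report = Resource(label=Level.SECRET, owner="alice")
grant(report, alice, ("role", "analyst"), "read")
grant(report, alice, ("group", "finance"), "read")

if __name__ == "__main__":
    for s in (alice, bob, carol):
        print(s.user, check_access(s, report, "read"))
```

bob is denied even though the owner granted his group read access, because his clearance is below the object's label; carol has the clearance but no ACL entry matches her.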