Lec 11-12 Access Control

Subject vs Object.

Subject: users, systems, applications.

Objects: Data, devices.

Subject access object. Access control is process of controlling access from subjects to objects. Large organizations must ensure access control to avoid disclosure of information. Organization mus authenticate users, authorize and account for usage of assets.

Best practices

  • Least privilege
  • Implicit deny
  • Separation of duties
  • Job Rotation

Access Control Models


Mandatory Access Control. Least privileges with strict rules, share information based on need to know.


Discretionary Access Control, user as owner or having access to certain asset have freedom of decision to grant or revoke access to other users/applications.

Role Based Access Control

User is granted access to object if have required role. Roles are created first, and permissions are assigned to roles. Users are not assigned direct access to objects. In Role Based Access control we have:

Subject, Role, Permissions, Object, subject assignment, permission assignment.

Rule Based Access Control

Rule based access is not RBAC. Rule based access is combination of MAC and DAC. Like MAC, users can not change access control, but admin can. Access is granted based on rules defined by administrator, and stored in ACL.

Access Control Lists.

List of permissions/policies attached to an object.

Authentication Models

Single Factor

Something you know, or something you have.

Two Factor

1- Something you know and something have.

2- Something you know, someone you are.

Three Factor

something you know, something you have, and someone you are(biometric, thumb, facial scanning).

Single Sign on, SSO

Singing in one time with ticket granting system. Later, tickets are granted by ticket granting system to access other resources.

Google SSO after authentication allow access to enterprise cloud applications.

Kerberos is also single sing-on.

Authentication components and protocols

Radius and Tacacs+

Centralized authentication of subjects. Microsoft use RADIUS. Cisco user Tacacs+.

PAP, Password Authentication Protocol. Works like standard username and password authentication.

CHAP, Challenge Handshake Authentication protocol is more secure than PAP. Password does not travel over internet.

MS-CHAP, is microsoft version of CHAP.

VPN, Virtual private network.

Identification vs authentication

Identification is when user claims an identity. and Authentication is, when user proves his identity.

Physical acess security methods

  • Access Logs, Lists
  • Hardware Locks
  • ID Badges
  • Door access systems
  • Man Trap, two door method. After one door crossed by trespasser, use authentication mechanism, then open second door. If authentication failed, then intruder is trapped.
  • Videos surveillance

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s