Which Statement About Rule-based Access Control Is True?



One of the key foundations of a comprehensive information technology security strategy is implementing an appropriate level of access control on all computer systems in an organization or enterprise. This chapter of Security+ Essentials provides an overview of the four types of access control that must be understood to achieve CompTIA Security+ certification:

  • Mandatory Access Control
  • Discretionary Access Control
  • Rule-Based Access Control
  • Role-Based Access Control

An Overview of Access Control

The term Access Control is somewhat ambiguous. To some it could be interpreted as controlling access to a system from an external source (for example, controlling the login process through which users gain access to a server or desktop system). Such control is actually referred to as Authentication or Identity Verification and is not what is meant by Access Control in this context (authentication is covered in detail in the Authentication and Identity Verification chapter of this book).

The term Access Control actually refers to control over access to system resources after a user's account credentials and identity have been authenticated and access to the system has been granted. For example, a particular user, or group of users, might only be permitted access to certain files after logging into a system, while simultaneously being denied access to all other resources.


Mandatory Access Control

Mandatory Access Control (MAC) is the strictest of all levels of control. The design of MAC was defined by, and is primarily used by, the government.

MAC takes a hierarchical approach to controlling access to resources. In a MAC-enforced environment, access to all resource objects (such as data files) is controlled by settings defined by the system administrator. As such, all access to resource objects is strictly controlled by the operating system based on the settings the system administrator has configured. It is not possible under MAC enforcement for users to change the access control of a resource.

Mandatory Access Control begins with security labels assigned to all resource objects on the system. These security labels contain two pieces of information: a classification (top secret, confidential, etc.) and a category (which is essentially an indication of the management level, department or project to which the object is available).

Similarly, each user account on the system also has classification and category properties drawn from the same set of properties applied to the resource objects. When a user attempts to access a resource under Mandatory Access Control, the operating system checks the user's classification and categories and compares them to the properties of the object's security label. If the user's credentials match the MAC security label properties of the object, access is allowed. It is important to note that both the classification and the categories must match. A user with top secret classification, for example, cannot access a resource if they are not also a member of one of the required categories for that object.

Mandatory Access Control is by far the most secure access control environment but does not come without a cost. Firstly, MAC requires a considerable amount of planning before it can be effectively implemented. Once implemented, it also imposes a high system management overhead due to the need to constantly update object and account labels to accommodate new data, new users and changes in the categorization and classification of existing users.
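The label comparison described above, as an added example that is not part of the original chapter. Every object and every account carries a classification plus a set of categories maintained only by the administrator; the check passes only when the classification is identical and the user belongs to at least one of the object's categories. All file, user and label values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    """A MAC security label: a classification plus one or more categories."""
    classification: str     # e.g. "confidential" or "top secret"
    categories: frozenset   # departments/projects the object is available to

# Administrator-assigned labels on resource objects (constructed sample data).
OBJECT_LABELS = {
    "budget.xlsx": Label("confidential", frozenset({"finance"})),
    "launch-plan.doc": Label("top secret", frozenset({"project-x", "management"})),
}

# User accounts carry the same two properties (constructed sample data).
USER_LABELS = {
    "alice": Label("top secret", frozenset({"finance"})),
    "bob": Label("confidential", frozenset({"finance"})),
    "carol": Label("top secret", frozenset({"project-x"})),
}

def mac_allows(user: str, obj: str) -> bool:
    """Apply the chapter's rule: both label properties must match.

    The classification must be identical and the user must belong to at
    least one of the object's required categories. Neither table can be
    edited by a user; only the administrator maintains the labels.
    """
    u, o = USER_LABELS[user], OBJECT_LABELS[obj]
    return u.classification == o.classification and bool(u.categories & o.categories)

if __name__ == "__main__":
    for user, obj in (("alice", "launch-plan.doc"), ("alice", "budget.xlsx"),
                      ("bob", "budget.xlsx"), ("carol", "launch-plan.doc")):
        print(f"{user} -> {obj}: {'ALLOW' if mac_allows(user, obj) else 'DENY'}")
```

Note that alice holds top secret clearance yet is denied launch-plan.doc because she is in none of its categories, which is exactly the case the chapter calls out.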


Discretionary Access Control

Unlike Mandatory Access Control (MAC), where access to system resources is controlled by the operating system (under the control of a system administrator), Discretionary Access Control (DAC) allows each user to control access to their own data. DAC is typically the default access control mechanism for most desktop operating systems.

Instead of the security label used by MAC, each resource object on a DAC-based system has an Access Control List (ACL) associated with it. An ACL contains a list of the users and groups to which the owner has permitted access, together with the level of access for each user or group. For example, User A may grant read-only access on one of her files to User B, read and write access on the same file to User C, and full control to any user belonging to Group 1.

It is important to note that under DAC a user can only set access permissions for resources which they already own. A hypothetical User A cannot, therefore, change the access control for a file that is owned by User B. User A can, however, set access permissions on a file that she owns. Under some operating systems it is also possible for the system or network administrator to dictate which permissions users are allowed to set in the ACLs of their resources.

Discretionary Access Control provides a much more flexible environment than Mandatory Access Control, but it also increases the risk that data will be made accessible to users who should not necessarily be given access.
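The DAC scenario from the paragraphs above (User A granting read, write and full control to User B, User C and Group 1) as an added example that is not part of the original chapter. Only the owner or an administrator may edit an object's ACL, and the optional max_owner_grant ceiling models the administrator restricting which permissions owners may hand out. The user, group, file and administrator names are constructed.

```python
PERMISSION_LEVELS = {"read": 1, "write": 2, "full": 3}   # ordered levels of access
ADMINS = {"root"}                                        # constructed administrator account
GROUPS = {"group1": {"dave", "erin"}}                    # constructed group membership

class NotOwner(PermissionError):
    """Raised when someone other than the owner or an admin edits an ACL."""

class DacObject:
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        # ACL maps ("user", name) or ("group", name) to a permission level;
        # the owner starts with full control over her own object.
        self.acl = {("user", owner): "full"}

def set_acl(obj, actor, principal, level, max_owner_grant="full"):
    """Have `actor` grant `level` on obj to principal.

    Only the owner (or an administrator) may change the ACL, and the
    administrator may cap the level ordinary owners can hand out via
    max_owner_grant, mirroring the OS-level restriction the chapter mentions.
    """
    if actor != obj.owner and actor not in ADMINS:
        raise NotOwner(f"{actor} does not own {obj.name}")
    if level not in PERMISSION_LEVELS:
        raise ValueError(f"unknown permission level {level!r}")
    if (actor not in ADMINS
            and PERMISSION_LEVELS[level] > PERMISSION_LEVELS[max_owner_grant]):
        raise PermissionError(f"owners may grant at most {max_owner_grant!r}")
    obj.acl[principal] = level

def effective_level(obj, user):
    """Highest level the user holds directly or through any group in the ACL."""
    levels = [PERMISSION_LEVELS.get(obj.acl.get(("user", user)), 0)]
    for group, members in GROUPS.items():
        if user in members and ("group", group) in obj.acl:
            levels.append(PERMISSION_LEVELS[obj.acl[("group", group)]])
    return max(levels)

def can(obj, user, action):
    """True if the user's effective level covers the requested action."""
    return effective_level(obj, user) >= PERMISSION_LEVELS[action]

if __name__ == "__main__":
    report = DacObject("report.txt", owner="alice")
    set_acl(report, "alice", ("user", "bob"), "read")
    set_acl(report, "alice", ("user", "carol"), "write")
    set_acl(report, "alice", ("group", "group1"), "full")
    for user in ("alice", "bob", "carol", "dave", "frank"):
        print(user, [a for a in PERMISSION_LEVELS if can(report, user, a)])
```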

Role Based Access Control

Role Based Access Control (RBAC), also known as Non-Discretionary Access Control, takes more of a real-world approach to structuring access control. Access under RBAC is based on a user's job function within the organization to which the computer system belongs.

Essentially, RBAC assigns permissions to particular roles in an organization. Users are then assigned to those roles. For example, an accountant in a company will be assigned to the Accountant role, gaining access to all the resources permitted for all accountants on the system. Similarly, a software engineer might be assigned to the Developer role.

Roles differ from groups in that, while users may belong to multiple groups, a user under RBAC may only be assigned a single role in an organization. Additionally, there is no way to give individual users additional permissions over and above those available to their role. The accountant described above gets the same permissions as all other accountants, nothing more and nothing less.
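The two RBAC constraints just described (one role per user, and no per-user permissions outside the role) as an added example that is not part of the original chapter. The only way to change what a user may do is to change the role, which affects every member of that role at once. Role and permission names are constructed.

```python
# Constructed role-to-permission table; permissions are plain strings.
ROLE_PERMISSIONS = {
    "accountant": {"ledger:read", "ledger:write", "invoices:read"},
    "developer": {"repo:read", "repo:write", "build:run"},
}

class RbacError(Exception):
    """Raised for unknown roles."""

class Rbac:
    def __init__(self, role_permissions):
        self.role_permissions = {r: set(p) for r, p in role_permissions.items()}
        self.user_role = {}   # exactly one role per user, by construction

    def assign_role(self, user, role):
        """Place a user in a role; a user holds a single role, so assigning
        a different one replaces the previous assignment."""
        if role not in self.role_permissions:
            raise RbacError(f"unknown role {role!r}")
        self.user_role[user] = role

    def grant_to_role(self, role, permission):
        """The only way to extend what a user can do: change the role itself."""
        if role not in self.role_permissions:
            raise RbacError(f"unknown role {role!r}")
        self.role_permissions[role].add(permission)

    def permissions_of(self, user):
        """Everything the user may do, which is exactly the role's set."""
        return frozenset(self.role_permissions.get(self.user_role.get(user), set()))

    def allowed(self, user, permission):
        return permission in self.permissions_of(user)

if __name__ == "__main__":
    rbac = Rbac(ROLE_PERMISSIONS)
    rbac.assign_role("alice", "accountant")
    rbac.assign_role("bob", "accountant")
    rbac.assign_role("carol", "developer")
    print("alice ledger:write", rbac.allowed("alice", "ledger:write"))
    print("alice repo:read", rbac.allowed("alice", "repo:read"))
    rbac.grant_to_role("accountant", "invoices:write")   # every accountant gains it
    print("bob invoices:write", rbac.allowed("bob", "invoices:write"))
```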

Rule Based Access Control

Rule Based Access Control (RBAC) introduces acronym ambiguity by using the same four-letter abbreviation (RBAC) as Role Based Access Control.

Under Rule Based Access Control, access to resource objects is allowed or denied based on a set of rules defined by a system administrator. As with Discretionary Access Control, access properties are stored in Access Control Lists (ACLs) associated with each resource object. When a particular account or group attempts to access a resource, the operating system checks the rules contained in the ACL for that object.

Examples of Rule Based Access Control include situations such as permitting access for an account or group to a network connection only at certain hours of the day or on certain days of the week.

As with MAC, access control cannot be changed by users. All access permissions are controlled solely by the system administrator.
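The time-of-day example from the paragraph above as an added example that is not part of the original chapter: an administrator-defined ACL of rules on a network resource, evaluated for the requesting account and its groups, with the first matching rule deciding and no match meaning deny. The resource, group and account names and the time windows are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time

WEEKDAYS = frozenset({0, 1, 2, 3, 4})   # Monday..Friday per datetime.weekday()
EVERY_DAY = frozenset(range(7))

@dataclass(frozen=True)
class Rule:
    principal: str     # account or group name the rule applies to
    allow: bool        # True = permit access, False = deny access
    days: frozenset    # weekday numbers on which the rule is active
    start: time        # inclusive start of the daily window
    end: time          # inclusive end of the daily window

    def matches(self, principals, when):
        return (self.principal in principals
                and when.weekday() in self.days
                and self.start <= when.time() <= self.end)

# Constructed group membership; a user may belong to several groups.
GROUPS = {"staff": {"alice", "bob"}, "contractors": {"bob"}, "oncall": {"carol"}}

# Administrator-defined ACL for the "vpn" network connection (constructed).
# Ordering matters: the contractor deny rule is evaluated before the staff allow.
VPN_ACL = [
    Rule("contractors", allow=False, days=EVERY_DAY, start=time.min, end=time.max),
    Rule("staff", allow=True, days=WEEKDAYS, start=time(8, 0), end=time(18, 0)),
    Rule("oncall", allow=True, days=EVERY_DAY, start=time.min, end=time.max),
]

def rule_based_allows(acl, user, when):
    """First matching rule wins; with no matching rule, access is denied."""
    principals = {user} | {g for g, members in GROUPS.items() if user in members}
    for rule in acl:
        if rule.matches(principals, when):
            return rule.allow
    return False

if __name__ == "__main__":
    tuesday_10am = datetime(2024, 3, 5, 10, 0)
    saturday_3am = datetime(2024, 3, 9, 3, 0)
    for user, when in (("alice", tuesday_10am), ("alice", saturday_3am),
                       ("bob", tuesday_10am), ("carol", saturday_3am)):
        print(user, when, "ALLOW" if rule_based_allows(VPN_ACL, user, when) else "DENY")
```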



Source: https://www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Control

Posted by: foorlusell.blogspot.com