Information about Access Control
- For access control on a highway, see limited-access highway.
Access control is the ability to permit or deny the use of something by someone.
Physical access
Physical access by a person may be allowed depending on payment, authorization, etc. There may also be one-way traffic of people. These rules can be enforced by personnel such as a border guard, a doorman or a ticket checker, or by a device such as a turnstile. Fences may be used to prevent the control from being circumvented. An alternative to access control in the strict sense (physically controlling access itself) is a system of checking for authorized presence, see e.g. Ticket controller (transportation). A variant is exit control, e.g. of a shop (checkout) or a country.
In physical security, the term access control refers to the practice of restricting entrance to a property, a building, or a room to authorized persons. Physical access control can be achieved by a human (a guard, bouncer, or receptionist), through mechanical means such as locks and keys, or through technological means such as a card access system or biometric identification.
Computer security
In computer security, access control includes authentication, authorization and audit. It also includes measures such as physical devices, including biometric scans and metal locks, hidden paths, digital signatures, encryption, social barriers, and monitoring by humans and automated systems.
In any access control model, the entities that can perform actions in the system are called subjects, and the entities representing resources to which access may need to be controlled are called objects (see also Access Control Matrix). Subjects and objects should both be considered as software entities, rather than as human users: any human user can only have an effect on the system via the software entities that they control. Although some systems equate subjects with user IDs, so that all processes started by a user by default have the same authority, this level of control is not fine-grained enough to satisfy the Principle of least privilege, and arguably is responsible for the prevalence of malware in such systems (see computer insecurity).
In some models, for example the object-capability model, any software entity can potentially act as both a subject and object.
Access control models used by current systems tend to fall into one of two classes: those based on capabilities and those based on access control lists (ACLs). In a capability-based model, holding an unforgeable reference or capability to an object provides access to the object (roughly analogous to how possession of your house key grants you access to your house); access is conveyed to another party by transmitting such a capability over a secure channel. In an ACL-based model, a subject's access to an object depends on whether its identity is on a list associated with the object (roughly analogous to how a bouncer at a private party would check your ID to see if your name is on the guest list); access is conveyed by editing the list. (Different ACL systems have a variety of different conventions regarding who or what is responsible for editing the list and how it is edited.)
Both capability-based and ACL-based models have mechanisms to allow access rights to be granted to all members of a group of subjects (often the group is itself modeled as a subject).
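As an added example (not part of the original article), the two models side by side in Python: an ACL keyed by subject identity, and a capability that grants access purely by possession. The document name, subject names and the HMAC-signed token used to make the capability unforgeable are assumptions of this example; an in-process object-capability system would rely on language object references rather than signed tokens.

```python
"""ACL-based vs capability-based access control, side by side.

Added illustration, not code from the original article. The object
name, subject names and the signed-token scheme for capabilities are
assumptions chosen for this example.
"""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Document:
    name: str
    contents: str


# ---- ACL model: rights live in a list attached to the object ----------
@dataclass
class AclStore:
    # object name -> {subject identity -> set of rights}
    acls: dict = field(default_factory=dict)

    def grant(self, obj: str, subject: str, right: str) -> None:
        # "access is conveyed by editing the list"
        self.acls.setdefault(obj, {}).setdefault(subject, set()).add(right)

    def check(self, obj: str, subject: str, right: str) -> bool:
        return right in self.acls.get(obj, {}).get(subject, set())


def acl_read(store: AclStore, subject: str, doc: Document) -> str:
    # The reference monitor needs the caller's *identity* to decide.
    if not store.check(doc.name, subject, "read"):
        raise PermissionError(f"{subject} may not read {doc.name}")
    return doc.contents


# ---- Capability model: possession of an unforgeable token is the right ----
class CapabilityAuthority:
    """Mints and verifies capabilities as (object, rights, tag) tuples.

    The tag is an HMAC over object and rights under a key only the
    authority knows, so a holder cannot widen a token's rights or make
    one up; but anyone who *holds* a valid token can use it, and
    delegation is simply handing the token over.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self._objects = {}          # object name -> Document

    def register(self, doc: Document) -> None:
        self._objects[doc.name] = doc

    def _tag(self, obj: str, rights: frozenset) -> str:
        payload = f"{obj}|{','.join(sorted(rights))}".encode()
        return hmac.new(self._key, payload, "sha256").hexdigest()

    def mint(self, obj: str, rights: set) -> tuple:
        rights = frozenset(rights)
        return (obj, rights, self._tag(obj, rights))

    def _verify(self, cap: tuple) -> None:
        obj, rights, tag = cap
        if not hmac.compare_digest(tag, self._tag(obj, rights)):
            raise PermissionError("forged or tampered capability")

    def attenuate(self, cap: tuple, rights: set) -> tuple:
        """Derive a weaker capability to pass on to someone else."""
        self._verify(cap)
        obj, have, _ = cap
        if not frozenset(rights) <= have:
            raise PermissionError("cannot amplify a capability")
        return self.mint(obj, rights)

    def read(self, cap: tuple) -> str:
        # No identity check: the token alone decides.
        self._verify(cap)
        obj, rights, _ = cap
        if "read" not in rights:
            raise PermissionError("capability lacks read")
        return self._objects[obj].contents


if __name__ == "__main__":
    doc = Document("plan.txt", "launch at dawn")
    store = AclStore()
    store.grant(doc.name, "alice", "read")
    print("ACL, alice:", acl_read(store, "alice", doc))

    auth = CapabilityAuthority()
    auth.register(doc)
    cap = auth.mint(doc.name, {"read", "write"})
    print("capability:", auth.read(cap))
    read_only = auth.attenuate(cap, {"read"})
    print("attenuated:", auth.read(read_only))
```

The ACL path cannot decide without knowing who is asking; the capability path never asks. That is why attenuation matters in the capability model: before handing a token to a third party you derive one with fewer rights, and the MAC stops the recipient from widening it back.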
Access control systems provide the essential services of identification and authentication (I&A), authorization, and accountability where:
- identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in;
- authorization determines what a subject can do;
- accountability identifies what a subject (or all subjects associated with a user) did.
Identification and authentication (I&A)
Identification and authentication (I&A) is the process of verifying that an identity is bound to the entity that asserts it. The I&A process assumes that there was an initial vetting of the identity, during which an authenticator was established. Subsequently, the entity asserts an identity together with an authenticator as a means of validation. The only requirement for the identifier is that it be unique within its security domain.
Authenticators are commonly based on at least one of these four factors:
- Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account.
- Something you have, such as a smart card or token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account.
- Something you are, such as fingerprint, voice, retina, or iris characteristics.
- Where you are, for example inside or outside a company firewall, or proximity of login location to a personal GPS device.
Authorization
Authorization applies to subjects rather than to users (the association between a user and the subjects initially controlled by that user having been determined by I&A). Authorization determines what a subject can do on the system.
Most modern operating systems define sets of permissions that are variations or extensions of three basic types of access:
- Read (R): The subject can
  - Read file contents
  - List directory contents
- Write (W): The subject can change the contents of a file or directory with these tasks:
  - Add
  - Create
  - Delete
  - Rename
- Execute (X): If the file is a program, the subject can cause the program to be run. (In Unix systems, the 'execute' permission doubles as a 'traverse directory' permission when granted for a directory.)
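An added example, not code from the article, that applies these three bits the way a Unix kernel does, including the traverse rule on directories and the rule that the first matching class (owner, then group, then other) decides. The directory tree, uids, gids and modes below are constructed for the illustration.

```python
"""Unix-style read/write/execute authorization over an in-memory tree.

Added illustration, not code from the original article. The tree,
uids/gids and file modes below are constructed for the example.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1          # the three basic permission bits


@dataclass
class Node:
    mode: int              # e.g. 0o640: owner rw-, group r--, other ---
    uid: int
    gid: int
    is_dir: bool = False
    children: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset


def bits_for(node: Node, subj: Subject) -> int:
    """Select the owner, group or other triple that applies to subj.

    As in the Unix kernel the first matching class wins; the classes are
    not unioned, so an owner of a 0o064 file is denied even though the
    group triple would allow.
    """
    if subj.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in subj.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def permitted(node: Node, subj: Subject, want: int) -> bool:
    return bits_for(node, subj) & want == want


def access(root: Node, subj: Subject, path: str, want: int) -> bool:
    """Decide whether subj may perform `want` on `path`.

    Every directory walked through needs X (traverse); only the final
    component is checked against `want`. A world-readable file inside
    a 0o700 directory is therefore unreachable for everyone but its owner.
    """
    node = root
    for name in [p for p in path.split("/") if p]:
        if not (node.is_dir and permitted(node, subj, X)):
            return False
        node = node.children.get(name)
        if node is None:
            return False
    return permitted(node, subj, want)


# Constructed tree. Group 100 stands for a 'staff' group.
ROOT = Node(0o755, 0, 0, is_dir=True, children={
    "home": Node(0o755, 0, 0, is_dir=True, children={
        "alice": Node(0o700, 1000, 1000, is_dir=True, children={
            "notes.txt": Node(0o644, 1000, 1000),
        }),
        "shared": Node(0o750, 0, 100, is_dir=True, children={
            "plan.txt": Node(0o664, 1000, 100),
            "quirk.txt": Node(0o064, 1000, 100),
        }),
    }),
})

ALICE = Subject(1000, frozenset({1000, 100}))
BOB = Subject(1001, frozenset({1001, 100}))
EVE = Subject(1002, frozenset({1002}))

if __name__ == "__main__":
    for who, name, path, want in [
        (ALICE, "alice", "/home/alice/notes.txt", R),
        (BOB, "bob", "/home/alice/notes.txt", R),       # 0o644 file, but no traverse
        (BOB, "bob", "/home/shared/plan.txt", W),
        (EVE, "eve", "/home/shared", R),                # cannot list the directory
        (BOB, "bob", "/home/shared", W | X),            # cannot create files
        (ALICE, "alice", "/home/shared/quirk.txt", R),  # owner class denies
    ]:
        print(f"{name:5} {path:24} want={want}: {access(ROOT, who, path, want)}")
```

Two things the bit table alone does not show: a readable file is useless without X on every directory above it, and creating or deleting an entry needs both W and X on the directory, not on the file.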
Accountability
Accountability uses such system components as audit trails (records) and logs to associate a subject with its actions. The information recorded should be sufficient to map the subject to a controlling user. Audit trails and logs are important for:
- Detecting security violations
- Re-creating security incidents
Many systems can generate automated reports based on certain predefined criteria or thresholds, known as clipping levels. For example, a clipping level may be set to generate a report for the following:
- More than three failed logon attempts in a given period
- Any attempt to use a disabled user account
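The two clipping levels listed above, implemented over a constructed audit trail as an added example (the record format, account names and addresses are invented for the illustration and are not from the article). The failed-logon rule uses a sliding time window per user so that four failures spread over a day do not trip it.

```python
"""Clipping-level reports over an audit trail.

Added illustration, not code from the original article. The log format,
the account names and the sample records are constructed; the two
thresholds mirror the ones listed in the text.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# Constructed audit records: timestamp, event, then key=value fields.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:07Z LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:12Z LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:15Z LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:20Z LOGIN_OK   user=alice src=10.0.0.5
2024-03-01T09:05:00Z LOGIN_FAIL user=bob   src=10.0.0.9 reason=account_disabled
2024-03-01T09:30:00Z LOGIN_FAIL user=carol src=10.0.0.7
2024-03-01T10:30:00Z LOGIN_FAIL user=carol src=10.0.0.7
2024-03-01T11:30:00Z LOGIN_FAIL user=carol src=10.0.0.7
2024-03-01T12:30:00Z LOGIN_FAIL user=carol src=10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s*(?P<kv>.*)$")


def parse(line: str) -> Optional[dict]:
    """Turn one record into a dict; return None for lines we cannot read."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    return {"ts": ts, "event": m["event"], **fields}


def clipping_report(log_text: str, max_failures: int = 3,
                    window_minutes: float = 10) -> list:
    """Return (rule, user, timestamp) tuples for records crossing a clipping level.

    Rule 1: more than `max_failures` failed logons per user within a sliding
            window of `window_minutes` (reported once per user).
    Rule 2: any attempt to use a disabled account.
    """
    window = timedelta(minutes=window_minutes)
    alerts = []
    recent = defaultdict(deque)     # user -> timestamps of recent failures
    already_reported = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or "user" not in rec:
            continue
        user, ts = rec["user"], rec["ts"]
        if rec.get("reason") == "account_disabled":
            alerts.append(("disabled_account_use", user, ts))
        if rec["event"] == "LOGIN_FAIL":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:        # drop failures outside the window
                q.popleft()
            if len(q) > max_failures and user not in already_reported:
                alerts.append(("excessive_failures", user, ts))
                already_reported.add(user)
    return alerts


if __name__ == "__main__":
    for rule, user, ts in clipping_report(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:22} user={user}")
```

Each record carries both the subject (the account) and the source address, which is the minimum needed to map an action back to a controlling user; a report that only said "four failures" without the account would not satisfy accountability.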
Access Control Techniques
Access control techniques are sometimes categorized as either discretionary or mandatory.
Discretionary Access Control
Discretionary access control (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have.
Two important concepts in DAC are:
- File and data ownership: Every object in the system has an owner. In most DAC systems, each object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner.
- Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources.
Mandatory Access Control
Mandatory access control (MAC) is an access policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects.
- Sensitivity labels: In a MAC-based system, all subjects and objects must have labels assigned to them. A subject's sensitivity label specifies its level of trust (its clearance). An object's sensitivity label specifies the level of trust required for access. To read a given object, the subject's sensitivity label must be equal to or higher than (dominate) the object's. This is the read rule only; systems following the Bell-LaPadula model also forbid a subject from writing to an object whose label is lower than its own, so that a highly cleared process cannot copy data into a less protected object.
- Data import and export: Controlling the import of information from other systems and export to other systems (including printers) is a critical function of MAC-based systems, which must ensure that sensitivity labels are properly maintained and implemented so that sensitive information is appropriately protected at all times.
- Rule-based access controls: This type of control further defines specific conditions for access to a requested object. All MAC-based systems implement a simple form of rule-based access control to determine whether access should be granted or denied by matching:
- An object's sensitivity label
- A subject's sensitivity label
- Lattice-based access controls: These can be used for complex access control decisions involving multiple objects and/or subjects. A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object.
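An added example (not from the article) of labels as lattice elements in Python: the dominance relation, least upper bound and greatest lower bound, and the read and write checks of the Bell-LaPadula model built on them. The level and compartment names are assumptions chosen for the illustration.

```python
"""Sensitivity labels on a lattice: dominance, LUB/GLB, read and write rules.

Added illustration, not code from the original article. The level names
and compartment names are assumptions; the rules implemented are the
Bell-LaPadula simple-security (read) and *-property (write) checks.
"""
from dataclasses import dataclass
from enum import IntEnum
from functools import reduce


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Partial order of the lattice: higher-or-equal level AND a superset
        of compartments. Two labels can be incomparable."""
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both."""
    return Label(max(a.level, b.level), a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both dominate."""
    return Label(min(a.level, b.level), a.compartments & b.compartments)


def may_read(subject: Label, obj: Label) -> bool:
    # Simple security property ("no read up"): subject must dominate object.
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    # *-property ("no write down"): object must dominate subject, so a
    # SECRET process cannot leak into an UNCLASSIFIED file.
    return obj.dominates(subject)


def derived_label(inputs: list) -> Label:
    """Label for an object computed from several inputs: the LUB of all of
    them, which is what a MAC system must attach on copy or export."""
    return reduce(lub, inputs)


if __name__ == "__main__":
    s_crypto = Label(Level.SECRET, frozenset({"crypto"}))
    c_nuclear = Label(Level.CONFIDENTIAL, frozenset({"nuclear"}))
    ts_both = Label(Level.TOP_SECRET, frozenset({"crypto", "nuclear"}))
    u_none = Label(Level.UNCLASSIFIED)

    print("S{crypto} reads C{nuclear}?", may_read(s_crypto, c_nuclear))  # incomparable
    print("S{crypto} writes TS{both}?", may_write(s_crypto, ts_both))
    print("S{crypto} writes U{}?", may_write(s_crypto, u_none))
    print("lub:", lub(s_crypto, c_nuclear))
    print("glb:", glb(s_crypto, c_nuclear))
```

The compartments are what make this a lattice rather than a simple ladder: SECRET{crypto} and CONFIDENTIAL{nuclear} are incomparable, so neither may read the other, and anything derived from both must be labelled with their least upper bound, SECRET{crypto, nuclear}.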
Telecommunication
In telecommunication, the term access control is defined in U.S. Federal Standard 1037C [1] with the following meanings:
- A service feature or technique used to permit or deny use of the components of a communication system.
- A technique used to define or restrict the rights of individuals or application programs to obtain data from, or place data onto, a storage device.
- The definition or restriction of the rights of individuals or application programs to obtain data from, or place data into, a storage device.
- The process of limiting access to the resources of an AIS to authorized users, programs, processes, or other systems.
- That function performed by the resource controller that allocates system resources to satisfy user requests.
Notice that this definition depends on several other technical terms from Federal Standard 1037C.
Public Policy
In public policy, access control to restrict access to systems ("authorization") or to track or monitor behavior within systems ("accountability") is an implementation feature of using trusted systems for security or social control.
See Also
- Access badge
- Common Access Card
- Credential
- ID Card
- Keycard
- Magnetic stripe card
- Physical Security
- Proximity card
- Smart card
- Swipe card
References
- U.S. Federal Standard 1037C
- U.S. MIL-STD-188
- U.S. National Information Systems Security Glossary
- Harris, Shon, All-in-one CISSP Exam Guide, Third Edition, McGraw Hill Osborne, Emeryville, California, 2005.
External links
- Access Control: Guide to CISSP, Information Security Certification
- eXtensible Access Control Markup Language. An OASIS standard language/model for access control. Also XACML.
This article is copied from an article on Wikipedia.org - the free encyclopedia created and edited by online user community. The text was not checked or edited by anyone on our staff. Although the vast majority of the wikipedia encyclopedia articles provide accurate and timely information please do not assume the accuracy of any particular article. This article is distributed under the terms of GNU Free Documentation License.