Access Controls Part 1: Computer Security Lectures 2014/15 S2

Z. Cliffe Schreuders

13 Jun 201538:40

Summary

TLDRThe video script delves into the critical concept of access controls, which are mechanisms that regulate what users and programs can do within a computer system. It emphasizes the significance of access controls for security, highlighting the importance of authentication before authorization. The lecture distinguishes between physical and digital access controls, focusing on the latter. It outlines the necessity of a security policy, the trusted computing base, and the role of the reference monitor in mediating access to resources. The script also explains the access control matrix, a theoretical model for describing security states, and contrasts it with real-world implementations like access control lists (ACLs) and capabilities. The discussion further explores various access control models, including mandatory access control, discretionary access control, and role-based access control. It concludes with practical advice on using access controls, particularly the risks of operating as an administrator and the benefits of user access control in modern operating systems.

Takeaways

🔒 **Access Controls** are critical for computer security, determining what users and programs can do within a system.
🛡️ **Authentication** is the first step, confirming the identity of a user or process before access control can be enforced.
📜 **Authorization** follows authentication, defining what actions an authenticated subject is permitted to perform.
🏢 **Physical Security** can be thought of as access control in the physical world, like using a badge to enter a room.
📐 **Digital Access Control** is analogous to physical security, but it applies to digital resources and processes.
📋 **Access Control Matrix** is a theoretical model that details every possible access permission in a system, though not practical for large systems.
🔑 **Trusted Computing Base (TCB)** includes all the software and hardware responsible for enforcing security policy.
🚪 **Complete Mediation** ensures that all access to resources is controlled and that there are no backdoors or unguarded paths.
📁 **Subjects and Objects** are fundamental to access control; subjects are the entities performing actions, and objects are the resources being acted upon.
📝 **Security Context** includes the identity and related information assigned to each subject, which informs access decisions.
📊 **Access Control Policies** can be formal or informal and are defined by an organization to ensure confidentiality, integrity, and availability of information.
🏗️ **Access Control Mechanisms** are the tools or technologies that enforce the policy, such as firewalls or access control lists (ACLs).
📈 **Role-Based Access Control (RBAC)** assigns permissions based on roles within an organization, allowing for flexible and manageable access control.
🤝 **Discretionary Access Control (DAC)** allows users to control access to their own files, which is common in consumer operating systems like Windows and Linux.
📍 **Mandatory Access Control (MAC)** is where access is strictly defined and enforced by a central authority, often used in military or government settings.