Trusted Systems and Access Control
Trusted Systems and Access Control: Basic Concepts
Trusted Systems and Access Control are foundational concepts in information security, designed to ensure that computer systems and networks operate securely and that only authorized users can access sensitive data.
Trusted Systems
- Trusted systems are computer systems designed to operate securely under a defined set of policies. They provide a secure environment where sensitive operations and data are protected from unauthorized access and malicious activities.
Key Concepts:
- Trusted Computing Base (TCB):
  - Definition: The TCB includes all the hardware, software, and firmware components that are critical to the system's security. It enforces the system's security policy and ensures correct operation.
  - Components: Operating system kernel, security policies, access control mechanisms, and any hardware or firmware components that enforce security.
- Security Policies:
  - Definition: Rules and guidelines that dictate how resources are managed, protected, and distributed within the system. Security policies define what is allowed and what is not.
  - Types:
    - Discretionary Access Control (DAC): Users have control over the access rights to their own resources.
    - Mandatory Access Control (MAC): Access rights are enforced by the system based on a fixed policy, and users cannot alter these rights.
- Security Models:
  - Bell-LaPadula Model: Focuses on data confidentiality. It enforces "no read up" (simple security property) and "no write down" (star property) to prevent unauthorized access to higher-level classified information.
  - Biba Model: Focuses on data integrity. It enforces "no write up" and "no read down" to prevent data contamination from less trustworthy sources.
  - Clark-Wilson Model: Ensures data integrity through well-formed transactions and separation of duties. It uses access control triples (subject, program, object) to enforce integrity constraints.
- Trusted Path:
  - Definition: A secure communication channel between the user and the TCB. It ensures that users can interact with the TCB without interference or eavesdropping by malicious software or entities.
- Evaluation Criteria:
  - Common Criteria (CC): An international standard for evaluating the security of IT products and systems. It provides a framework for specifying, implementing, and evaluating security features and capabilities.
  - Trusted Computer System Evaluation Criteria (TCSEC): Also known as the Orange Book, it was a U.S. government standard that defined criteria for assessing the security of computer systems.
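The Bell-LaPadula and Biba rules from the Security Models item, implemented as lattice checks over labels: a label dominates another when its level is equal or higher and its compartments are a superset. This is an added example, not code from the original page; the level names, compartments and the subject/object labels are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed lattice for the example: rank order of levels, lowest first.
# The same Label type serves as a confidentiality label (Bell-LaPadula) or an
# integrity label (Biba); only the meaning of "higher" differs.
RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND a superset of compartments.
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def label(level: str, *comps: str) -> Label:
    return Label(level, frozenset(comps))


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)   # simple security property
    if op == "write":
        return obj.dominates(subject)   # *-property (star property)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): no read down, no write up; the dual of Bell-LaPadula."""
    if op == "read":
        return obj.dominates(subject)   # read only from equal-or-higher integrity
    if op == "write":
        return subject.dominates(obj)   # write only to equal-or-lower integrity
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    analyst = label("SECRET", "CRYPTO")
    report = label("CONFIDENTIAL")
    plan = label("TOP_SECRET", "CRYPTO")
    print(blp_allows(analyst, report, "read"))   # True: reading down is permitted
    print(blp_allows(analyst, report, "write"))  # False: writing down would leak
    print(blp_allows(analyst, plan, "write"))    # True: writing up is permitted
```

Note that the compartment check matters as much as the level: a SECRET subject without the CRYPTO compartment cannot read a SECRET/CRYPTO object even though the levels match.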
Access Control
- Access control mechanisms are designed to restrict unauthorized users from accessing resources and data within a system. They ensure that only authorized users can perform specific actions on resources.
Key Concepts:
- Access Control Lists (ACLs):
  - Definition: ACLs are lists associated with each resource that specify which users or groups can access the resource and what actions they can perform.
  - Components: Each entry in an ACL specifies a subject (user or group) and the permissions (read, write, execute) granted to that subject.
- Role-Based Access Control (RBAC):
  - Definition: RBAC assigns permissions to roles rather than to individual users. Users are then assigned roles, which determine their access rights.
  - Components:
    - Roles: Defined sets of permissions.
    - Users: Individuals who are assigned to roles.
    - Permissions: Access rights associated with roles.
    - Sessions: Instances of users activating roles to perform actions.
- Attribute-Based Access Control (ABAC):
  - Definition: ABAC grants access based on attributes of the user, resource, and environment. Policies are defined using these attributes to make access control decisions.
  - Components:
    - Attributes: Characteristics of users, resources, and the environment (e.g., user role, resource type, time of day).
    - Policies: Rules that evaluate attributes to grant or deny access.
- Discretionary Access Control (DAC):
  - Definition: DAC allows resource owners to specify who can access their resources. Access rights can be transferred from one user to another.
  - Characteristics: Flexible but can be less secure if users are not cautious about sharing access rights.
- Mandatory Access Control (MAC):
  - Definition: MAC enforces access controls based on predefined policies set by the system, not by individual users. Access decisions are based on security labels assigned to users and resources.
  - Characteristics: Provides strong security by preventing users from making arbitrary changes to access rights.
- Multi-Factor Authentication (MFA):
  - Definition: MFA requires users to provide multiple forms of verification to access a resource, enhancing security by combining something the user knows (password), something the user has (security token), and something the user is (biometric verification).
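The RBAC and ABAC items above combined in one authorization check: RBAC grants the base permission through the roles a session has activated, and ABAC policies over user, resource and environment attributes then refine the decision (deny-overrides). This is an added example, not code from the original page; the roles, users, attributes and the three policies are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed RBAC data for the example: role -> permissions (resource type, action),
# and user -> assigned roles.
ROLE_PERMS = {
    "reader": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
    "auditor": {("audit_log", "read")},
}
USER_ROLES = {"alice": {"reader", "editor"}, "bob": {"auditor"}}
# Constructed user attributes consumed by the ABAC layer.
USER_ATTRS = {"alice": {"department": "finance"}, "bob": {"department": "security"}}

# ABAC policies: (name, predicate over user attributes, resource, action, environment).
# Every policy must return True for access to be granted (deny-overrides).
POLICIES = [
    ("restricted resources require MFA",
     lambda u, r, a, e: r.get("classification") != "restricted" or e.get("mfa", False)),
    ("writes only during business hours",
     lambda u, r, a, e: a != "write" or 9 <= e["hour"] < 18),
    ("resource department must match the user's",
     lambda u, r, a, e: r.get("department") in (None, u["department"])),
]


@dataclass
class Session:
    """An RBAC session: a user plus the subset of assigned roles they have activated."""
    user: str
    active_roles: set = field(default_factory=set)

    def activate(self, role: str) -> None:
        # Least privilege: only roles actually assigned to the user can be activated.
        if role not in USER_ROLES.get(self.user, set()):
            raise PermissionError(f"{self.user} is not assigned role {role!r}")
        self.active_roles.add(role)

    def permissions(self) -> set:
        return {p for r in self.active_roles for p in ROLE_PERMS[r]}


def authorize(session: Session, resource: dict, action: str, env: dict) -> tuple:
    """RBAC grants the base permission; ABAC policies then refine it. Returns (allowed, reason)."""
    if (resource["type"], action) not in session.permissions():
        return False, "no active role grants this permission"
    user_attrs = USER_ATTRS[session.user]
    for name, rule in POLICIES:
        if not rule(user_attrs, resource, action, env):
            return False, f"denied by policy: {name}"
    return True, "allowed"
```

Returning the name of the policy that denied access is what makes such decisions auditable; a bare True/False hides why a request failed.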
Summary
Trusted systems and access control are essential for maintaining the security and integrity of computer systems and networks. Trusted systems ensure secure operation through a robust TCB and adherence to strict security policies. Access control mechanisms restrict unauthorized access to resources by enforcing permissions based on user identities, roles, attributes, and predefined policies. Together, they form a comprehensive approach to safeguarding sensitive data and preventing unauthorized activities in digital environments.