Authorization

and Access
Control
Authorization

• Allows us to specify where the

party should be allowed or denied
access .
Principle of Least Privilege

• We should only allow the bare minimum of access to a party to

perform the functionality needed of it.
Access control

• allowing access
• denying access
• limiting access
• revoking access
Methods to implement access control

Access Control List

• Referred to as “ackles”
• Used to control access in the file
systems and to control the flow of
traffic in the networks.
File Systems aCls

• read, write, and execute,

• rwxrwxrwx
• user, group, and other ACLs
network aCls access controlled by the identifiers we use for
network transactions, such as Internet Protocol
(IP) addresses, Media Access Control (MAC)
addresses, and ports.

The simplest forms of network-oriented is MAC

address filtering.
Capability-based security

The right to access a

Oriented around the use
resource is based entirely
of a token that controls
on possession of the
our access.
token.
Confused
Common in systems that use ACLs.
deputy problem

Seen when the software with access to a

resource has a greater level of permission to
access the resource than the user who is
controlling the software.
Client-side • Attacks that take advantage of weaknesses in applications
that are running on the computer being operated directly by
attacks the user, often referred to as the client.
CSRF (cross-site
request forgery)
• attack that misuses the authority
of the browser on the user’s
computer.
Clickjacking

• Also known as user interface

redressing.
Access Control Methodologies

• Means by which we implement authorization and deny or allow

access to parties, based on what resources we have determined they
should be allowed access to.
Access Control Models

Discretionary Access Control

• Model of access control based on
access being determined by the
owner of the resource in question.
Mandatory Access Control

• The owner of the resource does

not get to decide who gets to
access it, but instead access is
decided by a group or individual
who has the authority to set access
on resources.
Role-based access
control
• Based on the role the individual
being granted access is
performing.
Attribute-based Access Control

• Logically based on attributed

• CAPTCHA
Completely Automated Public Turing Test to Tell Humans and Computers
Apart
Physical Access Controls

• Access control for individuals often revolves around controlling movement into and out of
buildings or facilities .
THANK YOU!