Tuesday, December 28, 2010

CompTIA Security+ Exam Objectives 3.2

Access Control 

3.2 Common Access Control Models


Access control is simply the mechanism by which users are granted or denied the use of, and interaction with, resources. Access control and authorization are often used interchangeably, since the first part of the process is deciding whether or not the user is authorized to do certain things. Without access control there is no way to prevent. Below are the 3 commonly known access control models that you will need to know:

  • MAC – Mandatory access control is often used by military and government environments. MAC is simply the access given based on set rules rather than user discretion. These rules are set in a hierarchical way and are referred to as classifications or security domains. For example, think of unclassified, secret, top secret, and so on. MAC is also used outside of these two entities in the public sector. Many times classifications include public, sensitive, private, and confidential.

The main purpose of using MAC is to avoid disclosure, meaning the disclosure of confidential information. Think of top secret government information being leaked to the public, an event that poses a huge national security threat. Consider something like WikiLeaks.

  • DAC – Discretionary access control is more widely used in the private sector as well as in commercial and home environments. DAC is user controlled, but the control mainly lies with the owners and creators of resources in the set environment. It is entirely identity based, and the model uses access control lists which define which users are granted or denied certain accesses. Individual user accounts are often added to DAC to define accesses.

  • Role & Rule based access control – Sometimes simply known as RBAC, role based and rule based access control differ from each other despite having the same acronym. Role based access control is often known as non-discretionary access control. The access control is based on a user’s job function within the organization that owns the computer system. In essence, role based access control assigns permissions to particular roles or jobs within an organization.

On the other hand, rule based access control depends on rules set by the system administrator. These rules either allow or deny access to certain resource objects on a computer system. The rules are stored in Access Control Lists (ACLs), and before permission is granted or denied, the operating system checks the rules within the ACL.
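
The four models above side by side, as an added example that is not part of the original post. The user names, role names, the `payroll.db` resource, the `*` wildcard, first-match-wins rule ordering and default deny are all assumptions made for illustration.

```python
# Added example: all users, roles, resources and rules below are constructed.
LEVELS = ["unclassified", "secret", "top secret"]  # MAC hierarchy from the text

def mac_can_read(clearance, classification):
    """MAC: a fixed system rule decides; clearance must be at or above the label."""
    return LEVELS.index(clearance) >= LEVELS.index(classification)

class DacFile:
    """DAC: the owner decides; access is recorded per identity in an ACL."""
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, requester, user, perm):
        # Only the resource owner may hand out access (owner discretion).
        if requester != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user, perm):
        return perm in self.acl.get(user, set())

# Role based: permissions attach to job functions, users only hold roles.
ROLE_PERMS = {
    "hr_clerk": {"read_payroll"},
    "hr_manager": {"read_payroll", "edit_payroll"},
}
USER_ROLES = {"alice": {"hr_manager"}, "bob": {"hr_clerk"}}

def role_allows(user, perm):
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))

# Rule based: administrator-defined allow/deny rules checked before access.
# Assumption: rules are evaluated in order, first match wins, no match = deny.
RULES = [
    ("deny", "bob", "payroll.db"),
    ("allow", "*", "payroll.db"),
]

def rule_allows(user, resource):
    for action, subject, obj in RULES:
        if subject in (user, "*") and obj == resource:
            return action == "allow"
    return False

if __name__ == "__main__":
    print("MAC  secret reads top secret:", mac_can_read("secret", "top secret"))
    report = DacFile("alice")
    report.grant("alice", "bob", "read")
    print("DAC  bob reads alice's file: ", report.allows("bob", "read"))
    print("Role bob edits payroll:      ", role_allows("bob", "edit_payroll"))
    print("Rule bob opens payroll.db:   ", rule_allows("bob", "payroll.db"))
```
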