Access control provides a set of methods to identify, organize, and host all the functions in a system, to organize and identify all of its data, and then to expose a single, straightforward interface. One end of this interface is the application; the other end is the permission engine. The permission engine answers only one question: does a given subject have the authority to perform a particular action (an operation or computation) on a resource? The result is one of only three answers: yes, no, or the permission engine cannot answer.
Access control is a technology required by almost all systems, computer and non-computer alike. It restricts a user's access to particular information items, or the use of particular control functions, according to the user's identity and the defined groups to which the user belongs. System administrators typically use access control to govern user access to network resources such as servers, directories, and files.
Access control model
- Discretionary access control (DAC)
An authorized user can transfer their permissions to others at their own discretion, and privileged users can modify permissions. Linux, Unix, and Windows all use this form.
Permission information storage (access permission tables):
(1) Access control list (ACL): the object is the core; every subject and its corresponding permissions are attached to the object.
(2) Access Capability Control List (ACCL): the subject is the core; it lists every object the subject is allowed to access and the permissions it holds on each.
(3) Access control matrix (ACM): a binary matrix representing the permission relationship between subjects and objects; it contains redundancy.
Features: data access is flexible and permissions can be transferred freely, but this also introduces security problems and weak data protection.
- Mandatory access control MAC
This is stricter permission management: each subject and object is assigned a security level, and each user's access permissions are derived entirely from their security level. Permissions are strictly bound to the security level; they may not be transferred, nor changed for an individual user.
Examples of read and write rules (two strict mechanisms commonly used by the military):
(1) Write up, read down: effectively prevents information from leaking to a lower security level, protecting confidentiality.
(2) Write down, read up: effectively prevents subordinates from tampering with information, protecting integrity.
- Role-based access control RBAC
Users are no longer considered individually but are organized into groups, and permissions on objects are likewise assigned to roles. A role has its own specific capabilities, so a user obtains permissions by taking on a role rather than being granted them directly.
This retains flexibility, since a user can assume different roles to obtain different permissions, while guaranteeing strictness in how permissions are acquired: the roles are fixed, no freely combined roles can appear, and the access a role grants is controllable.
Roles are acquired, added, and removed by decision of the administrator, not obtained freely. This is the difference between RBAC and DAC.
Roles organize permissions. A role may hold permissions at different security levels, so there is no concept of a security level; roles are added as needed. This is the difference between RBAC and MAC.
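To make the permission engine's yes/no/cannot-answer interface concrete, here is an added example (not code from the original page) that combines the two models above: RBAC decides whether any of the user's roles grants the action, and the MAC level rule ("write up, read down" for confidentiality, or "write down, read up" for integrity) is then applied and can never be overridden by a role. The users, roles, resources, and level ordering are constructed sample data.

```python
from enum import Enum

class Decision(Enum):
    YES = "yes"
    NO = "no"
    ERROR = "engine error"  # the engine could not decide (unknown subject/resource)

# Constructed sample ordering of security levels for the MAC check
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def mac_allows(subject_level, object_level, action, goal):
    """Mandatory check bound strictly to security levels.
    goal="confidentiality": write up, read down (no leak to a lower level).
    goal="integrity":       write down, read up (no tampering from below)."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if goal == "confidentiality":
        return s >= o if action == "read" else s <= o
    if goal == "integrity":
        return s <= o if action == "read" else s >= o
    raise ValueError(f"unknown goal {goal!r}")

class PermissionEngine:
    def __init__(self, goal="confidentiality"):
        self.goal = goal
        self.subjects = {}   # subject -> {"level": str, "roles": set}
        self.resources = {}  # resource -> security level
        self.roles = {}      # role -> {(action, resource), ...}; edited by admins only
    def decide(self, subject, action, resource):
        subj = self.subjects.get(subject)
        level = self.resources.get(resource)
        if subj is None or level is None:
            return Decision.ERROR  # cannot answer; the caller should fail closed
        # RBAC: the user holds permissions only through assigned roles
        granted = any((action, resource) in self.roles.get(r, set())
                      for r in subj["roles"])
        if not granted:
            return Decision.NO
        # MAC: a role grant never overrides the level rule
        if not mac_allows(subj["level"], level, action, self.goal):
            return Decision.NO
        return Decision.YES

def build_sample_engine(goal="confidentiality"):
    """Constructed sample policy (hypothetical users, roles, and resources)."""
    eng = PermissionEngine(goal)
    eng.roles["analyst"] = {("read", "report"), ("write", "report"), ("read", "logs")}
    eng.subjects["alice"] = {"level": "secret", "roles": {"analyst"}}
    eng.resources["report"] = "confidential"
    eng.resources["logs"] = "top_secret"
    return eng
```

Note that the analyst role grants "write report", yet the confidentiality engine still refuses it because a secret-level user writing into a confidential-level object is a write down.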
Basic principles of the access control model
(1) The principle of least privilege: grant a subject exactly the minimum permissions its task requires, no more and no less.
(2) The principle of least leakage: while a permission is being exercised, the information obtained is kept to a minimum.
(3) Multi-level security strategy: take the security level of information into account, so that high-level information does not leak to low-level subjects.
- Access control
- Network permission restrictions
- Directory-level security control
- Attribute security control
- Web server security control
- Network monitoring and lock control
- Security control of network ports and nodes
- Firewall control