Time
7 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
12

Video Transcription

00:03
Hey, guys. Welcome to the first video in the SSCP exam prep series.
00:08
I'm your host, Pete Cipolone. This is going to be the first lesson of the first domain.
00:16
So
00:17
in this lesson, since we don't have any objectives as of yet, we're gonna look at the
00:22
access control fundamental concepts. We're going to take a look at subjects and objects and how they interact with each other. And we're also going to take a look at the different types of access control: discretionary access control, which is access control with the permissions specified by the user,
00:41
and non-discretionary access control,
00:43
in which permissions are specified by administrators.
00:47
Let's get started.
00:51
Access control really comes down to two basic concepts: there are objects and subjects. An object is a passive entity that contains information, so this is things such as applications, data, systems and networks.
01:07
A subject, on the other hand, is an active entity that requests access to an object or the data within an object.
01:15
Examples of subjects are authorized users, unauthorized users, applications, systems and networks.
01:26
Now
01:26
there are certain things, like applications, systems and networks, that are considered to be both objects and subjects. How can this be? Well, there's no real distinction between an object or a subject as long as the object
01:45
is the one that contains information, and the subject is the one that's requesting the information.
01:49
So the subject is always the entity that is doing the accessing, and the object is the entity that is being accessed.
02:00
Let's take a look at an example. In this example below, we have a student and a teacher at a local school.
02:08
Now, usually the teacher asks the student questions, and then the student gives answers. So in this example, the professor would be considered the subject and the student would be considered the object, since the teacher
02:29
is asking for information
02:30
from the student.
02:31
Now, every once in a while, the student might have a question for the teacher,
02:38
and in this case, the student would be the subject and the teacher would be the object, since the teacher is being asked the question.
02:50
There are two different types of access control. The first is discretionary access control.
02:57
Discretionary access control is access control where the users decide the permissions.
03:05
There are two kinds of discretionary access control. There is discretionary access control, which is a means of assigning access rights based on rules specified by users.
03:15
And then there's also rule set based access control, which is more of a framework which gives data owners the discretion to determine access control rules.
03:24
So if you look a little bit further at discretionary access control, the owner sets the permissions. I'm sure you've seen this; this is an example of Linux permissions for a file.
03:38
So the data owner can set these permissions to give everyone, group members and the owner read, write and execute access. So from this example, you can see that the owner can read, write and execute whatever is in this file.
03:51
Group members, the people attached to the group, can read and execute,
03:54
and then everyone else can read and execute as well.
04:00
With rule set based access control, this is how the framework works.
04:04
The subject enters the enforcement area
04:08
and requests access to an object.
04:12
The enforcement area goes and checks the rules that have been written or constructed by the data owner to determine whether or not the subject should be granted access.
04:23
The rules come back with a yes or no,
04:26
and then the enforcement area returns a yes or no to the subject.
04:30
If the answer is yes, the subject can, then
04:33
get access to the object. If it's a no, then the subject cannot get access to the object.
04:43
The other type of access control is non-discretionary access control.
04:48
Everything that is not discretionary access control is considered non-discretionary access control.
04:55
So these are
04:58
controls that can't be changed by users, but rather they have to be changed by the administration. So the first kind is role based access control. This is where access decisions are based on the roles that individuals have as a part of the organization.
05:15
So people in certain departments can only access information that pertains to that department. So in this example, in the Payroll Documents folder, anyone from the marketing department cannot get access to the payroll documents, but anyone from
05:33
the payroll department can.
05:36
Content dependent access control works by permitting or denying subjects based on the content within the object.
05:45
Context based access control is concerned only with the context or sequence of events surrounding the access attempt.
05:54
Now it's very easy to get these two interchanged or confused, so it's important to know the difference. Content dependent access control only concerns itself with what's inside the object.
06:06
What is the information? And that's how they determine who gets a look at it and who doesn't.
06:14
Context based access control is only concerned with the sequence of events surrounding the access attempt.
06:23
There's also time based access control, which applies a time limitation to when a given role can be activated for controlling something.
06:30
This is to prevent people from logging into systems or networks at odd hours or really early in the morning or things like that, especially if they have no need for that. So basically, time based access control only allows users to access things within a certain time frame,
06:50
for example,
06:51
only letting users access information between nine and five.
06:58
Mandatory access control: subjects are given clearance labels and objects are given sensitivity labels,
07:03
and access rights are given based on the comparison of clearance and sensitivity labels.
07:11
This is used a lot in government institutions and implements the concept of need to know.
07:17
This is where you have your confidential, secret and top secret clearance labels. And then objects have sensitivity labels, and then access rights are given depending on the comparison.
07:33
Attribute based access control: this access control method is where subjects' requests to perform operations on objects are granted or denied based on the assigned attributes of each. Now this is similar to mandatory access control, but instead of sensitivity labels,
07:54
there are
07:55
attributes on the object, so these are characteristics that might be like a small description on the particular object, and then
08:03
a user comes in and looks at the characteristics or the descriptions.
08:09
And if there are the correct environment conditions, if they're allowed to access it and the policies say they're allowed to access it, then they will be allowed to access these objects.
08:20
In today's lecture, we discussed access control fundamental concepts and different types of access control.
08:28
Quiz time.
08:30
True or false: subjects can be objects and objects can be subjects.
08:37
If you said true, then you are correct. Remember, subjects and objects can be interchanged depending on what they are doing.
08:46
Subjects request access to information, and objects are the thing that's being accessed.
08:54
Another question.
08:56
What type of access control grants access based on rules specified by the user?
09:01
Is it A, mandatory access control; B, discretionary access control; C, context based access control; or D, content dependent access control?
09:13
If you said B, discretionary access control, then you are correct.
09:18
Remember, discretionary access control is based on rules that are specified at the discretion of the user.
09:28
Thanks for watching, guys. I hope you learned a lot in this video, and I'll see you next time.


Systems Security Certified Professional (SSCP)

Obtaining your SSCP certification signifies that you possess the ability to tackle the operational demands and responsibilities of security practitioners, including authentication, security testing, intrusion detection/prevention, incident response and recovery, attacks and countermeasures, cryptography, malicious code countermeasures, and more.

Instructed By

Pete Cipolone
Cyber Security Analyst and Programmer
Instructor