Authorization
Video Activity

Video Transcription
Welcome back. Now we'll talk about authorization. I always think of authorization as the "so what" of all of the IAM stuff. You have identified and authenticated. The important thing is that you are now authorized to access. Authorization is what you're allowed to do based on your identity. Ultimately, how is it that you gain access to resources? The way that happens is through what we refer to as an access control model. Operating systems and other applications are built on these models, and the models dictate how subjects can access an object. These are built into the operating system and are part of the security policy of the system.

One of the earliest references for computer system evaluation criteria was referred to as the Orange Book. It hasn't been used since the 1990s, but there was a book called the Trusted Computer System Evaluation Criteria. It was a part of a collection of books called the Rainbow Series. Every book in the series had a different color cover, and this one was orange. But the point of this book was to allow for systems to be certified based on their security criteria or security functions. How secure a system was would dictate its Orange Book rating. If I were a government agency, perhaps I could only work with a vendor who had a C2 rating on its system, or something like that. It's very desirable for vendors to get certified via the Orange Book. We go into this more in the CISSP course. But for now, it's good for you to know that this was an important book to determine whether or not certain systems could be used in federal environments.

They specified two security levels in the Orange Book. One was Discretionary Access Control, or DAC. The other was Mandatory Access Control, or MAC. Obviously, mandatory is going to be more secure. But keep in mind that not every system has to be the most secure system on the planet. There's a place for Mandatory Access Control systems, but Discretionary Access systems have their place as well. Now, there are also some other access control models that were not defined by the Orange Book. These are ways that certain environments allow access from a subject to an object. They are really not on par with DAC and MAC, but we'll talk about these last three as well: RBAC, ABAC, and RuBAC.

Let's start with DAC. Most of us have experience with Discretionary Access Control systems. Windows-based systems are DAC, Linux systems with the exception of Secure Linux, and iOS systems are DAC systems. Discretionary Access Control is called that because the security of the object is at the discretion of the object's owner. If you create a folder, you own the folder and you control access to it. You can give access to anyone you want. Since you own the folder, you get to choose the security for that object. You could put highly sensitive information in the folder and then you could share it with whomever you like. It's not really geared towards security as much as it is towards ease of use. These Access Control Lists, or ACLs, contain the rules of how permissions are granted. You know how you can right-click on a file or folder, go to Properties, and see the list of users who have full control or read-only control and so forth? Those are ACLs. You'll always associate them with the DAC environment.

A MAC environment is much more secure, and it's designed for the protection of sensitive data or classified information. In a MAC system, as an object is created, that object gets a security label. If the object contains top-secret information, it gets a top-secret label. Then if you have a user who has access to secret-level information, that person would have a security label for secret information. When that person tries to access the top-secret information, the user wouldn't be able to access it because the labels don't match. Unlike a DAC environment, the owner of the information doesn't have the ability to add a user or change a label. The operating system is in charge in a MAC environment. All decisions are made by the operating system based on comparing the labels. With MAC, you'll be using an operating system like Secure Linux or Solaris, which are software extensions that are referred to as trusted extensions. That allows Solaris to look at security labels and make decisions and operate in a MAC environment. The labels indicate clearance level and classification. Or they can indicate need to know. There could be other label types, but these are the ones we are the most familiar with. You have a much more secure environment with Mandatory Access Control.

I really think of DAC and MAC as being in a category by themselves. An operating system is designed to be MAC or DAC. It's built into the security code of the operating system. There are other access control models. To me, these are more like implementations. By that I mean we could provide access to someone based on their role in the organization instead of their name. Like instead of giving Jane Doe access based on her name, she could be given access based on being Trainer 1. That would be Role Based Access Control. That isn't built into the operating system, but we could administer that operating system using Role Based Access Control. A lot of places do. You group users based on their role within the organization. That's RBAC.

There's also something called Attribute Based Access Control, or ABAC. This uses certain characteristics of the user, like the person's location or tenure within the organization. In this case, we're basing the access on some characteristics associated with the account. We also have RuBAC, which is Rule-based Access Control. Now, don't worry about getting RBAC, ABAC, and RuBAC confused, because they will normally spell out the acronym on the test. Now, Rule-based Access Control is simply what firewalls use. Firewalls use rules to determine access. If traffic is from the 10 network, then block it. If traffic is coming in on port 80, then allow it. That's RuBAC.

To recap on authorization, we talked about how a subject is authorized to access an object. We talked about how that is driven by the operating system and the means of access control that gets configured. Your operating systems are primarily going to be based on either Discretionary Access Control or Mandatory Access Control. Most of the really common ones, like Windows systems, are on DAC. But MAC is found on high-security systems that use security labels and run on operating systems like Secure Linux or Solaris with trust extensions. Finally, we have Rule-based Access Control, Role Based Access Control, and Attribute Based Access Control as well.