In any given social network, the number of users might be significant, the number of resources that must be protected might be in the millions, and hence the number of access control policies that need to be defined might be in the billions. If only one permission is incorrectly granted, a user will be given unsupervised access to information and resources, which could jeopardize the security of the entire social network.
Presently, security of information is an indispensable responsibility for all media keeping and sharing information with others. In practice, all applications employ access control methods to protect their information. Access control identifies activities of legal users and governs every attempt performed by these users to
Hence, the following metrics are classified based upon the four categories mentioned above:
1. Ability to combine several related rules. The PBAAC decision engine is able to collect different access control rules, consolidate similar rules and derive a result under the specified condition. These rules can be defined by the controlling user, the target user, and the supervisor of the social network.
2. Ability to combine access control models. Under our approach, two access control models are combined, namely the ABAC and PBAC models. By using the ABAC model, access constraints will be defined for each entity, and by using PBAC, policies enforcing access to a resource will be defined. Under our model, policies will be defined by the controlling user, the target user, or the supervisor of the social network.
3. Ability to enforce the least privilege principle. Our model includes a supervisor entity, who is the administrator of the social network. The least privilege principle will be provided by rules defined by the supervisor. Our model accepts new users with various associated attributes. For the access control mechanisms to support the principle of least privilege, constraints are placed on the attributes belonging to a user.
4. Ability to resolve conflict rules. Rule
Formal user access control procedures must be documented, implemented and kept up to date for each application and information system to ensure authorised user access and to prevent unauthorised access. They must cover all stages of the lifecycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access. These must be agreed by IDI. User access rights must be reviewed at regular intervals to ensure that the appropriate rights are still allocated. System administration accounts must only be provided to users that are required to perform system administration tasks.
• Prepare a 5 to 10 minute PowerPoint assisted presentation on important access control infrastructure, and
Access control refers to the mechanisms that identify who can and cannot access a network, resource, application, or specific action.
Discretionary access control means only certain permitted users are allowed access to specific things. However, someone with permitted access can let another user use their access. The least privilege principle is where access is only granted to the systems and data that are needed to do the user's job. Sometimes temporary access is given to data that is required to access random jobs or to see what that user is doing. When this happens, the access is only temporary; it is imperative to uphold the principle of least privilege to ensure that the user does not have access to the data when the job is finished.
C1 - Discretionary Security Protection: In this subdivision, Access Control List (ACL) security protects User/Group/World. It covers the following: users who are all on the same security level; username and password protection and a secure authorisations database (ADB); a protected operating system and system operations mode; periodic integrity checking of the TCB; tested security mechanisms with no obvious bypasses; documentation for user security; documentation for systems administration security; documentation for security testing; and TCB design documentation. It is typically for users on the same security level.
Spiekermann and Cranor [Spiekermann2009] mention three spheres of privacy control based on access to data; the user sphere includes data on devices that are entirely under the user’s control, the recipient sphere includes service servers entirely under the control of a service provider where the user has no access and the joint sphere where users store data on recipients’ servers where both users and data recipients have access to data (such as email, file hosting services, social networks). Users can control the information flow from the user sphere to the other spheres with appropriate and intelligent access control mechanisms. Information processing and sharing in the recipient and joint spheres must be performed according to privacy policies
mandatory and discretionary access control policies. ACM Transactions on Information and System Security, Vol. 3, No. 2.
An access control system is a system designed to control entry, to keep intruders out of selected areas, and to manage the movement of people and vehicles within them. Its purpose is to increase security by determining who is allowed to enter or exit, and when and where.
The organization has a security objective of protecting the database from being altered. Since the data is held in the system, there are regulations that have been set to the users, and there are also limits to the functions that each user performs. In this case, there are three categories of users each with clearly defined responsibilities. For instance, the administration team has been given full control of the application in that they can even alter codes and perform any variations to the database objects. The other groups of users are the executives; these have the ability to access all the information
Policy Enforcement Point (PEP) is the system entity that controls access in accordance with a policy, by making requests to a PDP and enforcing the decision, which is the result of evaluating a set of XACML policies to "Permit", "Deny", "Indeterminate", or "Not Applicable". PEP was enhanced to handle session management and to enforce Conditional Active Session Access (CASA).
This week the company’s Chief Security Officer (CSO) tasked the IT security and audit group with auditing the company’s current IT system configuration policy and system settings with an emphasis on access control configurations. In a multiple user environment, such as our company and its various business units, it is important that the appropriate access restrictions enforce the least privilege model to ensure that employees can only access the data needed for their particular job functions and roles. Without these security configurations and access controls in place, it could be possible for employees to access corporate or customer information when they do not have a valid need. Our security audit will require a detailed analysis of the
Role based access control is an ideology through which access to systems is restricted based on authority given. It is used by organizations with a relatively large number of employees ranging from five hundred to one thousand and above (Sieunarine & University of Oxford, 2011). This is implemented through the mandatory access control or through the discretionary access control. These are the only two ways through which role based access control can be implemented.
With the use of computers, databases, and technology in general, security has grown to be a powerful tool that has to be used. The threat of outside sources intruding and exploiting crucial information is present on a daily basis. As a part of creating and implementing a security policy, a user must consider access control. Access control is a security tool that is used to control who can use or gain access to the protected technology. Access control security includes two levels: logical and physical. Though database intrusions can happen at any moment, access control provides another security barrier that is needed.
Confidentiality: Access controls help ensure that only authorized subjects can access objects. When unauthorized entities are able to access systems or data, it results in a loss of confidentiality.
Access matrix model: Provides object access rights (read/write/execute, or R/W/X) to subjects in a discretionary access control (DAC) system. An access