Access Control Models.

In this lesson, we are going to talk about the four access control models. They are DAC, MAC, RBAC, and ABAC.

The first one we're going to talk about is DAC. DAC is Discretionary Access Control. This is an access control policy that's determined by the owner. Every file out there and every folder is considered an object, and then you, the user, are considered an owner, or whoever owns that file or folder. Now, the owner gets to decide who gets to read that. So, in this example, for instance, I have a folder, and this folder is owned by Jason. Jason has decided that I can read and write it, because I'm Jason, but my staff members can only read it, and everybody else on the network can only read it. This is why DAC is commonly used: because you have very granular control to decide who has access to the things you've created. This works great if you want to be able to tell who can use which files and which folders, as the person who created it.

Now, the problem with this is that you have to have two things being met. First, every object in a system has to have an owner. Nothing can be out there without an owner, because if it had no owner, nobody would know who had the right permissions to it, because the owner sets the permissions. And second, you need to make sure that each owner determines the access rights and permissions for each object. If I'm the owner of a file and I never set permissions on it, nobody is going to be able to read it. And if I set those permissions too tightly, I can keep people out. Or if I set them too loosely, everyone can get access to it. So, the owner really has a lot of control here. So, in corporate systems, this can be dangerous, and you have to think about whether you want to use this model.

Now, the next model we're going to have is called MAC. It goes all the way to the other extreme. MAC is going to be Mandatory Access Control. It's an access control policy where the computer system gets to decide who gets access to what objects. Now, how does it do that? Well, with Discretionary Access Control, you, the owner, got to choose who got permissions. But in MAC, the computer's going to do that for you, and it does this through data labels. So, with MAC, data labels create this trust level for all subjects and all objects. So, every person out there gets a label of whether we have high trust, medium trust, or low trust for them, and each data object gets a label as well: high trust, medium trust, or low trust.

So, how does this work in the real world? Well, the most common use of Mandatory Access Control is in a military context for high-security systems. So, if you've seen a war movie at any time in your life, you've probably seen the words 'top secret' on some document. Well, there are really four levels of documentation inside the military context. They have the unclassified level. They have the confidential level. They have the secret level. And then, they have top secret, which is the most secret. Now, each person gets a clearance level of what they're allowed to see. So, maybe the private only gets to see confidential information, and maybe the colonel gets to see the top secret information, and the captain only gets to see the secret. And so, each person gets a label associated with them and their clearance, and then the documents all get labeled with whatever they are: unclassified, confidential, secret, or top secret. Now, if somebody wants to see a top secret document, they can only read it if they have a top secret clearance. If they have a confidential clearance, that's too low; they can't see it. If I had a secret document, then secret people and top secret people could read it. And so, that's the way it works. It compares the labels, and if you have the minimum or above, you can get to it.

Now, in MAC systems, they add another piece to that, though. If you want to access something, you need to not just meet the minimum level, but you also have to have what's called a need-to-know. So, for instance, let's say I have an army guy and a navy guy, and they both have a top secret clearance, but it's about a navy operation. Then, maybe that army guy doesn't need to know about it, and he's not going to get access, even though he has that clearance, right? So, these labels are very in-depth, and they get very, very complicated. That's the idea here with MAC.

Now, MAC is implemented through one of two ways. It can be rule-based or it can be lattice-based, and these are two different access control methods that are sub-methods of Mandatory Access Control. So, if you see rule-based or lattice-based, those are both Mandatory Access Control and rely on data labels. Now, Rule-based Access Control is a label-based access control system that defines whether access should be granted or denied to objects by comparing the object's label and the subject's label. So, if I compare your label, top secret, versus this document, top secret, you then get access because it meets that rule. Now, when I talk about lattice-based, this is going to use complex mathematics to create a set of objects and subjects and define how they all interact. This tries to get after that need-to-know piece as well. Again, for the exam, if you remember that lattice-based and rule-based are both types of Mandatory Access Control, that's about as far as you need to get on that.

Now, Mandatory Access Control does exist in a couple of operating systems. You can implement it inside the FreeBSD operating system, and you can implement it in SELinux. Notice, I didn't say Windows. That's because Windows uses Discretionary Access Control, as well as some other types we're going to talk about in the future. Now, we only see this Mandatory Access Control, this data labeling, used in high-security systems, because it's very expensive and very complex to maintain, and for that reason, we don't usually use it.

Now, in an organization, the one that we use almost exclusively is known as RBAC, Role-Based Access Control. Role-Based Access Control is an access model that's controlled by the system, like MAC is, but instead, it focuses on a set of permissions vice an individual's permissions. So, we don't have to actually label each individual person on every single file. Instead, we can use roles for those people. So, the way I like to think about this is we create roles for each job function, and then we assign roles for each person's permissions to each object. So, let me give you an example. Let's say you go into your company; there's the sales department, and then there's the HR department, and then there's the IT department. So, we've got these three departments. Do the sales people need to have access to the human resources people's files? Probably not. Do the HR people need to have access to the sales people's files? Probably not. Does IT need to have access to everybody's files? Probably, if they're going to do all the data backups and maintenance, right?

And so, what we do is we create these different groups, and then those groups get a set of permissions, and those are applied to the different files and folders. Also, when we do this, we add or remove people into these roles instead of onto those particular files. So, going back to my earlier example, I had a file on the shared drive, and you saw that Jason was added to it individually. That's a bad practice. In role-based, we would instead have an owners group. We would have an admin group. We would have an IT group. We would have a sales group, whatever all those groups are. And we put the people who have the same job into the same functions, and we control permissions that way. So, the whole idea here with role-based is that we set permissions based on the job function. What is the role that person is doing?

I'll give you a good example of this. There's a role-based group called power users. Power users are people who aren't a normal user, but they're not an administrator, either. They're somewhere in the middle. For example, an administrator might have full access to do whatever they want on a system, whereas a user might only be able to operate the programs that currently exist, but they can't make configuration changes like changing the time or adding a printer. Well, a power user has a little bit more permissions than a regular user, and they can do things like changing the time, or they can add a printer to the network. That's the idea here. So, we can put different users into that power users group, and they would then inherit those permissions and be able to do those functions. That's the idea here with role-based permissions.

The last one we have is ABAC, and ABAC stands for Attribute-Based Access Control. This is an access control model that's dynamic and context-aware, and uses if-then statements to decide on what permissions to use. So, the idea here is that we have something like, if Jason is in HR, then we'll give him access to the file server that contains the HR files. Attributes are going to use these tags and dynamic authentication to combine different attributes, and they can do this using all sorts of different software automation, and this is one of the newest forms of access control. It's not heavily used in a lot of places yet, but it is trying to gain a lot of traction. The idea here is that we can look at Jason and we can start saying, is he part of this, is he part of this, is he part of this? And if so, we can get a consolidated list of all the things Jason can do and give him permissions to that. That's the idea with attribute-based. When you think of attribute-based, I want you to think of dynamic authentication and tags, because this is all about tagging things so you can give them the right permissions.
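As an added illustration that is not part of the lesson, the Python below sketches the decision rule of each of the four models using the lesson's own scenarios: Jason's folder for DAC, clearance levels plus a need-to-know compartment for MAC, the sales/HR/IT groups for RBAC, and an if-then rule for ABAC. All names, shares and labels are constructed sample data.

```python
from dataclasses import dataclass, field

# --- DAC: the object's owner sets the ACL and keeps control of the object ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of rights; "*" = everyone

def dac_allowed(obj, subject, right):
    if subject == obj.owner:
        return True  # the owner sets the permissions, so the owner is never locked out
    rights = obj.acl.get(subject, set()) | obj.acl.get("*", set())
    return right in rights

# Constructed example: Jason's folder; staff may read, everyone on the network may read
JASON_FOLDER = DacObject(owner="jason", acl={"staff": {"read"}, "*": {"read"}})

# --- MAC: the system compares labels; clearance must dominate classification ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def mac_allowed(clearance, compartments, classification, required):
    """Lattice dominance: level at or above, plus need-to-know (every required
    compartment must be held). An army reader without the 'navy' compartment
    is denied even with a top secret clearance."""
    return (LEVELS[clearance] >= LEVELS[classification]
            and set(required) <= set(compartments))

# --- RBAC: permissions attach to roles; people are added to or removed from roles ---
ROLE_PERMS = {
    "sales": {"sales_share": {"read", "write"}},
    "hr": {"hr_share": {"read", "write"}},
    "it": {"sales_share": {"read", "backup"}, "hr_share": {"read", "backup"}},
}

def rbac_allowed(user_roles, resource, right):
    """Granted if any of the user's roles carries that right on the resource."""
    return any(right in ROLE_PERMS.get(r, {}).get(resource, set()) for r in user_roles)

# --- ABAC: if-then rules evaluated over subject and object attributes ---
def hr_files_rule(subject, obj):
    # "if Jason is in HR, then give him access to the server holding the HR files"
    return subject.get("department") == "HR" and obj.get("tag") == "hr-files"

def abac_allowed(subject, obj, rules):
    """Any matching rule grants; no matching rule means deny by default."""
    return any(rule(subject, obj) for rule in rules)
```

Note that `DacObject(owner="jason")` with no ACL set denies every non-owner, which is the "owner never set permissions" failure the lesson warns about.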