Information Security Access Control Strategy


1. Autonomous access control

Access decisions are based on the identity of the subject and the permissions it has been granted (this model is also known as discretionary access control, DAC).

  • Autonomy means that a subject holding certain access rights can, on its own, grant some subset of those rights to other subjects.
  • It is highly flexible and widely adopted.

Disadvantage

Access rights to information can change as rights are passed from subject to subject. For example, user A can pass its access rights to object O on to user B, so that B, who originally had no access to O, can now access O.

2. Mandatory access control

Each user and each file is assigned a security level. Users cannot change their own security level or that of any object; that is, individual users are not allowed to determine access rights, and only the system administrator can determine the access rights of users and groups. The system decides whether a user may access a file by comparing the security level of the user with that of the file.

There are generally five security levels:

  • Top Secret (T)
  • Secret (S)
  • Confidential (C)
  • Restricted (R)
  • Unclassified (U)

where T > S > C > R > U.
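
The comparison described above, as an added example that is not part of the original post: a minimal mandatory access control check over the five levels T > S > C > R > U, in which only the administrator may assign levels. It assumes the Bell-LaPadula comparison rule (read allowed only if the user's level dominates the file's, write allowed only if the file's level dominates the user's); the post itself only says the two levels are compared. All names and files are constructed sample data.

```python
# Added example, not from the original post: a minimal mandatory access control
# check over the five levels above, T > S > C > R > U. Assumption: the comparison
# rule is Bell-LaPadula (read only if the subject's clearance dominates the object's
# label, write only if the object's label dominates the subject's clearance).
LEVELS = {"U": 0, "R": 1, "C": 2, "S": 3, "T": 4}

def dominates(a: str, b: str) -> bool:
    """True if level a is at least as high as level b."""
    return LEVELS[a] >= LEVELS[b]

def can_read(subject_level: str, object_level: str) -> bool:
    """Simple security property: no read up."""
    return dominates(subject_level, object_level)

def can_write(subject_level: str, object_level: str) -> bool:
    """Star property: no write down, so data cannot flow to a lower level."""
    return dominates(object_level, subject_level)

class MacSystem:
    """Levels are assigned by the administrator only; users cannot relabel."""

    def __init__(self, admin: str):
        self.admin, self.subjects, self.objects = admin, {}, {}

    def set_level(self, actor: str, name: str, level: str, is_object: bool) -> None:
        if actor != self.admin:
            raise PermissionError(f"{actor} may not change security levels")
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        (self.objects if is_object else self.subjects)[name] = level

    def check(self, user: str, filename: str, mode: str) -> bool:
        s, o = self.subjects[user], self.objects[filename]
        return can_read(s, o) if mode == "read" else can_write(s, o)

def demo() -> dict:
    """Constructed sample: root labels two users and two files, then checks access."""
    mac = MacSystem(admin="root")
    mac.set_level("root", "alice", "S", is_object=False)
    mac.set_level("root", "bob", "R", is_object=False)
    mac.set_level("root", "plan.txt", "C", is_object=True)
    mac.set_level("root", "notice.txt", "U", is_object=True)
    return {
        "alice_reads_plan": mac.check("alice", "plan.txt", "read"),        # True
        "bob_reads_plan": mac.check("bob", "plan.txt", "read"),            # False
        "alice_writes_notice": mac.check("alice", "notice.txt", "write"),  # False
        "bob_writes_plan": mac.check("bob", "plan.txt", "write"),          # True
    }
```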

3. Role-based access control

Role-based Access Control (RBAC)

  • Basic idea: access permissions are assigned to roles, and a user obtains the permissions of a role by taking on that role; different roles give different permissions.
  • The role acts as a bridge between the accessing subject and the controlled object.
  • Roles are defined by the system administrator, and members can only be added to or removed from a role by the system administrator; that is, only the system administrator has the right to define and assign roles.
  • The user has no direct relationship with the object; the user can only obtain the permissions corresponding to a role through that role, and access the corresponding objects through it. Therefore, a user cannot autonomously grant access rights to other users.

4. Task-based access control

Task-based Access Control (TBAC)

  • Access permission control over objects is not static but changes with the execution context of the task.
  • The TBAC model consists of four parts: workflow, authorization structure, trustee set, and permission set.
  • The TBAC model is generally represented by a five-tuple (S, O, P, L, AS), where S represents the subject, O represents the object, P represents the permission, L represents the lifecycle, and AS represents the authorization step.
  • TBAC models access from the perspective of tasks in a workflow, and can dynamically manage permissions according to the task and its state. TBAC is therefore well suited to information processing control in distributed computing and multipoint access control, as well as to decision making in workflow, distributed processing and transaction management systems.

5. Object-based access control

Object-based Access Control (OBAC)

  • The access control list is associated with the controlled object or with its attributes, and access control entries are designed as a collection of users, groups or roles together with their corresponding permissions.
  • It allows reuse, inheritance, and derivation of policies and rules: derived objects can inherit the access control settings of the parent object.
  • It reduces the workload of assigning and setting role permissions that the derivation, evolution and reorganization of information resources would otherwise cause.

Origin blog.csdn.net/qq_44273429/article/details/112794338