Question

1) How are authentication and authorization alike and how are they different. What is the relationship between the two? Please explain using example(s).

2) Use example(s) to explain one of the access control models (MAC, DAC, RBAC, Rule-based AC, and ABAC).

Homework Answers

Answer #1

Authentication vs. authorization definitions

Authentication: Authentication is the process of verifying a user’s identity and ability to access a requested account. For instance, entering a password or online banking credentials or answering security questions authenticates a user by identifying her and verifying that she is who she claims to be.

Authorization: Authorization, on the other hand, establishes which permissions the user has within an app, or, in other words, determines what he is able to do — for instance, request or edit data. The authorization process also grants permission to third parties to access data on behalf of users. For example, a user might authorize a financial services app to access his bank transaction history or log into a third-party app using Facebook or Google. Such authorization makes for easier interactions and increases conversions.


Authentication is about validating your credentials such as Username/User ID and password to verify your identity. The system then checks whether you are what you say you are using your credentials. Whether in public or private networks, the system authenticates the user identity through login passwords. Usually authentication is done by a username and password, although there are other various ways to be authenticated.

Authentication factors determine the many different elements the system uses to verify one’s identity before granting the individual access to anything. An individual’s identity can be determined by what the person knows, and when it comes to security at least two or all the three authentication factors must be verified in order to grant someone permission to the system. Based on the security level, authentication factors can vary from one of the following:

Single-Factor Authentication: This is the simplest form of authentication method which requires a password to grant user access to a particular system such as a website or a network. The person can request access to the system using only one of the credentials to verify one’s identity. For example, only requiring a password against a username would be a way to verify a login credential using single-factor authentication.

Two-Factor Authentication: This authentication requires a two-step verification process which not only requires a username and password, but also a piece of information only the user knows. Using a username and password along with confidential information makes it that much harder for hackers to steal valuable and personal data.

Multi-Factor Authentication: This is the most advanced method of authentication which requires two or more levels of security from independent categories of authentication to grant user access to the system. This form of authentication utilizes factors that are independent of each other in order to eliminate any data exposure. It is common for financial organizations, banks, and law enforcement agencies to use multi-factor authentication.

Authorization

Authorization occurs after your identity is successfully authenticated by the system, which therefore gives you full access to resources such as information, files, databases, funds, etc. However, authorization verifies your rights to grant you access to resources only after determining your ability to access the system and up to what extent. In other words, authorization is the process to determine whether the authenticated user has access to the particular resources. A good example of this is, once verifying and confirming employee ID and passwords through authentication, the next step would be determining which employee has access to which floor and that is done through authorization.

Access to a system is protected by authentication and authorization, and they are frequently used in conjunction with each other. Although both have different concepts behind them, they are critical to the web service infrastructure, especially when it comes to being granted access to a system. Understanding each term is very important and a key aspect of security.

Q.2: Answer:

Mandatory access control

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

With mandatory access control, this security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. (The traditional Unix system of users, groups, and read-write-execute permissions is an example of DAC.) MAC-enabled systems allow policy administrators to implement organization-wide security policies. Under MAC (and unlike DAC), users cannot override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.

Implementations

A few MAC implementations, such as Unisys' Blacker project, were certified robust enough to separate Top Secret from Unclassified late in the last millennium. Their underlying technology became obsolete and they were not refreshed. Today there are no current implementations certified by TCSEC to that level of robust implementation. However, some less robust products exist.

  • Amon Ott's RSBAC (Rule Set Based Access Control) provides a framework for Linux kernels that allows several different security policy / decision modules. One of the models implemented is the Mandatory Access Control model. A general goal of RSBAC design was to try to reach (obsolete) Orange Book (TCSEC) B1 level. The model of mandatory access control used in RSBAC is mostly the same as in Unix System V/MLS, Version 1.2.1 (developed in 1989 by the National Computer Security Center of the USA with classification B1/TCSEC). RSBAC requires a set of patches to the stock kernel, which are maintained quite well by the project owner.
  • An NSA research project called SELinux added a Mandatory Access Control architecture to the Linux Kernel, which was merged into the mainline version of Linux in August 2003. It utilizes a Linux 2.6 kernel feature called LSM (Linux Security Modules interface). Red Hat Enterprise Linux version 4 (and later versions) come with an SELinux-enabled kernel. Although SELinux is capable of restricting all processes in the system, the default targeted policy in RHEL confines the most vulnerable programs from the unconfined domain in which all other programs run. RHEL 5 ships 2 other binary policy types: strict, which attempts to implement least privilege, and MLS, which is based on strict and adds MLS labels. RHEL 5 contains additional MLS enhancements and received 2 LSPP/RBACPP/CAPP/EAL4+ certifications in June 2007.
  • TOMOYO Linux is a lightweight MAC implementation for Linux and Embedded Linux, developed by NTT Data Corporation. It was merged into Linux Kernel mainline version 2.6.30 in June 2009.[8] Differently from the label-based approach used by SELinux, TOMOYO Linux performs a pathname-based Mandatory Access Control, separating security domains according to process invocation history, which describes the system behavior. Policies are described in terms of pathnames. A security domain is simply defined by a process call chain, and represented by a string. There are 4 modes: disabled, learning, permissive, enforcing. Administrators can assign different modes for different domains. TOMOYO Linux introduced the "learning" mode, in which the accesses that occur in the kernel are automatically analyzed and stored to generate MAC policy: this mode could then be the first step of policy writing, making it easy to customize later.
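
An added example, not part of the original answer, that runs both questions through one toy reference monitor: a request is first authenticated, then authorized against an owner-managed ACL (DAC) and a label check the owner cannot override (MAC). The names `ReferenceMonitor` and `Level` are hypothetical, and the "no read up, no write down" label rule is an assumption chosen for the sketch; the answer above does not specify a rule.

```python
import hashlib, hmac, os
from enum import IntEnum

class Level(IntEnum):  # constructed sensitivity labels, low to high
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ReferenceMonitor:
    def __init__(self):
        self.users = {}    # name -> (salt, password hash, clearance)
        self.objects = {}  # name -> {"owner", "label", "acl"}

    def add_user(self, name, password, clearance):
        salt = os.urandom(16)
        self.users[name] = (salt, _kdf(password, salt), clearance)

    def add_object(self, name, owner, label):
        self.objects[name] = {"owner": owner, "label": label,
                              "acl": {owner: {"read", "write"}}}

    def authenticate(self, name, password):
        """Authentication: does the caller hold the credential for `name`?"""
        rec = self.users.get(name)
        return rec is not None and hmac.compare_digest(rec[1], _kdf(password, rec[0]))

    def grant(self, granter, user, obj, op):
        """DAC: the owner extends the ACL at their own discretion."""
        if self.objects[obj]["owner"] != granter:
            raise PermissionError("only the owner may change the ACL")
        self.objects[obj]["acl"].setdefault(user, set()).add(op)

    def authorize(self, user, obj, op):
        """Authorization: the DAC ACL and the MAC label rule must both allow."""
        o, clearance = self.objects[obj], self.users[user][2]
        dac_ok = op in o["acl"].get(user, set())
        # Assumed MAC rule: no read up, no write down.
        mac_ok = clearance >= o["label"] if op == "read" else clearance <= o["label"]
        return dac_ok and mac_ok

    def access(self, user, password, obj, op):
        if not self.authenticate(user, password):
            return "denied: authentication failed"
        if not self.authorize(user, obj, op):
            return "denied: not authorized"
        return "granted"
```

With a TOP_SECRET object owned by one user, calling `grant` for an UNCLASSIFIED user adds the ACL entry, yet `authorize` still returns `False` for that user: the owner's discretion does not reach the label check.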