1) How are authentication and authorization alike and how are they different. What is the relationship...

Authentication vs. authorization definitions

Authentication: Authentication is the process of verifying a user’s identity and ability to access a requested account. For instance, entering a password or online banking credentials or answering security questions authenticates a user by identifying her and verifying that she is who she claims to be.

Authorization: Authorization, on the other hand, establishes which permissions the user has within an app, or, in other words, determines what he is able to do — for instance, request or edit data. The authorization process also grants permission to third parties to access data on behalf of users. For example, a user might authorize a financial services app to access his bank transaction history or log into a third-party app using Facebook or Google (see here for a visual). Such authorization makes for easier interactions and increases conversions.

Authentication is about validating your credentials such as Username/User ID and password to verify your identity. The system then checks whether you are what you say you are using your credentials. Whether in public or private networks, the system authenticates the user identity through login passwords. Usually authentication is done by a username and password, although there are other various ways to be authenticated.

Authentication factors determine the many different elements the system uses to verify one’s identity before granting the individual access to anything. An individual’s identity can be determined by what the person knows, and when it comes to security at least two or all the three authentication factors must be verified in order to grant someone permission to the system. Based on the security level, authentication factors can vary from one of the following:

Single- Factor Authentication: This is the simplest form of authentication method which requires a password to grant user access to a particular system such as a website or a network. The person can request access to the system using only one of the credentials to verify one’s identity. For example, only requiring a password against a username would be a way to verify a login credential using single- factor authentication.

Two- Factor Authentication: This authentication requires a two- step verification process which not only requires a username and password, but also a piece of information only the user knows. Using a username and password along with a confidential information makes it that much harder for hackers to steal valuable and personal data.

Multi- Factor Authentication: This is the most advanced method of authentication which requires two or more levels of security from independent categories of authentication to grant user access to the system. This form of authentication utilizes factors that are independent of each other in order to eliminate any data exposure. It is common for financial organizations, banks, and law enforcement agencies to use multiple- factor authentication.

Authorization

Authorization occurs after your identity is successfully authenticated by the system, which therefore gives you full access to resources such as information, files, databases, funds, etc. However authorization verifies your rights to grant you access to resources only after determining your ability to access the system and up to what extent. In other words, authorization is the process to determine whether the authenticated user has access to the particular resources. A good example of this is, once verifying and confirming employee ID and passwords through authentication, the next step would be determining which employee has access to which floor and that is done through authorization.

Access to a system is protected by authentication and authorization, and they are frequently used in conjunction with each other. Although both have different concepts behind then, they are critical to the web service infrastructure, especially when it comes to being granted access to a system. Understanding each term is very important and a key aspect of security.

Q.2: Answer:

Mandatory access control

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

With mandatory access control, this security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. (The traditional Unix system of users, groups, and read-write-execute permissions is an example of DAC.) MAC-enabled systems allow policy administrators to implement organization-wide security policies. Under MAC (and unlike DAC), users cannot override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.

Implementations

A few MAC implementations, such as Unisys' Blacker project, were certified robust enough to separate Top Secret from Unclassified late in the last millennium. Their underlying technology became obsolete and they were not refreshed. Today there are no current implementations certified by TCSEC to that level of robust implementation. However, some less robust products exist.

• Amon Ott's RSBAC (Rule Set Based Access Control) provides a framework for Linux kernels that allows several different security policy / decision modules. One of the models implemented is Mandatory Access Control model. A general goal of RSBAC design was to try to reach (obsolete) Orange Book (TCSEC) B1 level. The model of mandatory access control used in RSBAC is mostly the same as in Unix System V/MLS, Version 1.2.1 (developed in 1989 by the National Computer Security Center of the USA with classification B1/TCSEC). RSBAC requires a set of patches to the stock kernel, which are maintained quite well by the project owner.
• An NSA research project called SELinux added a Mandatory Access Control architecture to the Linux Kernel, which was merged into the mainline version of Linux in August 2003. It utilizes a Linux 2.6 kernel feature called LSM (Linux Security Modules interface). Red Hat Enterprise Linux version 4 (and later versions) come with an SELinux-enabled kernel. Although SELinux is capable of restricting all processes in the system, the default targeted policy in RHEL confines the most vulnerable programs from the unconfined domain in which all other programs run. RHEL 5 ships 2 other binary policy types: strict, which attempts to implement least privilege, and MLS, which is based on strict and adds MLS labels. RHEL 5 contains additional MLS enhancements and received 2 LSPP/RBACPP/CAPP/EAL4+ certifications in June 2007.
• TOMOYO Linux is a lightweight MAC implementation for Linux and Embedded Linux, developed by NTT Data Corporation. It has been merged in Linux Kernel mainline version 2.6.30 in June 2009.[8] Differently from the label-based approach used by SELinux, TOMOYO Linux performs a pathname-based Mandatory Access Control, separating security domains according to process invocation history, which describes the system behavior. Policy are described in terms of pathnames. A security domain is simply defined by a process call chain, and represented by a string. There are 4 modes: disabled, learning, permissive, enforcing. Administrators can assign different modes for different domains. TOMOYO Linux introduced the "learning" mode, in which the accesses occurred in the kernel are automatically analyzed and stored to generate MAC policy: this mode could then be the first step of policy writing, making it easy to customize later.