
Compare and contrast access control models. Select an access control model that

ID: 3557624 • Letter: C

Question

Compare and contrast access control models. Select an access control model that best prevents unauthorized access for each of the five scenarios given below. Which types of logical access controls should be used in each scenario? Justify your recommendations.

Access Control Models

- Mandatory access controls
- Discretionary access controls
- Role-based access controls
- Rule-based access controls
- Content-dependent access controls
- Nondiscretionary access controls

Scenarios

1. Shovels and Shingles is a small construction company consisting of 12 computers that have Internet access.
2. Top Ads is a small advertising company consisting of 12 computers that have Internet access. All employees communicate using smartphones.
3. NetSecIT is a multinational information technology (IT) services company consisting of 120,000 computers that have Internet access and 45,000 servers. All employees communicate using smartphones and e-mail. Many employees work from home and travel extensively.
4. Backordered Parts is a defense contractor that builds communications parts for the military. All employees communicate using smartphones and e-mail.
5. Confidential Services Inc. is a military support branch consisting of 14,000,000 computers with Internet access and 250,000 servers. All employees must have security clearances, and they communicate mainly using smartphones and e-mail.

Explanation / Answer

Parts of the Access Control Model

There are two basic parts of the access control model:

When a user logs on, the system authenticates the user's account name and password. If the logon is successful, the system creates an access token. Every process executed on behalf of this user will have a copy of this access token. The access token contains security identifiers that identify the user's account and any group accounts to which the user belongs. The token also contains a list of the privileges held by the user or the user's groups. The system uses this token to identify the associated user when a process tries to access a securable object or perform a system administration task that requires privileges.

When a securable object is created, the system assigns it a security descriptor that contains security information specified by its creator, or default security information if none is specified. Applications can use functions to retrieve and set the security information for an existing object.

A security descriptor identifies the object's owner and can also contain the following access control lists:

An ACL contains a list of access control entries (ACEs). Each ACE specifies a set of access rights and contains a SID that identifies a trustee for whom the rights are allowed, denied, or audited. A trustee can be a user account, group account, or logon session.

Use functions to manipulate the contents of security descriptors, SIDs, and ACLs rather than accessing them directly. This helps ensure that these structures remain syntactically accurate and prevents future enhancements to the security system from breaking existing code.

The following topics provide information about parts of the access control model:

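Added example, not part of the original answer: a simplified Python model of how the SIDs in an access token are matched against the ACEs of an object's discretionary ACL. The SIDs, rights bits and names are constructed; the in-order evaluation, the unprotected no-DACL case and the implicit deny follow documented Windows behaviour that the answer does not spell out, and owner rights, privileges, inheritance and audit entries are not modelled.

```python
from dataclasses import dataclass

# Constructed rights bits and SIDs for illustration; not real Windows values.
READ, WRITE, DELETE = 0x1, 0x2, 0x4
ALICE, BOB, CAROL = "S-1-5-21-0-1001", "S-1-5-21-0-1002", "S-1-5-21-0-1003"
ENGINEERING, CONTRACTORS = "S-1-5-21-0-2001", "S-1-5-21-0-2002"

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee: user or group SID
    mask: int   # access rights this entry covers

@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset = frozenset()

    def sids(self):
        return {self.user_sid} | self.group_sids

def access_check(token, dacl, desired):
    """Return True if every right in `desired` is granted to the token."""
    if dacl is None:              # no DACL present: object is unprotected
        return True
    sids, remaining = token.sids(), desired
    for ace in dacl:              # entries are evaluated in stored order
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False          # explicit deny of a right not yet granted
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True       # all requested rights explicitly allowed
    return False                  # empty DACL or right never allowed: implicit deny

alice = Token(ALICE, frozenset({ENGINEERING, CONTRACTORS}))
bob = Token(BOB, frozenset({ENGINEERING}))
carol = Token(CAROL)

# Deny entries first, then allow entries.
DACL = [Ace("deny", CONTRACTORS, WRITE), Ace("allow", ENGINEERING, READ | WRITE)]
# Same entries in the wrong order: the allow is reached before the deny.
MISORDERED = list(reversed(DACL))

if __name__ == "__main__":
    for name, tok in (("alice", alice), ("bob", bob), ("carol", carol)):
        print(name, access_check(tok, DACL, READ), access_check(tok, DACL, WRITE))
    print("misordered, alice WRITE:", access_check(alice, MISORDERED, WRITE))
```

With the misordered list, alice's group allow is matched before the contractor deny, so the write she should be refused is granted; this is why deny entries are placed ahead of allow entries.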