
90 Eleventh Hour Security: Exam SY0-201 Study Guide

Access Control Subjects: The users, programs, and processes that are requesting permission to access control objects.

Access Control Systems: The procedures, processes, and controls in place to verify the authenticity of the request and the identity of the access control subject, and to determine the levels of access that the subject should be granted to the object.

Access control can be implemented in many different ways, all of which have the end result of controlling access to data, systems, or hardware:

- Physical (e.g., a biometric device to secure a door)
- Hardware (e.g., a dedicated firewall)
- Software (e.g., built-in application security)
- Policy (e.g., a workplace security policy)
- Network (e.g., secure networking protocols)

Access control models

Most access control systems are based on several basic access control models. These models define the operating parameters for the access control system and the manner in which it operates. The access control model also defines the way that permissions are set on access control objects and how authorization is handled in the access control system.

One of the first serious efforts to define the effectiveness of security controls in computing was the U.S. Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). The centerpiece of TCSEC was the "Orange Book" (named for the color of its cover), accompanied by the "Trusted Network Interpretation" (also known as the "Red Book"). The Orange and Red Books were superseded in 2005 by the Common Criteria for Information Technology Security Evaluation, also known as the Common Criteria or CC. Under the CC, software and hardware can be certified at a variety of Evaluation Assurance Levels (EAL) similar to those available with the Orange and Red Books. These levels range from EAL1 through EAL7. Using these criteria, Microsoft Windows Vista and Windows Server 2008 were graded as EAL1, the first level of certification.

The formal models of access control are theoretical applications of access control methods. They do not specify particular methods of controlling access, but rather guidelines that should be followed. They work best in static environments and are difficult to implement in dynamic systems that are constantly changing, such as those in most enterprise environments. The documentation on how these models are supposed to be implemented is very limited and does not give any specific examples.

Biba: The Biba formal model was written by K. J. Biba in 1977 and is unique in that it was the first formal model to address integrity. The Biba model