Page 190 - DCAP403_Operating System
Unit 10: System Protection
This used to be enforced mainly through a physical security guard. Then, with the advent of
electronic devices, access control has evolved into the use of physical card access systems of a
wide variety including biometric activated devices.
As computers evolved, the meaning of access control began to change. Initially “access control
lists” evolved specifying the user identities and the privileges granted to them in order to access
a network operating system or an application.
Access control further evolved into the authentication, authorization and audit of a user for
a session. Access control authentication devices evolved to include ID and password, digital
certificates, security tokens, smart cards and biometrics.
Access control authorization meanwhile evolved into Role Based Access Control (RBAC). This
normally involves “mandatory access control”. Mandatory access control refers to access control policies
that are determined by the system and not by the application or information owner.
RBAC is commonly found in government, military and other enterprises where the role
definitions are well defined, the pace of change is not that fast and the supporting human resource
environment is capable of keeping up with changes to an identity regarding their roles and privileges.
Access control is the process by which users are identified and granted certain privileges to
information, systems, or resources. Understanding the basics of access control is fundamental to
understanding how to manage proper disclosure of information.
10.1 System Protection
The use of computers to store and modify information can simplify the composition, editing,
distribution, and reading of messages and documents. These benefits are not free, however;
part of the cost is the aggravation of some of the security problems discussed above and the
introduction of some new problems as well. Most of the difficulties arise because a computer and
its programs are shared amongst several users.
Example: Consider a computer program that displays portions of a document on a
terminal. The user of such a program is very likely not its developer. It is, in general, possible for
the developer to have written the program so that it makes a copy of the displayed information
accessible to himself (or a third party) without the permission or knowledge of the user who
requested the execution of the program. If the developer is not authorised to view this information,
security has been violated.
In compensation for the added complexities automation brings to security, an automated system,
if properly constructed, can bestow a number of benefits as well.
Example: A computer system can place stricter limits on user discretion. In the paper
system, the possessor of a document has complete discretion over its further distribution. An
automated system that enforces distribution constraints strictly can prevent the recipient of a
message or document from passing it to others. Of course, the recipient can always copy the
information by hand or repeat it verbally, but the inability to pass it on directly is a significant
barrier.
An automated system can also offer new kinds of access control. Permission to execute certain
programs can be granted or denied so that specific operations can be restricted to designated
users. Controls can be designed so that some users can execute a program but cannot read or
modify it directly. Programs protected in this way might be allowed to access information not
directly available to the user, filter it, and pass the results back to the user.
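The execute-only arrangement described above, modelled as a small reference monitor in Python. This is an added example, not part of the original text; the names (Monitor, alice, bob, payroll.db, salary_report, payroll_domain) and the records are constructed for illustration.

```python
# Added illustration: a toy reference monitor. All names and data are constructed.

class AccessDenied(Exception):
    pass

class Monitor:
    def __init__(self):
        self.acl = {}       # object name -> {subject: set of rights}
        self.data = {}      # data objects: name -> list of records
        self.programs = {}  # program objects: name -> (domain, function)

    def grant(self, obj, subject, *rights):
        self.acl.setdefault(obj, {}).setdefault(subject, set()).update(rights)

    def check(self, subject, obj, right):
        if right not in self.acl.get(obj, {}).get(subject, set()):
            raise AccessDenied(f"{subject} lacks {right} on {obj}")

    def read(self, subject, obj):
        self.check(subject, obj, "read")
        if obj in self.programs:
            return self.programs[obj][1]      # reading a program yields its code
        return list(self.data[obj])

    def execute(self, subject, prog):
        self.check(subject, prog, "execute")
        domain, func = self.programs[prog]
        # The program body reads with its own domain's rights, not the caller's.
        return func(lambda obj: self.read(domain, obj), subject)

def salary_report(read, caller):
    """Protected program: filters the payroll file down to the caller's own row."""
    return [r for r in read("payroll.db") if r["name"] == caller]

def build_demo():
    m = Monitor()
    m.data["payroll.db"] = [{"name": "alice", "salary": 100},
                            {"name": "bob", "salary": 120}]
    m.programs["salary_report"] = ("payroll_domain", salary_report)
    m.grant("payroll.db", "payroll_domain", "read")
    m.grant("salary_report", "alice", "execute")  # execute only: no read or write
    return m

if __name__ == "__main__":
    m = build_demo()
    print(m.execute("alice", "salary_report"))
    for attempt in (lambda: m.read("alice", "payroll.db"),
                    lambda: m.read("alice", "salary_report")):
        try:
            attempt()
        except AccessDenied as e:
            print("denied:", e)
```

The user obtains the filtered result through the program, while direct reads of both the data file and the program itself are refused by the monitor.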
LOVELY PROFESSIONAL UNIVERSITY 183