WEBVTT

00:00.000 --> 00:01.680
>> Welcome back.

00:01.680 --> 00:04.380
>> Now we'll talk
about authorization.

00:04.380 --> 00:06.780
>> I always think
of authorization as

00:06.780 --> 00:10.200
the so what of all
of the IAM stuff.

00:10.200 --> 00:14.145
You have identified
and authenticated.

00:14.145 --> 00:16.470
The important thing
is that you are

00:16.470 --> 00:18.720
now authorized to access.

00:18.720 --> 00:21.420
Authorization is what
you're allowed to do

00:21.420 --> 00:23.650
>> based on your identity.

00:23.929 --> 00:26.630
>> Ultimately, how is it

00:26.630 --> 00:28.999
>> that you gain
access to resources?

00:28.999 --> 00:30.770
>> The way that
happens is through

00:30.770 --> 00:33.939
>> what we refer to as
an access control model.

00:33.939 --> 00:36.440
>> Operating systems
and other applications

00:36.440 --> 00:38.660
>> are built on these
models and the models

00:38.660 --> 00:41.400
>> dictate how subjects
can access an object.

00:41.400 --> 00:43.760
These are built into
the operating system

00:43.760 --> 00:47.670
>> and are part of the
security policy of the system.

00:47.829 --> 00:50.390
>> One of the
earliest references

00:50.390 --> 00:53.014
>> for computer system
evaluation criteria

00:53.014 --> 00:55.370
>> was referred to
as the Orange Book.

00:55.370 --> 00:58.100
It hasn't been used
since the 1990s,

00:58.100 --> 00:59.270
but there was a book called

00:59.270 --> 01:02.525
the Trusted Computer System
Evaluation Criteria.

01:02.525 --> 01:04.430
It was a part of a
collection of books

01:04.430 --> 01:06.129
>> called The Rainbow Series.

01:06.129 --> 01:09.350
>> Every book in the series
had a different color cover,

01:09.350 --> 01:11.495
and this one was orange.

01:11.495 --> 01:12.860
But the point of this book

01:12.860 --> 01:15.200
>> was to allow for
systems to be certified

01:15.200 --> 01:19.684
>> based on their security
criteria or security functions.

01:19.684 --> 01:22.035
>> How secure a system was

01:22.035 --> 01:24.525
would dictate its
Orange Book rating.

01:24.525 --> 01:26.810
If I were a government agency,

01:26.810 --> 01:28.700
perhaps I could only
work with a vendor

01:28.700 --> 01:30.740
>> who had a C2
rating on its system

01:30.740 --> 01:32.184
>> or something like that.

01:32.184 --> 01:34.310
>> It's very
desirable for vendors

01:34.310 --> 01:36.679
>> to get certified
via the Orange Book.

01:36.679 --> 01:40.105
>> We go into this more
in the CISSP course.

01:40.105 --> 01:42.350
But for now, it's good
for you to know that

01:42.350 --> 01:44.180
>> this was an important
book to determine

01:44.180 --> 01:45.620
>> whether or not
certain systems

01:45.620 --> 01:48.455
>> could be used in
federal environments.

01:48.455 --> 01:52.315
They specified two security
levels in the Orange Book.

01:52.315 --> 01:56.775
One was Discretionary
Access Control or DAC.

01:56.775 --> 02:00.770
The other was Mandatory
Access Control or MAC.

02:00.770 --> 02:04.355
Obviously, mandatory is
going to be more secure.

02:04.355 --> 02:06.590
But keep in mind
that not every system

02:06.590 --> 02:09.260
has to be the most secure
system on the planet.

02:09.260 --> 02:12.945
There's a place for Mandatory
Access Control systems,

02:12.945 --> 02:14.910
but Discretionary Access systems

02:14.910 --> 02:16.960
have their place as well.

02:16.960 --> 02:18.980
Now, there are also

02:18.980 --> 02:20.750
some other access control models

02:20.750 --> 02:23.180
that were not defined
by the Orange Book.

02:23.180 --> 02:25.550
These are ways that
certain environments allow

02:25.550 --> 02:28.160
access from a subject
to an object.

02:28.160 --> 02:31.110
They are really not on
par with DAC and MAC,

02:31.110 --> 02:33.740
but we'll talk about
these last three as well.

02:33.740 --> 02:39.720
RBAC, ABAC, and RuBAC or RuBAC.

02:39.720 --> 02:44.384
>> Let's start with DAC.

02:44.384 --> 02:46.140
>> Most of us have
experience with

02:46.140 --> 02:48.705
Discretionary Access
Control systems,

02:48.705 --> 02:51.390
Windows-based systems are DAC,

02:51.390 --> 02:55.035
Linux systems with the
exception of Secure Linux,

02:55.035 --> 02:58.160
and iOS systems are DAC systems.

02:58.160 --> 03:01.330
Discretionary Access Control
is called that because

03:01.330 --> 03:03.040
the security of the object is

03:03.040 --> 03:05.725
at the discretion of
the object's owner.

03:05.725 --> 03:07.735
If you create a folder,

03:07.735 --> 03:11.170
you own the folder and
you control access to it.

03:11.170 --> 03:13.460
You can give access
to anyone you want.

03:13.460 --> 03:14.870
Since you own the folder,

03:14.870 --> 03:17.480
you get to choose the
security for that object.

03:17.480 --> 03:19.638
You could put highly
sensitive information

03:19.638 --> 03:21.440
>> in the folder and
then you could share it

03:21.440 --> 03:22.804
>> with whomever you like.

03:22.804 --> 03:24.890
>> It's not really
geared towards security

03:24.890 --> 03:27.930
>> as much as it is
towards ease of use.

03:28.149 --> 03:31.910
>> These Access Control
Lists, or ACLs,

03:31.910 --> 03:34.849
>> contain the rules of how
permissions are granted.

03:34.849 --> 03:37.730
>> You know how you can
right-click on a file or folder

03:37.730 --> 03:39.034
>> and you go to Properties

03:39.034 --> 03:41.597
>> and you can see the list of
users who have full control

03:41.597 --> 03:43.819
>> or read-only
control and so forth?

03:43.819 --> 03:45.635
>> Those are ACLs.

03:45.635 --> 03:49.410
You'll always associate them
with the DAC environment.

03:50.540 --> 03:53.870
A MAC environment
is much more secure

03:53.870 --> 03:56.839
>> and it's designed for the
protection of sensitive data

03:56.839 --> 03:59.095
>> or classified information.

03:59.095 --> 04:02.435
In a MAC system, as
an object is created,

04:02.435 --> 04:05.155
that object gets
a security label.

04:05.155 --> 04:08.475
If the object contains
top-secret information,

04:08.475 --> 04:10.400
it gets a top-secret label.

04:10.400 --> 04:12.770
Then if you have a user who has

04:12.770 --> 04:15.050
access to secret
level information,

04:15.050 --> 04:17.210
that person would
have a security label

04:17.210 --> 04:19.300
for secret information.

04:19.300 --> 04:21.600
When that person tries to access

04:21.600 --> 04:23.299
>> the top-secret information,

04:23.299 --> 04:25.340
>> the user wouldn't
be able to access it

04:25.340 --> 04:27.749
>> because the
labels don't match.

04:27.749 --> 04:29.735
>> Unlike a DAC environment,

04:29.735 --> 04:31.730
the owner of the
information doesn't have

04:31.730 --> 04:34.750
the ability to add a
user or change a label.

04:34.750 --> 04:38.150
The operating system is in
charge in a MAC environment.

04:38.150 --> 04:41.030
All decisions are made
by the operating system

04:41.030 --> 04:43.189
>> based on comparing
the labels.

04:43.189 --> 04:45.320
>> With MAC, you'll be using

04:45.320 --> 04:49.185
an operating system like
Secure Linux or Solaris,

04:49.185 --> 04:50.810
which are software extensions

04:50.810 --> 04:53.719
>> that are referred to
as trusted extensions.

04:53.719 --> 04:56.810
>> That allows Solaris to
look at security labels

04:56.810 --> 04:59.924
>> and make decisions and
operate in a MAC environment.

04:59.924 --> 05:03.620
>> The labels indicate clearance
level and classification.

05:03.620 --> 05:06.025
Or they can indicate
need to know.

05:06.025 --> 05:08.125
There could be
other label types.

05:08.125 --> 05:11.005
But these are the ones we
are the most familiar with.

05:11.005 --> 05:13.280
You have a much more
secure environment

05:13.280 --> 05:15.770
with Mandatory Access Control.

05:15.770 --> 05:18.290
I really think of DAC and MAC as

05:18.290 --> 05:20.375
being in a category
by themselves.

05:20.375 --> 05:23.875
An operating system is
designed to be MAC or DAC.

05:23.875 --> 05:25.700
It's built into
the security code

05:25.700 --> 05:27.930
of the operating system.

05:28.460 --> 05:31.770
There are other access
control models.

05:31.770 --> 05:35.085
To me, these are more
like implementations.

05:35.085 --> 05:38.420
By that, we could provide
access to someone

05:38.420 --> 05:40.520
based on their role
in the organization

05:40.520 --> 05:42.190
instead of their name.

05:42.190 --> 05:45.000
Like instead of giving
Jane Doe access

05:45.000 --> 05:46.084
>> based on her name,

05:46.084 --> 05:49.390
>> she could be given access
based on being Trainer 1.

05:49.390 --> 05:52.155
That would be Role
Based Access Control.

05:52.155 --> 05:54.530
That isn't built into
the operating system.

05:54.530 --> 05:57.020
But we could administer
that operating system

05:57.020 --> 05:58.760
>> using Role Based
Access Control.

05:58.760 --> 06:00.969
>> A lot of places do.

06:00.969 --> 06:02.780
>> You group users based on

06:02.780 --> 06:05.195
their role within
the organization.

06:05.195 --> 06:08.975
That's RBAC or RBAC.

06:08.975 --> 06:10.715
There's also something called

06:10.715 --> 06:12.785
Attribute Based Access Control,

06:12.785 --> 06:15.535
or ABAC or ABAC.

06:15.535 --> 06:18.320
This uses certain
characteristics of the user,

06:18.320 --> 06:20.090
like the person's location or

06:20.090 --> 06:22.220
tenure within the organization.

06:22.220 --> 06:24.860
In this case, we're
basing the access on

06:24.860 --> 06:28.470
some characteristics
associated with the account.

06:29.150 --> 06:31.500
We also have RuBAC,

06:31.500 --> 06:33.820
which is Rule-based
Access Control.

06:33.820 --> 06:35.930
Now, don't worry about getting

06:35.930 --> 06:39.575
RBAC or ABAC and
RuBAC confused,

06:39.575 --> 06:41.210
because they will normally spell

06:41.210 --> 06:42.969
>> the acronym on the test.

06:42.969 --> 06:45.470
>> Now, Rule-based
Access Control

06:45.470 --> 06:47.660
is simply what firewalls use.

06:47.660 --> 06:50.930
Firewalls use rules
to determine access.

06:50.930 --> 06:53.270
If traffic is from
the 10 network,

06:53.270 --> 06:54.544
>> then block it.

06:54.544 --> 06:57.515
>> If traffic is
coming in on port 80,

06:57.515 --> 06:58.370
then allow it.

06:58.370 --> 07:01.080
>> That's RuBAC.

07:02.659 --> 07:05.360
>> To recap on authorization,

07:05.360 --> 07:06.920
we talked about how a subject is

07:06.920 --> 07:09.125
authorized to access an object.

07:09.125 --> 07:10.970
We talked about
how that is driven

07:10.970 --> 07:12.230
>> by the operating system

07:12.230 --> 07:15.534
>> and the means of access
control that gets configured.

07:15.534 --> 07:18.380
>> Your operating systems
are primarily going to be

07:18.380 --> 07:21.109
>> based on either
Discretionary Access Control

07:21.109 --> 07:23.360
>> or Mandatory Access Control.

07:23.360 --> 07:25.415
Most of the really common ones,

07:25.415 --> 07:28.085
like Windows systems are on DAC.

07:28.085 --> 07:29.720
But MAC is found on

07:29.720 --> 07:32.420
high-security systems
that use security labels

07:32.420 --> 07:34.460
>> and run on
operating systems like

07:34.460 --> 07:38.420
>> Secure Linux or Solaris
with trust extensions.

07:38.420 --> 07:41.785
Finally, we have
Rule-based Access Control,

07:41.785 --> 07:43.620
Role Based Access Control,

07:43.620 --> 07:47.920
and Attribute Based
Access Control as well.

