What is Access Control?
Traditional computer security revolves around access control.
“It is where security engineering meets computer science.” —Ross Anderson, Security Engineering
Access control determines who has access to which resources in a system.
Access control works at a number of levels, from hardware at the base, up through the operating system, then middleware, and up to the application level.
“As we work up from the hardware through the operating system and middleware to the application layer, the controls become progressively more complex and less reliable.” —Ross Anderson, Security Engineering
Complexity tends to be at odds with security.
“Now one of the biggest challenges in computer security is preventing one program from interfering with another.” Ross Anderson, Security Engineering
It is very hard to do this when many end-users want applications that interact with each other.
Operating System Access Controls
These are the access controls typically provided with an operating system.
Groups & Roles
Three advanced protection techniques are:
- Sandboxing
- Virtualization
- “Trusted Computing”
Sandboxing is an application-level control; for example, a sandbox run in a browser restricts what mobile code can do.
Virtualization runs underneath the operating system, creating two or more independent virtual machines between which information flows can be controlled or prevented.
“Trusted Computing” is a project to create two virtual machines side-by-side, one being the ‘old, insecure’ version of an operating system and the second being a more restricted environment in which security-critical operations such as cryptography can be carried out.