Question

In: Computer Science

Explain discretionary access controls (DACs) and nondiscretionary access controls (NDACs) (30 marks)

Solutions

Expert Solution

Explain discretionary access controls (DACs) and nondiscretionary access controls (NDACs)

Discretionary Access Controls (DACs)

It is a type of security access control that grants or restricts object access via an access policy determined by an object's owner and group subjects. DAC mechanism controls are defined by user identification with supplied credentials during authentication, such as username and password. DACs are discretionary because the subject (owner) can transfer authenticated objects or information access to other users. In other words, the owner determines object access privileges.

In DAC, each system object (file or data object) has an owner, and each initial object owner is the subject that causes its creation. Thus, an object's access policy is determined by its owner. A typical example of DAC is Unix file mode, which defines the read, write and execute permissions in each of the three bits for each user, group and others.


DAC attributes include:

User may transfer object ownership to another user(s).

User may determine the access type of other users.

After several attempts, authorization failures restrict user access.

Unauthorized users are blind to object characteristics, such as file size, file name and directory path.

Object access is determined during access control list (ACL) authorization and based on user identification and/or group membership.

DAC is easy to implement and intuitive but has certain disadvantages, including:

Inherent vulnerabilities (Trojan horse)

ACL maintenance or capability

Grant and revoke permissions maintenance

Limited negative authorization power

Nondiscretionary Access Controls (NDACs):

Non-Discretionary Access Control includes Role Based Access Control (RBAC) and Rule Based Access Control (RBAC or RuBAC). RBAC being a subset of NDAC, it was easy to eliminate RBAC as it was covered under NDAC already. Some people think that RBAC is synonymous with NDAC, but RuBAC would also fall into this category. Non-Discretionary Access Control is probably one of the most demanded and successful technologies utilized in access control systems. Not only is it popular among households, but it has also created waves across the business world.

This figure represents the RuBAC structure of NDACs.

Examples:

At Stor-Guard, we strive to make self-storage facilities secure. Therefore, we offer a range of access control systems, door alarms, keypads, fingerprint readers and scanners, and other password-protected security solutions.
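Added example (not part of the expert's answer above): a minimal DAC checker modelled on the Unix file-mode bits the answer mentions, placed beside a minimal role-based NDAC checker. The contrast is the point: in the DAC object the owner alone sets the mode and may hand ownership to someone else, while in the RBAC policy only a security administrator grants permissions and assigns roles, so an ordinary subject cannot delegate its access. Class and user names are assumed for illustration.

```python
class DacFile:
    """DAC object: the owner controls the mode bits and may transfer ownership."""

    def __init__(self, owner, group, mode):
        self.owner, self.group, self.mode = owner, group, mode

    def allowed(self, user, user_groups, perm):
        # perm is 'r', 'w' or 'x'; select the owner/group/other bit triple
        if user == self.owner:
            bits = (self.mode >> 6) & 0o7
        elif self.group in user_groups:
            bits = (self.mode >> 3) & 0o7
        else:
            bits = self.mode & 0o7
        return bool(bits & {"r": 4, "w": 2, "x": 1}[perm])

    def chmod(self, actor, mode):
        # Discretionary: only the object's owner decides who gets access
        if actor != self.owner:
            raise PermissionError("only the owner may change the mode (DAC)")
        self.mode = mode

    def chown(self, actor, new_owner):
        # Discretionary: the owner may transfer ownership to another user
        if actor != self.owner:
            raise PermissionError("only the owner may transfer ownership (DAC)")
        self.owner = new_owner


class RbacPolicy:
    """NDAC policy: an administrator sets permissions; subjects cannot delegate."""

    def __init__(self, admin):
        self.admin = admin
        self.role_perms = {}  # role -> set of (object, permission)
        self.user_roles = {}  # user -> set of roles

    def grant(self, actor, role, obj, perm):
        if actor != self.admin:
            raise PermissionError("only the administrator changes the policy (NDAC)")
        self.role_perms.setdefault(role, set()).add((obj, perm))

    def assign(self, actor, user, role):
        if actor != self.admin:
            raise PermissionError("only the administrator assigns roles (NDAC)")
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user, obj, perm):
        # Access follows from the roles held, never from who created the object
        return any((obj, perm) in self.role_perms.get(r, ())
                   for r in self.user_roles.get(user, ()))
```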

