Principles of Information Technology
- Confidentiality
- Integrity
- Availability
Confidentiality
- Confidentiality means protecting information from being accessed by unauthorised parties.
- Unauthorised users cannot access the information; only authorised users can view personal data.
- Information classified as sensitive must be kept secret for as long as it remains sensitive. When a confidentiality breach does happen, the damage is often impossible to undo, because a secret that has been disclosed cannot be made secret again.
- A breach is when a person has access to data that they should not have. If an email address, phone number or credit card number is leaked, there is little the affected person can do after the fact beyond changing whatever can still be changed.
Integrity
- Integrity refers to the trustworthiness of the information itself. Data should be accurate, complete, up to date and consistent, so that the service a business provides can rely on it.
- Only authorised employees should make alterations to the data, and each change should be traceable to whoever made it.
- In addition, if a mistake is made during an edit, there should be fail-safe measures (such as a version history or backups) to reverse the damage.
- All information technology is vulnerable to human error, which is perfectly natural. Therefore, businesses need policies in place to protect the integrity of their information.
- This principle also covers the physical computer hardware and network, because "computer hardware may render data incorrectly or incompletely, limit or eliminate access to data, or make information hard to use".
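As an added example (not part of the original notes), the following Python sketch shows the two integrity controls the bullets above describe: only listed editors may alter a record, every stored version carries an HMAC tag so that silent corruption or tampering is detected on read, and a mistaken edit can be reversed by rolling back to the previous version. The editor list, record contents and the integrity key are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed secret for the example; a real service would keep this in a key store.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def tag_for(record_id: str, version: int, content: bytes) -> bytes:
    """HMAC over id, version and content, so a change to any of them is detected."""
    msg = record_id.encode() + b"\x00" + str(version).encode() + b"\x00" + content
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).digest()


@dataclass
class Record:
    record_id: str
    # Append-only history of (version, content, tag, editor); nothing is ever overwritten.
    history: list = field(default_factory=list)


class IntegrityStore:
    """Versioned store: writes are authorised and tagged, reads are verified, edits are reversible."""

    def __init__(self, editors: set[str]):
        self.editors = editors          # who is authorised to alter data
        self.records: dict[str, Record] = {}

    def write(self, editor: str, record_id: str, content: bytes) -> int:
        if editor not in self.editors:
            raise PermissionError(f"{editor} is not authorised to alter records")
        rec = self.records.setdefault(record_id, Record(record_id))
        version = len(rec.history) + 1
        rec.history.append((version, content, tag_for(record_id, version, content), editor))
        return version

    def read(self, record_id: str) -> bytes:
        """Return the latest content, refusing it if the stored tag no longer matches."""
        version, content, tag, _ = self.records[record_id].history[-1]
        if not hmac.compare_digest(tag, tag_for(record_id, version, content)):
            raise ValueError(f"integrity check failed for {record_id} v{version}")
        return content

    def rollback(self, editor: str, record_id: str) -> int:
        """Fail-safe for a bad edit: re-publish the previous version as a new, tagged version."""
        if editor not in self.editors:
            raise PermissionError(f"{editor} is not authorised to alter records")
        rec = self.records[record_id]
        if len(rec.history) < 2:
            raise ValueError("nothing to roll back to")
        previous_content = rec.history[-2][1]
        return self.write(editor, record_id, previous_content)


if __name__ == "__main__":
    store = IntegrityStore(editors={"alice"})
    store.write("alice", "inv-1", b"qty=10")
    store.write("alice", "inv-1", b"qty=1")      # mistaken edit
    store.rollback("alice", "inv-1")             # reverse it
    print(store.read("inv-1"))                   # b'qty=10'
```

The HMAC does not stop an authorised editor from making a mistake; it detects changes that bypassed write(), such as a faulty disk or direct database edits, which is exactly the hardware case quoted above. The append-only history is what makes the mistake reversible.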
Availability
- Availability means that authorised users can access data and systems whenever they need to.
- High availability is good for businesses, as staff and customers can readily access and process information.
- Both hardware and software pose risks to availability.
- If hardware fails, data cannot be accessed until it is repaired or replaced. Software maintenance should be planned so that downtime is short and predictable.
- One attack on availability is a Distributed Denial of Service (DDoS).
- In a DDoS, criminals flood servers with traffic from many sources until the servers can no longer respond. As a result, neither customers nor employees can access data, even though they are authorised to. DDoS attacks are becoming common.
- Apple, Microsoft, Google and Sony have all suffered DDoS attacks.
Discretionary Access Control
- In Discretionary Access Control (DAC) users control access to the data they own.
- DAC is typically the default access control mechanism for most desktop operating systems.
- Each resource object on a DAC-based system has an Access Control List (ACL) associated with it.
- An ACL contains a list of the users and groups to which the owner has granted access, together with the level of access for each user or group.
- For example, User P may grant read-only access on one of her files to User Q, read and write access on the same file to User R, and full control to any user belonging to Group 1.
- It is important to note that under DAC a user can only set access permissions on resources they own. A hypothetical User P cannot, therefore, change the access control for a file owned by User Q. User P can, however, set access permissions on a file that she owns.
- Under some operating systems it is also possible for the system or network administrator to dictate which permissions users are allowed to set in the ACLs of their resources.
- Discretionary Access Control provides a much more flexible environment than Mandatory Access Control, but it also increases the risk that data will be made accessible to users who should not have access, because every owner decides for themselves.
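The User P / Q / R / Group 1 example above, worked through as an added Python model of a DAC system (this is illustrative code written for these notes, not an operating system's implementation). It shows the three points the bullets make: an ACL holds user and group entries with a permission level each, only the owner may change a resource's ACL, and an administrator policy can restrict which permissions owners are allowed to grant. Group membership, file paths and user names are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Flag


class Perm(Flag):
    NONE = 0
    READ = 1
    WRITE = 2
    DELETE = 4
    FULL = READ | WRITE | DELETE      # "full control" in the notes above


@dataclass
class Resource:
    owner: str
    # ACL entries keyed by principal: "user:<name>" or "group:<name>".
    acl: dict[str, Perm] = field(default_factory=dict)


class DacSystem:
    def __init__(self, groups: dict[str, set[str]], allowed_grants: Perm = Perm.FULL):
        self.groups = groups                  # group name -> members (constructed)
        self.allowed_grants = allowed_grants  # administrator policy on what owners may grant
        self.resources: dict[str, Resource] = {}

    def create(self, owner: str, path: str) -> None:
        """A new resource starts with an ACL that gives its owner full control."""
        self.resources[path] = Resource(owner=owner, acl={f"user:{owner}": Perm.FULL})

    def grant(self, actor: str, path: str, principal: str, perms: Perm) -> None:
        """Discretionary: only the owner edits the ACL, within the administrator's limits."""
        res = self.resources[path]
        if actor != res.owner:
            raise PermissionError(f"{actor} does not own {path} and cannot change its ACL")
        if perms not in self.allowed_grants:
            raise PermissionError(f"administrator policy does not allow granting {perms}")
        res.acl[principal] = perms

    def effective(self, user: str, path: str) -> Perm:
        """Union of the user's own entry and the entries of every group they belong to."""
        res = self.resources[path]
        perms = res.acl.get(f"user:{user}", Perm.NONE)
        for group, members in self.groups.items():
            if user in members:
                perms |= res.acl.get(f"group:{group}", Perm.NONE)
        return perms

    def check(self, user: str, path: str, needed: Perm) -> bool:
        return needed in self.effective(user, path)


if __name__ == "__main__":
    system = DacSystem(groups={"group1": {"dave", "erin"}})
    path = "/home/p/report.txt"
    system.create("p", path)
    system.grant("p", path, "user:q", Perm.READ)                # read-only for Q
    system.grant("p", path, "user:r", Perm.READ | Perm.WRITE)   # read and write for R
    system.grant("p", path, "group:group1", Perm.FULL)          # full control for Group 1
    print(system.check("q", path, Perm.WRITE))                  # False
    print(system.check("dave", path, Perm.DELETE))              # True, via group1
```

The last grant is also the risk the final bullet describes: P alone decided that every member of group1 gets full control, and nothing in DAC checks whether that was appropriate.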
Non-discretionary Access Control
- In non-discretionary access control (NDAC) a central authority, not the resource owner, decides who may access what. The best-known form is Role Based Access Control (RBAC), and the rest of this section describes that form.
- It takes more of a real-world approach to structuring access control. Access under NDAC is based on a user's job function within the organisation to which the computer system belongs.
- Essentially, NDAC assigns permissions to particular roles in an organisation. Users are then assigned to those roles.
- Roles differ from groups in that a role is defined by a job function and carries exactly the permissions that function needs. In the simple model described here a user is assigned a single role at a time; the standard RBAC model also allows a user to hold several roles.
- Additionally, there is no way to give an individual user permissions over and above those of their role. To change what a user can do, either the role's permissions are changed (which affects everyone in that role) or the user is assigned a different role.
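The role model above, as an added Python example written for these notes (not from any particular product). Permissions attach to roles only, each user holds a single role as the notes describe, reassigning a user replaces their old access entirely, and the only way to extend access is to change a role, which changes it for every holder. The roles, permission names and users are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Rbac:
    # role -> the permissions that job function needs (constructed for the example)
    role_perms: dict[str, set[str]]
    # user -> the single role they currently hold
    user_role: dict[str, str] = field(default_factory=dict)

    def assign(self, user: str, role: str) -> None:
        """Put a user in a role; any previous role, and its access, is dropped."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_role[user] = role

    def permitted(self, user: str, perm: str) -> bool:
        """Users never hold permissions directly; the check goes through their role."""
        role = self.user_role.get(user)
        return role is not None and perm in self.role_perms[role]

    def add_role_permission(self, role: str, perm: str) -> None:
        """The only way to extend access: change the role, which changes every holder of it."""
        self.role_perms[role].add(perm)

    def who_can(self, perm: str) -> set[str]:
        """Audit question a role model answers cheaply: who can currently do this?"""
        return {user for user, role in self.user_role.items() if perm in self.role_perms[role]}


if __name__ == "__main__":
    rbac = Rbac(role_perms={
        "clerk": {"invoice:create", "invoice:read"},
        "approver": {"invoice:read", "invoice:approve"},
    })
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "approver")
    print(rbac.permitted("alice", "invoice:approve"))   # False
    rbac.assign("alice", "approver")                     # job change
    print(rbac.permitted("alice", "invoice:create"))    # False: clerk access is gone
    print(sorted(rbac.who_can("invoice:approve")))      # ['alice', 'bob']
```

Notice there is no grant_to_user method at all; that absence is the property the last bullet describes, and it is what keeps the who_can answer trustworthy.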