
Access control


Fig.8.2. Cost and level of authentication technologies

4. The newest direction in authentication is proving the authenticity of a remote user by location. This protection mechanism is based on the use of a satellite navigation system such as GPS (Global Positioning System). A user with GPS equipment repeatedly sends the coordinates of specified satellites that are in line of sight. The authentication subsystem, knowing the satellite orbits, can determine the user's location with an accuracy of up to a meter. GPS equipment is simple and reliable to use and relatively inexpensive. This allows it to be used in cases where an authorized remote user must be at a specific location.

Summarizing the capabilities of authentication mechanisms and tools by the level of information security they provide, three types of authentication can be distinguished: 1) static; 2) strong; 3) constant.

Static authentication provides protection against unauthorized access only in systems where an attacker cannot read authentication information during a work session. An example of a static authentication tool is the traditional persistent password. Its effectiveness depends primarily on how hard the passwords are to guess and how well they are protected. To compromise static authentication, an attacker can eavesdrop on, guess or intercept the authentication data.

Strong authentication uses dynamic authentication data that changes with each session. Implementations of strong authentication are systems that use one-time passwords and electronic signatures. Strong authentication protects against attacks in which an attacker intercepts authentication information and reuses it in subsequent sessions. At the same time, strong authentication does not protect against active attacks, in which a masquerading attacker can quickly (within the authentication session) intercept and modify information and insert it into the stream of transmitted data.

Constant authentication ensures the identification of each block of transmitted data, which protects it from unauthorized modification or insertion. An example implementation of this type of authentication is the use of electronic signature generation algorithms for each bit of the transmitted information.
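As an added illustration of the difference between strong and constant authentication (example code written for this page, not taken from the original text), the following Python shows per-block authentication of a transmitted stream. It uses an HMAC as a symmetric-key stand-in for the electronic signature mentioned above; the session key, session identifiers and message blocks are constructed sample values. The tag on each block binds the payload to the session and to the block's position, so the receiver rejects modified or inserted blocks, reordered blocks, and a replay of one session's blocks into another session, which is exactly what a per-session credential alone does not catch.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

Frame = Tuple[int, bytes, bytes]  # (sequence number, payload, authentication tag)

# Constructed demo key; a real system would derive it during session setup.
KEY = b"constructed-demo-key-not-for-real-use"


def tag_block(key: bytes, session_id: bytes, seq: int, payload: bytes) -> bytes:
    """MAC over session id, block position, length and payload: the tag is
    only valid for this payload at this position of this session."""
    data = (session_id + seq.to_bytes(4, "big")
            + len(payload).to_bytes(4, "big") + payload)
    return hmac.new(key, data, hashlib.sha256).digest()


def send_stream(key: bytes, session_id: bytes, blocks: List[bytes]) -> List[Frame]:
    """Sender side: number every block and attach its tag."""
    return [(i, b, tag_block(key, session_id, i, b)) for i, b in enumerate(blocks)]


def receive_stream(key: bytes, session_id: bytes,
                   frames: List[Frame]) -> Tuple[List[bytes], Optional[str]]:
    """Receiver side: accept blocks strictly in order and stop at the first
    block that fails, returning the blocks accepted so far and the reason."""
    accepted: List[bytes] = []
    for expected, (seq, payload, tag) in enumerate(frames):
        if seq != expected:
            return accepted, f"block {seq}: unexpected sequence number (expected {expected})"
        if not hmac.compare_digest(tag, tag_block(key, session_id, seq, payload)):
            return accepted, f"block {seq}: authentication tag does not verify"
        accepted.append(payload)
    return accepted, None


def demo() -> Dict[str, Tuple[List[bytes], Optional[str]]]:
    """Run the honest stream and four constructed manipulations through the receiver."""
    blocks = [b"transfer 100", b"to account 42", b"confirm"]
    good = send_stream(KEY, b"session-A", blocks)
    results = {"intact": receive_stream(KEY, b"session-A", good)}

    # Active attacker changes block 1 in transit but cannot recompute its tag.
    modified = list(good)
    seq, _, old_tag = modified[1]
    modified[1] = (seq, b"to account 99", old_tag)
    results["modified"] = receive_stream(KEY, b"session-A", modified)

    # A block inserted without the key (any tag the attacker invents fails).
    inserted = good[:2] + [(2, b"and 500 more", b"\x00" * 32)] + [(3, good[2][1], good[2][2])]
    results["inserted"] = receive_stream(KEY, b"session-A", inserted)

    # Blocks delivered out of order.
    results["reordered"] = receive_stream(KEY, b"session-A", [good[0], good[2], good[1]])

    # The whole of session A replayed into session B: tags are bound to the session id.
    results["replayed"] = receive_stream(KEY, b"session-B", good)
    return results


if __name__ == "__main__":
    for name, (accepted, error) in demo().items():
        print(f"{name:10s} accepted={len(accepted)} error={error}")
```

Running the block prints one line per scenario; only the intact stream is accepted in full, and each manipulation is stopped at the first affected block. Rejecting the rest of the stream after a failure is a deliberate choice: once one block is untrustworthy the receiver should abandon the session rather than resynchronize.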

After identification and authentication have been completed, it is extremely important to establish the authority (set of rights) of the subject for subsequent control of the authorized use of the computing resources available in the AS. This process is usually called access delimitation (logical access control).

Typically, a subject's authority is represented by a list of the resources accessible to the user and the access rights to each resource in the list. Computing resources include programs, data, logical devices, memory, processor time, priority, etc.

The following access control methods can be distinguished: 1) by lists; 2) using an authority matrix; 3) by secrecy levels and categories; 4) by password.

1. With list-based access control, the following correspondences are specified: for each user, a list of resources and the access rights to them, or for each resource, a list of users and their access rights to that resource. Lists make it possible to set rights down to the individual user. Adding rights or explicitly denying access is simple here. Lists are used in most operating systems and DBMSs.

2. Using an authority matrix involves an access matrix (authority table). In this matrix, the rows are the identifiers of the subjects that have access to the AS, and the columns are the objects (information resources) of the AS. Each matrix element can contain the name and size of the resource provided, access rights (read, write, etc.), a link to another information structure specifying access rights, a link to the program that manages access rights, etc. (Table 8.3). This method provides a more unified and convenient approach, since all information about authority is stored in the form of a single table rather than as lists of various kinds. The disadvantages of the matrix are its possible bulkiness and non-optimality (most cells are empty).

Table 8.3


The automated system ASOMI provides for the flexible differentiation of users' access rights to the stored metrological information. This approach ensures the protection of stored and processed information, namely:

  • limiting rights to read, modify or destroy;
  • the ability to store and transmit information between ASOMI objects in a form that significantly complicates its recognition in case of unauthorized access or handling (in particular, using encryption technologies);
  • ensuring the integrity of information, as well as the availability of information for management bodies and authorized users;
  • eliminating information leakage during processing and transmission between computer objects.

Access control for users of the ASOMI system is implemented in the context of the following groups of entities: reporting and operational data (protocols), reference data, history logs (logging of user actions and data on the history of changes to entities), and accounting data (SI registration cards). Let us consider each group in detail below.

Access to accounting data is defined through the following concepts:

  • The person responsible for processing the current status of the measuring instrument (SI) is an employee of the enterprise who, while the SI is in its current status, must perform the actions determined by that status and transfer the SI to the next status within the work cycle of one of the metrological works (MR). This person is determined from the parameters of the current status of the SI. For example, such a person is one playing the role of dispatcher (hereinafter the Dispatcher), who accepted the SI for repair and is then obliged to transfer it to the person playing the role of repair performer (hereinafter the Repair Performer).
  • The person materially responsible for the SI is an employee of the enterprise who is financially responsible for the SI or operates it. This person is determined from the SI registration card. As a rule, this is the foreman in charge of the SI.
  • Managers of the “first two” persons, literally by definition. They are determined from the organizational structure of the enterprise by the following principle: they are the managers of persons from the first two categories (“Person responsible for processing the current status of the SI” and “Person materially responsible for the SI”), or they are the heads of a higher-level division of the enterprise that includes (has subordinate to it) the structural unit in which persons from the first two categories work as performers. Within ASOMI, this principle means that information about measuring instruments is available both to all superiors of the Metrologist and to all superiors of the performers of particular MR (for example, the head of a workshop has access to information about the measuring instruments for which his foremen are responsible).
  • The person responsible for metrological supervision and control is, for example, an employee of a calibration or repair department, or a metrologist of a structural unit, performing supervision and control duties. In accordance with these duties, he has the right to read accounting information about all SI assigned to him.

Thus, those employees of the enterprise who, in relation to a specific SI, fall into one (possibly several) of the four categories listed above can see at their workplace information about the current status of that SI and, accordingly, the data of its registration card, including the history of metrological work.

At the same time, the employee of the enterprise who is currently responsible for processing the current status of the SI has the right to change the SI information associated with that status and to transfer the SI to the next status in the current MR work cycle, but has no right to alter the history of transitions according to the SI Status Diagram.
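The four categories of persons and the read/modify split described above can be expressed as rules that derive rights from the instrument's current status, its registration card and the organizational structure, rather than from a stored list. The following Python is an added example written for this page, not ASOMI's own code: the employee names, the organization tree, the status names and the record fields are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Employee:
    name: str
    manager: Optional[str]                               # immediate superior, None at the top
    supervises: Set[str] = field(default_factory=set)    # SI ids under this person's metrological supervision


@dataclass
class Instrument:
    si_id: str
    status: str
    status_owner: str      # person responsible for processing the current status (category 1)
    custodian: str         # materially responsible person, from the registration card (category 2)
    history: List[str] = field(default_factory=list)     # append-only transition log


Org = Dict[str, Employee]


def superiors(name: str, org: Org) -> Set[str]:
    """All managers above an employee, following the organizational structure upwards."""
    chain: Set[str] = set()
    cur = org[name].manager
    while cur is not None:
        chain.add(cur)
        cur = org[cur].manager
    return chain


def can_read(user: str, si: Instrument, org: Org) -> bool:
    """Read access: categories 1 and 2, their superiors (3), or the supervising metrologist (4)."""
    return (user in (si.status_owner, si.custodian)
            or user in superiors(si.status_owner, org) | superiors(si.custodian, org)
            or si.si_id in org[user].supervises)


def can_modify(user: str, si: Instrument) -> bool:
    """Only the person responsible for the current status may change status-bound data."""
    return user == si.status_owner


def transfer(user: str, si: Instrument, new_status: str, new_owner: str) -> None:
    """Move the SI to the next status of the work cycle. The transition is recorded in the
    history, which no user (including the current owner) is given a way to rewrite."""
    if not can_modify(user, si):
        raise PermissionError(f"{user} is not responsible for the current status of {si.si_id}")
    si.history.append(f"{si.status} -> {new_status} by {user}")
    si.status, si.status_owner = new_status, new_owner


def demo() -> Dict[str, object]:
    """Constructed organization: a workshop branch and a metrology branch."""
    org: Org = {
        "shop_head": Employee("shop_head", None),
        "foreman": Employee("foreman", "shop_head"),
        "clerk": Employee("clerk", "shop_head"),             # same division, no relation to SI-001
        "chief_metrologist": Employee("chief_metrologist", None),
        "dispatcher": Employee("dispatcher", "chief_metrologist"),
        "repairer": Employee("repairer", "chief_metrologist"),
        "inspector": Employee("inspector", "chief_metrologist", supervises={"SI-001"}),
    }
    si = Instrument("SI-001", "accepted_for_repair", status_owner="dispatcher", custodian="foreman")
    readers = sorted(u for u in org if can_read(u, si, org))

    foreman_denied = False
    try:
        transfer("foreman", si, "in_repair", "repairer")    # custodian may read, not transfer
    except PermissionError:
        foreman_denied = True

    transfer("dispatcher", si, "in_repair", "repairer")     # the Dispatcher hands over to the Repair Performer
    return {"readers": readers, "foreman_denied": foreman_denied, "status": si.status,
            "dispatcher_can_modify_now": can_modify("dispatcher", si), "history": list(si.history)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the repairer cannot read SI-001 before the transfer but becomes the status owner after it, and the dispatcher loses modify rights at the same moment: the rights follow the work cycle, which is the property the text describes.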

Now let us look at the rules and procedure for accessing reference data. Viewing and using reference data to fulfil their metrological support duties is available to all ASOMI users.

At the same time, adding to and editing reference data is allowed only to enterprise employees who perform the role of administrator or controller in ASOMI. They bear full responsibility for the relevance and correctness of the information contained in the directories. When filling in directories concerning the structure of access rights in ASOMI, data from the directories of the reference block “Structure of access rights in ASOMI” is used. When filling in specific (additional) reference books, data from the NTD (normative and technical documentation) on measuring instruments, data from the State Register of measuring instruments approved for use in the Russian Federation, and other reliable sources are used.

The rules and procedure for access to reporting and operational data (protocols) are organized as follows. Access to the standard reports implemented in ASOMI is organized by roles in the system. For each position, a list of standard reports is specified (a selection from the general list of all standard ASOMI reports) that an employee holding this position can generate from his workplace.

As part of reporting, access to special functions can be organized. An example of such a function is searching for and obtaining information about any measuring instrument registered in the system by its various parameters; for example, a foreman will be able to display, in the form of a report, a list of all measuring instruments registered in ASOMI in order, say, to find a replacement for his own measuring instrument among identical instruments that are mothballed in a neighbouring workshop.

Access to operational data (user work protocols) is allowed only to ASOMI Administrators and the Chief Metrologist of the enterprise.

As for the rules and procedure for assigning and changing access to information data: access can be assigned or changed only by the ASOMI Administrator.



Goal: mastering the techniques of exchanging files between users of a local computer network.

Theoretical information for the laboratory work

The main means of fast transfer of information over long distances today are the telegraph, radio, telephone, television transmitters and telecommunication networks based on computer systems. The transfer of information between computers has existed since the emergence of computers. It allows separate computers to work together, one problem to be solved using several computers, resources to be shared, and many other problems to be solved. A computer network is understood as the complex of hardware and software designed for information exchange and user access to the network's common resources. The main purpose of computer networks is to provide users with shared access to information (databases, documents, etc.) and resources (hard drives, printers, CD-ROM drives, modems, access to the global network, etc.).

Network subscribers are objects that generate or consume information. Network subscribers can be individual computers, industrial robots, CNC machines (computer numerical control machines), etc. Any network subscriber is connected to a station. A station is equipment that performs functions related to transmitting and receiving information. To organize interaction between subscribers and stations, a physical transmission medium is required. The physical transmission medium consists of the communication lines, or the space in which electrical signals propagate, together with the data transmission equipment. One of the main characteristics of communication lines or channels is the data transfer rate (bandwidth). The data transfer rate is the number of bits of information transmitted per unit of time. Typically, data transfer rates are measured in bits per second (bps) and in multiples: Kbps and Mbps. Relationships between the units of measurement: 1 Kbit/s = 1024 bit/s; 1 Mbit/s = 1024 Kbit/s; 1 Gbit/s = 1024 Mbit/s. A communication network is built on the basis of the physical transmission medium.
Thus, a computer network is a collection of subscriber systems and a communication network.

Types of networks. According to the type of computers used, networks are homogeneous and heterogeneous. Heterogeneous networks contain software-incompatible computers. Based on territorial characteristics, networks are divided into local and global.

Local networks (LAN, Local Area Network) connect subscribers located within a small area, usually no more than 2–2.5 km. Local computer networks make it possible to organize the work of individual enterprises and institutions, including educational ones, and to solve the problem of organizing access to common technical and information resources. Global networks (WAN, Wide Area Network) connect subscribers located at considerable distances from each other: in different areas of a city, in different cities, countries or continents (for example, the Internet). Interaction between subscribers of such a network can be carried out over telephone lines, radio links and satellite communication systems. Global computer networks solve the problem of uniting the information resources of all humanity and organizing access to these resources.

Basic communication network components:
  • transmitter;
  • receiver;
  • messages (digital data of a certain format: a database file, a table, a response to a request, text or an image);
  • transmission media (the physical transmission medium and the special equipment that ensures the transmission of information).

Topology of local networks. The topology of a computer network is usually understood as the physical arrangement of the computers on the network relative to each other and the way they are connected by communication lines. The topology determines the equipment requirements, the type of cable used, the communication control methods, operational reliability and the possibility of network expansion. There are three main types of network topology: bus, star and ring.

Bus, in which all computers are connected in parallel to one communication line, and information from each computer is simultaneously transmitted to all other computers. A peer-to-peer network is created according to this topology. With such a connection, computers can transmit information only one at a time, since there is only one communication line.

Advantages:

  • ease of adding new nodes to the network (this is possible even while the network is running);
  • the network continues to function even if individual computers fail;
  • inexpensive network equipment due to the widespread use of this topology.

Disadvantages:

  • complexity of the network equipment;
  • difficulty in diagnosing network equipment faults, since all adapters are connected in parallel;
  • a cable break leads to the failure of the entire network;
  • a limit on the maximum length of the communication line, since signals are attenuated during transmission and cannot be restored in any way.

Star, in which peripheral computers are connected to one central computer, each of them using its own separate communication line. All information exchange occurs exclusively through the central computer, which bears a very heavy load and is therefore intended only for servicing the network.

Advantages:

  • failure of a peripheral computer does not in any way affect the functioning of the rest of the network;
  • simplicity of the network equipment used;
  • all connection points are collected in one place, which makes it easy to control the operation of the network and to localize network faults by disconnecting particular peripheral devices from the center;
  • there is no signal attenuation.

Disadvantages:

  • failure of the central computer makes the network completely inoperable;
  • strict limitation on the number of peripheral computers;
  • significant cable consumption.

Ring, in which each computer always transmits information to only one computer next in the chain, and receives information only from the previous computer in the chain, and this chain is closed. The peculiarity of the ring is that each computer restores the signal coming to it, so the attenuation of the signal throughout the ring does not matter, only the attenuation between neighboring computers is important.

Advantages:

  • it is easy to connect new nodes, although this requires pausing the network;
  • a large number of nodes can be connected to the network (more than 1000);
  • high resistance to overloads.

Disadvantages:

  • the failure of even one computer disrupts the operation of the network;
  • a cable break in even one place disrupts the operation of the network.

In some cases, a combined topology is used when designing a network. For example, a tree is a combination of several stars.

Every computer that operates in a local network must have a network adapter (network card). The function of the network adapter is to transmit and receive the signals carried by the communication cables. In addition, the computer must be equipped with a network operating system.

When constructing networks, the following types of cable are used:

  • unshielded twisted pair. The maximum distance at which computers connected by this cable can be located reaches 90 m. The information transmission speed is from 10 to 155 Mbit/s;
  • shielded twisted pair. The information transfer speed is 16 Mbit/s over a distance of up to 300 m;
  • coaxial cable. It is characterized by higher mechanical strength and noise immunity and allows information to be transmitted over a distance of up to 2000 m at a speed of 2–44 Mbit/s;
  • fiber optic cable. An ideal transmission medium: it is not affected by electromagnetic fields and allows information to be transmitted over a distance of up to 10,000 m at a speed of up to 10 Gbit/s.

The concept of global networks. A global network is an association of computers located at a great distance from each other for the general use of world information resources. Today there are more than 200 of them in the world. Of these, the most famous and popular is the Internet.

Unlike local networks, global networks have no single control center. The network is based on tens and hundreds of thousands of computers connected by one or another communication channel. Each computer has a unique identifier, which makes it possible to “plot a route to it” for the delivery of information. Typically, a global network connects computers operating according to different rules (having different architectures, system software, etc.). Therefore, gateways are used to transfer information from one type of network to another.

Gateways are devices (computers) that serve to connect networks with completely different exchange protocols.

An exchange protocol is a set of rules (an agreement, a standard) that defines the principles of data exchange between different computers on the network.

Protocols are conventionally divided into basic (lower-level) protocols, responsible for transmitting information of any type, and applied (higher-level) protocols, responsible for the functioning of specialized services.

The main computer of the network, which provides access to the common database, provides shared use of input/output devices and supports user interaction, is called the server.

A network computer that only uses network resources but does not give its own resources to the network is called a client (often also called a workstation).

To work on the global network, the user must have the appropriate hardware and software.

Software can be divided into two classes:

  • server programs, located on the network node serving the user's computer;
  • client programs, located on the user's computer and using the services of the server.

Global networks provide users with a variety of services: e-mail, remote access to any computer on the network, searching for data and programs, and so on.

Task No. 1.


  1. Create a folder in the “My Documents” folder called Mail_1 (the number in the name corresponds to the number of your computer).

  2. Using the text editor Word or WordPad, create a letter to your classmates.

  3. Save this text in the Mail_1 folder of your computer in the file letter1.doc, where 1 is the computer number.

  4. Open a folder on another computer, for example, Mail_2 and copy the file letter1 from your Mail_1 folder into it.

  5. In your Mail_1 folder, read letters from other users, for example letter2. Add your answer to them.

  6. Rename the file letter2.doc to letter2_answer1.doc.

  7. Move the file letter2_answer1.doc to the Mail_2 folder and delete it from your folder.

  8. Next, repeat steps 2-4 for other computers.

  9. Read messages from other users in your folder and repeat steps 5-8 for them.

Task No. 2. Answer the questions and write the answers down in your notebook:

  1. Indicate the main purpose of a computer network.
  2. Specify an object that is a network subscriber.
  3. Indicate the main characteristics of communication channels.
  4. What is a local area network? A global network?
  5. What is meant by local network topology?
  6. What types of local network topology are there?
  7. Briefly describe the bus, star and ring topologies.
  8. What is an exchange protocol?
  9. Solve the problem. The maximum data transfer rate in a local network is 100 Mbit/s. How many pages of text can be transmitted in 1 second if 1 page of text contains 50 lines and each line has 70 characters?

Basic Concepts

When considering information security issues, the concepts of access subject and access object are used. An access subject can perform a certain set of operations on each access object. These operations may be allowed or denied to a specific subject or group of subjects. Access to objects is usually determined at the level of the operating system by its architecture and the current security policy. Let us consider some definitions regarding the methods and means of delimiting subjects' access to objects.

Definition 1

Object access method – an operation that is defined for a given object. Access to an object can be restricted by restricting the set of possible access methods.

Definition 2

Object owner– the subject who created the object is responsible for the confidentiality of the information contained in the object and for access to it.

Definition 3

Object access right– the right to access an object using one or more access methods.

Definition 4

Access control– a set of rules that determines for each subject, object and method whether or not the right to access using a specified method exists.

Access control models

The most common access control models:

  • discretionary (selective) access control model;
  • authoritative (mandatory) access control model.

The discretionary model is characterized by the following rules:

  • any object has an owner;
  • the owner has the right to arbitrarily limit the access of subjects to this object;
  • for each triple subject – object – method, the access right is unambiguously defined;
  • the presence of at least one privileged user (for example, an administrator) who has the ability to access any object using any access method.

In the discretionary model, the definition of access rights is stored in an access matrix: the rows list the subjects and the columns list the objects. Each cell of the matrix stores the access rights of the given subject to the given object. The access matrix of a modern operating system takes up tens of megabytes.

The mandatory (authoritative) model is characterized by the following rules:

  • each object is assigned a secrecy classification. The secrecy label has a numeric value: the larger it is, the higher the secrecy of the object;
  • each access subject has a clearance level.

In this model, a subject is granted access to an object only if the value of the subject's clearance level is not less than the value of the object's secrecy classification.

The advantage of the mandatory model is that there is no need to store large volumes of access-control information. Each subject stores only the value of its clearance level, and each object only the value of its secrecy classification.

Access control methods

Types of access control methods:

    Access control based on lists

    The essence of the method is to set correspondences: for each user, a list of resources and the access rights to them is specified, or for each resource, a list of users and their access rights to that resource is determined. Using lists, rights can be set down to each individual user. Rights can be added or access explicitly denied. The list access method is used in the security subsystems of operating systems and database management systems.

    Using the Authority Matrix

    When the authority matrix is used, an access matrix (authority table) is maintained. In the access matrix, the rows hold the identifiers of the subjects that have access to the computer system, and the columns the objects (resources) of the computer system.

    Each matrix cell may contain the name and size of a resource, an access right (read, write, etc.), a link to another information structure that specifies access rights, a link to a program that manages access rights, etc.

    This method is quite convenient, since all information about authority is stored in a single table. The disadvantage of the matrix is its possible cumbersomeness.

    Access control by privacy levels and categories

    Access is divided into several levels according to the degree of secrecy. The permissions of each user can be set in accordance with the maximum secrecy level to which he is admitted.
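The list and matrix methods (described here and in the access control section above), the discretionary model with its object owners and privileged administrator, and the level-based mandatory rule can all be written down in a few dozen lines. The following Python is an added example written for this page, not code from any of the sources it summarizes; the users, objects, methods, level names and the administrator name are constructed. It also shows the relationship the text hints at: one column of the authority matrix is exactly a resource's access list, and storing only the non-empty cells is what keeps the sparse matrix manageable.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


# 1. Access control by lists: each resource carries an ordered list of entries.
#    The first entry that matches decides, so an explicit deny placed before a
#    broad allow overrides it; no match at all means deny.
@dataclass
class AclEntry:
    subject: str   # user name, or "*" for any user
    method: str    # access method such as "read" or "write", or "*" for any
    allow: bool


def acl_decides(acl: List[AclEntry], subject: str, method: str) -> bool:
    for e in acl:
        if e.subject in (subject, "*") and e.method in (method, "*"):
            return e.allow
    return False


# 2. Discretionary model: rows are subjects, columns are objects, each cell is
#    the set of permitted methods. Every object has an owner who, like the
#    privileged administrator, may change that object's column.
class DiscretionaryPolicy:
    def __init__(self, admin: str) -> None:
        self.admin = admin
        self.owner: Dict[str, str] = {}
        self.matrix: Dict[Tuple[str, str], Set[str]] = {}   # only non-empty cells are stored

    def create(self, subject: str, obj: str) -> None:
        self.owner[obj] = subject
        self.matrix[(subject, obj)] = {"read", "write"}

    def grant(self, granter: str, subject: str, obj: str, method: str) -> None:
        if granter != self.admin and self.owner.get(obj) != granter:
            raise PermissionError(f"{granter} may not change rights on {obj}")
        self.matrix.setdefault((subject, obj), set()).add(method)

    def allowed(self, subject: str, obj: str, method: str) -> bool:
        if subject == self.admin:                     # the privileged user bypasses the matrix
            return True
        return method in self.matrix.get((subject, obj), set())

    def access_list(self, obj: str) -> Dict[str, Set[str]]:
        """One column of the matrix is the object's access list."""
        return {s: m for (s, o), m in self.matrix.items() if o == obj and m}


# 3. Mandatory model: access is granted when the subject's clearance is not
#    lower than the object's classification; nothing per (subject, object) is stored.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}   # constructed level names


class MandatoryPolicy:
    def __init__(self) -> None:
        self.clearance: Dict[str, str] = {}
        self.classification: Dict[str, str] = {}

    def allowed(self, subject: str, obj: str) -> bool:
        s, o = self.clearance.get(subject), self.classification.get(obj)
        if s is None or o is None:
            return False                              # unknown subject or unlabelled object: deny
        return LEVELS[s] >= LEVELS[o]


def demo() -> Dict[str, object]:
    acl = [AclEntry("bob", "write", False), AclEntry("*", "*", True)]   # deny first, then catch-all allow
    dac = DiscretionaryPolicy(admin="root")
    dac.create("alice", "report.txt")
    dac.grant("alice", "bob", "report.txt", "read")
    carol_blocked = False
    try:
        dac.grant("carol", "carol", "report.txt", "write")    # carol owns nothing
    except PermissionError:
        carol_blocked = True
    mac = MandatoryPolicy()
    mac.clearance.update({"alice": "confidential", "bob": "public"})
    mac.classification.update({"report.txt": "confidential", "plan.txt": "secret"})
    return {
        "acl_bob_read": acl_decides(acl, "bob", "read"),
        "acl_bob_write": acl_decides(acl, "bob", "write"),
        "acl_empty": acl_decides([], "bob", "read"),
        "dac_bob_read": dac.allowed("bob", "report.txt", "read"),
        "dac_bob_write": dac.allowed("bob", "report.txt", "write"),
        "dac_root_write": dac.allowed("root", "report.txt", "write"),
        "dac_carol_blocked": carol_blocked,
        "dac_column": dac.access_list("report.txt"),
        "mac_alice_report": mac.allowed("alice", "report.txt"),
        "mac_alice_plan": mac.allowed("alice", "plan.txt"),
        "mac_bob_report": mac.allowed("bob", "report.txt"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three mechanisms differ in what has to be stored and who may change it: the list and the matrix both carry a decision per subject and object and rely on owners or an administrator to keep them current, while the mandatory rule needs one label per subject and one per object and cannot be relaxed by an owner at all.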

    Password access control

    Password-based access control uses methods by which subjects access objects using a password. Constant use of passwords leads to inconvenience for users and time delays. For this reason, password-based methods are used in exceptional situations.

In practice, it is common to combine different access restriction methods. For example, the first three methods are enhanced by password protection. The use of access control is a prerequisite for a secure computer system.


