WEBVTT

1
00:00:00.000 --> 00:00:01.350
In this lesson,

2
00:00:01.350 --> 00:00:05.280
we will learn about Rule-Based Access Control.

3
00:00:05.280 --> 00:00:09.750
Rule-Based Access Control is used to manage user access

4
00:00:09.750 --> 00:00:14.010
to resources based on predefined rules and conditions.

5
00:00:14.010 --> 00:00:17.130
An example of Rule-Based Access Control

6
00:00:17.130 --> 00:00:20.490
is the Mandatory Access Control model.

7
00:00:20.490 --> 00:00:23.340
Mandatory Access Control or MAC

8
00:00:23.340 --> 00:00:26.040
enforces strict access policies

9
00:00:26.040 --> 00:00:29.910
based on predefined security classifications.

10
00:00:29.910 --> 00:00:33.960
This limits user access based on the classification

11
00:00:33.960 --> 00:00:37.710
of information and the user's clearance level.

12
00:00:37.710 --> 00:00:40.260
Other access control models include

13
00:00:40.260 --> 00:00:43.290
Discretionary Access Control or DAC

14
00:00:43.290 --> 00:00:45.930
and Attribute-Based Access Control.

15
00:00:45.930 --> 00:00:49.770
Discretionary Access Control allows resource owners

16
00:00:49.770 --> 00:00:54.210
full control of resource access, enabling them to grant

17
00:00:54.210 --> 00:00:58.080
or deny anyone access to their resources.

18
00:00:58.080 --> 00:01:02.640
Attribute-Based Access Control uses the attributes of users,

19
00:01:02.640 --> 00:01:05.160
resources, and the environment

20
00:01:05.160 --> 00:01:08.670
to determine access permissions dynamically.

21
00:01:08.670 --> 00:01:11.670
Let's learn about Rule-Based Access Control,

22
00:01:11.670 --> 00:01:16.080
Mandatory Access Control, Discretionary Access Control,

23
00:01:16.080 --> 00:01:18.660
and Attribute-Based Access Control.

24
00:01:18.660 --> 00:01:20.970
Then we will have a demonstration

25
00:01:20.970 --> 00:01:25.020
of Discretionary Access Control on a Linux machine.

26
00:01:25.020 --> 00:01:28.350
First, we have Rule-Based Access Control.

27
00:01:28.350 --> 00:01:31.920
Rule-Based Access Control manages user access

28
00:01:31.920 --> 00:01:36.270
to resources based on predefined rules and conditions.

29
00:01:36.270 --> 00:01:39.240
These rules are configured by administrators

30
00:01:39.240 --> 00:01:42.570
and dictate who can access what and when.

31
00:01:42.570 --> 00:01:44.670
Rule-based systems are flexible

32
00:01:44.670 --> 00:01:48.270
and are often used in environments, where access needs

33
00:01:48.270 --> 00:01:50.010
to be tightly controlled

34
00:01:50.010 --> 00:01:53.370
based on specific conditions or actions.

35
00:01:53.370 --> 00:01:56.760
For example, an enterprise might set a rule

36
00:01:56.760 --> 00:02:00.270
that allows access to financial records only

37
00:02:00.270 --> 00:02:01.830
during business hours.

38
00:02:01.830 --> 00:02:05.640
With Rule-Based Access Control, administrators can also

39
00:02:05.640 --> 00:02:09.690
implement security policies that apply to all users.

40
00:02:09.690 --> 00:02:13.890
This makes it easy to change and update rules as needed.

41
00:02:13.890 --> 00:02:16.890
For instance, access control lists on routers

42
00:02:16.890 --> 00:02:20.760
or firewalls are examples of Rule-Based Access Control.

43
00:02:20.760 --> 00:02:23.370
When administrators configure these rules,

44
00:02:23.370 --> 00:02:27.000
they affect all users on a specific network segment,

45
00:02:27.000 --> 00:02:30.210
applying the rules equally across the board

46
00:02:30.210 --> 00:02:32.310
based on the policy set.

47
00:02:32.310 --> 00:02:36.750
This approach provides consistent control over user access

48
00:02:36.750 --> 00:02:39.450
within an organization's network.

49
00:02:39.450 --> 00:02:43.530
Second, we have Mandatory Access Control or MAC.

50
00:02:43.530 --> 00:02:47.520
MAC is a strict Rule-Based Access Control model

51
00:02:47.520 --> 00:02:51.750
that enforces security policies based on classifications.

52
00:02:51.750 --> 00:02:56.490
Users cannot change or alter these policies on their own.

53
00:02:56.490 --> 00:03:00.810
Mandatory Access Control is commonly used in highly secure

54
00:03:00.810 --> 00:03:02.550
environments like government

55
00:03:02.550 --> 00:03:04.635
or military systems, where access

56
00:03:04.635 --> 00:03:07.950
to sensitive information depends on a user's

57
00:03:07.950 --> 00:03:09.780
security clearance.

58
00:03:09.780 --> 00:03:11.790
Only administrators can set

59
00:03:11.790 --> 00:03:14.100
and modify these access rules,

60
00:03:14.100 --> 00:03:16.050
ensuring that users have access

61
00:03:16.050 --> 00:03:18.900
to only the information they are authorized

62
00:03:18.900 --> 00:03:21.600
to see based on their clearance level.

63
00:03:21.600 --> 00:03:24.210
Mandatory Access Control operates

64
00:03:24.210 --> 00:03:27.450
by assigning security classification labels

65
00:03:27.450 --> 00:03:30.000
to both users and resources.

66
00:03:30.000 --> 00:03:31.980
Each resource is classified

67
00:03:31.980 --> 00:03:34.440
and users then must have an equal

68
00:03:34.440 --> 00:03:37.620
or higher classification level to access it.

69
00:03:37.620 --> 00:03:40.680
This type of access control is complex

70
00:03:40.680 --> 00:03:42.720
and expensive to configure,

71
00:03:42.720 --> 00:03:44.790
which is why it's typically reserved

72
00:03:44.790 --> 00:03:46.569
for high security systems.

73
00:03:46.569 --> 00:03:50.700
Every user and resource must have a security clearance

74
00:03:50.700 --> 00:03:53.610
label, and access must be granted

75
00:03:53.610 --> 00:03:56.340
based on matching those labels.

76
00:03:56.340 --> 00:04:00.150
So for the system to function, users and objects

77
00:04:00.150 --> 00:04:02.010
must be correctly labeled.

78
00:04:02.010 --> 00:04:05.970
If a user's clearance does not meet the classification level

79
00:04:05.970 --> 00:04:08.790
of a resource, access is blocked.

80
00:04:08.790 --> 00:04:12.450
For example, if a user holds a secret clearance,

81
00:04:12.450 --> 00:04:15.900
they can access resources classified as secret,

82
00:04:15.900 --> 00:04:18.300
confidential, or unclassified,

83
00:04:18.300 --> 00:04:20.100
but they will be denied access

84
00:04:20.100 --> 00:04:22.530
to anything labeled top secret.

85
00:04:22.530 --> 00:04:25.920
The configuration of Mandatory Access Control

86
00:04:25.920 --> 00:04:28.080
requires predefined rules,

87
00:04:28.080 --> 00:04:30.300
which are rigid and cannot be changed

88
00:04:30.300 --> 00:04:33.120
by individual users; only the system

89
00:04:33.120 --> 00:04:36.420
and its administrators can modify these labels.

90
00:04:36.420 --> 00:04:39.390
Mandatory Access Control is supported

91
00:04:39.390 --> 00:04:42.450
by specialized systems like SELinux,

92
00:04:42.450 --> 00:04:44.610
which is a security enhanced version

93
00:04:44.610 --> 00:04:46.890
of Linux developed by Red Hat.

94
00:04:46.890 --> 00:04:50.160
In partnership with the National Security Agency,

95
00:04:50.160 --> 00:04:53.670
SELinux provides Mandatory Access Controls

96
00:04:53.670 --> 00:04:58.080
and other security policies by modifying the Linux kernel,

97
00:04:58.080 --> 00:05:00.750
offering additional layers of protection.

98
00:05:00.750 --> 00:05:05.100
Third, we have Discretionary Access Control or DAC.

99
00:05:05.100 --> 00:05:09.390
DAC is the default access control method used in both

100
00:05:09.390 --> 00:05:12.360
Windows and Linux operating systems.

101
00:05:12.360 --> 00:05:16.740
Discretionary Access Control allows the owner of a resource,

102
00:05:16.740 --> 00:05:18.150
like a file or folder,

103
00:05:18.150 --> 00:05:21.240
to control who can access that resource.

104
00:05:21.240 --> 00:05:24.540
In an enterprise, a user might create a document

105
00:05:24.540 --> 00:05:28.080
and then decide who can read, edit, or delete it.

106
00:05:28.080 --> 00:05:32.160
This flexibility makes Discretionary Access Control easy

107
00:05:32.160 --> 00:05:34.200
to manage as the resource owner

108
00:05:34.200 --> 00:05:36.930
has full control over its permissions.

109
00:05:36.930 --> 00:05:39.210
With Discretionary Access Control,

110
00:05:39.210 --> 00:05:43.080
the resource owner can specify which users have access

111
00:05:43.080 --> 00:05:45.840
to each resource they own based on their

112
00:05:45.840 --> 00:05:47.430
identity or profile.

113
00:05:47.430 --> 00:05:50.670
This is often considered a need to know model

114
00:05:50.670 --> 00:05:54.510
where access is granted based on the owner's discretion.

115
00:05:54.510 --> 00:05:58.560
So while Discretionary Access Control provides flexibility

116
00:05:58.560 --> 00:06:01.140
for the owner, it can be less secure

117
00:06:01.140 --> 00:06:04.020
as users can grant permissions freely,

118
00:06:04.020 --> 00:06:06.000
which if not managed carefully,

119
00:06:06.000 --> 00:06:08.490
could lead to unauthorized access.

120
00:06:08.490 --> 00:06:10.530
Fourth and last, we have

121
00:06:10.530 --> 00:06:13.950
Attribute-Based Access Control or ABAC.

122
00:06:13.950 --> 00:06:16.530
ABAC is more dynamic and flexible

123
00:06:16.530 --> 00:06:18.930
than both Mandatory Access Control

124
00:06:18.930 --> 00:06:21.420
and Discretionary Access Control.

125
00:06:21.420 --> 00:06:24.870
Attribute-Based Access Control or ABAC grants

126
00:06:24.870 --> 00:06:27.120
access based on a combination

127
00:06:27.120 --> 00:06:30.570
of attributes related to the user, the resource,

128
00:06:30.570 --> 00:06:31.860
and the environment.

129
00:06:31.860 --> 00:06:34.440
For instance, in an enterprise setting,

130
00:06:34.440 --> 00:06:38.010
Attribute-Based Access Control might allow access

131
00:06:38.010 --> 00:06:42.030
to a system based on a user's role, department,

132
00:06:42.030 --> 00:06:44.850
and the location they are logging in from.

133
00:06:44.850 --> 00:06:47.910
This flexibility allows organizations

134
00:06:47.910 --> 00:06:51.090
to configure detailed access policies

135
00:06:51.090 --> 00:06:54.300
such as granting access to human resources

136
00:06:54.300 --> 00:06:56.790
documents only if the user is part

137
00:06:56.790 --> 00:06:58.800
of the human resources team,

138
00:06:58.800 --> 00:07:01.860
and if they're logging in from the corporate office

139
00:07:01.860 --> 00:07:03.720
during business hours.

140
00:07:03.720 --> 00:07:08.010
This makes Attribute-Based Access Control highly adaptable

141
00:07:08.010 --> 00:07:09.750
in complex environments,

142
00:07:09.750 --> 00:07:12.360
where many factors must be considered.

143
00:07:12.360 --> 00:07:16.710
Attribute-Based Access Control relies on various attributes

144
00:07:16.710 --> 00:07:19.380
to make access control decisions.

145
00:07:19.380 --> 00:07:23.820
User attributes can include details like username, role,

146
00:07:23.820 --> 00:07:27.510
organization, ID, or security clearance.

147
00:07:27.510 --> 00:07:31.290
Environmental attributes might involve the time of access,

148
00:07:31.290 --> 00:07:32.820
the user's location,

149
00:07:32.820 --> 00:07:36.330
or the current security level of the organization.

150
00:07:36.330 --> 00:07:39.270
Resource attributes could also include the file's

151
00:07:39.270 --> 00:07:42.720
creation date, the resource owner, the file name,

152
00:07:42.720 --> 00:07:45.390
or the data sensitivity level.

153
00:07:45.390 --> 00:07:48.480
Based on these attributes, access is granted

154
00:07:48.480 --> 00:07:51.870
or denied depending on the specific combination

155
00:07:51.870 --> 00:07:53.880
of factors being evaluated.

156
00:07:53.880 --> 00:07:57.810
For example, your company's SharePoint site might display

157
00:07:57.810 --> 00:08:00.900
different content based on your user profile

158
00:08:00.900 --> 00:08:04.110
and whether you are accessing it from the corporate office

159
00:08:04.110 --> 00:08:07.080
or remotely through a Virtual Private Network.

160
00:08:07.080 --> 00:08:11.232
This dynamic approach allows Attribute-Based Access Control

161
00:08:11.232 --> 00:08:16.050
to adjust access in real time, making it an ideal choice

162
00:08:16.050 --> 00:08:19.800
for organizations with complex security needs.

163
00:08:19.800 --> 00:08:22.890
I am on a Kali Linux virtual machine

164
00:08:22.890 --> 00:08:25.113
and am opening up a terminal.

165
00:08:28.050 --> 00:08:33.000
Let's explore Discretionary Access Control or DAC,

166
00:08:33.000 --> 00:08:35.130
meaning that the owner of a file

167
00:08:35.130 --> 00:08:38.220
has full control of its permissions.

168
00:08:38.220 --> 00:08:43.053
First, I'll create a file called myDACfile.text.

169
00:08:48.360 --> 00:08:53.360
In Linux, file extensions like Doc TXT are not required,

170
00:08:53.670 --> 00:08:56.970
but may still be used by convention.

171
00:08:56.970 --> 00:09:00.783
Next, let's take a look at the current file permissions.

172
00:09:04.410 --> 00:09:08.820
As you can see, the owner, me, which is the Kali user,

173
00:09:08.820 --> 00:09:12.240
has read write permissions on the file.

174
00:09:12.240 --> 00:09:14.880
The group associated with this file,

175
00:09:14.880 --> 00:09:19.410
Also, the Kali user group has read write permissions

176
00:09:19.410 --> 00:09:22.187
as well, and everyone else,

177
00:09:22.187 --> 00:09:27.187
all others has only read permissions.

178
00:09:27.210 --> 00:09:29.550
In Discretionary Access control,

179
00:09:29.550 --> 00:09:31.926
the owner, me, the Kali user,

180
00:09:31.926 --> 00:09:35.640
has full control over the permissions of the file

181
00:09:35.640 --> 00:09:38.610
that I, the owner just created.

182
00:09:38.610 --> 00:09:42.510
To demonstrate this, I'm going to give myself read, write,

183
00:09:42.510 --> 00:09:45.270
and execute permissions on this file

184
00:09:45.270 --> 00:09:48.570
and take all permissions away from all groups

185
00:09:48.570 --> 00:09:50.940
and all other users.

186
00:09:50.940 --> 00:09:53.463
I'll do that with the chmod command.

187
00:09:59.430 --> 00:10:00.780
Alright, let's take a look

188
00:10:00.780 --> 00:10:03.690
and see what permissions have changed.

189
00:10:03.690 --> 00:10:07.560
As you can see, I, the Kali owner and user

190
00:10:07.560 --> 00:10:11.127
have read, write, and execute permissions

191
00:10:11.127 --> 00:10:15.000
and all other permissions from all other users

192
00:10:15.000 --> 00:10:16.443
have been taken away.

193
00:10:17.400 --> 00:10:22.230
Next, I'll assign ownership of the myDACfile

194
00:10:22.230 --> 00:10:24.150
to the root user.

195
00:10:24.150 --> 00:10:25.830
Since it's my file

196
00:10:25.830 --> 00:10:29.430
and we are using Discretionary Access Control,

197
00:10:29.430 --> 00:10:31.740
I can change file group assignments

198
00:10:31.740 --> 00:10:34.830
or even give away file ownership.

199
00:10:34.830 --> 00:10:37.293
I'll do this with the chown command,

200
00:10:39.240 --> 00:10:41.733
and I'll assign it to the root user.

201
00:10:43.680 --> 00:10:46.140
All right, let me enter in my password

202
00:10:46.140 --> 00:10:49.590
and let's take a look at the file permissions,

203
00:10:49.590 --> 00:10:51.630
which have changed.

204
00:10:51.630 --> 00:10:56.010
As you can see here, I've given away ownership of the file

205
00:10:56.010 --> 00:10:58.050
to the root user.

206
00:10:58.050 --> 00:11:01.590
In Discretionary Access Control, ownership

207
00:11:01.590 --> 00:11:03.930
was mine to give away.

208
00:11:03.930 --> 00:11:08.930
So remember, Rule-Based Access Control manages user access

209
00:11:09.690 --> 00:11:13.920
by enforcing predefined rules set by administrators.

210
00:11:13.920 --> 00:11:17.550
These rules determine who can access resources

211
00:11:17.550 --> 00:11:21.210
and under what conditions, offering flexibility

212
00:11:21.210 --> 00:11:23.220
and control in environments,

213
00:11:23.220 --> 00:11:25.920
where access must be tightly managed.

214
00:11:25.920 --> 00:11:30.180
Mandatory Access Control is a strict rule-based model

215
00:11:30.180 --> 00:11:32.460
that enforces security policies

216
00:11:32.460 --> 00:11:34.410
based on classifications.

217
00:11:34.410 --> 00:11:38.820
Only administrators can modify access rules making MAC

218
00:11:38.820 --> 00:11:41.610
or Mandatory Access Control ideal

219
00:11:41.610 --> 00:11:45.330
for high security environments like government systems.

220
00:11:45.330 --> 00:11:49.530
Next, Discretionary Access Control gives resource owners

221
00:11:49.530 --> 00:11:53.820
full control over who can access their files, allowing them

222
00:11:53.820 --> 00:11:57.450
to grant or deny access at their discretion.

223
00:11:57.450 --> 00:12:01.500
While flexible Discretionary Access Control can be less

224
00:12:01.500 --> 00:12:04.590
secure as permissions are freely assigned

225
00:12:04.590 --> 00:12:06.480
by the content owners.

226
00:12:06.480 --> 00:12:10.860
Finally, Attribute-Based Access Control is more dynamic

227
00:12:10.860 --> 00:12:15.030
granting access based on a combination of attributes related

228
00:12:15.030 --> 00:12:17.910
to the user, resource, and environment,

229
00:12:17.910 --> 00:12:19.890
making it highly adaptable

230
00:12:19.890 --> 00:12:22.593
for complex security needs.