Category: CISSP

Content-Dependent Control & Context-Dependent Control

Basic concepts

One of the primary concepts in access control is to understand the subject and the object.

A subject may be a person, a process, or a technology component that either seeks access or controls the access. For example, an employee trying to access his business email account is a subject. Similarly, the system that verifies credentials such as a username and password is also termed a subject.

An object can be a file, data, physical equipment, or premises which need controlled access. For example, the email stored in the mailbox is an object that a subject is trying to access.

Controlling access to an object by a subject is the core requirement of an access control process and its associated mechanisms. In a nutshell, a subject either seeks or controls access to an object.


An access control mechanism can be classified broadly into the following two types:

  1. If access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, access history, and so on, then it is known as a context-dependent access control. In this type of control, the value of the asset being accessed is not a primary consideration. Providing the username and password combination followed by a challenge-and-response mechanism such as CAPTCHA, filtering access based on MAC addresses in wireless connections, or a firewall filtering data based on packet analysis are all examples of context-dependent access control mechanisms. Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a challenge-response test to ensure that the input to an access control system is supplied by humans and not by machines. This mechanism is predominantly used by web sites to prevent Web Robots (WebBots) from accessing the controlled section of the web site by brute-force methods.


  2. If access is provided based on the attributes or content of an object, then it is known as a content-dependent access control. In this type of control, the value and attributes of the content being accessed determine the control requirements. For example, hiding or showing menus in an application, views in databases, and access to confidential information are all content-dependent.


Source: https://hub.packtpub.com/cissp-security-measures-access-control/

Whether a database's data is shown at all, or how much of it is shown, is itself a form of access control. The word "context" can be read as everything other than the subject and the object; all of that is context. (ABAC, attribute-based access control, takes exactly this view: authorization is granted according to the attributes of the subject, the object, and the context/environment.)
Besides controlling how much data is disclosed (content-dependent), access can also be controlled by the environment (time of access, location, and so on).
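The two control types described above, together with the ABAC view in the commentary, as an added Python example that is not part of the original post or the Packt source: the context checks (time of day, network, failed-login history) are evaluated without looking at the record, while the content filter uses each record's own classification label and the subject's role to decide which rows and columns come back. The record contents, classification levels and rules are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample rows; "classification" is the content attribute a content-dependent rule uses.
RECORDS = (
    {"id": 1, "name": "A. Chen", "diagnosis": "flu", "classification": "internal"},
    {"id": 2, "name": "B. Lin", "diagnosis": "HIV+", "classification": "confidential"},
    {"id": 3, "name": "C. Wu", "diagnosis": "sprain", "classification": "internal"},
)
LEVEL = {"public": 0, "internal": 1, "confidential": 2}  # assumed ordering of labels

@dataclass
class Subject:
    clearance: str      # subject attribute: highest label the subject may read
    role: str           # subject attribute: "clinician" or anything else

@dataclass
class Context:          # everything that is neither subject nor object
    hour: int           # local hour of the request, 0-23
    network: str        # "office", "vpn" or "internet"
    failed_logins: int  # access history: recent failed attempts

@dataclass
class Decision:
    allowed: bool
    reason: str
    rows: tuple = ()

def context_check(ctx: Context):
    """Context-dependent rules: decide without looking at the asset's value."""
    if ctx.failed_logins >= 3:
        return "too many recent failed logins"
    if ctx.network == "internet":
        return "access only from office or VPN"
    if not 8 <= ctx.hour < 20:
        return "outside permitted hours"
    return None

def content_filter(subj: Subject, records) -> tuple:
    """Content-dependent rule: the record's own label decides row visibility,
    and a non-clinician never sees 'diagnosis' (a database-view style projection)."""
    visible = [r for r in records if LEVEL[r["classification"]] <= LEVEL[subj.clearance]]
    if subj.role != "clinician":
        visible = [{k: v for k, v in r.items() if k != "diagnosis"} for r in visible]
    return tuple(visible)

def authorize(subj: Subject, ctx: Context, records=RECORDS) -> Decision:
    """Context gates run first; content rules then shape what is returned."""
    denied = context_check(ctx)
    if denied:
        return Decision(False, denied)
    return Decision(True, "ok", content_filter(subj, records))
```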

Author: stevencho

He has worked in IT for more than twenty years and has a strong passion for information security, with over ten years of experience in areas such as Network Security, Endpoint Security, and Mobile Security. He previously served as technical manager of the security product distribution department at 精誠資訊, responsible for technical support of security products and deployment projects for large enterprises. He also holds the ISO 27001 Lead Auditor certificate and Check Point's CCSA and CCSE firewall product certifications.