Protecting Applications and Data: Managerial Controls and Access Controls
| English | Chinese | Pinyin |
|---|---|---|
| at rest | 静态数据 | jìng tài shù jù |
| in transit | 传输中数据 | chuán shū zhōng shù jù |
| in use | 使用中数据 | shǐ yòng zhōng shù jù |
| PII | 个人身份信息 | gè rén shēn fèn xìn xī |
| PHI | 受保护健康信息 | shòu bǎo hù jiàn kāng xìn xī |
| PCI | 支付卡信息 | zhī fù kǎ xìn xī |
| RBAC | 基于角色的访问控制 | jī yú jué sè de fǎng wèn kòng zhì |
| RuBAC | 基于规则的访问控制 | jī yú guī zé de fǎng wèn kòng zhì |
| DAC | 自主访问控制 | zì zhǔ fǎng wèn kòng zhì |
| MAC | 强制访问控制 | qiáng zhì fǎng wèn kòng zhì |
| principle of least privilege | 最小权限原则 | zuì xiǎo quán xiàn yuán zé |
Data states and laws
- Data can be at rest 静态数据, in transit 传输中数据, or in use 使用中数据.
- Laws protect PII 个人身份信息, PHI 受保护健康信息, and PCI 支付卡信息.
- Sensitive data earns stronger controls.
Four access-control models
- RBAC 基于角色的访问控制: access follows your role.
- RuBAC 基于规则的访问控制: access follows a condition (like time).
- DAC 自主访问控制: the owner decides. MAC 强制访问控制: a central admin sets levels.
Which access-control model fits the rule?
RBAC follows your role; RuBAC follows a condition; DAC lets the owner decide; MAC uses central levels.
"Allow access only during business hours" describes which model?
A condition (time) = RuBAC.
In ____ access control, the owner of a file decides who else may use it.
DAC = the owner decides.
Linux permissions
- Each file has read (4), write (2), execute (1) for owner, group, others.
chmod 640= owner read+write (6), group read (4), others none (0).- The principle of least privilege 最小权限原则 guides every model.
Tell the four access models apart by their decider, not their name. RBAC = your role, RuBAC = a condition, DAC = the file's owner, MAC = a central admin. Exam questions describe the rule and ask you to name the model.
What single number sets owner read+write, group read, others none? (chmod ___)
6 (4+2), 4, 0 → 640.
The principle of least privilege gives each entity exactly the access it needs, no more.
Least privilege limits access to what is needed.
Match each access model to its decider.
Each model has a different decider.
To set report.txt so the owner can read and write, the group can only read, and others get nothing: read+write = 4+2 = 6, read = 4, none = 0. The command is chmod 640 report.txt.
Data is protected by its state and by law (PII/PHI/PCI). Access control uses four models — RBAC (role), RuBAC (condition), DAC (owner), MAC (admin levels) — all guided by least privilege. On Linux, permissions add read 4 + write 2 + execute 1 per group.