4.3 Implement identity and access management controls Flashcards
Access control models
Select an appropriate model from DAC, RBAC, ABAC, and MAC based on the security requirement and available resources.
A model like MAC, RBAC, or ABAC needs support in the underlying OS and application software to implement, so identify how provisioning this software will affect the decision.
Identify user account types to implement within the model, such as standard users and types of privileged users.
Identify what service accounts will be needed and how they will be secured against misuse.
Identify group or role account types and how users will be allocated to them.
Ideally, eliminate any dependency on shared and generic account types.
MAC
(mandatory access control) An access control model where resources are protected by inflexible, system-defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).
DAC
(discretionary access control) Access control model where each resource is protected by an Access Control List (ACL) managed by the resource’s owner (or owners).
ABAC
(attribute-based access control) An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
Role-based access control
A set of organizational roles is defined, and users are allocated to those roles. Under this system, the right to modify roles is reserved to administrative accounts.
Rule-based access control
Refers to any access control model where access control policies are determined by system-enforced rules rather than by system users.
Proximity cards
A contactless smart card that can transfer data using a tiny antenna embedded in the card.
Smart cards
A credit card-sized device with an integrated chip and data interface.
False acceptance rate
False positives or Type II error
False rejection rate
False negatives or Type I error
Crossover error rate
The point at which false rejection rate and false acceptance rate meet. The lower the CER, the more efficient and reliable the technology.
HOTP/TOTP
(HMAC-based One-time Password) An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.
PIV/CAC/smart card
(Personal Identity Verification card) A smart card that meets the standards for FIPS 201, in that it is resistant to tampering and provides quick electronic authentication of the card’s owner.
IEEE 802.1x
A port-based network access control framework that works with smart cards and other token-based systems.