5. Identity And Access Management Flashcards
What does IAAA stand for?
Identification, Authentication, Authorization, and Accounting
Define identity and access management
Services/policies/procedures for managing a digital identity.
What is the regulation that dictates that security controls must be audited annually?
Sarbanes-Oxley (SOX)
Define authorization
Confirms that the authenticated entity (user) has the privileges and permissions necessary to access what they want to access.
What are CRUD operations?
Create, Read, Update and Delete
What should privileges always be based on?
Least privilege.
Define accountability
Tracing an action to a subject (user).
- Also known as auditing.
What must accountability include to be legitimate?
- The subject
- The action
- The object on which the action was performed
- A timestamp
What is DAC?
Discretionary Access Control
- Security of objects is at the owner's control and granted through an ACL.
- Identity-based.
- Common in commercial products and all client-based systems.
What is MAC?
Mandatory Access Control
- The data owner cannot grant access.
- The OS makes the granting decision based on a security label system.
- The subject's label must dominate the object's label.
- Rules are configured by the security officer and enforced by the OS.
What is RBAC?
Role-Based Access Control.
- Good at fixing authorization creep.
What can you authenticate your identity with?
- Something you know
- Something you have
- Something you are
Having two of these is called strong authentication, or two-factor authentication.
What are static biometric measures?
Biometric markers that do not change.
E.g. your fingerprint, hand geometry, iris, retina pattern.
What are dynamic biometrics?
Biometrics that are based on your behavioral traits.
E.g. voice, gait, signature, keyboard cadence, etc.
What is a type 1 accuracy error?
FRR (false rejection rate)
A legitimate user is barred from access.
Usually happens when the system requires too much identifying information.