Access Control Flashcards
Which statement correctly describes biometric methods? A. They are the least expensive and provide the most protection. B. They are the most expensive and provide the least protection. C. They are the least expensive and provide the least protection. D. They are the most expensive and provide the most protection.
D. Compared with the other available authentication mechanisms, biometric methods provide the highest level of protection and are the most expensive.
Authorization Creep
What is authorization creep*? Permissions accumulate over time (for example as a user moves between roles) and are never revoked, even when they are no longer needed. Periodic auditing of authorizations, comparing what each user actually holds against what their current role requires, helps mitigate this. SOX requires yearly auditing.
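The audit described above, as an added example that is not part of the original flashcards: it compares every permission a user holds against the baseline of the role they currently occupy and reports the leftovers. The role history, role baselines and grant records are constructed for illustration.

```python
# Added example (not from the original flashcards): an authorization audit that
# flags permissions a user still holds from a role they no longer occupy.
# ROLE_HISTORY, ROLE_BASELINE and GRANTS are constructed sample data.
from datetime import date

ROLE_HISTORY = {           # user -> [(effective_date, role)] in chronological order
    "alice": [(date(2019, 1, 1), "sales"), (date(2021, 6, 1), "engineering")],
    "bob":   [(date(2020, 3, 1), "sales")],
}

ROLE_BASELINE = {          # what each role legitimately needs
    "sales":       {"share:sales-q4", "db:crm-read"},
    "engineering": {"repo:backend-write", "db:ci-read"},
}

GRANTS = [                 # (user, permission, granted_on, role it was justified by)
    ("alice", "share:sales-q4",     date(2019, 3, 1), "sales"),
    ("alice", "db:crm-read",        date(2020, 2, 1), "sales"),
    ("alice", "repo:backend-write", date(2021, 7, 1), "engineering"),
    ("bob",   "db:crm-read",        date(2020, 3, 5), "sales"),
]


def role_on(user, as_of):
    """Role the user held on a given date, or None if not yet employed."""
    role = None
    for effective, r in ROLE_HISTORY.get(user, []):
        if effective <= as_of:
            role = r
    return role


def audit_creep(grants, as_of):
    """Return {user: [permissions not covered by the user's current role]}.

    A grant is creep when the role that justified it is no longer the role
    the user holds and the current role's baseline does not need it either.
    """
    findings = {}
    for user, perm, granted_on, _justified_by in grants:
        if granted_on > as_of:
            continue                       # not yet granted on the audit date
        needed = ROLE_BASELINE.get(role_on(user, as_of), set())
        if perm not in needed:
            findings.setdefault(user, []).append(perm)
    return findings


if __name__ == "__main__":
    # Alice changed from sales to engineering in 2021 but kept her sales grants.
    print(audit_creep(GRANTS, date(2024, 1, 1)))
```

Run against the yearly audit date; every permission reported is a revocation candidate that the user's current manager should confirm or remove.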
Access Controls
Access controls are security features that control how people interact with systems and resources. The goal is to protect against unauthorized access.
Access
The data flow between an object and a subject.
Access Control Subject
A person, process or program that requests access.
Object
A resource (file, printer, etc.)
Components of Access Control
IA3 (Identification, Authentication, Authorization, Auditing)
- Identification – who am I? (user ID etc.)
- Authentication – prove that I am who I say I am
- Authorization – now what am I allowed to access?
- Auditing – Big Brother can see what I accessed.
Authentication: proving you are who you say you are, usually with one (or more) of these three factors.
Something you know (password)
Something you have (smart card / token)
Something you are (biometrics)
Identity Management
Identity management products identify, authenticate and authorize users in an automated way. It is a broad term; these products may (or may not) include:
- User account management
- Access controls
- Password management
- Single sign-on
- Permissions
Directories
Information about the users and resources. LDAP (based on X.500).
Key concepts are namespaces (like branches of a tree) and DNs (distinguished names). A DN is the full path of an entry, written leaf-first as a sequence of RDNs: typically a CN, zero or more OUs, then several DCs, e.g. CN=Alice,OU=Staff,DC=example,DC=com. The OUs and DCs name the namespace (the branch of the tree); the CN names the entry within it.
Active Directory (an implementation of LDAP); legacy NT (flat directory structure); Novell NetWare.
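The DN and namespace concepts above, as an added example that is not part of the original flashcards: a small DN parser that splits a DN into its RDNs (honouring escaped commas inside values), prints the namespace branch root-first, and checks whether an entry sits under a given container. The sample DNs are constructed for illustration.

```python
# Added example (not from the original flashcards): parse LDAP distinguished
# names into RDN components and test namespace membership.
# SAMPLE_DNS are constructed for illustration.

SAMPLE_DNS = [
    "CN=Alice Smith,OU=Engineering,OU=Staff,DC=example,DC=com",
    "CN=Jones\\, Bob,OU=Sales,DC=example,DC=com",   # escaped comma inside a value
]


def split_rdns(dn):
    """Split a DN string on unescaped commas, leaf RDN first."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parse_dn(dn):
    """Return [(attribute_type, value), ...] leaf first, with escapes removed."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().upper(), value.replace("\\,", ",")))
    return rdns


def namespace_path(dn):
    """Root-first path of the entry: the branch of the tree it sits on."""
    return [f"{attr}={value}" for attr, value in reversed(parse_dn(dn))]


def is_under(dn, container_dn):
    """True if dn lies inside the namespace rooted at container_dn.

    Values are compared case-insensitively, as LDAP matching usually is.
    """
    entry = [(a, v.lower()) for a, v in parse_dn(dn)]
    container = [(a, v.lower()) for a, v in parse_dn(container_dn)]
    return len(entry) > len(container) and entry[-len(container):] == container


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(" / ".join(namespace_path(dn)))
    print(is_under(SAMPLE_DNS[0], "ou=staff,dc=example,dc=com"))
```

The suffix comparison in is_under is exactly how a directory scopes a subtree search or an OU-level permission: an entry belongs to a container when the container's RDNs are the tail of the entry's DN.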
Federation / ADFS
A federation is multiple computing and/or network providers agreeing upon standards of operation in a collective fashion (self-governing entities that agree on common ground to ease access between them). A federated identity is an identity and its entitlements that can be used across business boundaries.
Examples: MS Passport, Google Checkout, Active Directory Federation Services (ADFS).
DAC
Discretionary Access Control
The owner or creator of a resource specifies which subjects have which access to it, at the discretion of the data owner*. The common example is an ACL (access control list): a list attached to an object naming the subjects and the operations each may perform on it.
Commonly implemented in commercial products (Windows, Linux, macOS).
MAC
Mandatory Access Control
Data owners cannot grant access!* The OS makes the decision based on a security label system*.
Users are given a clearance level and data a classification label (confidential, secret, top secret, etc.)*; access is allowed only when the user's clearance dominates the data's label.
Rules for access are configured by the security officer and enforced by the OS.
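The DAC and MAC cards above side by side, as an added example that is not part of the original flashcards: the same read request decided once by an owner-managed ACL and once by system-compared labels, where the object owner has no way to grant anything. Subjects, objects, levels and the security officer name are constructed for illustration; the write rule (no write down) is the Bell-LaPadula *-property, which the flashcards do not mention.

```python
# Added example (not from the original flashcards): DAC (owner grants via ACL)
# versus MAC (security officer labels, OS compares). All names are constructed.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class DacFile:
    """DAC: the owner decides who may access the object, via its ACL."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}   # subject -> permissions

    def grant(self, actor, subject, perm):
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner and cannot grant")
        self.acl.setdefault(subject, set()).add(perm)

    def allowed(self, subject, perm):
        return perm in self.acl.get(subject, set())


class MacKernel:
    """MAC: labels and clearances are set by the security officer only;
    the kernel compares them. There is deliberately no grant() for owners."""

    def __init__(self, security_officer):
        self.security_officer = security_officer
        self.clearance = {}   # subject -> level
        self.labels = {}      # object -> classification level

    def _require_officer(self, actor):
        if actor != self.security_officer:
            raise PermissionError("only the security officer assigns labels")

    def set_clearance(self, actor, subject, level):
        self._require_officer(actor)
        self.clearance[subject] = LEVELS[level]

    def set_label(self, actor, obj, level):
        self._require_officer(actor)
        self.labels[obj] = LEVELS[level]

    def allowed(self, subject, obj, perm):
        if subject not in self.clearance or obj not in self.labels:
            return False                   # unlabeled or uncleared: fail closed
        c, l = self.clearance[subject], self.labels[obj]
        if perm == "read":
            return c >= l                  # no read up (simple security rule)
        if perm == "write":
            return c <= l                  # no write down (*-property)
        return False


def demo():
    """Run both models on the same requests and return the outcomes."""
    results = {}
    f = DacFile(owner="alice")
    f.grant("alice", "bob", "read")
    results["dac_bob_reads"] = f.allowed("bob", "read")
    try:
        f.grant("bob", "carol", "read")    # bob is not the owner
        results["dac_bob_grants"] = True
    except PermissionError:
        results["dac_bob_grants"] = False

    k = MacKernel(security_officer="sec_officer")
    k.set_clearance("sec_officer", "alice", "secret")
    k.set_label("sec_officer", "plan.doc", "top secret")
    k.set_label("sec_officer", "memo.doc", "confidential")
    results["mac_alice_reads_topsecret"] = k.allowed("alice", "plan.doc", "read")
    results["mac_alice_reads_confidential"] = k.allowed("alice", "memo.doc", "read")
    results["mac_alice_writes_confidential"] = k.allowed("alice", "memo.doc", "write")
    try:
        k.set_label("alice", "plan.doc", "unclassified")   # not the officer
        results["mac_alice_relabels"] = True
    except PermissionError:
        results["mac_alice_relabels"] = False
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point to notice is structural: in DacFile the access decision is data the owner edits, while in MacKernel the decision is a comparison the subject cannot influence, which is why relabelling is the only lever and it belongs to the security officer.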
Rule-Based Access Control
RBAC (the same abbreviation is often used for Role-Based Access Control, a different model; check which one a question means)
Considered a “compulsory control” because the rules are strictly enforced and not modifiable by users. Routers and firewalls use rule-based access control heavily.
Access Control Technology / Techniques
- Constrained user interfaces* (view, shell, menu, physical)
- Access control matrix*
- Capability tables*
- ACL*
- Content-dependent access control
- Context-dependent access control
You should really know ALL of these and be able to differentiate between similar types!
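The matrix, capability table, ACL and content-dependent cards above, as an added example that is not part of the original flashcards: one access control matrix from which an ACL (a column) and a capability table (a row) are derived, a round trip showing the two views carry the same information, and a content-dependent filter that decides on the data inside a record rather than on the record as an object. Subjects, objects, records and field names are constructed for illustration.

```python
# Added example (not from the original flashcards): access control matrix,
# the ACL and capability-table views of it, and a content-dependent filter.
# MATRIX, SENSITIVE_FIELDS and the records used are constructed sample data.

# rows = subjects, columns = objects, cells = permission sets
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "printer1": {"print"}},
    "bob":   {"payroll.db": {"read"},          "printer1": {"print"}},
    "carol": {"printer1": {"print"}},
}


def capability_table(matrix, subject):
    """One ROW of the matrix: the capabilities a subject carries with it."""
    return {obj: set(perms) for obj, perms in matrix.get(subject, {}).items()}


def acl(matrix, obj):
    """One COLUMN of the matrix: the list bound to the object."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if obj in row}


def authorized(matrix, subject, obj, perm):
    """Matrix lookup; a missing row or cell means no access (fail closed)."""
    return perm in matrix.get(subject, {}).get(obj, set())


def matrix_from_acls(acls):
    """Rebuild the matrix from per-object ACLs: the two views are equivalent."""
    matrix = {}
    for obj, entries in acls.items():
        for subj, perms in entries.items():
            matrix.setdefault(subj, {})[obj] = set(perms)
    return matrix


# Content-dependent access control: the decision depends on the data itself.
SENSITIVE_FIELDS = {"salary", "ssn"}


def content_filtered_view(record, subject, hr_members):
    """Return the record; sensitive fields are stripped unless subject is in HR."""
    if subject in hr_members:
        return dict(record)
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}


if __name__ == "__main__":
    print("ACL for payroll.db:", acl(MATRIX, "payroll.db"))
    print("Capabilities of carol:", capability_table(MATRIX, "carol"))
    print(content_filtered_view({"name": "bob", "salary": 50000}, "bob", {"alice"}))
```

Real systems store one view or the other, never the full matrix: an OS filesystem keeps ACLs next to each object, while a capability system hands subjects unforgeable tokens. The matrix is the model you reason about; the round trip above is the proof that nothing is lost either way.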
Context-Dependent Access Control
Makes access decisions based on the context of a collection of information rather than on the sensitivity of the data.
A system that uses context-dependent access control “reviews the situation” and then makes a decision. For example, a stateful firewall makes context-based access decisions: it tracks the TCP handshake (SYN, then SYN-ACK, then ACK) and only passes packets that belong to a connection in the expected state.
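The rule-based and context-dependent cards above together, as an added example that is not part of the original flashcards: a toy stateful firewall whose rule base is a fixed, ordered list (rule-based control) and whose per-packet verdict also depends on where the packet falls in the SYN, SYN-ACK, ACK handshake (context-dependent control). An unsolicited SYN-ACK or a stray ACK is denied even though a rule would match its headers. The rule base and the traffic are constructed for illustration.

```python
# Added example (not from the original flashcards): rule-based matching plus a
# context-dependent TCP handshake state table. RULES and HANDSHAKE are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

# Ordered rule base, first match wins; fixed by the administrator, not by users.
RULES = [
    {"action": "allow", "dst": "10.0.0.5", "dport": 443},
    {"action": "deny",  "dst": "*",        "dport": "*"},
]


def rule_decision(rules, pkt):
    """Rule-based access control: a static match on packet headers only."""
    for r in rules:
        if r["dst"] in ("*", pkt.dst) and r["dport"] in ("*", pkt.dport):
            return r["action"]
    return "deny"                       # implicit default deny


class StatefulFirewall:
    """Context-dependent access control: the verdict also depends on the
    handshake state the packet belongs to, not just on its headers."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = {}                 # (client, cport, server, sport) -> state

    def decide(self, pkt):
        flags = frozenset(pkt.flags)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # client -> server
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # server -> client

        if fwd in self.conns:           # client -> server on a known flow
            state = self.conns[fwd]
            if state == "SYN_SENT" and flags == {"SYN"}:
                return "allow"          # SYN retransmit
            if state == "SYN_RECEIVED" and flags == {"ACK"}:
                self.conns[fwd] = "ESTABLISHED"
                return "allow"
            if state == "ESTABLISHED" and "ACK" in flags and "SYN" not in flags:
                if flags & {"FIN", "RST"}:
                    del self.conns[fwd]  # connection torn down
                return "allow"
            return "deny"               # does not fit the expected state

        if rev in self.conns:           # server -> client on a known flow
            state = self.conns[rev]
            if state == "SYN_SENT" and flags == {"SYN", "ACK"}:
                self.conns[rev] = "SYN_RECEIVED"
                return "allow"
            if state == "ESTABLISHED" and "ACK" in flags and "SYN" not in flags:
                if flags & {"FIN", "RST"}:
                    del self.conns[rev]
                return "allow"
            return "deny"

        # Unknown flow: only a bare SYN may open one, and only if a rule allows it.
        if flags == {"SYN"} and rule_decision(self.rules, pkt) == "allow":
            self.conns[fwd] = "SYN_SENT"
            return "allow"
        return "deny"                   # unsolicited SYN/ACK, stray ACK, etc.


def run(fw, packets):
    """Feed packets in order and return the verdict for each."""
    return [fw.decide(p) for p in packets]


# Constructed traffic: a legitimate handshake to the allowed service, then data.
HANDSHAKE = [
    Packet("192.168.1.10", 50000, "10.0.0.5", 443, ("SYN",)),
    Packet("10.0.0.5", 443, "192.168.1.10", 50000, ("SYN", "ACK")),
    Packet("192.168.1.10", 50000, "10.0.0.5", 443, ("ACK",)),
    Packet("192.168.1.10", 50000, "10.0.0.5", 443, ("ACK", "PSH")),
]

if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    print(run(fw, HANDSHAKE))
    print(fw.decide(Packet("10.0.0.5", 443, "192.168.1.10", 50000, ("SYN", "ACK"))))
```

Note that the reply direction never consults the rule base at all: the SYN-ACK from 10.0.0.5 is allowed only because a SYN went out first. That is the practical difference between a packet filter (rules alone) and a stateful firewall (rules plus context).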