Access control & memory Flashcards
What is access control?
a broad term that describes the administrative, physical, and technical controls that regulate the interaction between subjects and objects
What is access control also known as?
Identity and access management (IAM)
What is a subject?
any active entity that requests access to a resource (an object)
Examples of subjects (2)
- Users
- Processes
What is an object?
a resource, a passive entity that is or contains the information that is needed by a subject
Examples of resources (3)
- files
- I/O
- database entries
What is access control used for?
granting, preventing, or revoking access to an object
What are the four stages of the access control process?
- Identification
- Authentication
- Authorisation
- Accounting
What are the three authentication methods?
- knowledge
- ownership
- characteristic
What is a type 1 error (false rejection)?
when a known, legitimate, authorised user is rejected as an unknown/unauthorised user
What is a type 2 error (false acceptance)?
when an unknown/unauthorised user is authenticated as a known/authorised user
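The two error types above as an added worked example (not part of the original flashcards): a score-based authenticator, such as a biometric matcher, accepts a sample when its match score reaches a threshold. The scores and function names below are constructed for the example. Raising the threshold trades type 2 errors (false acceptances) for type 1 errors (false rejections); the crossover threshold is where the two rates meet.

```python
"""Type 1 (false rejection) and type 2 (false acceptance) rates for a
score-based authenticator such as a biometric matcher.

Added example, not from the original flashcards. The scores are
constructed sample data, not real matcher output.
"""

# Constructed sample: similarity scores (0..1) from comparing a presented
# sample against the enrolled template.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61]   # legitimate users
IMPOSTOR_SCORES = [0.12, 0.25, 0.33, 0.41, 0.48, 0.55, 0.63, 0.72]  # unauthorised users


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (false_rejection_rate, false_acceptance_rate) at a threshold.

    A sample is accepted when score >= threshold.
    Type 1 error: a genuine user scores below the threshold and is rejected.
    Type 2 error: an impostor scores at or above the threshold and is accepted.
    """
    false_rejections = sum(1 for s in genuine if s < threshold)
    false_acceptances = sum(1 for s in impostor if s >= threshold)
    frr = false_rejections / len(genuine)
    far = false_acceptances / len(impostor)
    return frr, far


def crossover_threshold(steps=100):
    """Threshold (on a grid of `steps` points) where FRR and FAR are closest;
    the first such point is returned. Integer stepping avoids float drift."""
    best_t, best_gap = None, float("inf")
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(t)
        gap = abs(frr - far)
        if gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


if __name__ == "__main__":
    for t in (0.5, 0.65, 0.8):
        frr, far = error_rates(t)
        print(f"threshold={t:.2f}  FRR(type 1)={frr:.3f}  FAR(type 2)={far:.3f}")
    print("crossover threshold:", crossover_threshold())
```

At 0.5 nobody legitimate is rejected but three of eight impostors get in; at 0.8 every impostor is stopped but five of eight legitimate users are turned away. Which side of the crossover to sit on is a policy decision, not a property of the matcher.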
What is multi-factor authentication?
requiring multiple independent pieces of evidence to establish identity
What are the three requirements for authorisation?
- Implicit deny
- Need to know
- Separation of duties
What is implicit deny?
if no rule is specified for the transaction of the subject/object, the authorization policy should deny the transaction (conforming with the more general “default-safe” principle)
What is meant by “need to know”?
a subject should be granted access to an object only if the access is needed to carry out the job of the subject (conforming with the more general “least-privilege” principle)
What is “separation of duties”?
a single individual should not perform all the critical- or privileged-level duties. Important duties must be separated/divided among several individuals
Access control models (4)
- Mandatory Access Control: MAC
- Discretionary Access Control: DAC
- Role-Based Access Control: RBAC
- Attribute-Based Access Control: ABAC
Alternative name for mandatory access control (MAC)?
Rule-based access control
Alternative name for discretionary access control (DAC)?
Identity-based access control
What is an access control policy?
a specification for an access decision function
Examples of access control policies (2)
Bell-LaPadula & Biba
What does the Bell-LaPadula access control policy model guarantee?
Confidentiality
What does the Biba access control policy model guarantee?
Data integrity
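Both policies above as an added worked example (not part of the original flashcards). Bell-LaPadula protects confidentiality with "no read up, no write down"; Biba protects integrity with the mirror image, "no read down, no write up". The level names, the policy functions and the combined check are constructed for the example; the combined check goes beyond the cards to show what happens when both models are applied over the same labels.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) read/write rules
over a linearly ordered set of levels.

Added example, not from the original flashcards. Level names and
function names are constructed. For Bell-LaPadula the levels are
sensitivity levels; for Biba they are integrity levels.
"""

LEVELS = ["low", "medium", "high"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def bell_lapadula(subject_level, object_level, op):
    """Confidentiality. Simple security property: no read up.
    *-property: no write down. Any other operation is denied."""
    s, o = RANK[subject_level], RANK[object_level]
    if op == "read":
        return s >= o          # may only read at or below own level
    if op == "write":
        return s <= o          # may only write at or above own level
    return False


def biba(subject_level, object_level, op):
    """Integrity. Simple integrity property: no read down.
    *-integrity property: no write up. Exactly the mirror of Bell-LaPadula."""
    s, o = RANK[subject_level], RANK[object_level]
    if op == "read":
        return s <= o          # may only read at or above own level
    if op == "write":
        return s >= o          # may only write at or below own level
    return False


def both_models(subject_level, object_level, op):
    """Apply both policies over the same labels. Because each rule is the
    other's mirror, only same-level access survives (s >= o and s <= o)."""
    return (bell_lapadula(subject_level, object_level, op)
            and biba(subject_level, object_level, op))


def decide(policy, subject_level, object_level, op):
    """Access decision function built from one policy: 'allow' or 'deny'."""
    return "allow" if policy(subject_level, object_level, op) else "deny"


def tabulate(policy, op):
    """Policy over every (subject level, object level) pair for one operation."""
    return {s: {o: policy(s, o, op) for o in LEVELS} for s in LEVELS}


if __name__ == "__main__":
    for name, policy in (("Bell-LaPadula", bell_lapadula), ("Biba", biba)):
        for op in ("read", "write"):
            print(f"{name} {op}:")
            for s, row in tabulate(policy, op).items():
                print("  subject", s, {o: decide(policy, s, o, op) for o in row})
```

The `both_models` row is the practical caveat: stacking the two models on one set of labels leaves a subject able to touch only objects at exactly its own level, which is why real systems use separate confidentiality and integrity labels when they need both.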
How is access control often expressed?
Using an access control matrix
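An access control matrix, together with the implicit-deny and separation-of-duties requirements from the earlier cards, as an added worked example (not part of the original flashcards). The subjects, objects, rights and function names are constructed. The matrix stores only explicit grants, so any lookup that finds no entry is denied; the `acl` and `capabilities` helpers are the standard column and row readings of the same matrix, which the cards do not mention.

```python
"""Access control matrix with an implicit-deny decision function and a
separation-of-duties check.

Added example, not from the original flashcards. Subjects, objects and
rights are constructed; the ACL/capability-list views are the usual
column/row readings of the matrix.
"""
import copy

# Pairs of rights no single subject may hold on the same object.
# Submitting and approving the same payment is the classic conflict.
SOD_CONFLICTS = [("submit", "approve")]


def build_matrix():
    """Constructed matrix: subject -> object -> set of explicitly granted rights.
    Anything not listed is denied (implicit deny), so only grants are stored."""
    return {
        "alice":      {"payments": {"read", "submit"}, "audit.log": {"read"}},
        "bob":        {"payments": {"read", "approve"}},
        "backup_svc": {"payments": {"read"}, "audit.log": {"read"}},  # a process is a subject too
    }


def is_allowed(matrix, subject, obj, right):
    """Access decision function. Unknown subject, unknown object or an
    unlisted right all fall through to False: no rule means deny."""
    return right in matrix.get(subject, {}).get(obj, set())


def sod_violations(matrix, conflicts=SOD_CONFLICTS):
    """List every (subject, object, right_a, right_b) where one subject
    holds both rights of a conflicting pair on the same object."""
    found = []
    for subject, objects in matrix.items():
        for obj, rights in objects.items():
            for a, b in conflicts:
                if a in rights and b in rights:
                    found.append((subject, obj, a, b))
    return found


def grant(matrix, subject, obj, right, conflicts=SOD_CONFLICTS):
    """Return a copy of the matrix with the right added, refusing any grant
    that would give one subject both halves of a conflicting pair."""
    held = matrix.get(subject, {}).get(obj, set())
    for a, b in conflicts:
        if (right == a and b in held) or (right == b and a in held):
            raise ValueError(
                f"separation of duties: {subject} may not hold both "
                f"{a!r} and {b!r} on {obj}")
    new = copy.deepcopy(matrix)
    new.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return new


def revoke(matrix, subject, obj, right):
    """Return a copy with the right removed; revoking an absent right is a no-op."""
    new = copy.deepcopy(matrix)
    new.get(subject, {}).get(obj, set()).discard(right)
    return new


def acl(matrix, obj):
    """Column view: the object's access control list, subject -> rights."""
    return {s: objs[obj] for s, objs in matrix.items() if obj in objs}


def capabilities(matrix, subject):
    """Row view: the subject's capability list, object -> rights."""
    return dict(matrix.get(subject, {}))


if __name__ == "__main__":
    m = build_matrix()
    print("alice read payments:", is_allowed(m, "alice", "payments", "read"))        # granted
    print("alice approve payments:", is_allowed(m, "alice", "payments", "approve"))  # not granted: denied
    print("mallory read payments:", is_allowed(m, "mallory", "payments", "read"))    # unknown subject: denied
    print("ACL for payments:", acl(m, "payments"))
    print("capabilities of bob:", capabilities(m, "bob"))
    try:
        grant(m, "alice", "payments", "approve")
    except ValueError as e:
        print("refused:", e)
```

`grant` and `revoke` return a new matrix rather than mutating the old one, so a refused grant leaves the policy untouched and the decision function never sees a half-applied change.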