Access Control System Flashcards
a collection of mechanisms that work together to create security architecture to protect the assets of an information system
Access controls
One of the goals of access control is ______________ ___________, which is the mechanism that proves someone performed a computer activity at a specific point in time
personal accountability
Access control is the heart of an information technology (IT) security system and is needed to meet the major objectives of InfoSec:
Confidentiality and Integrity
uniquely identify the users of an information system
Identification credentials
Cite examples of identification credentials:
Examples: name, initials, email address, or a meaningless string of characters, Social Security number, IDs, and others
permit the system to verify one’s identification credential
Authentication credentials
Cite an example of an authentication credential:
Password
- The predominant strategy to ensure confidentiality
- The objective is to give people the least amount of access to a system that is needed to perform the job they’re doing
Least Privilege (Need-to-Know)
Maintains overall responsibility for the information within an information system
Information Owner
The ________________ must be the one to make the decisions about who uses the system and how to recover the system in the event of a disaster
information owner
dictates that the information owner is the one who decides who gets to access the system(s)
Principle of Discretionary Access Control (DAC)
A list or a file of users who are given the privilege of access to a system or resource (a database, for example)
Access Control Lists
- Granting access to new employees
- Includes checking management approvals before granting access
User Provisioning
- The system decides who gains access to information based on the concepts of subjects, objects, and labels
- Often used in military and government systems
Mandatory Access Control
Mandatory Access Control is also called…
Nondiscretionary Access Control
The people or other systems that are granted a clearance to access an object within the information system
Subjects
The elements within the information system that are being protected from use or access
Objects
The mechanism that binds objects to subjects. A subject’s clearance permits access to an object based on the labeled security protection assigned to that object
Labels
Involves assigning users to a group and then assigning rights to the group for access control purposes
Role-Based Access Control
are most appropriate where there is high turnover of employees and/or frequent movements between job roles
Role-Based Access Control
The idea of authentication is that only the legitimate user possesses the secret information needed to prove to a system that she has the right to use a specific user ID
Principles of Authentication
These secrets are commonly passwords, but history has shown that passwords are problematic:
Passwords can be insecure
Passwords are easily broken
Passwords are inconvenient
Passwords are repudiable
Passwords are an example of a…
single-factor authentication
- Using more than one authentication mechanism
Multifactor Authentication