Access Controls Concepts Flashcards
CC Domain 3 Access Controls Concepts
Zero Trust
access to a computing, network, or data resource is not granted to any person or subject unless that access is explicitly authorized, regardless of where the request originates (e.g., a request from inside the corporate network is not trusted by default).
Least Privilege
concept that a user should only have access to the resources that they need in order to do their job but no more than that.
Segregation of Duties
internal control that organizations use to prevent fraud and reduce the likelihood of errors by splitting a sensitive process (e.g., requesting and approving a payment) among multiple people so that no single person can complete it alone.
Two-Person Rule
requires certain functions to be performed by two authorized users or employees working in tandem.
subject
entity that is capable of accessing an object, usually by first requesting such access.
object
entity, or resource, that is accessed by a subject. (files, folders, apps)
Access
right that is granted to the subject to perform a function with the object
Identification
act of the subject providing identifying information
Authentication
method by which systems verify that a user really is who they claim to be.
Centralized
where one department or entity is responsible for governing, managing, and configuring tools for access administration. For example, in a centralized model the IT department would manage access control for all resources (e.g., physical and all information systems)
Decentralized
access administration is managed by different departments or people for different systems throughout the organization.
Hybrid
utilizes a combination of centralized and decentralized access control. For example, the IT department may manage access control for critical resources such as Active Directory (centralized administration), while systems belonging to individual departments, such as the sales team customer relationship management (CRM), may be managed by individual departments (decentralized administration).
Provisioning
creation and maintenance of user accounts as well as maintaining the correct access rights for the user.
Review
Accounts are regularly reviewed and monitored to ensure that there is still a need for access over time.
Revocation
After an employee has separated from the organization, or when the employee no longer needs an account or access to a system, that access is revoked.
Privileged Access Management
type of access management that focuses on managing privileged accounts, usually using dedicated PAM systems and solutions.
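The Review and Revocation cards above describe a periodic check; the PAM card describes giving privileged accounts extra scrutiny. The following script is an added example (not from the course material) of what an automated access review looks like: it compares a directory export against an HR roster, flags accounts whose owner has separated for revocation, flags dormant or ownerless accounts for review, and flags members of a privileged group for PAM onboarding. The roster, account list, group names and the 90-day dormancy threshold are all constructed for illustration.

```python
from datetime import date

# Constructed sample data (hypothetical, not taken from any real directory).
# HR roster: who is still employed, according to the system of record.
HR_ROSTER = {
    "alice": "active",
    "bob": "active",
    "carol": "separated",
}

# Directory export: one record per account. last_login None = never logged in.
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "groups": ["finance-ro"], "last_login": date(2024, 5, 30)},
    {"user": "bob", "groups": ["sales-crm", "domain-admins"], "last_login": date(2024, 1, 2)},
    {"user": "carol", "groups": ["finance-rw"], "last_login": date(2024, 4, 1)},
    {"user": "svc-backup", "groups": ["backup-operators"], "last_login": None},
]

# Assumed names of groups that grant privileged access and should be under PAM.
PRIVILEGED_GROUPS = {"domain-admins", "backup-operators"}

# The review date is fixed so the example is reproducible.
TODAY = date(2024, 6, 1)


def review_accounts(accounts, roster, today, dormant_days=90):
    """Return a list of findings: (user, action, reason).

    action is one of:
      revoke      - owner has left; disable the account now
      review      - a human must confirm the access is still needed
      pam-onboard - privileged membership; manage through the PAM system
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        status = roster.get(user)

        # Separated owner: revoke regardless of anything else (Revocation card).
        if status == "separated":
            findings.append((user, "revoke", "owner separated per HR roster"))
            continue

        # No HR record at all, typical of service accounts with no named owner.
        if status is None:
            findings.append((user, "review", "no owner on HR roster"))

        # Dormancy: unused access is a sign the need has lapsed (Review card).
        last = acct["last_login"]
        if last is None or (today - last).days > dormant_days:
            findings.append((user, "review", f"no login in the last {dormant_days} days"))

        # Privileged membership: bring under PAM (Privileged Access Management card).
        priv = PRIVILEGED_GROUPS.intersection(acct["groups"])
        if priv:
            findings.append((user, "pam-onboard", "member of " + ", ".join(sorted(priv))))
    return findings


def actions_for(findings, user):
    """Helper for callers and tests: the set of actions raised for one user."""
    return {action for u, action, _ in findings if u == user}


if __name__ == "__main__":
    for user, action, reason in review_accounts(DIRECTORY_ACCOUNTS, HR_ROSTER, TODAY):
        print(f"{user:12} {action:12} {reason}")
```

Note the `continue` after the separation check: once an account is slated for revocation there is no point in also asking someone to review it, and listing it twice only adds noise to the review queue.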
Discretionary Access Control (DAC)
gives the owner of the resource (typically its creator) full control to configure which subjects (e.g., users, groups) can access the object (e.g., file, folder); permissions are granted at the discretion of the owner or an administrator.
Mandatory Access Control (MAC)
leverages a central authority, typically a security administrator, that regulates access based on security labels: the clearance level a subject (user) has been approved for, and the classification of the object (file, database, etc.). Both subjects and objects carry labels (e.g., secret, confidential, unclassified), and the owner of an object cannot override the policy.
Role-Based Access Control (RBAC)
enforces access based on roles that define the permissions and level of access granted to any subject assigned to that role.
Rule-Based Access Control (RAC)
a framework that restricts access to devices, databases, and locations based on a set of predetermined rules and permissions that apply to everyone, independent of identity or role. Example: a time-of-day restriction that blocks logins outside business hours.
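The four model cards above (DAC, MAC, RBAC, rule-based) each describe one way of answering "may this subject perform this action on this object?". The block below is an added example, not part of the flashcards, that implements all four as small checks and chains them into one decision so the differences are visible on real inputs: the MAC label check cannot be overridden by an owner grant or an admin role, a DAC grant from the owner suffices without any role, and the rule-based time window applies to everyone. The label ordering, the role table, the sample subjects and objects, and the evaluation order are all constructed for illustration. The write rule ("no write down") comes from the Bell-LaPadula model, which the cards do not mention; it is included here as an assumption to show that MAC governs writes as well as reads.

```python
from dataclasses import dataclass, field
from datetime import time

# MAC: ordered security labels assigned by the central authority (constructed).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

# RBAC: roles and the permissions they grant (constructed).
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


@dataclass
class Subject:
    name: str
    clearance: str                      # MAC label
    roles: set = field(default_factory=set)  # RBAC roles


@dataclass
class Object:
    name: str
    classification: str                 # MAC label
    owner: str                          # DAC: the owner controls the ACL
    acl: dict = field(default_factory=dict)  # DAC: subject name -> permissions


def mac_allows(subject, obj, action):
    """Label check set by the central authority; no owner can override it.
    read: clearance must dominate classification ("no read up").
    write: clearance must not exceed classification ("no write down",
    the Bell-LaPadula *-property, an assumption added for this example)."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.classification]
    return s >= o if action == "read" else s <= o


def dac_allows(subject, obj, action):
    """Owner's discretionary grants. The owner always has full control."""
    if subject.name == obj.owner:
        return True
    return action in obj.acl.get(subject.name, set())


def rbac_allows(subject, action):
    """Permission comes only from the subject's roles, never from the subject."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)


def rule_allows(now, window=(time(8, 0), time(18, 0))):
    """Rule-based: a time-of-day restriction that applies to every subject."""
    start, end = window
    return start <= now <= end


def decide(subject, obj, action, now):
    """Combine the models. MAC and the global rule are mandatory gates; after
    them, either a DAC grant or an RBAC role is enough (an assumed policy)."""
    if not mac_allows(subject, obj, action):
        return "deny: label"
    if not rule_allows(now):
        return "deny: rule"
    if not (dac_allows(subject, obj, action) or rbac_allows(subject, action)):
        return "deny: no permission"
    return "allow"


# Constructed subjects and object for the demonstration.
ALICE = Subject("alice", "secret", {"analyst"})
BOB = Subject("bob", "confidential", {"editor"})
CAROL = Subject("carol", "unclassified", {"admin"})
DAVE = Subject("dave", "confidential")
REPORT = Object("q2-report", "confidential", owner="bob", acl={"dave": {"read"}})
NOON = time(12, 0)
NIGHT = time(22, 0)

if __name__ == "__main__":
    for subj, action, when in [(ALICE, "read", NOON), (ALICE, "write", NOON),
                               (ALICE, "read", NIGHT), (CAROL, "read", NOON),
                               (BOB, "write", NOON), (DAVE, "read", NOON),
                               (DAVE, "write", NOON)]:
        print(f"{subj.name:6} {action:5} {when}: {decide(subj, REPORT, action, when)}")
```

Two results are worth pausing on. `carol` holds the admin role, yet her `unclassified` clearance means MAC denies the read before RBAC is even consulted, which is exactly the sense in which MAC is mandatory. `dave` has no role at all but reads the report because its owner granted him that permission, which is DAC working as described on the card.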
Directories
stores information about users, resources, and access permissions and allows administrators to centrally configure rules to control who gets access to what in the organization’s systems and network.
Single sign-on
technology that allows users to seamlessly access a range of resources after authenticating just one time.
Federated identity management (FIM)
variant of single sign-on that allows organizations to establish arrangements to utilize the same identification and authentication information to authenticate users across multiple different organizations.
Physical access controls
type of physical security control that regulates and monitors access to physical resources (such as a datacenter facility)