Chapter 13- Managing Identity and Authentication (IAM) Flashcards
- What is a subject?
A subject is an active entity that accesses a passive object to receive information from, or data about, that object.
- Subject can be:
users, programs, processes, services, computers or anything that can access a resource
- List company assets:
information (data), systems (IT e.g. fileserver), devices (servers, laptops), facilities (building) and personnel (staff)
- What is an object?
An object is a passive entity that provides information to active subjects.
- Examples of objects are:
files, databases, computers, programs, processes, services, printers and storage media.
- What is the primary reason why organizations implement access control mechanisms?
to prevent losses.
- There are 3 categories of IT losses:
Loss of confidentiality, Integrity and Availability
- List security Triad (aka AIC triad, CIA Triad):
Confidentiality, Integrity and Availability.
- What is confidentiality?
Confidentiality means that only authorised subjects can access objects; access controls help ensure this.
- What is integrity?
Integrity ensures that data or system configurations are not modified without authorization, and that if unauthorized changes do occur, security controls detect them.
- What is availability?
Availability means that authorised requests for objects must be granted to subjects within a reasonable amount of time.
- Types of access control:
corrective, preventive and detective.
- What is Access Control?
Access Control is any hardware, software, administrative policy or procedure that controls access to resources.
- List 4 other types of control:
deterrent, recovery, directive and compensating.
- What is Preventive Control:
Preventive Control attempts to thwart or stop unwanted or unauthorised activity from occurring.
- What is Detective Access Control?
Detective Access Control attempts to discover or detect unwanted or unauthorised activity after (or while) it occurs.
- What is Corrective Access Control:
Corrective Control modifies the environment to return the systems to normal after an unwanted or unauthorised activity has occurred.
- What is Deterrent Access Control?
Deterrent Access Control attempts to discourage security policy violations. It is very similar to a preventive control but depends on individuals deciding not to take the unwanted action.
- What is Recovery Access Control?
Recovery Access Control attempts to repair or restore resources, functions and capabilities after a security policy violation.
- What is Directive Access Control?
Directive Access Control attempts to direct, confine or control the actions of subjects to force or encourage compliance with security policies.
- What is Compensating Access Control?
A compensating Access Control provides an alternative when it is not possible to use a primary control, or when it is necessary to increase the effectiveness of a primary control.
- List access control types based on implementations:
physical, technical and administrative
- What are Administrative Access Controls?
Administrative Access controls are policies and procedures defined by an organisation’s security policy and other regulations or requirements. They are sometimes referred to as management controls.
- What is Logical or Technical Access Control?
Logical Access Controls are the hardware or software mechanisms used to manage access and to provide protection for resources and systems. e.g. authentication methods, encryption, access control lists
- What is Physical Control?
Physical Access Controls are items you can physically touch. They include physical mechanisms deployed to prevent, monitor or detect direct contact with systems or areas within a facility. e.g. mantraps, motion detectors, badges etc.
- What is Identification?
Identification is the process of a subject claiming or professing an identity. e.g. typing a user name, swiping a smartcard
- What is Authentication?
Authentication verifies the identity of the subject by comparing one or more factors against a database of valid identities.
- What is the single two-step process?
The single two-step process is identification and authentication occurring together. Without both, a subject cannot gain access to a system.
- What is Authorization?
Authorization is the process of granting subjects access to objects based on their proven identities.
- What is accountability?
Accountability means that users and other subjects can be held accountable for their actions when auditing is implemented.
- Audit logs provide________:
Non-repudiation (a subject cannot credibly deny a logged action, but only if the subject was uniquely identified and authenticated before the action was recorded).
- List the all-or-nothing aspects of access control:
Identification and authentication: the subject's credentials either prove the professed identity or they do not; there is no partial pass.
- Auditing, logging and monitoring provide ________:
Accountability.
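The identification, authentication, authorization and accountability cards above describe one sequence. The block below is an added example (not from the flashcards) that runs that sequence for a single access request: a claimed identity and password factor are checked together as an all-or-nothing step, the ACL (a technical control) is consulted only for a proven identity with deny as the default, and every decision is written to an audit log so the subject can be held accountable. The users, objects and ACL entries are constructed; `hashlib` and `hmac` are Python standard-library modules.

```python
"""Added example (not from the flashcards): a minimal identification ->
authentication -> authorization -> accountability (IAAA) flow.

All users, objects and ACL entries below are constructed for illustration.
Passwords are stored as salted PBKDF2 hashes so the identity store never
holds plaintext credentials."""
import hashlib
import hmac
import os
from typing import Optional

# Identity store: identity -> (salt, pbkdf2 hash). Populated by enrol().
_IDENTITIES: dict[str, tuple[bytes, bytes]] = {}

# Authorization data: ACL mapping object -> {subject: set(permissions)}.
_ACL: dict[str, dict[str, set[str]]] = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "hr-policy.pdf": {"alice": {"read"}, "bob": {"read"}},
}

# Audit log supporting accountability. Entries are tied to an identity that
# was (or failed to be) authenticated, which is what lets them support
# non-repudiation.
AUDIT_LOG: list[dict] = []


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _audit(subject: str, action: str, obj: Optional[str], result: str) -> None:
    AUDIT_LOG.append({"subject": subject, "action": action, "object": obj, "result": result})


def enrol(identity: str, password: str) -> None:
    """Register an identity with a salted password hash."""
    salt = os.urandom(16)
    _IDENTITIES[identity] = (salt, _hash(password, salt))


def authenticate(identity: str, password: str) -> bool:
    """Identification (the claimed identity) and authentication (the password
    factor) are checked as one all-or-nothing step: an unknown identity and a
    wrong password both fail, and the caller is not told which."""
    record = _IDENTITIES.get(identity)
    if record is None:
        # Hash anyway so response timing does not reveal whether the identity exists.
        _hash(password, b"\x00" * 16)
        _audit(identity, "authenticate", None, "fail")
        return False
    salt, stored = record
    ok = hmac.compare_digest(_hash(password, salt), stored)
    _audit(identity, "authenticate", None, "success" if ok else "fail")
    return ok


def authorize(subject: str, obj: str, permission: str) -> bool:
    """Authorization: the proven subject may access the object only if the ACL
    grants that permission. Missing object or missing entry means deny."""
    return permission in _ACL.get(obj, {}).get(subject, set())


def access(identity: str, password: str, obj: str, permission: str) -> bool:
    """Full IAAA flow for one request. The ACL is never consulted unless
    identification and authentication both succeeded."""
    if not authenticate(identity, password):
        return False
    allowed = authorize(identity, obj, permission)
    _audit(identity, permission, obj, "allowed" if allowed else "denied")
    return allowed


if __name__ == "__main__":
    enrol("alice", "correct horse battery staple")
    enrol("bob", "hunter2")
    print(access("alice", "correct horse battery staple", "payroll.db", "write"))  # allowed by ACL
    print(access("bob", "hunter2", "payroll.db", "write"))                         # denied by ACL
    print(access("mallory", "guess", "payroll.db", "read"))                        # unknown subject
    for entry in AUDIT_LOG:
        print(entry)
```

Note what the audit log does and does not give you: it records which authenticated identity requested which permission on which object and whether the ACL allowed it, so the "bob tried to write payroll.db" entry is usable evidence. It only supports non-repudiation because `access` refuses to consult the ACL, or to label an entry with an object, until the identity has been proven.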