Chapter 17: Managing Identities and Access

Question 1

access control mechanism

Answer 1

dictates how subjects access objects

Question 2

reference monitor

Answer 2

abstract machine which mediates all access subjects have to objects: to ensure subjects have necessary access rights and to protect objects from unauthorized access and destructive modification

Question 3

six main access control models

Answer 3

discretionary, mandatory, role-based, rule-based, attribute-based, risk-based

Question 4

DAC

Answer 4

discretionary access control

Question 5

discretionary access control

Answer 5

data owners dictate what subjects have access to files and resources they own

Question 6

access control lists

Answer 6

bound to objects and indicate what subjects can use them

Question 7

MAC

Answer 7

mandatory access control

Question 8

mandatory access control model

Answer 8

uses a security label system

Question 9

MAC model

Answer 9

users have clearances and resources have security labels with data classifications; MAC system compare these two attributes to determine access control

Question 10

IFTTT rules

Answer 10

if this, then that

Question 11

most granular of the access control models

Answer 11

ABAC; Attribute-based access control

Question 12

XML

Answer 12

Extensible Markup Language

Question 13

Extensible Markup Language

Answer 13

rules for encoding documents in machine-readable form for interoperability between various web technologies

Question 14

SPML

Answer 14

Service Provisioning Markup Language

Question 15

Service Provisioning Markup Language

Answer 15

automation of user management and access entitlement configuration for electronically published services across multiple provisioning systems

Question 16

SAML

Answer 16

Security Assertion Markup Language; exchange of authentication and authorization data to be shared between security domains

Question 17

XACML

Answer 17

Extensible Access Control Markup Language

Question 18

Extensible Access Control Markup Language

Answer 18

declarative access control policy language in XML and a processing model which interprets security policies

Question 19

OAuth

Answer 19

open standard which allows a user to grant authority to some web resource, like a contacts database, to a third party

Question 20

OpenID Connect

Answer 20

authentication layer built on OAuth 2.0 protocol which allows transparent authentication and authorization of client resource requests

Question 21

Kerberos

Answer 21

client/server authentication protocol based on symmetric key cryptography which provides single sign-on (SSO) for distributed environments

Question 22

KDC

Answer 22

key distribution center; most important component within a Kerberos environment because it holds all users’ and services’ secret keys, provides an authentication service, and securely distributes keys

Question 23

TGT

Answer 23

ticket granting ticket; Kerberos users receive a TGT, which allows them to request access to resources through the TGS, which generates a new ticket with the session keys

Question 24

TGS

Answer 24

ticket granting service

Question 25

weaknesses of Kerberos

Answer 25

KDC is a single point of failure; susceptible to password guessing; session and secret keys are locally stored; KDC needs to always be available; management of secret keys is required

Question 26

Remote access control technologies

Answer 26

RADIUS, TACACS+, Diameter

Question 27

identity and access provisioning life cycle

Answer 27

provisioning, access control, compliance, configuration management, and deprovisioning

Question 28

system account

Answer 28

created by the operating system for use by a particular process, not by a human

Question 29

service account

Answer 29

system account for a process that runs as a service (i.e. it listens for and responds to requests from other processes)

Question 30

authorization creep

Answer 30

when a user gains too much access rights and permissions over time

Question 31

MSAs

Answer 31

managed service accounts; Active Directory domain accounts used by services and provide automatic password management

Question 32

Role-based access control reduces administrative burdens by …

Answer 32

administrator assigns permissions and rights to a role, and users are plugged into those roles; admin does not need to revoke or reassign permissions to individuals users as they change jobs

Question 33

challenge/response mechanism

Answer 33

asynchronous token

Question 34

capability- based access control system

Answer 34

subject (user) has to present an item (ticket, token, or key) which outlines what it can access. capability is tied to the subject for access control purposes

Question 35

specialized, require extensive administration, expensive, reduce user functionality

Answer 35

MAC (mandatory access control) and multilevel security

Question 36

ACLs

Answer 36

access control lists; can be modified to provide tighter access control; bound to objects and outline which operations specific subjects can carry out on them

Question 37

based on symmetric cryptography

Answer 37

Kerberos

Question 38

SOA

Answer 38

service-oriented architecture

Question 39

service-oriented architecture

Answer 39

allows team to create a centralized web portal and offer the various services needed by internal and external entities