Chapter 3 - Authorization and Access Control Flashcards
What is authorization?
Authorization is the next step taken after we have completed identification and authentication.
It enables us to determine, once we have authenticated the party in question, exactly what they are allowed to do. We typically implement authorization through the use of access controls, which we will discuss later in this chapter.
What is the principle of least privilege?
A concept to keep in mind when deciding the level of access given to individuals.
What are the four basic tasks of access control?
Allowing access
Denying access
Limiting access
Revoking access
Describe ALLOWING ACCESS
Access Control:
Allowing access lets us give a particular party access to a given resource.
Describe DENYING ACCESS
Access Control:
Denying access is the diametric opposite of granting access. When we deny access, we are preventing access by a given party to the resource in question.
Describe LIMITING ACCESS
Access Control:
Limiting access refers to allowing some access to a resource, but only up to a certain point.
This is very important when using applications that may be exposed to attack-prone environments.
Describe REVOKING ACCESS
Revocation of access is a very important idea in access control. It is vital that once we have given a party access to a resource, we be able to take that access away again.
What are the two main methods we might use in access control?
Access control lists
Capabilities
What are access control lists?
ACLs, often referred to as “ackles”, are a very common choice of access control implementation. ACLs are usually used to control access in the file systems on which our operating systems run and to control the flow of traffic in the networks to which our systems are attached.
What is a file system ACL?
When we look at ACLs in most file systems, we commonly see three permissions in use: read, write and execute, respectively allowing us to access the contents of a file or directory, write to it, and, presuming that a file contains either a program or a script capable of running on the system in question, execute the contents of the file.
What is a network ACL?
When we look at the variety of activities that take place on networks, both private and public, we can again see ACLs regulating such activity. In the case of network ACLs, we typically see access controlled by the identifiers we use for network transactions, such as Internet Protocol (IP) addresses, Media Access Control (MAC) addresses, and ports. We can see such ACLs at work in network infrastructure such as routers, switches, and firewall devices, as well as in software firewalls, Facebook, Google, e-mail, or other forms of software.
What is a MAC address?
MAC addresses are, in theory, unique identifiers attached to each network interface in a given system. Each network interface has a hardcoded MAC address issued when it is created.
NOTE: Unfortunately for those of us depending on MAC addresses as a basis for our ACLs, the MAC address used by a network interface can be overridden by software settings in most operating systems. Such changes are very trivial to put in place, and the MAC address is not a good choice for a unique identifier of a particular device on the network.
What are capabilities in the context of access control?
Capability-based security can provide us with an alternate solution to access control that uses a different structure than what we see in ACLs.
Capabilities are oriented around the use of a token that controls our access. We can think of a token in a capability as being analogous to the badge we might use to open the door in a building.
Capability-based systems base access allowances on the possession of the token, not on who possesses it.
What is the difference between capability-based systems and ACLs?
Where ACLs define the permissions based on a given resource, an identity, and a set of permissions, all generally held in a file of some sort, capabilities are oriented around the use of a token that controls our access.
What are the most common access control models mentioned in the book?
Discretionary Access Control
Mandatory Access Control
Role-based Access Control
Attribute-based Access Control
Multi-level access control