Chapter 4

Question 1

Measures that implement, assure security services in computer system

Answer 1

Access Control Principles

Question 2

Controls access based on the identity of requestor and on access rules (authorizations)

Answer 2

Discretionary Access Control (DAC)

Question 3

Controls access based on roles that users have within system and on rules stating what accesses are allowed to users in given roles

Answer 3

Role-Based Access Control (RBAC)

Question 4

Controls access based on comparing security labels with security clearances

Answer 4

Mandatory Access Control (MAC)

Question 5

Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions

Answer 5

Attribute-Based Access Control (ABAC)

Question 6

Entity capable of accessing objects:

• Owner
• Group
• World

Answer 6

Subject

Question 7

Resource to which access is controlled

Answer 7

Object

Question 8

Describes way in which a subject may access an object

Answer 8

Access Right

Question 9

Scheme in which an entity may enable another entity to access some resource

Answer 9

DAC

Question 10

• Set of objects together with access rights to those objects
• More flexibility when associating capabilities with protection domains
• in terms of the access matrix, a row defines a protection domain

Answer 10

Protection Domains

Question 11

• Control structures with key information needed for a particular file
• Several file names may be associated with single inode
• active inode is associated with a single inode

Answer 11

UNIX files are administered using inodes (index nodes)

Question 12

May contain files and or other directories

Contains file names plus pointers to associated inodes

Answer 12

Directories are structured in a hierarchical tree

Question 13

• Unique user ID #
• Member of primary group identified by group ID
• Belongs to specific group
• 12 protection bits

Answer 13

UNIX File Access Control

Question 14

Set UID
Set Group ID (GID)
Sticky bit - when applied to a directory it specifies that only owner of any file in directory can rename, move, delete that file
Superuser - exempt from usual access control restrictions, system-wide access

Answer 14

Traditional UNIX File Access Control

Question 15

FreeBSD - Setfacl command assigns a list of UNIX user IDs and groups
- Any number of users and groups can be associated with a file

Answer 15

Access Control Lists (ACL) in UNIX

Question 16

Provide a means of adapting RBAC to specifics of administrative, and security policies of an organization

Answer 16

Constraints - Role Based Access Control

Question 17

• user can only be assigned to 1 role in set( during a session or statically)
• any permission (access right) can be granted to 1 role in set

Answer 17

Mutually exclusive roles

Question 18

Setting max # with respect to roles

Answer 18

Cardinality

Question 19

Dictates user can only be assigned to particular role if its alrdy assigned to some other specified role

Answer 19

Prerequisite roles

Question 20

• Can define authorizations that express conditions on properties of both the resource and subject
• Strength is its flexibility and expressive power
• considerable interest in applying the model to cloud services

Answer 20

Attribute Based Access Control (ABAC)

Question 21

• subject is an active entity that causes info to flow among objects or changes
• attributes define identity and characteristics of subject

Answer 21

Subject attributes (ABAC)

Question 22

• object is a passive info system-related entity containing/ receiving info

Answer 22

Object attributes ABAC

Question 23

• Describe operational, technical, situational environment in which info access occurs

Answer 23

Environment attributes ABAC

Question 24

Policy is set of rules & relationships that govern allowable behavior within organiztion
- based on privileges of subjects and how resources are to be protected under

Answer 24

ABAC policies

Question 25

Comprehensive approach to managing and implementing digital identities, credentials, access control

Answer 25

Identity, Credential, and Access Management (ICAM)

Question 26

Concerned with assigning attributes to a digital identity and connecting that digital identity to an individual or NPE

Answer 26

Identity Management

Question 27

Management of the life cycle of the credential

• Encompasses 5 logical components:
• authorized individual sponsors an individual/entity
• enrolls for credential
• cred. is produced
• cred. issued to individual
• maintained over its life cycle

Answer 27

Credential Management

Question 28

Deals with management/control of ways entities are granted access to resources
- covers both logical and physical access

Answer 28

Access management

Question 29

Concerned with defining rules for a resource that requires access control
- rules would include credential requirements

Answer 29

Resource Management (Enterprise-wide access control facility)

Question 30

Concerned with establishing/ maintaining entitlement or privilege
- Attributes represent features of individual that can be used as basis for determining access decisions

Answer 30

Privilege Management (Enterprise-wide access control facility)

Question 31

Governs what is allowable and unallowable in access transaction

Answer 31

Policy management (Enterprise-wide access control facility)

Question 32

Term used to describe technology, standards, policies, process that allow an organization to trust digital identities, identity att., cred.

Answer 32

Identity Federation

Question 33

OpenID - open standard that allows users to be authenticated by certain cooperating sites
OIDF - international nonprofit org of individual committed to enabling OpenID tech.
ICF - Information Card Foundation - is nonprofit to evolve IC ecosystem
OITF - Open Identity Trust Framework standardized developed jointly by OIDF ICF
OIX - Exchange Corp an independent, neutral, international provider of cert trust framewrk confrom to OITF
AXN - Attribute Exchange Network online Internet-scale gateway for identity service

Answer 33

Open Identity Trust Framework