Chapter 4 Flashcards
Measures that implement and assure security services in a computer system
Access Control Principles
Controls access based on the identity of requestor and on access rules (authorizations)
Discretionary Access Control (DAC)
Controls access based on roles that users have within system and on rules stating what accesses are allowed to users in given roles
Role-Based Access Control (RBAC)
Controls access based on comparing security labels with security clearances
Mandatory Access Control (MAC)
Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
Attribute-Based Access Control (ABAC)
Entity capable of accessing objects:
- Owner
- Group
- World
Subject
Resource to which access is controlled
Object
Describes way in which a subject may access an object
Access Right
Scheme in which an entity may enable another entity to access some resource
DAC
- Set of objects together with access rights to those objects
- More flexibility when associating capabilities with protection domains
- in terms of the access matrix, a row defines a protection domain
Protection Domains
- Control structures with key information needed for a particular file
- Several file names may be associated with single inode
- active inode is associated with a single inode
UNIX files are administered using inodes (index nodes)
May contain files and/or other directories
Contains file names plus pointers to associated inodes
Directories are structured in a hierarchical tree
- Unique user ID #
- Member of primary group identified by group ID
- Belongs to specific group
- 12 protection bits
UNIX File Access Control
Set UID
Set Group ID (GID)
Sticky bit - when applied to a directory it specifies that only owner of any file in directory can rename, move, delete that file
Superuser - exempt from usual access control restrictions, system-wide access
Traditional UNIX File Access Control
FreeBSD - setfacl command assigns a list of UNIX user IDs and groups
- Any number of users and groups can be associated with a file
Access Control Lists (ACL) in UNIX
Provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
Constraints - Role Based Access Control
- user can only be assigned to 1 role in set (during a session or statically)
- any permission (access right) can be granted to 1 role in set
Mutually exclusive roles
Setting max # with respect to roles
Cardinality
Dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role
Prerequisite roles
- Can define authorizations that express conditions on properties of both the resource and subject
- Strength is its flexibility and expressive power
- considerable interest in applying the model to cloud services
Attribute Based Access Control (ABAC)
- subject is an active entity that causes info to flow among objects or changes
- attributes define identity and characteristics of subject
Subject attributes (ABAC)
- object is a passive info system-related entity containing/ receiving info
Object attributes ABAC
- Describe operational, technical, situational environment in which info access occurs
Environment attributes ABAC
Policy is a set of rules & relationships that govern allowable behavior within an organization
- based on privileges of subjects and how resources are to be protected under
ABAC policies
Comprehensive approach to managing and implementing digital identities, credentials, access control
Identity, Credential, and Access Management (ICAM)
Concerned with assigning attributes to a digital identity and connecting that digital identity to an individual or NPE
Identity Management
Management of the life cycle of the credential
- Encompasses 5 logical components:
- authorized individual sponsors an individual/entity
- enrolls for credential
- cred. is produced
- cred. issued to individual
- maintained over its life cycle
Credential Management
Deals with management/control of ways entities are granted access to resources
- covers both logical and physical access
Access management
Concerned with defining rules for a resource that requires access control
- rules would include credential requirements
Resource Management (Enterprise-wide access control facility)
Concerned with establishing/ maintaining entitlement or privilege
- Attributes represent features of individual that can be used as basis for determining access decisions
Privilege Management (Enterprise-wide access control facility)
Governs what is allowable and unallowable in access transaction
Policy management (Enterprise-wide access control facility)
Term used to describe the technology, standards, policies, and processes that allow an organization to trust digital identities, identity attributes, and credentials
Identity Federation
OpenID - open standard that allows users to be authenticated by certain cooperating sites
OIDF - international nonprofit organization of individuals committed to enabling OpenID technology
ICF - Information Card Foundation - is a nonprofit whose purpose is to evolve the IC ecosystem
OITF - Open Identity Trust Framework, a standardized framework developed jointly by OIDF and ICF
OIX - Exchange Corp, an independent, neutral, international provider of certification trust frameworks conforming to OITF
AXN - Attribute Exchange Network, an online Internet-scale gateway for identity service
Open Identity Trust Framework