Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity Management Definitions Flashcards
AAA
Authentication, Authorization, and Accounting
Identification
Identification is the process of providing the identity of a subject or user. This is the first step in the authentication, authorization, and accounting process.
one-time passcode (OTP)
A one-time passcode (OTP) is a set of characteristics that can be used to prove a subject’s identity one time and one time only. Because the OTP is valid for only one access, if it’s captured, additional access would be automatically denied.
Out-of-band authentication
Out-of-band authentication requires communication over a channel that is distinct from the first factor.
Multifactor authentication
Multifactor authentication is when two or more factors are presented. Multilayer authentication is when two or more of the same type of factors are presented. Data classification, regulatory requirements, the impact of unauthorized access, and the likelihood of a threat being exercised should all be considered when you’re deciding on the level of authentication required.
Multilayer authentication
Multilayer authentication is when two or more of the same type of factors are presented.
SAML
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between identity providers. SAML is used in many single sign-on (SSO) implementations.
Zero trust
This concept assumes that no system or user will be “trusted” when requesting access to the corporate network, systems, and applications hosted on the premises or in the cloud. You must first verify their trustworthiness before granting access.
BeyondCorp
Google’s implementation of zero trust. This model shifts access control from the network perimeter firewalls and other security devices to individual devices and users.
Federated Identity Management
A collection of shared protocols that allows user identities to be managed across organizations.
Forest
A collection of domains managed by a centralized system.
Kerberos
A ticket-based protocol for authentication built on symmetric-key cryptography.
Multitenancy
A term in computing architecture referring to the serving of many users (tenants) from a single instance of an application. Software as a Service (SaaS) offerings are examples of multitenancy. They exist as a single instance but have dedicated shares served to many companies and teams.
OAuth
An open standard for authorization used by many APIs and modern applications. You can access OAuth and OAuth 2.x specifications and documentation at https://oauth.net/2.
OpenID (or OpenID Connect)
Another open standard for authentication. OpenID Connect allows third-party services to authenticate users without clients needing to collect, store, and subsequently become liable for a user’s login information. Detailed information about OpenID can be accessed at
Passwordless
A type of authentication based on tokens. Passwordless authentication challenges are typically received and sent through SMS, email (magic links), or biometric sensors.
Social identity provider (social IdP)
A type of identity provider originating in social services like Google, Facebook, Twitter, and so on.
Web identity
The identifying data is typically obtained from an HTTP request (often these are retrieved from an authenticated email address).
Windows identity
This is how Active Directory in Microsoft Windows environments organizes user information.
WS-Federation
A common infrastructure (federated standard) for identity, used by web services and browsers on Windows Identity Foundation. Windows Identity Foundation is a framework created by Microsoft for building identity-aware applications. You can obtain detailed information about Windows Identity Foundation and WS-Federation at https://docs.microsoft.com/en-us/dotnet/framework/security/.
Authorization
Authorization is the process of assigning authenticated subjects permission to carry out a specific operation. The authorization model defines how access rights and permissions are granted. The three primary authorization models are object capability, security labels, and ACLs.
Implicit deny
If no rule is specified for the transaction of the subject/object, the authorization policy should deny the transaction.
Need to know
A subject should be granted access to an object only if the access is needed to carry out the job of the subject.
Mandatory access controls (MACs)
Mandatory access controls (MACs) are defined by policy and cannot be modified by the information owner. MACs are primarily used in secure military and government systems that require a high degree of confidentiality.