Chapter 6 - Access Controls Flashcards
Access Control
Protecting a resource so that it is only accessed by those allowed to use it
Parts of four-part access control
- Identification
- Authentication
- Authorization
- Accountability
Policy definition phase
Define who has access and which resources they can use
Policy enforcement phase
Reject or grant requests for access based on authorizations from the definition phase
Two types of access controls
- Physical
- Logical
Physical access controls
Control entry into a building or other protected area
Example of physical access controls
Smart cards
Logical access controls
Control entry into a computer system or network
Example of logical access controls
PIN or biometrics
The security kernel is what?
The central point of access control
Security kernel (Definition)
Permits an access request only when the required conditions are met
Components of access control
Users, resources, actions, and relationships (conditions between users and resources)
Synchronous token
Uses time or an event counter to stay synchronized with the authentication server, so both sides compute the same one-time code
Asynchronous token
Uses a challenge-response mechanism: the server sends a challenge and the token computes a response from it, so no clock or counter synchronization is needed
Types of biometrics
Dynamic and static
Dynamic biometrics examples
Voice inflection or keystroke rhythm (what you do)
Static biometrics examples
Fingerprints, facial recognition (what you are)
Advantages of biometrics
The person must be physically present; traits are difficult to fake; no lost ID cards or forgotten passwords
Disadvantages of biometrics
Physical characteristics may change over time; the required devices are expensive; a compromised biometric cannot be reissued the way a password can
Single sign-on (SSO)
Sign on to a computer or network once and then be allowed access to all computers and systems where authorized
Advantages of SSO
Efficient; reduces human error; users with too many failed attempts are locked out in one place
Disadvantages of SSO
A compromised password grants an intruder access to everything the user is authorized for; security is limited to the strength of that one credential; the authentication server can become a single point of failure
Identification
Who is trying to gain access?
Authentication
Can the claimed identity be verified?
Authorization
What can the requestor access and modify?
Accountability
How are actions traced to an individual, so that the person who performed them can be identified?
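The four parts above, the policy definition and enforcement phases, and the security kernel's components (users, resources, actions, relationships) fit together in one request path. The following is an added example, not code from the flashcards or the textbook they summarize: a small security kernel in Python that identifies, authenticates, authorizes and logs each request. The users, passwords, resource name and POLICY table are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Policy definition phase: who may perform which action on which resource.
# Each (user, resource) -> actions entry is a "relationship" between a user
# and a resource. Constructed example data, not from any real system.
POLICY = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("bob", "payroll.xlsx"): {"read"},
}


def hash_password(password, salt):
    """Salted PBKDF2 so the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(credentials):
    """credentials: {username: password}. Returns {username: (salt, hash)}."""
    store = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


class SecurityKernel:
    """Policy enforcement phase: every access request passes through here."""

    def __init__(self, user_store, policy):
        self.user_store = user_store
        self.policy = policy
        self.audit_log = []  # accountability: one record per decision

    def _record(self, user, resource, action, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "resource": resource,
            "action": action,
            "outcome": outcome,
        })

    def request(self, claimed_user, password, resource, action):
        # 1. Identification: who is asking?
        if claimed_user not in self.user_store:
            self._record(claimed_user, resource, action, "DENY: unknown identity")
            return False
        # 2. Authentication: can the claimed identity be verified? (constant-time compare)
        salt, expected = self.user_store[claimed_user]
        if not hmac.compare_digest(expected, hash_password(password, salt)):
            self._record(claimed_user, resource, action, "DENY: authentication failed")
            return False
        # 3. Authorization: is this action on this resource in the policy?
        if action not in self.policy.get((claimed_user, resource), set()):
            self._record(claimed_user, resource, action, "DENY: not authorized")
            return False
        # 4. Accountability: the permitted action is logged as well
        self._record(claimed_user, resource, action, "ALLOW")
        return True


def demo():
    """Run four constructed requests through the kernel; returns (decisions, audit log)."""
    kernel = SecurityKernel(
        make_user_store({"alice": "correct horse battery", "bob": "hunter2"}), POLICY
    )
    decisions = [
        kernel.request("alice", "correct horse battery", "payroll.xlsx", "write"),  # allowed
        kernel.request("bob", "hunter2", "payroll.xlsx", "write"),          # bob may only read
        kernel.request("bob", "wrong-password", "payroll.xlsx", "read"),    # bad secret
        kernel.request("mallory", "anything", "payroll.xlsx", "read"),      # unknown identity
    ]
    return decisions, kernel.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Every denial is logged with the reason, and the successful request is logged too; without that last step the first three parts give no accountability.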
Discretionary access controls (DAC)
The owner of a resource decides who can access it
Mandatory access controls (MAC)
The level of restriction is determined by the sensitivity of the resource, using classification labels; owners cannot override it
MAC and NAC are
Stronger than DAC, because individual users cannot loosen the rules
Nondiscretionary access controls (NAC)
Access rules are centrally managed by the security administrator, not by the resource owner or other users
Rule-based access control
Explicit rules (for example, time of day or source network) grant or deny access
Role-based access control
Grants access based on a user's role in the organization; permissions attach to the role, not the individual
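To see how the four models differ in who decides, the following added example (not from the flashcards or the textbook) implements a DAC access-control list, a MAC label check with the classic "no read up, no write down" rule, an RBAC role table and an ordered rule list, all over the same constructed payroll resource. Usernames, roles, labels and rules are illustrative assumptions.

```python
from dataclasses import dataclass, field

# Constructed example data; not from any real system.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


@dataclass
class Resource:
    name: str
    owner: str
    label: str                                  # MAC classification label
    acl: dict = field(default_factory=dict)     # DAC: user -> set of actions


# --- DAC: the owner edits the ACL; the system only enforces what is there ---
def dac_grant(resource, granting_user, target_user, action):
    if granting_user != resource.owner:
        raise PermissionError("only the owner may change the ACL")
    resource.acl.setdefault(target_user, set()).add(action)


def dac_check(resource, user, action):
    return user == resource.owner or action in resource.acl.get(user, set())


# --- MAC: labels decide, owners cannot override ---
def mac_check(resource, clearance, action):
    subject, obj = LEVELS[clearance], LEVELS[resource.label]
    if action == "read":
        return subject >= obj   # no read up
    if action == "write":
        return subject <= obj   # no write down
    return False


# --- RBAC: permissions attach to roles; users are assigned roles ---
ROLE_PERMS = {
    "hr_clerk": {("payroll", "read")},
    "hr_manager": {("payroll", "read"), ("payroll", "write")},
}
USER_ROLES = {"alice": {"hr_manager"}, "bob": {"hr_clerk"}}


def rbac_check(user, resource_name, action):
    return any((resource_name, action) in ROLE_PERMS[r]
               for r in USER_ROLES.get(user, set()))


# --- Rule-based: explicit administrator rules, evaluated in order, default deny ---
def rule_check(rules, ctx):
    for condition, decision in rules:
        if condition(ctx):
            return decision
    return False


def demo():
    """Exercise each model once; returns a dict of named outcomes."""
    payroll = Resource("payroll", owner="alice", label="confidential")
    dac_grant(payroll, "alice", "bob", "read")
    out = {
        "dac_bob_read": dac_check(payroll, "bob", "read"),      # owner granted it
        "dac_bob_write": dac_check(payroll, "bob", "write"),    # never granted
        "mac_public_read": mac_check(payroll, "public", "read"),    # no read up
        "mac_secret_read": mac_check(payroll, "secret", "read"),
        "mac_secret_write": mac_check(payroll, "secret", "write"),  # no write down
        "rbac_bob_write": rbac_check("bob", "payroll", "write"),
        "rbac_alice_write": rbac_check("alice", "payroll", "write"),
    }
    try:
        dac_grant(payroll, "bob", "carol", "read")   # bob is not the owner
        out["dac_nonowner_grant"] = True
    except PermissionError:
        out["dac_nonowner_grant"] = False
    rules = [
        (lambda c: c["hour"] < 8 or c["hour"] > 18, False),   # outside business hours
        (lambda c: c["network"] == "corp", True),            # on the corporate network
    ]
    out["rule_corp_day"] = rule_check(rules, {"hour": 10, "network": "corp"})
    out["rule_corp_night"] = rule_check(rules, {"hour": 23, "network": "corp"})
    out["rule_guest_day"] = rule_check(rules, {"hour": 10, "network": "guest"})
    return out
```

The MAC and rule-based functions take no owner argument at all, which is the point of calling them nondiscretionary: the decision is made from labels or administrator rules, and a user who owns the file cannot loosen it.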
Credential and permissions management
systems that provide the ability to collect, manage, and use information associated with access control
Private cloud computing
all components are managed by the organization
Community cloud computing
Components are shared by several organizations
Public cloud computing
Available for public use and managed by third-party providers
Hybrid cloud computing
Contains components of more than one type of cloud
Advantages of cloud computing
No need to maintain a data center or disaster recovery site
Disadvantages of cloud computing
More difficult to keep data secure, greater potential for data leakage
Multi-factor authentication
Requires you to provide a combination of two or more factors in order to verify your identity
Types of factors for MFA
Something you know (such as a password)
Something you have (such as a smartphone)
Something you are (such as facial recognition)
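The synchronous and asynchronous token cards earlier on this page and the MFA cards here share one implementation, so they get one added example (not code from the flashcards or the textbook): an HOTP/TOTP generator and verifier following RFC 4226 and RFC 6238, a challenge-response server that rejects replayed challenges, and a two-factor check combining a password (something you know) with a TOTP code (something you have). The shared keys, passwords and timestamps are constructed; the 20-byte key "12345678901234567890" is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import os
import secrets
import struct


# ---- Synchronous token: HOTP (event counter) and TOTP (time step) ----
def hotp(key, counter, digits=6):
    """HMAC-SHA1 over the counter, dynamically truncated, as in RFC 4226."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at_time, step=30, digits=6):
    """Time-synchronized code: the counter is the number of 30 s steps since the epoch."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key, code, at_time, step=30, window=1):
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))


# ---- Asynchronous token: challenge-response over a shared HMAC key ----
class ChallengeResponseServer:
    def __init__(self, token_key):
        self.token_key = token_key
        self.outstanding = set()  # challenges issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self.outstanding:
            return False  # unknown or already-used challenge: replay rejected
        self.outstanding.discard(nonce)
        expected = hmac.new(self.token_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def token_respond(token_key, nonce):
    """What the token computes when shown the challenge."""
    return hmac.new(token_key, nonce, hashlib.sha256).digest()


# ---- MFA: something you know (password) + something you have (TOTP device) ----
def make_user_record(password, totp_key):
    salt = os.urandom(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "totp_key": totp_key}


def verify_mfa(record, password, otp_code, now):
    know_ok = hmac.compare_digest(
        record["pw_hash"],
        hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000))
    have_ok = verify_totp(record["totp_key"], otp_code, now)
    # Both factors are always evaluated so a failure does not reveal which one failed.
    return know_ok and have_ok


def demo():
    """Constructed walk-through; returns a dict of outcomes."""
    key = b"12345678901234567890"          # RFC 6238 test-vector secret
    now = 1_700_000_000                    # constructed "current time"
    record = make_user_record("correct horse battery", key)
    cr_key = b"\x01" * 32                  # constructed shared token key
    srv = ChallengeResponseServer(cr_key)
    nonce = srv.challenge()
    answer = token_respond(cr_key, nonce)
    return {
        "totp_rfc_vector": totp(key, 59, digits=8),                   # "94287082"
        "totp_accepts_drift": verify_totp(key, totp(key, now), now + 31),
        "totp_rejects_stale": verify_totp(key, totp(key, now - 120), now),
        "cr_first_use": srv.verify(nonce, answer),                    # True
        "cr_replay": srv.verify(nonce, answer),                       # False
        "mfa_both_ok": verify_mfa(record, "correct horse battery", totp(key, now), now),
        "mfa_wrong_password": verify_mfa(record, "wrong", totp(key, now), now),
        "mfa_wrong_code": verify_mfa(record, "correct horse battery", "000000", now),
    }
```

The drift window is the security trade-off of a synchronous token: each extra step accepted widens the set of valid codes. The asynchronous server needs no clock at all, but it must remember which challenges are outstanding, or an attacker who captured one response could replay it.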