CIA Triad and Access Control Flashcards
Define Access Control
Oversees the authorisation of users based on some security policy that the system adheres to. In essence, the AC model determines who can do what.
Define Confidentiality
Relates to preventing the disclosure of information to unauthorised parties.
Define Integrity
Relates to preventing unauthorised parties from modifying data and/or system assets so that they operate in a way other than the one intended.
Define Availability
Relates to ensuring the availability of system resources to authorised parties.
What are the 3 methods of determining the Access Control of an entity?
Identification, Authentication, Authorisation.
Define Identification
The mapping of an identity to an entity. For example, a student ID card.
Define Authentication
The process of verifying the identification.
Define Authorisation
The granting or denying of a system entity's access to an object.
What are the four methods of Authentication?
Something you know; something you are; something you have; your location.
Give an example of a hard and soft token
Hard token: key fob
Soft token: OTP
Give an example of a ‘something you are’ authentication method. What is an issue with this?
Biometric markers. However, they can still be replicated with enough effort.
What is multi-factor authentication?
An access control mechanism that uses two or more methods for providing authentication.
What makes for a strong authentication process? Give an example.
Using 2 or more different methods for authentication. For example, a PIN and an OTP combine something you know with something you have.
Define Access Control Model
A formal description of the concepts used to determine which permissions certain subjects have to objects.
Define Access Control Policy
Defines what is allowed / forbidden from a security perspective in a system.
Describe the concepts of PEP and PDP across the security model. Why are they needed?
They enforce the access control model.
Policy Enforcement Points (PEPs) are implemented across the layers of the security model. When a PEP receives a request, it communicates with the Policy Decision Point (PDP) to determine whether access is granted or denied.
What are 2 issues of Biometric markers?
If compromised, a new one cannot be generated.
As of today, all biometric types have been broken.
What is the Access Control Matrix Model? Give examples of subjects and objects.
A model that defines the permissions of subjects on system objects.
Subjects can be users, groups, processes etc.
Objects can be data, files, memory etc.
What are 4 issues with the ACMM?
Subjects of a system are very dynamic and high in number, so the model is constantly changing and large. This leads to:
Poor scalability, complexity, poor modifiability / maintenance, slow look-up.
Define the RBAC Matrix Model. How does it resolve the ACMM issues?
The model assigns subjects (users) to roles. Roles are relatively static in a system, so the model is more scalable, more modifiable, smaller, more maintainable and less complex.
Define Role Hierarchy in RBAC. Give an example.
Access rights can be seen as the sample space. Subsets of these access rights are granted according to the role's standing in the hierarchy.