Domain 5 Flashcards
Access Control
The objective of access control is to protect information and information systems from unauthorized access (confidentiality), modification (integrity), and disruption (availability).
Physical access control focuses on facilities, equipment, and devices.
Access management
Access management controls are security mechanisms that control how subjects and objects communicate and interact with each other and how information flows between them.
Subject
A subject is an active entity that requests access to an object or to the data within the object.
Object
An object is an entity being accessed or the item being acted upon.
Rights
Rights generally refer to the ability of a subject to take an action; for example, the right to log on remotely, install software, and create user accounts. Rights can be assigned to user accounts, group accounts, or resources.
Permissions
Permissions are functions that a subject can perform on an object, such as a file or folder; for example, read, write, modify, and delete.
- Access control lists are generally used to assign permissions.
- Permissions can be assigned to a user account, group accounts, or resources depending upon the system or device.
- Permissions are generally cumulative.
- Permissions can be explicit or inherited.
Privilege
Privilege relates to overriding capabilities.
- Administrative, root, and super user.
- Privilege trumps rights and permissions.
Need to know
Need to know means that the subject has a demonstrated and approved reason for being granted access.
Least Privilege
Least Privilege means assigning subjects only the rights and permissions needed to complete their assignments.
Default Allow
Default Allow means any access or action not explicitly forbidden is allowed.
Default Deny
Default Deny means any access or action not explicitly allowed is forbidden.
Authorization Creep
Authorization Creep is the accumulation of access rights, permissions, and privileges over time.
- Promotions, lateral moves, cross-training and temporary coverage may contribute to authorization creep.
Dual Control
Dual Control is the practice of having more than one subject or key required to complete a specific task (requestor and approver).
Separation of duties
Separation of duties is the breaking down of a task into processes that are assigned to different subjects so that no one subject is in complete control.
Registration
Registration is a distinguishing characteristic (e.g. username).
Authentication
Authentication is the process of proving an identity to an authentication system.
- The proof is referred to as a factor.
- The combination of a user name and factor is referred to as credentials.
Authentication Factors
- Something a user knows.
- Something a user has.
- Something a user is / something a user does.
- Something a user is.
Something you know
Something you know is a shared secret known to the user and the authentication system.
- Passwords, passphrases, Cognitive passwords, out-of-wallet password.
Cognitive Passwords
Cognitive Passwords (challenge questions) utilize preselected questions and answers based on fact, opinion, or memory.
Out-of-Wallet passwords
Out-of-Wallet passwords (challenge questions) are answers to questions derived from subscription databases.
Something you have
Something you have requires physical possession of a device.
- Secure token, Smart Card.
Secure Token
A secure token is a handheld device with an LED that displays a number; the number is synchronized with an authentication server.
Smart Cards
A smart card is a credit card-sized card that has an integrated circuit and a certificate used to identify the holder.
Types of Smart Cards
- Smart Card
- Common Access Card (CAC)
- Personal Identity Verification (PIV)
- Contactless Card
- Proximity Card
Common Access Card (CAC)
Smart card that includes a picture of the user. Used for both visual identification and computer access.
Personal Identity Verification (PIV)
Smart card that includes a picture of the user. Used for both visual identification and computer access.
Contactless Cards
Contactless smart cards that can be read without inserting into a reader device. (Read range 1-3”)
Proximity Card
Contactless smart card that can be read without inserting into a reader device. (Read range up to 15”)
Biometric - Something you are
Biometric refers to human characteristics.
- Physiological biometric markers include fingerprints, fingerscans, retina scans, iris scans, facial recognition, vascular patterns, palm scans, and hand geometry.
Biometric - Something you do
Something you do is a behavioral trait.
- Behavioral biometric traits include voice pattern recognition, keystroke dynamics, and signature dynamics.
Single - Factor Authentication
Only one factor is required for authentication.
Multi-Layer Authentication
Two or more of the same type of factor is required for authentication.
Multi-factor Authentication
Two or more different types of factors are required for authentication.
Out-of-band Authentication
Use of more than one communication channel is required for authentication.
Session Management
Session management ensures that any instance of identification and authentication to a resource is managed properly.
Broken Authentication
Broken Authentication attacks use leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users and gain system access.
Identity Management (IdM)
Identity Management (IdM) describes the technical management of user identities (including authentication and authorization) within and/or across enterprise boundaries.
Identity Management (IdM) technologies
- Directory Services (LDAP, AD) - on/off premise
- Single sign-on (SSO) - on/off premise
- Identity-as-a-service (IDaaS) - cloud
- Federated identity management (FIM) - distributed
Directory Services
A directory service is the centralized collection and distributed database (domain) of user data, computers, and trusted entities. LDAP attributes:
- Scalability (billion + user entries)
- Distributed and synchronizable.
Directory Services Technologies
- Lightweight Directory Access Protocol (LDAP).
- Microsoft Active Directory (AD), which is Microsoft’s implementation of LDAP.
Single Sign-on
Single Sign-on (SSO) describes a unified login experience in which the user provides a set of credentials one time and is allowed to access multiple systems without needing to authenticate again.
- The SSO system intercepts requests for identification and authentication.
- SSO can be a bottleneck or single point of failure (SPOF).
- Legacy SSO rarely is a true enterprise solution.
Identity-as-a-service (IDaaS)
Identity-as-a-service (IDaaS) is a SaaS-based identity and access management solution.
Identity-as-a-service (IDaaS) components
- Identity and governance administration (IGA), which is the provisioning of users to cloud applications.
- Access, which includes user authentication, SSO (single sign on) and authorization supporting federation standards.
- Intelligence, which includes identity access log monitoring and reporting.
Federated Identity Management
Federated Identity Management (FIM) is an arrangement made among multiple enterprises that allows users (and sometimes objects) to use the same identification data to obtain access to disparate resources (aka “portable identity”).
Federated Identity Management technologies
- Security Assertion Markup Language (SAML)
- OAuth
- OpenID Connect
- Shibboleth.
Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is an open standard that provides user authentication and authorization services.
Shibboleth
Shibboleth is standards-based, open-source software for web single sign-on across or within organization boundaries.
- The Shibboleth software implements widely used federated identity standards, principally SAML, to provide a federated single sign-on and attribute exchange framework.
- Shibboleth also provides extended privacy functionality, allowing a user and their home site to control the attributes released to each application.
OAuth 2.0
OAuth 2.0 is an authorization (not identification) framework that enables applications to obtain limited access to user accounts on an HTTP service such as Facebook or Twitter.
OpenID Connect
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol, which facilitates authentication.
- OpenID Connect verifies the identity of the end user.
- The id_token (secure token) includes information about the user.
- Can be used by both mobile and static applications.
Access Control Model
An Access Control Model is a framework that dictates how subjects access objects or how objects access objects.
Subject-based Access Controls Models
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Role-based Access Control (RBAC)
- Attribute-based Access Control (ABAC)
Object-based Access Control Models
- Rule-based Access Control (RBAC)
- Content-based Access Control
- Context-based access control
- Constrained interfaces.
Mandatory Access Control (MAC)
Access is based on the relationship between subject clearance and need to know and the object classification label.
- Enforcement: Security Level.
Discretionary Access Control (DAC)
Data owners decide subject access.
- Enforcement: Access Control Lists, Capabilities tables.
Role-based Access Control (RBAC) [Non-Discretionary]
Access is based on the subject’s assigned roles. Many-to-many relationships are allowed.
- Enforcement: Access Control Lists, Capabilities tables, Security Policies.
Attribute-based Access Control (ABAC)
Attribute-based Access Control (ABAC) is a logical access control model that controls access to objects by evaluating rules against the attributes of entities (both subject and object), operations, and the environment relevant to a request.
Rule-based Access Control
Access based on situational if/then statements.
- Enforcement: Global policy, Rules
Content Dependent
Filter based on the data being acted upon.
- Enforcement: Keywords, Categories.
Context Dependent
Access based on a collection or sequence of actions.
- Enforcement: Rules, Security Policy.
Constrained Interface
Access restricted by functionality.
- Enforcement: Design, Configuration.
Identity and Access Management (IAM)
Identity and Access Management (IAM) is a business process with the objective of ‘enabling the right individuals to access the right resources at the right times and for the right reasons’.
Identity and Access Management (IAM) Characteristics
- IAM functions include provisioning, education, auditing, and deprovisioning.
- IAM functions take place throughout the employee lifecycle.
- IAM functions are a shared responsibility - managers, owners, HR, IT, physical security, information security, and audit.
Provisioning Lifecycle Phase 1
- Onboarding.
- Account Request.
- User Agreement
- Credential Management
Provisioning Lifecycle Phase 2
- Authorization
- Assignment of rights and permissions
- User Training
Provisioning Lifecycle Phase 3
- User account auditing.
- User access auditing
- Change request.
- User Training.
Termination
Termination ends employment. How termination is handled depends upon the specific circumstances (friendly/unfriendly) and the transition arrangements that have been made with the employee.