Domain 5: Access Control Technologies Flashcards
Concentrates access control in one logical point for a system or organization
Centralized Access Control
- Access control where each local site supports and maintains its own independent systems, access control databases and data
- Each site may have different models, policies and levels of security
Decentralized Access Control
Allows users to authenticate once and have access to multiple different systems
Single sign-on (SSO)
Occurs when individual users accumulate access to more and more systems over time (also called privilege creep); periodic access reviews are the control against it
Access Aggregation
Participating organizations share identity attributes, so a user who authenticates with one member can access resources at all the other members without authenticating again
Federated system
- XML-based language (Security Assertion Markup Language) used to exchange authentication and authorization data between identity providers (IdPs) and service providers (SPs)
- Frequently used to enable single sign-on for web applications and services
SAML
- Authorization framework that relies on access tokens: an authorization server issues a token to a client (e.g. a third-party web application), which presents it to the resource server that hosts the protected data
- Used by Google, Microsoft, Facebook and other sites to let users grant a third party limited access to elements of their identity or account information without handing over their password; the user still authenticates at the original identity provider
OAuth
- An open standard for decentralized authentication
- Users create credentials with an identity provider such as Google; other sites (relying parties) then accept that identity instead of running their own password database
OpenID
Identity (authentication) layer built on top of OAuth 2.0: combines OpenID-style authentication and OAuth authorization in a single protocol, returning a signed ID token about the user alongside the OAuth access token
OpenID Connect
- OAuth Component
- The user who is authenticating and who owns the protected resources
Resource Owner
- OAuth Component
- Applications that users want to use; the client requests and holds the access token
Client
- OAuth Component
- Servers owned by the identity provider
- Authenticates the resource owner
Authorization Server
- OAuth Component
- The server hosting the protected resources the client wants to access on behalf of the resource owner; it validates the access token presented with each request
Resource Server
Allows an organization to leverage a cloud service for identity management
Identity as a service (IDaaS)
- Protocol used for interfacing with and querying directory service information (e.g. Active Directory)
- Uses TCP port 389 (UDP 389 is used only by connectionless CLDAP)
- Queries and simple binds (passwords) are transmitted in cleartext unless protected by LDAPS (TCP 636) or StartTLS on port 389
Lightweight directory access protocol (LDAP)
- Third-party authentication service (the KDC is the trusted third party)
- Uses symmetric encryption (AES in current implementations; older deployments used DES and RC4) and mutual authentication of both clients and servers
- Timestamps, session keys and authenticators protect against network sniffing and replay attacks
- Most common single sign-on method used in organizations (e.g. Windows Active Directory domains)
Kerberos
- Kerberos term
- A unique identity within a realm
- e.g. a user or a service (such as a host or an application)
Principal
- Kerberos term
- The group of systems (domain) Kerberos has authority over
Realm
- Kerberos term
- Encrypted message issued by the KDC that provides proof that a subject has authenticated and may request access to an object (the service still applies its own authorization rules)
- Contains the client identity, service ID, a session key, a timestamp and the ticket lifetime
Ticket
- Kerberos term
- The heart of Kerberos: the trusted third party that holds every principal's secret key and issues all tickets
Key Distribution Center (KDC)
The Key Distribution Center (KDC) consists of what two servers?
Authentication Server (AS) and Ticket Granting Server (TGS)
- Kerberos term
- Confirms that a known, already-authenticated user is making an access request to a known service and issues a service ticket
Ticket Granting Server (TGS)
- Kerberos term
- Verifies that the user holds the correct secret key (derived from the password) and issues a Ticket Granting Ticket (TGT)
Authentication Server (AS)
- Kerberos term
- Provides proof that a subject has authenticated through a KDC and is allowed to request service tickets for other objects; encrypted with the KDC's own (krbtgt) key, so the client can present it but cannot read or alter it
Ticket Granting Ticket (TGT)
- Kerberos Process Step
- The client (which has already authenticated to the AS and received a TGT) sends its TGT back to the KDC with a request for access to the resource, together with an authenticator encrypted under the TGT session key.
Kerberos Process Step 1
- Kerberos Process Step
- The KDC verifies that the TGT is valid (it decrypts under the KDC's key, has not expired and matches the authenticator) and that the requested service is a known principal in its database.
Kerberos Process Step 2
- Kerberos Process Step
- The KDC generates a service ticket and sends it to the client.
Kerberos Process Step 3
- Kerberos Process Step
- The client sends the ticket to the server or service hosting the resource.
Kerberos Process Step 4
- Kerberos Process Step
- The server or service hosting the resource verifies the ticket itself: it decrypts the ticket with its own long-term key (shared with the KDC) and checks the client's authenticator. No call back to the KDC is needed.
Kerberos Process Step 5
- Kerberos Process Step
- Once identity and authorization are verified, Kerberos activity is complete. The server or service host then opens a session with the client and begins communications or data transmission.
Kerberos Process Step 6
- Developed as an extension of Kerberos that addresses some of its weaknesses
- Adds asymmetric (public-key) encryption alongside symmetric keys
- Uses Privilege Attribute Certificates (PACs) in place of Kerberos tickets
SESAME (secure European system for applications in a multivendor environment)
- Authentication system
- Provides centralized AAA (authentication, authorization and accounting) for remote network access such as VPN, dial-up, Wi-Fi (802.1X) and network device logins; the access server forwards the user's credentials to the RADIUS server
- Uses UDP ports 1812 (authentication and authorization) and 1813 (accounting); legacy deployments used 1645/1646
- Authorization is returned as attributes in the Access-Accept (e.g. VLAN, session timeout); only the User-Password attribute is obfuscated with an MD5 keystream keyed on the shared secret, the rest of the packet travels in cleartext
RADIUS
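An added example, not from the flashcards, building an RFC 2865 Access-Request and Access-Accept with the standard library. It shows two things the card summarizes: only the User-Password attribute is hidden (by the RFC's MD5 keystream chained on the previous ciphertext block), so User-Name is readable by any sniffer, and the Response Authenticator lets anyone who captures one exchange test guesses of the shared secret offline at one MD5 per guess. The shared secret, the user, the password and the wordlist are all constructed for the demo.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2           # attribute types

def hide_password(secret, req_auth, password):
    """RFC 2865 section 5.2: p_i XOR MD5(secret + previous block), first block keyed on the Request Authenticator."""
    p = password + b"\x00" * (-len(password) % 16)      # NUL-pad to a 16-byte multiple
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password(); what the RADIUS server does on receipt."""
    p, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        p += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return p.rstrip(b"\x00")

def attrs(*pairs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in pairs)

def parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        out[t] = data[i + 2:i + length]
        i += length
    return out

def access_request(secret, ident, username, password):
    """Code(1) ID(1) Length(2) RequestAuthenticator(16) attributes..."""
    ra = os.urandom(16)                                   # Request Authenticator: random per request
    body = attrs((USER_NAME, username), (USER_PASSWORD, hide_password(secret, ra, password)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def response_authenticator(secret, code, ident, req_auth, body):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + req_auth + body + secret).digest()

def access_accept(secret, request):
    """Server reply carrying no attributes; its authenticator binds it to the request and the secret."""
    ident, ra = request[1], request[4:20]
    hdr = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return hdr + response_authenticator(secret, ACCESS_ACCEPT, ident, ra, b"")

def crack_secret(request, response, wordlist):
    """Offline dictionary attack on a captured exchange: one MD5 per guess, no traffic to the server."""
    ident, ra, resp_auth, body = request[1], request[4:20], response[4:20], response[20:]
    for guess in wordlist:
        if response_authenticator(guess, response[0], ident, ra, body) == resp_auth:
            return guess
    return None

def demo():
    secret = b"radius-lab-secret"                         # constructed shared secret
    req = access_request(secret, 7, b"alice", b"Tr0ub4dor&3")
    resp = access_accept(secret, req)
    a = parse_attrs(req[20:])
    return {
        "username_cleartext": a[USER_NAME],               # readable by any sniffer
        "password_hidden": a[USER_PASSWORD] != b"Tr0ub4dor&3",
        "server_recovers": reveal_password(secret, req[4:20], a[USER_PASSWORD]),
        "cracked_secret": crack_secret(req, resp, [b"password", b"radius-lab-secret", b"secret"]),
    }

if __name__ == "__main__":
    print(demo())
```

Because the only protection is the shared secret, RADIUS traffic should run over a dedicated management network or inside IPsec/TLS (RadSec), with long random secrets per access server. Diameter and TACACS+ avoid this particular weakness by encrypting the whole payload or running over a protected transport.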
- Authentication system
- Designed as the RADIUS successor: reliable transport (TCP or SCTP, port 3868), a much larger attribute space, protection via TLS or IPsec, and support for roaming between providers; used mainly in telecom and mobile (3GPP) networks
Diameter
- Authentication system
- Original centralized access control system; requires users to send an ID and a static (reusable) password for authentication
- Uses UDP port 49
- Largely obsolete, superseded by TACACS+
TACACS
- Authentication system
- Cisco protocol that separates authentication, authorization and accounting; provides better password protection by supporting two-factor authentication, and encrypts the entire packet body (RADIUS hides only the password)
- Supports per-command authorization, which is why it is the usual choice for network device administration
- Uses TCP port 49
TACACS+
- Used in WAN (PPP link) authentication
- Two-way handshake: the peer sends its username and password across the network in cleartext, so anyone sniffing the link captures them
Password Authentication Protocol (PAP)
- Used in WAN (PPP link) authentication
- Three-way handshake that depends upon a 'secret' known only to the authenticator and the peer. The secret is not sent over the link: the authenticator sends a random challenge, the peer replies with an MD5 hash of (identifier, secret, challenge), and the authenticator compares it with its own computation. The authenticator may re-challenge at any time during the session.
Challenge-handshake Authentication Protocol (CHAP)
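The PAP and CHAP exchanges above, as an added example that is not part of the flashcards. The peer and the authenticator are two small classes using only the standard library; the response value follows RFC 1994 (MD5 over Identifier, secret and Challenge Value). The peer name, the shared secret and the on-the-wire values are constructed for the demo.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """Link-side authenticator (e.g. an access server). Knows each peer's secret."""
    def __init__(self, secrets):
        self.secrets, self.pending, self.ident = secrets, {}, 0

    def pap_verify(self, name, password):
        """PAP: the peer simply sent (name, password); both were readable on the wire."""
        return self.secrets.get(name) == password

    def challenge(self):
        """CHAP step 1: a new 8-bit Identifier and an unpredictable 16-byte Challenge Value."""
        self.ident = (self.ident + 1) & 0xFF
        self.pending[self.ident] = os.urandom(16)
        return self.ident, self.pending[self.ident]

    def verify(self, ident, name, response):
        """CHAP step 3: recompute the expected hash; each challenge is consumed after one use."""
        value = self.pending.pop(ident, None)
        if value is None or name not in self.secrets:
            return False
        return hmac.compare_digest(response, chap_response(ident, self.secrets[name], value))

class Peer:
    """Dial-in / PPP peer. Holds its secret and never sends it."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, ident, challenge):
        """CHAP step 2: reply with the name and MD5(ident, secret, challenge)."""
        return self.name, chap_response(ident, self.secret, challenge)

def demo():
    secret = b"correct horse battery staple"          # constructed shared secret
    auth, alice = Authenticator({b"alice": secret}), Peer(b"alice", secret)
    ident, chal = auth.challenge()
    name, resp = alice.respond(ident, chal)           # on the wire: ident, chal, name, resp only
    first = auth.verify(ident, name, resp)
    replay_same = auth.verify(ident, name, resp)      # eavesdropper replays the captured response
    ident2, _ = auth.challenge()
    replay_new = auth.verify(ident2, name, resp)      # captured response against a fresh challenge
    ident3, chal3 = auth.challenge()                  # periodic re-challenge mid-session
    rechallenge = auth.verify(ident3, *alice.respond(ident3, chal3))
    return {"chap_ok": first, "replay_same_challenge": replay_same,
            "replay_new_challenge": replay_new, "rechallenge_ok": rechallenge,
            "pap_ok": auth.pap_verify(b"alice", secret), "pap_on_wire": secret}

if __name__ == "__main__":
    print(demo())
```

The captured CHAP pair (challenge, response) cannot be replayed, but it does allow an offline dictionary attack on the secret, since MD5 is fast and unsalted beyond the challenge; CHAP also requires the authenticator to store secrets in a reversible form. Both are reasons EAP methods over TLS replaced it for new deployments.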
- Subjects are given full control of objects they have created or have been given access to, including sharing the objects with other subjects.
- All objects have owners, and access is based on the discretion or decision of the owner.
Discretionary Access Control (DAC)
- System-enforced access control based on the subject's clearance and the object's label; neither owners nor users can change the labels
- Subject may access an object only if the subject's clearance is equal to or greater than (dominates) the object's label
Mandatory Access Control (MAC)
- Subjects are grouped into roles, and each defined role has permissions based upon the role, not the individual
- Nondiscretionary access control
Role-based access control (RBAC)
- Access control based on the responsibilities (tasks) each subject must perform
- e.g. writing prescriptions, restoring data from a backup tape
- Nondiscretionary access control
Task-based access control
- Access control in which the system uses a series of defined rules, restrictions and filters to decide access to objects (e.g. firewall rules, router ACLs)
- Rules are "if/then" statements applied to every subject regardless of identity
Rule-based access control
- Access control that restricts access to data based on the content within an object
- e.g. all employees have access to the HR database but cannot view the CIO's HR record (enforced with a database view)
Content-dependent access control
- Access control that grants or denies access based on the circumstances of the request, e.g. location, time, sequence of responses, access history
- e.g. an employee has network access from 9 am to 5 pm but is denied access on Sunday at 1 am
Context-dependent access control
Admins centrally administer access and can make changes that affect the whole environment; MAC, RBAC, rule-based and ABAC all fall into this category
Nondiscretionary Access Controls
- Access control that uses policy rules combining multiple attributes (characteristics of users, of the network, and of devices on the network)
- e.g. an SDN policy such as "Allow Managers to access the WAN using tablets or smartphones."
Attribute Based Access Control (ABAC)
- Classification within the Mandatory Access Control (MAC) model
- Relates the classification labels in an ordered structure from low security to medium security to high security; a clearance at one level covers every level below it
- e.g. Confidential, Secret and Top Secret, respectively
Hierarchical Environment
- Classification within the Mandatory Access Control (MAC) model
- Each security domain (compartment) is isolated: there is no relationship between one domain and another, so a clearance for one grants nothing in the others
Compartmentalized Environment
- Classification within the Mandatory Access Control (MAC) model
- Combination of the other two environments
- e.g. a hierarchical level may contain numerous subdivisions (compartments) that are isolated from the rest of the security domain; a subject needs both a high enough level and the specific compartment
Hybrid Environment
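An added example, not from the flashcards, that implements the MAC rule from the Mandatory Access Control card together with the three environments above as one dominance check: a label is a hierarchical level plus a set of compartments, and a subject may access an object only if its clearance level is at least as high and it holds every compartment on the object. The level names, compartment names, file names and clearances are constructed for the demo.

```python
from dataclasses import dataclass

# Hierarchical part of the model: ordered levels, low to high (constructed names).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    """A MAC label (on an object) or clearance (on a subject): one level plus zero or more compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if this label is at least as high AND contains every compartment of the other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def can_access(clearance, label):
    """System-enforced MAC decision: access only if the subject's clearance dominates the object's label."""
    return clearance.dominates(label)

def accessible(clearance, objects):
    """Reduce a dict of object name -> Label to the sorted names the subject may access."""
    return sorted(name for name, lab in objects.items() if can_access(clearance, lab))

def demo():
    objects = {                                                     # constructed sample objects
        "budget.xlsx": Label("Confidential"),                       # hierarchical only
        "ops-plan.docx": Label("Secret"),
        "crypto-keys.txt": Label("Secret", frozenset({"CRYPTO"})),  # hybrid: level + compartment
        "nuclear-site.pdf": Label("Secret", frozenset({"NUCLEAR"})),
    }
    return {
        # Hierarchical: a Top Secret clearance with no compartments reads every uncompartmented object
        "ts_no_compartments": accessible(Label("Top Secret"), objects),
        # Compartmentalized: CRYPTO and NUCLEAR at the same level have no relationship to each other
        "secret_crypto": accessible(Label("Secret", frozenset({"CRYPTO"})), objects),
        "secret_nuclear": accessible(Label("Secret", frozenset({"NUCLEAR"})), objects),
        # Hybrid: a higher level does not substitute for a missing compartment
        "ts_crypto": accessible(Label("Top Secret", frozenset({"CRYPTO"})), objects),
    }

if __name__ == "__main__":
    for scenario, names in demo().items():
        print(f"{scenario}: {names}")
```

The check is the read rule only; a full Bell-LaPadula implementation would add the separate no-write-down rule, and the labels would be assigned by the system rather than chosen by owners, which is what makes the model mandatory.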