Lesson 8 Identity and Access Control Management Flashcards
Access Control Schemes
DAC - Discretionary Access Control
RBAC - Role Based Access Control
MAC - Mandatory Access Control
ABAC - Attribute Based Access Control
DAC
Discretionary Access Control
- The owner of a resource decides who else gets access, and can delegate that right
- No centralized point of management
- Owner centric, User defined
- Not rule based
- Used by NTFS permissions (ACLs) on local file storage and by Unix file modes
MAC
Mandatory Access Control
- Objects are given sensitivity labels
- Subjects are given clearance labels
- Centralized point of management
- System defined, very rigid
- Rule based
- Used by trusted OSes such as SELinux (every process and file carries a label)
- ex. AppArmor, which confines programs with per-program profiles
RBAC
Role-Based Access Control
- Permissions are given to roles
- Users inherit permissions from the role they are given
- Centralized point of management
- Eases permission management for organizations
- Non-discretionary: roles, their permissions and role assignments are defined centrally, not by the resource owner
- Similar to group based permission management
- Fits systems where many users share a few well-defined jobs, e.g. reader/author/editor/admin roles on a blog or CMS
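A small RBAC policy engine, added here as an illustration (not code from the original flashcards). Permissions attach only to roles, users only get roles, and a senior role inherits the permissions of the roles beneath it. The role names, permissions and users are constructed for the demo.

```python
"""Minimal role-based access control (RBAC) check with role inheritance.

Permissions attach to roles; users are assigned roles, never permissions
directly. A role can extend other roles and inherits their permissions.
Role names, permission strings and users are constructed for this demo.
"""
from typing import Dict, FrozenSet, Optional, Set

# Role -> directly granted permissions ("resource:action" strings)
ROLE_PERMS: Dict[str, FrozenSet[str]] = {
    "reader": frozenset({"post:read"}),
    "author": frozenset({"post:create", "post:edit_own"}),
    "editor": frozenset({"post:edit_any", "post:publish"}),
    "admin": frozenset({"user:manage"}),
}

# Role -> roles it extends (must be acyclic; a cycle is treated as mis-configuration)
ROLE_PARENTS: Dict[str, FrozenSet[str]] = {
    "author": frozenset({"reader"}),
    "editor": frozenset({"author"}),
    "admin": frozenset({"editor"}),
}

# User -> assigned roles. Managed centrally; a user cannot change this.
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"reader"}),
    "bob": frozenset({"author"}),
    "carol": frozenset({"admin"}),
}


def effective_permissions(role: str, _seen: Optional[Set[str]] = None) -> FrozenSet[str]:
    """Permissions granted to `role` plus everything inherited from parent roles."""
    seen = _seen if _seen is not None else set()
    if role in seen:                      # guard against a mis-configured cycle
        return frozenset()
    seen.add(role)
    perms: Set[str] = set(ROLE_PERMS.get(role, frozenset()))
    for parent in ROLE_PARENTS.get(role, frozenset()):
        perms |= effective_permissions(parent, seen)
    return frozenset(perms)


def user_permissions(user: str) -> FrozenSet[str]:
    """Union of the effective permissions of every role the user holds."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, frozenset()):
        perms |= effective_permissions(role)
    return frozenset(perms)


def is_allowed(user: str, permission: str) -> bool:
    """Deny by default: unknown users and unknown permissions fail closed."""
    return permission in user_permissions(user)


if __name__ == "__main__":
    checks = [("alice", "post:read"), ("bob", "post:read"),
              ("bob", "post:publish"), ("carol", "post:publish"),
              ("mallory", "post:read")]
    for user, perm in checks:
        print(f"{user:8} {perm:14} -> {'ALLOW' if is_allowed(user, perm) else 'DENY'}")
```

Note that bob gets post:read without it ever being granted to the author role: it arrives through inheritance from reader, which is the "users inherit permissions from the role" point on the card. Changing what authors may do is one edit to ROLE_PERMS, not one per user.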
ABAC
Attribute-Based Access Control
- Decides access from attributes of the subject, the object and the environment, not just from identity or role
- Object attributes such as file extension, size, content or classification; environment attributes such as time of day and location
- Centralized point of management
- Very flexible but can become overly complex
- May slow down system
- Weighs the whole situation using those attributes and is session aware (a change in the attributes mid-session can change the decision)
- ex. a policy that blocks sudo or WSL for certain privileged accounts
- ex. User Account Control (UAC)
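An ABAC policy evaluator, added as an illustration (not code from the original flashcards). Each request carries subject, object and environment attributes; deny rules are checked first and the default is deny. The rule names, attribute names and sample requests are all constructed for the demo.

```python
"""Attribute-based access control (ABAC) policy evaluation.

Every decision looks at attributes of the subject (who), the object (what),
the action, and the environment/session (when). Rules, attribute names and
the sample subjects/objects below are constructed for this demo.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Any, Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    subject: Dict[str, Any]      # e.g. id, dept, mfa
    obj: Dict[str, Any]          # e.g. owner, owner_dept, classification, ext
    action: str                  # read / write / execute
    env: Dict[str, Any]          # e.g. time (datetime)


@dataclass
class Rule:
    name: str
    effect: str                  # "permit" or "deny"
    condition: Callable[[Request], bool]


def in_office_hours(when: Optional[datetime]) -> bool:
    """A missing time attribute fails closed (treated as outside office hours)."""
    return when is not None and time(8, 0) <= when.time() <= time(18, 0)


def same_nonempty(a: Any, b: Any) -> bool:
    """Equality that does not let two missing attributes (None == None) match."""
    return a is not None and a == b


POLICY: List[Rule] = [
    Rule("no-exec-of-scripts", "deny",
         lambda r: r.action == "execute" and r.obj.get("ext") in {"exe", "ps1", "sh"}),
    Rule("confidential-needs-mfa", "deny",
         lambda r: r.obj.get("classification") == "confidential" and not r.subject.get("mfa")),
    Rule("confidential-office-hours", "deny",
         lambda r: r.obj.get("classification") == "confidential"
         and not in_office_hours(r.env.get("time"))),
    Rule("same-department-read", "permit",
         lambda r: r.action == "read"
         and same_nonempty(r.subject.get("dept"), r.obj.get("owner_dept"))),
    Rule("owner-read-write", "permit",
         lambda r: r.action in {"read", "write"}
         and same_nonempty(r.subject.get("id"), r.obj.get("owner"))),
]


def decide(req: Request) -> Tuple[bool, str]:
    """Deny-overrides combining: any matching deny rule wins, then the first
    matching permit rule; otherwise deny by default."""
    for rule in POLICY:
        if rule.effect == "deny" and rule.condition(req):
            return False, rule.name
    for rule in POLICY:
        if rule.effect == "permit" and rule.condition(req):
            return True, rule.name
    return False, "default-deny"


# Constructed sample attributes for a quick run
OFFICE_TIME = datetime(2024, 5, 1, 10, 0)
AFTER_HOURS = datetime(2024, 5, 1, 22, 0)
ALICE = {"id": "alice", "dept": "eng", "mfa": True}
BOB_NO_MFA = {"id": "bob", "dept": "eng", "mfa": False}
INTERNAL_DOC = {"owner": "bob", "owner_dept": "eng", "classification": "internal", "ext": "docx"}
SECRET_DOC = {"owner": "bob", "owner_dept": "eng", "classification": "confidential", "ext": "xlsx"}
SCRIPT = {"owner": "alice", "owner_dept": "eng", "classification": "internal", "ext": "ps1"}

if __name__ == "__main__":
    for req in [Request(ALICE, INTERNAL_DOC, "read", {"time": OFFICE_TIME}),
                Request(ALICE, SECRET_DOC, "read", {"time": AFTER_HOURS}),
                Request(BOB_NO_MFA, SECRET_DOC, "read", {"time": OFFICE_TIME}),
                Request(ALICE, SCRIPT, "execute", {"time": OFFICE_TIME})]:
        print(req.subject["id"], req.action, req.obj["ext"], "->", decide(req))
```

The same subject asking for the same object gets different answers at 10:00 and at 22:00, which is the "session aware" property on the card, and the same_nonempty guard is the kind of detail that bites in real ABAC deployments: a rule written as `subject.dept == object.owner_dept` silently permits when neither attribute is set.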
GPO
Group Policy Objects
Windows Active Directory mechanism for centrally configuring security settings and access policies across a network
- configures access rights for user/group/role accounts
- can be linked to administrative boundaries in Active Directory such as sites, domains, and Organizational Units (OUs)
Federation and Attestation
Federation means that the company trusts accounts created and managed by a different network
- e.g. using a Google account (Google is the Identity Provider, IdP) to log in to a third-party site such as Twitter (the Service Provider, SP)
- Attestation is one party vouching for the identity of another
- User contacts the SP; the SP redirects the user to the IdP to authenticate
- User authenticates with the IdP and receives an attestation of identity, such as a token or a document signed by the IdP
- User presents the attestation to the SP; the SP accepts it because of its trust relationship with the IdP (it can check the IdP's signature)
- SP now establishes a session for the user
SAML
Security Assertion Markup Language
- provides a means for federated networks and cloud providers to exchange user identity assertions; the IdP issues the assertion and the SP consumes it, usually relayed through the user's browser
- uses XML for the assertions
- assertions are signed using the XML Signature (XML-DSig) specification
- transported over HTTP (TCP port 80)/HTTPS (TCP port 443); SAML defines a SOAP binding, but browser SSO normally uses the HTTP Redirect and HTTP POST bindings
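The SP-side checks on a SAML assertion, shown as an added example (not code from the original flashcards). Signature verification is deliberately left to an XML-DSig library (for example the signxml or python3-saml packages), because it needs XML canonicalisation that the standard library does not provide; what this block shows is the structure of an assertion and the checks an SP must still make after the signature verifies: issuer, validity window, audience, and only then the NameID and attributes. The assertion, entity IDs and attribute names are constructed for the demo.

```python
"""Validate a SAML 2.0 assertion the way a Service Provider (SP) must.

Cryptographic signature verification is NOT implemented here: it needs an
XML-DSig implementation (e.g. signxml or python3-saml) and must succeed
before any value below is trusted. The assertion, entity IDs and attribute
names are constructed for this demo.
"""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from datetime import datetime, timezone
from typing import Any, Dict

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

IDP_ENTITY_ID = "https://idp.example.com/saml"        # constructed
SP_ENTITY_ID = "https://sp.example.net/metadata"      # constructed

# Placeholder for the ds:Signature element a real IdP would produce.
SIGNATURE_PLACEHOLDER = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
                         '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  {SIGNATURE_PLACEHOLDER}
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:10:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>editors</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


NOW_VALID = parse_saml_time("2024-05-01T12:00:30Z")    # inside the window
NOW_EXPIRED = parse_saml_time("2024-05-01T12:10:00Z")  # NotOnOrAfter is exclusive


def validate_assertion(xml_text: str, expected_issuer: str,
                       expected_audience: str, now: datetime) -> Dict[str, Any]:
    """Return {"ok": bool, "reason": str[, "name_id", "attributes"]}."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return {"ok": False, "reason": "not a SAML assertion"}
    # Presence check only; the XML-DSig library does the cryptographic check.
    if root.find("ds:Signature", NS) is None:
        return {"ok": False, "reason": "unsigned assertion"}
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return {"ok": False, "reason": "unexpected issuer"}
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return {"ok": False, "reason": "missing validity conditions"}
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return {"ok": False, "reason": "outside validity window"}
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:          # assertion meant for another SP
        return {"ok": False, "reason": "audience mismatch"}
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return {"ok": False, "reason": "missing NameID"}
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {"ok": True, "reason": "valid", "name_id": name_id, "attributes": attributes}


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID, NOW_VALID))
```

The audience check is the one most often skipped: an assertion the IdP issued for a different SP is still validly signed, so without it a compromised or malicious SP could replay assertions elsewhere.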
OAuth and OpenId Connect
A better fit than SAML and SOAP for mobile and native apps
- Uses RESTful APIs and JSON (tokens are typically JSON Web Tokens, JWTs)
OAuth - Open Authorization standard (a delegated authorization framework, not an authentication protocol on its own)
- used for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider
OpenID Connect (OIDC) - an authentication layer built on OAuth 2.0: specific OAuth flows that return an ID token, a signed JWT with precisely defined claims (iss, sub, aud, exp, nonce) that the client verifies
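An OIDC ID token minted by the IdP and verified by the client (the SP in the federation flow above), shown as an added example that is not code from the original flashcards. It uses HS256 (HMAC with the client secret) so that it runs on the standard library alone; most IdPs sign with RS256/ES256 keys published at their jwks_uri, in which case the verifier fetches the public key instead of holding a shared secret. The issuer, client id, subject, nonce, secret and timestamps are constructed for the demo.

```python
"""OpenID Connect ID token: mint it as the IdP would, verify it as the
Relying Party (the client/SP) must. This token is the signed attestation
the IdP hands back after the redirect in the federation flow.

HS256 is used so the block needs only the standard library; production
IdPs usually sign with RS256/ES256 keys published at jwks_uri. Issuer,
client id, subject, nonce, secret and times are constructed for this demo.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple


def b64url(data: bytes) -> str:
    """JWT base64url: no padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(secret: bytes, issuer: str, client_id: str, subject: str,
                  nonce: str, now: int, ttl: int = 300) -> str:
    """IdP side: build header.payload and sign them with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": client_id,
              "iat": now, "exp": now + ttl, "nonce": nonce}

    def compact(obj: Dict[str, Any]) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    expected_nonce: str, now: int) -> Tuple[bool, str]:
    """Client side. Returns (True, subject) or (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        claims: Dict[str, Any] = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:              # covers binascii.Error and JSONDecodeError
        return False, "malformed"
    # Pin the algorithm: never let the token choose (blocks alg=none / key confusion).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{head_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Only after the signature holds are the claims worth reading.
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"       # token issued for another client
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"          # binds token to this login attempt
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        return False, "missing sub"
    return True, sub


if __name__ == "__main__":
    secret = b"client-secret-example"
    tok = mint_id_token(secret, "https://idp.example.com", "sp-client", "user-42", "n0nce", 1700000000)
    print(tok)
    print(verify_id_token(tok, secret, "https://idp.example.com", "sp-client", "n0nce", 1700000010))
```

The order of checks matters: signature first, then issuer, audience, expiry and nonce. Reading claims before the signature is verified is how alg=none and forged-payload bugs turn into account takeover, and accepting a token without checking aud lets an ID token issued to one application be replayed against another.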
Service Accounts (Windows)
Local System (SYSTEM) - has the most privileges on the local computer; accesses the network using the computer's account
Local Service Account - same privileges as a standard user account on the local computer; can only access the network as an anonymous (null) session
Network Service Account - same privileges as a standard user account on the local computer, but presents the computer's account credentials to access network resources