Section 20 - Access Control Flashcards
What is Access Control?
Methods used to secure data and information by verifying a user has permissions to read, write, delete or otherwise modify it
What are the four access control models?
DAC
MAC
RBAC
ABAC
What is DAC?
Discretionary Access Control
The access control policy is determined by the owner
What is MAC?
Mandatory Access Control
An access control policy where the computer system determines the access control for an object
*** It does this through data labels. Data labels establish a trust level for all subjects. Every person (subject) gets a label for their trust level, and each data object gets a label as well. The system then compares these labels to each other to decide whether to grant access. For example, someone with a secret clearance (subject) would not get access to top secret information (object).
If you want to access something with a MAC system, you need to not just meet the minimum level but you also have to have what?
A need to know
*** This system is typically seen in military installations
MAC is implemented in one of two ways. These are what?
Rule Based
Lattice Based
What is RAC?
Rule Based Access Control
Label-based access control that defines whether access should be granted or denied to objects by comparing the object label and the subject label
What is Lattice Based Access Control?
Utilizes complex mathematics to create sets of objects and subjects to define how they interact
MAC exists in several operating systems, but which one does not use it?
Windows
This is because Windows uses Discretionary Access Control instead
What is RBAC?
Role Based Access Control
An access model that is controlled by the system (like MAC) but utilizes a set of permissions instead of a single data label to define the permission level
*** The whole idea here is that permissions are set based on job function. For example, you'd have a role for IT, HR and sales. Each has its own role based on its job, and its permissions are tailored to the access it needs. So HR wouldn't need access to IT files, but IT would need access to HR's.
What is ABAC?
Attribute Based Access Control
An access model that is dynamic and context-aware using IF-THEN statements
*** This works by tagging subjects and objects with attributes so that the right permissions can be granted through software automation.
What are some of the best practices for access control?
Implicit Deny
Least Privilege
Separation of Duties
Job Rotation
What is Implicit Deny?
All access to a resource should be denied by default and only be allowed when explicitly stated
What is Least Privilege?
Users are only given the lowest level of access needed to perform their job functions
What is Separation of Duties?
Requires more than one person to conduct a sensitive task or operation