Access Control Systems and methodology

User makes a claim as to his or her identity.

User proves his or her identity using one or more mechanisms.

System makes decisions about what resources the user is allowed to access and the manner in which they may be manipulated.

System keeps an accurate audit trail of the users activity.

Entities that may be assigned permissions.

Types of resources that subjects may access.

Relationships between subjects and the objects they may access.

Contains access control entities (ACEs) that correspond to access permissions.

Access control list (ACL)

Controls designed to prevent unwanted activity from occurring.

Type of controls that provide a means of discovering unwanted activities that have occurred.

Controls that are mechanisms for bringing a system back to its original state prior to the unwanted activity.

Control type used to discourage individuals from attempting to perform undesired activities.

Control type implemented to make up for deficiencies in other controls.

Four phases of access control.

Identification, authentication, authorization, accounting

Three important access control concepts.

Subjects, objects, access permissions

Five types of access controls.

Preventative, detective, corrective, deterrent, compensatory

Three categories of access control.

Administrative, logical/technical, physical.

Controls constituting policies, procedures, disaster recovery plans, awareness training, security reviews and audits, background checks, reviews of vacation history, separation of duties, and job rotation.

Control type that restricts access to systems and the protection of information.

Logical/technical controls

Type of controls used to protect access to the physical facilities housing information systems.

States that the subjects of an access control system should have the minimum set of access permissions necessary to complete their assigned job functions.

Principle of least privilege

The ability to perform critical system functions should be divided among different individuals to minimize the risk of collusion.

Users should only have access to information that they have a need to know to perform their assigned responsibilities.

Users gain different access permissions as they move from position to position in an organization but old permissions are not revoked.

Authorization of the subjects access to an object depends on labels which indicate a subjects clearance and the classification or sensitivity of the related object

Mandatory access control (MAC)

Access control type where the subject has authority to specify what objects can be accessible.

Discretionary access control (DAC)

Access control type where the Administrator determines which subjects can have access to certain objects based on an organizations security policy.

Non-discretionary access control (NDAC) also known as role based access control (RBAC)

Access control type where the administrator specifies upper and lower bounds of the authority for each subject and uses those boundaries to determine access permissions.

Lattice based access control (LBAC)

Four types of access control systems.

MAC, DAC, NDAC (RBAC), LBAC

A central authentication and/or authorization point for an enterprise.

Centralized access control system

A series of diverse access control systems at different points throughout the enterprise.

Decentralized access control systems

Technology that enables centralized authentication.

Software used on a network to establish a users identity.

Three components of kerberos

Key distribution center (KDC), Authentication service (AS), Ticket granting service (TGS)

A public key based alternative to kerberos

Three authentication factors.

Something you know, something you have, something you are

Using at least two authentication factors.

Two-factor authentication

The most commonly implemented authentication technique.

Four different kinds of tokens

Static password, synchronous dynamic...