Access Control Flashcards

(11 cards)

0
Q

What are the three main security principles?

A
  1. Confidentiality
  2. Integrity
  3. Availability
1
Q

What are the four steps that must happen to access an object?

A
  1. Identification
  2. Authentication
  3. Authorization
  4. Accountability
2
Q

What do the following terms mean:

  1. Access
  2. Subject
  3. Object
A

Access: the flow of information between a subject and an object.

Subject: an active entity that requests access to an object or to the data within an object. A subject may be a user, a program or a process that accesses an object.

Object: a passive entity such as a computer, a database, a file, a program, a directory or a field.

3
Q

What are the three factors of authentication?

A
  1. Authentication by knowledge (something you know), e.g. a password
  2. Authentication by ownership (something you have), e.g. a swipe card or token
  3. Authentication by characteristic (something you are), e.g. a biometric
4
Q

What are the types of identity management technologies?

A
  • Directories
  • Web access management
  • Password management
  • Legacy single sign-on
  • Account management
  • Profile update
5
Q

What are the types of Password management?

A
  1. Password synchronization - reduces the burden of keeping track of different passwords for different systems by keeping them in step.
  2. Self-service password reset - reduces help-desk call volumes by allowing users to reset their own passwords after answering pre-registered questions or similar checks.
  3. Assisted password reset - shortens the help desk's resolution process for password problems: the help desk verifies the user's identity and then resets the password on the user's behalf.
6
Q

What is a federation identity?

A

A portable identity, together with its associated entitlements, that can be used across business boundaries. It allows a user to be authenticated once and recognised across multiple IT systems and enterprises.

7
Q

What is SAML?

A

Security Assertion Markup Language: an XML-based standard for exchanging authentication and authorization data (assertions) between security domains, typically from an identity provider to a service provider.
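The service-provider side of that exchange has to do more than parse the XML: it must check who issued the assertion, whether it is still valid, whether it was meant for this service provider, and whether it has been presented before. The code below is an added example and is not part of the original flashcards; the assertion, issuer URL, audience URL and subject name are constructed for illustration. It validates those conditions and returns the asserted NameID. It does not verify the XML-DSig signature, because the Python standard library has no XML-DSig support; a real deployment must verify the signature against the identity provider's certificate before any of these checks, or the whole assertion can be forged.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Added example: validating SAML 2.0 assertion conditions on the service-provider side.
# The assertion, issuer, audience and subject below are constructed for illustration.
# Signature verification (XML-DSig) is required in practice and is NOT shown here.

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8f2c0a41" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


class AssertionRejected(Exception):
    pass


def parse_saml_time(value):
    """SAML timestamps are UTC xs:dateTime values with a 'Z' suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_entity_id, now, seen_ids, skew_secs=60):
    """Return the asserted NameID, or raise AssertionRejected.

    seen_ids is the service provider's cache of accepted assertion IDs, used for
    replay detection; entries can be evicted once their NotOnOrAfter has passed.
    """
    # For untrusted XML in production, parse with defusedxml to avoid entity-expansion
    # attacks; plain ElementTree is used here only to stay dependency-free.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionRejected("not a SAML 2.0 Assertion")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")

    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise AssertionRejected("missing or replayed assertion ID")

    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise AssertionRejected("assertion has no validity window")
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    skew = timedelta(seconds=skew_secs)   # tolerate small clock drift between IdP and SP
    if now < not_before - skew or now >= not_on_or_after + skew:
        raise AssertionRejected("assertion outside its validity window")

    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise AssertionRejected("assertion not addressed to this service provider")

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise AssertionRejected("no NameID in Subject")

    seen_ids.add(assertion_id)   # record the ID only after every check has passed
    return name_id
```

The audience check is the one most often skipped in home-grown SAML code: without it, an assertion issued for one service provider can be replayed to another that trusts the same identity provider.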

8
Q

What are the types of password controls that an administrator can put in place?

A
  1. Password Checkers
  2. Password Hashing and Encryption
  3. Password Aging
  4. Limit Logon Attempts
  5. Cognitive Password
  6. One-Time Password
  7. Token Device (synchronous or asynchronous)
  8. Cryptographic keys
  9. Passphrase
  10. Memory card
  11. Smart cards
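Several of the controls listed above only make sense in combination, and the order in which they are applied matters. The code below is an added example, not part of the original flashcards, and also illustrates the knowledge and ownership factors from the card on authentication factors. It models one login path with password hashing (PBKDF2-HMAC-SHA256 with a per-account random salt), limited logon attempts with lockout, password aging, and a synchronous token device modelled as an HOTP counter (RFC 4226). The account names, passwords, token secret and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Added example: password hashing, logon-attempt limiting, password aging and a
# synchronous token in one login path. Accounts and secrets are constructed.

PBKDF2_ITERATIONS = 600_000
MAX_FAILED_ATTEMPTS = 5
MAX_PASSWORD_AGE_SECS = 90 * 24 * 3600
TOKEN_LOOKAHEAD = 3   # how far the token may drift ahead of the server counter


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per account defeats precomputed
    tables and hides which accounts share a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    def __init__(self, username, password, token_secret, now):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.password_set_at = now
        self.failed_attempts = 0
        self.locked = False
        self.token_secret = token_secret
        self.token_counter = 0   # last accepted counter; the first valid code is counter 1

    def record_failure(self):
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True


def authenticate(acct, password, token_code, now):
    """Return 'ok' or a rejection reason.

    A locked account is refused before any secret is compared; the knowledge
    factor (password) and the ownership factor (token) must both pass; and an
    expired password is reported only after both factors succeed, so an attacker
    cannot learn about expiry without holding the credentials.
    """
    if acct.locked:
        return "locked"
    _, candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.digest):   # constant-time comparison
        acct.record_failure()
        return "bad_password"
    # Synchronous token: accept the next counter within a small look-ahead window,
    # never a counter at or below the last one used (replay protection).
    for counter in range(acct.token_counter + 1, acct.token_counter + 1 + TOKEN_LOOKAHEAD):
        if hmac.compare_digest(hotp(acct.token_secret, counter).encode(), token_code.encode()):
            acct.token_counter = counter
            break
    else:
        acct.record_failure()
        return "bad_token"
    acct.failed_attempts = 0
    if now - acct.password_set_at > MAX_PASSWORD_AGE_SECS:
        return "password_expired"   # aging: force a change before a session is granted
    return "ok"
```

Note that a bad token counts against the lockout threshold as well as a bad password; otherwise an attacker who has the password could guess one-time codes indefinitely.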
9
Q

What are the three Access Control Models?

A

DAC - Discretionary Access Control: the data owner decides who has access to the resource, and ACLs are used to enforce those decisions.

MAC - Mandatory Access Control: the operating system enforces the system's security policy by comparing security labels on subjects and objects; owners cannot override it.

RBAC - Role-Based Access Control: access decisions are made based on each subject's role and/or functional position, with permissions attached to roles rather than to individuals.
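The practical difference between the three models is who gets to change the decision. The code below is an added example, not part of the original flashcards, with one small decision function per model: MAC compares labels with the usual lattice test (level at least as high, compartments a superset, as in the Bell-LaPadula simple security property); DAC lets only the owner edit the ACL; RBAC looks permissions up through roles so a user with no role holds nothing. The levels, compartments, users, roles and objects are constructed for illustration.

```python
# Added example: one decision function per access control model.
# Labels, users, roles and objects are constructed for illustration.

# ---- MAC: the system compares security labels; no user can override them ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def dominates(subject_label, object_label):
    """A label is (level, set of compartments). The subject dominates the object when
    its level is at least as high and it holds every compartment the object carries."""
    s_level, s_comps = subject_label
    o_level, o_comps = object_label
    return LEVELS[s_level] >= LEVELS[o_level] and o_comps <= s_comps


def mac_can_read(subject_label, object_label):
    # "no read up": a subject may read only objects whose label it dominates
    return dominates(subject_label, object_label)


# ---- DAC: the object's owner edits its ACL; the system only enforces the ACL ----
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}   # subject -> operations

    def grant(self, by, to, op):
        """Only a subject holding 'grant' (initially just the owner) may change the ACL."""
        if "grant" not in self.acl.get(by, set()):
            return False
        self.acl.setdefault(to, set()).add(op)
        return True

    def allows(self, subject, op):
        return op in self.acl.get(subject, set())


# ---- RBAC: permissions attach to roles; subjects receive roles, never permissions ----
ROLE_PERMISSIONS = {
    "teller":  {("account", "read"), ("account", "deposit")},
    "auditor": {("account", "read"), ("ledger", "read")},
}
USER_ROLES = {"alice": {"teller"}, "bob": {"auditor"}, "carol": set()}


def rbac_allows(user, obj_type, op):
    return any((obj_type, op) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))
```

Notice that in the DAC case a subject who was given only "read" cannot pass that right on, and in the RBAC case removing a user's role removes every permission at once; that is the administrative advantage the model is chosen for.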

10
Q

What are Access Control Techniques used in conjunction with the Access Control Models?

A

Access control matrix: Table of subjects and objects that outlines access relationships.

Access control list (ACL): Bound to an object and indicates what subjects can access it and what operations they can carry out.

Capability table: a capability table, UNLIKE an ACL, is bound to a subject. It indicates which objects that subject can access and what operations it can carry out on them.

Content-based access: Bases access decisions on the content of the object being accessed (for example, the sensitivity of the data it holds), not solely on the subject's identity.

Context-based access: Bases access decisions on the state of the situation (for example, time of day, location or previous requests), not solely on identity or content sensitivity.

Restricted interface: Limits the user's environment within the system, thus limiting access to objects. Example: an ATM interface.

Rule-based access: Restricts subjects’ access attempts by predefined rules.
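The matrix, the ACL and the capability table hold the same information; they differ in how it is indexed, which decides what is cheap to answer (an ACL answers "who can touch this object", a capability list answers "what does this subject hold"). The code below is an added example, not part of the original flashcards. It keeps one access control matrix, projects it into both forms, and makes a decision that combines the identity-based matrix lookup with a context-based rule (writes only during business hours). The subjects, objects, rights and the rule are constructed for illustration.

```python
# Added example: one access control matrix projected into an ACL and a capability
# list, plus a decision that also applies a context-based rule. All data is constructed.

# matrix[(subject, object)] = set of operations; a missing key means no access
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob",   "payroll.db"): {"read"},
    ("bob",   "report.doc"): {"read", "write"},
    ("carol", "report.doc"): {"read"},
}


def acl_for(matrix, obj):
    """ACL: bound to the object; one matrix column listing subjects and their operations."""
    return {s: set(ops) for (s, o), ops in matrix.items() if o == obj}


def capabilities_for(matrix, subject):
    """Capability list: bound to the subject; one matrix row listing objects and operations."""
    return {o: set(ops) for (s, o), ops in matrix.items() if s == subject}


def business_hours_rule(subject, obj, op, context):
    """Context-based rule: writes are permitted only between 08:00 and 18:00.
    The hour comes from the request context, not from the subject's identity."""
    if op == "write":
        return 8 <= context["hour"] < 18
    return True


RULES = [business_hours_rule]   # predefined rules, applied after the identity check


def decide(matrix, subject, obj, op, context):
    """Identity-based lookup in the matrix first; then every context rule must agree."""
    if op not in matrix.get((subject, obj), set()):
        return False
    return all(rule(subject, obj, op, context) for rule in RULES)
```

A consequence worth remembering when choosing a representation: revoking every right to one object is one ACL to edit, but under pure capability lists it means visiting every subject's list, which is why capability systems need a separate revocation mechanism.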
