Access Control Models Flashcards
3.0 Implementation (23 cards)
A nondiscretionary access control technique that is based on a set of operational rules or restrictions to enforce a least-privilege permissions policy.
Rule-Based Access Control
Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.
Accounting
When access control uses policies to control access to resources, allowing the organization to systematically enforce rules about who can access which resources under which conditions.
Policy-driven access control
The process of determining what rights and privileges a particular entity has.
Authorization
An access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.
Role-Based Access Control (RBAC)
Security model that assumes that all devices, users, and services are not inherently trusted, regardless of whether inside or outside a network’s perimeter.
Zero Trust
Concept of having more than one person required to complete a task.
Separation of duties
Security status of a device, including its security configurations, software versions, and patch levels.
Device posture
When two communicating entities authenticate each other before exchanging data. It requires not only the server to authenticate the user but also the user to authenticate the server.
Mutual authentication
A method of validating a particular entity’s or individual’s unique credentials.
Authentication
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
Non-repudiation
An access control model where each resource is protected by an access control list (ACL) managed by the resource’s owner(s).
The model used by default for most UNIX/Linux distributions and Microsoft Windows. The weakest model because it makes centralized administration of security policies the most difficult to enforce. It is also the easiest to compromise, as it is vulnerable to insider threats and abuse of compromised accounts.
Discretionary Access Control (DAC)
Access control principle that implements multiple access control methods instead of relying on a single process. Numerous defenses make it harder to bypass security measures.
Defense-in-depth
The restriction of highly sensitive data usually referenced in government and military contexts.
Need to know
Rights and permissions should be set to the bare minimum. You only get exactly what’s needed to complete your objective.
Principle of least privilege
Restrictions on incoming and outgoing network traffic based on the time of day. This allows organizations to define when resources can be accessed or specific actions can be performed.
Time of day restrictions
An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
The attributes assigned to a resource constitute a policy that uses Boolean logic to determine who can access the resource. An example of a file access policy might include the following attributes: role = manager, department = development, and project = NewApp. Only users who possess all three attributes can access the file.
Attribute-based access control (ABAC)
What are the five functions of the NIST CSF (Cybersecurity Framework)?
Identify, Protect, Detect, Respond, Recover
An access control model where resources are protected by inflexible, system-defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).
Users with high clearance are not permitted to write low-clearance documents. This is referred to as write up, read down. This prevents, for example, a user with Top Secret clearance from republishing, with Secret clearance, some Top Secret data that they can access.
Mandatory Access Control (MAC)
The process of deploying an account, host, or application to a target production environment. This involves proving the identity or integrity of the resource, and issuing it with credentials and access permissions.
Provisioning
The process of removing an account, host, or application from the production environment. This requires revoking any privileged access that had been assigned to the object.
Deprovisioning
In zero trust architecture, functions that define policy and determine access decisions.
Control Plane
An analysis that measures the difference between the current and desired states in order to help assess the scope of work included in a project.
Gap analysis