Domain 5: Access Control Technologies Flashcards

(49 cards)

1
Q

Concentrates access control in one logical point for a system or organization

A

Centralized Access Control

2
Q
  • Access control where local sites support and maintain independent systems, access control databases and data
  • Each site may have different models, policies and levels of security
A

Decentralized Access Control

3
Q

Allows users to authenticate once and have access to multiple different systems

A

Single sign-on (SSO)

4
Q

Occurs when individual users gain more access to more systems

A

Access Aggregation

5
Q

Participating organizations share identity attributes, allowing a user to authenticate with one member and then have access to all other members

A

Federated system

6
Q
  • XML-based language used to send authentication and authorization data between identity providers and service providers
  • Frequently used to enable single sign-on for web applications and services
A

SAML

7
Q
  • Relies on access tokens which are issued by an authorization server and then presented to resource servers like third-party web applications
  • Used by Google, Microsoft, Facebook and other sites to allow users to share elements of their identity or account information while authenticating via the original identity provider
A

OAuth

8
Q
  • An open-source standard for decentralized authentication
  • Users create credentials with an identity provider like Google, then sites (relying parties) use that identity
A

OpenID

9
Q

Combines the OpenID authentication and OAuth authorization into a single protocol

A

OpenID Connect

10
Q
  • OAuth Component
  • The user authenticating
A

Resource Owner

11
Q
  • OAuth Component
  • Applications that users want to use
A

Client

12
Q
  • OAuth Component
  • Servers owned by the identity provider
  • Authenticates the resource owner
A

Authorization Server

13
Q
  • OAuth Component
  • The server the client wants to access on behalf of the resource owner
A

Resource Server

14
Q

Allows an organization to leverage a cloud service for identity management

A

Identity as a service (IDaaS)

15
Q
  • Protocol used for interfacing and querying directory service information
  • Uses TCP/UDP port 389
  • Queries transmitted in cleartext
A

Lightweight directory access protocol (LDAP)

16
Q
  • Third party authentication service
  • Uses AES symmetric encryption and mutual authentication of both clients and servers
  • Protects against network sniffing and replay attacks
  • Most common single sign-on method used in organizations
A

Kerberos

17
Q
  • Kerberos term
  • A unique identity
  • e.g. a user and/or a service
A

Principal

18
Q
  • Kerberos term
  • The group of systems (domain) Kerberos has authority over
A

Realm

19
Q
  • Kerberos term
  • Encrypted message that provides proof that a subject is authorized to access an object
  • Contains the client identity, service ID, etc.
A

Ticket

20
Q
  • Kerberos term
  • The heart of Kerberos, where tickets and access are granted
A

Key Distribution Center (KDC)

21
Q

The Key Distribution Center (KDC) consists of what two servers?

A

Authentication Server (AS) and Ticket Granting Server (TGS)

22
Q
  • Kerberos term
  • Confirms that a known user is making an access request to a known service and issues a service ticket
A

Ticket Granting Server (TGS)

23
Q
  • Kerberos term
  • Confirms that the user is making the access request and issues a Ticket Granting Ticket (TGT)
A

Authentication Server (AS)

24
Q
  • Kerberos term
  • Provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects
A

Ticket Granting Ticket (TGT)

25
Q
  • Kerberos Process Step
  • The client sends its TGT back to the KDC with a request for access to the resource.
A

Kerberos Process Step 1

26
Q
  • Kerberos Process Step
  • The KDC verifies that the TGT is valid and checks its access control matrix to verify that the user has sufficient privileges to access the requested resource.
A

Kerberos Process Step 2

27
Q
  • Kerberos Process Step
  • The KDC generates a service ticket and sends it to the client.
A

Kerberos Process Step 3

28
Q
  • Kerberos Process Step
  • The client sends the ticket to the server or service hosting the resource.
A

Kerberos Process Step 4

29
Q
  • Kerberos Process Step
  • The server or service hosting the resource verifies the validity of the ticket with the KDC.
A

Kerberos Process Step 5

30
Q
  • Kerberos Process Step
  • Once identity and authorization are verified, Kerberos activity is complete. The server or service host then opens a session with the client and begins communications or data transmission.
A

Kerberos Process Step 6

31
Q
  • Sequel to Kerberos
  • Asymmetric encryption
  • Uses privilege attribute certificates (PACs)
A

SESAME (Secure European System for Applications in a Multivendor Environment)

32
Q
  • Authentication system
  • Uses UDP ports 1812 (authentication) and 1813 (accounting)
  • Authorizes users by allowing specific users to access specific data objects
A

RADIUS

33
Q
  • Authentication system
  • Designed to be the RADIUS successor
A

Diameter

34
Q
  • Authentication system
  • Centralized access control system that requires users to send an ID and a static (reusable) password for authentication
  • Uses UDP port 49
A

TACACS

35
Q
  • Authentication system
  • Provides better password protection by allowing two-factor authentication
  • Uses TCP port 49
A

TACACS+

36
Q
  • Used in WAN authentication
  • Password is sent across the network in cleartext
A

Password Authentication Protocol (PAP)

37
Q
  • Used in WAN authentication
  • Depends upon a ‘secret’ known only to the authenticator and the peer. The secret is not sent over the link.
A

Challenge-Handshake Authentication Protocol (CHAP)

38
Q
  • Subjects are given full control of objects they have created or have been given access to, including sharing the objects with other subjects.
  • All objects have owners, and access is based on the discretion or decision of the owner.
A

Discretionary Access Control (DAC)

39
Q
  • System-enforced access control based on the subject’s clearance and the object’s labels
  • A subject may access an object only if the subject’s clearance is equal to or greater than the object’s label
A

Mandatory Access Control (MAC)

40
Q
  • Subjects are grouped into roles, and each defined role has permissions based upon the group, not the individual
  • Non-discretionary access control
A

Role-based access control (RBAC)

41
Q
  • Access control based on the responsibilities each subject must perform
  • e.g. writing prescriptions, restoring data from a backup tape, etc.
  • Non-discretionary access control
A

Task-based access control

42
Q
  • Access control in which the system uses a series of defined rules, restrictions, and filters for accessing objects within a system
  • i.e. the rules are “if/then” statements
A

Rule-based access control

43
Q
  • Access control that restricts access to data based on the content within an object
  • e.g. all employees have access to the HR database but cannot view the CIO's HR record (database view)
A

Content-dependent access control

44
Q
  • Access control that provides access based on a certain parameter, e.g. location, time, sequence of responses, access history, etc.
  • e.g. an employee has network access from 9am to 5pm but is denied access on Sunday at 1am
A

Context-dependent access control

45
Q

Admins centrally administer access and can make changes that affect the whole environment

A

Nondiscretionary Access Controls

46
Q
  • Access control that uses policy rules that include multiple attributes (e.g. characteristics of users, the network, and devices on the network)
  • e.g. SDN rule “Allow Managers to access the WAN using tablets or smartphones.”
A

Attribute Based Access Control (ABAC)

47
Q
  • Classification within the Mandatory Access Control (MAC) model
  • Relates various classification labels in an ordered structure from low security to medium security to high security
  • e.g. Confidential, Secret, and Top Secret, respectively
A

Hierarchical Environment

48
Q
  • Classification within the Mandatory Access Control (MAC) model
  • There is no relationship between one security domain and another
A

Compartmentalized Environment

49
Q
  • Classification within the Mandatory Access Control (MAC) model
  • Combination of the other two environments
  • e.g. a hierarchical level may contain numerous subdivisions that are isolated from the rest of the security domain
A

Hybrid Environment