Overview of Access Control

Questions and Answers

What does NISTIR 7298 define?

  • Cryptography
  • Access control (correct)
  • Network protocols
  • Data encryption

Access control involves granting or denying requests to use information processing services.

True (A)

According to RFC 4949, what regulates the use of system resources?

security policy

Access to system resources is permitted only by authorized ______.

entities

Which of the following is a basic security requirement for access control?

Limiting access to authorized users (D)

Allowing users to execute any type of transaction is a recommended access control practice.

False (B)

What should be controlled in accordance with approved authorizations?

the flow of CUI

Separating the duties of individuals reduces the risk of malevolent activity without ______.

collusion

What principle involves granting only the necessary access rights to users?

Least privilege (D)

It's best practice to use privileged accounts for accessing nonsecurity functions.

False (B)

What should be prevented to maintain security and audit the execution of such functions?

executing privileged functions by non-privileged users

Limiting unsuccessful ______ attempts is an important aspect of access control.

logon

What should be provided to users consistent with applicable rules?

Privacy and security notices (C)

It is not necessary to terminate a user session after a defined period of inactivity.

False (B)

What type of mechanisms should be employed to protect the confidentiality of remote access sessions?

cryptographic

Remote access should be routed via managed access control ______.

points

What should be authorized prior to allowing wireless connections?

Wireless access (D)

It is safe to skip authentication and encryption when using wireless access.

False (B)

What type of devices should be under control for security reasons?

mobile devices

[Blank] should be encrypted on mobile devices to protect its confidentiality.

CUI

External information systems require what to limit connections?

Control and verification (C)

It's acceptable to use organizational portable storage devices freely on external information systems.

False (B)

What type of information should be controlled when posted or processed on publicly accessible information systems?

CUI

In a broad sense, all of computer security is concerned with ______ control.

access

According to RFC 4949, computer security measures implement and assure:

Access control services (C)

Discretionary Access Control (DAC) controls access based on the roles that users have.

False (B)

What is compared with security clearances in Mandatory Access Control (MAC)?

security labels

Role Based Access Control (RBAC) controls based on the roles users have within a ______.

system

Attribute-Based Access Control (ABAC) considers attributes of whom or what?

All of the above (D)

An 'object' in access control is an entity capable of accessing resources.

False (B)

Flashcards

Access Control (NISTIR 7298)

The process of granting or denying specific requests to obtain/use information and related processing services or enter facilities.

Access Control (RFC 4949)

A process regulating system resource use according to a security policy, allowing only authorized entities.

Basic Security Requirement (Access)

Limit information system access to authorized entities only.

Derived Security Requirement (CUI)

Control CUI flow as per approved authorizations.

Derived Security Requirement (Duties)

Separate duties to reduce malevolent activity risk.

Principle of Least Privilege

Employ least privilege for specific security functions.

Session Lock Use

Use session lock with pattern-hiding displays after inactivity.

Automated Session Termination

Terminate a user session automatically after a defined condition.

Wireless Access Security

Protect wireless access using authentication and encryption.

Mobile Device Connection

Control connections of mobile devices.

Access Control Scope

Broadly, all of computer security is concerned with controlling access.

Discretionary Access Control (DAC)

Controls access based on identity and access rules.

Mandatory Access Control (MAC)

Controls access based on security labels with security clearances.

Role-Based Access Control (RBAC)

Controls access based on user roles and access rules.

Attribute-Based Access Control (ABAC)

Controls access based on user, resource, and environment attributes.

Subject

An entity capable of accessing objects.

Object

A resource to which access is controlled.

Access Right

Describes how a subject may access an object.

Protection Domain

Set of objects and access rights.

Inodes

Control structures with key file information. File attributes, permissions, and control information are stored in the inode.

SetUID/SetGID

Uses rights of file owner/group temporarily.

Sticky Bit

Only the owner of a file in the directory can rename, move, or delete that file.

ABAC Distinguishing Feature

Controls objects by evaluating entity attributes, operations, and environment relevancy.

Identity, Credential, and Access Management (ICAM)

Managing digital identities, credentials, and access control.

Identity Management Focus

Assign attributes to a digital identity.

Credential Management Focus

Manage the life cycle of the credential.

Access Management

Control of how entities gain resource access.

Identity Federation Goal

Trusting digital identities, attributes, credentials from another organization.

Open Identity Trust Framework (OITF)

A standardized spec for identity/attribute exchange.

Study Notes

  • Access control is the process of granting or denying requests to obtain and use information processing services and enter physical facilities.
  • Access control regulates the use of system resources with a security policy, permitting access only by authorized entities according to that policy.

Basic Security Requirements

  • Limit information system access to authorized users, processes acting on their behalf, or devices.
  • Limit information system access to authorized transactions and functions.

Derived Security Requirements

  • Control the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations.
  • Separate duties to reduce the risk of malevolent activity carried out through collusion.
  • Employ the principle of least privilege for specific security functions and privileged accounts.
  • Use non-privileged accounts or roles when accessing nonsecurity functions.
  • Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  • Limit unsuccessful logon attempts.
  • Provide privacy and security notices consistent with applicable CUI rules.
  • Use session lock with pattern-hiding displays to prevent data access after inactivity.
  • Terminate user sessions automatically after a defined condition.
  • Monitor and control remote access sessions.
  • Use cryptographic mechanisms to protect the confidentiality of remote access sessions.
  • Route remote access via managed access control points.
  • Authorize remote execution of privileged commands and remote access to security-relevant information.
  • Authorize wireless access before allowing connections.
  • Protect wireless access using authentication and encryption.
  • Control connection of mobile devices.
  • Encrypt CUI on mobile devices.
  • Verify, control, and limit connections to and use of external information systems.
  • Limit the use of organizational portable storage devices on external information systems.
  • Control CUI posted or processed on publicly accessible information systems.
  • A broad definition of computer security includes measures that implement and ensure security services in a computer system, particularly those that assure access control service.

Access Control Policies

  • Discretionary Access Control (DAC): access based on the identity of the requestor and access rules.
  • Mandatory Access Control (MAC): access based on comparing security labels with security clearances.
  • Role-Based Access Control (RBAC): Access control based on the roles that users have within the system and the accesses that users in those roles are allowed.
  • Attribute-Based Access Control (ABAC): Access control based on user attributes, resource attributes, and current environmental conditions.

Subjects, Objects, and Access Rights

  • Subject: An entity capable of accessing objects; can be an Owner, Group, or the World.
  • Object: A resource to which access is controlled; an entity used to contain and/or receive information.
  • Access right: Describes the way in which a subject may access an object.
  • Possible access rights include Read, Write, Execute, Delete, Create, and Search.

Discretionary Access Control (DAC)

  • An entity may grant access rights to another entity to enable it to access some resource.
  • Often provided using an access matrix, with subjects listed in one dimension and objects in the other.
  • Each entry in the matrix indicates access rights of a particular subject for a particular object.

Access Control System Commands

  • Transfer Command: Transfers access right to another subject.
  • Grant Command: Grants access right to a subject, usually requiring ownership.
  • Delete Command: Removes an access right from a subject.
  • Read Command: Grants read access to a subject.
  • Create Command: Creates a new object.
  • Destroy Object Command: Removes an object from the system.
  • Create Subject Command: Adds a new subject.
  • Destroy Subject Command: Removes a subject.

Protection Domains

  • Set of objects with access rights to those objects.
  • More flexibility when associating capabilities with protection domains.
  • Association between a process and a domain can be static or dynamic.
  • In user mode, certain memory areas are protected from use and certain instructions may not be executed.
  • In kernel mode, there is privileged instruction execution and access to protected memory areas.

UNIX File Access Control

  • UNIX files are administered using inodes (index nodes), control structures with key information needed for a particular file.
  • Several file names may be associated with a single inode.
  • An active inode is associated with exactly one file.
  • File attributes, permissions, and control information are stored in the inode.
  • The inode table or list contains all the files’ inodes stored on disk.
  • When a file is opened, the inode is stored in a memory-resident inode table for quick access.
  • Directories are structured in a hierarchical tree; each directory can contain files and/or other directories.
  • Each directory contains filenames plus pointers to the associated inodes.
  • Each file has a unique user identification number (user ID) and belongs to a specific group.
  • There are 12 protection bits to specify read, write, and execute permissions.
  • Permissions are set for the owner of the file, members of the group, and all other users.
  • The owner ID, group ID, and protection bits are part of the file's inode.
  • “Set user ID” (SetUID) and “Set group ID” (SetGID): the system temporarily uses the rights of the file owner/group in addition to the real user's rights when making access control decisions.
  • This enables privileged programs to access files/resources not generally accessible.
  • When applied to a directory the sticky bit specifies that only the owner of any file in the directory can rename, move, or delete that file.
  • Superusers are exempt from usual access control restrictions and have system-wide access.
  • Modern UNIX systems, including FreeBSD, OpenBSD, Linux, and Solaris, support Access Control Lists (ACLs).
  • FreeBSD uses the setfacl command to assign a list of UNIX user IDs and groups.
  • setfacl allows any number of users and groups to be associated with a file.
  • In FreeBSD, a file does not need to have an ACL by default but can include an additional bit indicating an extended ACL.
  • When a process requests access to a file system object, two steps are performed.
  • Step 1 selects the most appropriate ACL.
  • Step 2 checks if the matching entry contains sufficient permissions.

Role Based Access Control (RBAC)

  • RBAC0: Base model.
  • RBAC1: Hierarchical roles.
  • RBAC2: Constraints are applied.
  • RBAC3: Combined RBAC1 and RBAC2 to utilize Role Hierarchies and Constraints.
  • Constraints adapt RBAC to the specifics and security policies of the organization.
  • Types of constraints: mutually exclusive roles, cardinality (setting a maximum number with respect to roles), and prerequisite roles.
  • Prerequisite roles dictate that a user can only be assigned a particular role if already assigned some other specified role.

ABAC (Attribute Based Access Control)

  • Authorizations can express conditions on properties of both the resources and subjects.
  • Strength is in its flexibility and power of expression.
  • Systems are capable of enforcing DAC, RBAC, and MAC concepts.
  • Allows an unlimited number of attributes to be combined to satisfy any access control rule.
  • Relies on attributes of the subject, attributes of the object, and a formal relationship/rule defining allowable operations for subject-object attribute combinations.
  • Subject attributes define the identity and characteristics of the subject.
  • Object attributes: an object (or resource) is a passive information system-related entity containing or receiving information.
  • Environment attributes describe the operational or situational context.

ABAC Policies

  • A policy is a set of rules and relationships governing allowable behavior, based on privileges of subjects and how resources are protected under environmental conditions.
  • Policies are often written from the object's perspective; privileges are defined by an authority and embodied in a policy.
  • Other terms for privileges: rights, authorizations, and entitlements.

Identity, Credential, and Access Management (ICAM)

  • ICAM manages and implements digital identities, credentials, and access control.
  • It creates trusted digital identity representations for individuals and nonperson entities (NPEs).
  • It binds identities to credentials that may serve as a proxy for the individual or NPE in access transactions.
  • A credential authoritatively binds an identity to a token possessed and controlled by a subscriber.
  • It uses the credentials to provide authorized access to an agency's resources.

Identity Management

  • Identity management assigns attributes to a digital identity, connecting the digital identity to an individual or NPE.
  • This establishes a trustworthy digital identity, independent of specific applications or contexts.
  • The most common approach to access control creates a digital representation of identity for specific application use.
  • Includes mechanisms, policies, and procedures for protecting personal identity information, including controlling access to identity data.
  • Important techniques include sharing authoritative identity data with applications where needed and revocation of an enterprise identity.

Credential Management

  • It encompasses five components and is the overall management of the life cycle of credentials (smart cards, private/public cryptographic keys, and digital certificates).
  • This includes an authorized individual establishing the need for the credential.
  • In the process, the sponsored individual enrolls for identity proofing.
  • Authority must maintain/incorporate attribute data maintained by the identity management component.
  • Depending on the production method, it may use encryption, digital signatures and smart cards.
  • The credential is issued to an individual or NPE, and it must be maintained over its life cycle, which may involve revocation, replacement, PIN reset, or suspension.

Access Management

  • Access management manages and controls how entities access resources.
  • This covers both logical and physical access and may be internal to or an external element.
  • This ensures proper verification of attempts to access security-sensitive buildings, computers, and data.
  • Three elements are required for an enterprise wide access control facility:
    • Resource management.
    • Privilege management.
    • Policy management.

Three Support Elements Required for an Enterprise Wide Access Control Facility:

  • Resource management: Concerned with defining rules for resources requiring access control, including credentials needed, user attributes, resource attributes, and environmental conditions.
  • Privilege management: Establishes and maintains entitlement or privilege attributes comprising an individual's access profile, for determining access decisions to both physical and logical access.
  • Policy management: Governs what is allowable and unallowable in an access transaction.

Identity Federation

  • The technology, standards, policies, and processes that provide trust.
  • Allows organizations to use/trust digital entities from another organization.
  • How do you trust the entities and identities from external entities?
  • How do you vouch for the identities of individuals in your own organization?

Open Identity Trust Framework (OITF)

  • OpenID: Open standard allowing users to authenticate across sites.
  • OIDF: International nonprofit promoting OpenID technologies.
  • ICF: Nonprofit evolving the Information Card ecosystem.
  • OITF: Standardized, open trust framework for identity and attribute exchange, by OIDF and ICF.
  • OIX: Independent, neutral certification provider conforming .
  • AXN: Internet-scale gateway for accessing user attributes affordably.

Description

Learn about access control, which grants or denies requests to use information processing services and enter physical facilities. It regulates system resource usage with a security policy, permitting access only to authorized entities. Discover basic and derived security requirements.
