Security+ Domain 4.0: Identity and Access Management: Chapter 20


Chapter 20: Identity and Access Management Controls

Access Control Models

MAC

DAC

ABAC

RBAC

RB-RBAC

Access control comprises mechanisms for limiting access to information or resources, based on

      • user identity
      • membership in groups

Routers and operating systems store this information in an Access Control List (ACL).

An ACL consists of access control entries (ACEs).

A guide to understanding Cisco Access Control Lists:
Cisco Access Control Lists (ACL) at
http://www.networkclue.com/routing/Cisco/access-lists/index.aspx

Another example courtesy of JLSNet:
http://www.jlsnet.co.uk/index.php?page=cc_access

What these rules look like as Linux kernel firewall rules (thanks to the JustLinux Forums):
http://www.justlinux.com/forum/showthread.php?threadid=150675
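To make the ACL/ACE idea concrete, here is an added example (not code from this page or from any of the linked guides) that parses a constructed Cisco-style extended ACL and evaluates packets against it. It assumes the usual extended-ACL line shape shown in the comment and a plain "any / address wildcard" syntax; the sample entries and addresses are made up. The point it demonstrates is what the linked guides describe in prose: entries are checked top-down, the first matching ACE decides, and anything not matched falls through to the implicit deny at the end of the list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ACL (not from the page or any vendor document). The lines
# follow the familiar extended-ACL shape:
#   access-list <number> permit|deny <proto> <src> <wildcard>|any <dst> <wildcard>|any [eq <port>]
# Entry order matters: the ACEs are checked top-down and the first match wins.
SAMPLE_ACL = """
access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq 22
access-list 101 deny tcp any any eq 23
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
"""


@dataclass
class ACE:
    """One access control entry."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]         # destination port; None means any port


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard masks are inverted subnet masks: 0.0.0.255 covers a /24."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    netmask = ipaddress.IPv4Address(inverted)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_acl(text: str) -> List[ACE]:
    """Turn ACL text into an ordered list of ACEs (order is preserved on purpose)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        i = 4
        nets = []
        for _ in range(2):                      # source, then destination
            if tok[i] == "any":
                nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
                i += 1
            else:
                nets.append(wildcard_to_network(tok[i], tok[i + 1]))
                i += 2
        port = int(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
        entries.append(ACE(action, proto, nets[0], nets[1], port))
    return entries


def evaluate(acl: List[ACE], proto: str, src_ip: str, dst_ip: str, dst_port: int):
    """Return (decision, number of the matching ACE). First match wins; if no
    ACE matches, the implicit deny at the end of every ACL applies (number None)."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.port is not None and ace.port != dst_port:
            continue
        return ace.action, n
    return "deny", None


ACL = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for pkt in [("tcp", "10.0.0.5", "192.0.2.1", 22),
                ("tcp", "10.0.1.5", "192.0.2.1", 23),
                ("tcp", "10.0.1.5", "192.0.2.1", 80),
                ("udp", "10.0.0.5", "192.0.2.1", 53)]:
        print(pkt, "->", evaluate(ACL, *pkt))
```

The second packet shows why order matters: the telnet deny on line 2 catches traffic from 10.0.1.0/24 before the broad permit on line 3 is ever reached, and the UDP packet shows the implicit deny doing its work when nothing is written down for it.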

Windows rights based on group membership are inherited rights. These may include:

        • Full Control
        • Modify
        • Read
        • List Contents
        • Execute
        • Write

Mandatory Access Control (MAC) is used in government and military environments, where objects are labelled as “Top Secret” or “Secret,” for example.

No subject can alter another subject’s access level.

All access is strictly defined at the object level:

        • only members of a specific group have access

and at the group level:

        • access to an object requires membership in a certain group.

In Role-Based Access Control (RBAC), all access is defined by a user’s specific role, for instance:

        • Manager
        • Accountant
        • HR

One user may have many roles.

Discretionary Access Control (DAC) is the least restrictive model. Think of Windows workgroup permissions: the user of a PC shares a folder, assigns a password, and sets permissions (for instance, read-only).

The user decides everything.

Rule-Based Role-Based Access Control (RB-RBAC)

Yes, this is a thing. The Security+ test may ask about Rule-Based Access Control, or Rule-Based Role-Based Access Control (RB-RBAC). Think of it as a scheme in which a rule-based mechanism, such as a router, assigns a role to a user according to those rules.
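The four models above differ mainly in who gets to decide. As an added illustration (not from the page), the following Python keeps each decision rule in a few lines: MAC compares a fixed clearance against a fixed label, DAC lets only the owner edit the ACL of a shared folder, RBAC looks permissions up by role, and RB-RBAC lets a rule (here, the source network, standing in for a router rule) assign the role before the RBAC check runs. The label set, role names, permission names and networks are all made up for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set

# ---- MAC: objects carry labels, subjects carry clearances, and no subject can
# change either (hypothetical label ordering, lowest to highest).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def mac_can_read(subject_clearance: str, object_label: str) -> bool:
    """A subject may read an object only if its clearance is at or above the label."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# ---- DAC: the object's owner decides, like a user sharing a workgroup folder.
@dataclass
class SharedFolder:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # principal -> rights (the ACEs)

    def grant(self, actor: str, principal: str, rights: Set[str]) -> None:
        """Only the owner may change the ACL; anyone else is refused."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this folder")
        self.acl.setdefault(principal, set()).update(rights)

    def allows(self, principal: str, right: str) -> bool:
        if principal == self.owner:
            return True
        return right in self.acl.get(principal, set())


# ---- RBAC: permissions attach to roles, and a user may hold several roles
# (role and permission names are constructed for the example).
ROLE_PERMS = {
    "Manager": {"approve_expense", "view_payroll"},
    "Accountant": {"post_ledger", "view_payroll"},
    "HR": {"edit_employee_record"},
}


def rbac_allows(user_roles: Set[str], permission: str) -> bool:
    return any(permission in ROLE_PERMS.get(role, set()) for role in user_roles)


# ---- RB-RBAC: a rule-based device such as a router assigns the role; here the
# rule is "which network did the request come from" (constructed rule table).
ROLE_RULES = [
    (ipaddress.ip_network("10.0.1.0/24"), "Accountant"),
    (ipaddress.ip_network("10.0.2.0/24"), "HR"),
]


def roles_by_rule(src_ip: str) -> Set[str]:
    ip = ipaddress.ip_address(src_ip)
    return {role for net, role in ROLE_RULES if ip in net}


def rb_rbac_allows(src_ip: str, permission: str) -> bool:
    """The rule assigns the role, then ordinary RBAC decides."""
    return rbac_allows(roles_by_rule(src_ip), permission)


if __name__ == "__main__":
    print("MAC     Secret reads Top Secret:", mac_can_read("Secret", "Top Secret"))
    folder = SharedFolder(owner="alice")
    folder.grant("alice", "bob", {"read"})
    print("DAC     bob reads:", folder.allows("bob", "read"), "| bob writes:", folder.allows("bob", "write"))
    print("RBAC    Manager+HR views payroll:", rbac_allows({"Manager", "HR"}, "view_payroll"))
    print("RB-RBAC 10.0.1.7 posts ledger:", rb_rbac_allows("10.0.1.7", "post_ledger"))
```

Notice where the authority sits in each function: in `SharedFolder.grant` it is the owner (DAC, "the user decides everything"), while in `mac_can_read` nothing in the call can move a label or a clearance, which is exactly why MAC is the model used where objects are labelled Secret or Top Secret.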

Biometrics

Fingerprint, iris, retina, voice, face

False Positives and False Negatives

False Acceptance Rate

False Rejection Rate

Crossover Error Rate
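The three rates are easiest to see computed. This added example (not from the page) uses constructed match scores from a hypothetical fingerprint matcher: genuine users scoring mostly high, impostors mostly low, with some overlap. It computes the False Acceptance Rate (impostors scored above the decision threshold) and the False Rejection Rate (genuine users scored below it) at several thresholds, then sweeps every threshold to find the Crossover Error Rate, the point where the two rates meet. Score scale, sample values and threshold range are all assumptions of the example.

```python
from typing import List, Tuple

# Constructed similarity scores (0-100) from a hypothetical fingerprint matcher.
# GENUINE: enrolled users presenting their own finger.
# IMPOSTOR: other people's fingers compared against the same templates.
# A real matcher yields thousands of such scores; ten each keep the arithmetic visible.
GENUINE = [92, 88, 85, 81, 79, 74, 68, 62, 55, 48]
IMPOSTOR = [66, 60, 57, 52, 49, 45, 41, 38, 33, 29]


def far(threshold: int, impostor: List[int] = IMPOSTOR) -> float:
    """False Acceptance Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(threshold: int, genuine: List[int] = GENUINE) -> float:
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def tradeoff(thresholds: List[int]) -> List[Tuple[int, float, float]]:
    """Raising the threshold drives FAR down and FRR up; the operator picks a point."""
    return [(t, far(t), frr(t)) for t in thresholds]


def crossover(genuine: List[int] = GENUINE,
              impostor: List[int] = IMPOSTOR) -> Tuple[int, float]:
    """Crossover Error Rate: sweep every threshold and return the first one where
    FAR and FRR are closest, together with the error rate at that point."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, a, r)
    _, t, a, r = best
    return t, (a + r) / 2


if __name__ == "__main__":
    for t, a, r in tradeoff([40, 50, 60, 70]):
        print(f"threshold {t:3d}: FAR {a:.1f}  FRR {r:.1f}")
    t, cer = crossover()
    print(f"CER about {cer:.2f} at threshold {t}")
```

A low threshold is convenient for users (FRR near zero) but lets most impostors through; a high threshold does the reverse. The CER is the usual single number for comparing biometric systems because it captures both rates at once; a lower CER means a better separation between genuine and impostor scores.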

Other Layers of Security Based on Authentication

File system security

Database security