Is the traditional method of implementing access control?

  1. NIST IR 7298, Glossary of Key Information Security Terms, defines _________ as the process of granting or denying specific requests to: [1] obtain and use information and related information processing services; and [2] enter specific physical facilities.

    access control

  2. Internet Security Glossary, defines __________ as a process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities [users, programs, processes, or other systems] according to that policy.

    access control

  3. the central element of computer security.

    Access control

  4. [T/F] All of computer security is concerned with access control.

    True

  5. Measures that implement and  assure security services in a computer system, particularly those that assure access control service.

    Computer security

  6. Access Control Context:

    • Authentication
    • Authorization
    • Audit

  7. Verification that the credentials of a user or other system entity are valid.

    Authentication

  8. The granting of a right or permission to a system entity to access a system resource. This function determines who is trusted for a given purpose.

    Authorization

  9. An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures.

    Audit

  10. mediates between a user and system resources, such as applications, operating systems, firewalls, routers, files, and databases.

    access control mechanism

  11. maintains an authorization database that specifies what type of access to which resources is allowed for this user.

    security administrator

  12. Access Control Policies:

    • Discretionary access control [DAC]
    • Mandatory access control [MAC]
    • Role-based access control [RBAC]
    • Attribute-based access control [ABAC]

  13. Controls access based on the identity of the requestor and on access rules [authorizations] stating what  requestors are [or are not] allowed to do.

    Discretionary access control [DAC]

  14. The policy is termed ________ because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource.

    discretionary

  15. Controls access based on comparing security with security clearances.

    Mandatory access control [MAC]

  16. The policy is termed ________ because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource.

    mandatory

  17. Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.

    Role-based access control [RBAC]

  18. Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions.

    Attribute-based access control [ABAC]

  19. An ________, which can be embodied in an authorization database,  dictates what types of access are permitted, under what circumstances, and by whom.

    access control policy

  20. _______ is the traditional method of implementing access control.

    DAC

  21. ______ is a concept that evolved out of requirements for military information security and is best covered in the context of trusted systems.

    MAC

  22. The basic elements of access control are:

    subject, object, and access right

  23. A ________ is an entity capable of accessing objects. Generally, the concept of subject equates with that of process.

    subject

  24. This may be the creator of a resource, such as a file.

    Owner

  25. In addition to the privileges assigned to an owner, a named group of users may also be granted access rights, such that membership in the group is sufficient to exercise these access rights.

    Group

  26. The least amount of access is granted to users who are able to access the system but are not included in the categories owner and group for this resource.

    World

  27. An ________ is a resource to which access is controlled. In general, an object is an entity used to contain and/or receive information.

    object

  28. An _________ describes the way in which a subject may access an object.

    access right

  29. Access right includes:

    Read, Write, Execute, Delete, Create, Search

  30. A general approach to DAC, as exercised by an operating system or a database management system, is that of an _________.

    access matrix

  31. an _________ is usually sparse and is implemented by decomposition in one of two ways.

    access matrix

  32. _________ lists users and their permitted access rights.

    access control lists [ACLs]

  33. A _________ specifies authorized objects and operations for a particular user.

    capability ticket

  34. [T/F] It is easy to determine the set of access rights that a given user has, but more difficult to determine the list of users with specific access rights for a specific resource.

    True

  35. An ________ contains one row for one access right of one subject to one resource.

    authorization table

  36. Sorting or accessing the table by _______ is equivalent to a capability list. Sorting or accessing the table by ________ is equivalent to an ACL.

    subject, object

  37. assumes a set of subjects, a set of objects, and a set of rules that govern the access of subjects to objects.

    Access Control Model

  38. Access rights include the ability to delete a process, stop [block], and wake up a process.

    Processes

  39. Access rights include the ability to read/write the device, to control its operation [e.g., a disk seek], and to block/unblock the device for use.

    Devices

  40. Access rights include the ability to read/write certain regions of memory that are protected such that the default is to disallow access.

    Memory locations or regions

  41. Access rights with respect to a subject have to do with the ability to grant or delete access rights of that subject to other objects, as explained subsequently.

    Subjects

  42. A ________ could be defined, which results in the transferred right being added to the target subject and deleted from the transferring subject.

    transfer-only right

  43. The ability of one subject to create another subject and to have ______  access right to that subject can be used to define a hierarchy of subjects.

    ‘owner’

  44. A _______ is a set of objects together with access rights to those objects.

    protection domain

  45. [T/F] A more general concept of protection domain provides more flexibility.

    True

  46. A user program executes in a _________, in which certain areas of memory are protected from the user’s use and in which certain instructions may not be executed.

    user mode

  47. When the user process calls a system routine, that routine executes in a system mode, or what has come to be called _______, in which privileged instructions may be executed and in which protected areas of memory may be accessed.

    kernel mode

  48. An _________ is a control structure that contains the key information needed by the operating system for a particular file.

    inode [index node]

  49. A directory that is inside another directory is referred to as a _________.

    subdirectory

  50. A _________ is simply a file that contains a list of file names plus pointers to associated inodes.

    directory

  51. The ________ is  exempt from the usual file access control constraints and has systemwide access.

    superuser

  52. [T/F] A final point to note is that the traditional UNIX file access control scheme implements a simple protection domain structure. A domain is associated with the user, and switching the domain corresponds to changing the user ID temporarily.

    True

  53. ________ allows the administrator to assign a list of UNIX user IDs and groups to a file by using the setfacl command.

    FreeBSD

  54. [T/F] Traditional DAC systems define the access rights of individual users and groups of users. In contrast, RBAC is based on the roles that users assume in a system rather than the user’s identity.

    True

  55. provide a means of reflecting the hierarchical structure of roles in an organization.

    ROLE HIERARCHIES—RBAC1

  56. make use of the concept of inheritance to enable one role to implicitly include access rights associated with a subordinate role.

    Role hierarchies

  57. provide a means of adapting RBAC to the specifics of administrative and security policies in an organization.

    CONSTRAINTS—RBAC2

  58. A ________ is a defined relationship among roles or a condition related to roles.

    constraint

  59. roles such that a user can be assigned to only one role in the set.

    Mutually exclusive roles

  60. refers to setting a maximum number with respect to roles.

    Cardinality

  61. A system might be able to specify a __________, which dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role.

    prerequisite role

  62. An _________ can define authorizations that express conditions on properties of both the resource and the subject.

    ABAC model

  63. There are three key elements to an ABAC model: _______, which are defined for entities in a configuration; a _________ which defines the ABAC policies; and the ___________, which applies to policies that enforce access control.

    attributes, policy model, architecture model

  64. characteristics that define specific aspects of the subject, object, environment conditions, and/or requested operations that are predefined and preassigned by an authority.

    Attributes

  65. A subject is an active entity that causes information to flow among objects or changes the system state.

    Subject attributes

  66. An object, also referred to as a resource, is a passive information system-related entity containing or receiving information.

    Object attributes

  67. These attributes have so far been largely ignored in most access control policies.

    Environment attributes

  68. a logical access control model that is distinguishable because it controls access to objects by evaluating rules against the attributes of entities [subject and object], operations, and the environment relevant to a request.

    ABAC

  69. [T/F] ABAC enables fine-grained access control, which allows for a higher number of discrete inputs into an access control decision, providing a bigger set of possible combinations of those variables to reflect a larger and more definitive set of possible rules, policies, or restrictions on access. Thus, ABAC allows an unlimited number of attributes to be combined to satisfy any access control rule.

    True

  70. In ABAC, the _________ is derived from many sources of which the object owner has no control, such as Subject Attribute Authorities, Policy Developers, and Credential Issuers.

    root of trust

  71. A _______ is a set of rules and relationships that govern allowable behavior within an organization, based on the privileges of subjects and how resources or objects are to be protected under which environment conditions.

    policy

  72. represent the authorized behavior of a subject; they are defined by an authority and embodied in a policy.

    Privileges

  73. ______ is a comprehensive approach to managing and implementing digital identities [and associated attributes], credentials, and access control. ICAM has been developed by the U.S. government, but is applicable not only to government agencies, but also may be deployed by enterprises looking for a unified approach to access control.

    ICAM

  74. ___________ is concerned with assigning attributes to a digital identity and connecting that digital identity to an individual or NPE.

    Identity management

  75. A ____________ is often comprised of a set of attributes that when aggregated uniquely identify a user within a system or an enterprise.

    digital identity

  76. A ________ is an object or data structure that authoritatively binds an identity [and optionally, additional attributes] to a token possessed and controlled by a subscriber.

    credential

  77. ___________ is the management of the life cycle of the credential.

    Credential management

  78. The ___________ deals with the management and control of the ways entities are granted access to resources. It covers both logical and physical access, and may be internal to a system or an external element.

    access management component

  79. This element is concerned with defining rules for a resource that requires access control.

    Resource management

  80. This element is concerned with establishing and maintaining the entitlement or privilege attributes that comprise an individual’s access profile.

    Privilege management

  81. This element governs what is allowable and unallowable in an access transaction.

    Policy management

  82. ________ is a term used to describe the technology, standards, policies, and processes that allow an organization to trust digital identities, identity attributes, and credentials created and issued by another organization.

    Identity federation

  83. The _____________ involves users developing arrangements with an identity service provider to procure digital identity and credentials, and arrangements with parties that provide end-user services and applications and that are willing to rely on the identity and credential information generated by the identity service provider.

    exchange of identity information

  84. The _________ requires that the user has been authenticated to some degree of assurance, that the attributes imputed to the user by the identity service provider are accurate, and that the identity service provider is authoritative for those attributes.

    relying party

  85. This is an open standard that allows users to be authenticated by certain cooperating sites [known as Relying Parties] using a third party service, eliminating the need for Webmasters to provide their own ad hoc systems and allowing users to consolidate their digital identities.

    OpenID

  86. __________ is an international nonprofit organization of individuals and companies committed to enabling, promoting, and protecting OpenID technologies.

    OIDF: The OpenID Foundation

  87. ________ is a nonprofit community of companies and individuals working together to evolve the Information Card ecosystem.

    ICF: The Information Card Foundation

  88. ____________ is a standardized, open specification of a trust framework for identity and attribute exchange, developed jointly by OIDF and ICF.

    OITF: The Open Identity Trust Framework

  89. __________ is an independent, neutral, international provider of certification trust frameworks conforming to the Open Identity Trust Frameworks model.

    OIX: The Open Identity Exchange Corporation

  90. _________ is an online Internet-scale gateway for identity service providers and relying parties to efficiently access user asserted, permissioned, and verified online identity attributes in high volumes at affordable costs.

    AXN: An Attribute Exchange Network [AXN]

  91. __________ functions as a certification program which enables a party who accepts a digital identity credential to trust the identity, security, and privacy policies of the party who issues the credential and vice versa.

    Trust framework

  92. Also called service providers, these are entities delivering services to specific users.

    Relying parties [RPs]

  93. These are users of an RP’s services, including customers, employees, trading partners, and subscribers.

    Subjects

  94. __________ are entities acknowledged by the community of interest as being able to verify given attributes as presented by subjects and which are equipped through the AXN to create conformant attribute credentials according to the rules and agreements of the AXN.

    Attribute providers [APs]

  95. These are entities able to authenticate user credentials and to vouch for the names [or pseudonyms or handles] of subjects, and which are equipped through the AXN or some other compatible Identity and Access Management [IDAM] system to create digital identities that may be used to index user attributes.

    Identity providers [IDPs]

  96. Assessors evaluate identity service providers and RPs and certify that they are capable of following the OITF provider’s blueprint.

    Assessors

  97. These entities may be called on to check that parties’ practices have been in line with what was agreed for the OITF.

    Auditors

  98. These entities provide arbitration and dispute resolution under OIX guidelines.

    Dispute resolvers

  99. ________ is an organization that translates the requirements of policymakers into an own blueprint for a trust framework that it then proceeds to build, doing so in a way that is consistent with the minimum requirements set out in the OITF specification.

    Trust framework providers

What is traditional access control?

Traditional access control [AC] is the mechanism by which a system constrains the actions of a legitimate user and the programs operating on his behalf to only those that cannot compromise the security of the system. The term security, here, is meant to also cover confidentiality and integrity of information.

What are some methods for implementing access control?

Access Control: Models and Methods.
This response leads to more frustration as the user needs to get on with their task and all they need is access to one folder. ... .
Mandatory Access Control [MAC].
Role-Based Access Control [RBAC].
Discretionary Access Control [DAC].
Rule-Based Access Control [RBAC or RB-RBAC].

What is traditional access control models?

The traditional access control models are discretionary access control [DAC], mandatory access control [MAC], role-based access control [RBAC], and attribute-based access control [ABAC].

What is the method of access control?

Three main types of access control systems are: Discretionary Access Control [DAC], Role Based Access Control [RBAC], and Mandatory Access Control [MAC]. DAC is a type of access control system that assigns access rights based on rules specified by users.

Chủ Đề