The last chapter in the identity and access management section is all about identity and access management and controls. The last chapter was about what protocols were used for identity and access control. This chapter focuses more on the abstract, business-logic policies driving decisions about user access.
This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.
Back to a basic security concept: all actions should be controlled based on a system of approvals, so those actions can only be performed by authorized parties. Access management controls map out which users can perform which actions.
Access Control Modes
The term “access control” can refer to all security features that are used to prevent unauthorized access to a computer system or network. It’s different from authentication, though. Access is the ability of a subject (user, process, etc.) to interact with an object (data, files, etc.). Access controls determine what a user can do or not do, provided that they’ve already authenticated.
The simplest form of access controls are stored as a matrix. However, this gets unwieldy for large organizations, so it isn’t used very often. Instead, access control lists (ACLs) are used. ACLs are a list of subjects and access rights for a given object.
These controls use different models of access.
MAC
The Mandatory Access Control model is used in environments with different levels of security classifications. Think government clearances. MAC is:
A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the forma authorization (i.e. clearance) of subjects to access information of such sensitivity.
These controls also have other uses, like preventing information from a Top Secret document from being copy/pasted into a Secret document. Lastly, MAC uses “least privilege” or need-to-know… not all Top Secret documents are available to all Top Secret clearance holders.
DAC
DAC is discretionary access control. They both originated from the military. This DoD term means:
A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) to another subject.
DAC uses ACLs.
ABAC
Attribute-based access control. What is an attribute? It’s things like user attributes (specific to a job), object attributes, and environmental attributes. This is similar to role-based access control but also allows for the use of Boolean logic.
Role-Based Access Control
This shortens to RBAC… unfortunately, so does the next term. Role-based access control gives or restricts permissions based on a user’s role. This maps their expected duties to the (digital) abilities that they must be given.
Rule-Based Access Control
Another RBAC. This uses ACLs to determine whether access should be granted. This can be used in conjunction with other methods. For example, you might want to use a MAC method, but also restrict access after a certain time of day.
Physical Access Control
This is the process of defining and enforcing who has physical access to a system. This overlaps a lot with a previous chapter, but you’re probably used to that by now.
Ideally, you can use technology to easily manage physical access to building(s), and also electronically log user access as you go.
Proximity Cards
Most people are familiar with these. These are electronic access cards that allow entry through electronic doors. These can be used in conjunction with PINs or other forms of verification. This helps mitigate against attacks using stolen cards.
Smart Cards
I feel like there’s an overlap here between proximity cards and smart cards. Maybe smart cards are just… smarter proximity cards? These can offer a form of authentication, and may also be used in conjunction with other forms of authentication.
Biometric Factors
This book loves biometrics. You can use fingerprints, iris/retina scans, face scans, hand scans, etc. These all involve measuring a pattern of someone’s body, and mapping it to a numerical value. You can also have voice recognition.
The problem with the mapping is that it isn’t always correct. Do you err on the side of caution, and cause a bunch of authorized people to be falsely rejected? That’s a false negatives, and the level of false negatives that you accept is called the false rejection rate, or FRR.
There’s also the chance that you’re too lenient, and authenticate people who shouldn’t be authenticated. These are false negatives, and the level of false negatives is the false acceptance rate, or FAR.
You need to strike a balance between these two. The crossover of FAR and FRR should be roughly equal. This rate is known as the crossover error rate (FAR = FRR).
Tokens
These puppies are another example of “something you have.” It’s a physical object that identifies certain access rights. A common example is a house key. In the case of businesses, physical tokens are often the “smart” cards discussed earlier.
The US government uses Personal Identification Verification (PIV) cards, the DoD uses Common Access Cards (CACs).
However, house keys can be stolen, and so can smart cards. Possession of either one doesn’t necessarily prove that you are the owner, so think about using multifactor authentication.
Access tokens can be implemented in software, as well. This allows users to have 2FA without a second physical device. HMAC-based One-Time Passwords (HTOP) is an algorithm for authenticating a user via an authentication server. This password is time-stamped and is a one-time use.
Certificate-Based Authentication
This is a means of proving identity by showing a certificate. You have a few different options here. This can be a digital certificate that you send along with a message.
It can also be a form of a smart card, like the PIV and CAC cards mentioned earlier.
The IEEE 802.1X standard is used on a number of networks to authenticate a user to an authorization device. This will get discussed more in a later chapter.
File System Security
This book loves to swing back around to seemingly unrelated topics, and this chapter is no exception. File system security is the set of mechanisms and processes to prevent unauthorized access or alterations to file systems.
Your file system needs to be able to do user-level access differentiation (FAT32 doesn’t do this, NTFS does). You’ll need an access control model (we went through those earlier). And then you need to set file read/write/execute permissions for all users.
Database Security
Same concepts, different target. Database security is the application of security controls (who can access what), but for databases. This is managed within the database system and works similar to other methods–there’s a list of users and defined/associated permissions.