CompTIA Security+ Access Control Models (EXAMCRAM CompTIA Security+ SY0-501 Fifth Edition by Diane Barrett/Marty M. Weiss)

Mandatory access control (MAC)-The most basic form of access control involves assigning labels to resources and accounts (ex. SENSITIVE, SECRET and PUBLIC). Also referred to as multilevel access control.

Discretionary access control (DAC)- A slightly more complex system of access control involves restricting access for each resource in a discretionary manner.  DAC scenarios allow individual resources to be individually made available or secure from access. Access rights are configured at the discretion of the accounts that have the authority over each resource, including the capability to extend administrative rights through the same mechanism. In DAC, a security principal (account) has complete control over the objects that it creates or otherwise owns, unless this is restricted through group or role membership. The owner assigns security levels based on objects and subjects and can make his or her own data available to others as desired. A common scenario for DAC is online social network users choosing who can access their data.

Attribute-based access control (ABAC)-is a logical access control model that the Federal Identity, Credential, and Access Management (FICAM) Roadmap recommends as the preferred access control model for information sharing among divers organizations.  ABAC is based on the Extensible Access Control Markup Language (XACML). The reference architecture is similar to the core components of AAA. The ABAC authorization process is determined by evaluating rules and policies against attributes associated with a entity, such as the subject, object, operation, or environment condition.  Attributes are characteristics that define specific aspects of the entity. When an access request is made, the access decision is based on the evaluation of attributes and access control rules by the attribute-based access control mechanism.  ABAC is well suited for large and federated enterprises, making it more complicated and costly to implement and maintain than simple access control models.

Rule-based access control (RBAC)-Rule-based access control dynamically assigns roles to users based on criteria that the data custodian or system administrator defines.  Rule-based access control includes controls such as the time of day, the day of the week, specific terminal access, and GPS coordinates of the requester, along with other factors that might overlay a legitimate account's access request.  Implementation of rule-based access control might require that rules be programmed using code instead of allowing traditional access control by checking a box. 

Role-based access control (RBAC)-Access rights are first assigned to roles.  Then accounts are associated with these roles, without the direct assignment of resource access rights.  This solution provides the greatest level of scalability within large enterprise scenarios, where explicitly granting rights to each individual account could rapidly overwhelm administrative staff and increase the potential for accidentally granting unauthorized permissions. 

Comments

Post a Comment

Popular posts from this blog

Microsoft Safety Scanner

Looks like Microsoft did sneak a new on demand anti-malware scanner past us. Most would have been unaware of the new application if not for keeping up with various IT newletters, blogs and web sites, such as I do on a daily basis. This small application is downloaded as an .exe file and instead of being installed onto your Windows enironment, it is just ran directly from the .exe file to start the scanning process. One of the downsides to the program is that you have to re-download the file again, after ten days, to include the latest definitions for the program. If your willing to live with the small inconvienence, it looks like a good additional on-demand malware scanner, in additional to you main persistant anti-malware program. Just don't depend on this one alone as your main anti-malware program for your Windows OS environment. Microsoft Safety Scanner download
Read more

The man who could have been Bill Gates

Brian McCullough on his YouTube Internet History Podcast channel has a very interesting podcast about the history of CP/M and PC-DOS/MS-DOS. CP/M could have been the dominant 16 bit OS for IBM PC's instead of DOS, during the debut of IBM's 5150 Personal Computer. The man who could have been Bill Gates Podcast What Was CP/M, and Why Did It Lose to MS-DOS?
Read more