CISSP Exam Guide Notes: 5.12 Quick Tips

  • Access is a flow of information between a subject and an object.

  • A subject is an active entity that requests access to an object, which is a passive entity.

  • A subject can be a user, program, or process.

  • Some security mechanisms that provide confidentiality are encryption, logical and physical access control, transmission protocols, database views, and controlled traffic flow.

  • Identity management (IdM) solutions include directories, web access management, password management, legacy single sign-on, account management, and profile update.

  • Password synchronization reduces the complexity of keeping up with different passwords for different systems.

  • Self-service password reset reduces help-desk call volumes by allowing users to reset their own passwords.

  • Assisted password reset shortens the help-desk resolution process for password issues.

  • IdM directories contain all resource information, users’ attributes, authorization profiles, roles, and possibly access control policies so other IdM applications have one centralized resource from which to gather this information.

  • An automated workflow component is common in account management products that provide IdM solutions.

  • User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications.

  • User access reviews ensure there are no active accounts that are no longer needed.

  • The HR database is usually considered the authoritative source for user identities because that is where each user’s identity is first developed and properly maintained.

  • There are five main access control models: discretionary, mandatory, role based, rule based, and attribute based.

  • Discretionary access control (DAC) enables data owners to dictate what subjects have access to the files and resources they own.

  • The mandatory access control (MAC) model uses a security label system. Users have clearances, and resources have security labels that contain data classifications. MAC systems compare these two attributes to determine access control capabilities.

  • Role-based access control (RBAC) is based on the user’s role and responsibilities (tasks) within the company.

  • Rule-based RBAC (RB-RBAC) builds on RBAC by adding Boolean logic in the form of rules or policies that further restrict access.

  • Attribute-based access control (ABAC) is based on attributes of any component of the system. It is the most granular of the access control models.

  • Three main types of constrained user interface measures exist: menus and shells, database views, and physically constrained interfaces.

  • Access control lists are bound to objects and indicate what subjects can use them.

  • A capability table is bound to a subject and lists what objects it can access.

  • Some examples of remote access control technologies are RADIUS, TACACS+, and Diameter.
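The tips on the five access control models and on access control lists versus capability tables describe decision logic and data structures that are easier to see in code. The following toy reference monitor is an added example written for these notes, not code from the CISSP guide; all users, resources, labels, roles and attributes are constructed sample data, and the MAC check assumes a simple linear ordering of classification levels (public < confidential < secret < top secret) so that "clearance dominates label" reduces to an integer comparison.

```python
"""Toy reference monitor for the access control concepts in the tips above.

Added example, not from the CISSP guide. Every subject, object, label,
role and attribute below is constructed sample data.
"""

# --- Access matrix: rows are subjects, columns are objects (constructed) ---
ACCESS_MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "memo.txt": {"read"}},
    "bob":   {"memo.txt": {"read", "write"}},
}

def acl_for(obj):
    """An ACL is bound to the object: which subjects can use it (one matrix column)."""
    return {subj: perms[obj] for subj, perms in ACCESS_MATRIX.items() if obj in perms}

def capability_table_for(subj):
    """A capability table is bound to the subject: which objects it can access (one matrix row)."""
    return dict(ACCESS_MATRIX.get(subj, {}))

# --- DAC: the data owner dictates who may access the resource it owns ---
OWNERS = {"payroll.xlsx": "alice", "memo.txt": "bob"}

def dac_grant(requester, obj, subj, perm):
    """Only the object's owner may change its ACL; returns True if the grant was applied."""
    if OWNERS.get(obj) != requester:
        return False
    ACCESS_MATRIX.setdefault(subj, {}).setdefault(obj, set()).add(perm)
    return True

def dac_allowed(subj, obj, perm):
    return perm in ACCESS_MATRIX.get(subj, {}).get(obj, set())

# --- MAC: compare the subject's clearance with the object's security label ---
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}  # linear lattice (assumption)
CLEARANCE = {"alice": "secret", "bob": "confidential"}
LABEL = {"payroll.xlsx": "secret", "memo.txt": "public", "plans.doc": "top secret"}

def mac_can_read(subj, obj):
    """Read is allowed only when the clearance dominates the data classification label."""
    return LEVELS[CLEARANCE[subj]] >= LEVELS[LABEL[obj]]

# --- RBAC: permissions attach to roles; users are assigned roles ---
ROLE_PERMS = {
    "payroll_clerk": {("payroll.xlsx", "read")},
    "staff": {("memo.txt", "read")},
}
USER_ROLES = {"alice": {"payroll_clerk", "staff"}, "bob": {"staff"}}

def rbac_allowed(subj, obj, perm):
    return any((obj, perm) in ROLE_PERMS[role] for role in USER_ROLES.get(subj, ()))

# --- RB-RBAC: RBAC plus a Boolean rule that further restricts access (office hours) ---
def rb_rbac_allowed(subj, obj, perm, hour):
    return rbac_allowed(subj, obj, perm) and 8 <= hour < 18

# --- ABAC: a policy evaluated over subject, object and environment attributes ---
SUBJECT_ATTRS = {
    "alice": {"dept": "finance", "mfa": True},
    "bob":   {"dept": "ops", "mfa": False},
}
OBJECT_ATTRS = {
    "payroll.xlsx": {"dept": "finance", "sensitive": True},
    "memo.txt":     {"dept": "any", "sensitive": False},
}

def abac_allowed(subj, obj, env):
    """Grant only if department matches, sensitive data requires MFA, and the request is on the corporate network."""
    s, o = SUBJECT_ATTRS[subj], OBJECT_ATTRS[obj]
    same_dept = o["dept"] in ("any", s["dept"])
    strong_enough = s["mfa"] or not o["sensitive"]
    on_network = env.get("network") == "corporate"
    return same_dept and strong_enough and on_network

if __name__ == "__main__":
    print("ACL for memo.txt:", acl_for("memo.txt"))
    print("Capabilities of alice:", capability_table_for("alice"))
    print("MAC: bob reads payroll?", mac_can_read("bob", "payroll.xlsx"))
    print("ABAC: alice reads payroll from corporate network?",
          abac_allowed("alice", "payroll.xlsx", {"network": "corporate"}))
```

The same access matrix yields both representations: reading a column gives the ACL bound to an object, reading a row gives the capability table bound to a subject. The ABAC policy is the most granular of the four because it can combine any attribute of the subject, object or environment, whereas RBAC sees only the role and MAC only the clearance and label.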
