CompTIA® Security+ Exam Notes : Implement Identity And Access Management Controls

4. Identity and Access Management

4.3 Given a scenario, implement identity and access management controls

Access Control Models:

Computer-based access controls prescribe not only which user or process may access a given resource, but also the type of access that is permitted. These controls may be implemented in the computer system itself or in external devices. The main types of access control are:

1. Mandatory access control

2. Discretionary access control

3. Rule based access control

4. Role based access control

Mandatory Access Control (MAC) secures information by assigning sensitivity labels to objects (resources) and comparing them with the sensitivity level at which a subject (user) is operating. MAC ensures that users can access only data for which they hold a matching or higher security label (security clearance). In general, MAC mechanisms are more secure than DAC. MAC is usually appropriate for highly secure systems, including multilevel secure military applications and mission-critical data applications. Sensitivity labels are the defining feature of MAC: access is determined by the security policy of the system, and the object owner or user has almost no control over the resource.

Discretionary Access Control (DAC): DAC is a means of restricting access to information based on the identity of users and/or their membership in certain groups. Access decisions are typically based on the authorizations granted to a user according to the credentials presented at authentication (user name, password, hardware/software token, etc.). In most DAC models, the owner of a piece of information or a resource is able to change its permissions at their discretion. DAC has the drawback that administrators cannot centrally manage the permissions on files/information stored on the web server. Here the access control is determined by the owner of an object.

Role Based Access Control (RBAC): In Role-Based Access Control (RBAC), access decisions are based on an individual's roles and responsibilities within the organization. For instance, in a corporation the roles may include chief executive, manager, executive, and clerk. These members obviously require different levels of access to perform their functions, and the types of web transactions they may perform, and the context in which they are allowed, vary greatly depending on the security policy. In Role Based Access Control, the administrator defines the roles, so this type of access control is sometimes considered a subset of MAC. As the name suggests, access to an object is determined by the role of an employee: users are first assigned roles, and permissions are then assigned to roles.

Rule Based Access Control (RBAC): In Rule Based Access Control, access to a resource is based on a set of rules. ACLs (Access Control Lists) are used for this type of access control. Since the administrator sets the rules, this type of access control is sometimes considered a subset of MAC.


Note that in a scenario where the divisions do not want information to be made available to group personnel only, role based access control is suitable because it provides security as well as flexibility: individual users are given privileges based on their respective roles in the organization rather than by name.

Using Discretionary Access Control (DAC), the access rights for resources are controlled by the owner of a given resource.
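The four models above differ mainly in who decides the policy and what the decision is keyed on. The following added example (not from the original notes) puts each model into a few lines of Python so the differences are concrete: MAC compares system-assigned labels, DAC lets only the owner edit an ACL, RBAC maps users to roles and roles to permissions, and rule-based control walks an ordered ACL with an implicit deny. All levels, users, roles and rules are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


# --- Mandatory Access Control: labels are assigned by system policy, not by owners ---
class Level(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_allows_read(clearance: Level, label: Level) -> bool:
    """A subject may read an object only if its clearance matches or exceeds the object's label."""
    return clearance >= label


# --- Discretionary Access Control: the owner edits the object's ACL at their discretion ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        # Only the owner may change permissions; in pure DAC nobody can do it centrally.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this object")
        self.acl.setdefault(user, set()).add(perm)


def dac_allows(obj: DacObject, user: str, perm: str) -> bool:
    return user == obj.owner or perm in obj.acl.get(user, set())


# --- Role Based Access Control: users -> roles -> permissions (all constructed) ---
ROLE_PERMS = {
    "clerk": {"create_invoice"},
    "manager": {"create_invoice", "approve_invoice"},
    "executive": {"approve_invoice", "view_reports"},
}
USER_ROLES = {"bob": {"clerk"}, "carol": {"manager"}, "dave": {"executive"}}


def rbac_allows(user: str, perm: str) -> bool:
    """Permissions are never attached to the user by name, only through the roles they hold."""
    return any(perm in ROLE_PERMS.get(role, set()) for role in USER_ROLES.get(user, set()))


# --- Rule Based Access Control: an ordered ACL, first matching rule wins, default deny ---
RULES = [
    # (description, predicate over the request context, decision)
    ("deny everything outside business hours", lambda r: not 8 <= r["hour"] < 18, False),
    ("internal network may read", lambda r: r["src"].startswith("10.") and r["action"] == "read", True),
    ("internal admins may write",
     lambda r: r["src"].startswith("10.") and r["action"] == "write" and r["role"] == "admin", True),
]


def rule_allows(request: dict) -> bool:
    for _description, matches, decision in RULES:
        if matches(request):
            return decision
    return False   # implicit deny when no rule matches


if __name__ == "__main__":
    print("MAC  secret reads confidential:", mac_allows_read(Level.SECRET, Level.CONFIDENTIAL))
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob reads alice's doc:    ", dac_allows(doc, "bob", "read"))
    print("RBAC carol approves invoice:   ", rbac_allows("carol", "approve_invoice"))
    print("Rule 10.0.0.5 reads at 10:00:  ", rule_allows({"src": "10.0.0.5", "hour": 10, "action": "read", "role": "user"}))
```

Note the order dependence in the rule-based model: because the business-hours rule comes first, an internal admin is still denied a write at 20:00, which is exactly the kind of behaviour that must be reviewed when rules are reordered.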

Tokens: A token can be a physical device such as a smart card, or an electronic process such as RSA's SecurID token. Tokens provide one of the most secure authentication environments because a token is typically unique to a user and difficult to spoof.

Physical tokens are usually smart cards that a user must carry in order to access network resources. A smart card is an example of a physical token, whereas RSA SecurID is an electronic token that can be implemented either as a software token or as a hardware token.

Smart card: Smart cards usually come in two forms. The most common is a rectangular piece of plastic with an embedded microchip; the second is a USB token. Either form contains a built-in processor and can securely store and process information. A "contact" smart card communicates with a PC through a smart card reader, whereas a "contactless" card sends encrypted information to the PC via radio waves.

The following are some of the attributes of a smart card:

1. A smart card is typically a credit-card-sized device with a built-in microcomputer and memory. It is highly tamper-proof and provides a high degree of security for on-line transactions.

2. On the client-side, the smart card software essentially consists of two parts:

  • Card reader software (also known as host software) that runs on a computer connected to a smart card.
  • Card software that runs on the smart card itself. As a counterpart of reader-side software, card software is also referred to as card-side software.

3. A smart card usually requires two-factor authentication: in addition to presenting the card to the system, you must enter an authentication password or code when prompted. Requiring both factors (physical possession of the card and knowledge of the authentication code) gives better security than either one alone.

Fingerprint and retina scans both belong to the same factor category, "what you are", and hence together constitute only single-factor authentication.
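To make the token and factor discussion above concrete, here is an added Python example (not part of the original notes, and not RSA's SecurID implementation) of a software token in the style of a time-based one-time password: a PIN is the "something you know" factor, the token code is the "something you have" factor, and a small helper counts distinct factor categories so that two biometrics are correctly reported as a single factor. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238; the secret, salt and PIN values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current interval and +/- `window` neighbours to tolerate small clock drift."""
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


# Knowledge factor: the server keeps only a salted, stretched hash of the PIN, never the PIN.
def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)


def verify_pin(pin: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_pin(pin, salt), stored)


# Factor categories (constructed mapping for the example).
FACTOR_OF = {
    "password": "knowledge", "pin": "knowledge",
    "smart_card": "possession", "totp_token": "possession",
    "fingerprint": "inherence", "retina": "inherence",
}


def distinct_factors(methods) -> int:
    """Number of distinct factor categories used; fingerprint + retina still count as one."""
    return len({FACTOR_OF[m] for m in methods})


def authenticate(pin: str, code: str, salt: bytes, stored_pin: bytes,
                 token_secret: bytes, now: float) -> bool:
    """Two-factor check: PIN (something you know) and token code (something you have)."""
    pin_ok = verify_pin(pin, salt, stored_pin)
    code_ok = verify_totp(token_secret, code, now)
    return pin_ok and code_ok   # both are always evaluated so a failure does not reveal which factor was wrong


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # would be provisioned into the token, never reused
    salt = b"\x01" * 16                           # constructed; use os.urandom(16) in practice
    stored = hash_pin("4321", salt)
    now = 1_000_000
    print("token shows:", totp(secret, now))
    print("login ok:   ", authenticate("4321", totp(secret, now), salt, stored, secret, now))
    print("factors for fingerprint + retina:", distinct_factors(["fingerprint", "retina"]))
```

The RFC test vectors (secret `12345678901234567890`, counter 0 gives `755224`) can be used to confirm the HOTP step is implemented correctly before wiring it into anything; a code that validates outside the small drift window is rejected, which is what limits the usefulness of a code that was observed once.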

A small storage unit may be used to keep valuable documents and devices under lock and key. A fingerprint scanner may be used to admit only authorized personnel into the admin office. A CCTV system may be used to monitor activity within the admin office. All these measures improve the security of the admin office.

Single sign on

Shibboleth: This identity solution is an open-source, federated single sign-on (SSO) system built on SAML. Most users of Shibboleth are research and educational institutions. Whereas most federated systems are designed to work only with identity and service providers in the same organization, Shibboleth works on an inter-organizational basis.

OpenID Connect: OpenID Connect is an authentication service that can be used to sign into any website or web app that accepts it. This authentication service is often provided by a third party.

OAUTH: OAuth (Open Standard for Authorization) is an authorization service that can be used to gain access to information. The main use of OAuth is to share information with third-party applications.

Operationally speaking, OAuth works over HTTP to allow access tokens to be issued to third-party clients with the approval of the owner of the information resources.

Secure Token: Secure tokens are protected data sets, sometimes encrypted, that serve as verification for users and systems. Benefits of using secure tokens include the fact that secure tokens do not leak information about credentials and that impersonation of secure tokens is not easy.

NTLM: New Technology LAN Manager (NTLM) is a proprietary Microsoft Windows password hash storage system. NTLM is a challenge-response protocol that has enhanced security because the stored hash is non-reversible. NTLM is often used in Active Directory environments that do not provide user logon authentication via TACACS or RADIUS.
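The point of a challenge-response scheme such as NTLM is that neither the password nor its hash travels over the network: the server sends a fresh random challenge and the client returns a keyed function of it. The following added Python example (not from the original notes, and a deliberately simplified stand-in rather than the actual NTLM algorithm, which uses different hash functions and message formats) shows the exchange from both sides, including single-use challenges so a captured response cannot be replayed. User names and passwords are constructed. One caveat the example makes visible: the server-side verifier is the key the client derives from the password, so the stored hashes must be protected as carefully as the passwords themselves.

```python
import hashlib
import hmac
import os


def stored_verifier(password: str) -> bytes:
    """What the server keeps: a one-way hash of the password (SHA-256 here; constructed stand-in for the real NT hash)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class Server:
    def __init__(self, verifiers: dict):
        self.verifiers = verifiers      # username -> stored verifier
        self.pending = {}               # username -> outstanding challenge

    def issue_challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)          # fresh per attempt, so an old response is useless
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)   # a challenge is single-use
        verifier = self.verifiers.get(user)
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    """Client proves knowledge of the password; only the keyed MAC of the challenge leaves the client."""
    return hmac.new(stored_verifier(password), nonce, hashlib.sha256).digest()


def run_exchange(server: Server, user: str, password: str) -> bool:
    """The full round trip: challenge from the server, response from the client, verdict from the server."""
    nonce = server.issue_challenge(user)
    return server.verify(user, client_response(password, nonce))


if __name__ == "__main__":
    srv = Server({"alice": stored_verifier("correct horse battery")})   # constructed credential
    print("correct password:", run_exchange(srv, "alice", "correct horse battery"))
    print("wrong password:  ", run_exchange(srv, "alice", "not the password"))
```

Logging each `issue_challenge`/`verify` pair per user is the natural detection hook: a burst of challenges without matching successful verifications for one account is the signature of a guessing attempt against this style of protocol.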
