Access Control CISSP Topic 2a - Security Confessions

Access Control (CISSP Topic 2a)

Access Control is all about the security features that control how users and systems communicate with each other systems and resources. The objective is to protect the systems and resources from unauthorized access.

January 7, 2013

CISSP

Introduction

The goal

https://technicalconfessions.com/images/postimages/postimages/_132_2_relationship between subject and object.png

The objective is to protect the systems and resources from unauthorized access.

Definitions

To understanding the concept of access control, we need to understand the relationship between a subject and an object. In every scenario, the subject would always communicate to the Object. For instance, a person may access a file though you may have a computer communicate with another computer (e.g. a firewall through to a web service)

What I'm getting at is that the subject will always communicate to an object

Access

Subject

Object

Identification

Authentication
= It establishes the user's identity and ensure the user is who they say they are (If you have a credit card, you can authenticate it's yours by entering in the pin number) Authorization
= The specific rights granted to an individual Accountability
= The ability to determine the actions and behavior of a single identity within the system, commonly by audit trails and logs

Authentication can come in 3 ways

Level 1: Something you know
Level 2: Something you have
Level 3: Something you are

Level 1: Something you know

Something a person knows can be one of the following:

Password

PINs

Lock combination

Token

Synconynous Tokens - Based on a clock/counter
Asynconous Tokens = (Challenge response) based on a time

Cards

Touch-less smart card (uses an antena)
Contact smart card (the card touches the sensor)
Smart Card = Holds data + has a processing power (uses a pin to unlock the info)

Memory

Holds data though does not has any processing power

Certificates

Note: Basically anything that can be found in the person's brain

Level 2: Something you have

Anything something a person have

RSA Token

Badge

Key

Level 3: Something you are

This is all about the physical attributes (biometrics) of an individual.
False Rejection Rate = Type 1 False Acceptance Rate = Type 2 CER (Crossover Error Rate)
Note: The lower the CER number the better

There are many ways to determine the biometrics and how good they are. The way to compare which biometrics is the best is by either using the CER or a Zepher Chart

Note: Zepher Chart is the better option

Two-Factor (Strong) Authentication

Two factor authentication (a.k.a. Strong authentication) is when you use any 2 of the 3 levels of authentication

About the author
Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.
Daniel has built from scratch this blog as well as technicalconfessions.com
Follow Daniel on twitter @nervouswiggles

Comments

Other Posts

AWS-PHP integration - Email not sent. SMTP Error: Could not authenticate.

phpsmtpaws

February 6, 2020

Created by: Daniel Redfern
AS I was migrating my environment into an S3 environment, I wanted to leverage off the SES services that AWS provide, more specifically, to leverage the off the SMTP functionality by sending an email via PHP
Read More...

SOLUTION: no headers files (.h) found in softwareserial - Arduino

Arduino

February 24, 2019

Created by: Daniel Redfern
The WeMos D1 is a ESP8266 WiFi based board is an extension to the current out-of-the-box library that comes with the Arduino installation. Because of this, you need to import in the libraries as well as acknowledging the specific board. This process is highly confusion with a number of different individuals talking about a number of different ways to integrate.
Read More...

NameID element must be present as part of the Subject in the Response message

ShibbolethSAML

August 7, 2018

Created by: Daniel Redfern
NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
Read More...

HOW TO provision AD group membership from OpenIDM

OpenIDMICFAD-connector

June 15, 2018

Created by: Daniel Redfern
For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

ICFIDMOpenIDMOpenICF

November 8, 2017

Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

org.forgerock.script.exception.ScriptCompilationException: missing ; before statement

IDMsync.confforgerockopenidm

November 8, 2017

Created by: Daniel Redfern
org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statemen

OpenIDMsync.confForgeRock

September 17, 2017

Created by: Daniel Redfern
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

Caused by: org.forgerock.json.resource.BadRequestException: Target does not support attribute groups

OpenIDMForgeRockICFConnector

September 17, 2017

Created by: Daniel Redfern
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

OpenIDMForgeRockICFConnectorAD

September 17, 2017

Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_g

OpenIDMIDMGoogleGoogle-AppsICFreconciliation

September 12, 2017

Created by: Daniel Redfern
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...

Tags

11g AD AD connector Adapters ant API Apple OSX AQ Arduino Authentication aws Bi Publisher 11g CAS CISM CISSP Connector Connectors cryptography Deployment Manager Design Console Eclipse Eclipse IDE Enterprise Manager Excel ForgeRock ForgeRock Agents ForgeRock OpenIDM Google Google Apps Google Chrome IAM ICF IDM IDP iReports J2EE JAVA Java 8 JAX-WS JDBC JDeveloper JDeveloper 11g JDeveloper 12c JMS JNDI JSP Just For Fun JWT Keystore keystores LDAP ldapsearch Logging MAC MDS metadata O365 OAM OAM 11g OCPJP OCPJP 7 ODI OEG OEL Office 365 OHS OIA OIA 11g OID 11g OIF OIM OIM 10g OIM 11g OIM 11gR2 OIM 11gR2 PS2 OIM11g OIM11GR2 OIM11gR2PS2 OPAM 11g OPatch OpenAM OpenAM 12.x OpenAM 12x OpenAM J2EE Agents OpenDJ OpenICF OpenIDM ORA-Errors Oracle Oracle AQ Oracle Database Oracle Databases Oracle Linux OrientDB PHP PKI Plugin Plugins Powershell PSU Queue Queues RCU Reconciliation RHEL SAML SAML2 SEO Servlet Shibboleth Shibboleth IDP Shibboleth SP smtp SOA Spring Spring Security SQL SQL Developer sync.conf Technical Confessions Tomcat Topics UNIX VirtualBox Virtualization VM VMware Web Services Weblogic Windows WLS WLST

Recent Posts

AWS-PHP integration - Email not sent. SMTP Error: Could not authenticate.

SOLUTION: no headers files (.h) found in softwareserial - Arduino

NameID element must be present as part of the Subject in the Response message

HOW TO provision AD group membership from OpenIDM

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

org.forgerock.script.exception.ScriptCompilationException: missing ; before statement

Monthly Activity

Group by date

2012
April 2012 (5)
June 2012 (3)
July 2012 (4)
August 2012 (20)
September 2012 (12)
October 2012 (14)
November 2012 (26)
December 2012 (7)

2013
January 2013 (4)
February 2013 (14)
March 2013 (50)
April 2013 (3)
May 2013 (2)
July 2013 (17)
August 2013 (20)
September 2013 (5)
October 2013 (3)
November 2013 (5)
December 2013 (1)

2015
January 2015 (6)
February 2015 (12)
March 2015 (21)
April 2015 (5)
May 2015 (2)
June 2015 (6)
July 2015 (2)
August 2015 (12)
September 2015 (1)
October 2015 (12)

2014
January 2014 (1)
February 2014 (8)
March 2014 (12)
April 2014 (4)
May 2014 (20)
June 2014 (14)
July 2014 (4)
August 2014 (21)
October 2014 (7)
November 2014 (11)
December 2014 (10)

2017
February 2017 (1)
May 2017 (3)
June 2017 (3)
August 2017 (1)
September 2017 (4)
November 2017 (2)

2016
February 2016 (3)
March 2016 (1)
April 2016 (1)
May 2016 (5)
October 2016 (1)
November 2016 (2)
December 2016 (2)

2018
June 2018 (1)
August 2018 (1)

2019
February 2019 (1)

2020
February 2020 (1)

Popular Tags:

Technical Confessions

Security Confessions

About

TechnicalConfessions.com
UI built by Daniel Redfern

Born:
23rd April, 2012

Last significant Design Update:
24th December, 2016

Last Blog update:
6th February, 2020