
CISSP Exam Guide Notes: 5.12 Quick Tips

血狼debugeeker
Published 2021-03-23 11:06:46
  • Access is a flow of information between a subject and an object.
  • A subject is an active entity that requests access to an object, which is a passive entity.
  • A subject can be a user, program, or process.
  • Some security mechanisms that provide confidentiality are encryption, logical and physical access control, transmission protocols, database views, and controlled traffic flow.
  • Identity management (IdM) solutions include directories, web access management, password management, legacy single sign-on, account management, and profile update.
  • Password synchronization reduces the complexity of keeping up with different passwords for different systems.
  • Self-service password reset reduces help-desk call volumes by allowing users to reset their own passwords.
  • Assisted password reset shortens the resolution process for password issues for the help-desk department.
  • IdM directories contain all resource information, users’ attributes, authorization profiles, roles, and possibly access control policies so other IdM applications have one centralized resource from which to gather this information.
  • An automated workflow component is common in account management products that provide IdM solutions.
  • User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications.
  • User access reviews ensure there are no active accounts that are no longer needed.
  • The HR database is usually considered the authoritative source for user identities because that is where each user’s identity is first developed and properly maintained.
  • There are five main access control models: discretionary, mandatory, role based, rule based, and attribute based.
  • Discretionary access control (DAC) enables data owners to dictate what subjects have access to the files and resources they own.
  • The mandatory access control (MAC) model uses a security label system. Users have clearances, and resources have security labels that contain data classifications. MAC systems compare these two attributes to determine access control capabilities.
  • Role-based access control (RBAC) is based on the user’s role and responsibilities (tasks) within the company.
  • Rule-based RBAC (RB-RBAC) builds on RBAC by adding Boolean logic in the form of rules or policies that further restrict access.
  • Attribute-based access control (ABAC) is based on attributes of any component of the system. It is the most granular of the access control models.
  • Three main types of constrained user interface measurements exist: menus and shells, database views, and physically constrained interfaces.
  • Access control lists are bound to objects and indicate what subjects can use them.
  • A capability table is bound to a subject and lists what objects it can access.
  • Some examples of remote access control technologies are RADIUS, TACACS+, and Diameter.
Originally published: 2021/03/05
