Authorization Controls

Video Transcription
Authorization controls. The learning objectives for this lesson are to describe the different types of access control methods, to evaluate authentication protocols, and to describe identity proofing mechanisms.

Let's get started. The first type of access control method we will discuss is discretionary access control, or DAC. With DAC, the resource owner determines who has access to everything. DAC is very flexible and it's used by default in Unix/Linux and Windows systems. It's the weakest model because it requires centralized administration and this is difficult to enforce. It's also vulnerable to insider threats and compromised account abuse.
The next method is mandatory access control, or MAC. MAC is very different. It's based on security clearance levels. Labels are applied to objects and subjects, and each of these is granted a clearance level. Labeling is performed using pre-established rules. These rules cannot be changed by subject accounts. MAC is also considered to be non-discretionary. When you see a question on the test and it mentions labels, it's MAC. Also, a key point again is that it's non-discretionary. A quick breakdown of how this would work is that all data and users would be given specific labels, and then those labels have their own rules as to what they're allowed to access with those labels. Everything is built on this system. It's cumbersome to set up, but it's very secure because it enforces, hence the mandatory, access on the data based on those labels.
Next, we have role-based access control, or RBAC. This adds an additional element to DAC based on the subject's roles. Users can gain rights based on their roles. For example, in a corporation, the HR department may have additional access to data, so all users that are in that HR department role would have access to it.

We also have attribute-based access control, or ABAC. This is a more fine-grained approach, as it utilizes a combination of any attributes. It also uses the eXtensible Access Control Markup Language, XACML. If you see a question talking about XACML, then you know that it's attribute-based access control, ABAC.

Finally, we have rule-based access control. This is where we have policies that are determined by system-enforced rules rather than by system users.
Authentication protocols. First, we have single sign-on, or SSO. This allows a user to authenticate once to a local server and then be authenticated to other servers without having to enter their credentials again.

Then we have Remote Authentication Dial-In User Service, or RADIUS. This uses the UDP protocol and it authenticates with a shared secret.

Next, we have Diameter. This is considered an improved version of RADIUS. It's TCP based and it requires IPSec and TLS for the confidentiality of the data. It gets its name, Diameter, because it's considered to be twice as good as RADIUS.

We also have Terminal Access Controller Access-Control System Plus, or TACACS+. This is a Cisco-developed protocol. It runs on TCP, port 49. The data is encrypted and all AAA functions are discrete.

Next, we have Lightweight Directory Access Protocol, or LDAP. This is a directory service protocol that runs over TCP/IP. The LDAP service uses a directory database to determine who can and cannot access data, or in some cases, whether you're allowed to authenticate to a network.

Finally, we have Secure LDAP, or LDAPS. This is simply LDAP that runs over SSL or TLS.
Next, we have the granddaddy of them all, Kerberos. This is a single sign-on network authentication protocol. It's used in Active Directory. First, a client requests services from a server. Clients and servers both rely on the Key Distribution Center, or KDC, for authentication. The KDC has two parts. The first is the Authentication Service and the second is the Ticket Granting Service. The KDC will issue what is known as a ticket granting ticket for authentication. The KDC runs on port 88, TCP or UDP.

Here's a simplified breakdown of Kerberos in action. First, the client asks for authentication from the Kerberos Key Distribution Center, or KDC. This is composed of the Authentication Server and the Ticket Granting Server; the client is asking for the Ticket Granting Ticket. Authorization is given and the TGT is then passed to the client. The client uses the TGT, the Ticket Granting Ticket, to access the server. That is what establishes authentication, and then the server allows access.

Next, we have Open Authorization, or OAuth. This is often used for authentication and authorization for a RESTful API. A user account is hosted by one or more resource servers. Authorization requests are processed by authorization servers. It uses the JavaScript Object Notation, or JSON, Web Token, JWT, format. It can be passed in URLs and HTTP headers and can be digitally signed to ensure authentication and integrity.
Extensible Authentication Protocol, or EAP. This provides a framework for deploying different authentication protocols and systems. It mostly uses digital certificates rather than passwords to help establish the trust.

802.1X uses EAP for wireless Ethernet or VPN gateways to provide authentication. It has three parts. The first is the supplicant. This is the device requesting access. Then we have the network access server, or NAS. Don't confuse this with network attached storage. This is edge equipment such as switches or access points. Then finally, we have the Authentication, Authorization and Accounting, or AAA, server. This is the server that authenticates the requests.
Identity proofing mechanisms. Identity proofing is verifying that a user's various characteristics and credentials are accurate and unique to that individual.

Multi-factor authentication uses one or more of the following: something you know, which is usually a password; something you have, a token or similar device; something you are, biometrics. We're all familiar with multi-factor authentication in one form or another. Oftentimes when you're accessing your online bank accounts, you may receive a text. This would be something you have, something that is sent to you. That is an example of two-factor authentication. Multi-factor is adding in even more than that. You can add in a password to authenticate, and then you must use a second password, say, using OAuth or Google Authenticator, and maybe sometimes you have to use a thumbprint. This is something you are. You can use a combination of these things to help uniquely identify a person and ensure that you're letting the right person in.
We can also use two-step verification, like I mentioned with the SMS before. These are out-of-band mechanisms that generate a token on the server side, and then that's sent to a user: like I mentioned earlier, SMS messages, phone calls, push notifications, or email.

HMAC-Based One-Time Password, also known as HOTP, is an algorithm for token-based authentication. The client and server both share the same shared secret. It's stored as an eight-byte value that is generated by a random number generator.

Next we have the Time-Based One-Time Password, or TOTP. This is a refined version of HMAC, adding in a value taken from the timestamp of both the client and the server. This gives each token a short usage time, 30-60 seconds. A good example of this is Google Authenticator.
Identity proofing mechanisms: Hardware Root of Trust, RoT. This is a trust anchor, a secure subsystem that can provide attestation. It's established using a Trusted Platform Module, or TPM, which is a hardware module to store encryption keys or other forms of identification. TPMs are usually built into the motherboard of a computer.

We also have the JavaScript Object Notation, JSON, Web Token, JWT. This is a subset of JavaScript used in the REST style of web app architecture. JSON Web Tokens are a method to transfer claims between two parties. JWTs have a header, a payload, and a signature, separated by dots and expressed in Base64.
Let's summarize. We discussed the different types of access control methods. We presented the types of authentication protocols, and we went over the different types of identity proofing.

Let's do some example questions.

Question 1: Which type of access control is used for security clearance levels and utilizes labels? Mandatory access control, or MAC.

Question 2: This authorization protocol improves upon RADIUS by adding a failover mechanism and requiring IPSec and TLS. Diameter. Remember, Diameter is considered to be twice as good as RADIUS.

Question 3: Which type of token has a built-in expiration for each token to prevent future attacks? Time-based one-time password, or TOTP, because they're only useful for that 30-60 second block.

Finally, Question 4: Which access control model is the most flexible and is used by default in Unix/Linux and Windows systems? Discretionary access control, or DAC.

I hope that lesson was useful for you, and I'll see you in the next one.