CompTIA Security+ Exam Notes


Thursday, January 30, 2025

The Critical Role of Zero Trust Policy Engines in Modern Cybersecurity

 Zero Trust Policy Engine

A "Zero Trust policy engine" is the core decision-making component within a Zero Trust security architecture. It evaluates user, device, and application attributes in real time to determine whether to grant or deny access to specific resources based on pre-defined security policies. It operates on the principle of "never trust, always verify": trust levels are continuously assessed before access to any system or data is granted, even if the user is already inside the network perimeter. The engine acts as the central control point for enforcing Zero Trust policies across the entire environment, dynamically adjusting access based on the current security context.

Key points about a Zero Trust policy engine:
  • Continuous verification: Unlike traditional security models, the Zero Trust policy engine constantly re-evaluates trust levels based on real-time data such as user location, device health, application behavior, and network conditions, rather than relying solely on initial authentication. 
  • Attribute-based access control (ABAC): The engine makes access decisions based on attributes associated with users, devices, and applications. This allows for granular control based on specific criteria, such as time of day, data sensitivity, or network location. 
  • Least privilege: The policy engine grants only the minimum level of access needed to perform a task, preventing unnecessary permissions and potential lateral movement within the network.
  • Policy enforcement points (PEPs): The engine communicates with PEPs deployed across the network infrastructure to enforce the access control decisions based on the policies. 
  • Dynamic policy updates: Administrators can quickly modify access rules within the policy engine to adapt to changing security requirements or business needs. 
How a Zero Trust policy engine works:

1. Access request: When a user attempts to access a resource, the system sends an access request to the policy engine, including details like user identity, device information, and the requested resource. 

2. Attribute evaluation: The policy engine analyzes the provided attributes against the defined Zero Trust policies, checking for factors like user authentication status, device compliance, network location, and data sensitivity. 

3. Decision-making: Based on the evaluation, the policy engine determines whether to grant or deny access to the requested resource.

4. Feedback loop: The engine may also continuously monitor user activity during the session, providing real-time feedback to re-evaluate trust levels and adjust access rights if needed. 
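The four steps above as a small attribute-based decision function, added here as an illustration and not taken from any product. The policy table, attribute names, and the `decide` and `reevaluate_session` functions are assumptions made for this example; the default is deny, and the feedback loop re-runs the decision whenever a monitored attribute changes during the session.

```python
from dataclasses import dataclass, replace
from datetime import time

@dataclass(frozen=True)
class AccessRequest:             # step 1: what the system sends to the policy engine
    user: str
    authenticated: bool          # user authentication status
    device_patched: bool         # device compliance: up-to-date patches
    antimalware_current: bool    # device compliance: up-to-date antimalware
    location: str                # network location
    local_time: time             # time of day
    resource: str
    sensitivity: str             # data sensitivity label of the resource

# Constructed policy for the example: every condition for a label must hold.
POLICY = {
    "public":     {"locations": {"office", "remote"}, "hours": (time(0, 0), time(23, 59)), "compliant": False},
    "restricted": {"locations": {"office"}, "hours": (time(8, 0), time(18, 0)), "compliant": True},
}

def decide(req):
    """Steps 2 and 3: evaluate attributes against policy, return (allow, reason)."""
    rule = POLICY.get(req.sensitivity)
    if rule is None:
        return False, "no policy for sensitivity label"   # default deny
    if not req.authenticated:
        return False, "user not authenticated"
    if rule["compliant"] and not (req.device_patched and req.antimalware_current):
        return False, "device not compliant"
    if req.location not in rule["locations"]:
        return False, "location not permitted"
    start, end = rule["hours"]
    if not (start <= req.local_time <= end):
        return False, "outside permitted hours"
    return True, "all attributes satisfy policy"

def reevaluate_session(req, updates):
    """Step 4: re-run the decision each time monitored attributes change."""
    decisions = [decide(req)]
    for change in updates:
        req = replace(req, **change)
        decisions.append(decide(req))
    return decisions

if __name__ == "__main__":
    r = AccessRequest("alice", True, True, True, "office", time(10, 0), "payroll-db", "restricted")
    for allowed, reason in reevaluate_session(r, [{"antimalware_current": False}]):
        print("ALLOW" if allowed else "DENY", "-", reason)
```

In a deployment, the result of `decide` would be handed to a policy enforcement point, which is the component that actually permits or blocks the connection.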

Benefits of a Zero Trust policy engine:
  • Enhanced security: Zero Trust significantly reduces the risk of unauthorized access and data breaches by eliminating implicit trust and constantly verifying access. 
  • Improved visibility: The engine provides detailed insights into user activity and access patterns, enabling better threat detection and response. 
  • Flexibility and adaptability: Zero Trust policies can quickly adjust to accommodate changing business needs and evolving threat landscapes.
This is covered in CompTIA Network+ and Security+.

Sunday, May 5, 2024

Access Control Methods

 ABAC, DAC, MAC, Role-BAC, Rule-BAC

ABAC (Attribute-Based Access Control)
The most fine-grained access control.
Access is based on a combination of subject and object attributes:
  • Operating system
  • IP address
  • Up-to-date patches
  • Up-to-date antimalware
  • Employee's identity
  • Time of day
  • Location
  • Type of device
DAC (Discretionary Access Control)
  • Based on the owner of the file or folder
  • The owner decides who gets access and the type of access
  • Windows, Linux, and UNIX use a DAC method
MAC (Mandatory Access Control)
  • Each object is assigned a classification label
  • Each subject is assigned a clearance level (such as Confidential, Secret, or Top Secret)
  • A subject with the label "Secret" would be unable to access "Top Secret" data as it would be above its clearance level.
  • Also based on "need to know": in other words, a subject will not have access to everything at its clearance level.
RBAC (Role-Based Access Control)
  • Based on your job function (role)
  • Group-based security
  • Group examples: Accounting, HR, IT, Sales, etc.
RBAC (Rule-Based Access Control)
  • System enforced rules
  • Some rule triggers the access control
  • Time of day 
  • Conditional access is a form of rule-based access control
  • UAC (User Account Control, Windows) and sudo (Linux) are examples of conditional access

Friday, January 18, 2019

C - I - A: Confidentiality - Integrity - Availability


CIA 

Confidentiality: Making certain information (data) is only viewable by certain people.

1. Encryption is the main method for confidentiality, whether it is file encryption, full disk encryption, or full device encryption for mobile devices. The user needing to read the information would first need a decryption key to decipher the encryption.

2. ACLs (Access Control Lists) are another method of providing confidentiality. This is not as secure as using encryption. There are different access control methods, such as MAC (Mandatory Access Control), DAC (Discretionary Access Control), Role-BAC (Role-Based Access Control), Rule-BAC (Rule-Based Access Control), and ABAC (Attribute-Based Access Control). These methods and examples will be discussed in a different post.

3. Steganography: With this method, you could hide a document inside another document, a photo, a video file, or an audio file. The carrier (the file used as the hiding method) has to be larger than the file you are trying to hide. The carrier looks the same; in the case of an audio or video file, it still plays.

Steganography is "Security through Obscurity"

Steganography can be used in some cases to bypass security controls such as DLP (Data Loss Prevention) systems. One way to detect this activity would be to employ file integrity monitoring. That way you would have the original hash and any modification to the file would produce a different hash. 

For the "Use Case" of confidentiality, encryption is used.

Integrity: Making sure that the data has not been altered, changed, corrupted, or modified by intentional or accidental means. 

Verifying integrity is provided through hashing. Hashing is a one-way function that produces a fixed-length output that cannot be reversed to produce the original input.
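A minimal file integrity monitoring check for the two points above (a stored original hash exposes any later modification, and the hash output has a fixed length), added here as an example and not part of the original post. The file names and contents are constructed, and files are held in memory as bytes so the example runs offline.

```python
import hashlib

def sha256_hex(data):
    """Fixed-length, one-way digest: always 64 hex characters for SHA-256."""
    return hashlib.sha256(data).hexdigest()

def build_baseline(files):
    """Record the original hash of every monitored file (name -> digest)."""
    return {name: sha256_hex(content) for name, content in files.items()}

def compare(baseline, current_files):
    """Re-hash the current files and report differences from the baseline."""
    current = build_baseline(current_files)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "removed":  sorted(n for n in baseline if n not in current),
        "added":    sorted(n for n in current if n not in baseline),
    }

# Constructed sample data standing in for monitored files.
ORIGINAL = {
    "logo.bmp":   bytes(range(256)) * 4,
    "report.txt": b"Q3 summary\n",
}

def one_bit_change(data, offset):
    """Return a copy with a single bit changed; size and appearance stay the same."""
    altered = bytearray(data)
    altered[offset] ^= 0x01
    return bytes(altered)

def demo():
    baseline = build_baseline(ORIGINAL)
    later = dict(ORIGINAL)
    later["logo.bmp"] = one_bit_change(ORIGINAL["logo.bmp"], 100)  # same length as original
    later["notes.txt"] = b"new file\n"
    del later["report.txt"]
    return compare(baseline, later)

if __name__ == "__main__":
    print(demo())
```

The altered `logo.bmp` has the same size as the original, so a size or timestamp check alone would miss it; only the hash comparison reports it.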

For the use case of integrity, hashing is used.

Availability: This means that the information/data is accessible when it is needed, whether to modify or view it.

Many things provide availability such as Load Balancing, Fault Tolerance, Alternate Sites (Hot, Warm, Cold, Mobile), Alternate Power (Generator, UPS), Backups, Patching, RAID, and HVAC.