User, Group, and Role Management
- Privilege management is the process of restricting a user's ability to interact with the computer system.
- Privilege management can be performed on an individual user basis, on membership in a specific group or groups, or on a function/role basis.
- The key concepts of privilege management are the ability to restrict and control access to information and information systems.
Single Sign-on
- Single sign-on requires a user to authenticate successfully only once; the validated credentials and their associated rights and privileges are then automatically carried forward when the user accesses other systems or applications.
- Though it can be a very efficient method of controlling access, single sign-on can be difficult to implement.
Centralized vs. Decentralized Management
- Privilege management can be performed in a centralized or decentralized mode.
- In a centralized mode, control, along with modifications, updates, and maintenance, is performed from a central entity.
- In a decentralized mode, control is pushed down to a much lower and more distributed level.
Auditing (Privilege, Usage, and Escalation)
- Auditing is the process of tracking things such as logons, logoffs, file access, and process start or stop events.
- Auditing can be performed on a privilege-level, usage, or escalation basis.
- Privilege auditing is the process of checking the rights and privileges assigned to a specific account or group of accounts.
- Usage auditing is the process of recording who did what and when.
- Escalation auditing is the process of looking for an increase in privileges, such as when a "regular" user suddenly gains administrator-level privileges.
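The three audit types above can be combined: a privilege audit snapshots each account's groups, an escalation audit diffs two snapshots for newly gained admin groups, and a usage audit log answers who granted them and when. The following is an added example, not part of the original notes; the snapshots, the usage log format and the privileged group names are all constructed for illustration.

```python
"""Privilege, escalation and usage audit over constructed data (added example)."""

PRIVILEGED = {"Administrators", "Domain Admins"}   # groups that confer admin rights

# Privilege audit inputs (constructed): account -> groups, captured on two successive days.
BASELINE = {
    "alice": {"Users"},
    "bob": {"Users", "Backup Operators"},
    "svc-backup": {"Backup Operators"},
}
CURRENT = {
    "alice": {"Users", "Administrators"},      # regular user now an administrator
    "bob": {"Users"},                           # privilege removed, not an escalation
    "svc-backup": {"Backup Operators"},         # unchanged
    "carol": {"Users", "Domain Admins"},        # new account, created already privileged
}

# Usage audit log (constructed): "timestamp actor action target group"; '-' means not applicable.
USAGE_LOG = """\
2024-05-01T09:12:03 admin-jo LOGON - -
2024-05-01T09:15:41 admin-jo ADD_MEMBER alice Administrators
2024-05-01T11:02:10 alice LOGON - -
2024-05-01T23:48:19 admin-jo CREATE_USER carol -
2024-05-01T23:48:25 admin-jo ADD_MEMBER carol Domain Admins
"""


def find_escalations(baseline, current, privileged=PRIVILEGED):
    """Escalation audit: return {account: privileged groups gained since the baseline}.
    Accounts absent from the baseline are compared against an empty group set, so a
    new account created with admin rights is reported too. Lost privileges are ignored."""
    findings = {}
    for account, groups in current.items():
        gained = (groups - baseline.get(account, set())) & privileged
        if gained:
            findings[account] = gained
    return findings


def explain_escalation(usage_log, account, group):
    """Usage audit: return (timestamp, actor) of the event that added `account` to
    `group`, or None if the log does not record one."""
    for line in usage_log.splitlines():
        # maxsplit keeps the group name whole even when it contains spaces.
        ts, actor, action, target, grp = line.split(maxsplit=4)
        if action == "ADD_MEMBER" and target == account and grp == group:
            return (ts, actor)
    return None
```

Running `find_escalations(BASELINE, CURRENT)` flags alice and carol, and `explain_escalation` then ties each finding to the granting actor and time; an escalation with no matching usage event is the case worth investigating first.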
Handling Access Control (MAC, DAC, and RBAC)
- The three main models of access control are mandatory access control, discretionary access control, and role-based access control.
- Mandatory access control is based on the sensitivity of the information or process itself.
- Discretionary access control uses file permissions and access lists to restrict access based on a user's identity or group membership.
- Role-based access control restricts access based on the user's assigned role or roles.