Access Control
Title of test: Access Control
Description: Access Control




The policy definition and enforcement process an organization uses for authorizations granted.

The operating system limits operations on an object - every single object is assigned a label; then rights to those objects are determined by clearance level of the user (role based).

Based on the individual - this is what we normally encounter and control ourselves as the owner of a file, etc.

Role based, and rights are gained implicitly in a hierarchical way (feeds up); Windows Groups is an example of this being used.

Complex relationship between applications being used and the data itself; combines and evaluates many parameters.

Rule applies to the object and rules followed, not based on user; ex: network only available from 2AM-5PM; Chrome can only be used for 2 hours per day, etc.

Passive device, doesn't send out signals but can be read by a reader to gain access.

More intelligent card (includes credit cards) that can actually be read for information; may contain digital certificate, and usually used in conjunction with a PIN (2 factors).

Way to measure how well the biometrics are working; how many times an unauthorized user gained access.

Way to measure how well the biometrics are working; how many times an authorized user was rejected.

Rate at which the FAR and the FRR are equal; we want them to be equal to one another.

Carry around a fob with you or have a software generator on your phone and use it in conjunction with a username or password.

One time passwords - either hash based or time based.

Used as an ID card in government, certificate based ID card; uses 802.1x to authenticate.