CompTIA Security+
4.8 Attribute-Based Access Control (ABAC) Explained

Key Concepts

Attribute-Based Access Control (ABAC) is a flexible and fine-grained access control method that evaluates access requests based on attributes associated with the user, the resource, and the environment. Key concepts include Attributes, Policies, and Decision Points.

Attributes

Attributes are characteristics or properties that describe entities such as users, resources, and environments. These attributes can include user roles, time of access, location, resource sensitivity, and more. Attributes provide the basis for making access control decisions.

Example: A user's attributes might include their role (e.g., manager, employee), department (e.g., finance, marketing), and clearance level (e.g., high, medium). Resource attributes could include sensitivity level (e.g., confidential, public) and format (e.g., document, spreadsheet).

Policies

Policies are rules that define how access should be granted or denied based on the attributes of users, resources, and environments. Policies are typically expressed in a formal language and can be complex, allowing for fine-grained control over access.

Example: A policy might state that a user with the role of "manager" and clearance level "high" can access "confidential" documents during business hours (9 AM to 5 PM) from the company's headquarters. This policy combines multiple attributes to determine access.

Decision Points

Decision Points are the mechanisms that evaluate access requests against the defined policies. When a user requests access to a resource, the decision point gathers the relevant attributes, applies the policies, and determines whether access should be granted or denied.

Example: When a manager attempts to access a confidential document outside business hours, the decision point evaluates the user's role, clearance level, time of access, and location. Since the access request does not meet the policy criteria, the decision point denies access.
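The manager policy and decision point described above can be sketched as a minimal default-deny evaluator. This is an added example, not code from the course; the attribute names, the "hq" location label, and the function names are assumptions made for illustration.

```python
from datetime import time

# The example policy from the text as (category, attribute, predicate) conditions.
# All conditions must hold. Attribute names and the "hq" label are assumptions.
MANAGER_CONFIDENTIAL = [
    ("subject", "role", lambda v: v == "manager"),
    ("subject", "clearance", lambda v: v == "high"),
    ("resource", "sensitivity", lambda v: v == "confidential"),
    ("environment", "location", lambda v: v == "hq"),
    # 9 AM to 5 PM; treating 5 PM itself as inside the window is an assumption.
    ("environment", "time",
     lambda v: isinstance(v, time) and time(9, 0) <= v <= time(17, 0)),
]


def unmet_conditions(request, policy):
    """Return the names of conditions the request fails; missing attributes fail."""
    unmet = []
    for category, name, predicate in policy:
        value = request.get(category, {}).get(name)
        if value is None or not predicate(value):
            unmet.append(f"{category}.{name}")
    return unmet


def decide(request, policies):
    """Decision point: permit if any policy is fully satisfied, otherwise deny."""
    reasons = []
    for policy in policies:
        unmet = unmet_conditions(request, policy)
        if not unmet:
            return "permit", []
        reasons.extend(unmet)
    return "deny", reasons  # default deny, with reasons for the audit log


def sample_request(role="manager", clock=time(14, 30), location="hq"):
    """Constructed request for illustration; not real data."""
    request = {
        "subject": {"role": role, "clearance": "high"},
        "resource": {"sensitivity": "confidential", "format": "document"},
        "environment": {"time": clock},
    }
    if location is not None:
        request["environment"]["location"] = location
    return request


if __name__ == "__main__":
    for req in (sample_request(), sample_request(clock=time(20, 0)),
                sample_request(location=None)):
        print(decide(req, [MANAGER_CONFIDENTIAL]))
```

A missing or malformed attribute counts as an unmet condition, so a request that omits its location or supplies the time as a string is denied rather than matched by accident.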

Conclusion

Attribute-Based Access Control (ABAC) provides a highly flexible and fine-grained approach to access control by evaluating access requests based on multiple attributes. By defining policies and using decision points, organizations can implement complex and dynamic access control rules that adapt to changing conditions and requirements.