(2) Identity and Access Management

Question 1

Define an Identity

Answer 1

An Identity is a set of declarations that an individual makes about one entity to another entity (such as to an app, computer, or service provider)

Question 2

What do user accounts require?

Answer 2

User accounts require the skill to identify a specific person and other subjects such as services. These services then grant attributes, rights, memberships to groups, etc.

Question 3

What are some attributes that are associated with an identity?

Answer 3

Some attributes that are associated with an identity would be items such as name, address, title, etc.

Question 4

What overall system is used with the Authentication, Authorization, and Accounting (AAA) framework?

Answer 4

Identities are used with the Authentication, Authorization, and Accounting (AAA) framework.

Question 5

What is privilege management?

Answer 5

Privilege management is the flowing management of Authentication, Authorization, and Accounting (AAA) rights.

Question 6

When it comes to Multi Factor Authentication (MFA), describe what a knowledge factor is

Answer 6

When it comes to Multi Factor Authentication (MFA), a knowledge factor is something you know.

Question 7

When it comes to Multi Factor Authentication (MFA), describe what a possession factor is

Answer 7

When it comes to Multi Factor Authentication (MFA), a knowledge factor is something you have.

Question 8

When it comes to Multi Factor Authentication (MFA), describe what a biometric factor is

Answer 8

When it comes to Multi Factor Authentication (MFA), a biometric factor is something you are.

Question 9

When it comes to Multi Factor Authentication (MFA), describe what a location factor is

Answer 9

When it comes to Multi Factor Authentication (MFA), a biometric factor is somewhere you are.

Question 10

When it comes to Single Sign On (SSO), what is shared authentication?

Answer 10

Shared authentication is where an ID is used for multiple sights while relying on authentication through a single ID provider

Question 11

Name two common SSO technologies

Answer 11

Two common SSO technologies are Lightweight Directory Access Protocol (LDAP) and Central Authentication Service (CAS)

Question 12

What is OpenID?

Answer 12

OpenID is open sourced standard for decentralized authentication. It is used by the likes of Google, Amazon, and Microsoft, who function as ID providers.

Users create the ID with the ID provider and then people use the IDs to log into many different sites.

Question 13

In terms of SSO technologies, what is OAuth?

Answer 13

In terms of SSO tech, OAuth is an open sourced standard used by Google, Microsoft, Facebook, and allows users to share parts of their ID or info while authenticating to the original ID provider.

It uses Access Tokens

Question 13

In terms of SSO technologies, what is OpenID Connect?

Answer 13

OpenID Connect is an authentication layer that uses the OAuth Protocol

Question 14

In terms of SSO technologies, what is Facebook Connect?

Answer 14

Facebook Connect is also known as Login with Facebook, which is a shared authentication system that uses Facebook credentials for authentication

Question 15

Describe the most useful security benefits of Single Sign On (SSO)?

Answer 15

One of SSO’s most useful benefits is the reduction of password reuse, as well as the reduction of password resets and support calls.

Question 16

What types of benefits do shared authentication systems provide?

Answer 16

Shared authentication systems allow users to use credentials without needing to make new accounts every time they visit a site, which cuts down on password tiredness.

Users are normally alerted to the type of data that is shared with the site they are using, such as gender, name, etc.

Question 17

What are some risks of Single Sign On (SSO)?

Answer 17

Some risks of SSO include accessing multiple systems and accounts, so if an attacker accesses the SSO set, then this gives the attacker access to all the sites that the person uses.

Question 18

What is the concept of Federation?

Answer 18

Federation is about combining an ID and its related data parts.

Question 19

What service types or groups like to use federation?

Answer 19

Organizations and cloud services like to use federation

Question 20

When it comes to federated security, describe what an Identity Provider (IDP) is and does

Answer 20

When it comes to federated security, an Identity Provider (IDP) has to provide identity components, make assertions about those ID components, and release information to parties that rely on that info and ID holders.

Question 21

In terms of federated Identities, what does a relying party (RP) or Service Provider (SP) do?

Answer 21

An RP or SP has to provide services to federation members and has to securely treat user and ID provider data.

Question 22

In terms of federated identity security, what must consumers of this service do?

Answer 22

Consumers of federated services have to make decisions about what data points are shared and validate those decisions through ID data point sharing

Question 23

Describe some of the design choices that need to be made when using a Federated Identity system

Answer 23

When using a federated identity system, certain design choices need to be made such as

A. how much assurance of a persons Identity is needed? The more assurrance is needed, the more trust is required between ID providers and and other parties

B. Manual vs Automatic provisioning. Manual may provide more security but may delay access. The opposite is true for automatic provisioning

C. How much user data will be needed to provide authorization and access?

Question 24

What is true of federations that require a higher trust level?

Answer 24

With federations that require a higher trust level, security practices have to be vetted properly between the ID providers and the parties that rely on the service.

Question 25

What must ID providers do when it comes to ID security within federated identities?

Answer 25

ID providers must secure their credential store, and should have a strong handling alert system in case security incidents happen