3.7 Given a Scenario, Implement Identity and Account Management Controls Flashcards
Identity
Identity and access management includes many important concepts that are tested on the CompTIA Security+ exam. Users claim an identity with a username and prove their identity by authenticating (such as with a password). They are then granted access to resources based on their proven identity.
Identity providers (IdP)
An identity provider (IdP) is a service that stores and manages digital identities. Companies use these services to allow their employees or users to connect with the resources they need. They provide a way to manage access, adding or removing privileges, while security remains tight.
Attributes
Authentication attributes help identify a user or a device based on characteristics or traits. These are rarely used on their own but instead are used with one or more authentication factors.
Certificates
Certificates are digital files that support cryptography for increased security. The embedded certificate allows the use of a complex encryption key and provides much more secure authentication than is possible with a simple password. Additionally, the certificate can be used with digital signatures and data encryption.
Tokens
A token key (sometimes called a key fob or just a token) is an electronic device about the size of a remote key for a car. You can easily carry token keys in a pocket or purse or connect them to a key chain. They include a liquid crystal display (LCD) that displays a number, and this number changes periodically, such as every 60 seconds. They are sometimes called hardware tokens to differentiate them from logical or software tokens.
SSH keys
An SSH key is a secure access credential used in the Secure Shell (SSH) protocol. SSH keys use key pairs based on public key infrastructure (PKI) technology, the gold standard for digital identity authentication and encryption, to provide a secure and scalable method of authentication.
Smart cards
Smart cards are credit card-sized cards that have an embedded microchip and a certificate. Users insert the smart card into a smart card reader, similar to how someone would insert a credit card into a credit card reader. The smart card reader reads the card’s information, including the details from the certificate, which provides certificate-based authentication.
Account types
Credential policies define login policies for different personnel, devices, and accounts. This includes items in the something-you-know factor (such as passwords) or any other factor or combination of factors. It’s common for an organization to apply credential policies differently to different types of accounts.
User account
Most accounts are for regular users, the personnel working in the organization. Administrators create these accounts and then assign appropriate privileges based on the user’s job responsibilities. It’s common to assign a basic credential policy that applies to all personnel. This could be a password policy defining things like the minimum password length, password history, and account lockout policies.
Shared and generic
An organization can create a regular user account that temporary workers will share. Shared accounts are discouraged for normal work. However, if a temp agency is sending someone different every day, a shared account may provide a better solution than a guest account because access can be tailored for the shared account. Basic credential policies apply to shared and generic accounts.
Guest accounts
Windows operating systems include a Guest account. These are useful if you want to grant someone limited access to a computer or network without creating a new account. For example, imagine an organization contracts with a temp agency to have someone do data entry. The agency may send a different person every day. Enabling the Guest account for this person would be simpler than creating a new account every day. Administrators commonly disable the Guest account and only enable it in special situations.
Service accounts
Some applications and services need to run under the context of an account, and a service account fills this need. As an example, SQL Server is a database application that runs on a server, and it needs access to resources on the server and the network.
Password Complexity
One method used to make passwords more secure is to require them to be complex and strong. A strong password is of sufficient length, doesn’t include words found in a dictionary or any part of a user’s name, and combines at least three of the four following character types: uppercase characters (26 letters A–Z), lowercase characters (26 letters a–z), numbers (10 digits 0–9), and special characters (such as !, $, and *).
Password history
A password history system remembers past passwords and prevents users from reusing them. It’s common for password policy settings to remember the last 24 passwords and prevent users from reusing them until they’ve used 24 new passwords.
When using password history, it’s common to use the minimum password age setting. Imagine this is set to 1 day, and the password history is set to 24. After users change their password, they can’t change it again until a day has passed. It’ll take them 24 days of changing their password every day before they can reuse the original password.
Password reuse
Many users would prefer to use the same password forever simply because it’s easier to remember. Even when technical password policies force users to change their passwords, many users simply change them back to the original password. Unfortunately, this significantly weakens password security.