3.7 Identity and Account Management Controls Flashcards
• Who are you?
– A service needs to vouch for you
– Authentication as a Service
• A list of entities
– Users and devices
• Commonly used by SSO applications or an authentication process
– Cloud-based services need to know who you are
• Uses standard federation protocols
– SAML, OAuth, OpenID Connect, etc.
Identity provider (IdP)
• An identifier or property of an entity
– Provides identification
• Personal attributes
– Name, email address, phone number, employee ID
• Other attributes
– Department name, job title, mail stop
• One or more attributes can be used for identification
– Combine them for more detail
Attributes
• Digital certificate - Assigned to a person or device
• Binds the identity of the certificate owner to a public key
– The matching private key stays with the owner and is never inside the certificate
– Encrypt data, create digital signatures
• Requires an existing public-key infrastructure (PKI)
– The Certificate Authority (CA) is the trusted entity
– The CA digitally signs the certificates
Certificates
• Smart card
– Integrates with devices - may require a PIN
• USB token - Certificate is on the USB device
Tokens and cards
• Secure Shell (SSH) - Secure terminal communication
• Authenticate with a key pair instead of a password
– Public/private keys - The private key never leaves the client
– Critical for automation
• Key management is critical
– Centralize, control, and audit key use
– Plain SSH keys never expire, so unmanaged keys outlive the people and jobs that created them
• SSH key managers - Open source, commercial
SSH keys
• Create a public/private key pair
– ssh-keygen (prefer -t ed25519 and protect the private key with a passphrase)
• Copy the public key to the SSH server
– ssh-copy-id user@host (appends it to ~/.ssh/authorized_keys on the server)
• Try it out
– ssh user@host
– No password prompt!
• Then disable password logins on the server, or the key adds nothing
– PasswordAuthentication no in sshd_config
SSH key-based authentication
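The server-side half of the procedure on the card, as an added example (not code from the card or from OpenSSH): install_pubkey does what ssh-copy-id does on the remote host, and set_sshd_option applies the lockdown that makes key authentication meaningful. The function names, the placeholder key, and the scratch directory layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the card): what ssh-copy-id does on the server, plus
# the sshd_config change that turns "no password prompt" into "no password
# accepted". Function names and the placeholder key are assumptions.
set -eu

# install_pubkey PUBKEY_LINE HOME_DIR
# Appends one public-key line to HOME_DIR/.ssh/authorized_keys exactly once and
# sets the permissions sshd's StrictModes requires (0700 dir, 0600 file).
install_pubkey() {
    key="$1"; home="$2"; ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$ak"
    chmod 600 "$ak"
    # -F literal, -x whole line: the same key is never added twice
    if ! grep -qFx "$key" "$ak"; then
        printf '%s\n' "$key" >> "$ak"
    fi
}

# count_keys HOME_DIR: number of authorized key lines (0 if the file is missing)
count_keys() {
    ak="$1/.ssh/authorized_keys"
    [ -f "$ak" ] || { echo 0; return; }
    grep -c '^ssh-' "$ak" || true
}

# set_sshd_option FILE OPTION VALUE
# Replaces any global setting of OPTION, active or commented out, with ours.
# The new line goes first because sshd uses the first value it sees, and
# everything from the first Match line onward is left alone: a directive
# appended at the end would land inside that Match block and apply only there.
set_sshd_option() {
    file="$1"; opt="$2"; val="$3"; tmp="$file.tmp"
    printf '%s %s\n' "$opt" "$val" > "$tmp"
    awk -v opt="$opt" '
        $1 == "Match" { inmatch = 1 }
        inmatch { print; next }
        { line = $0; sub(/^[[:space:]]*#?[[:space:]]*/, "", line) }
        line ~ ("^" opt "[[:space:]]") { next }
        { print }
    ' "$file" >> "$tmp"
    mv "$tmp" "$file"
}

# sshd_option FILE OPTION: first effective value of OPTION (sshd keywords are
# case-insensitive; this lookup assumes the canonical spelling)
sshd_option() {
    awk -v opt="$2" '$1 == opt { print $2; exit }' "$1"
}

# Demo in a scratch directory: no real authorized_keys or sshd_config is touched.
demo=$(mktemp -d)
if command -v ssh-keygen >/dev/null 2>&1; then
    # Step 1 of the card. Use a passphrase interactively in practice; -N '' here
    # only because the demo runs unattended.
    ssh-keygen -q -t ed25519 -N '' -C 'demo@client' -f "$demo/id_ed25519"
    pub=$(cat "$demo/id_ed25519.pub")
else
    # Constructed placeholder, not a real key
    pub='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderConstructedForThisDemoOnly demo@client'
fi
install_pubkey "$pub" "$demo/home"   # what ssh-copy-id does on the server
install_pubkey "$pub" "$demo/home"   # idempotent: still one key
printf 'authorized keys: %s\n' "$(count_keys "$demo/home")"

printf '#PasswordAuthentication yes\nPermitRootLogin yes\n' > "$demo/sshd_config"
set_sshd_option "$demo/sshd_config" PasswordAuthentication no
set_sshd_option "$demo/sshd_config" PermitRootLogin prohibit-password
set_sshd_option "$demo/sshd_config" PubkeyAuthentication yes
cat "$demo/sshd_config"
rm -rf "$demo"
```

On a real server, run set_sshd_option against /etc/ssh/sshd_config only after the key login has been tested from a second session, then reload sshd; locking out password logins before the key works is the classic way to lose access to a remote host.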
• An account on a computer associated with a specific person
– The computer associates the user with a specific identification number (a UID on Linux, a SID on Windows)
• Storage and files can be private to that user
– Even if another person is using the same computer
• No privileged access to the operating system
– Specifically not allowed on a user account
• This is the account type most people will use
– Your user community
User accounts
• Shared account
– Used by more than one person
– Guest login, anonymous login
• Very difficult to create an audit trail
– No way to know exactly who was working
– Difficult to determine the proper privileges
• Password management becomes difficult
– Password changes require notifying everyone
– Difficult to remember so many password changes
– Just write it down on this yellow sticky paper
• Best practice: Don’t use these accounts
Shared and generic accounts
• Access to a computer for guests
– No access to change settings, modify applications, view other users' files, and more
– Usually no password
• This brings significant security challenges
– Any local foothold is one step closer to privilege escalation
• Must be controlled
– Not the default - Removed from Windows 10 build 10159
Guest accounts
• Used exclusively by services running on a computer
– No interactive/user access (ideally) - give it a nologin shell or deny interactive logon
– Web server, database server, etc.
• Access can be defined for a specific service
– Web server rights and permissions will be different than a database server's
• Commonly use usernames and passwords
– You'll need to determine the best policy for password updates
– Prefer managed service accounts or keys so that no person ever knows the password
Service accounts
• Elevated access to one or more systems
– Administrator, root
• Complete access to the system
– Often used to manage hardware, drivers, and software installation
• This account should not be used for normal administration
– User accounts should be used, with elevation only when needed
• Needs to be highly secured
– Strong passwords, 2FA
– Scheduled password changes
Privileged accounts
• Control access to an account
– It's more than just username and password
– Determine what policies are best for an organization
• The authentication process
– Password policies, authentication factor policies, other considerations
• Permissions after login - Another line of defense
Account policies
• Is everything following the policy?
– You have to police yourself
• It’s amazing how quickly things can change
– Make sure the routine is scheduled
• Certain actions can be automatically identified
– Consider a tool for log analysis
Perform routine audits
• Permission auditing
– Does everyone have the correct permissions?
– Some Administrators don’t need to be there
– Scheduled recertification
• Usage auditing - How are your resources used?
– Are your systems and applications secure?
Auditing
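A few of the checks a scheduled permission audit runs, covering the service account, privileged account, and auditing cards above, as an added example (not code from the cards): service accounts that can be logged into interactively, extra UID 0 accounts, and usernames that share one UID. The passwd file is constructed for the demo, and the function names and the 1000 system/user UID boundary (login.defs UID_MIN on most Linux distributions, but not everywhere) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the cards): account-audit checks over /etc/passwd.
# The passwd content below is constructed; the function names and the UID_MIN
# of 1000 are assumptions.
set -eu

# interactive_service_accounts PASSWD_FILE [UID_MIN]
# System accounts (0 < uid < UID_MIN) whose shell is not a nologin shell.
# A service account with a real shell is a login target it should not be.
interactive_service_accounts() {
    awk -F: -v max="${2:-1000}" '
        $3 > 0 && $3 < max && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$1"
}

# extra_uid0_accounts PASSWD_FILE
# Any account besides root with UID 0 is an undocumented privileged account.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# shared_uid_accounts PASSWD_FILE
# Two usernames mapped to one UID are a shared identity: the audit trail
# records the UID, not which person acted. Output: uid:name1,name2
shared_uid_accounts() {
    awk -F: '{ n[$3]++; who[$3] = who[$3] (n[$3] > 1 ? "," : "") $1 }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1" | sort
}

# Constructed sample with two planted findings (toor, postgres).
passwd=$(mktemp)
cat > "$passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
postgres:x:110:115:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
EOF
echo "service accounts with a login shell: $(interactive_service_accounts "$passwd")"
echo "extra UID 0 accounts: $(extra_uid0_accounts "$passwd")"
echo "shared UIDs: $(shared_uid_accounts "$passwd")"
rm -f "$passwd"
# On a real host: interactive_service_accounts /etc/passwd, and so on,
# from a scheduled job whose output someone is assigned to read.
```

Each finding is a question for recertification, not an automatic fix: postgres with a shell may be a documented exception, but it should be documented, and a second UID 0 account almost never is.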
• Make your password strong - Resist brute-force attacks
• Increase password entropy
– No single words, no obvious passwords
• What's the name of your dog?
– Mix upper and lower case and use special characters
• Don't replace an o with a 0 or a t with a 7 - cracking wordlists already apply those substitutions
• Stronger passwords are at least 8 characters, and length adds more strength than character rules
– Consider a phrase or set of words
• Prevent password reuse
– System remembers password history, requires unique passwords
Password complexity and length
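Why "P@ssw0rd" is weak even though it mixes all four character classes, as an added example (not code from the card): entropy_bits is the usual charset-size-to-the-length estimate, and normalize undoes the substitutions the card warns about so a wordlist check sees the word underneath. The wordlist is constructed, real checks use a cracking dictionary, and the function names and the card's 8-character minimum are this example's choices.

```shell
#!/bin/sh
# Added example (not from the card): a character-class entropy estimate next to
# the dictionary check that shows why substitutions do not help. The wordlist
# is constructed; function names are assumptions.
set -eu

# entropy_bits PASSWORD: floor(length * log2(charset size)), where the charset
# is the union of the character classes actually used. This is an upper bound
# that knows nothing about dictionary words.
entropy_bits() {
    printf '%s' "$1" | awk '{
        n = length($0); cs = 0
        if ($0 ~ /[a-z]/) cs += 26
        if ($0 ~ /[A-Z]/) cs += 26
        if ($0 ~ /[0-9]/) cs += 10
        if ($0 ~ /[^A-Za-z0-9]/) cs += 33
        printf "%d\n", int(n * log(cs) / log(2))
    }'
}

# normalize PASSWORD: lower-case and reverse the common leetspeak substitutions
# (0->o, 1->l, 3->e, 4->a, 7->t, @->a, $->s, 5->s, !->i)
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '01347@$5!' 'oleatassi'
}

# password_ok PASSWORD WORDLIST_FILE
# Prints the verdict; returns 0 if acceptable, 1 otherwise.
password_ok() {
    pw="$1"; wl="$2"
    if [ "${#pw}" -lt 8 ]; then
        echo "rejected: shorter than 8 characters"; return 1
    fi
    # Strip the trailing digits/punctuation people bolt on, then de-substitute,
    # the same order a cracking rule set would try.
    base=$(printf '%s' "$pw" | sed 's/[0-9[:punct:]]*$//')
    base=$(normalize "$base")
    # whole-line literal match against the wordlist
    if grep -qFx "$base" "$wl"; then
        echo "rejected: '$pw' is the dictionary word '$base' with substitutions"; return 1
    fi
    echo "ok: about $(entropy_bits "$pw") bits"
}

# Constructed five-word list; a real check uses a cracking dictionary.
wl=$(mktemp)
printf '%s\n' password letmein welcome qwerty dragon > "$wl"
for pw in 'P@ssw0rd' 'Welc0me!' 'correct horse battery staple'; do
    printf '%-30s ' "$pw"
    password_ok "$pw" "$wl" || true
done
rm -f "$wl"
```

The estimate credits "P@ssw0rd" with about 52 bits because it uses every character class, yet the check rejects it because the word underneath is on the list; the four-word phrase uses only lower-case letters and spaces but scores over 160 bits and is not a single dictionary entry.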