4.4 Flashcards
federated single sign-on (SSO)
also known as Federated identity management, refers to the formation of a trusted relationship between separate entities and
third parties, such as cloud/application vendors or
partners, enabling them to share identities and authenticate users across domains and realms
SSO allows a user to:
access multiple applications
using a single set of credentials
LDAP servers are:
easy to install, maintain, and
optimize, but they are without solid security of the
queries, updates, and valuable information in the
LDAP directory
Lightweight Directory access protocol (LDAP)
Lighter, cross platform, and standard base solution 
security assertion markup language (SAML)
an XML-based open-source SSO standard
A key advantage of SAML
open-source
interoperability
Open authorization (OAuth)
an open authorization framework that allows a third-party application to get limited access
to an HTTP service
Developers use OAuth to
publish and interact with
protected data in a safe and secure manner
Service provider developers can use OAuth to
store protected data and give users secure delegated
access
mandatory access control (MAC)
an access control policy that is uniformly
enforced across all subjects and objects within the
boundary of an information system.
(MAC)
A subject that has
been granted access to information is constrained from
doing any of the following:
- Passing the information to unauthorized subjects or objects
- Granting its privileges to other subjects
- Changing one or more security attributes on subjects,
objects, the information system, or system components - Choosing the security attributes to be associated with
newly-created or modified objects - Changing the rules governing access control”
A mandatory access control model uses
a strict set of established sensitivity levels and access controls
for integrity and confidentiality based on classifications
Discretionary access control (DAC)
DAC models involve control and management by the
owner/creator of the object
DAC leaves a certain amount of access control to the
discretion of the object’s owner – or anyone else
who is authorized to control the object’s access
The DAC policy is enforced over all entities so that a subject being granted access can:
- Pass the information to other subjects or objects
- Grant its privileges to other subjects
- Change security attributes on subjects, objects,
information systems, or system components - Choose the security attributes to be associated with
newly-created or revised objects; or - Change the rules governing access control
Multi-factor authentication (MFA)
typically involves adding
an additional authentication mechanism to the initial origin authentication or credential
presentation
- Something you know
- Something you have
- Something you are
- Somewhere you are
4 MFA authentications
- Something you know
- Something you have
- Something you are
- Somewhere you are
Something you know
Password
Personal identification number
(PIN)
Secret word or phrase
Passphrase
Something you have
Hard/soft authentication tokens
(YubiKey/Authy)
Badge or smart card
Security keys
X509v3 certificates
Something you are
Fingerprint
Ocular biometrics
Speech patterns
Facial recognition
Somewhere you are
Remote client-based and
clientless VPN
Remote Software Defined
Perimeter (SDP)
Cloud IdM managed
network
802.1x wired or wireless
network
Fingerprint biometric
oldest and most common biometrics since they vary from person to person
and do not change over time
A fingerprint scanner system has two functions
- Gets an image of the finger
- Determines whether the outline of ridges and valleys in the image matches the patterns in pre-scanned images
facial recognition
One of the fastest growing mechanisms prepandemic
Commonly used to identify or verify an individual in still or video images
The main applications of face recognition are
areas of security biometrics and human-tocomputer interaction (including robotics)
The primary method for modeling facial images is
Principal Component Analysis (PCA)
iris scan biometric
The iris is the thin, circular structure “color” part of
the eye and controls the diameter and size of the
pupils and therefore the amount of light reaching
the retina
iris scanners use:
Iris scanners use camera technology to get images
of the intricate and detailed structures of the iris
using delicate infrared illumination
retina scan biometrics
The retina is a thin tissue composed of neural cells located in the back portion of the eye
Due to the complex make-up of the capillaries, every person’s retina is distinctive
more invasive
how are retina scanners used?
sends a beam of low-energy infrared light into an eye when user looks through the scanner’s
eyepiece
A beam of light traces a standardized path on the
retina and the pattern of variations are converted to
code and stored in a database
voice recognition
is classified as a “behavioral biometric” which is non-invasive
mobile biometrics (3 of them)
fingerprint
facial
voice, ocular and swipe patterns
biometric measurements
False acceptance rate (FAR)
False rejection rate (FRR)
Crossover error rate (CER)
False acceptance rate (FAR)
measures the
probability that the biometric system will incorrectly
accept an access effort by an unauthorized user
- A system’s FAR is often specified as the ratio of the
number of false acceptances divided by the amount
of authentication attempts
False rejection rate (FRR)
the probability that
the system incorrectly rejects access to an authorized person, due to failing to match the biometric input with a template
Crossover error rate (CER)
the value of FAR
and FRR when the sensitivity is setup so that FAR and FRR are the same
- This is an excellent metric for quantitative comparison of differing biometrics
Privileged access management (PAM)
an identity security
initiative that helps organizations counter cyberthreats by
monitoring, detecting, and stopping unauthorized access to
critical resources
**important in zero trust
PAM components
Just-in-time permissions
Password vaulting
Ephemeral credentials
Just-in-time permissions
A practice where the
privilege granted to
applications or systems is
limited to predetermined
periods of time, on an asneeded basis
Minimizes the risk of
standing privileges that
attackers can easily
exploit
Password vaulting
A program that securely
stores credentials for
multiple applications and
in an encrypted format
Users can access the
vault via a single
“master” password and
the vault then presents
it for the account they
need to access
Ephemeral credentials
Dynamically generated
credentials that are
created when needed,
then discarded afterward
Like persistent credentials, these
credentials offer the subject a temporary token needed to gain
access
