4.6 Flashcards
Identity and access management, access controls, multifactor authentication, password security
IAM stands for
Identity and Access Management
Giving the right permissions to the right people at the right time is known as
IAM
Software that is used for:
Access control
Authentication and authorization
Identity governance (provisioning/deprovisioning user accounts)
IAM
IAM utilizes ____ access control. That means if a user creates a file, that file is private to that user, even if another user logs into that same device.
Mandatory
The formal process of verifying that a user really is who they say they are. Used by IAM solutions.
Identity proofing
An identity proofing process where the user verifies their identity via government documents, answering questions about previous addresses or purchases, or an in-person meeting.
Verification/attestation
An identity proofing process where the user verifies their identity by sending credentials (username/password) and may answer security questions. This is an information-gathering process.
Validation
An identity proofing process where the IAM system gathers information about a user to verify that the user is who they say they are.
Resolution
SSO stands for
Single Sign-On
An authentication solution where the user has to validate their identity only once to access all of the resources in a network.
This is usually limited by time. Ex. You will only be authenticated for 24 hours, after which you will have to authenticate again.
SSO
LDAP stands for
Lightweight Directory Access Protocol
The protocol used to query and update an X.500 directory.
It is also often used for authentication/authorization, typically SSO.
LDAP
A global directory service that organizes components to manage information.
It follows the format of:
attribute=value
X.500
SAML stands for
Security Assertion Markup Language
An open-source standard protocol for authentication and authorization with which you can authenticate through a third-party database.
That way, instead of creating/managing your own identity management database for your organization, you can use one that exists elsewhere.
However, this protocol was not designed to work with mobile devices, so its use is limited in modern environments.
SAML
An authentication protocol that can authenticate users through a third-party authentication database
SAML
Describe how SAML authentication works
User attempts to access Resource Server
Resource Server redirects user to third-party Authorization Server through an encrypted SAML request
User logs in
Authorization Server redirects the user back to the Resource Server with a SAML token
Resource Server verifies the SAML token and grants access to the user
An authorization framework that allows applications to access resources on a user’s behalf
OAuth
When you see a message such as:
“[3rd Party App] wants to access your Google Account
This will allow [3rd Party App] to:
See, edit, create, and delete all of your Google Drive files”
What authorization protocol is being used?
OAuth
When you see a message such as:
“Sign in through Facebook
Sign in through Twitter
Sign in through Instagram”
What authentication method is being used?
Federation / federation authentication
Because OAuth is an authorization protocol and NOT an authentication protocol, what service is used in conjunction with it? This service provides SSO authentication.
OpenID
An authentication method that allows network access without using a local authentication database.
It allows you to log in to a resource without having to create a new account specifically for that resource.
It can allow you to sign in through an existing trusted third-party organization with which the two organizations have a trust relationship.
Federation
What is the main thing to consider when determining which type of IAM services to use?
Interoperability
Some apps may be compatible with the method you choose; others will need to implement some kind of API or other interoperability measures to make it work.
The process of enforcing policies that would allow/disallow users/devices access to resources
Access control
An access control model that allows users/devices the bare minimum of access to perform their job.
Least privilege
An access control model that is based on security clearance levels. Every file or object gets a label with the security clearance required to access it.
The administrator of the system defines the security clearance that a user/device has.
Mandatory Access Control
An access control model that allows the user who created the data to determine who else can access the data, and what they can do to modify it.
Very flexible, but offers very weak security.
DAC
An access control model that is based on account roles (manager, director, team lead, project manager, etc.).
Administrators provide access based on the role of the user. Rights are gained implicitly instead of explicitly.
RBAC
RBAC stands for
Role-Based Access Control
What does it mean when rights/permissions are gained implicitly instead of explicitly?
It means that the rights are assigned due to a user’s role or attribute rather than assigned individually to that user.
An access control model that grants rights and permissions according to system-enforced rules. The administrator configures these rules, and attaches them to files. These rules are then enforced once a user attempts to access the resource.
Ex:
Lab network access is only available between 9am-5pm
Only Chrome browsers can complete this web form
RuBAC
ABAC stands for
Attribute-Based Access Control
An access control model that develops a complex ruleset to determine whether someone has or doesn’t have access to a resource.
It can examine attributes that may be unique to the user: seniority, current projects, security clearance level, work status, the action being attempted, etc.
It will also consider external factors like time of day and browser type.
It considers many different parameters, including context. It can evaluate the source IP address, time of day, desired action, and the relationship the user has to the data.
All of these criteria are combined to determine whether to grant access.
It is a “next generation” authorization model.
ABAC
Difference between RuBAC and ABAC
RuBAC focuses on rules related to external factors: time of day, working hours, schedules, specific devices.
ABAC focuses on attributes that can rely on personal information like active projects, work status, security clearance, seniority, attempted action, etc.
RuBAC stands for
Rule-Based Access Control
An access control model that restricts access during certain times or days of the week.
This model is typically not used on its own.
Time-of-day restrictions
4 factors used in MFA
Something you know
Something you have
Something you are
Somewhere you are
3 examples of “something you know”
Password
PIN
Pattern
4 examples of “something you have”
Smart card
USB security key (contains a certificate specific to you)
Hardware/software token (RNG)
Your phone (SMS code)
1 example of “something you are”
Biometric authentication
Fingerprint, iris scan, voice print
2 examples of “somewhere you are”
IP address
Mobile device location services (GPS)
What is password entropy?
Unpredictability
Software that can remember all of your different passwords for you. It stores your passwords in one encrypted database.
To use this service, you may need to provide multifactor tokens.
Password manager
A method of authentication that uses facial recognition, security keys, or PINs instead of using passwords.
This is often used in conjunction with (NOT instead of) passwords or other authentication measures.
Password authentication
An authentication/authorization measure that gives a technician a temporary set of credentials. These credentials give administrator access for a limited amount of time - just enough time to solve a problem or adjust a configuration.
This prevents attackers from gaining elevated account rights.
Just-in-time permissions
The entity responsible for allowing or disallowing access based upon a predetermined set of security policies. Used for giving just-in-time permissions to users.
Central clearinghouse
AKA password vault
Central clearinghouse is AKA
Password vault
Explain the process of gaining and using just-in-time permissions
User requests access from a central clearinghouse/password vault
The central clearinghouse/password vault contains primary credentials. It creates ephemeral credentials based on those primary credentials and supplies them to the user. The primary credentials are never released.
The ephemeral credentials are used for one session and then deleted.