4.6 Identity and Access Management Flashcards

1
Q

Identity and Access Management (IAM)

A

Applications are available anywhere
– Desktop, browser, mobile device, etc.
* Data can be located anywhere
– Cloud storage, private data centers, etc.
* Many different application users
– Employees, vendors, contractors, customers
* Give the right permissions to the right people at
the right time
– Prevent unauthorized access
* Identity lifecycle management
– Every entity (human and non-human) gets a
digital identity
* Access control
– An entity only gets access to what they need
* Authentication and authorization
– Entities must prove they are who they claim to be
* Identity governance
– Track an entity’s resource access
– May be a regulatory requirement
* Provisioning/de-provisioning user accounts
– The user account creation process
– And the account removal process
* Provisioning and de-provisioning occur for certain events
– Hiring, transfers, promotions, job separation
* Account details
– Name, attributes, group permissions, other permissions
* An important part of the IAM process
– An initial checkpoint to limit access
– Nobody gets Administrator access by default

2
Q

Permission assignments

A

Each entity gets limited permissions
– Just enough to do their job
– Group assignments are common
* Storage and files can be private to that user
– Even if another person is using the same computer
* No privileged access to the operating system
– Specifically not allowed on a user account

3
Q

Identity proofing

A

I could be anyone
– The IAM process should confirm who I am
* Resolution
– Who the system thinks you are
* Validation
– Gathering information from the user
(password, security questions, etc.)
* Verification / Attestation
– Passport, in-person meeting, etc.
– Automated verification is also an option

4
Q

Single sign-on (SSO)

A

Provide credentials one time
– Get access to all available or assigned resources
– No additional authentication required
* Usually limited by time
– A single authentication can work for 24 hours
– Authenticate again after the timer expires
* The underlying authentication infrastructure must
support SSO
– Not always an option

5
Q

LDAP (Lightweight Directory Access Protocol)

A

Protocol for reading and writing directories over
an IP network
– An organized set of records, like a phone directory
* X.500 specification was written by the International
Telecommunication Union (ITU)
– They know directories!
* DAP ran on the OSI protocol stack
– LDAP is the lightweight version that runs over TCP/IP
* LDAP is the protocol used to query and update an
X.500 directory
– Used in Windows Active Directory, Apple Open Directory,
Novell eDirectory, etc.

6
Q

X.500 Directory Information Tree

A

Hierarchical structure
– Builds a tree
* Container objects
– Country, organization, organizational units
* Leaf objects
– Users, computers, printers, files

7
Q

Security Assertion Markup Language (SAML)

A

Open standard for authentication and authorization
– You can authenticate through a third-party to
gain access
– One standard does it all, sort of
* Not originally designed for mobile apps
– This has been SAML’s largest roadblock

8
Q

OAuth

A

Authorization framework
– Determines what resources a user will be able to access
* Originally developed by engineers from Twitter, Google, and others
– Significant industry support
* Not an authentication protocol
– OpenID Connect handles the single sign-on
authentication
– OAuth provides authorization between applications
* Relatively popular
– Used by Twitter, Google, Facebook, LinkedIn, and more

9
Q

Federation

A

Provide network access to others
– Not just employees - Partners, suppliers,
customers, etc.
– Provides SSO and more
* Third-parties can establish a federated network
– Authenticate and authorize between the two
organizations
– Login with your Facebook credentials
* The third-parties must establish a trust relationship
– And the degree of the trust

10
Q

Interoperability

A

Many different ways to communicate with an
authentication server
– More than a simple login process
* Often determined by what is at hand
– VPN concentrator can talk to an LDAP server
– We have an LDAP server
* A new app uses OAuth
– Need to allow authentication API access
* The interoperability is dependent on the
environment
– This is often part of a much larger IAM strategy

11
Q

Access control

A

Authorization
– The process of ensuring only authorized rights are
exercised (policy enforcement)
– The process of determining rights (policy definition)
* Users receive rights based on
– Access Control models
– Different business needs or mission requirements

12
Q

Least privilege

A

Rights and permissions should be set to the bare
minimum
– You only get exactly what’s needed to complete your
objective
* All user accounts must be limited
– Applications should run with minimal privileges
* Don’t allow users to run with administrative privileges
– Limits the scope of malicious behavior

13
Q

Mandatory Access Control (MAC)

A

The operating system limits the operation on an object
– Based on security clearance levels
* Every object gets a label
– Confidential, secret, top secret, etc.
* Labeling of objects uses predefined rules
– The administrator decides who gets access to what
security level
– Users cannot change these settings
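What "the operating system limits the operation on an object based on clearance levels" looks like as a decision procedure, as an added example that is not part of the original notes: the read/write rules are the Bell-LaPadula "no read up / no write down" properties, which is the usual way an OS enforces a label lattice; the compartments (need-to-know categories), the administrator and object names below are assumptions.

```python
"""Mandatory access control check over labelled subjects and objects.

Added illustration, not from the original notes. The read/write rules are the
Bell-LaPadula "no read up / no write down" properties; the compartments and
the users and object names below are assumptions."""
from dataclasses import dataclass

# Total order of sensitivity levels, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories, e.g. {"nuclear"}

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level AND superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_decision(subject: Label, obj: Label, op: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a subject clearance acting on an object label."""
    if op == "read":     # simple security property: no read up
        ok = subject.dominates(obj)
        return ok, "permit" if ok else "deny: subject clearance does not dominate object label"
    if op == "write":    # *-property: no write down (would leak data to a lower label)
        ok = obj.dominates(subject)
        return ok, "permit" if ok else "deny: object label does not dominate subject clearance"
    raise ValueError(f"unknown operation {op!r}")


class LabelStore:
    """Labels are set by the administrator only; ordinary users cannot relabel."""

    def __init__(self, admins: set[str]) -> None:
        self._admins = admins
        self._labels: dict[str, Label] = {}

    def set_label(self, actor: str, obj_name: str, label: Label) -> None:
        if actor not in self._admins:
            raise PermissionError(f"{actor} may not relabel {obj_name}")
        self._labels[obj_name] = label

    def check(self, clearance: Label, obj_name: str, op: str) -> bool:
        return mac_decision(clearance, self._labels[obj_name], op)[0]


if __name__ == "__main__":
    store = LabelStore(admins={"root"})
    store.set_label("root", "budget.xlsx", Label("secret", frozenset({"finance"})))
    analyst = Label("secret", frozenset({"finance"}))
    print(store.check(analyst, "budget.xlsx", "read"), store.check(analyst, "budget.xlsx", "write"))
```

Note the asymmetry: a secret-cleared subject may write into a top-secret object (the data only moves up) but may not read it, and two secret labels with different compartments are incomparable, so neither can read the other. Contrast this with the DAC card that follows, where the owner of the spreadsheet decides.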

14
Q

Discretionary Access Control (DAC)

A

Used in most operating systems
– A familiar access control model
* You create a spreadsheet
– As the owner, you control who has access
– You can modify access at any time
* Very flexible access control
– And very weak security

15
Q

Role-based access control (RBAC)

A

You have a role in your organization
– Manager, director, team lead, project manager
* Administrators provide access based on the role of the
user
– Rights are gained implicitly instead of explicitly
* In Windows, use Groups to provide role-based access
control
– You are in shipping and receiving, so you can use the
shipping software
– You are the manager, so you can review shipping logs

16
Q

Rule-based access control

A

Generic term for following rules
– Conditions other than who you are
* Access is determined through system-enforced rules
– System administrators, not users
* The rule is associated with the object
– System checks the ACLs for that object
* Rule examples
– Lab network access is only available between 9 AM
and 5 PM
– Only Chrome browsers may complete this web form

17
Q

Attribute-based access control (ABAC)

A

Users can have complex relationships to applications
and data
– Access may be based on many different criteria
* ABAC can consider many parameters
– A “next generation” authorization model
– Aware of context
* Combine and evaluate multiple parameters
– Resource information, IP address, time of day, desired
action, relationship to the data, etc.

18
Q

Time-of-day restrictions

A

Almost all security devices include a time-of-day option
– Restrict access during certain times or days of the
week
– Usually not the only access control
* Can be difficult to implement
– Especially in a 24-hour environment
* Time-of-day restrictions
– Training room network is inaccessible between
midnight and 6 AM
– Conference room access is limited after 8 PM
– R&D databases are only available between 8 AM and 6 PM
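The rule-based, attribute-based and time-of-day cards above all describe the same machinery: a policy decision point that matches a request's attributes (who, what, which action, from where, when, with which browser) against system-enforced rules. The following is an added example, not code from the original notes: a small evaluator whose rules restate the examples on those three cards (lab network 9 to 5, Chrome-only web form, R&D databases 8 to 6, training-room network closed overnight) plus one ABAC rule that combines the subject's relationship to the data, the source network and the action. The rule names, the 10.0.0.0/8 network and the sample requests are assumptions; deny-overrides combining is a design choice, not something the notes prescribe.

```python
"""Rule-based / attribute-based access control evaluator with time-of-day rules.

Added illustration, not from the original notes. The rule names, the 10.0.0.0/8
network and the sample requests are assumptions; the rule contents restate the
examples on the cards above."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Callable


@dataclass
class Request:
    subject: dict      # who: user, department, roles ...
    resource: dict     # what: name, owning department ...
    action: str        # desired action
    context: dict      # environment: ip, time, user_agent ...


Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    effect: str                  # "permit" or "deny"
    conditions: list             # all must hold for the rule to match


# --- condition builders -----------------------------------------------------
def resource_is(name: str) -> Condition:
    return lambda r: r.resource.get("name") == name

def action_in(*actions: str) -> Condition:
    return lambda r: r.action in actions

def within_hours(start: time, end: time) -> Condition:
    """True when the request's clock time is in [start, end)."""
    return lambda r: start <= r.context["time"].time() < end

def negate(cond: Condition) -> Condition:
    return lambda r: not cond(r)

def from_network(cidr: str) -> Condition:
    net = ip_network(cidr)
    return lambda r: ip_address(r.context["ip"]) in net

def user_agent_contains(fragment: str) -> Condition:
    return lambda r: fragment in r.context.get("user_agent", "")

def same_department() -> Condition:
    """ABAC relationship check: the subject's department owns the resource."""
    return lambda r: r.subject.get("department") == r.resource.get("owner_dept")


def evaluate(rules: list, req: Request) -> tuple[str, str]:
    """Deny-overrides combining: any matching deny wins, then the first matching
    permit, otherwise default deny. Returns (decision, rule name)."""
    first_permit = None
    for rule in rules:
        if all(c(req) for c in rule.conditions):
            if rule.effect == "deny":
                return "deny", rule.name
            if first_permit is None:
                first_permit = rule
    return ("permit", first_permit.name) if first_permit else ("deny", "default")


POLICY = [
    Rule("rd-db-hours", "deny", [resource_is("rd-db"), negate(within_hours(time(8), time(18)))]),
    Rule("rd-db-access", "permit", [resource_is("rd-db"), same_department(),
                                     from_network("10.0.0.0/8"), action_in("read", "write")]),
    Rule("lab-network-hours", "permit", [resource_is("lab-network"), within_hours(time(9), time(17))]),
    Rule("training-overnight", "deny", [resource_is("training-network"), within_hours(time(0), time(6))]),
    Rule("training-open", "permit", [resource_is("training-network")]),
    Rule("web-form-chrome", "permit", [resource_is("web-form"), action_in("submit"),
                                       user_agent_contains("Chrome")]),
]


def decide(user: str, dept: str, resource: str, owner_dept: str, action: str,
           ip: str, when: str, user_agent: str = "") -> tuple[str, str]:
    """Build a Request from flat attributes (when = 'YYYY-MM-DD HH:MM') and evaluate POLICY."""
    req = Request({"user": user, "department": dept},
                  {"name": resource, "owner_dept": owner_dept},
                  action,
                  {"ip": ip, "time": datetime.strptime(when, "%Y-%m-%d %H:%M"), "user_agent": user_agent})
    return evaluate(POLICY, req)


if __name__ == "__main__":
    print(decide("alice", "R&D", "rd-db", "R&D", "read", "10.1.2.3", "2024-03-04 10:00"))
    print(decide("alice", "R&D", "rd-db", "R&D", "read", "10.1.2.3", "2024-03-04 20:00"))
```

The order of the rules matters only among permits; a time-of-day deny always wins, which is why the card says such restrictions are "usually not the only access control": they sit on top of the ABAC permit rather than replacing it. Note that the User-Agent check is client-supplied and trivially spoofed, so on its own it is a usability rule, not a security boundary.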

19
Q

Multifactor authentication

A

Prove who you are
– Use different methods
– A memorized password
– A mobile app
– Your GPS location
* Factors
– Something you know
– Something you have
– Something you are
– Somewhere you are
* There are other factors as well

20
Q

Something you know

A

Password
– Secret word/phrase, string of characters
– Very common authentication factor
* PIN
– Personal identification number
– Not typically contained anywhere on a smart card
or ATM card
* Pattern
– Complete a series of patterns
– Only you know the right format

21
Q

Something you have

A

Smart card
– Integrates with devices
– May require a PIN
* USB security key - Certificate is on the USB device
* Hardware or software tokens
– Generates pseudo-random authentication codes
* Your phone
– SMS a code to your phone
– The weakest option: SMS codes can be intercepted or
redirected (SIM swap); prefer an authenticator app or hardware key

22
Q

Something you are

A

Biometric authentication
– Fingerprint, iris scan, voice print
* Usually stores a mathematical representation of your
biometric
– Your actual fingerprint isn’t usually saved
* Difficult to change
– You can change your password
– You can’t change your fingerprint
* Used in very specific situations
– Not foolproof

23
Q

Somewhere you are

A

Provide a factor based on your location
– The transaction only completes if you are in a
particular geography
* IP address
– Not perfect, but can help provide more info
– Works with IPv4, not so much with IPv6
* Mobile device location services
– Geolocation to a very specific area
– Must be in a location that can receive GPS information
or near an identified mobile or 802.11 network
– Still not a perfect identifier of location

24
Q

Password complexity and length

A

Make your password strong
– Resist guessing or brute-force attack
* Increase password entropy
– No single words, no obvious passwords
– Mix upper and lower case letters, numbers, and special characters
* Stronger passwords are commonly at least 8 characters
– These requirements change as processing
speed gets faster
– Consider a phrase or set of words

25
Q

Password age and expiration

A

Password age
– How long since a password was modified
* Password expiration
– Password works for a certain amount of time
– 30 days, 60 days, 90 days, etc.
– After the expiration date, the password does not work
– System remembers password history, requires
unique passwords
* Critical systems might change more frequently
– Every 15 days or every week

26
Q

Password managers

A

Important to use different passwords for each account
– Remembering all of them would be impractical
* Store all of your passwords in a single database
– Encrypted, protected
– Can include multifactor tokens
* Built-in to many operating systems
– And some browsers
* Enterprise password managers
– Centralized management and recovery options

27
Q

Passwordless authentication

A

Many breaches are due to poor password control
– Weak passwords, insecure implementation
* Authenticate without a password
– This solves many password management issues
* You may already be passwordless
– Facial recognition, security key, etc.
* Passwordless may not be the primary
authentication method
– Used with a password or additional factors

28
Q

Just-in-time permissions

A

In many organizations, the IT team is assigned
administrator/root elevated account rights
– This would be a great account to attack
* Grant admin access for a limited time
– No permanent administrator rights
– The principle of least privilege
* A breached user account never has elevated rights
– Narrow the scope of a breach
* Request access from a central clearinghouse
– Grants or denies based on predefined security policies
* Password vaulting
– Primary credentials are stored in a password vault
– The vault controls who gets access to credentials
* Accounts are temporary
– Just-in-time process creates a time-limited account
– Administrator receives ephemeral credentials
– Primary passwords are never released
– Credentials are used for one session then deleted