Chapter 8 - Identity and Access Management

Question 1

Identity

Answer 1

Identities are the sets of claims made about a subject. Subjects are typically people, applications, devices, systems, or organizations, but the most common application of Identity is to individuals.

Question 2

What are some of the common ways of claiming an identity?

Answer 2

1. Usernames
2. Certificates
3. Tokens
4. SSH keys
5. Smartcards

Question 3

Single Sign-On (SSO)

Answer 3

Single Sign-On systems allow a user to log in with a single identity and then use multiple systems or services without reauthenticating.

Question 4

Lightweight Directory Access Protocol (LDAP)

Answer 4

The Lightweight Directory Access Protocol is commonly deployed as part of an identity management infrastructure and offers hierarchically organized information about the organization. LDAP is commonly used as part of SSO infrastructures.

Question 5

What are some of the core technologies that internet-based systems and architectures often rely on for authentication, authorization, and SSO?

Answer 5

1. Security Assertion Markup Language (SAML)
2. OpenID
3. OAuth

Question 6

Security Assertion Markup Language (SAML)

Answer 6

Security Assertion Markup Language is an XML-based open standard for exchanging authentication and authorization information. SAML is often used between identity providers and service providers for web-based applications.

Question 7

OpenID

Answer 7

OpenID is an open standard for decentralized authentication. A common example of this is the “Log in with Google” functionality that many websites provide. Relying Parties (RPs) redirect authentication requests to the Identity Providers (IdPs) and then receive a response with an assertion that the user is who they claim to be due to successful authentication.

Question 8

OAuth

Answer 8

OAuth is an open standard for authorization used by many websites. OAuth provides a method for users to determine what information to provide to third-party applications and sites without sharing credentials.

Question 9

Identity Provider (IdP)

Answer 9

Identity Providers manage the life cycle of digital identities from creation through maintenance to eventual retirement of the identity in the systems and services it supports.

Question 10

What is meant by a Federated environment in IT?

Answer 10

In a federated environment, user authentication is separated from user access through the use of one or more external entities that provide independent authentication of user credentials.

Question 11

Passwordless Authentication

Answer 11

Passwordless Authentication often relies on something you have (security tokens, certificates) or something you are (biometric factors).

Question 12

Multifactor Authentication (MFA)

Answer 12

Multifactor Authentication ensures that a single compromised factor like a password does not create undue risk. MFA relies on two distinct factors for authentication.

Question 13

What are the four commonly used authentication factors?

Answer 13

1. Something you know (password, PIN)
2. Something you have (smartcard, USB, Bluetooth token)
3. Something you are (physical/biometric characteristics)
4. Somewhere you are (GPS, network location)

Question 14

One-Time Passwords (OTP)

Answer 14

One-Time Passwords are usable only once. Brute-force attacks against an OTP will be constantly attempting to identify a constantly changing target.

Question 15

Time-Based One-Time Passwords (TOTP)

Answer 15

Time-Based One-Time Passwords use an algorithm to derive a one-time password using the current time as part of the code-generation process. The code is valid for a set period of time and then moves on to the next time-based code.

Question 16

HMAC-Based One-Time Passwords (HOTP)

Answer 16

HMAC-Based One-Time Passwords use a seed value that both the token or HTOP code-generation application and the validation server use, as well as a moving factor. For many hardware HOTP tokens that work when a button is pressed, the moving factor is often a counter.

Question 17

SMS-Based One-Time Passwords (SMS OTP)

Answer 17

SMS-Based One-Time Passwords involve an SMS message with an OTP being sent to the users phone when they attempt to authenticate. Of the OTP methods, SMS OTP is the most susceptible to attacks.

Question 18

False Rejection Rate (FRR)

Answer 18

False Rejection Rate (Type 1 Errors) describes when a biometric measure was presented and the system rejected it.

Question 19

False Acceptance Rate (FAR)

Answer 19

False Acceptance Rate (Type 2 Errors) describes when a biometric factor is presented and is accepted when it shouldn’t be.

Question 20

What are some of the basic account types?

Answer 20

1. User accounts
2. Privileged or administrative accounts
3. Shared and generic accounts or credentials
4. Guest accounts
5. Service accounts (associated with applications and services)

Question 21

Permission Creep

Answer 21

Permission Creep occurs when users take on new roles or are granted new permissions baed on tasks they are doing.

Question 22

Deprovisioning

Answer 22

Deprovisioning is the process of removing the account, permissions, related data, files, or other artifacts required by the organization’s processes and procedures when an account is terminated.

Question 23

Privileged Access Management (PAM)

Answer 23

Privileged Access Management tools can be used to handle administrative and privileged accounts. PAM tools focus on ensuring that the concept of least privilege is maintained by helping administrators specify only the minimum set of privileges needed for a role or task.

Question 24

What are the three most important features of PAM tools?

Answer 24

1. Just-in-time (JIT) permissions
2. Password vaulting
3. Ephemeral accounts

Question 25

Just-in-time (JIT) Permissions

Answer 25

Just-in-time (JIT) Permissions are permissions that are granted and revoked only when needed.

Question 26

Password Vaulting

Answer 26

Password Vaulting is commonly used as part of PAM environments to allow users to access privileged accounts without needing to know a password. This allows privileged credentials to be checked out as needed while creating a logged, auditable event related to the use of the credentials.

Question 27

Ephemeral Accounts

Answer 27

Ephemeral Accounts are temporary accounts with limited lifespans. They may be used for guests or for specific purposes in an organization when a user needs access but should not have an account on an ongoing basis.

Question 28

Mandatory Access Control (MAC)

Answer 28

Mandatory Access Control (MAC) systems rely on the operating system to enforce control as set by a security policy administrator. In a MAC implementation, users do not have the ability to grant access to files or otherwise change the security policies that are set centrally. Some examples include SELinux for Linux and Mandatory Integrity Control (MIC) for Windows.

Question 29

Discretionary Access Control (DAC)

Answer 29

Discretionary Access Control often assigns owners for objects like files and directories, and then allows the owner to delegate rights and permissions to those objects as they desire. Linux file permissions are an easy example of this system.

Question 30

Role-Based Access Control (RBAC)

Answer 30

Role-Based Access Control systems rely on roles that are then matched with privileges that are assigned to those roles. This makes RBAC a popular option for enterprises that can quickly categorize employees with roles such as “cashier” or “database administrator.”

Question 31

Rule-Based Access Control (RuBAC)

Answer 31

Rule-Based Access Control is applied using a set of rules, or access control lists (ACLs), that apply to various objects or resources. When an attempt is made to access an object, the rule is checked to see if the access is allowed.

Question 32

Attribute-Based Access Control (ABAC)

Answer 32

Attribute-Based Access Control relies on policies that are driven by attributes of the users. This allows for complex rulesets based on combinations of attributes that provide users with specific rights that match the attributes they have. ABAC policies can be complex to manage well due to their flexibility.

Question 33

Time-Of-Day Restrictions

Answer 33

Time-Of-Day Restrictions limit when activities can occur. For example, in Windows, logon hours can be set via Active Directory.

Question 34

Least Privilege

Answer 34

Least Privilege is the concept that accounts and users should only be given the minimum set of permissions and capabilities necessary to perform their role or job function.