Domain 5 Identity and Access Management (IAM) Flashcards
Control of Physical Access to Assets
Physical access control represents the tangible layer of security, focusing on measures that restrict unauthorized access to an organization’s facilities, equipment, and resources.
Information:
Ensuring secure storage and handling of sensitive documents is paramount. Hospitals might use locked cabinets to store patient records, employing shredding protocols for no longer needed documents.
Systems:
Access to computers and servers can be restricted through locked rooms, cabinets, or cages. Data centers might employ biometric scanners, limiting entry solely to authorized personnel.
Devices:
Security measures for portable devices like laptops and mobile phones are essential. Corporations might use cable locks for laptops in shared spaces or store them in locked cabinets when not in use.
Facilities:
Implementing access control systems, such as card readers or security personnel, is vital. Research laboratories might utilize retina scanners, ensuring only authorized scientists can enter sensitive areas.
Control of Logical Access to Assets
Logical access control, in contrast, focuses on the virtual realm, securing digital assets by managing user access and permissions within IT systems.
Information:
Implementing access controls on databases and file systems is vital. Banks might limit access to customer financial data based on employee roles, ensuring that only authorized staff can view sensitive information.
Systems:
Employing security controls like firewalls and intrusion detection systems is essential. Ecommerce companies might deploy advanced firewalls, preventing unauthorized access to internal networks.
Devices:
Enforcing device security policies such as password protection and encryption is crucial. Government agencies might uphold strict encryption standards on mobile devices to protect classified information.
Applications:
Managing user access within applications ensures role-appropriate access. Universities might configure student information systems so that professors can access only the grades and attendance records relevant to their courses.
Understanding Access Control Models
Access control models are the architectural blueprints for managing and securing access to an organization’s resources. These models articulate the principles and mechanisms that define how permissions are granted, ensuring that users can only access the data and resources necessary for their job functions.
Discretionary Access Controls (DAC)
Discretionary access controls empower resource owners to determine who has access to their resources and to what extent. In the DAC model, users can grant or revoke permissions for other users at their discretion.
Example: In a shared file system within a collaborative research project, a lead scientist with the necessary permissions can grant read or write access to specific files or folders to other team members, tailoring access based on individual responsibilities.
Mandatory Access Controls (MAC)
Mandatory access controls enforce access based on predefined security policies and classification levels. The MAC model is rigid, allowing access only to those with the appropriate security clearance and a need-to-know basis.
Example: In a government agency handling classified information, a user with “Secret” clearance can access only “Secret” or lower documents. Access to “Top Secret” documents is restricted, maintaining the integrity of sensitive information.
Nondiscretionary Access Control (Role-Based Access Control or RBAC)
Nondiscretionary access control assigns permissions based on users’ roles within an organization rather than their identities. The RBAC model grants access based on job responsibilities and functions.
Example: In a hospital’s patient management system, nurses are granted access to patient medical records, while administrative staff members are granted access to billing information. Each role has specific permissions, aligning access with job functions.
Rule-Based Access Controls
Rule-based access controls enforce access permissions based on predefined rules or conditions, such as time of day, location, or network conditions.
Example: A financial institution might implement a rule-based access control policy that allows traders to access certain internal trading platforms only during market hours or from secure trading floors.
Content-Dependent and Context-Dependent Access Controls
Content-dependent access controls grant or deny access based on the content of the resource being accessed, whereas context-dependent access controls consider the circumstances in which the access request is made.
Example: A content-dependent policy in a law firm might restrict access to legal documents based on their confidentiality level. A context-dependent policy might grant access to specific resources only when a lawyer is connected to the firm’s secure network using a firm-issued device.
The landscape of access control models is diverse and nuanced, reflecting the complexity of modern organizational structures and technological environments. Understanding these models is more than a theoretical exercise; it is a practical necessity for securing an organization’s resources.
Identity Management (IdM) Implementation
Identity Management involves creating, maintaining, and validating unique user identities across an organization. IdM implementation is the bedrock of access control, ensuring that users are accurately identified and authenticated.
Example: In a multinational corporation, IdM might include a centralized directory service that manages employee identities, roles, and permissions, ensuring consistency and security across global operations.
Single-factor authentication
Single-factor authentication relies on one method, such as a password or PIN. While simple, it can be vulnerable to attacks.
Multifactor authentication
Multifactor authentication combines two or more factors (e.g., something you know, something you have, and something you are) to provide a higher level of security. These factors are typically categorized into the following:
Something you know (knowledge-based factors):
These are pieces of information that the user must know to authenticate, such as passwords, PINs, or answers to security questions.
Something you have (possession-based factors):
These are physical devices or objects the user must have to authenticate, such as a security token, smart card, or mobile phone with an authentication app.
Something you are (inherence-based factors):
These are biometric characteristics unique to the individual, such as fingerprints, facial recognition, or voice patterns.
Somewhere you are (location-based factors):
This newer category includes the user’s location as a factor, such as a specific geographical location verified through GPS.
Something you do (behavior-based factors):
This includes the unique ways in which a person interacts with a system, such as typing rhythm or mouse movement patterns.
Accountability
Accountability in information security is the mechanism that ensures users are held responsible for their actions within a system.
Audit trails:
Audit trails are chronological records of user activities, providing evidence of system usage and helping trace unauthorized activities back to the responsible individual.
Example: In a healthcare system, audit trails might record who accessed patient records, when, and what changes were made, ensuring compliance with privacy regulations.
Monitoring:
Continuous monitoring of user activities is essential for detecting potential security breaches, anomalies, and policy violations.
Example: An ecommerce platform might employ real-time monitoring to detect and alert on unusual purchasing patterns that potentially indicate fraudulent activity.
Access controls:
Enforcing strict access controls, such as the principle of least privilege, ensures that users have the minimum necessary access to perform their job functions.
Example: In a manufacturing company, access controls might restrict engineers to the design files relevant to their projects, while managers have broader access to project management tools.
Federated Identity Management (FIM):
FIM allows users to use the same identity across different organizations or services. It is commonly used in collaborations between businesses.
Credential Management Systems:
These systems manage user credentials securely, often in conjunction with MFA.
Single Sign-On (SSO):
SSO enables users to log in once and gain access to multiple related systems without reauthenticating.
Just-in-Time (JIT) provisioning:
JIT provisioning creates user accounts on the fly when needed, often used in cloud environments to enhance efficiency.
Session Management
Session management is a multifaceted process that ensures a secure and continuous user experience within a system. It involves the creation of unique session identifiers, secure maintenance of session information, and proper termination to prevent unauthorized access.
Example: In an online healthcare portal, session management ensures patients can securely access their medical records, schedule appointments, and communicate with healthcare providers without interruption.
Creation:
A unique session identifier is generated when users log in, allowing the system to track their activities and preferences.
Maintenance:
The system must securely maintain session information, such as session cookies and tokens, to ensure that the user’s interaction remains seamless and secure.
Termination:
The session must be terminated properly upon logout or timeout, and any session data must be invalidated to prevent unauthorized access.
Registration:
Users must provide personal information, such as name, email address, and phone number, to create an account.
Proofing:
The system verifies the user's identity by validating the provided information, often through multi-step verification processes.
Establishment:
Once verified, a unique identifier and authentication credentials are assigned, forming the basis of the user's digital identity within the system.
Storage:
Credentials are stored in encrypted formats, often in secure hardware or virtual vaults, to prevent unauthorized access.
Management:
Regular updates, deactivation of obsolete credentials, and immediate revocation in case of suspected compromise are managed systematically.
Single Sign-On (SSO) Deployment Options
Single Sign-On (SSO) is a user-friendly authentication process that allows users to access multiple systems with a single set of credentials.
Example: A multinational corporation may use a hybrid SSO solution to enable employees to access local intranet resources and global collaboration platforms with a single login.
On-premise:
Managed within the organization's local data center, allowing complete control but requiring significant investment in infrastructure and maintenance.
Cloud:
Leveraging third-party cloud services, reducing maintenance overhead and providing scalability.
Hybrid:
Combining on-premise and cloud-based solutions, offering flexibility and a tailored approach to different systems or applications.
Federated Identity with a Third-Party Service
Federated Identity Management (FIM) extends the principles of SSO across organizational boundaries.
Example: Universities in a research consortium may use Federated Identity to allow researchers to access shared research databases and collaboration tools across institutions.
On-premise:
Complete control over the federated identity infrastructure, suitable for organizations with strict security requirements.
Cloud:
Reduced maintenance overhead and scalability, suitable for organizations primarily using cloud-based services.
Hybrid:
A combination of both, providing flexibility and a tailored approach.
Just-in-Time (JIT) Provisioning
JIT provisioning is an agile approach to account management.
Example: A cloud-based project management tool might use JIT provisioning to create and manage user accounts for external contractors, granting them access only to relevant projects.
On-demand creation:
User accounts are created as needed rather than in advance, improving efficiency.
Dynamic permissions:
Permissions are assigned dynamically based on predefined rules, such as user roles or group memberships, ensuring that users have the appropriate level of access.
Managing the Identity and Access Provisioning Life Cycle
Managing the identity and access provisioning life cycle is critical to an organization's security posture. This process includes account access review, provisioning and deprovisioning, role definition, and privilege escalation. Like SSO and Federated Identity Management, the identity and access provisioning life cycle can be managed using on-premise, cloud, or hybrid approaches.
On-premise:
On-premise identity and access provisioning involves deploying and managing the infrastructure in an organization's local data center. This approach allows the organization to control its infrastructure and processes completely.
Example: An organization may implement on-premise identity and access management solutions, such as Microsoft Active Directory, to manage the provisioning life cycle, including user access review, role definition, and privilege escalation within its local network.
Cloud:
Cloud-based identity and access provisioning leverages third-party cloud services to host and manage the infrastructure. This approach offers advantages such as reduced maintenance overhead, scalability, and access to resources from anywhere with an Internet connection.
Example: An organization may use cloud-based identity and access management services, such as Okta or AWS Identity and Access Management (IAM), to manage the provisioning life cycle for its cloud-based resources.
Hybrid:
A hybrid approach combines on-premise and cloud-based solutions, allowing organizations to choose the most appropriate solution for each system or application. This approach is useful for organizations with a mix of on-premise and cloud-based resources and for those transitioning from on-premise to cloud-based infrastructure.
Example: An organization may use an on-premise solution like Microsoft Active Directory to manage the provisioning life cycle for local resources while integrating with a cloud-based identity and access management service like Azure Active Directory to manage cloud-based resources.
Account access review:
Reviewing user, system, and service accounts ensures only authorized users can access resources. This process includes verifying that accounts are still active, permissions are set correctly, and no unauthorized access has been granted. Depending on an organization’s infrastructure, an account access review can be managed through on-premise, cloud, or hybrid tools.
Provisioning and deprovisioning:
Provisioning involves granting access rights to new users, systems, or services, while deprovisioning involves removing access rights when no longer needed (e.g., during off-boarding or transfers). Proper provisioning and deprovisioning help maintain a secure environment by ensuring access rights are only granted to authorized users. On-premise, cloud, and hybrid solutions can be used to manage these processes.
Role definition:
Defining roles within an organization helps streamline the provisioning process by assigning predefined permissions to users based on their job responsibilities. Role definition can be managed through on-premise, cloud, or hybrid identity and access management tools, depending on the organization's infrastructure.
Privilege escalation:
Privilege escalation involves temporarily granting elevated permissions to users or services to perform specific tasks. This process should be carefully managed to minimize security risks associated with unauthorized access or misuse of elevated privileges. On-premise, cloud, and hybrid solutions can be used to manage privilege escalation, such as managed service accounts or using sudo in a Linux environment.
OpenID Connect (OIDC)/Open Authorization (OAuth)
OIDC is an identity layer built on top of the OAuth 2.0 protocol, which allows users to authenticate and authorize applications to access resources on their behalf. OIDC and OAuth are often used in cloud and hybrid environments to provide secure authentication and authorization for web and mobile applications.
Security Assertion Markup Language (SAML):
SAML is an XML-based standard for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP) and a service provider (SP). SAML is commonly used in cloud and hybrid environments for Single Sign-On (SSO) and Federated Identity Management (FIM) implementations.
Kerberos:
Kerberos is a network authentication protocol that uses secret-key cryptography to securely authenticate users and services within a local network. Kerberos is typically implemented in on-premise environments, often as part of Microsoft Active Directory infrastructure, to provide secure authentication for internal resources.
Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+):
RADIUS and TACACS+ are authentication, authorization, and accounting (AAA) protocols commonly used for controlling access to network devices and services. RADIUS is often used in on-premise and hybrid environments for remote access solutions like VPNs, whereas TACACS+ is typically used for managing administrative access to network devices like routers and switches.