IAM Flashcards
Identification
To announce ourselves to a system or facility
Claiming to be a specific user (ex. username)
Authentication
To challenge the user’s claimed identity (ex: ask for password or PIN)
Authorization
To enforce permissions for each user
Accounting
To track users' activities
auditing/logging - provides accountability
Identity Management Phases
- Provisioning - creating user accounts based on NTK (need to know) and Least Privilege
- Review - Perform user access reviews at least once a year (at a minimum)
- Edit - Procedures are established so that when a user moves around within the organization we review privileges to prevent Authorization/Privilege-Creep
- Deprovisioning - When the employee leaves the organization, we remove all access and disable the account according to the Retention Policy. Once the required retention period has expired we delete the account
List and give example of authentication factors
- Something you know (e.g. password, PIN, SSN, etc.)
- Something you have (e.g. door key, smart card, badge)
- Something you are (thumb print, retina scan, iris scan, facial recognition)
- Somewhere you are (device IP, GPS coords)
Retina Scan
A scan that looks at the blood vessels in your eyes
think: red-ina scan
List Types of passwords, and what type of authentication factor are they
Static password = Fixed password = Reusable password > something you know
One-time password = Session password = Dynamic password > something you have
Tokens
provide one time, one session, or dynamic passwords
can be hardware or software based
(e.g. RSA token)
Federated Identity Management
Provides policies, processes, and mechanisms to manage identity authentication and authorization to systems across organizations
Identity Provider
In a federated environment, the identity provider holds all the identities and generates a token for known users
In the cloud it is preferable for the organization to maintain identities and act as the identity provider itself (i.e. NOT the CSP)
Relying Party
In a federated environment the relying party is the service provider and consumes tokens issued by the identity provider
XACML
communicating policy enforcement through a standard protocol
Used in ABAC and OpenID Connect
WS-Federation (Web Service Federation)
A federated identity specification from the WS-Framework
SAML 2.0
An XML framework to communicate authentication, authorization, and attributes
Authentication tokens/assertions are digitally signed XML transmitted over TLS
List SAML 2.0 Roles
Identity Provider
Service Provider/Relying Party
User/Principal
OAuth 2.0 (Open Authorization)
A framework that allows someone to grant a website or other application access to their information on another website without giving them their password
A way to enable a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner (by orchestrating an approval interaction between the resource owner and the HTTP server) or by allowing the third-party application to obtain access on its own behalf
Think authorization (AuthZ) policy enforcement - you can tell FB to authorize ESPN to access your FB profile or post updates to your timeline without giving ESPN your FB password
List and describe roles of OAuth 2.0 (Open Authorization)
- Resource owner/end user - the subject that allows access to a resource (Facebook user)
- Resource server - the system that holds the resource (Facebook)
- Client - the application requesting access to the resource (ESPN)
- Authorization server - the system issuing the access tokens to the client after the resource owner successfully authenticates and grants authorization
OpenID
A federated identity system that lets an application ask a backend federated identity provider whether an end user is who they claim to be
(Think authentication for Federated Identity Management system)
OpenID Connect (OIDC)
Combines the features of OpenID and OAuth into a single protocol
Allows an application to query a backend authority to
- Verify a user's identity and fetch the user's profile
- Gain limited access to the user's information
Service Provisioning Markup Language (SPML)
XML-based standard for provisioning (creating) user accounts in a Federated Identity system
Shibboleth
An open-source federation system, based on SAML, that is widely used in educational environments
Components of IAM
Account provisioning and deprovisioning
Directory services
Privileged access management
Account provisioning
Account deprovisioning
Account provisioning - creating user accounts and enabling access to cloud resources
Account deprovisioning - removing users and their access
Characteristics of Secure Account Provisioning
Consistent - Standardized Process
Easily Monitored
Audited
All should apply to newly created users and new access granted to existing users
1. When should accounts be deprovisioned?
2. What security principle is enforced when accounts are deprovisioned?
1A. When someone leaves the company
1B. When someone changes roles/job
2. Principle of least privilege
Common protocols used by Directory Services
Lightweight Directory Access Protocol (LDAP)
Security Assertion Markup Language (SAML)
Privileged access management
Privileged access management includes the technologies and processes involved in managing the entire lifecycle of these sensitive accounts: from provisioning to deprovisioning, and everything in between.
1. What activity should be monitored for privileged user accounts?
2. What should these logs include?
1. Successful and failed authentications, privileged access to cloud resources
2. Date, time, user identifier, and location (or IP) of access
Ad-hoc privileged access
Elevated privileges granted only when needed, rather than long-term (standing) privileged access