IAM Flashcards

1
Q

Identification

A

To announce ourselves to a system or facility

Claiming to be a specific user (e.g. presenting a username); on its own this is an unverified claim

2
Q

Authentication

A

To verify the user’s claimed identity by challenging for proof (e.g. asking for a password or PIN)

3
Q

Authorization

A

To determine and enforce what an authenticated user is permitted to do (the permissions granted to each user)

4
Q

Accounting

A

To track users’ activities

Auditing/logging: provides accountability, since each recorded action is tied to an authenticated identity

5
Q

Identity Management Phases

A
  1. Provisioning - creating user accounts based on need-to-know (NTK) and least privilege
  2. Review - perform user access reviews at least once a year
  3. Edit - procedures are established so that when a user moves around within the organization we review privileges, removing the old role’s access, to prevent authorization/privilege creep
  4. Deprovisioning - when the employee leaves the organization, we remove all access and disable the account according to the retention policy; once the required retention period has expired we delete the account
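The four phases above are what an access-review job checks for. The following is an added example (not part of the flashcards) of such a review: it flags privilege creep after a role change, orphaned accounts of leavers that are still enabled, disabled accounts past the retention period, and accounts with no review inside the interval. The role baselines, the 90-day retention period and the sample accounts are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed role baselines: the entitlements each role is supposed to carry.
# Need-to-know and least privilege are encoded here, not per account.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "helpdesk": {"ticket-read", "ticket-write", "password-reset"},
    "payroll": {"payroll-read", "payroll-approve"},
    "dba": {"db-read", "db-admin"},
}

RETENTION = timedelta(days=90)         # assumed retention period for disabled accounts
REVIEW_INTERVAL = timedelta(days=365)  # "at least once a year"


@dataclass
class Account:
    user: str
    role: str                   # current role after any transfers
    entitlements: Set[str]      # what the account actually holds today
    enabled: bool
    last_review: Optional[date] = None
    terminated_on: Optional[date] = None


Finding = Tuple[str, str, str]


def review_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Return (user, finding, detail) triples for lifecycle violations."""
    findings: List[Finding] = []
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct.role, set())
        # Edit phase: entitlements left over from a previous role are privilege creep.
        creep = acct.entitlements - baseline
        if creep:
            findings.append((acct.user, "privilege-creep", ",".join(sorted(creep))))
        if acct.terminated_on is not None:
            # Deprovisioning: leavers are disabled at once and deleted after retention.
            if acct.enabled:
                findings.append((acct.user, "orphaned-account", "disable immediately"))
            elif today - acct.terminated_on > RETENTION:
                findings.append((acct.user, "retention-expired", "delete account"))
            continue
        # Review phase: every active account needs a review inside the interval.
        if acct.last_review is None or today - acct.last_review > REVIEW_INTERVAL:
            findings.append((acct.user, "review-overdue", "recertify access"))
    return findings


# Constructed sample population.
SAMPLE_ACCOUNTS = [
    # Moved from helpdesk to payroll but kept password-reset: creep.
    Account("alice", "payroll", {"payroll-read", "payroll-approve", "password-reset"},
            True, last_review=date(2024, 3, 1)),
    # Clean DBA, reviewed recently.
    Account("bob", "dba", {"db-read", "db-admin"}, True, last_review=date(2024, 9, 1)),
    # Left the company but still enabled: orphaned.
    Account("carol", "helpdesk", {"ticket-read"}, True, terminated_on=date(2024, 6, 30)),
    # Disabled on leaving; retention has now expired.
    Account("dave", "dba", set(), False, terminated_on=date(2024, 4, 1)),
    # Never reviewed.
    Account("erin", "helpdesk", {"ticket-read", "ticket-write"}, True),
]


def sample_findings() -> List[Finding]:
    """Run the review against the sample population on a fixed date."""
    return review_accounts(SAMPLE_ACCOUNTS, date(2024, 10, 1))


if __name__ == "__main__":
    for finding in sample_findings():
        print(*finding)
```

In a real deployment the baselines come from the role catalogue and the accounts from the directory; the logic is the same, and the "orphaned-account" finding is the one worth paging on.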
6
Q

List and give example of authentication factors

A
  1. Something you know (e.g. password, PIN, SSN)
  2. Something you have (e.g. door key, smart card, badge, hardware token)
  3. Something you are (e.g. thumbprint, retina scan, iris scan, facial recognition)
  4. Somewhere you are (e.g. device IP address, GPS coordinates)
7
Q

Retina Scan

A

Scan that looks at the pattern of blood vessels on the retina at the back of the eye (an iris scan, by contrast, images the coloured ring at the front)

Think: red-ina scan

8
Q

List Types of passwords, and what type of authentication factor are they

A

Static password = fixed password = reusable password > something you know

One-time password = session password = dynamic password > something you have (the password is generated by a token in the user’s possession and is never reused)

9
Q

Tokens

A

Provide one-time, one-session, or dynamic passwords

Can be hardware or software based

(e.g. RSA SecurID token)
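The one-time passwords that tokens produce (cards 8 and 9) are usually HOTP or TOTP codes. As an added example, not part of the flashcards, here is RFC 4226 HOTP and RFC 6238 TOTP generation plus the server-side verifier; the verifier accepts one time step of clock skew and refuses to accept the same step twice, which is what makes the password one-time. The test secret is the one from the RFC appendices; the verifier class and its defaults are this example's own design.

```python
import hashlib
import hmac
import struct
from typing import Set

# Test key from the RFC 4226 / RFC 6238 appendices (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of time steps since the Unix epoch."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server side of a software/hardware token (example design, not a product API).

    Accepts the current step or one step either side to tolerate clock drift, and
    remembers every step it has accepted so a captured code cannot be replayed.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, skew_steps: int = 1):
        self.key, self.step, self.digits, self.skew = key, step, digits, skew_steps
        self.used_steps: Set[int] = set()

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isascii() and code.isdigit()):
            return False
        now_step = unix_time // self.step
        for candidate in range(now_step - self.skew, now_step + self.skew + 1):
            expected = hotp(self.key, candidate, self.digits)
            # Constant-time compare so response timing does not leak matching digits.
            if hmac.compare_digest(expected.encode(), code.encode()) \
                    and candidate not in self.used_steps:
                self.used_steps.add(candidate)
                return True
        return False


if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_TEST_SECRET, t, digits=8))
```

The RFC 6238 vectors (SHA-1, 8 digits) give 94287082 at T=59, 07081804 at T=1111111109 and 89005924 at T=1234567890; the replay check is the piece most home-grown implementations forget.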

10
Q

Federated Identity Management

A

Provides the policies, processes, and mechanisms to manage identity, authentication, and authorization for systems across organizational boundaries

11
Q

Identity Provider

A

In a federated environment, the identity provider (IdP) holds the identities, authenticates the users, and issues tokens/assertions for known users

In the cloud it is preferable for the organization to maintain its own identities and act as the identity provider, rather than delegating that role to the cloud service provider (CSP)

12
Q

Relying Party

A

In a federated environment the relying party (RP) is the service provider: it consumes and validates the tokens issued by the identity provider and grants access on the strength of them

13
Q

XACML

A

An OASIS XML-based language for expressing access control policies, together with a request/response protocol between the policy enforcement point (PEP) that intercepts an access and the policy decision point (PDP) that evaluates the policies

The standard way to express ABAC (attribute-based access control) policies; it is an authorization standard, separate from authentication standards such as SAML and OpenID Connect

14
Q

WS-Federation (Web Service Federation)

A

A federated identity specification from the WS-* (Web Services Security) family, built on WS-Trust; lets an identity provider issue security tokens to relying parties in other organizations (commonly seen with Microsoft AD FS)

15
Q

SAML 2.0

A

An XML-based framework for communicating authentication, authorization, and attribute information between an identity provider and a service provider

Assertions (authentication statements, attribute statements, authorization decisions) are digitally signed XML, transmitted over HTTP(S)/TLS, usually via browser redirect or POST bindings

16
Q

List SAML 2.0 Roles

A

Identity Provider
Service Provider/Relying Party
User/Principal
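Cards 15 and 16 describe the assertion and the three roles; the service provider's job is to check that an assertion really was issued by its trusted IdP, for it, for this login, and is still inside its validity window. The following is an added example (not from the flashcards) of those relying-party checks. It assumes the XML signature has already been verified with an XML-DSig library against the IdP's certificate, which the stdlib cannot do; the assertion, the IdP and SP entity IDs, and the attribute name are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class SamlError(Exception):
    pass


def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, trusted_issuer: str, my_entity_id: str,
                       now: datetime, skew: timedelta = timedelta(seconds=60)) -> Dict[str, Any]:
    """Service-provider checks on an assertion whose XML signature has ALREADY been
    verified against the IdP certificate (use an XML-DSig library for that step).
    """
    # Use a hardened parser (e.g. defusedxml) in production: the stdlib parser still
    # expands internal entities, so attacker-controlled XML can be a DoS vector.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        raise SamlError("not a SAML 2.0 assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        raise SamlError("untrusted issuer %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("missing Conditions")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _utc(not_before):
        raise SamlError("assertion not yet valid")
    if not_after and now - skew >= _utc(not_after):
        raise SamlError("assertion expired")
    # Audience restriction: an assertion minted for another SP must not log anyone in here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise SamlError("audience mismatch: issued for %r" % audiences)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlError("missing Subject/NameID")
    if root.find("saml:AuthnStatement", NS) is None:
        raise SamlError("no AuthnStatement: assertion does not prove a login")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"principal": name_id, "issuer": issuer, "attributes": attrs}


# Constructed assertion (signature element omitted; see the docstring above).
IDP = "https://idp.example.edu/shibboleth"
SP = "https://sp.example.com/sp"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-10-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.edu</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-10-01T11:59:00Z" NotOnOrAfter="2024-10-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-10-01T12:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check(xml_text: str = SAMPLE_ASSERTION, issuer: str = IDP, sp: str = SP,
          when: str = "2024-10-01T12:01:00Z") -> str:
    """Return 'ok:<principal>' or the rejection reason, for a fixed clock."""
    try:
        return "ok:" + validate_assertion(xml_text, issuer, sp, _utc(when))["principal"]
    except SamlError as exc:
        return str(exc)


if __name__ == "__main__":
    print(check())
    print(check(when="2024-10-01T12:10:00Z"))
    print(check(sp="https://other.example/sp"))
```

The audience check is the one most often skipped by hand-rolled SPs; without it an assertion legitimately issued for a low-value service can be replayed into a high-value one in the same federation.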

17
Q

OAuth 2.0 (Open Authorization)

A

A framework that allows someone to grant a website or other application access to their information on another website without giving it their password

A way to enable a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf

Think authorization (AuthZ), i.e. delegated access: you can tell Facebook to authorize ESPN to read your Facebook profile or post updates to your timeline without giving ESPN your Facebook password

18
Q

List and describe roles of OAuth 2.0 (Open Authorization)

A
  1. Resource owner/end user - the subject that allows access to a resource (the Facebook user)
  2. Resource server - the system that holds the resource (Facebook)
  3. Client - the application requesting access to the resource (ESPN)
  4. Authorization server - the system that issues access tokens to the client after the resource owner successfully authenticates and grants authorization
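The four roles are easiest to see with the authorization code grant played end to end. The following is an added example, not from the flashcards, that models the authorization server, the resource server and the client in one process and returns every message of the exchange: redirect URI matching, the state parameter, PKCE (RFC 7636), one-time use of the code with revocation on replay, and scope enforcement at the resource server. The client ID, redirect URI, scope names and profile data are constructed; the resource server reads the authorization server's token table directly in place of token introspection.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Tuple


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class AuthorizationServer:
    """Authenticates the resource owner, records consent, issues codes and tokens."""

    def __init__(self, clients: Dict[str, str]):
        self.clients = clients            # client_id -> the one registered redirect_uri
        self.codes: Dict[str, dict] = {}
        self.tokens: Dict[str, dict] = {}

    def authorize(self, client_id, redirect_uri, scope, state, code_challenge, owner, consent):
        """Authorization endpoint, reached after the owner has logged in at the AS."""
        if self.clients.get(client_id) != redirect_uri:
            return {"error": "invalid_request"}      # never redirect to an unregistered URI
        if not consent:
            return {"error": "access_denied", "state": state}
        code = secrets.token_urlsafe(32)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri, scope=scope,
                                owner=owner, challenge=code_challenge,
                                expires=time.time() + 60, used=False)
        return {"code": code, "state": state}        # delivered by redirect to the client

    def token(self, grant_type, code, redirect_uri, client_id, code_verifier):
        """Token endpoint: one-time code bound to client, redirect_uri and PKCE verifier."""
        rec = self.codes.get(code)
        if grant_type != "authorization_code" or rec is None:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # Replayed code: RFC 6749 4.1.2 says revoke everything issued from it.
            self.tokens = {t: r for t, r in self.tokens.items() if r["code"] != code}
            return {"error": "invalid_grant"}
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if (time.time() > rec["expires"] or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri
                or not hmac.compare_digest(expected, rec["challenge"])):
            return {"error": "invalid_grant"}
        rec["used"] = True
        access = secrets.token_urlsafe(32)
        self.tokens[access] = dict(owner=rec["owner"], scope=rec["scope"], code=code,
                                   expires=time.time() + 3600)
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600,
                "scope": rec["scope"]}


class ResourceServer:
    """Holds the protected data; shares the AS token table here in place of introspection."""

    def __init__(self, auth_server: AuthorizationServer, profiles: Dict[str, dict]):
        self.auth_server, self.profiles = auth_server, profiles

    def get_profile(self, authorization_header: str) -> Tuple[int, dict]:
        scheme, _, tok = authorization_header.partition(" ")
        rec = self.auth_server.tokens.get(tok) if scheme == "Bearer" else None
        if rec is None or time.time() > rec["expires"]:
            return 401, None
        if "profile:read" not in rec["scope"].split():
            return 403, None                          # valid token, insufficient scope
        return 200, self.profiles[rec["owner"]]


def run_flow(consent: bool = True, scope: str = "profile:read") -> dict:
    """The client's side of the exchange; returns every message so it can be inspected."""
    AS = AuthorizationServer({"espn-app": "https://espn.example/cb"})
    RS = ResourceServer(AS, {"fbuser": {"name": "F. B. User", "friends": 42}})
    verifier = b64url(secrets.token_bytes(32))                      # PKCE verifier
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())  # S256 challenge
    state = secrets.token_urlsafe(16)                               # CSRF protection
    authz = AS.authorize("espn-app", "https://espn.example/cb", scope, state,
                         challenge, "fbuser", consent)
    if "code" not in authz or not hmac.compare_digest(authz["state"], state):
        return {"authorize": authz}
    tok = AS.token("authorization_code", authz["code"], "https://espn.example/cb",
                   "espn-app", verifier)
    resource = RS.get_profile("Bearer " + tok["access_token"])
    replay = AS.token("authorization_code", authz["code"], "https://espn.example/cb",
                      "espn-app", verifier)
    return {"authorize": authz, "token": tok, "resource": resource, "replay": replay,
            "after_replay": RS.get_profile("Bearer " + tok["access_token"])[0]}


if __name__ == "__main__":
    for k, v in run_flow().items():
        print(k, v)
```

The client never sees the owner's password and the resource server never sees the code; the only long-lived secret the client holds is its own, and with PKCE a public client (mobile app, SPA) needs none at all.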
19
Q

OpenID

A

A federated identity system that lets an application ask a backend federated identity provider whether an end user is who they claim to be

(Think authentication for a federated identity management system)

20
Q

OpenID Connect (OIDC)

A

Combines the features of OpenID and OAuth 2.0 into a single protocol: an identity layer on top of OAuth 2.0 that adds a signed ID token

Allows an application to query a backend authority to

  1. Verify a user’s identity and fetch the user’s profile (the ID token and UserInfo endpoint)
  2. Gain limited access to the user’s information (the OAuth 2.0 access token)
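The ID token is what distinguishes OIDC from plain OAuth 2.0, and a relying party that does not validate it is not authenticating anyone. The following is an added example, not from the flashcards, of the checks OIDC Core 3.1.3.7 requires on an ID token: signature, then iss, aud (and azp when there are several audiences), exp, iat and nonce. It signs with HS256 and a constructed client secret so it needs no RSA library; real IdPs normally use RS256 with keys published at their JWKS endpoint. The issuer, client ID, claims and fixed clock are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed values for the example (HS256 shared secret, not a real deployment).
CLIENT_SECRET = b"constructed-client-secret-for-example-only"
ISSUER = "https://idp.example.com"
CLIENT_ID = "rp-client-123"
NOW = 1_700_000_000  # fixed clock so the example is reproducible


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: Dict[str, Any], key: bytes = CLIENT_SECRET, alg: str = "HS256") -> str:
    """IdP side: compact JWS. Any alg other than HS256 yields an unsigned token (for the tests)."""
    header = _b64u(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64u(sig)}"


class IdTokenError(Exception):
    pass


def verify_id_token(token: str, issuer: str = ISSUER, client_id: str = CLIENT_ID,
                    nonce: Optional[str] = None, now: Optional[float] = None,
                    key: bytes = CLIENT_SECRET, skew: int = 60) -> Dict[str, Any]:
    """Relying-party side: signature first, then the claims, per OIDC Core 3.1.3.7."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_unb64u(h64))
    if header.get("alg") != "HS256":           # pin the algorithm; never let the token choose
        raise IdTokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(s64)):
        raise IdTokenError("bad signature")
    claims = json.loads(_unb64u(p64))
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise IdTokenError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp mismatch")
    if claims.get("exp", 0) + skew < now:
        raise IdTokenError("expired")
    if claims.get("iat", now) - skew > now:
        raise IdTokenError("issued in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch")   # replay of an ID token from another login
    if "sub" not in claims:
        raise IdTokenError("no subject")
    return claims


SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "exp": NOW + 300,
                 "iat": NOW, "nonce": "n-0S6_WzA2Mj", "email": "jdoe@example.com"}


def check(token: Optional[str] = None, **kw) -> str:
    """Return 'ok:<sub>' or the rejection reason, using the fixed clock and expected nonce."""
    token = issue_id_token(SAMPLE_CLAIMS) if token is None else token
    kw.setdefault("now", NOW)
    kw.setdefault("nonce", "n-0S6_WzA2Mj")
    try:
        return "ok:" + verify_id_token(token, **kw)["sub"]
    except IdTokenError as exc:
        return str(exc)


if __name__ == "__main__":
    print(check())
    print(check(issue_id_token(SAMPLE_CLAIMS, alg="none")))
    print(check(nonce="something-else"))
```

Pinning the algorithm before looking at the signature is what closes the classic `alg: none` and key-confusion bugs; the nonce check is what ties the token to the login the RP actually started.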
21
Q

Service Provisioning Markup Language (SPML)

A

An OASIS XML-based standard for exchanging user, resource, and service provisioning requests (creating, modifying, and deleting accounts) between organizations and systems in a federated identity environment

22
Q

Shibboleth

A

An open-source federated identity implementation based on SAML, widely used in educational and research environments

23
Q

Components of IAM

A

Account provisioning and deprovisioning
Directory services
Privileged access management

24
Q

Account provisioning

Account deprovisioning

A

Account provisioning - creating user accounts and enabling their access to cloud resources
Account deprovisioning - removing users and all of their access

25
Q

Characteristics of Secure Account Provisioning

A

Consistent - a standardized process
Easily monitored
Audited

All three should apply both to newly created users and to new access granted to existing users

26
Q
  1. When should accounts be deprovisioned?
  2. What security principle is enforced when accounts are deprovisioned?

A

  1. (a) When someone leaves the company
     (b) When someone changes roles/jobs
  2. Principle of least privilege
27
Q

Common protocols used by Directory Services

A

Lightweight Directory Access Protocol (LDAP) - query and modify the directory itself (users, groups, attributes)

Security Assertion Markup Language (SAML) - assert identities held in the directory to external service providers (federation)

28
Q

Privileged access management

A

Privileged access management includes the technologies and processes involved in managing the entire lifecycle of privileged (administrative) accounts: from provisioning to deprovisioning, and everything in between (vaulting credentials, brokering sessions, and monitoring use)

29
Q

What activity should be monitored for privilege user accounts?
What should these logs include?

A

Successful and failed authentications, and privileged access to cloud resources

Each record should include the date, time, user identifier, and location (or IP address) of the access
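The monitoring requirement above is only useful if something reads the logs. As an added example, not from the flashcards, here is detection logic run over a constructed JSON-lines audit log: it flags records missing the required fields (timestamp, user, outcome, source location), bursts of failed authentications for a privileged account, a success immediately following such failures, and every privileged action with its origin. The log format, field names, privileged-user list and thresholds are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed JSON-lines audit log; not the output of any real product.
SAMPLE_LOG = """\
{"ts":"2024-10-01T08:00:01Z","user":"admin-bob","event":"auth","result":"failure","src_ip":"203.0.113.5"}
{"ts":"2024-10-01T08:00:07Z","user":"admin-bob","event":"auth","result":"failure","src_ip":"203.0.113.5"}
{"ts":"2024-10-01T08:00:12Z","user":"admin-bob","event":"auth","result":"failure","src_ip":"203.0.113.5"}
{"ts":"2024-10-01T08:00:20Z","user":"admin-bob","event":"auth","result":"success","src_ip":"203.0.113.5"}
{"ts":"2024-10-01T08:01:00Z","user":"admin-bob","event":"privileged_action","action":"iam:AttachUserPolicy","result":"success","src_ip":"203.0.113.5"}
{"ts":"2024-10-01T09:15:00Z","user":"alice","event":"auth","result":"success","src_ip":"198.51.100.9"}
{"ts":"2024-10-01T09:20:00Z","user":"root","event":"privileged_action","action":"ec2:TerminateInstances","result":"success"}
"""

PRIVILEGED_USERS = {"admin-bob", "root"}               # assumed: fed from the PAM inventory
REQUIRED_FIELDS = ("ts", "user", "result", "src_ip")   # date/time, identifier, outcome, location

Alert = Tuple[int, str, str]  # (line number, alert type, detail)


def analyze(log_text: str, fail_threshold: int = 3,
            window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Scan the log once, keeping a sliding window of recent failures per privileged user."""
    alerts: List[Alert] = []
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            alerts.append((lineno, "unparseable", line[:40]))
            continue
        # A record that cannot answer who/when/from-where is itself an audit finding.
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            alerts.append((lineno, "incomplete-record", ",".join(missing)))
        if "ts" not in ev or "user" not in ev:
            continue
        user = ev["user"]
        if user not in PRIVILEGED_USERS:
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if ev.get("event") == "auth":
            if ev.get("result") == "failure":
                recent = [t for t in recent_failures[user] if ts - t <= window] + [ts]
                recent_failures[user] = recent
                if len(recent) >= fail_threshold:
                    alerts.append((lineno, "privileged-auth-failure-burst",
                                   f"{user} {len(recent)} failures"))
            elif recent_failures[user] and ts - recent_failures[user][-1] <= window:
                # Success right after a burst of failures is the guessing-succeeded pattern.
                alerts.append((lineno, "success-after-failures", user))
        elif ev.get("event") == "privileged_action":
            alerts.append((lineno, "privileged-action",
                           f"{user} {ev.get('action')} from {ev.get('src_ip', '?')}"))
    return alerts


def sample_alerts() -> List[Alert]:
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(*alert)
```

Line 6 (a non-privileged user logging in normally) produces nothing, which is the point: the privileged set is small enough that every action on it can be reviewed.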

30
Q

Ad hoc (just-in-time) privileged access

A

Elevated privileges granted only when needed, for the duration of the task, rather than long-term standing privileged access