IAM

Question 1

Identification

Answer 1

To announce ourselves to a system of facility

Claiming to be a specific user (ex. username)

Question 2

Authentication

Answer 2

To challenge the user’s claimed identity (ex: ask for password or PIN)

Question 3

Authorization

Answer 3

To enforce permissions for each user

Question 4

Accounting

Answer 4

To track user’s activities

auditing/logging - provides accountability

Question 5

Identity Management Phases

Answer 5

1. Provisioning - creating user accounts baed on NTK and Least Privilege
2. Review - Perform user access reviews at least once a year (at a minimum)
3. Edit - Procedures are established so that when a user moves around within the organization we review privileges to prevent Authorization/Privilege-Creep
4. Deprovisioning - When the employee leaves the organization, we remove all access and disable the account according to the Retention Policy. Once the required retention period has expired we delete the account

Question 6

List and give example of authentication factors

Answer 6

1. Something you know (e.g. password, PIN, SSN, etc)
2. Something you have (e.g. door key, smart card, badge)
3. Something you are (thumb print, retina scan, iris scan, facial recognition)
4. Some where you are (device IP, GPS coords)

Question 7

Retina Scan

Answer 7

scan that looks at blood vessels in your eyes

think: red-ina scan

Question 8

List Types of passwords, and what type of authentication factor are they

Answer 8

Static password = Fixed password = Reusable password > something you know

One-time password = Session password = Dynamic password > something you have

Question 9

Tokens

Answer 9

provide one time, one session, or dynamic passwords

can be hardware or software based

(e.g. RSA token)

Question 10

Federated Identity Management

Answer 10

Provides policies, process, and mechanisms to manage identity authentication and authorization to systems across organizations

Question 11

Identity Provider

Answer 11

In a federated environment, the identity provider holds all the identities and generates a token for known users

In cloud it is preferable for the organization to maintain identities and act as the identity provider (e.g NOT CSP)

Question 12

Relying Party

Answer 12

In a federated environment the relying party is the service provider and consumes tokens issued by the identity provider

Question 13

XACML

Answer 13

communicating policy enforcement through a standard protocol

Used in ABAC and OpenID Connect

Question 14

WS-Federation (Web Service Federation)

Answer 14

A federation identity specification from WS-Framework

Question 15

SAML 2.0

Answer 15

An XML framework to communicate authentication, authorization, and attributes

Authentication tokens/assertions are digitally signed XML transmitted over TLS

Question 16

List SAML 2.0 Roles

Answer 16

Identity Provider
Service Provider/Relying Party
User/Principal

Question 17

OAuth 2.0 (Open Authorization)

Answer 17

A framework that allows someone to grant a website or other application access to their information on another website without giving them their password

A way to enable a 3rd party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP server or by allowing the 3rd party application to obtain access on its behalf

Think authorization AuthZ policy enforcement - you can tell FB to authorize ESPN to access your FB profile or post updates to you timeline without giving ESPN your FB password

Question 18

List and describe roles of OAuth 2.0 (Open Authorization)

Answer 18

1. Resource owner/end user - the subject that allows access to a resource (facebook user)
2. Resource server: the system that hold the resource (facebook)
3. Client: the application requesting access to the resource (ESPN)
4. Authorization server: the system issuing the access tokens to the client after the resource owner successfully authenticates and allows authorization

Question 19

OpenID

Answer 19

A federated identity system that lets an application ask a backend federated identity provider, if an end user is who they claim to be

(Think authentication for Federated Identity Management system)

Question 20

OpenID Connect (OIDC)

Answer 20

Combines the features of OpenID and Oauth into a single protocol

Allows an application to query a backend authority to

1. Verify a user’s identity and fetch the users profile
2. Gain limited access to the users information

Question 21

Service Provision Markup Language (SPML)

Answer 21

XML based standard for provisioning (creating) user accounts in a Federated Identity system

Question 22

Shibboleth

Answer 22

An open source federation, based on SAML, that is widely used in educational environments

Question 23

Components of IAM

Answer 23

Account provisioning and deprovisioning
Directory services
Privileged access management

Question 24

Account provisioning

Account deprovisioning

Answer 24

Account provisioning - creating user accounts and enabling access to cloud resources
Account deprovisioning - removing users and their access

Question 25

Characteristics of Secure Account Provisioning

Answer 25

Consistent - Standardized Process
Easily Monitored
Audited

All should apply to newly created users and new access granted to existing users

Question 26

1. When Should Accounts be Deprovisioned?

2. What security principle is enforced when Accounts are Deprovisioned?

Answer 26

1A. When someone leaves the company
1B. When someone changes roles/job

2. Principle of least privilege

Question 27

Common protocols used by Directory Services

Answer 27

Lightweight Directory Access Protocol (LDAP)

Security Assertion Markup Language (SAML)

Question 28

Privileged access management

Answer 28

Privileged access management includes the technologies and processes involved in managing the entire lifecycle of these sensitive accounts: from provisioning to deprovisioning, and everything in between.

Question 29

What activity should be monitored for privilege user accounts?
What should these logs include?

Answer 29

successful and failed authentications, privileged access to cloud resources

date, time, user identifier, and location (or IP) of access

Question 30

ad-hoc privileged access

Answer 30

elevated privileges only when needed rather than long-term privileged access