Lesson 6: Implementing Identity and Access Management Controls Flashcards
access control system
An access control system is the set of technical controls that govern how subjects may interact with objects.
Subjects
users, devices, software processes, or anything else that can request and be granted access to a resource.
A subject is identified on a computer system by an account. An account consists of an identifier, credentials, and a profile.
Objects
resources; these could be networks, servers, databases, files, and so on.
Access Control List (ACL)
In computer security, the basis of access control is usually an Access Control List (ACL). This is a list of subjects and the rights or permissions they have been granted on the object.
An Identity and Access Management (IAM) system is usually described in terms of four main processes:
- Identification—creating an account or ID that identifies the user, device, or process on the network.
- Authentication—proving that a subject is who or what it claims to be when it attempts to access the resource.
- Authorization—determining what rights subjects should have on each resource, and enforcing those rights.
- Accounting—tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.
IAM enables you to define the attributes that comprise an entity’s identity, such as its purpose, function, security clearance, and more. These attributes subsequently enable access management systems to make informed decisions about whether to grant or deny an entity access, and if granted, decide what the entity has authorization to do.
Identification
associates a particular user (or software process) with an action performed on a network system.
Authentication
proves that a user or process is who it claims to be; that is, that someone or something is not masquerading as a genuine user.
verifies that only the account holder is able to use the account, and that the system may only be used by account holders. Authentication is performed when the account holder supplies the appropriate credentials to the system. These are compared to the credentials stored on the system. If they match, the account is authenticated. One of the primary issues with authentication is unauthorized exposure or loss of the information being used to authenticate. If a user’s credential, such as a password, is exposed, it may be used in an unauthorized fashion before it can be changed.
Identification and authentication are vital first steps in the access control process:
- To prove that a user is who he or she says he or she is. This is important because access should only be granted to valid users (authorization).
- To prove that a particular user performed an action (accounting). Conversely, a user should not be able to deny what he or she has done (non-repudiation).
Security Identifier (SID)
An identifier must be unique. For example, in Windows® a subject may be represented by a username to system administrators and other users. The username is often recognizable by being some combination of the user’s first and last names or initials. However, the account is actually defined on the system by a Security Identifier (SID) string. If the user account was deleted and another account with the same name subsequently created, the new account would have a new SID and, therefore, not inherit any of the permissions of the old account.
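The two points above (an ACL is a list of subjects and their permissions on an object, and a Windows subject is really its SID rather than its username) can be shown together. The following is an added example, not code from the original page or from any Microsoft component: a toy directory that issues SIDs and a toy ACL that is keyed on SIDs, so that deleting and recreating an account with the same name loses the old grants. The SID format loosely imitates Windows (`S-1-5-21-<domain>-<RID>`); the domain value, the group SID and the account names are constructed for illustration.

```python
import itertools
from dataclasses import dataclass, field

# Constructed domain SID prefix (made up; real ones are generated per domain/machine).
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
_next_rid = itertools.count(1001)  # relative identifiers are never reused


@dataclass
class Account:
    username: str
    sid: str
    groups: set[str] = field(default_factory=set)  # SIDs of groups in the profile


class Directory:
    """Issues accounts with unique SIDs; recreating a deleted name yields a new SID."""

    def __init__(self) -> None:
        self.by_name: dict[str, Account] = {}

    def create(self, username: str, groups=()) -> Account:
        if username in self.by_name:
            raise ValueError(f"account {username!r} already exists")
        acct = Account(username, f"{DOMAIN_SID}-{next(_next_rid)}", set(groups))
        self.by_name[username] = acct
        return acct

    def delete(self, username: str) -> None:
        del self.by_name[username]

    def lookup(self, username: str) -> Account:
        return self.by_name[username]


class Acl:
    """Per-object list of (trustee SID, permission) grants; anything not listed is denied."""

    def __init__(self) -> None:
        self.entries: list[tuple[str, str]] = []

    def grant(self, trustee_sid: str, permission: str) -> None:
        self.entries.append((trustee_sid, permission))

    def allows(self, subject: Account, permission: str) -> bool:
        # The subject matches an entry through its own SID or any group SID it holds.
        trustees = {subject.sid} | subject.groups
        return any(sid in trustees and perm == permission for sid, perm in self.entries)


def demo() -> dict[str, bool]:
    d = Directory()
    finance_group = f"{DOMAIN_SID}-2001"  # constructed group SID
    alice = d.create("alice", groups={finance_group})
    bob = d.create("bob")

    ledger = Acl()
    ledger.grant(alice.sid, "write")      # granted to Alice's SID directly
    ledger.grant(finance_group, "read")   # granted via group membership

    before = {
        "alice_write": ledger.allows(alice, "write"),
        "alice_read": ledger.allows(alice, "read"),
        "bob_read": ledger.allows(bob, "read"),
    }

    # Delete and recreate "alice": same name, new SID, so the direct grant no longer applies.
    d.delete("alice")
    alice2 = d.create("alice", groups={finance_group})
    after = {
        "same_sid": alice2.sid == alice.sid,
        "alice2_write": ledger.allows(alice2, "write"),
        "alice2_read": ledger.allows(alice2, "read"),  # still allowed through the group SID
    }
    return {**before, **after}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The recreated account keeps its group-based read access only because the group SID is unchanged; the direct write grant was bound to the old SID and is now an orphaned ACL entry, which is exactly what an administrator sees in Windows when a deleted user's entries show up as an unresolved SID.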
Credentials
Credentials means the information used to authenticate a subject when it tries to use the account. This information could be a username and password or a smart card and PIN code.
profile
The profile is information stored about the subject. This could include name and contact details as well as group memberships.
Issuance (or enrollment)
means processes by which a subject’s credentials are recorded, issued, and linked to the correct account, and by which the account profile is created and maintained.
Some of the issues involved in issuance or enrollment are:
- Identity proofing—verifying that subjects are who they say they are at the time the account is created. Attackers may use impersonation to try to infiltrate a company without disclosing their real identity. Identity proofing means performing background and records checks at the time an account is created.
Note: Websites that allow users to self-register typically employ a CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart). A CAPTCHA is usually a graphic or audio of some distorted letters and digits. This prevents a software process (bot) from creating an account.
- Ensuring only valid accounts are created—for example, preventing the creation of dummy accounts or accounts for employees that are never actually hired. The identity issuance process must be secured against the possibility of insider threats (rogue administrative users). For example, a request to create an account should be subject to approval and oversight.
- Secure transmission of credentials—creating and sending an initial password securely. Again, the process needs protection against snooping and rogue administrative staff. Newly created accounts with simple or default passwords are an easily exploitable backdoor.
- Revoking the account if it is compromised or no longer in use.
The difficulties of issuance or enrollment can be mitigated by two techniques:
- Password reset—automating the password reset process reduces the administration costs associated with users forgetting passwords but making the reset process secure can be problematic.
- Single sign-on—this means that all network resources and applications accept the same set of credentials, so the subject only needs to authenticate once per session. This requires application compatibility and is difficult to make secure or practical across third-party networks.
There are many different technologies for defining credentials. They can be categorized as the following factors:
- Something you know, such as a password.
- Something you have, such as a smart card.
- Something you are, such as a fingerprint.
- Something you do, such as making a signature.
- Somewhere you are, such as using a mobile device with location services.
something you know authentication
The typical something you know technology is the logon: this comprises a username and a password. The username is typically not a secret (though it should not be published openly), but the password must be known only to the account holder. A passphrase is a longer password comprising several words. This has the advantages of being more secure and easier to remember. A Personal Identification Number (PIN) is also something you know, though long PIN codes are hard to remember and short codes are too vulnerable for most authentication systems. If the number of attempts is not limited, it is simple for password cracking software to attempt every combination and brute force a 4-digit PIN. Short PIN codes are, however, often used for account reset mechanisms.
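To make the point about unlimited attempts concrete, here is an added example (not code from the original page): a 4-digit PIN verifier in two configurations, one with no attempt limit and one that locks the account after five failures, and a brute-force loop that exhausts the keyspace against each. The PIN value, the lockout threshold and the low PBKDF2 iteration count are constructed for the demonstration; a production verifier would use far more iterations.

```python
import hashlib
import hmac
import os
from itertools import product
from typing import Optional


class PinVerifier:
    """Stores a salted hash of the PIN; max_attempts=None means no lockout at all."""

    def __init__(self, pin: str, max_attempts: Optional[int] = None) -> None:
        self.salt = os.urandom(16)
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False
        self.digest = self._hash(pin)

    def _hash(self, pin: str) -> bytes:
        # Iteration count kept deliberately low so the demo runs quickly (constructed value).
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), self.salt, 100)

    def check(self, attempt: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(attempt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True
        return False


def brute_force(verifier: PinVerifier, digits: int = 4) -> tuple[Optional[str], int]:
    """Try every PIN in order 0000..9999; return (recovered PIN or None, guesses made)."""
    guesses = 0
    for combo in product("0123456789", repeat=digits):
        pin = "".join(combo)
        guesses += 1
        if verifier.check(pin):
            return pin, guesses
        if verifier.locked:
            return None, guesses  # the verifier refuses further attempts
    return None, guesses


def demo() -> dict:
    secret = "7391"  # constructed PIN
    unlimited = PinVerifier(secret)                # weak: no attempt limit
    limited = PinVerifier(secret, max_attempts=5)  # corrected: lock after 5 failures
    found_a, n_a = brute_force(unlimited)
    found_b, n_b = brute_force(limited)
    return {
        "unlimited": (found_a, n_a),
        "limited": (found_b, n_b),
        "locked": limited.locked,
    }


if __name__ == "__main__":
    print(demo())
```

Against the unlimited verifier the whole 10,000-value keyspace is searchable in a single sitting; against the limited one the attacker gets five guesses, which is why short PINs are acceptable only where the verifier enforces a strict attempt limit (or a time-limited one-time code) and not as a standalone credential.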
something you have authentication
There are numerous ways to authenticate a user based on something they have. Examples include a smart card, USB token, or key fob that contains a chip with authentication data, such as a digital certificate. Compared to something you know authentication, token-based systems are more costly because each user must be issued with the token and each terminal may need a reader device to process the token. The main concerns with cryptographic access control technologies are loss and theft of the devices. Token-based authentication is not always standards-based, so interoperability between products can be a problem. There are also risks from inadequate procedures, such as weak cryptographic key and certificate management.
Something you are authentication
employing some sort of biometric recognition system. Many types of biometric information can be recorded, including fingerprint patterns, iris or retina patterns, or facial features. The chosen biometric information (the template) is scanned and recorded in a database. When the user wants to access a resource, he or she is re-scanned, and the scan is compared to the template. If the confirmation scan matches the template to within a defined degree of tolerance, access is granted. The main problems with biometric technology generally are:
- Users can find it intrusive and threatening to privacy.
- The technology can be discriminatory or inaccessible to those with disabilities.
- Setup and maintenance costs to provision biometric readers.
- Vulnerability to spoofing methods.
Something you do authentication
refers to behavioral biometric recognition. Rather than scan some attribute of your body, a template is created by analyzing a behavior, such as typing or writing a signature. The variations in speed and pressure applied are supposed to uniquely verify each individual. In practice, however, these methods are subject to higher error rates and are much more troublesome for a subject to perform. Something you do authentication is more likely to be deployed as an intrusion detection or continuous authentication mechanism. For example, if a user successfully authenticates using a password and smart card, their use of the keyboard might be subsequently monitored. If this deviates from the baseline, the IDS would trigger an alert.
somewhere you are authentication
Location-based authentication measures some statistic about where you are. This could be a geographic location, measured using a device’s location service and the GPS (Global Positioning System) and/or IPS (Indoor Positioning System), or it could be by IP address. The IP address could also be used to refer to a logical network segment or it could be linked to a geographic location using a geolocation service. Geolocation by IP address works by looking up a host’s IP address in a geolocation database, such as GeoIP (https://www.maxmind.com/en/geoip-demo), IPInfo (https://ipinfo.io), or DB-IP (https://www.db-ip.com), and retrieving the registrant’s country, region, city, name, and other information. The registrant is usually the ISP, so the information you receive will provide an approximate location of a host based on the ISP. If the ISP is one that serves a large or diverse geographical area, you will be less likely to pinpoint the location of the host.
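The lookup described above can be modelled offline. The following is an added example, not code from the original page or from MaxMind, IPInfo or DB-IP: a tiny prefix-to-location table stands in for a geolocation database (the real ones hold far more prefixes), an internal segment is mapped to a logical location rather than a geographic one, and a simple policy turns the result into a logon decision. All prefixes, locations and the allowed-country set are constructed for illustration (the public ranges are the documentation networks reserved by RFC 5737).

```python
import ipaddress
from typing import Optional

# Constructed stand-in for a geolocation database: (prefix, registrant location).
GEO_DB = [
    (ipaddress.ip_network("203.0.113.0/24"), {"country": "GB", "city": "London"}),
    (ipaddress.ip_network("198.51.100.0/24"), {"country": "US", "city": "Seattle"}),
    (ipaddress.ip_network("198.51.100.128/25"), {"country": "US", "city": "Portland"}),
    (ipaddress.ip_network("192.0.2.0/24"), {"country": "DE", "city": "Berlin"}),
]

# Internal segments resolve to a logical network location, not a geographic one.
INTERNAL_DB = [
    (ipaddress.ip_network("10.10.0.0/16"), {"segment": "corp-lan"}),
]

ALLOWED_COUNTRIES = {"GB", "US"}  # constructed policy


def locate(ip: str) -> Optional[dict]:
    """Longest-prefix match of an address against the tables; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, info in INTERNAL_DB + GEO_DB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return dict(best[1]) if best else None


def login_decision(ip: str) -> str:
    """allow / step-up / deny based only on where the request appears to come from."""
    loc = locate(ip)
    if loc is None:
        return "step-up"          # unknown origin: demand an additional factor
    if "segment" in loc:
        return "allow"            # trusted internal segment
    if loc["country"] in ALLOWED_COUNTRIES:
        return "allow"
    return "deny"


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.200", "192.0.2.9", "10.10.3.4", "8.8.8.8"):
        print(ip, locate(ip), login_decision(ip))
```

Two caveats the table makes visible: the answer is the registrant's location, so at best it places the user near their ISP's point of presence, and an address that is not in the table at all (or sits behind a VPN or proxy) tells you nothing, so location should feed a risk score or step-up decision rather than act as proof of identity on its own.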
multifactor authentication (MFA)
An authentication product is considered strong if it combines the use of more than one type of something you know/have/are (multifactor). Single-factor authentication systems can quite easily be compromised: a password could be written down or shared, a smart card could be lost or stolen, and a biometric system could be subject to high error rates or spoofing.
two-factor (2FA)
combines something like a smart card or biometric mechanism with something you know, such as a password or PIN. Three-factor authentication combines all three technologies, or incorporates an additional location-based factor. An example of three-factor authentication would be a smart card with an integrated fingerprint reader: to authenticate, the user must possess the card, the user's fingerprint must match the template stored on the card, and the user must input a PIN or password.
Mutual authentication
a security mechanism that requires that each party in a communication verifies the other's identity. Before the client submits its credentials, it verifies the server's credentials. Mutual authentication prevents a client from inadvertently submitting confidential information to a non-secure or impostor server, and so helps in avoiding Man-in-the-Middle and session hijacking attacks.
Mutual authentication can be configured on the basis of a password-like mechanism where a shared secret is configured on both server and client. Distributing the shared secret and keeping it secure is a significant challenge, however. Most mutual authentication mechanisms rely on digital certificates and Public Key Infrastructure (PKI).
LAN Manager (LM or LANMAN)
Most computer networks depend on "something you know" authentication, using the familiar method of a user account protected by a password. There are many different ways of implementing account authentication on different computer systems and networks. LAN Manager (LM or LANMAN) was a network operating system (NOS) developed by Microsoft® and 3Com. Microsoft used the authentication protocol from LM for Windows 9x networking. LM is a challenge/response authentication protocol. This means that the user's password is not sent to the server in plaintext. LM authentication is obsolete: its password hash and response computation are weak by modern standards, and it should be disabled wherever it is still supported.
- When the server receives a logon request, it generates a random value called the challenge (or nonce) and sends it to the client.
- Both client and server encrypt the challenge using the hash of the user’s password as a key.
- The client sends this response back to the server.
- The server compares the response with its version and if they match, authenticates the client.
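The four steps above, carried through with both sides' messages, as an added example that is not code from the original page and is not LM's real algorithm: LM derives a DES-based hash from the password and DES-encrypts the 8-byte challenge with it, whereas this model stores a SHA-256 digest of the password and computes the response as HMAC-SHA256 keyed by that digest. The shape of the exchange is the same, which is enough to show both why the plaintext password never crosses the wire and the two caveats a practitioner should know: the stored hash is password-equivalent (whoever holds it can answer any challenge), and a captured challenge/response pair can be tested against guesses offline. The account name, password and wordlist are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional


def password_hash(password: str) -> bytes:
    """What the server stores instead of the plaintext password (simplified model)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def compute_response(stored_hash: bytes, challenge: bytes) -> bytes:
    """Keyed function of the challenge; only a holder of the hash can produce it."""
    return hmac.new(stored_hash, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, users: dict[str, str]) -> None:
        self.hashes = {u: password_hash(p) for u, p in users.items()}  # hashes only

    def issue_challenge(self) -> bytes:
        return os.urandom(8)  # step 1: fresh random nonce per logon attempt

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        # step 4: recompute with the stored hash and compare in constant time
        expected = compute_response(self.hashes[username], challenge)
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.key = password_hash(password)  # derived locally; the password stays on the host

    def respond(self, challenge: bytes) -> bytes:
        return compute_response(self.key, challenge)  # steps 2-3


def logon(server: Server, client: Client) -> bool:
    """One-way exchange: server challenges, client responds, server compares."""
    challenge = server.issue_challenge()
    response = client.respond(challenge)
    return server.verify(client.username, challenge, response)


def replay_attack(server: Server, client: Client) -> bool:
    """Eavesdropper replays a captured response; fails because the nonce has changed."""
    captured = client.respond(server.issue_challenge())
    return server.verify(client.username, server.issue_challenge(), captured)


def pass_the_hash(server: Server, stolen_hash: bytes, username: str) -> bool:
    """The hash is password-equivalent: its holder can answer any challenge."""
    challenge = server.issue_challenge()
    return server.verify(username, challenge, compute_response(stolen_hash, challenge))


def offline_crack(challenge: bytes, response: bytes, wordlist: list[str]) -> Optional[str]:
    """Test guesses against a captured pair without ever contacting the server."""
    for guess in wordlist:
        if hmac.compare_digest(compute_response(password_hash(guess), challenge), response):
            return guess
    return None


def demo() -> dict:
    server = Server({"alice": "Winter2024"})  # constructed credential
    alice = Client("alice", "Winter2024")
    mallory = Client("alice", "wrong-password")
    chal = server.issue_challenge()
    captured = alice.respond(chal)  # as seen by someone sniffing the wire
    return {
        "genuine": logon(server, alice),
        "wrong_password": logon(server, mallory),
        "replay": replay_attack(server, alice),
        "pass_the_hash": pass_the_hash(server, server.hashes["alice"], "alice"),
        "cracked": offline_crack(chal, captured, ["password", "letmein", "Winter2024"]),
    }


if __name__ == "__main__":
    print(demo())
```

The replay check fails and the pass-the-hash check succeeds for the same reason: the only secret the protocol needs is the hash, so the hash must be protected exactly as carefully as the password it replaces. The offline crack is what makes a weak password fatal under any challenge/response scheme of this shape, and it is the reason LM's short, case-insensitive hash is so easily recovered in practice.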