Lesson 8 Flashcards
Federated Identity management
Cloud-based identity management provider enables access to many platforms; similar to Kerberos SSO.
• Certificates and smart cards
- Public key cryptography
- Subject identified by a public key, wrapped in digital certificate
- Private key must be kept secure
Tokens
- Authorizations issued under single sign-on
* Avoids need for user to authenticate to each service
• Identity provider
- Provisions and manages accounts
- Processes authentication
- Federated identity management
• Separation of duties
- Separation of duties
- Standard operating procedures (SOPs)
- Shared authority
• Least privilege
Assign sufficient permissions only
• Reduce risk from compromised accounts
• Job rotation
- Distributes institutional knowledge and expertise
* Reduces critical dependencies
• Mandatory vacations
During that time, the corporate audit and security employees have time to investigate and discover any discrepancies in employee activity.
• User-assigned privileges
- Assign privileges directly to user accounts
- Unmanageable if number of users is large
• Group-based privileges
- Assign permissions to security groups and assign user accounts to relevant groups
- Issues with users inheriting multiple permissions
Service accounts
Service accounts are used by scheduled processes and application server software, such as databases.
Must manage shared service account credentials.
Shared/Generic/Device Accounts and Credentials
- Shared accounts
- Accounts whose credentials are known to more than one person
- Generic accounts
- Accounts created by default on OS install
- Only account available to manage a device
- Might use a default password
- Risks from shared and generic accounts
- Breaks principle of non-repudiation
- Difficult to keep credential secure
- Credential policies for devices
- Privileged access management software
• Privileged access management software stores high-risk credentials somewhere other than a spreadsheet
SSH
• Secure Shell (SSH) used for remote access
• Host key identifies the server
• User key pair used to authenticate to server
• Server holds copy of valid users’ public keys
• Keys must be actively managed
• Third-party credentials
- Passwords and keys to manage cloud services
- Highly vulnerable to accidental disclosure
Account Password Policy Settings
- Length
- Complexity
- Character combinations
- Aging
- History and reuse
- NIST guidance
- Password hints
Account Restrictions
• Network location
- Connecting from a VLAN or IP subnet/remote IP
- Connecting to a machine type or group (clients versus servers)
- Interactive versus remote logon
• Geolocation
- By IP address
- By Location Services
- Geofencing
- Geotagging
• Time-based restrictions
- Logon hours
- Logon duration
- Impossible travel time/risky login
Geolocation vs geotagging vs geofencing
Geolocation: the location of a user or device can be determined using a geolocation source (IP address or location services).
Geofencing: refers to accepting or rejecting access requests based on location.
Geotagging: refers to the addition of location metadata to files or devices.
Account Audits
• Accounting and auditing to detect account misuse
- Use of file permissions to read and modify data
- Failed login or resource access attempts
• Recertification
- Monitoring use of privileges
- Granting/revoking privileges
- Communication between IT and HR
Account Permissions
• Impact of improperly configured accounts
- Insufficient permissions
- Unnecessary permissions
• Escalating and revoking privileges
• Permission auditing tools
Disablement vs lockout
• Disablement
- Login is disabled until manually reenabled
- Combine with remote logoff
• Lockout
- Login is prevented for a period and then re-enabled
- Policies to enforce automatic lockout
Discretionary vs Role-based access
- Discretionary Access Control (DAC)
- Based on resource ownership
- Access Control Lists (ACLs)
- Vulnerable to compromised privileged user accounts
- Role-Based Access Control (RBAC)
- Non-discretionary and more centralized control
- Based on defining roles then allocating users to roles
- Users should only inherit role permissions to perform particular tasks
File System Security
- Access Control List (ACL)
- Access Control Entry (ACE)
- File system support
- Linux permissions and chmod
- Symbolic (rwx)
- User, group, world
- Octal
- r=4
- w=2
- x=1
Mandatory vs Attribute-based access control
Mandatory Access control
Labels applied to objects (secret, top secret) and clearances applied to subjects
Attribute-Based Access Control (ABAC)
• Access decisions based on a combination of subject and object attributes plus
any context-sensitive or system-wide attributes
• Conditional access
Rule-Based Access Control
Rule-based access control is a term that can refer to any sort of access control model where access control policies are determined by system-enforced rules rather than system users.
• Non-discretionary
- System determines rules, not users
• Conditional access
- Continual authentication
- User account control (UAC)
• Privileged access management
- Policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts
Directory Services
Database of subjects (Windows = Active Directory)
• Users, computers, security groups/roles, and service Access Control Lists (authorizations)
X.500 and Lightweight Directory Access Protocol (LDAP)
• Distinguished names
• Attribute=Value pairs
Protocol used for Directory Services
• X.500 and Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is a protocol widely used to query and update X.500 format directories.
Federated identity management
Federation is the notion that a network needs to be accessible to more than just a well-defined group of employees. As an example, you can log into Twitter with your Google account; Google verifies the identity.
Attestation
Verification from an identity provider (IdP) that the user is who she says she is
Security Assertions Markup Language (slide 31)
skipped this one
API
API is the acronym for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other.
REST
• Representational State Transfer (REST) Application Programming Interfaces (APIs) (RESTful APIs)
• Framework for implementation, not a protocol
Many public clouds use application programming interfaces (APIs) based on Representational State Transfer (REST) rather than SOAP. These are often called RESTful APIs. Where SOAP is a tightly specified protocol, REST is a looser architectural framework. This allows the service provider more choice over implementation elements.
OAuth
• Designed to communicate authorizations rather than explicitly authenticate a subject
• Client sites and apps interact with OAuth IdPs and resource servers that hold the principal’s account/data
• Different flow types for server to server or mobile app to server
• JavaScript Object Notation (JSON) Web Token (JWT)
• OpenID Connect (OIDC)
- Adds functions and flows to OAuth to support explicit authentication
**Remember, OAuth is more designed to communicate authorizations vs authenticating a subject
AUP
Acceptable use policy (AUP)
• Employee use of employer’s hardware and software assets