Chapter 2 - Understanding Identity and Access Management.pdf

Full Transcript


Chapter 2 Understanding Identity and Access Management
Successful Passing SY0-701

OBJECTIVES
- Summarize fundamental security concepts.
- Given a scenario, analyze indicators of malicious activity.
- Explain the purpose of mitigation techniques used to secure the enterprise.
- Given a scenario, modify enterprise capabilities to enhance security.
- Given a scenario, implement and maintain identity and access management.

Access Control Definitions
- Subject: active entity that requests access to an object or the data within an object
- Object: passive entity that contains information
- Access: the ability of a subject to “do something” (read, create, delete, modify); the flow of information between a subject and an object
- Access Control (Identification, Authentication, Authorization, Accounting): security features that control how subjects and objects communicate and interact with other subjects and objects

Identification
- Associates a subject (user or software process) with an action performed on a network system
- Identifier: unique to the subject
- Account
  - Credentials: information used to authenticate (username / password, smart card / PIN)
  - Profile: information stored about the subject (contact info, group membership)
- Issuance / Enrollment (identity proofing): the processes by which a subject's credentials are recorded, issued and linked to the correct account, and by which the account profile is created and maintained
Identity Management
- Refers to the issues and problems that must be overcome in implementing the identification and authentication system across different networks and applications (password reset: reduce administrative cost/work; SSO: application compatibility, difficult to secure across third-party networks)

Authentication (Proving It)
- Verifying the claimant
- Four types:
  - Something you know
  - Something you have
  - Something you are
  - Somewhere you are
- Multi-factor authentication (MFA)

Type 1 – Something the User Knows
- Passwords
- PINs
- Passphrases

Password Characteristics
- Cheapest, least secure, most widely used authentication technology
- Least secure because users choose easy passwords, share them, write them down, or do not change them
- Lack of strict password policy enforcement reduces security
- Password generators can create complex passwords, but users will just write them down

Password Best Practices
- At least twelve characters (alphanumeric and symbols) with upper- and lower-case values
- Users should not be able to reuse the same password (password history) or share passwords
- Passwords should not be easily guessed or dictionary words
- A threshold (clipping level) of acceptable failed logins, with failures logged
- The audit log should contain date, time, user ID, and the workstation logged in from
- Password lifetime should be short, but practical

Passphrase
- A sequence of characters longer than a password
- More secure than a password because it’s longer
- Mechanism: once entered, the software transforms it into a virtual password
- Usually easier for a user to remember
- Flow: Passphrase -> Virtual Password -> Authentication

Password Managers
A password manager is a software application that helps you create, store, and use strong passwords for your online accounts. Password managers can also help you store other sensitive information, such as credit card numbers, addresses, and phone numbers.

What is knowledge-based authentication?
Knowledge-based authentication (KBA) is an authentication method in which users are asked to answer at least one secret question. KBA is often used as a component in multifactor authentication (MFA) and for self-service password retrieval. Dynamic KBA is a high level of authentication that uses knowledge questions to verify each individual identity but does not require the person to have provided the questions and answers beforehand.

Type 2 – Something You Have
- Smart card
  - Requires PKI and an embedded certificate (holds the user's private key)
  - Often used with another factor
- Tokens or key fobs (one-time password)
  - Displays a number that changes periodically, such as every 60 seconds
  - The token is synced with a server that knows what the number is at any moment
  - HOTP: uses HMAC over a secret key and an incrementing counter, then truncates the resulting hash into an HOTP value of six to eight digits (the value remains valid until used)
  - TOTP: similar to HOTP but uses a timestamp instead of a counter; the value expires after 30 seconds; usually cheaper
- CACs and PIVs: Common Access Cards (DoD) and Personal Identity Verification cards (federal agencies)

Security Key
A security key, also known as a security token, is a physical device that can be used to add an extra layer of protection to online accounts and systems. They are often small and look like a thumb drive or tag, and can have features like near-field communication (NFC) capabilities and fingerprint scanners. Security keys can be used for two-factor authentication (2FA) or multi-factor authentication (MFA) to help protect against account takeover fraud, identity theft, and other online threats.

Soft Token
A soft token, also known as a software token, is a digital security device that generates a one-time passcode for two-factor or multi-factor authentication (MFA).
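The HOTP and TOTP mechanics described under “Something You Have” above, worked through as an added example (not code from the slides): RFC 4226 HMAC-SHA1 with dynamic truncation, TOTP as HOTP over a 30-second step counter, and the server-side checks that make a used HOTP code invalid and a TOTP code expire. The secret is the published RFC test-vector key, an assumption for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (assumption): the 20-byte ASCII key from the
# RFC 4226 / RFC 6238 test vectors. A real token holds a per-device secret
# provisioned at enrollment and shared only with the authentication server.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    The counter is packed as an 8-byte big-endian integer, HMAC-SHA1 is
    computed over it with the shared secret, and 'dynamic truncation' picks
    4 bytes out of the 20-byte digest. That value mod 10**digits, zero-padded,
    is the code shown on the token.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter
    replaced by the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 10):
    """Server-side HOTP check. The token may have been pressed without a
    login, so the server searches a small look-ahead window beyond the last
    counter it accepted. Returns (ok, new_counter); advancing the stored
    counter is what makes a used code invalid ("remains valid until used")."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True, c
    return False, last_counter


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                skew: int = 1, step: int = 30) -> bool:
    """Server-side TOTP check: accept the current step plus `skew` steps on
    either side to tolerate clock drift. Anything older has expired."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(secret, t + d), submitted)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(DEMO_SECRET, c)}")
    print("TOTP at t=59 (8 digits):", totp(DEMO_SECRET, 59, digits=8))
```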
Soft tokens are usually apps that are downloaded and installed on a computer or mobile device, such as a smartphone, and can be used to protect sensitive data and networked information.

Two-Step Verification / Push Authentication
Push authentication is a mobile-centric authentication method whereby the service provider sends the user a notification over the most secure available communication channel. The user responds to the challenge by performing an action to verify their identity and access the service.
2-Step Verification adds an extra layer of security to your Google Account. In addition to your username and password, you'll enter a code that Google will send you via text or voice message upon signing in.

Type 3 – Something the User “Is”
- Sophisticated
- Expensive
- Type 1 error: false reject rate (FRR)
- Type 2 error: false accept rate (FAR)
- Crossover error rate (CER)

Biometrics Process – Enrollment
- The user must complete an enrollment process that stores the physical attributes in a reference file
- When the user needs to authenticate, their attributes are compared to this file
- The process looks at highly detailed information, so it is prone to errors
- Type I error: incorrectly rejects an authorized user
- Type II error: incorrectly identifies an unauthorized user as an authorized user
- Type I error is also known as the False Reject Rate (FRR): the percentage of times a false rejection occurred (false positive); a true positive is good
- Type II error is also known as the False Acceptance Rate (FAR): the percentage of times a false acceptance occurred (false negative); a true negative is good
- True acceptance: accurately determines a positive match
- True rejection: accurately determines a non-match

Types of Biometrics
- Fingerprint
- Vein matching
- Retina imaging
- Iris scan
- Facial recognition
- Voice recognition
- Gait analysis

Something You Do
- Signature dynamics
  - Signature may change
  - Pressure points may change because of weather or disease
- Voice scan
  - Cold or illness
  - High false rejection rate
  - Speaking softly
  - Variation in background noise
  - System can get fooled by imitating
- Keyboard dynamics
  - User susceptibility to fatigue
  - Dynamic change in typing patterns
  - Injury, skill of all users
  - Change of keyboard hardware
- Gait analysis is the systematic study of animal locomotion, more specifically the study of human motion, using the eye and the brain of observers, augmented by instrumentation for measuring body movements, body mechanics, and the activity of the muscles

Other Types – Somewhere a User Is (Geolocation)
- GPS-tracked individual
- The system is authenticated through geographic location

Multifactor Authentication
- Strong authentication requires two (or more) types
- Something you know AND something you HAVE
- Something you know AND something you are
- NOT something you know AND something else you know

Passwordless Authentication
Passwordless authentication is an authentication method in which a user can log in to a computer system without entering a password or any other knowledge-based secret.

Authentication Log Files
Authentication log files record information about authentication events that occur when users try to access network resources.
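An added example, not from the slides, of processing such records: it applies the failed-login threshold (clipping level) from the password best practices to constructed audit records carrying date, time, user ID and workstation, and uses the same records to flag a workstation failing against many different accounts, which a per-user threshold alone never catches. Log format, threshold and window are assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (assumption, not from the slides): date, time,
# user ID and workstation, as the password slide asks for, plus the outcome.
SAMPLE_LOG = """\
2024-03-04 08:59:10 alice WS-0142 FAIL
2024-03-04 08:59:21 alice WS-0142 SUCCESS
2024-03-04 09:02:01 bob WS-0199 FAIL
2024-03-04 09:02:03 bob WS-0199 FAIL
2024-03-04 09:02:05 bob WS-0199 FAIL
2024-03-04 09:02:07 bob WS-0199 FAIL
2024-03-04 09:02:09 bob WS-0199 FAIL
2024-03-04 09:10:00 carol WS-0300 FAIL
2024-03-04 09:10:02 dave WS-0300 FAIL
2024-03-04 09:10:04 erin WS-0300 FAIL
2024-03-04 09:10:06 frank WS-0300 FAIL
2024-03-04 09:10:08 grace WS-0300 FAIL
2024-03-04 11:30:00 alice WS-0142 FAIL
"""


def parse(line: str):
    # One record -> (timestamp, user, workstation, succeeded)
    date, clock, user, host, result = line.split()
    return datetime.fromisoformat(f"{date} {clock}"), user, host, result == "SUCCESS"


def find_lockouts(log_text: str, threshold: int = 5, window_minutes: int = 15):
    """Apply the clipping level: {user: time} for the first moment a user
    accumulates `threshold` failures inside a sliding window. A successful
    login clears that user's failure history (alice's typo does not count)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    lockouts = {}
    for line in log_text.splitlines():
        ts, user, host, ok = parse(line)
        if ok:
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in lockouts:
            lockouts[user] = ts
    return lockouts


def find_spray_sources(log_text: str, min_users: int = 5, window_minutes: int = 15):
    """Flag workstations whose failures span at least `min_users` distinct
    accounts within the window: one failure per account stays under the
    clipping level, so only counting users per source exposes the pattern."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, host, ok = parse(line)
        if not ok:
            per_host[host].append((ts, user))
    flagged = set()
    for host, events in per_host.items():
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.add(host)
                break
    return flagged
```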
This information can be used to troubleshoot access issues, adjust authentication policies, and detect security threats.

MANAGING ACCOUNTS

Credential Policies and Account Types

Personnel or End-User Accounts
The authorization given to users that enables them to access specific resources on the network, such as data files, applications, printers and scanners. User permissions also designate the type of access; for example, whether data can only be viewed (read only) or can also be updated (read/write).

Administrator and Root Accounts
In Windows operating systems, root access is called “Administrator” access or privileges. Users with Administrator access have the highest level of control over the system, including installing and removing software and modifying system settings. Administrators can change security settings, install software and hardware, access all files on the computer, and make changes to other user accounts.

Service Account
Service accounts can have different permissions depending on the system they are used on:
- Local system: service accounts can have privileged access to local system resources.
- Off-system resources: some service accounts, like Windows domain accounts, can also access resources outside of the system.
- Google Cloud: service accounts can be granted access to Google Cloud resources, such as Compute Engine resources, by assigning them roles. For example, a service account can be granted the Compute Admin role on a project. Service accounts can also be used to grant permissions to virtual machines.

Device Accounts
Service accounts are special types of accounts in Active Directory that provide a security context for services running on a server. These accounts have unique permissions and privileges that allow them to perform specific tasks.

Third Party Account
A third party account has a different legal ownership from your main account.
So, if your organization owns your main account, a third party account is any account not owned by your organization. PayPal is one good example of an online payment portal that acts as a third party in a retail transaction. A seller offers a good or service, and a buyer uses a credit card entered through the PayPal payment service. The payment is run through PayPal and is thus a third-party transaction.

Guest Accounts
A default set of permissions and privileges given to non-registered users of a system or service.

Shared and Generic Accounts
Shared and generic accounts are computer accounts that can be used by more than one person. They can be used across platforms, networks, or databases and can be ideal for representing a group or project team. For example, a technical services department might create a shared account for two students who process items physically, one in the morning and one in the afternoon.

PAM
Privileged access management (PAM) is an identity security solution that helps protect organizations against cyberthreats by monitoring, detecting, and preventing unauthorized privileged access to critical resources. Privileged Access Management (PAM) is a cybersecurity strategy that protects organizations from cyberthreats by preventing unauthorized access to critical resources. PAM is also known as privileged identity management (PIM) or privileged access security (PAS).

Why is it safer for administrators to use two different accounts?
By having separate accounts, you can configure strict Conditional Access for your administrator accounts without hindering regular user accounts. The same approach is viable for other security policies, such as the allowed authentication methods and password policies, since these policies are scoped to user accounts.

Disabling and Deleting User Accounts
Many organizations have account management policies (sometimes called account disablement policies) that specify how to manage accounts in different situations.
For example, most organizations require administrators to disable user accounts as soon as possible when employees leave the organization. Disabling is preferred over deleting the account, at least initially. If administrators delete the account, they also delete any encryption and security keys associated with the account. However, these keys are retained when the account is disabled. As an example, imagine that an employee encrypted files with his account. If the account was deleted, these files may remain encrypted forever unless the organization has a key escrow or recovery agent that can access the files.

Some contents of an account disablement (deprovisioning) policy include:
- Terminated employee. An account disablement policy specifies that accounts for ex-employees are disabled as soon as possible. This ensures a terminated employee doesn’t become a disgruntled ex-employee who wreaks havoc on the network. Note that “terminated” refers to both employees who resign and employees who are fired.
- Leave of absence. If an employee will be absent for an extended period, the account should be disabled while the employee is away. Organizations define extended period differently, with some organizations defining it as only two weeks, whereas other organizations extend it out to as long as two months.
- Delete account. When the organization determines the account is no longer needed, administrators delete it. For example, the policy may direct administrators to delete accounts that have been inactive for 60 or 90 days.

Time-Based Logins
Time of day restrictions can limit access to a system or network based on the time of day. They can be used to ensure that only certain users can access specific resources during certain hours. This can help to reduce the risk of unauthorized access or misuse, especially in environments that require high levels of security or regulatory compliance.
For example, time of day restrictions can be used to:
- Allow administrators to update records at night without interference from other users
- Limit when shift workers can access company resources
- Give users temporary access to resources between certain times

Privilege Creep
Gradual accumulation of network access rights that exceed what an individual needs to perform their job. It can be a significant security risk that can lead to internal data breaches, insider threats, cyberattacks, and compliance violations.

Attestation
Attestation of security permissions, also known as identity and access attestation, is a process that verifies and manages access to systems, applications, and resources within an organization. It ensures that only authorized individuals have access based on their roles and responsibilities. Attestation is a key component of identity governance, which is vital to an organization's information security.

COMPARING AUTHENTICATION SERVICES

Federation and Trusts (ADFS)
- Federation, or identity federation, defines policies, protocols, and practices to manage identities across systems and organizations.
- Allows users to access data or systems across domains
- Federation means networks must establish a trust relationship of some kind:
  - One-way (child trusts parent but parent does not trust child)
  - Two-way (child trusts parent and parent trusts child)
  - Non-transitive trust means the trust relationship remains only between those domains
  - Transitive trust means that trust extends to other trusted domains

SAML
Security Assertion Markup Language (SAML) is an open standard that allows parties to exchange authentication and authorization data. It's an XML-based markup language that's used to enable single sign-on (SSO) technology. SAML works by allowing an identity provider (IdP) to authenticate users and then pass an authentication token to a service provider (SP).
The SP can then use this information to determine if the user is authorized to access certain systems or content.

OAuth
OAuth is an open-standard authorization protocol or framework that provides applications the ability for “secure designated access.” For example, you can tell Facebook that it's OK for ESPN.com to access your profile or post updates to your timeline without having to give ESPN your Facebook password. SAML is designed for authentication and authorization, while OAuth was built solely for authorization. Understanding the different purposes of each is key to understanding how an access management system works.

Authorization Models (Formal Access Control Models)
- Discretionary Access Control (DAC)
  - ACLs
  - Ownership
  - Flexible
  - Decentralized
- Rule-based Access Control (RBAC)
  - ACLs
  - Non-discretionary
  - Centralized (administrative control)
- Mandatory Access Control (MAC)
  - Labels and clearance
  - Inflexible
- Role-based Access Control
  - Job role based
- Attribute-based Access Control (ABAC)
  - Object or resource attributes
  - Subject attributes
  - Environment attributes
  - Most flexible model

Role-Based Access Control – RBAC Characteristics
- Allows access to objects based on the role the user holds within the company
- Administrators assign a user to a role and then assign access rights to that role, not directly to the user
- This is best used in environments with a high rate of turnover of employees
- Roles can be based on:
  - The role the user fulfills in the organization
  - The tasks the user performs

Role-Based (matrix – project server)
Role             | Server privileges | Project privileges
Administrative   | All               | All
Executives       | None              | All
Project managers | None              | All on assigned projects; no access on unassigned projects
Team members     | None              | Access for assigned tasks; limited views within the scope of their assigned tasks; no views outside the scope of their assigned tasks

Access Control Technique – Rule-Based
- Rule-based Access Control techniques are based on specific rules that indicate what can and cannot happen to an object
- Explicit allow: specify what you want to allow access to
- Explicit deny: specify what you do not want to allow access to
- Implicit deny: the default rule blocks traffic that has not been specified
- Implicit allow: should not be set as the default, because it will allow in all traffic that does not match a rule
- Access is not necessarily granted based on the subject’s identity
- Rules can match on IP address, protocol, port number, source and destination, access request, or command

Discretionary Access Control – DAC Characteristics
- The data owner specifies who can access resources
- The data owner is usually the creator and has full control of the object
- Called discretionary because control of access is based on the discretion of the owner
- Mostly implemented through ACLs, based on “need-to-know”
- The DAC model is used in environments that do not require a high level of centralized security
- User-controlled sharing that reduces central system administration
- End users are usually not the owners of all the objects they access; the corporation is the actual owner
- DAC weaknesses:
  1. Poses risks in that it relies on decisions by the end user to set the proper permissions.
  2. A subject’s permissions will be “inherited” by any programs that the subject executes.

Mandatory Access Control – MAC Characteristics
- Access is based on the security clearance of the subject and the classification of the object
- Each user is assigned a clearance, and each object has a classification and compartment stored in its security label
- Access is decided by the system and not up to the discretion of a data owner
- A subject cannot pass access permission to another subject
- Used in environments that require higher levels of security and structure
- DAC can be used for unclassified data; MAC is used for classified data
- Used in many military institutions
- Example: if the object label is top secret, yet the subject only has a lower secret clearance, then access is denied.
- Subjects cannot change the labels of objects or other subjects in order to modify the security setting
- UAC settings in Windows would be a prime example of this

Labels
- Key to Mandatory Access Control decision making
- To access and modify an object, the subject’s label must dominate the object’s label
- A physically unique label is not necessary for every object; all files on one system can share the same label
- A trusted computer system ensures that labels cannot be arbitrarily changed
- Installed and maintained by specified systems administrators
- The trusted computer controls the flow of information between classification levels

Attribute-Based Access Control (ABAC)
A mechanism for assigning access and privileges to resources through a scheme of attributes or characteristics. Attributes include:
- Object or resource attributes
- Subject attributes
- Environment attributes
Most flexible model
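An added example, not from the slides, implementing the label dominance rule from the MAC slides and an ABAC policy that combines subject, object and environment attributes (the time-of-day restriction from the account management section serves as the environment attribute). The classification levels, rules and attribute names are assumptions for the demo.

```python
from dataclasses import dataclass, field

# Ordered classification levels, lowest to highest (assumed set; the slides
# only name "secret" and "top secret").
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """MAC security label: a classification level plus a set of compartments.
    Labels are immutable here to mirror the rule that subjects cannot change
    the labels of objects or other subjects."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # Dominance: at least as high a level AND every compartment of `other`.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_access_allowed(subject: Label, obj: Label) -> bool:
    """The system, not a data owner, decides: access requires the subject's
    clearance label to dominate the object's label."""
    return subject.dominates(obj)


# ABAC: each rule is a predicate over subject, object and environment
# attributes; access is granted when any rule in the policy is satisfied.
# The two rules below are constructed for the demo (assumption).
def team_member_on_assigned_project_in_hours(subject, obj, env) -> bool:
    # subject attributes: role, assigned projects; object attribute: project;
    # environment attribute: hour of day (the time-of-day restriction slide).
    return (subject.get("role") == "team member"
            and obj.get("project") in subject.get("projects", ())
            and 8 <= env.get("hour", -1) < 18)


def administrator_any_time(subject, obj, env) -> bool:
    return subject.get("role") == "administrative"


DEMO_POLICY = [administrator_any_time, team_member_on_assigned_project_in_hours]


def abac_access_allowed(subject: dict, obj: dict, env: dict, policy=DEMO_POLICY) -> bool:
    return any(rule(subject, obj, env) for rule in policy)


if __name__ == "__main__":
    # The slide's example: top secret object, subject cleared only to secret.
    print(mac_access_allowed(Label("secret"), Label("top secret")))  # False
    member = {"role": "team member", "projects": ("apollo",)}
    print(abac_access_allowed(member, {"project": "apollo"}, {"hour": 9}))  # True
    print(abac_access_allowed(member, {"project": "apollo"}, {"hour": 22}))  # False
```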
