Chapter 2 - Understanding Identity and Access Management.pdf

Full Transcript

Chapter 2

Understanding Identity and Access Management
Successful Passing SY0-701
 Summarize fundamental security concepts.
Given a scenario, analyze indicators of malicious
activity.
Explain the purpose of mitigation techniques used to
secure the enterprise.
OBJECTIVES Given a scenario, modify enterprise capabilities to
enhance security.
Given a scenario, implement and maintain identity and
access management.
Access Control Definitions
Subject
Active entity that requests access to an object or the data within
an object
Object
Passive entity that contains information
Access
Ability of subject to “do something”
Read, create, delete, modify
Flow of information between a subject and an object
Access Control (Identification, Authentication, Authorization,
Accounting)
Security features that control how subjects and objects
communicate and interact with other subjects and objects
 Identification
Associates a subject (user or software process) with an action performed on a network system
Identifier – unique to subject
Account
Credentials – information used to authenticate
Username / password, smartcard / pin
Profile – information stored about the subject
Contact info, group membership
Issuance / Enrollment (Identity proofing)
Processes by which a subject's credentials are recorded and issued and linked to the correct
account and by which the account profile is created and maintained.
Identity Management
Refers to the issues and problems that must be overcome in implement the identification and
authentication system across different network sand applications
(password reset – reduce administrative cost/work, SSO – application compatibility, difficult to
secure across third-party networks)
Authentication
(Proving it)
Verifying the claimant
Four types:
Something you know
Something you have
Something you are
Somewhere you are
Multi-factor authentication (MFA)
Type 1 – Something
the User Knows
Passwords

PINs

Passphrases
Passwords

Password Characteristics
Cheapest, least secure, most
widely used authentication
technology

Least secure because users
choose easy passwords, share
them, write them down, or do
not change them

Lack of strict password policy
enforcement reduces security

Password generators can create
complex passwords, but users
will just write them down
Password Best
Practices
At least twelve characters (alphanumeric and
symbols) with upper- and lower-case values
User should not be able to use same password or
share passwords
Password history
Passwords should not be easily guessed or
dictionary words
Threshold (clipping level) of acceptable number of
failed logins logged
Audit log should contain date, time, user ID, and
workstation logged in from
Password lifetime should be short, but practical
Authentication A sequence of characters longer than a password
More secure than a password because it’s longer
Mechanism – Once entered, the software transforms it into a virtual
password
Passphrase Usually easier for a user to remember

Passphrase

Virtual Password

Authentication
Password
Managers
A password manager is a
software application that
helps you create, store,
and use strong passwords
for your online accounts.
Password managers can
also help you store other
sensitive information,
such as credit card
numbers, addresses, and
phone numbers.
What is knowledge-
based authentication?

Knowledge-based authentication (KBA)
is an authentication method in which
users are asked to answer at least one
secret question. KBA is often used as a
component in multifactor
authentication (MFA) and for self-
service password retrieval.
Dynamic KBA is a high level of
authentication that uses knowledge
questions to verify each individual
identity but does not require the person
to have provided the questions and
answers beforehand
 Type 2 - Something You Have
Something you have
Smart card
Require for smart card : PKI and Embedded certificate (hold users
private key)
Often use with another factor
Tokens or key fobs (one-time password)
Displays a number that changes periodically, such as every 60 seconds
Token is synced with a server that knows what the number is at any
moment
HOTP – use HMAC to combine a secret key and an incrementing
counter, then use HMAC to create a hash of the result, then converts
that into an HOTP value of six to eight digits (remains valid until used)
TOTP – similar to HOTP but uses a timestamp instead of counter and
will expire after 30 seconds – usually cheaper
CACs and PIVs
Common access cards (DoD), Personal Identity Verification (federal
agencies)
Security Key
A security key, also known as a security token, is a
physical device that can be used to add an extra layer
of protection to online accounts and systems. They are
often small and look like a thumb drive or tag, and can
have features like near-field communication (NFC)
capabilities and fingerprint scanners. Security keys can
be used for two-factor authentication (2FA) or multi-
factor authentication (MFA) to help protect against
account takeover fraud, identity theft, and other online
threats
Soft Token
A soft token, also known as a
software token, is a digital
security device that generates a
one-time passcode for two-factor
or multi-factor authentication
(MFA). Soft tokens are usually
apps that are downloaded and
installed on a computer or mobile
device, such as a smartphone, and
can be used to protect sensitive
data and networked information.
Two-Step Verification
/ Push Authentication
Push authentication is a mobile-centric
authentication whereby the service
provider sends the user a notification over
the most secure available communication
channel. The user responds to the
challenge by performing an action to verify
their identity and access the service.
2-step verification adds an extra layer of
security to your Google Account. In
addition to your username and password,
you'll enter a code that Google will send
you via text or voice message upon signing
in.
Type 3 – Something
the User “Is”
Sophisticated
Expensive
Type 1 error – false reject rate (FRR)
Type 2 error – false accept rate (FAR)
Crossover error rate (CER)
Biometrics Process – Enrollment
User must complete an enrollment process that stores the physical attributes in a reference file
When the user needs to authenticate, his attributes are compared to this file
Process looks at highly detailed information, so it is prone to errors
(Type I error) – incorrectly rejects an authorized user
Also known as False Reject Rate (FRR) – identifies the percentage of times the false
rejection occurred (false positive) – true positive (good)
(Type II error) – incorrectly identifies an unauthorized user as an authorized user.
Also known as False Acceptance Rate (FAR) – identifies the percentage of times the
false acceptance occurred (false negative) – true negative (good)
True acceptance – accurately determines a positive match
True rejection – accurately determines a non-match
Types of
Biometrics
Fingerprint
Vein Matching
Retina Imaging
Iris Scan
Facial Recognition
Voice recognition
Gait analysis
Something You Do
Signature Dynamics
Voice-Scan
Signature may change
Cold or illness
High false rejection rate
Speaking softly
Pressure points may change because of
Variation in background noise
weather or disease
System can get fooled by imitating

Gait analysis
Keyboard Dynamics
is the systematic study of animal
User susceptibility to fatigue locomotion, more specifically the study
Dynamic change in typing patterns of human motion, using the eye and the
brain of observers, augmented by
Injury, skill of all users instrumentation for measuring body
Change of keyboard hardware movements, body mechanics, and the
activity of the muscles

Slide 19
Other Types – Somewhere
a User is (Geolocation)

GPS-tracked individual
System is authenticated through geographic
location
Multifactor
Authentication
Strong authentication requires
two (or more) types
Something you know AND
something you HAVE
Something you know AND
something you are
NOT something you know AND
something else you know.
 Passwordless authentication is an authentication
Passwordless method in which a user can log in to a computer
authentication system without the entering a password or any
other knowledge-based secret
 Authentication log files record information about
Authentication authentication events that occur when users try to access
network resources. This information can be used to
Log Files troubleshoot access issues, adjust authentication policies, and
detect security threats
MANAGING
ACCOUNTS
Credential
Policies and
Account Types
Personnel or
End-user
Accounts
The authorization given to
users that enables them to
access specific resources on
the network, such as data
files, applications, printers
and scanners. User
permissions also designate
the type of access; for
example, can data only be
viewed (read only) or can
they be updated
(read/write).
Administrator and
Root Accounts
In Windows operating systems, root
access is called “Administrator” access or
privileges. Users with Administrator access
have the highest level of control over the
system, including installing and removing
software and modifying system settings
Administrators can change security
settings, install software and hardware,
access all files on the computer, and make
changes to other user accounts.
Service Account
Service accounts can have different permissions depending on
the system they are used on:
Local system - Service accounts can have privileged access to
local system resources.
Off-system resources - Some service accounts, like Windows
domain accounts, can also access resources outside of the
system.
Google Cloud - Service accounts can be granted access to
Google Cloud resources, such as Compute Engine resources,
by assigning them roles. For example, a service account can
be granted the Compute Admin role on a project. Service
accounts can also be used to grant permissions to virtual
machines.
Device Accounts
Service accounts are special types of
accounts in Active Directory that
provide a security context for services
running on a server. These accounts
have unique permissions and
privileges that allow them to perform
specific tasks
Third party
account
A third party account has a different legal
ownership from your main account. So, if
your organization owns your main account, a
third party account is any account not
owned by your organization.
PayPal is one good example of an online
payment portal that acts as a third party in a
retail transaction. A seller offers a good or
service, and a buyer uses a credit card
entered through the PayPal payment service.
The payment is run through PayPal and is
thus a third-party transaction.
Guest Accounts
A default set of permissions and
privileges given to non-registered
users of a system or service.
Shared and
Generic
Accounts
Shared and generic accounts
are computer accounts that can
be used by more than one
person. They can be used across
platforms, networks, or databases
and can be ideal for representing
a group or project team. For
example, a technical services
department might create a shared
account for two students who
process items physically, one in
the morning and one in the
afternoon
PAM
Privileged access management (PAM)
is an identity security solution
that helps protect organizations
against cyberthreats by monitoring,
detecting, and preventing
unauthorized privileged access to
critical resources.
Privileged Access Management (PAM)
is a cybersecurity strategy that
protects organizations from
cyberthreats by preventing
unauthorized access to critical
resources. PAM is also known as
privileged identity management (PIM)
or privileged access security (PAS)
Why it is safer for administrators
to use two different accounts?

By having separate accounts, you can
configure strict Conditional Access for
your administrator accounts, without
hindering regular user accounts. The
same approach is viable for other
security policies such as the allowed
authentication methods and password
policies since these policies are scoped
to user accounts.
 Many organizations have account management policies

Disabling (sometimes called account disablement policies) that
specify how to manage accounts in different situations.

and For example, most organizations require
administrators to disable user accounts as soon as
Deleting possible when employees leave the organization.
Disabling is preferred over deleting the account, at
User least initially. If administrators delete the account, they
also delete any encryption and security keys associated
Accounts with the account.
However, these keys are retained when the account is
disabled. As an example, imagine that an employee
encrypted files with his account. If the account was
deleted, these files may remain encrypted forever
unless the organization has a key escrow or recovery
agent that can access the files.
 Terminated employee. An account disablement policy specifies
that accounts for ex-employees are disabled as soon as possible.
This ensures a terminated employee doesn’t become a
disgruntled ex-employee who wreaks havoc on the network.
Note that “terminated” refers to both employees who resign and
(Deprovisioning) employees who are fired.

Some contents
Leave of absence. If an employee will be absent for an extended
period, the account should be disabled while the employee is

of an account
away. Organizations define extended period differently, with
some organizations defining it as only two weeks, whereas other

disablement
organizations extend it out to as long as two months.

policy include: Delete account. When the organization determines the account
is no longer needed, administrators delete it. For example, the
policy may direct administrators to delete accounts that have
been inactive for 60 or 90 days.
 Time of day restrictions can limit access to a system or network based on the time of day.
They can be used to ensure that only certain users can access specific resources during

Time-Based certain hours. This can help to reduce the risk of unauthorized access or misuse, especially in
environments that require high levels of security or regulatory compliance. For example,
time of day restrictions can be used to:

Logins Allow administrators to update records at night without interference from other users
Limit when shift workers can access company resources
Give users temporary access to resources between certain times
Privilege
Creep
Gradual accumulation of
network access rights that
exceed what an individual
needs to perform their
job. It can be a significant
security risk that can lead
to internal data breaches,
insider threats,
cyberattacks, and
compliance violations.
Attestation
Attestation security permissions, also
known as identity and access attestation,
is a process that verifies and manages
access to systems, applications, and
resources within an organization. It
ensures that only authorized individuals
have access based on their roles and
responsibilities. Attestation is a key
component of identity governance, which
is vital to an organization's information
security
COMPARING
AUTHENTICATION SERVICES
 Federation and Trusts (ADFS)
Federation or identity federation, defines polices, protocols, and
practices to manage identities across systems and organizations.
Allows users to access data or systems across domains

Federation means networks must establish a trust relationship of some
kind

One-way (child trusts parent but parent does not trust child )
Two-way (child trusts parent and parent trusts child)
Non-transitive trust means the trust relationship remains only between those domains
Transitive trust means that trust extends to other trusted domains
SAML
Security Assertion Markup Language (SAML)
is an open standard that allows parties to
exchange authentication and authorization
data. It's an XML-based markup language
that's used to enable single sign-on (SSO)
technology. SAML works by allowing an
identity provider (IdP) to authenticate users
and then pass an authentication token to a
service provider (SP). The SP can then use
this information to determine if the user is
authorized to access certain systems or
conten
OAuth
OAuth is an open-standard authorization protocol
or framework that provides applications the
ability for “secure designated access.” For
example, you can tell Facebook that it's OK for
ESPN.com to access your profile or post updates
to your timeline without having to give ESPN your
Facebook password.
SAML is designed for authentication and
authorization while OAuth was built solely for
authorization. Understanding the different
purposes of each is key to understanding how an
access management system works.
Authorization Models
  Discretionary Access Control (DAC)
 ACLs
 Ownership
 Flexible
 Decentralized
 Rule-based Access Control (RBAC)
 ACLs
 Non-discretionary
Formal Access  Centralized (administrative control)
 Mandatory Access Control (MAC)
Control  Labels and clearance
 Inflexible
Models  Role-based Access Control
 Job role based
 Attributes –base Access Control (ABAC)
 Object or Resource Attributes
 Subject Attributes
 Environment Attributes
 Most flexible model
 RBAC Characteristics
Allows access to objects based on the role
the user holds within the company

Role-Based Administrators assign a user to a role and
then assign access rights to that role, not

Access directly to the user

This is best used in environments with a high
Control rate of turnover of employees

Roles can be based on
Role user fulfills in organization
Tasks user performs
 Role-Based (matrix – project server)

Role Server Privileges Project Privileges
Administrative All All
Executives None All
Project managers None All on assigned projects
No access on unassigned projects
Team members None Access for assigned tasks
Limited views within scope of their assigned tasks
No views outside the scope of their assigned
tasks
Access Rule-based Access
◦ Rule-based Access Control techniques are based on specific rules that
indicate what can and cannot happen to an object
Control ◦ Explicit allow – specify what you want to allow access
◦ Explicit deny – specify what you do not want to allow access

Technique – ◦ Implicit deny – default rule to block traffic that has not been specified
◦ Implicit allow – should not be set as a default will allow all traffic in that does not

Rule-based match
◦ Access is not necessarily granted based on subject’s identity
◦ IP address, protocol, port number, source and destination, access request, command
DAC Characteristics
Data owner specifies who can access resources
Data owner is usually the creator and has full control of object
Called discretionary because control of access is based on the discretion of the owner
Mostly implemented through ACL's, based on “need-to-know”
DAC model is used in environments that do not require a high level of centralized security
User-controlled sharing that reduces central system administration
End users are usually not the owners of all the objects they access – the corporation is the actual owner
DAC Weaknesses –
1. Poses risks in that it relies on decisions by the end user to set
the proper permissions.
2. A subject’s permission will be “inherited” by any programs that the subject executes

Discretionary Access Control
MAC Characteristics
Access is based on security clearance of subject and classification of object
Each user is assigned a clearance, and each object has a classification and compartment stored in its security label
Access is decided by the system and not up to the discretion of a data owner
Subject cannot pass access permission to another subject
Used in environments that require higher levels of security and structure
DAC can be used for unclassified data
MAC is used for classified data
Used in many military institutions

Example: If the object label is top secret, yet the subject only has a lower
secret clearance, than access is denied. Subjects cannot change the labels of objects or other subjects in order to modify
the security setting

UAC Settings in Windows – would be a prime example of this

Mandatory Access Control
▪ Key to Mandatory Access Control decision making

▪ To access and modify an object, the subject’s label
must dominate the object’s label
▪ A physically unique label is not necessary for every
object.
▪ All files on one system can share the same label

▪ Trusted computer system ensures that labels cannot
be arbitrarily changed
▪ Installed and maintained by specified systems
administrators

▪ Trusted computer controls flow of information
between classification levels

LABELS
Attribute-Based
Access Control
(ABAC)
ABAC (Attribute-Based Access
Control)
A mechanism for assigning
access and privileges to
resources through a scheme of
attributes or characteristics.
Attributes include:
–Object or Resource Attributes
–Subject Attributes
–Environment Attributes
Most flexible model
Chapter 2

Understanding Identity and Access Management
Successful Passing SY0-701