Identity and Access Fundamentals PDF
Chapter 16: Identity and Access Fundamentals, Quick Review (CISSP All-in-One Exam Guide, pp. 757–758)

- Identification describes a method by which a subject (user, program, or process) claims to have a specific identity (e.g., username, account number, or e-mail address).
- Authentication is the process by which a system verifies the identity of the subject, usually by requiring a piece of information that only the claimed identity should have.
- Credentials consist of an identification claim (e.g., username) and authentication information (e.g., password).
- Authorization is the determination of whether a subject has been given the necessary rights and privileges to carry out the requested actions.
- The three main types of factors used for authentication are something a person knows (e.g., password), something a person has (e.g., token), and something a person is (e.g., fingerprint), which can be combined with two additional factors: somewhere a person is (e.g., geolocation) and something a person does (e.g., keystroke behavior).
- Knowledge-based authentication uses information a person knows, such as a password, passphrase, or life experience.
- Salts are random values added to plaintext passwords prior to hashing to add more complexity and randomness.
- Cognitive passwords are fact- or opinion-based questions, typically based on life experiences, used to verify an individual's identity.
- A Type I biometric authentication error occurs when a legitimate individual is denied access; a Type II error occurs when an impostor is granted access.
- The crossover error rate (CER) of a biometric authentication system represents the point at which the false rejection rate (Type I errors) is equal to the false acceptance rate (Type II errors).
- Ownership-based authentication is based on something a person owns, such as a token device.
- A token device, or password generator, is usually a handheld device that has a display (and possibly a keypad), is synchronized in some manner with the authentication server, and displays to the user a one-time password (OTP).
- A synchronous token device requires the device and the authentication service to advance to the next OTP in sync with each other; an asynchronous token device employs a challenge/response scheme to authenticate the user.
- A memory card holds information but cannot process information; a smart card holds information and has the necessary hardware and software to actually process that information.
- Password managers or password vaults are a popular solution to remembering a myriad of complex passwords.
- Just-in-time (JIT) access is a provisioning methodology that elevates users to the necessary privileged access to perform a specific task.
- User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes.
- An authoritative system of record (ASOR) is a hierarchical tree-like structure system that tracks subjects and their authorization chains.
- A session is an agreement between two parties to communicate interactively.
- Auditing capabilities ensure users are accountable for their actions, verify that the security policies are enforced, and can be used as investigation tools.
- Deleting specific incriminating data within audit logs is called scrubbing.
- Identity management (IdM) is a broad term that encompasses the use of different products to identify, authenticate, and authorize users through automated means.
- Directory services map resource names to their corresponding network addresses, allowing discovery of and communication with devices, files, users, or any other asset.
- The most commonly implemented directory services, such as Microsoft Windows Active Directory (AD), implement the Lightweight Directory Access Protocol (LDAP).
- Single sign-on (SSO) systems allow users to authenticate once and be able to access all authorized resources, which reduces the amount of time users spend authenticating and enables administrators to streamline user accounts and better control access rights.
- A federated identity is a portable identity, and its associated entitlements, that allows a user to be authenticated across multiple IT systems and enterprises.
- Identity as a Service (IDaaS) is a type of Software as a Service (SaaS) offering that is normally configured to provide SSO, federated identity management (FIM), and password management services.
- There are three basic approaches to architecting identity management services: on-premise, cloud-based, and a hybrid of both.