Identity and Access Management (IAM) - 2 PDF
Document Details
Uploaded by NicerSerpentine6734
Karnavati University
Summary
This document is about Identity and Access Management (IAM). It details authentication, authorization, single sign-on (SSO) and multi-factor authentication (MFA) mechanisms, and the benefits and security risks of each. It also covers access management to resources based on different policies, and related concepts.
Full Transcript
Identity and Access Management (IAM) - 2

Outline
Access Management:
4.1.1. Authentication
4.1.1.1. Types of Authentication Factors (something you know, have, are)
4.1.1.2. Single Sign-On (SSO), Multi-factor authentication (MFA)
4.1.1.3. Passwordless Authentication
4.1.2. Authorization:
4.1.2.1. Attribute-based access control (ABAC)
4.1.2.2. Rule-based access control (RBAC)
4.1.2.3. Policy-based access control (PBAC)

Access Control
Access control is the method by which systems determine whether and how to admit a user into a trusted area of the organization: information systems, restricted areas such as computer rooms, and the entire physical location. Access control is achieved by means of a combination of policies, programs, and technologies.

Access controls can be categorized as mandatory, nondiscretionary, and discretionary.

Mandatory access controls (MACs) use data classification schemes; they give users and data owners limited control over access to information resources.

Nondiscretionary access controls are a strictly enforced version of MACs, managed by a central authority in the organization. They can be based on an individual's role (role-based controls) or on a specified set of tasks (subject- or object-based task-based controls). It is easy to maintain the controls and restrictions associated with a particular role or task, especially if the individual performing the role or task changes often.

Discretionary access controls (DACs) are used to share resources in a peer-to-peer configuration; they allow users to control, and possibly provide, access to information or resources at their disposal. For example, a user has a hard drive containing information to be shared with office coworkers. This user can elect to allow access to specific individuals by granting access, by name, in the share control function.
In general, all access control approaches rely on the following mechanisms: identification, authentication, authorization, and accountability.

Identification is a mechanism whereby an unverified entity, called a supplicant, that seeks access to a resource proposes a label by which it is known to the system. The label applied to the supplicant (or supplied by the supplicant) is called an identifier (ID), and it must be mapped to one and only one entity within the security domain.

Authentication is the process of validating a supplicant's purported identity. There are three widely used authentication mechanisms, or authentication factors:
- Something a supplicant knows: a password, passphrase, or other unique authentication code, such as a personal identification number (PIN).
- Something a supplicant has: dumb cards such as ID cards or ATM cards, or smart cards.
- Something a supplicant is: fingerprints, palm prints, hand topography, hand geometry, or retina and iris scans.

Authorization is the matching of an authenticated entity to a list of information assets and corresponding access levels. Authorization can be handled in one of three ways:
- Authorization for each authenticated user.
- Authorization for members of a group.
- Authorization across multiple systems, in which a central authentication and authorization system verifies the entity's identity and grants it a set of credentials.

Accountability, also known as auditability, ensures that all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity. Accountability is most often accomplished by means of system logs and database journals, and the auditing of these records.

Single Sign-On (SSO)
Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications or services with one set of login credentials. After logging in once, users can move between different platforms without logging in again for each one.
Benefits of SSO:
- Convenience: Users only need to remember one password.
- Time-Saving: Reduces time spent logging in and out of different applications.
- Improved Security: Reduces password fatigue, which leads to stronger password practices.
- Centralized User Management: Easier for administrators to manage user access across multiple services.

Drawbacks of SSO:
- Security Risks: A compromised SSO account can give access to multiple services, so the IdP account becomes the highest-value target and should itself be protected with MFA.
- Implementation Complexity: Setting up SSO can be technically challenging, especially for large organizations.

How SSO Works
1. User Authentication: The user logs into an SSO service using their credentials (username and password).
2. Token Issuance: Upon successful authentication, the SSO service generates an authentication token (such as a SAML assertion or a JWT) and sends it back to the user's browser.
3. Accessing Applications: When the user tries to access a different application, the application checks for the SSO token.
4. Validation: The application validates the token, either locally by checking the identity provider's signature, issuer, audience and expiry, or by presenting it to the SSO service for verification.
5. Access Granted: If the token is valid, the user is granted access without needing to log in again.

Implementation Steps
1. Choose an SSO Solution: Depending on your needs, you might choose a cloud-based service (like Okta or Auth0) or implement an open-source solution.
2. Configure the Identity Provider (IdP): Set up the IdP to manage user identities, roles, and authentication methods.
3. Integrate Applications: Each application that will use SSO needs to be configured to trust the IdP and accept its tokens.
4. Test the Setup: Ensure that users can log in through the IdP and access the applications seamlessly.
5. Monitor and Maintain: Continuously monitor access logs and update security measures as needed.
Video references:
- Okta SSO tutorial: https://www.youtube.com/watch?v=fFTeenZvXuw
- SmartDraw: configure SSO with Okta: https://www.youtube.com/watch?v=gR1t81YOeKY
- SSO explained in detail: https://www.youtube.com/watch?v=O1cRJWYF-g4
- Keycloak SSO: https://www.youtube.com/watch?v=6ye4lP9EA2Y

Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is a security mechanism that requires users to provide two or more verification factors to gain access to a resource, such as an application or online account. This adds a layer of protection beyond a username and password alone.

How MFA Works
The factors come from different categories:
- Something You Know: Typically a password or PIN.
- Something You Have: A smartphone (for receiving a text message or running an authenticator app), a hardware token, or a smart card.
- Something You Are: Biometrics, such as fingerprint scans, facial recognition, or voice recognition.

Benefits of MFA
- Enhanced Security: Even if a password is compromised, an attacker still needs the additional factor to access the account.
- Reduced Risk of Data Breaches: MFA significantly decreases the likelihood of unauthorized access to sensitive information.
- Compliance: Many regulations and standards require MFA for access to sensitive data.

Common MFA Methods
- SMS or Email Codes: A code is sent to the user's phone or email that they must enter to log in. This is the weakest option, since SMS is exposed to SIM-swap and interception attacks.
- Authenticator Apps: Apps like Google Authenticator or Authy generate time-based one-time passwords (TOTPs) that users enter after their password.
- Push Notifications: Users receive a push notification on their device to approve or deny the login attempt. Plain approve/deny prompts can be abused by repeated "prompt bombing"; number matching in the prompt mitigates this.
- Biometric Authentication: Fingerprints, facial recognition, or iris scans.

Security Best Practices
- Multi-Factor Authentication (MFA): Add a layer of security beyond passwords alone.
- Regular Audits: Periodically review access logs and user permissions.
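The authenticator-app method above, as an added example that is not code from these notes: the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) as both the app computes it and the server verifies it. The shared key is the one published in the RFC 6238 test vectors, provisioned in base32 as authenticator apps expect; the server-side routine adds the two details a practitioner has to get right, a small clock-skew window and replay rejection of an already-used code.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit value reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the authenticator app on the phone computes."""
    now = int(time.time()) if now is None else now
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, submitted: str, last_counter: int = -1,
                now: Optional[int] = None, step: int = 30, window: int = 1) -> Tuple[bool, int]:
    """Server-side check of a submitted code.
    - accepts counters from now-window .. now+window to absorb clock skew;
    - rejects any counter <= last_counter so an intercepted code cannot be replayed;
    - compares in constant time.
    Returns (accepted, new_last_counter); the caller persists the counter."""
    now = int(time.time()) if now is None else now
    counter = now // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= last_counter:
            continue  # already consumed (or older): replay
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_counter


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with the shared key in base32
    (the secret= parameter of an otpauth:// URI); tolerate spaces and missing padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test-vector key, not a real account secret.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(secret, now=59))                                   # 287082
    accepted, last = verify_totp(secret, "287082", now=59)
    print(accepted, last)                                         # True 1
    print(verify_totp(secret, "287082", last_counter=last, now=59))  # (False, 1): replay rejected
```

TOTP is still a shared secret: whoever holds the server's copy of the key can generate codes, so the keys must be stored encrypted, and a code typed into a phishing page is relayed to the real site in real time. That is why hardware security keys are treated separately under passwordless authentication below.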
- Token Expiration: Ensure that tokens have expiration times to limit the damage if one is compromised.
- Session Management: Implement policies for session timeouts and logouts to limit exposure.

Passwordless Authentication
Passwordless authentication is a security method that allows users to access their accounts without entering a password. Instead, it relies on alternatives such as:
- Biometric Authentication: Fingerprints, facial recognition, or voice recognition.
- One-Time Passwords (OTPs): Temporary codes delivered via SMS, email, or an authenticator app.
- Magic Links: Users receive a link via email that logs them in when clicked.
- Security Keys: Hardware tokens (for example FIDO2 keys) that sign a server challenge; in passwordless flows they act as the primary factor, usually unlocked by a PIN or biometric on the key itself.
- Email or SMS Verification: Sending a verification code to the user's registered contact method.

Benefits include improved security (fewer opportunities for phishing), an enhanced user experience, and reduced password fatigue. The phishing benefit depends on the method: OTPs and magic links can still be relayed through a fake login page, whereas security keys bind the signature to the site's origin and are phishing-resistant. Each method must be implemented carefully to avoid introducing new vulnerabilities.

Authorization
Authorization is the process of determining what actions a user or system can perform within a system after they have been authenticated. It ensures that users have the right permissions to access resources, perform actions, or modify data. The key concept is access control: defining who can access which resources, typically through roles, attributes, or permissions.

Attribute-based access control (ABAC)
Attribute-Based Access Control (ABAC) is a dynamic access control method that determines access rights based on various attributes rather than predefined roles.
Attributes:
- User Attributes: Characteristics of the user, such as job title, department, or security clearance.
- Resource Attributes: Properties of the resource being accessed, such as sensitivity level or ownership.
- Environment Attributes: Contextual information, such as time of access or location.
ABAC is used in complex environments such as cloud services, healthcare, and finance, where user roles and contexts can vary widely.

Rule-based access control (RBAC)
Rule-Based Access Control (RBAC) is a method of regulating access to resources based on predefined rules. Although it shares the abbreviation with Role-Based Access Control, it operates differently, focusing on specific conditions rather than on user roles alone. Key features:
- Rules: Access permissions are defined by a set of rules that specify the conditions under which access is granted or denied. For example, a rule might allow access to a resource only during certain hours or only from specific IP addresses.
- Attributes: As in ABAC, rule-based systems may consider user attributes, resource attributes, and environmental factors to evaluate whether a rule applies.
- Conditions: These can include user role, time of day, location, or any other criterion relevant to the organization's security policy.
Rule-based access control is used in:
- Enterprise Systems: Environments where access must be tightly controlled according to complex business rules.
- Compliance: Regulated industries where access to data must follow specific guidelines.

Policy-based access control (PBAC)
Policy-Based Access Control (PBAC) is an approach to managing access rights and permissions based on a set of defined policies. Its components are:
- Policies: A collection of rules that define who can access which resources and under which conditions.
- Policy Engine: A system that evaluates incoming access requests against the defined policies and decides whether to grant or deny access.
PBAC is used in:
- Enterprise Security: Large organizations managing access to sensitive data and systems.
- Cloud Services: Cloud environments where dynamic access controls are needed based on user activity and context.
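The three authorization models above (ABAC, rule-based, and PBAC) share one mechanism: a policy engine evaluating rules over user, resource and environment attributes. The following added example, not code from these notes, implements such an engine with a deny-overrides combining rule and default deny. The classification levels, department names, corporate address range, business hours and the sample users and resource are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]
# A condition sees the three ABAC attribute sets plus the requested action.
Condition = Callable[[Attrs, Attrs, Attrs, str], bool]


@dataclass
class Rule:
    name: str
    effect: str           # "permit" or "deny"
    condition: Condition  # the rule applies when this returns True


@dataclass
class Policy:
    """Policy engine: evaluates one request against every rule."""
    rules: List[Rule] = field(default_factory=list)

    def decide(self, user: Attrs, resource: Attrs, env: Attrs, action: str) -> Tuple[str, str]:
        """Return (decision, reason). Deny-overrides: any applicable deny wins,
        otherwise the first applicable permit; if no rule applies, deny by default."""
        permit_reason = None
        for rule in self.rules:
            if not rule.condition(user, resource, env, action):
                continue
            if rule.effect == "deny":
                return "deny", rule.name
            if permit_reason is None:
                permit_reason = rule.name
        if permit_reason:
            return "permit", permit_reason
        return "deny", "default-deny"


# Constructed classification scheme and corporate address space (hypothetical).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
CORP_NET = ipaddress.ip_network("10.0.0.0/8")

POLICY = Policy([
    # Resource attribute vs user attribute: classification gate (MAC-style).
    Rule("clearance-gate", "deny",
         lambda u, r, e, a: LEVELS[r["sensitivity"]] > LEVELS[u["clearance"]]),
    # Environment attribute: confidential or higher only from the corporate network.
    Rule("off-network", "deny",
         lambda u, r, e, a: LEVELS[r["sensitivity"]] >= LEVELS["confidential"]
         and ipaddress.ip_address(e["src_ip"]) not in CORP_NET),
    # Environment attribute: writes only during business hours (08:00-18:00).
    Rule("after-hours-write", "deny",
         lambda u, r, e, a: a == "write" and not 8 <= e["hour"] < 18),
    # User attribute vs resource attribute: same department may read.
    Rule("department-read", "permit",
         lambda u, r, e, a: a == "read" and u["department"] == r["owner_department"]),
    # The resource owner may read and write.
    Rule("owner-write", "permit",
         lambda u, r, e, a: a in ("read", "write") and u["id"] == r["owner"]),
])

# Constructed sample subjects and object.
ALICE = {"id": "alice", "department": "finance", "clearance": "confidential"}
BOB = {"id": "bob", "department": "engineering", "clearance": "internal"}
REPORT = {"id": "q3-report", "owner": "alice", "owner_department": "finance",
          "sensitivity": "confidential"}


def evaluate(user: Attrs, resource: Attrs, action: str,
             hour: int = 10, src_ip: str = "10.1.2.3") -> Tuple[str, str]:
    """Build the environment attributes for a request and ask the engine."""
    return POLICY.decide(user, resource, {"hour": hour, "src_ip": src_ip}, action)


if __name__ == "__main__":
    print(evaluate(ALICE, REPORT, "read"))                        # ('permit', 'department-read')
    print(evaluate(BOB, REPORT, "read"))                          # ('deny', 'clearance-gate')
    print(evaluate(ALICE, REPORT, "write", hour=22))              # ('deny', 'after-hours-write')
    print(evaluate(ALICE, REPORT, "read", src_ip="203.0.113.7"))  # ('deny', 'off-network')
    print(evaluate(ALICE, REPORT, "write"))                       # ('permit', 'owner-write')
```

Two design points carry over to real policy engines: a request that matches no rule is denied rather than permitted, and a deny is never outvoted by a permit, so adding a new permit rule can never silently widen access past an existing restriction.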