Chapter 4 - 02 - Discuss Identity and Access Management (IAM)
EC-Council
Certified Cybersecurity Technician, Exam 212-82
Module: Identification, Authentication, and Authorization
Module Flow: Discuss Access Control Principles, Terminologies, and Models; Discuss Identity and Access Management (IAM)

Discuss Identity and Access Management (IAM)

In enterprise security, Identity and Access Management (IAM) plays an important role: it ensures that only authorized users have access to network resources. The objective of this section is to explain the role of IAM and the security terminology associated with it.

Module 04 Page 463. Certified Cybersecurity Technician. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Identity and Access Management (IAM)

Identity and access management (IAM) is responsible for providing the right individual with the right access at the right time. It offers role-based access control to the customers or employees of an organization for accessing critical information within the enterprise.
It comprises the business processes, policies, and technologies that allow electronic or digital identities to be monitored. IAM products provide system administrators with tools and technologies for regulating user access (i.e., creating, managing, and removing access) to systems or networks based on the roles of individual users within the enterprise. Organizations generally prefer an all-in-one authentication implementation which can be extended to an identity federation. This is because an identity federation combines IAM with single sign-on (SSO) and a centralized Active Directory (AD) account for secure management. Organizations should ensure the correctness of data for the proper functioning of the IAM framework. An IAM framework can be divided into four areas, namely authentication, authorization, user management, and the central user repository/identity repository. All the IAM components are grouped under these four areas.

Figure 4.7: IAM Classification (Access Management: Authentication, Authorization; Identity Management: Identity Repository)

Working of an IAM:

Figure 4.8: Working of IAM (components shown: System Requester, Administrator, Approver, Identity Management (IDM), Identity Repository, Access Management (AM), and the Human Resource (HR), Customer Relationship Management (CRM), and other applications used by Users)

The key responsibility of the identity management (IDM) framework is to manage the shared identity repository that is accessed by the applications and the access management system.
Identity

Identity refers to a set of attributes linked to an entity that can be stored and authenticated digitally.

User Identification: verifies the user ID.

Figure 4.15: Single Sign-On (SSO) Authentication (User -> SSO Authentication -> Application Server, Email Server, Database Server)

Advantages of SSO:
- Reduces the chances of reauthentication, thereby increasing productivity.
- Removes the chances of phishing.
- Provides better management of applications owing to a centralized database.
- Assists with the account lifecycle. Provisioning and deprovisioning of accounts is simplified by the availability of a single source of truth.
- No need to remember passwords for multiple applications or systems.
- Reduces the time spent entering a username and password.

Disadvantages of SSO:
- Losing credentials has a high impact, as all the applications of the central service become unavailable.
- There are many vulnerability issues related to authentication for all the applications.
- It is an issue on multiuser computers and requires the implementation of certain security policies to ensure security.
User Access Management (AM): Authorization

Authorization involves controlling an individual's access to information (e.g., a user can only read a file, but cannot write to it or delete it).

Types of Authorization Systems

Centralized Authorization:
- Authorization for network access is done using a single centralized authorization unit
- It maintains a single database for authorizing all the network resources or applications
- It is an easy and inexpensive authorization approach

Decentralized Authorization:
- Each network resource maintains its own authorization unit and performs authorization locally
- It maintains its own database for authorization

Implicit Authorization:
- Users can access the requested resource on behalf of others
- The access request goes through a primary resource to access the requested resource

Explicit Authorization:
- Unlike implicit authorization, explicit authorization requires separate authorization for each requested resource
- It explicitly maintains authorization for each requested object

Authorization refers to the process of granting permission to access resources or perform an action on the network. Administrators can decide the user privileges and access permissions of users on a multiuser system. The mechanism of authorization can allow the administrator to create access permissions for users as well as verify the access permissions created for each user.
Figure 4.16: Illustration of an authorization system (User -> Access Control / Authorization System -> Application Servers with read-write or read-only access)

Authorization can take different forms based on the needs of the organization.

Centralized Authorization: The need for centralized authorization came into existence when it became difficult to implement the authorization process individually for each resource. It uses a central authorization database that allows or denies access to users, and the decision on access depends on the policies created by the centralized unit. This enables easy authorization for users accessing different platforms. Centralized authorization units are easy to handle and have low costs. A single database provides access to all applications, thereby enabling efficient security. A centralized database also provides an easy and inexpensive method of adding, modifying, and deleting applications from the centralized unit.

Decentralized Authorization: A decentralized authorization maintains a separate database for each resource. The database contains the details of all users who are permitted to access a particular resource. The decentralized authorization process enables users to grant access to other users as well. This increases the flexibility of users in the decentralized method. However, certain issues related to decentralized authorization include cascading and cyclic authorizations.

Implicit Authorization: Implicit authorization provides access to resources indirectly. A task is possible after a user receives authorization for a primary resource through which access to the requested resource is possible.
For example, a user requesting a web page has permission to access the main page as well as all pages linked to the main page. Hence, the user gains indirect access to the other links and documents attached to the main page. Implicit authorization provides a higher level of granularity.

Explicit Authorization: An explicit authorization maintains separate authorization details for each resource request. This technique is simpler than the implicit technique. However, it takes up a large amount of storage space for storing all the authorization details.

User Access Management (AM): Accounting

User accounting involves tracking the actions performed by a user on a network. It keeps track of who, when, and how the users access the network. This includes verifying the files accessed by the user and functions such as alteration or modification of the files or data. It helps in identifying authorized and unauthorized actions. The accounting data can be used for trend analysis, data breach detection, forensic investigations, etc.
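The authorization types above (a centralized unit deciding explicit per-object permissions and implicit permissions that flow from a primary resource to the pages linked from it) and the who/when/how accounting trail, as an added Python example that is not part of the module: the policy tables, user names and resource paths are constructed sample data, and `Authorizer`, `AccountingRecord` and `unauthorized_attempts` are hypothetical names.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Constructed sample policy for a single centralized authorization unit (hypothetical data).
# Explicit authorization: one permission set stored per (user, object).
EXPLICIT_ACL = {
    ("alice", "/app/report.pdf"): {"read"},
    ("bob", "/app/report.pdf"): {"read", "write"},
}
# Implicit authorization: a right on a primary resource carries over to everything linked from it.
LINKS = {
    "/site/index.html": ["/site/about.html", "/site/docs/guide.html"],
    "/site/docs/guide.html": ["/site/docs/appendix.html", "/site/index.html"],  # cyclic link on purpose
}
IMPLICIT_ACL = {("carol", "/site/index.html"): {"read"}}

# Accounting record: who acted, when, how (action + resource), and whether it was allowed.
AccountingRecord = namedtuple("AccountingRecord", "who when how allowed")

class Authorizer:
    """Centralized authorization unit that also writes the accounting trail."""
    def __init__(self):
        self.trail = []

    def _implicit_allowed(self, user, action, resource):
        # Walk the link graph from each primary resource the user holds the action on.
        for (holder, primary), perms in IMPLICIT_ACL.items():
            if holder != user or action not in perms:
                continue
            stack, seen = [primary], set()
            while stack:
                node = stack.pop()
                if node == resource:
                    return True
                if node in seen:      # guards against cyclic links
                    continue
                seen.add(node)
                stack.extend(LINKS.get(node, []))
        return False

    def authorize(self, user, action, resource, mode, when=None):
        if mode == "explicit":
            allowed = action in EXPLICIT_ACL.get((user, resource), set())
        elif mode == "implicit":
            allowed = self._implicit_allowed(user, action, resource)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        when = when or datetime.now(timezone.utc).isoformat()
        self.trail.append(AccountingRecord(user, when, f"{action} {resource}", allowed))
        return allowed

def unauthorized_attempts(trail):
    """Accounting: count denied actions per user, the raw material for breach detection."""
    counts = {}
    for rec in trail:
        if not rec.allowed:
            counts[rec.who] = counts.get(rec.who, 0) + 1
    return counts
```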
Figure 4.17: User Accounting (Identity -> Authentication: Who are you? -> Authorization: What rights do you have? -> Object)

Account Types

User Accounts:
- Default accounts of operating systems
- Run with the least privileges, with permissions such as running applications/programs and creating and manipulating files

Guest Accounts:
- Least privileged accounts without passwords, created to share system resources
- Do not have any privileges to modify system files, directories, or settings

Service Accounts:
- Domain or local accounts that allow applications or services to communicate with the operating system and run programs
- Have administrative privileges based on the application requirement

Administrator/Root Accounts:
- Privileged accounts that can perform various system-level functions such as install and uninstall applications or system software and modify system-level settings

Privileged Accounts:
- Have administrative control over one or several systems
- Permitted to access any resources in the system, configure drivers, add/discard applications from service, etc.
Shared/Generic Accounts:
- Credentials are shared among multiple users
- Typically used when the network is divided and needs individual centralized units for network management

Application Accounts:
- Used by applications to interact with databases and execute batch scripts
- Have wide access to the data stored in the organization's database

Group-based Accounts:
- Created to simplify the process of allocating access rights to individual users
- A single user can be a participant in several groups and can have permissions from all the participating groups

Third-party Accounts:
- Used by enterprises to handle cloud applications or other third-party services
- Set up with a cryptographic key or password-based authentication to use hosts through APIs or SSH

Account Types

Organizations use different types of privileged accounts for managing systems, applications, and networks. Privileged accounts may be assigned to system or network engineers, network devices, and services. These accounts can be primary targets for attackers because they have elevated access to critical assets. Improper management or misuse of these accounts can invite significant threats to the entire business infrastructure.

The following are common account types generally found in every organization.

User accounts: User accounts are the default accounts of operating systems (OSes). User accounts permit individuals to log into the system and access resources. Initially, the system can be accessed by a single account that an administrator creates during the OS installation.
These accounts run with the least privileges, with permissions such as running applications/programs and creating and manipulating files that belong to their profile.

Guest accounts: Guest accounts are least-privileged accounts and have no password; they are created to share system resources. These accounts do not have any privileges to modify system files, directories, or settings. Windows automatically configures guest accounts, but they can be enabled or disabled based on preferences. In Linux-based systems, an administrator is required to manually create a guest account after installing the OS. Most web services have default guest accounts that allow users to access web servers without providing credentials.

Service accounts: Service accounts, referred to as domain or local accounts, allow applications or services to communicate with the OS and run programs or services. Service accounts may also have administrative privileges based on the application requirement or the purpose they are intended to serve. Windows has three types of services: system, local, and network services. System services run with higher privileges compared to other accounts. These services use a local system account to start the OS and have complete privileges on the running system. Local and network services run with the same privileges as a standard user and are allowed to access only network resources. Linux also creates service accounts while installing web servers and applications.

Administrator/root accounts: These accounts are privileged accounts that can perform various system-level functions such as installing and uninstalling applications or system software; modifying system-level settings; and reading, modifying, or deleting any file on the system. It is recommended to create a small number of such accounts with elevated privileges to perform administrative activities and access the components of the file system.
In general, it is difficult to remove default administrator accounts, which are created by the application or OS during its installation. The default account can have all permissions enabled. These accounts are also known as superuser accounts. They are called administrator accounts in Windows environments and root accounts in Linux environments.

Privileged accounts: Privileged accounts are granted administrative control over one or several systems. These accounts are permitted to access any resources in the system, configure or run drivers, add/discard applications from services, and make configuration changes. Typically, few accounts have this type of elevated privilege to manage the system, network, or applications.

Shared/generic accounts: In shared accounts, the login credentials are shared among multiple users. This approach is typically used when the network is divided and needs individual centralized units for network management. Shared accounts can violate the non-repudiation mechanism; further, they can make the task of maintaining accurate audit trails challenging. If an organization's password policy requires frequent password changes, then each password change needs to be communicated to every user having access to a shared account, which is a challenging task and may lead to many security risks. Shared accounts are not considered a security best practice because there is a high probability of their credentials being compromised.

Application accounts: Application accounts are used by applications to interact with databases, execute batch scripts, and allow access to other applications. These accounts have wide access to the data or information stored in the organization's database.
If the credentials for these accounts are embedded and saved in unencrypted files, they may pose a severe threat to the organization.

Group-based accounts: Group-based accounts are created to simplify the process of allocating access rights to individual users. Instead of granting rights directly, the owner of the system allocates them to individual group accounts. The rights are then reflected for all the group members. A single user can be a member of several groups; they can acquire permissions and access rights from all those groups.

Third-party accounts: Third-party credentials are used by enterprises to handle cloud applications or other services provided by third-party vendors. Along with administrative sign-ins, third-party services or devices should be set up with a cryptographic key or password-based authentication to use hosts through APIs or SSH. Inefficient handling of these keys or passwords, such as their insertion in code in an unencrypted form, can cause several security breaches.
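The audit-trail problem with shared/generic accounts described above (the same credential used by several people, so the accounting record cannot say who acted), as an added Python example that is not part of the module: it parses a constructed authentication log and flags accounts that were used from several source addresses within a short window. The log format, account names and addresses are constructed sample data, and `parse_log` and `find_shared_use` are hypothetical names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format: timestamp account source_ip outcome).
SAMPLE_LOG = """\
2024-05-01T08:00:12Z ops-shared 10.0.1.15 success
2024-05-01T08:03:40Z ops-shared 10.0.2.77 success
2024-05-01T08:05:02Z alice 10.0.1.15 success
2024-05-01T09:10:00Z ops-shared 10.0.3.9 success
2024-05-01T12:00:00Z bob 10.0.4.4 failure
2024-05-01T12:00:30Z bob 10.0.4.4 success
"""


def parse_log(text):
    """Turn the constructed log lines into (timestamp, account, source_ip, outcome) tuples."""
    records = []
    for line in text.splitlines():
        ts, account, ip, outcome = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, outcome))
    return records


def find_shared_use(records, window=timedelta(minutes=15), min_sources=2):
    """Return accounts that logged in from at least `min_sources` distinct source IPs
    within `window`. Overlapping use from different places is the audit-trail symptom
    of a shared credential: the record no longer says which person acted."""
    by_account = defaultdict(list)
    for ts, account, ip, outcome in records:
        if outcome == "success":              # only successful sessions count
            by_account[account].append((ts, ip))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for i, (start, _ip) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_sources:
                flagged[account] = sorted(ips)
                break
    return flagged
```

Widening `window` surfaces slower rotation of the same credential between people; the per-account result lists the source addresses that could not be attributed to a single user.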