Identity and access management involves four main concepts: identification, authentication, authorization, and accounting. Identification occurs when a user claims an identity, such as with a username. Authentication is the process of proving an identity by providing credentials. Authorization determines what resources a user has access to after authentication. Accounting tracks and logs user activity. Common authentication methods include passwords, smart cards, biometrics, and multifactor authentication using multiple methods. Standards like Kerberos, LDAP, SAML, OAuth and OpenID Connect are used to enable single sign-on and secure authentication across systems.
Identity and Access Management

Identification
• Identification occurs when a user (or any subject) claims or professes an identity. This can be accomplished with a username, a process ID, a smart card, or anything else that can uniquely identify a subject. Security systems use this identity when determining if a subject can access an object.

Authentication
• Authentication is the process of proving an identity, and it occurs when subjects provide appropriate credentials to prove their identity.
• For example, when a user provides the correct password with a username, the password proves that the user is the owner of the username.

Authorization
• Authorization is when a user is granted access to specific resources after authentication is complete.
• It happens after authentication and can be determined in several ways, including permissions, access control lists, time-of-day restrictions, and other login and physical restrictions.

Accounting
• Accounting methods track user activity and record the activity in logs.

Comparing Authentication Factors
• Something you know, such as a password or personal identification number (PIN)
• Something you have, such as a smart card or USB token
• Something you are, such as a fingerprint or other biometric identification
• Somewhere you are, such as your location. Geolocation technologies use the Internet Protocol (IP) address, which provides information on the country, region, state, city, and sometimes even the zip code; the MAC address can also be used.
• Something you do, such as gestures on a touch screen

Password security concepts
• Password Complexity
• Password Expiration
• Password Recovery
• Password History
• Password Reuse

Something You Have
• CACs and PIVs include a picture and other information about the owner, so owners often use them for identification. Example: ID Card
• Smart Cards: Smart cards are often used with another factor of authentication. For example, a user may also enter a PIN or password, in addition to using the smart card. Because the smart card is in the something you have factor and the PIN is in the something you know factor, this combination provides dual-factor authentication. Example: Bank Card
• Token: A token is an electronic device about the size of a remote key for a car. They include a liquid crystal display (LCD) that displays a number, and this number changes periodically, such as every 60 seconds. This number is for one-time use. It isn't useful to attackers for very long, even if they can discover the

HOTP and TOTP
• HOTP (HMAC-based One-Time Password) is an open standard used for creating one-time passwords, similar to those used in tokens.
• TOTP (Time-based One-Time Password) is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP typically expire after 30 seconds.
• Your organization is planning to implement remote access capabilities. Management wants strong authentication and wants to ensure that passwords expire after a predefined time interval. Which of the following choices BEST meets this requirement? Answer: TOTP

Biometric Errors
• False acceptance. This is when a biometric system incorrectly identifies an unauthorized user as an authorized user.
• False rejection. This is when a biometric system incorrectly rejects an authorized user.
• Crossover error rate (CER) for two biometric systems. The CER is the point where the FAR crosses over with the FRR.

Multifactor Authentication
• Uses two or more factors of authentication. For example, you can combine the something you are factor with one or more other factors of authentication.

Comparing Authentication Services
• Kerberos
• LDAP and LDAPS
• Single Sign-On
• Transitive Trusts

Kerberos
• An authentication protocol that enables computers to prove their identity to each other in a secure manner. Kerberos is available in many commercial products as well.
• Kerberos includes several requirements for it to work properly:
- A method of issuing tickets used for authentication. Tickets provide authentication for users when they access resources such as files on a file server
- Time synchronization, using the NTP protocol
- A database of subjects or users
• A company is deploying a file-sharing protocol across a network and needs to select a protocol for authenticating clients. Management requests that the service be configured in the most secure way possible. The protocol must also be capable of mutual authentication, and support SSO and smart card logons. Which of the following would BEST accomplish this task? A. Store credentials in LDAP B. Use NTLM authentication C. Implement Kerberos D. Use MSCHAP authentication. Answer: C
• A security administrator is evaluating three different services: RADIUS, Diameter, and Kerberos. Which of the following is a feature that is UNIQUE to Kerberos? A. It provides authentication services B. It uses tickets to identify authenticated users C. It provides single sign-on capability D. It uses XML for cross-platform interoperability. Answer: B
• A security analyst is hardening an authentication server. One of the primary requirements is to ensure there is mutual authentication and delegation. Given these requirements, which of the following technologies should the analyst recommend and configure? A. LDAP services B. Kerberos services C. NTLM services D. CHAP services. Answer: B. Explanation: Only Kerberos can do mutual authentication and delegation.

LDAP and LDAPS
• Lightweight Directory Access Protocol (LDAP): an application layer protocol used for accessing and modifying directory services data.
• Used by services such as Microsoft Active Directory on Windows Server domain controllers.
• LDAP acts as the protocol that controls the directory service. This is the service that organizes the users, computers, and other objects within Active Directory.

Single Sign-On
• Single sign-on (SSO) refers to the ability of a user to log on or access multiple systems by providing credentials only once.

SSO and Transitive Trusts
• Transitive trust: when two or more networks have a relationship where users from one network can gain access to resources on the other.

SSO and SAML
• Security Assertion Markup Language (SAML): an XML-based standard used to exchange authentication and authorization information between different parties. SAML is used with web-based applications.
• SAML defines three roles:
- Principal. This is typically a user. The user logs on once.
- Identity provider. An identity provider creates, maintains, and manages identity information for principals.
- Service provider. A service provider is an entity that provides services to principals.

SAML and Authorization
• The purpose of SSO is for identification and authentication of users.
• SSO does not provide authorization.
• Which of the following is commonly used for federated identity management across multiple organizations? Answer: SAML
• Which of the following technologies employ the use of SAML? (Select two.) Answer: A. Single sign-on, B. Federation
• A web developer improves client access to the company's REST API. Authentication needs to be tokenized but not expose the client's password. Which of the following methods would BEST meet the developer's requirements? Answer: A. SAML
• Which of the following allows an application to securely authenticate a user by receiving credentials from a web domain? Answer: SAML
• Which of the following would enhance the security of accessing data stored in the cloud? (Select TWO) Answer: B. SAML authentication, and Multifactor authentication
• An e-commerce company that sells sports equipment wants to partner with an e-commerce company that sells clothing by offering authenticated users access to the second company's products. Which of the following types of authentication would be best for the sports equipment company to use to integrate the two environments? Answer: SAML
• A company has purchased a new SaaS application and is in the process of configuring it to meet the company's needs. The director of security has requested that the SaaS application be integrated into the company's IAM processes. Which of the following configurations should the security administrator set up in order to complete this request? Answer: SAML

OAuth and OpenID Connect
• OAuth is an open standard for authorization that many companies use to provide secure access to protected resources. Instead of creating a different account for each web site you access, you can often use the same account that you've created with Google, Facebook, PayPal, Microsoft, or Twitter.
• OpenID Connect works with OAuth 2.0, and it allows clients to verify the identity of end users without managing their credentials.
• Which of the following uses tokens between the identity provider and the service provider to authenticate and authorize users to resources? Answer: C. OAuth
• An organization wants to utilize a common, Internet-based third-party provider for authorization and authentication. The provider uses a technology based on OAuth 2.0 to provide required services. To which of the following technologies is the provider referring? Answer: A. OpenID Connect

Account Types
• End user accounts. Most accounts are for regular users. Administrators create these accounts and then assign appropriate privileges based on the user's job responsibilities.
• Privileged accounts. A privileged account has additional rights and privileges beyond what a regular user has. As an example, someone with administrator privileges on a Windows computer has full and complete control over the Windows computer.
• Guest account. These are useful if you want to grant someone limited access to a computer or network without creating a new account.
• Service accounts. Some applications and services need to run under the context of an account, and a service account fills this need. As an example, SQL Server is a database application that runs on a server, and it needs access to resources on the server and the network.

Require Administrators to Use Two Accounts
• It's common to require administrators to have two accounts. They use one account for regular day-to-day work. It has the same limited privileges as a regular end user.
• The other account has elevated privileges required to perform administrative work, and they use this only when performing administrative work.

Prohibiting Shared and Generic Accounts
• Each user has at least one account, which is only accessible to that user. If multiple users share a single account, you cannot implement basic authorization control.

Time-of-Day Restrictions
• Time-of-day restrictions specify when users can log on to a computer. If a user tries to log on to the network outside the permitted time, the system denies access to the user.

Location-Based Policies
• Location-based policies restrict access based on the location of the user.
• For example, geolocation technologies can often detect a location using the IP address, and block any traffic from unacceptable addresses, such as from foreign countries.
• It's also possible to identify a set of IP addresses as the only addresses that are acceptable. This is often referred to as whitelisting the IP addresses.

Comparing Access Control Models
• Role-based access control (role-BAC)
• Rule-based access control (rule-BAC)
• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Attribute-based access control (ABAC)

Mandatory Access Control (MAC)
• Resources are classified using labels by the owner.
• Clearance labels are assigned to users who need to work with resources. For example, some data may have a "top secret" or level 1 label. Other information may have a "secret" or level 2 label. If we have clearance level 1, we can access all data. If we have clearance level 2, we can access data labeled "secret", but we can't access information labeled "top secret".

Discretionary Access Control (DAC)
• Used in most operating systems
• You create a spreadsheet; as the owner, you control who has access
• You can modify access at any time
• Very flexible access control, but very weak

Role-based Access Control (role-BAC)
• Provides access control based on the position
• Instead of assigning John permissions as a security manager, the position of security manager already has permissions assigned to it

Rule-based Access Control (rule-BAC)
• Access is determined through rules set by system administrators, not users
• Ex: network access is only available between 9-5
• Ex: allow only from this GPS location

Attribute-based Access Control (ABAC)
• Evaluates attributes and grants access based on the value of these attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. ABAC uses policies to evaluate attributes and grants access when the system detects a match in the policy.
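The five access control models on the last slides, plus the time-of-day restriction slide, each reduce to a small decision function. The block below is an added example written for this page, not code from the deck; the labels, roles, rule hours, and attribute names are constructed for illustration. It keeps the deck's numbering convention for MAC ("top secret" is level 1, "secret" is level 2, so a lower number is a higher clearance), and it makes the point that distinguishes DAC from the others explicit: only the object's owner may change its ACL.

```python
"""Toy decision functions for MAC, DAC, role-BAC, rule-BAC and ABAC.
Added example; all labels, roles, rules and attributes are constructed."""
from datetime import datetime, time

# --- Mandatory Access Control (MAC) -------------------------------------
# Deck convention: "top secret" = level 1, "secret" = level 2, so a LOWER
# number is a HIGHER clearance. Level 1 reads everything; level 2 reads
# "secret" but not "top secret".
LABELS = {"top secret": 1, "secret": 2}

def mac_allows(clearance_level: int, resource_label: str) -> bool:
    """Read is allowed when the subject's level number <= the label's number."""
    return clearance_level <= LABELS[resource_label]

# --- Discretionary Access Control (DAC) ---------------------------------
class DacObject:
    """An object (e.g. a spreadsheet) whose owner controls its ACL."""
    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}   # owner always has full control

    def grant(self, actor: str, user: str, perms: set) -> None:
        """Only the owner may change the ACL; that is what makes it discretionary."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this object")
        self.acl.setdefault(user, set()).update(perms)

    def allows(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())

# --- Role-based access control (role-BAC) -------------------------------
# Permissions attach to the position; a user gets them by holding the role.
ROLE_PERMISSIONS = {
    "security manager": {"read:audit_logs", "edit:policies"},
    "help desk": {"reset:passwords"},
}

def rbac_allows(user_roles: set, perm: str) -> bool:
    return any(perm in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)

# --- Rule-based access control (rule-BAC) / time-of-day restriction -----
# Deck example: "network access is only available between 9-5".
WORK_START, WORK_END = time(9, 0), time(17, 0)

def rule_allows(now: datetime) -> bool:
    """Administrator-set rule; the user cannot change it."""
    return WORK_START <= now.time() < WORK_END

# --- Attribute-based access control (ABAC) ------------------------------
# A policy is a set of conditions over subject, resource and environment
# attributes; access is granted only when every condition matches.
ABAC_POLICY = (
    lambda s, r, e: s["department"] == r["department"],
    lambda s, r, e: r["classification"] == "public" or s["cleared"],
    lambda s, r, e: e["network"] == "corporate",
)

def abac_allows(subject: dict, resource: dict, env: dict) -> bool:
    return all(cond(subject, resource, env) for cond in ABAC_POLICY)

if __name__ == "__main__":
    print("MAC  level-2 user reads top secret:", mac_allows(2, "top secret"))
    sheet = DacObject("alice")
    sheet.grant("alice", "bob", {"read"})
    print("DAC  bob reads alice's sheet:", sheet.allows("bob", "read"))
    print("RBAC help desk reads audit logs:", rbac_allows({"help desk"}, "read:audit_logs"))
    print("Rule logon at 18:00:", rule_allows(datetime(2024, 1, 8, 18, 0)))
    print("ABAC match:", abac_allows(
        {"department": "finance", "cleared": False},
        {"department": "finance", "classification": "public"},
        {"network": "corporate"}))
```

Each function returns a plain boolean, so the same inputs can be replayed against every model to see where they disagree; in practice the rule-BAC and ABAC checks would sit in front of the others as an environment gate.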
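The HOTP and TOTP slide states the relationship between the two in one sentence (TOTP is HOTP with a timestamp in place of the counter, and codes typically expire after 30 seconds). The following added example, not code from the deck, implements both from the standard library so the relationship is visible: TOTP simply feeds `unix_time // 30` to HOTP. The secret is the published RFC 4226 / RFC 6238 test-vector seed, not a real key, and `verify_totp` (a name chosen here) adds the drift window and constant-time comparison a server-side verifier needs.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library.
Added example; RFC_SEED is the RFC test-vector secret, not a real key."""
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226
    dynamic truncation: the low nibble of the last byte picks a 4-byte
    window, whose top bit is cleared before reducing modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose counter is the number of `step`-second intervals
    since the Unix epoch, so the code changes (expires) every `step` seconds."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the current interval plus `window`
    neighbours on each side to tolerate clock drift between token and
    server (the deck's time-synchronization point), and compares in
    constant time so a timing difference does not leak matching digits."""
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return True
    return False

RFC_SEED = b"12345678901234567890"   # RFC 4226 / RFC 6238 SHA-1 test secret

if __name__ == "__main__":
    # RFC 4226 Appendix D: counters 0, 1, 2 -> 755224, 287082, 359152
    print([hotp(RFC_SEED, c) for c in range(3)])
    # RFC 6238 Appendix B, SHA-1, 8 digits: T=59 -> 94287082
    print(totp(RFC_SEED, 59, digits=8))
    now = int(time.time())
    code = totp(RFC_SEED, now)
    print(code, verify_totp(RFC_SEED, code, now))
```

The two RFC vectors double as a self-check: the 6-digit HOTP for counter 1 (287082) is the tail of the 8-digit TOTP for T=59 (94287082), because 59 // 30 is 1 and the two standards share the truncation step.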
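The Biometric Errors slide defines false acceptance, false rejection and the crossover error rate (CER) but does not show how the CER is found. The block below is an added example written for this page, not data or code from the deck: it uses constructed match scores for two hypothetical sensors, computes FAR and FRR at every threshold, and returns the threshold where the two rates cross, which is the CER used to compare the two systems (the lower CER is the better system).

```python
"""FAR, FRR and crossover error rate from match scores.
Added example; the score samples below are constructed, not measured."""

# Constructed similarity scores (0-100) for two hypothetical sensors.
# "genuine" = attempts by authorized users, "impostor" = unauthorized users.
SYSTEM_A = {
    "genuine":  [62, 70, 74, 78, 81, 84, 86, 88, 91, 95],
    "impostor": [20, 28, 35, 41, 47, 52, 58, 63, 69, 77],
}
SYSTEM_B = {   # heavier overlap between the two populations
    "genuine":  [40, 50, 55, 60, 65, 70, 75, 80, 85, 90],
    "impostor": [30, 40, 45, 50, 55, 60, 65, 70, 75, 80],
}

def far(threshold: int, impostor: list) -> float:
    """False acceptance rate: share of impostors scoring at or above the
    threshold, i.e. unauthorized users the system wrongly accepts."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold: int, genuine: list) -> float:
    """False rejection rate: share of authorized users scoring below the
    threshold, i.e. legitimate users the system wrongly rejects."""
    return sum(s < threshold for s in genuine) / len(genuine)

def crossover_error_rate(genuine: list, impostor: list):
    """Sweep the threshold from 0 to 100 and return (threshold, rate) at the
    point where FAR and FRR are closest to equal. Raising the threshold
    lowers FAR and raises FRR, so the curves cross exactly once."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]

def better_system(systems: dict) -> str:
    """Compare systems by CER; the lowest CER wins."""
    return min(systems, key=lambda n: crossover_error_rate(**systems[n])[1])

if __name__ == "__main__":
    for name, data in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        t, cer = crossover_error_rate(**data)
        print(f"system {name}: CER {cer:.2f} at threshold {t}")
    print("better system:", better_system({"A": SYSTEM_A, "B": SYSTEM_B}))
```

Operationally the threshold is a tuning knob: setting it above the CER trades false acceptances for false rejections, which is usually the right direction for an authentication system, and the CER itself is what lets two products be compared independently of that choice.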