Identity and Access Management

Identification

• Identification occurs when a user (or any subject) claims or professes
an identity. This can be accomplished with a username, a process ID, a
smart card, or anything else that can uniquely identify a subject.
Security systems use this identity when determining if a subject can
access an object.
Authentication
• Authentication is the process of proving an identity and it
occurs when subjects provide appropriate credentials to
prove their identity.
• For example, when a user provides the correct password
with a username, the password proves that the user is the
owner of the username.
Authorization

• Authorization occurs when a user is granted access to specific resources after
authentication is complete.
• It happens after authentication and can be determined in several
ways, including permissions, access control lists, time-of-day
restrictions, and other login and physical restrictions.
Accounting
• Accounting methods track user activity and record the activity in logs.
Comparing Authentication Factors
• Something you know, such as a password or personal identification number (PIN)
• Something you have, such as a smart card or USB token
• Something you are, such as a fingerprint or other biometric identification
• Somewhere you are, such as your location determined with geolocation technologies. These
typically use the Internet Protocol (IP) address, which provides information on the country, region,
state, city, and sometimes even the zip code; a MAC address can also be used.
• Something you do, such as gestures on a touch screen
Password Security Concepts
• Password Complexity
• Password Expiration
• Password Recovery
• Password History
• Password Reuse
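The five concepts above are only named on the slide. As an added example (not from the slides), the following Python shows how they are typically enforced together: a complexity check, a password history kept as salted hashes so reuse can be detected without storing plaintext, and an expiration window. The policy values (12 characters, 5 remembered hashes, 90 days) and the PBKDF2 settings are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy values assumed for this example (not taken from the slides).
MIN_LENGTH = 12                 # complexity: minimum length
HISTORY_DEPTH = 5               # history: remember this many previous hashes
MAX_AGE = timedelta(days=90)    # expiration: force a change after this long
PBKDF2_ROUNDS = 50_000          # work factor for the stored hashes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The history stores only (salt, digest) pairs, never plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def meets_complexity(password: str) -> bool:
    """Complexity rule used here: minimum length plus at least three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    present = sum(1 for pattern in classes if re.search(pattern, password))
    return len(password) >= MIN_LENGTH and present >= 3


class Account:
    """Tracks the current password hash, the recent history, and when it was last changed."""

    def __init__(self, password: str, now: datetime):
        self.history: List[Tuple[bytes, bytes]] = []
        self.changed_at = now
        self._store(password, now)

    def _store(self, password: str, now: datetime) -> None:
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]   # drop anything older than the window
        self.changed_at = now

    def in_history(self, password: str) -> bool:
        """Re-hash the candidate with each stored salt and compare in constant time."""
        return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
                   for salt, digest in self.history)

    def expired(self, now: datetime) -> bool:
        """Password expiration: older than MAX_AGE means the user must change it."""
        return now - self.changed_at > MAX_AGE

    def change_password(self, new_password: str, now: datetime) -> Tuple[bool, str]:
        """Returns (accepted, reason). Reuse of a remembered password is caught by the history check."""
        if not meets_complexity(new_password):
            return False, "complexity"
        if self.in_history(new_password):
            return False, "reuse"
        self._store(new_password, now)
        return True, "ok"


def scenario() -> list:
    """Constructed walkthrough: start at a fixed date, attempt several changes, check expiry."""
    t0 = datetime(2024, 1, 1)
    acct = Account("Winter-Season-2024!", t0)
    return [
        acct.change_password("Winter-Season-2024!", t0),   # same password again: reuse
        acct.change_password("short1A!", t0),              # too short: complexity
        acct.change_password("Spring-Season-2024!", t0),   # accepted
        acct.change_password("Winter-Season-2024!", t0),   # still in history: reuse
        acct.expired(t0 + timedelta(days=90)),             # on the boundary: not yet
        acct.expired(t0 + timedelta(days=91)),             # past MAX_AGE: expired
    ]
```

The history check re-hashes the candidate under each remembered salt, so the stored history is as well protected as the current password hash; keeping plaintext or unsalted history is the mistake this design avoids.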
Something You Have
• CACs and PIVs include a picture and other information about the owner, so
owners often use them for identification. Example: ID card.
• Smart Cards: Smart cards are often used with another factor of authentication.
For example, a user may also enter a PIN or password, in addition to using the
smart card. Because the smart card is in the something you have factor and the
PIN is in the something you know factor, this combination provides dual-factor
authentication. Example: bank card.
• Token: A token is an electronic device about the size of a remote key for a car.
They include a liquid crystal display (LCD) that displays a number, and this
number changes periodically, such as every 60 seconds. This number is for
one-time use. It isn’t useful to attackers for very long, even if they can discover
HOTP and TOTP
• HOTP (HMAC-based One-Time Password) is an open standard used for creating
one-time passwords, similar to those used in tokens.
• TOTP (Time-based One-Time Password) is similar to HOTP, but it uses a
timestamp instead of a counter. One-time passwords created with TOTP typically
expire after 30 seconds.
• Your organization is planning to implement remote access capabilities.
Management wants strong authentication and wants to ensure that
passwords expire after a predefined time interval. Which of the
following choices BEST meets this requirement? TOTP
Biometric Errors
• False acceptance. This is when a biometric system incorrectly
identifies an unauthorized user as an authorized user.
• False rejection. This is when a biometric system incorrectly rejects an
authorized user
• Crossover error rate (CER). The CER is the point where the false acceptance rate (FAR)
crosses over with the false rejection rate (FRR); it is used to compare two biometric systems.
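Added example (not from the slides): computing FAR and FRR from match scores and locating the crossover point. The score lists are constructed for illustration, not real biometric data; a higher score means a stronger match and a single decision threshold separates accept from reject.

```python
from typing import List, Optional, Tuple

# Constructed match scores on a 0..100 scale (higher = stronger match); not real sensor data.
GENUINE_SCORES = [88, 91, 76, 95, 83, 69, 90, 85, 72, 94]    # enrolled user matched against own sample
IMPOSTOR_SCORES = [35, 52, 41, 66, 28, 73, 47, 58, 39, 61]   # other people matched against the template


def far(impostor: List[int], threshold: int) -> float:
    """False acceptance rate: share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[int], threshold: int) -> float:
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover(genuine: List[int], impostor: List[int]) -> Tuple[int, float, float]:
    """Sweep every threshold; the CER is where FAR and FRR meet (smallest |FAR - FRR|).
    Returns (threshold, FAR, FRR) at that point."""
    best: Optional[Tuple[int, float, float]] = None
    for t in range(0, 101):
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    assert best is not None
    return best


def threshold_for_max_far(impostor: List[int], max_far: float) -> int:
    """Lowest threshold that keeps FAR at or below a target. Security-sensitive deployments
    tune above the CER like this, accepting more false rejections to admit fewer impostors."""
    for t in range(0, 101):
        if far(impostor, t) <= max_far:
            return t
    return 101
```

Raising the threshold trades false rejections for fewer false acceptances; the CER is the point at which the two rates are equal and is useful for comparing systems, while the operating threshold is chosen from the risk of admitting an impostor.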
Multifactor Authentication
• Multifactor authentication uses two or more factors of authentication. For example, you can
combine the something you are factor with one or more other factors
of authentication.
Comparing Authentication Services
• Kerberos
• LDAP and LDAPS
• Single Sign-On
• Transitive Trusts
Kerberos
• An authentication protocol that enables computers to prove their identity to each other
in a secure manner. Kerberos is available in many commercial products as well.
• Kerberos includes several requirements for it to work properly:
• - A method of issuing tickets used for authentication. Tickets provide authentication for
users when they access resources such as files on a file server.
• - Time synchronization, typically using the Network Time Protocol (NTP).
• - A database of subjects or users.
• A company is deploying a file-sharing protocol across a network and needs to select a protocol for authenticating
clients. Management requests that the service be configured in the most secure way possible. The protocol must
also be capable of mutual authentication, and support SSO and smart card logons. Which of the following would
BEST accomplish this task?
A. Store credentials in LDAP
B. Use NTLM authentication
C. Implement Kerberos
D. Use MSCHAP authentication
Answer: C
• A security administrator is evaluating three different services: RADIUS, Diameter, and Kerberos. Which of the
following is a feature that is UNIQUE to Kerberos?
A. It provides authentication services
B. It uses tickets to identify authenticated users
C. It provides single sign-on capability
D. It uses XML for cross-platform interoperability
Answer: B
• A security analyst is hardening an authentication server. One of the primary requirements is to ensure there is
mutual authentication and delegation. Given these requirements, which of the following technologies should the
analyst recommend and configure?
A. LDAP services
B. Kerberos services
C. NTLM services
D. CHAP services
Answer: B. Explanation: only Kerberos can do mutual authentication and delegation.
LDAP and LDAPS
• Lightweight Directory Access Protocol (LDAP): an application layer
protocol used for accessing and modifying directory services data.
• Used by services such as Microsoft Active Directory on Windows
Server domain controllers.
• LDAP acts as the protocol that controls the directory service. This is
the service that organizes the users, computers, and other objects
within the Active Directory.
Single Sign-On
• Single sign-on (SSO) refers to the ability of a user to log on or access
multiple systems by providing credentials only once
SSO and Transitive Trusts
• Transitive trust : When two or more networks have a relationship
where users from one network can gain access to resources on the
other.
SSO and SAML
• Security Assertion Markup Language (SAML) is a standard
used to exchange authentication and authorization information
between different parties. SAML is used with web-based applications.
• SAML defines three roles:
• - Principal. This is typically a user. The user logs on once
• - Identity provider. An identity provider creates, maintains, and
manages identity information for principals
• - Service provider. A service provider is an entity that provides
services to principals.
SAML and Authorization
• The purpose of SSO is for identification and authentication of users
• SSO does not provide authorization
• Which of the following is commonly used for federated identity management across multiple
organizations? SAML
• Which of the following technologies employ the use of SAML? (Select two.) A. Single sign-on B.
Federation
• A web developer improves client access to the company's REST API. Authentication needs to be
tokenized but not expose the client's password. Which of the following methods would BEST
meet the developer's requirements? A. SAML
• Which of the following allows an application to securely authenticate a user by receiving
credentials from a web domain? SAML
• Which of the following would enhance the security of accessing data stored in the cloud? (Select
TWO) SAML authentication and multifactor authentication
• An e-commerce company that sells sports equipment wants to partner with an e-commerce
company that sells clothing by offering authenticated users access to the second company’s
products. Which of the following types of authentication would be best for the sports equipment
company to use to integrate the two environments? A. SAML
• A company has purchased a new SaaS application and is in the process of configuring it to meet
the company’s needs. The director of security has requested that the SaaS application be
integrated into the company’s IAM processes. Which of the following configurations should the
security administrator set up in order to complete this request? SAML
OAuth and OpenID Connect
• OAuth is an open standard for authorization many companies use to
provide secure access to protected resources. Instead of creating a
different account for each web site you access, you can often use the
same account that you’ve created with Google, Facebook, PayPal,
Microsoft, or Twitter.
• OpenID Connect works with OAuth 2.0 and it allows clients to verify
the identity of end users without managing their credentials.
• Which of the following uses tokens between the identity provider and the service
provider to authenticate and authorize users to resources?
C. OAuth
• An organization wants to utilize a common, Internet-based third-party provider for
authorization and authentication. The provider uses a technology based on OAuth 2.0 to
provide required services. To which of the following technologies is the provider
referring? A. OpenID Connect
Account Types
• End user accounts. Most accounts are for regular users. Administrators create
these accounts and then assign appropriate privileges based on the user’s job
responsibilities
• Privileged accounts. A privileged account has additional rights and privileges beyond what a regular user
has. As an example, someone with administrator privileges on a Windows
computer has full and complete control over the Windows computer.
• Guest account. These are useful if you want to grant someone limited access to a
computer or network without creating a new account
• Service accounts. Some applications and services need to run under the context
of an account and a service account fills this need. As an example, SQL Server is a
database application that runs on a server and it needs access to resources on
the server and the network.
Require Administrators to Use Two Accounts
• It’s common to require administrators to have two accounts. They use
one account for regular day-to-day work. It has the same limited
privileges as a regular end user
• The other account has elevated privileges required to perform
administrative work, and they use this only when performing
administrative work
Prohibiting Shared and Generic Accounts
• Each user has at least one account, which is only accessible to that
user. If multiple users share a single account, you cannot implement
basic authorization control.
Time-of-Day Restrictions
• Time-of-day restrictions specify when users can log on to a computer.
If a user tries to log on to the network outside the restricted time, the
system denies access to the user.
Location-Based Policies
• Location-based policies restrict access based on the location of the
user.
• For example, geolocation technologies can often detect a location
using the IP address, and block any traffic from unacceptable
addresses, such as from foreign countries
• It’s also possible to identify a set of IP addresses as the only addresses
that are acceptable. This is often referred to as whitelisting the IP
addresses.
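Added example (not from the slides) covering both the Time-of-Day Restrictions and Location-Based Policies slides: a logon decision that denies by default unless the attempt falls inside the permitted hours and comes from a whitelisted address range, with every decision written to an audit list so the accounting slide's logging requirement is met as well. The networks, hours, user names and addresses are constructed; the address ranges are RFC 5737 documentation prefixes standing in for an organization's own space.

```python
import ipaddress
from datetime import datetime, time
from typing import List

# Constructed policy. The networks are RFC 5737 documentation ranges standing in for
# an organization's own address space; the hours are a plain 9-to-5 window.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
WORK_START, WORK_END = time(9, 0), time(17, 0)
AUDIT_LOG: List[str] = []   # accounting: every decision, allow or deny, is recorded here


def in_allowed_network(src_ip: str) -> bool:
    """Whitelist check: the source address must fall inside one of the approved networks."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:          # malformed address: treat as not whitelisted
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def in_business_hours(when: datetime) -> bool:
    """Time-of-day restriction: logon allowed only inside the configured window."""
    return WORK_START <= when.time() < WORK_END


def logon_allowed(user: str, src_ip: str, when: datetime) -> bool:
    """Deny by default: both the time-of-day and the location restriction must pass."""
    reasons = []
    if not in_business_hours(when):
        reasons.append("outside time-of-day window")
    if not in_allowed_network(src_ip):
        reasons.append("source address not whitelisted")
    allowed = not reasons
    AUDIT_LOG.append("%s user=%s src=%s result=%s %s" % (
        when.isoformat(), user, src_ip, "ALLOW" if allowed else "DENY", "; ".join(reasons)))
    return allowed


def scenario() -> List[bool]:
    """Constructed attempts: inside hours from an approved network, after hours, from an
    address outside the whitelist (192.0.2.0/24 is another documentation range), and a
    malformed address."""
    return [
        logon_allowed("alice", "203.0.113.10", datetime(2024, 3, 4, 10, 30)),
        logon_allowed("alice", "203.0.113.10", datetime(2024, 3, 4, 19, 0)),
        logon_allowed("bob", "192.0.2.5", datetime(2024, 3, 4, 10, 0)),
        logon_allowed("bob", "not-an-ip", datetime(2024, 3, 4, 10, 0)),
    ]
```

Recording the reason with each denial is what makes the log useful later: a run of after-hours denials for one account, or attempts from outside the whitelist, is visible without re-deriving the policy.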
Comparing Access Control Models
• Role-based access control (role-BAC)
• Rule-based access control (rule-BAC)
• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Attribute-based access control (ABAC)
Mandatory Access Control or MAC
• Resources are classified using labels by owner
• Clearance labels are assigned to users who need to work with resources
For example, some data may have a “top secret” or level 1 label. Other information may have a “secret” or
level 2 label.
If we have clearance level 1, we can access all data.
If we have clearance level 2, we can access data labeled with “secret”, but we can’t access information
labeled with “top secret”.
Discretionary Access Control (DAC)
• Used in most operating systems
• You create a spreadsheet as the owner, you control who has access
• You can modify access at any time
• Very flexible access control but very weak
Role-Based Access Control (role-BAC)
• Provides access control based on the position
• Instead of assigning John permissions as a security manager,
the position of security manager already has permissions
assigned to it
Rule-Based Access Control (rule-BAC)
• Access is determined through rules set by system administrators,
not users
• Ex: network access is only available between 9-5
• Ex: Allow access only from this GPS location
Attribute-based access control (ABAC)
• ABAC evaluates attributes and grants access based on the value of these
attributes. Attributes can be almost any characteristic of a user, the
environment, or the resource. ABAC uses policies to evaluate
attributes and grant access when the system detects a match in the
policy.
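Added example (not from the slides) for the Comparing Access Control Models section: the MAC, DAC, role-BAC and ABAC slides implemented side by side as small decision functions so the difference in who decides (the system's labels, the owner, the position, or a policy over attributes) is visible in code. The label names, roles, users and policies are constructed; note that the numeric ranks here run the opposite way from the slide's "level 1 / level 2" wording (a higher number means more sensitive) so that the clearance check is a plain comparison.

```python
from datetime import time
from typing import Callable, Dict, List, Set

# --- Mandatory access control (MAC): labels ordered by sensitivity. Constructed levels;
#     higher rank = more sensitive, so the slide's level 1 "top secret" is rank 2 here. ---
LEVELS = {"public": 0, "secret": 1, "top secret": 2}


def mac_can_read(clearance: str, label: str) -> bool:
    """A subject may read an object whose label is at or below its clearance: a 'top secret'
    clearance reads everything, a 'secret' clearance cannot read 'top secret' data."""
    return LEVELS[clearance] >= LEVELS[label]


# --- Discretionary access control (DAC): the owner decides, by editing the object's ACL. ---
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, actor: str, subject: str, permission: str) -> None:
        if actor != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.setdefault(subject, set()).add(permission)

    def allows(self, subject: str, permission: str) -> bool:
        return permission in self.acl.get(subject, set())


# --- Role-based (role-BAC): permissions hang off the position; users are mapped to positions. ---
ROLE_PERMISSIONS = {
    "security manager": {"read_audit_logs", "approve_access"},
    "analyst": {"read_audit_logs"},
}
USER_ROLES = {"john": {"security manager"}, "dana": {"analyst"}}


def rbac_allows(user: str, permission: str) -> bool:
    """John is not granted permissions directly; the security manager position already has them."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- Attribute-based (ABAC): policies evaluate attributes of subject, resource and environment. ---
Policy = Callable[[dict, dict, dict], bool]
ABAC_POLICIES: Dict[str, Policy] = {
    "same department during business hours":
        lambda s, r, e: s["department"] == r["department"] and time(9) <= e["now"] < time(17),
    "owner at any time":
        lambda s, r, e: s["id"] == r["owner"],
}


def abac_allows(subject: dict, resource: dict, env: dict) -> bool:
    """Grant when any policy matches the presented attributes."""
    return any(rule(subject, resource, env) for rule in ABAC_POLICIES.values())


def abac_scenario() -> List[bool]:
    """Constructed attributes: a finance user reading a finance document at 10:00 and at 20:00,
    then the document's owner (from another department) at 20:00."""
    finance_user = {"id": "u1", "department": "finance"}
    owner = {"id": "u2", "department": "hr"}
    doc = {"owner": "u2", "department": "finance"}
    return [
        abac_allows(finance_user, doc, {"now": time(10, 0)}),
        abac_allows(finance_user, doc, {"now": time(20, 0)}),
        abac_allows(owner, doc, {"now": time(20, 0)}),
    ]
```

The DAC class shows why the slide calls that model flexible but weak: any owner can widen access at will, with no system-level label or policy to stop them, whereas the MAC check leaves the owner no say once labels are assigned.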
