CISSP-Study-Resources

CISSP Resources

Domain 5 Identity and Access Management (IAM)

The Identity and Access Management (IAM) domain focuses on issues related to granting and revoking privileges to access data or perform actions on systems

  • Assets include information, systems, devices, facilities, and applications
  • Organizations use both physical and logical access controls to protect them
  • Identification is the process of a subject claiming, or professing, an identity
  • Authentication verifies the subject’s identity by comparing one or more authentication factors against a database holding authentication info for users
  • The three primary authentication factors are something you know, something you have, and something you are
  • Single sign-on (SSO) technologies allow users to authenticate once and access any resources in a network or the cloud, without authenticating again
  • Federated Identity Management (FIM) systems link user identities in one system with other systems to implement SSO
  • Access Control System: ensuring access to assets is authorized and restricted based on business and security requirements
  • Access Control Token: based on parameters like time, date, and day, a token defines the validity of access to a system
  • Crossover Error Rate: point at which false acceptance (Type 2) error rate equals the false rejection (Type 1) error rate for a given sensor, in a given system and context; it is the optimal point of operation if the potential impacts of both types of errors are equivalent
  • FRR: False Rejection Rate (Type 1) incorrectly denying authentication to a legit identity and therefore denying access
  • FAR: False Acceptance Rate (Type 2) incorrectly authenticating a claimed identity as legit, recognizing and granting access on that basis
  • Ethical Wall: the use of administrative, physical/logical controls to establish/enforce separation of information, assets or job functions for need-to-know boundaries or to prevent conflict of interest situations; AKA compartmentalization
  • Granularity of controls: the level of abstraction or detail at which a security function can be configured or tuned for performance and sensitivity
  • IDaaS: cloud-based service that brokers IAM functions to target systems on customers’ premises and/or in the cloud
  • Identity proofing: process of collecting/verifying info about someone who has requested access/credential/special privilege to establish a relationship with that person
  • Self-service identity management: elements of the identity management lifecycle which the end-user (the identity in question) can initiate or perform on their own (e.g. password reset, changes to challenge questions etc)
  • Whaling attack: phishing attacks targeting highly placed officials or private individuals with sizeable assets who can authorize large wire transfers
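The FRR, FAR and crossover error rate terms above are easiest to see by sweeping a biometric match threshold over sample scores. The following is an added example, not part of the study notes; the genuine and impostor match scores are constructed toy data (higher score means the sensor is more confident the sample matches the enrolled template, and a sample is accepted when its score is at or above the threshold).

```python
"""Threshold sweep for a biometric sensor: FRR (Type 1), FAR (Type 2) and the
crossover error rate (CER). Added example with constructed scores."""

# Constructed match scores (0-100) for legitimate users and for impostors
GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 70, 66, 61, 55]
IMPOSTOR_SCORES = [20, 28, 35, 41, 47, 52, 58, 63, 69, 75]


def false_rejection_rate(genuine, threshold):
    """Type 1 error: fraction of legitimate samples scored below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostors, threshold):
    """Type 2 error: fraction of impostor samples scored at or above the threshold."""
    return sum(1 for s in impostors if s >= threshold) / len(impostors)


def error_curve(genuine, impostors, thresholds):
    """(threshold, FRR, FAR) for every candidate threshold."""
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostors, t))
            for t in thresholds]


def crossover_error_rate(genuine, impostors, thresholds=range(0, 101)):
    """Threshold where FRR and FAR are closest to equal; returns (threshold, FRR, FAR).
    Raising the threshold above this point trades more false rejections for
    fewer false acceptances, and vice versa."""
    return min(error_curve(genuine, impostors, thresholds),
               key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    for t, frr, far in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 81, 5)):
        print(f"threshold={t:3d}  FRR={frr:.1f}  FAR={far:.1f}")
    print("CER:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

The CER is only the right operating point when both error types cost the same; a door to a server room would be tuned toward a lower FAR (accepting more false rejections), while a low-risk convenience login might be tuned the other way.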

5.1 Control physical and logical access to assets (OSG-9 Chpt 13)

  • Controlling access to assets (tangible: things you can touch, or nontangible: info and data) is a central theme of security
  • In addition to personnel, assets can be information, systems, devices, facilities, or applications:
    • 5.1.1 Information: an org’s information includes all of its data, stored in simple files (on servers, computers, and small devices), or in databases
    • 5.1.2 Systems: an org’s systems include anything that provides one or more services; a web server with a database is a system; permissions assigned to user and system accounts control system access
    • 5.1.3 Devices: refers to any computing system (e.g. routers & switches, smartphones, laptops, and printers); BYOD has been increasingly adopted, and the data stored on the devices is still an asset to the org
    • 5.1.4 Facilities: any physical location, building, rooms, complexes etc; physical security controls are important to help protect facilities
    • 5.1.5 Applications: apps provide access to data; permissions are an easy way to restrict logical access to apps
  • Understand what assets you have, and how to protect them
    • physical security controls: such as perimeter security and environmental controls
      • control access and the environment
    • logical access controls: automated systems that allow or deny access based on verification that the identity presented matches one that was previously approved; technical controls used to protect access to information, systems, devices, and applications
      • includes authentication, authorization, and permissions
      • permissions help ensure only authorized entities can access data
      • logical controls restrict access to config settings on systems/networks to only authed individuals
      • applies to on-prem and cloud

5.2 Manage identification and authentication of people, devices, and services (OSG-9 Chpt 13)

  • Identification: the process of a subject claiming, or professing an identity
  • Authentication: verifies the subject’s identity by comparing one or more factors against a database of valid identities, such as user accounts
    • a core principle with authentication is that all subjects must have unique identities
    • identification and authentication occur together as a single two-step process
    • users identify themselves with usernames and authenticate (or prove their identity) with passwords
  • 5.2.1 Identity management (IdM) implementation
    • Identity and access management is a collection of processes and technologies that are used to control access to critical assets; its purpose is the management of access to information, systems, devices, and facilities
    • Identity Management (IdM) implementation techniques generally fall into two categories:
      • centralized access control: implies a single entity within a system performs all authorization verification
        • potentially creates a single point of failure
        • small team can manage initially, and can scale to more users
      • decentralized access control: (AKA distributed access control) implies several entities located throughout a system perform authorization verification
        • requires more individuals or teams to manage, and administration may be spread across numerous locations
        • difficult to maintain consistency
        • changes made to any individual access control point need to be repeated at the others
    • With ubiquitous mobile computing and anywhere, anytime access (to apps & data), identity is the “new perimeter”
  • 5.2.2 Single/Multi-Factor Authentication (MFA)
    • Single-factor authentication: any authentication using only one proof of identity
    • Two-factor authentication (2FA): requires two different proofs of identity
    • Multifactor authentication (MFA): any authentication using two or more factors
      • multifactor auth must use multiple types or factors, such as something you know and something you have
      • note: requiring users to enter a password and a PIN is NOT multifactor (both are something you know)
    • Two-factor methods:
      • Hash Message Authentication Code (HMAC): includes a hash function used by the HMAC-based One-Time Password (HOTP) standard to create one-time passwords
      • Time-based One-Time Password (TOTP): similar to HOTP, but uses a timestamp and remains valid for a certain time frame (e.g. 30 or 60 seconds)
        • e.g. phone-based authenticator app, where your phone is mimicking a hardware TOTP token (combined with userid/password is considered two-factor or two-step authentication)
      • Email challenge: popular method, used by websites, sending the user an email with a PIN
      • Short Message Service (SMS) to send users a text with a PIN is another 2-factor method; note that NIST SP 800-63B points out vulnerabilities, and deprecates use of SMS as a two-factor method for federal agencies
  • 5.2.3 Accountability
    • Two important security elements in an access control system are authorization and accountability
      • Authorization: subjects are granted access to objects based on proven identities
      • Accountability: users and other subjects can be held accountable for their actions when auditing is implemented
    • Auditing: tracks subjects and records when they access objects, creating an audit trail in one or more audit logs
    • Auditing provides accountability
  • 5.2.4 Session management
    • Session management is important to use with any type of authentication system to prevent unauthorized access
    • Desktops/laptops: screensavers are recommended, although modern OSs have built-in timeout/lock features
    • Secure online sessions should terminate after a timeout period
    • The Open Web Application Security Project (OWASP) publishes “cheat sheets” that provide app developers with specific recommendations
  • 5.2.5 Registration, proofing, and establishment of identity
    • Within an organization, new employees prove their identity with appropriate documentation during the hiring process
      • in-person identity proofing includes things like passport, DL, birth cert etc
    • Online orgs often use knowledge-based authentication (KBA) for identity-proofing of someone new (e.g. a new customer creating a new bank/savings account)
      • example questions include past vehicle purchases, amount of mortgage payment, previous addresses, DL numbers
      • they then query authoritative information (e.g. credit bureaus or gov agencies) for matches
    • Cognitive Passwords: security questions that are gathered during account creation, which are later used as questions for authentication (e.g. name of pet, color of first car etc)
      • one of the flaws associated with cognitive passwords is that the information is often available on social media sites or general internet searches
  • 5.2.6 Federated Identity Management (FIM)
    • Federated Identity Management (FIM) systems (a form of SSO) are often used by cloud-based apps
    • A federated identity links a user’s identity in one system with multiple identity management systems
    • FIM allows multiple orgs to join a federation or group, agreeing to share identity information
      • users in each org can log in once in their own org, and their credentials are matched with a federated identity
      • users can then use this federated identity to access resources in any other org within the group
      • where each organization decides what resources to share
    • Methods used to implement federated identity management systems include:
      • Security Assertion Markup Language (SAML)
      • OAuth
      • OpenID Connect (OIDC)
    • Cloud-based federation typically uses a third-party service to share federated identities
    • Federated identity management systems can be hosted on-premises, in the cloud, or in a combination of the two as a hybrid system
  • 5.2.7 Credential management systems
    • Credential management systems: provide storage space for usernames and passwords
      • e.g. web browsers that remember usernames and passwords for visited sites
    • The World Wide Web Consortium (W3C) published the Credential Management Level 1 API as a working draft in January 2019, which many browsers have adopted
    • Some federated identity management solutions use the Credential Management API, allowing web apps to implement SSO using a federated identity provider
      • e.g. using your Google or Facebook account to sign into Zoom
  • 5.2.8 Single Sign-On (SSO)
    • Single Sign-On (SSO): a centralized access control technique allowing a subject to be authenticated once on a system and access multiple resources without authenticating again
    • Advantages of using SSO include:
      • reduces the number of passwords that users need to remember, and they are less likely to write them down
      • eases administration by reducing the number of accounts
    • Disadvantages:
      • once an account is compromised, an attacker gains unrestricted access to all of the authorized resources
    • Within an organization, a central access control system, such as a directory service, is often used for SSO
      • directory service: a centralized database that includes information about subjects and objects, including authentication data
      • many directory services are based on the Lightweight Directory Access Protocol (LDAP)
  • 5.2.9 Just-In-Time (JIT)
    • Federated identity solutions that support just-in-time (JIT) provisioning automatically create the relationship between two entities so that new users can access resources
    • A JIT solution creates the connection without any administrative intervention
    • JIT systems commonly use SAML to exchange required data
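The HOTP and TOTP methods listed under 5.2.2 are small enough to implement with the standard library. The block below is an added example, not code from the study notes; it uses the RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890") so the generated codes can be checked against the published vectors, and the `window` parameter of the verifier is an assumption about how much clock drift a server tolerates.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords, standard library only.
Added example; SECRET is the RFC test-vector seed, not a production secret."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890")
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """Time-based OTP: the counter is the number of `step`-second intervals
    since the Unix epoch, so one code stays valid for the whole interval."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, candidate, at_time=None, step=30, digits=6, window=1):
    """Server-side check: accept the code of the current interval or of any
    interval within +/- `window` steps (clock drift), comparing in constant time."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    for c in range(4):
        print(c, hotp(SECRET, c))               # RFC 4226: 755224 287082 359152 969429
    print(totp(SECRET, at_time=59, digits=8))   # RFC 6238 SHA-1 row at T=59: 94287082
```

A production verifier also has to remember the last counter it accepted for each user and refuse anything at or below it, otherwise a code captured during its 30-second window can be replayed; the example leaves that bookkeeping to the caller.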

5.3 Federated Identity with a third-party service (OSG-9 Chpt 13)

  • 5.3.1 On-premise
    • Federated identity management can be hosted on-premise, and typically provides an organization with the most control
  • 5.3.2 Cloud
    • Cloud-based apps use federated identity management (FIM) systems, which are a form of SSO
    • Cloud-based federation typically uses a third-party service to share federated identities (e.g. training sites use federated SSO systems)
      • commonly matching the user’s internal login ID with a federated identity
  • 5.3.3 Hybrid
    • A hybrid federation is a combination of a cloud-based solution and an on-premise solution

5.4 Implement and manage authorization mechanisms (OSG-9 Chpt 14)

  • 5.4.1 Role Based Access Control (RBAC)
    • A key characteristic of the Role-Based Access Control (RBAC) model is the use of roles or groups
    • Instead of assigning permissions directly to users, user accounts are placed in roles and administrators assign privileges to the roles (typically defined by job function)
      • if the user account is in a role, the user has all privileges assigned to the role
    • MS Windows OS uses this model with groups
  • 5.4.2 Rule Based access control
    • A key characteristic of the Rule-Based access control model is that it applies global rules to all subjects
      • e.g. firewalls use rules that allow or block traffic for all users equally
    • Rules within the rule-based access control model are sometimes referred to as restrictions or filters
  • 5.4.3 Mandatory Access Control (MAC)
    • Mandatory Access Control (MAC): access control that requires the system itself to manage access controls in accordance with the org’s security policies
    • A key characteristic of the MAC model is the use of labels applied to both subjects and objects
      • e.g. a label of top secret grants access to top-secret documents
    • When documented in a table, the MAC model sometimes resembles a lattice (i.e. climbing rosebush framework), so it is referred to as a lattice-based model
  • 5.4.4 Discretionary Access Control (DAC)
    • Discretionary Access Control (DAC): access control model in which the system owner decides who gets access
    • A key characteristic of the DAC model is that every object has an owner, and the owner can grant or deny access to any other subjects
      • e.g. you create a file and are the owner, and can grant permissions to that file
    • New Technology File System (NTFS) used in Windows, uses the DAC model
  • 5.4.5 Attribute Based Access Control (ABAC)
    • Attribute-Based Access Control (ABAC): an access control paradigm where access rights are granted to users with policies that combine attributes together
    • A key characteristic of the ABAC model is its use of rules that can include multiple attributes
      • this allows it to be much more flexible than a rule-based access control model that applies the rules to all subjects equally
      • many software-defined networks (SDNs) use the ABAC model
    • ABAC allows administrators to create rules within a policy using plain language statements such as “Allow Managers to access the WAN using a mobile device”
  • 5.4.6 Risk based access control
    • The risk-based access control model grants access after evaluating risk: it evaluates the environment and the situation and makes risk-based decisions using policies embedded within software
      • it may use machine learning to make predictive conclusions about current activity based on past activity
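The four classic models in 5.4 (RBAC, MAC, DAC, ABAC) differ mainly in where the decision data lives: on the role, on a label, on the object's owner-controlled ACL, or in a rule over attributes. The block below is an added example, not from the study notes, that implements each decision in a few lines of a toy policy decision point; all users, roles, labels, compartments and attribute names are constructed for illustration, and the MAC check implements only the "no read up" dominance rule of a lattice.

```python
"""Toy policy decision point covering RBAC, MAC (lattice), DAC and ABAC.
Added example with constructed users, roles, labels and attributes."""

# --- RBAC: permissions hang off roles; users are placed in roles ---
ROLE_PERMISSIONS = {
    "manager": {"read_report", "approve_expense"},
    "analyst": {"read_report"},
}
USER_ROLES = {"alice": {"manager"}, "bob": {"analyst"}}


def rbac_allows(user, permission):
    """A user holds every permission of every role they are in."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- MAC: a label is (classification level, set of compartments) ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def dominates(subject_label, object_label):
    """Lattice dominance: level at least as high AND a superset of compartments."""
    s_level, s_comp = subject_label
    o_level, o_comp = object_label
    return LEVELS[s_level] >= LEVELS[o_level] and set(o_comp) <= set(s_comp)


def mac_allows_read(subject_label, object_label):
    """Simple security property ("no read up"): subject must dominate object."""
    return dominates(subject_label, object_label)


# --- DAC: every object has an owner who grants or denies other subjects ---
class DacObject:
    def __init__(self, name, owner):
        self.name = name
        self.acl = {owner: {"read", "write", "grant"}}   # owner gets full control

    def grant(self, granter, subject, permission):
        """Only a subject holding 'grant' (initially the owner) may change the ACL."""
        if "grant" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} may not change the ACL of {self.name}")
        self.acl.setdefault(subject, set()).add(permission)

    def allows(self, subject, permission):
        return permission in self.acl.get(subject, set())


# --- ABAC: rules over subject, resource and environment attributes ---
def rule_managers_wan_mobile(subject, resource, env):
    """'Allow Managers to access the WAN using a mobile device'"""
    return (subject.get("role") == "manager"
            and resource.get("type") == "wan"
            and env.get("device_type") == "mobile")


ABAC_POLICY = [rule_managers_wan_mobile]


def abac_allows(subject, resource, env, policy=ABAC_POLICY):
    """Default deny: access only if some rule in the policy permits it."""
    return any(rule(subject, resource, env) for rule in policy)


if __name__ == "__main__":
    print("RBAC alice approve_expense:", rbac_allows("alice", "approve_expense"))
    print("MAC secret/{crypto} reads confidential/{}:",
          mac_allows_read(("secret", {"crypto"}), ("confidential", set())))
    report = DacObject("report.txt", "alice")
    report.grant("alice", "bob", "read")
    print("DAC bob reads report.txt:", report.allows("bob", "read"))
    print("ABAC manager/wan/mobile:",
          abac_allows({"role": "manager"}, {"type": "wan"}, {"device_type": "mobile"}))
```

Note the compartment check in `dominates`: a "secret" clearance with no compartments does not see a "secret" object tagged with a compartment, which is what makes the MAC structure a lattice rather than a simple ordered list of levels.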

5.5 Manage the identity and access provisioning lifecycle (OSG-9 Chpts 13,14)

  • 5.5.1 Account access review
    • Administrators need to periodically review user, system and service accounts to ensure they meet security policies and that they don’t have excessive privileges
    • Be careful in using the local system account as an application service account; although it allows the app to run without creating a special service account, it usually grants the app more access than it needs
    • You can use scripts that run periodically to check for unused accounts and to check privileged group membership, removing unauthorized accounts
    • Guard against two access control issues:
      • excessive privilege: occurs when users have more privileges than assigned work tasks dictate; these privileges should be revoked
      • creeping privileges (AKA privilege creep): user accounts accumulating additional privileges over time as job roles and assigned tasks change
  • 5.5.2 Provisioning and deprovisioning
    • Identity and access provisioning lifecycle refers to the creation, management, and deletion of accounts
      • this lifecycle is important because without properly defined and maintained user accounts, a system is unable to establish accurate identity, perform authentication, provide authorization, and track accountability
    • Provisioning/Onboarding
      • proper user account creation, or provisioning, ensures that personnel follow specific procedures when creating accounts
        • new-user account creation is AKA enrollment or registration
      • automated provisioning: information is provided to an app, that then creates the accounts via pre-defined rules (assigning to appropriate groups based on roles)
        • automated provisioning systems create accounts consistently
      • provisioning also includes issuing hardware, tokens, smartcards etc to employees
      • it’s important to keep accurate records when issuing hardware to employees
      • after provisioning, an org can follow up with onboarding processes, including:
        • the employee reads and signs the acceptable use policy (AUP)
        • explaining security best practices (like recognizing infected emails)
        • reviewing the mobile device policy
        • ensuring the employee’s computer is operational, and they can log in
        • configure a password manager
        • explaining how to access help desk
        • showing how to access, share and save resources
    • Deprovisioning/Offboarding
      • Deprovisioning/offboarding occurs when an employee leaves the organization or is transferred to a different department
      • Account revocation: deleting an account is the easiest way to deprovision
        • an employee’s account is usually first disabled
        • supervisors can then review the user’s data and determine if anything is needed
        • note: if a terminated employee retains access to a user account after the exit interview, the risk of sabotage is very high
      • Deprovisioning includes collecting any hardware issued to an employee such as laptops, mobile devices and auth tokens
  • 5.5.3 Role definition
    • Employee responsibilities can change in the form of transfers to a different role, or into a newly created role
      • for new roles, it’s important to define the role and the privileges needed by the employees in that role
    • Roles and associated groups need to be defined in terms of privileges
  • 5.5.4 Privilege escalation (e.g. managed service accounts, use of sudo, minimizing its use)
    • Privilege escalation refers to any situation that gives users more privileges than they should have
    • Attackers use privilege escalation techniques to gain elevated privileges
    • Horizontal privilege escalation: gives an attacker similar privileges as the first compromised user, but from other accounts
    • Vertical privilege escalation: provides an attacker with significantly greater privileges
      • e.g. after compromising a regular user’s account an attacker can use vertical privilege escalation techniques to gain administrator privileges on the user’s computer
      • the attacker can then use horizontal privilege escalation techniques to access other computers in the network
      • this horizontal privilege escalation throughout the network is AKA lateral movement
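The periodic review described in 5.5.1 (unused accounts, privileged group membership, service accounts with excessive privilege) is the kind of check that belongs in a script. The following is an added example, not from the study notes: the account export, the privileged group names and the approved-membership roster are constructed sample data, and the 90-day idle threshold is an assumed policy value; a real review would read these from a directory export instead.

```python
"""Account access review: dormant accounts, unapproved privileged-group members,
and service accounts holding privileged group membership. Added example with a
constructed directory export."""
from datetime import date, timedelta

# Constructed export: name, account type, last interactive logon, group memberships
ACCOUNTS = [
    {"name": "alice",   "type": "user",    "last_logon": date(2024, 3, 1),  "groups": {"staff", "domain-admins"}},
    {"name": "bob",     "type": "user",    "last_logon": date(2023, 9, 15), "groups": {"staff"}},
    {"name": "svc-web", "type": "service", "last_logon": date(2024, 2, 28), "groups": {"domain-admins"}},
    {"name": "carol",   "type": "user",    "last_logon": None,              "groups": {"staff", "helpdesk-admins"}},
]
PRIVILEGED_GROUPS = {"domain-admins", "helpdesk-admins"}
# Membership each group owner has signed off on (constructed)
APPROVED = {"domain-admins": {"alice"}, "helpdesk-admins": {"carol"}}


def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Accounts that never logged on, or not within max_idle_days of as_of."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a["name"] for a in accounts
                  if a["last_logon"] is None or a["last_logon"] < cutoff)


def unapproved_privileged_members(accounts, privileged_groups, approved):
    """(group, account) pairs present in the directory but not on the approved roster."""
    findings = []
    for a in accounts:
        for g in sorted(a["groups"] & privileged_groups):
            if a["name"] not in approved.get(g, set()):
                findings.append((g, a["name"]))
    return sorted(findings)


def privileged_service_accounts(accounts, privileged_groups):
    """Service accounts in privileged groups: a common form of excessive privilege."""
    return sorted(a["name"] for a in accounts
                  if a["type"] == "service" and a["groups"] & privileged_groups)


def run_review(accounts, as_of, privileged_groups=PRIVILEGED_GROUPS, approved=APPROVED):
    """Collect all findings; each one is a candidate for disable/remove after owner confirmation."""
    return {
        "dormant": dormant_accounts(accounts, as_of),
        "unapproved_privileged": unapproved_privileged_members(accounts, privileged_groups, approved),
        "privileged_service": privileged_service_accounts(accounts, privileged_groups),
    }


if __name__ == "__main__":
    for category, items in run_review(ACCOUNTS, date(2024, 3, 15)).items():
        print(f"{category}: {items}")
```

Disabling rather than deleting is the right first action for the dormant findings, matching the offboarding order described under 5.5.2: the account is disabled, its data reviewed, and only then removed.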

5.6 Implement authentication systems (OSG-9 Chpt 14)

  • 5.6.1 OpenID Connect (OIDC) / Open Authorization (OAuth)
    • OAuth 2.0 authorization framework enables third-party apps to obtain limited access to an HTTP service, either on behalf of a resource owner (by orchestrating an approval interaction), or by allowing third-party applications to obtain access on its own behalf
    • OAuth is an open framework used for authentication and authorization protocols
    • The most common protocol built on OAuth is OpenID Connect (OIDC)
    • OAuth 2.0 is often used for delegated access to applications, e.g. a mobile game that automatically finds all of your new friends from a social media app is likely using OAuth 2.0
    • Conversely, if you sign into a new mobile game using a social media account (instead of creating a user account just for the game), that process might use OIDC
    • OpenID Connect (OIDC): an authentication layer using the OAuth 2.0 authorization framework, maintained by the OpenID Foundation, providing both authentication and authorization
    • OIDC uses JSON (JavaScript Object Notation) Web Tokens (JWT) – AKA ID token
    • OAuth and OIDC are used with many web-based applications to share information without sharing credentials
      • OAuth provides authorization
      • OIDC uses the OAuth framework for authorization and builds on the OpenID technologies for authentication
  • 5.6.2 Security Assertion Markup Language (SAML)
    • Security Assertion Markup Language (SAML): an open XML-based standard commonly used to exchange authentication and authorization (AA) information between federated orgs
    • SAML provides SSO capabilities for browser access
    • SAML is a popular SSO standard on the internet - used to exchange authentication and authorization (AA) information
    • Organization for the Advancement of Structured Information Standards (OASIS) maintains it
    • SAML 2 spec utilizes three entities:
      • Principal or User Agent
      • Service Provider (SP): providing the service a user is interested in using
      • Identity Provider (IdP): a third-party that holds the user authentication and authorization info
    • IdP can send three types of XML messages known as assertions:
      • Authentication Assertion: provides proof that the user agent provided the proper credentials, identifies the identification method, and identifies the time the user agent logged on
      • Authorization Assertion: indicates whether the user agent is authorized to access the requested service; if denied, includes why
      • Attribute Assertion: attributes can be any information about the user agent
  • 5.6.3 Kerberos
    • Kerberos is a network authentication protocol widely used in corporate and private networks and found in many LDAP and directory services solutions such as Microsoft Active Directory
    • It provides single sign-on and uses cryptography to strengthen the authentication process
    • The purpose of Kerberos is authentication; Kerberos offers a single sign-on solution for users and protects logon credentials
    • Ticket authentication is a mechanism that employs a third-party entity to prove identification and provide authentication - Kerberos is a well-known ticket system
    • After users authenticate and prove their identity, Kerberos uses their proven identity to issue tickets, and user accounts present these tickets when accessing resources
    • Kerberos version 5 relies on symmetric-key cryptography (AKA secret-key cryptography) using the Advanced Encryption Standard (AES) symmetric encryption algorithm
    • Kerberos provides confidentiality and integrity for authentication traffic using end-to-end security and helps protect against eavesdropping and replay attacks
    • Kerberos elements:
      • Key Distribution Center (KDC): the trusted third party that provides authentication services
      • Kerberos Authentication Server: hosts the functions of the KDC:
        • ticket-granting service (TGS): provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects
          • a TGT is encrypted and includes a symmetric key, an expiration time, and user’s IP address
          • subjects present the TGT when requesting tickets to access objects
        • authentication service (AS): verifies or rejects the authenticity and timeliness of tickets. Often referred to as the KDC
      • ticket (AKA service ticket (ST)): an encrypted message that provides proof that a subject is authorized to access an object
      • Kerberos Principal: typically a user but can be any entity that can request a ticket
      • Kerberos realm: a logical area (such as a domain or network) ruled by Kerberos
    • Kerberos login process:
      • user types a username/password into the client
      • client encrypts the username with AES for transmission to the KDC
      • the KDC verifies the username against a db of known credentials
      • the KDC generates a symmetric key that will be used by the client and the Kerberos server
        • it encrypts this with a hash of the user’s password
        • the KDC also generates an encrypted timestamped TGT
      • the KDC then transmits the encrypted symmetric key and the encrypted timestamped TGT to the client
      • the client installs the TGT for use until it expires
        • the client also decrypts the symmetric key using a hash of the user’s password
        • NOTE: the client’s password is never transmitted over the network, but it is verified
          • the server encrypts a symmetric key using a hash of the user’s password, and it can only be decrypted with a hash of the user’s password
          • as long as the user enters the correct password, this step works
    • When a client wants to access an object (like a hosted resource), it must request a ticket through the Kerberos server, in the following steps:
      • the client sends its TGT back to the KDC with a request for access to the resource
      • the KDC verifies that the TGT is valid, and checks its access control matrix to verify user privileges for the requested resource
      • the KDC generates a service ticket and sends it to the client
      • the client sends the ticket to the server or service hosting the resource
      • the server or service hosting the resource verifies the validity of the ticket with the KDC
      • once identity and authorization are verified, Kerberos activity is complete
        • the server or service host then opens a session with the client and begins communication or data transmission
  • 5.6.4 Remote Authentication Dial-in User Service (RADIUS) / Terminal Access Controller Access Control System Plus (TACACS+)
    • Remote Authentication Dial-in User Service (RADIUS): centralizes authentication for remote access connections, such as VPNs or dial-up access
      • a user can connect to any network access server, which then passes on the user’s credentials to the RADIUS server to verify authentication and authorization and to track accounting
      • in this context, the network access server is the RADIUS client, and a RADIUS server acts as an authentication server
      • the RADIUS server also provides AAA services for multiple remote access servers
      • RADIUS uses the User Datagram Protocol (UDP) by default: UDP port 1812 for RADIUS messages and UDP port 1813 for RADIUS Accounting messages
      • by default RADIUS encrypts only the password exchange
      • RADIUS over Transport Layer Security (TLS) on TCP port 2083, defined by RFC 6614, can be used to encrypt the entire session
    • Cisco developed Terminal Access Controller Access Control System Plus (TACACS+) and released it as an open standard
      • it provides improvements over the earlier version and over RADIUS: it separates authentication, authorization, and accounting into separate processes, which can be hosted on three different servers
      • additionally, TACACS+ encrypts all of the authentication information, not just the password, as RADIUS does
      • TACACS+ uses TCP port 49, providing a higher level of reliability for the packet transmissions
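The Kerberos login and ticket-request steps listed under 5.6.3 can be followed end to end in a small simulation. The block below is an added example, not from the study notes and not a real Kerberos implementation: the cipher is a toy HMAC-SHA256 keystream with an integrity tag standing in for the AES encryption types Kerberos v5 uses (so the script needs only the standard library), the string-to-key function is replaced by PBKDF2, and the principal names, IP address, timestamps and lifetimes are constructed. What it does preserve is the property the notes stress: the password never leaves the client, only a key derived from it is used to unwrap the session key.

```python
"""Simplified Kerberos AS (login) and TGS (service ticket) exchanges.
Added example; toy cipher, constructed principals and timestamps."""
import hashlib
import hmac
import json
import os


def derive_key(password, principal):
    """Stand-in for the Kerberos string-to-key function (real Kerberos uses its own)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key, obj):
    """Toy authenticated encryption (NOT AES): nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Reverse of seal(); a wrong key or a tampered ticket fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Center: authentication service (AS) plus ticket-granting service (TGS)."""
    TGT_LIFETIME = 8 * 3600   # constructed lifetimes, in seconds
    TICKET_LIFETIME = 600

    def __init__(self):
        self.kdc_key = os.urandom(32)   # secret known only to the KDC; protects TGTs
        self.user_keys = {}             # db of known credentials: principal -> derived key
        self.service_keys = {}          # service principal -> long-term key
        self.access_matrix = {}         # user -> set of services the user may reach

    def enroll_user(self, name, password):
        self.user_keys[name] = derive_key(password, name)

    def enroll_service(self, name):
        self.service_keys[name] = os.urandom(32)
        return self.service_keys[name]   # shared with the service host out of band

    def authenticate(self, username, client_ip, now):
        """AS exchange: session key sealed under the user's key, plus a timestamped
        TGT sealed under the KDC key. No password is received or checked here."""
        user_key = self.user_keys[username]   # KeyError means unknown principal
        session_key = os.urandom(32).hex()
        tgt = seal(self.kdc_key, {"user": username, "ip": client_ip, "session_key": session_key,
                                  "issued": now, "expires": now + self.TGT_LIFETIME})
        return seal(user_key, {"session_key": session_key}), tgt

    def get_service_ticket(self, tgt, service, now):
        """TGS exchange: validate the TGT, consult the access control matrix,
        issue a service ticket sealed under the service's own key."""
        t = open_sealed(self.kdc_key, tgt)
        if now >= t["expires"]:
            raise PermissionError("TGT expired")
        if service not in self.access_matrix.get(t["user"], set()):
            raise PermissionError(f"{t['user']} is not authorized for {service}")
        return seal(self.service_keys[service], {"user": t["user"], "service": service,
                                                 "key": os.urandom(32).hex(),
                                                 "expires": now + self.TICKET_LIFETIME})


def client_login(kdc, username, password, client_ip, now):
    """Client side of the AS exchange: unwrap the session key with the key derived
    from the typed password. A wrong password cannot open it (ValueError)."""
    enc_session, tgt = kdc.authenticate(username, client_ip, now)
    session_key = open_sealed(derive_key(password, username), enc_session)["session_key"]
    return session_key, tgt


def service_accepts(service_key, service, ticket, now):
    """Resource host: open the ticket with its own key and check name and expiry."""
    t = open_sealed(service_key, ticket)
    return t["service"] == service and now < t["expires"]
```

A wrong password shows up on the client as a failed integrity check when unwrapping the session key, which is why the notes can say the password is "never transmitted, but it is verified"; an expired or forged TGT is rejected by the KDC before the access control matrix is even consulted.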
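The statement in 5.6.4 that RADIUS "encrypts only the password" refers to the User-Password hiding defined in RFC 2865 section 5.2, which is short enough to implement and inspect. The block below is an added example, not from the study notes; the shared secret, Request Authenticator and attribute values are constructed sample data, and `build_access_request` is a simplified attribute dictionary rather than real RADIUS packet encoding.

```python
"""RFC 2865 User-Password hiding, and an Access-Request showing that every other
attribute travels in the clear. Added example with constructed values."""
import hashlib
import os


def hide_password(shared_secret, request_authenticator, password):
    """Pad the password with NULs to a multiple of 16 bytes, then XOR each
    16-byte chunk with MD5(secret + previous chunk); the first 'previous chunk'
    is the 16-byte Request Authenticator from the packet header."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        hidden += chunk
        prev = chunk
    return hidden


def reveal_password(shared_secret, request_authenticator, hidden):
    """The RADIUS server reverses the chain with the same shared secret."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return plain.rstrip(b"\x00")


def build_access_request(shared_secret, username, password, nas_ip, request_authenticator=None):
    """Simplified Access-Request attribute list as it would cross UDP/1812:
    only User-Password is hidden; User-Name and NAS-IP-Address are plaintext."""
    ra = request_authenticator or os.urandom(16)
    return {
        "Request-Authenticator": ra,
        "User-Name": username,                 # visible on the wire
        "NAS-IP-Address": nas_ip,              # visible on the wire
        "User-Password": hide_password(shared_secret, ra, password),
    }


if __name__ == "__main__":
    secret = b"xyzzy5461"                      # constructed shared secret
    req = build_access_request(secret, b"alice", b"hunter2", "192.0.2.10")
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in req.items()})
    print(reveal_password(secret, req["Request-Authenticator"], req["User-Password"]))
```

This is the gap RADIUS/TLS (RFC 6614, TCP 2083) and TACACS+ close: the hiding covers one attribute and rests on MD5 with a static shared secret, while everything else in the request is readable by anyone on the path between the network access server and the RADIUS server.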