Identity and Access Management (IAM)

  • It’s all about accounts and permissions.

  • Account Types

    • User accounts

    • Endpoint accounts

    • Server accounts

    • Software accounts

    • Roles

  • IAM System Responsibilities

    • Store and keep track of accounts

    • Onboarding and offboarding

    • Daily management tasks

    • Auditing activity

    • Scanning for threats (ideally)

    • Maintaining compliance

  • Two Big Problems with IAM

    • Root/administrator users

    • Shared accounts

  • Password Policy

    • Guideline that tells users how to protect their credentials

    • Password length, complexity, expiry

    • Can be enforced by OS

    • NIST SP 800-63B

    • Some things cannot be technically enforced

  • Mitigating Password Reuse

    • Lots of accounts, lots of passwords

    • SSO (Signle Sign-On)

      • Sign in once, gain broad access

      • Kerberos in Windows.

      • Pro: one password to remember

      • Con: one password to compromise

    • MFA (multifactor authentication

      • Something you know

      • Something you have

      • Something you are

  • Privilege Management

    • Privileges are tied to the authorization function

    • Least privilege principle

    • Separation of duties

    • DAC – Discretionary Access Control

      • Creator of resource is initial owner

      • Owner can grant access to others

      • Example: file system permissions

    • MAC – Mandatory Access Control

      • Clearance levels and labels

      • Users can access objects at their clearance level or below

      • Compartments

      • Enforced by the system (non-discretionary)

      • Example: SELinux, AppArmor, military, secret service

    • RBAC – Role Based Access Control

      • Move the discretionary part of DAC to the admins

      • Privileges assigned per roles

      • Example: user groups with permissions attached

    • ABAC – Attribute Based Access Control

      • Based on multiple subject and object attributes

  • Directory Services

    • Database for IAM

    • Manages authentication and authorization

    • Can be queried (AAA, Radius, TACACS+)

    • Windows AD, OpenLDAP, Apache DS, OpenDS, RedHat Directory

  • Federation

    • Extending SSO across companies or services

    • Service provider (SP) trusts a third-party Identity Provider (IdP)

    • Issues with password rreset/recovery

  • SAML, OAuth, OpenID

    • SAML

      • XML framework

      • Exchanges security info: authentication, entitlement, attributes

      • Allows SSO, federation

      • Communication based on assertions

        • Authentication assertions

        • Attribute assertions

    • OAuth, OpenID: Sharing profile-related info between web apps

      • App to app interaction and REST APIs

      • Oauth focuses on authentication

      • OpenID focuses on authorization

  • IAM monitoring and logging

    • Accounting

    • Manual review

    • Privilege Creep – as users change roles, they get more permissions than they need

PreviousNetwork Access Control and Port SecurityNextWeb Application Scanners

Last updated