Identity and Access Management (IAM)

It’s all about accounts and permissions.
Account Types
- User accounts
- Endpoint accounts
- Server accounts
- Software accounts
- Roles
IAM System Responsibilities
- Store and keep track of accounts
- Onboarding and offboarding
- Daily management tasks
- Auditing activity
- Scanning for threats (ideally)
- Maintaining compliance
Two Big Problems with IAM
- Root/administrator users
- Shared accounts
Password Policy
- Guideline that tells users how to protect their credentials
- Password length, complexity, expiry
- Can be enforced by OS
- NIST SP 800-63B
- Some things cannot be technically enforced
Mitigating Password Reuse
- Lots of accounts, lots of passwords
- SSO (Signle Sign-On)
  - Sign in once, gain broad access
  - Kerberos in Windows.
  - Pro: one password to remember
  - Con: one password to compromise
- MFA (multifactor authentication
  - Something you know
  - Something you have
  - Something you are
Privilege Management
- Privileges are tied to the authorization function
- Least privilege principle
- Separation of duties
- DAC – Discretionary Access Control
  - Creator of resource is initial owner
  - Owner can grant access to others
  - Example: file system permissions
- MAC – Mandatory Access Control
  - Clearance levels and labels
  - Users can access objects at their clearance level or below
  - Compartments
  - Enforced by the system (non-discretionary)
  - Example: SELinux, AppArmor, military, secret service
- RBAC – Role Based Access Control
  - Move the discretionary part of DAC to the admins
  - Privileges assigned per roles
  - Example: user groups with permissions attached
- ABAC – Attribute Based Access Control
  - Based on multiple subject and object attributes
Directory Services
- Database for IAM
- Manages authentication and authorization
- Can be queried (AAA, Radius, TACACS+)
- Windows AD, OpenLDAP, Apache DS, OpenDS, RedHat Directory
Federation
- Extending SSO across companies or services
- Service provider (SP) trusts a third-party Identity Provider (IdP)
- Issues with password rreset/recovery
SAML, OAuth, OpenID
- SAML
  - XML framework
  - Exchanges security info: authentication, entitlement, attributes
  - Allows SSO, federation
  - Communication based on assertions
    Authentication assertions
    Attribute assertions
- OAuth, OpenID: Sharing profile-related info between web apps
  - App to app interaction and REST APIs
  - Oauth focuses on authentication
  - OpenID focuses on authorization
IAM monitoring and logging
- Accounting
- Manual review
- Privilege Creep – as users change roles, they get more permissions than they need

PreviousNetwork Access Control and Port Security NextWeb Application Scanners

Last updated 2 years ago

Identity and Access Management (IAM)

It’s all about accounts and permissions.
Account Types
- User accounts
- Endpoint accounts
- Server accounts
- Software accounts
- Roles
IAM System Responsibilities
- Store and keep track of accounts
- Onboarding and offboarding
- Daily management tasks
- Auditing activity
- Scanning for threats (ideally)
- Maintaining compliance
Two Big Problems with IAM
- Root/administrator users
- Shared accounts
Password Policy
- Guideline that tells users how to protect their credentials
- Password length, complexity, expiry
- Can be enforced by OS
- NIST SP 800-63B
- Some things cannot be technically enforced
Mitigating Password Reuse
- Lots of accounts, lots of passwords
- SSO (Signle Sign-On)
  - Sign in once, gain broad access
  - Kerberos in Windows.
  - Pro: one password to remember
  - Con: one password to compromise
- MFA (multifactor authentication
  - Something you know
  - Something you have
  - Something you are
Privilege Management
- Privileges are tied to the authorization function
- Least privilege principle
- Separation of duties
- DAC – Discretionary Access Control
  - Creator of resource is initial owner
  - Owner can grant access to others
  - Example: file system permissions
- MAC – Mandatory Access Control
  - Clearance levels and labels
  - Users can access objects at their clearance level or below
  - Compartments
  - Enforced by the system (non-discretionary)
  - Example: SELinux, AppArmor, military, secret service
- RBAC – Role Based Access Control
  - Move the discretionary part of DAC to the admins
  - Privileges assigned per roles
  - Example: user groups with permissions attached
- ABAC – Attribute Based Access Control
  - Based on multiple subject and object attributes
Directory Services
- Database for IAM
- Manages authentication and authorization
- Can be queried (AAA, Radius, TACACS+)
- Windows AD, OpenLDAP, Apache DS, OpenDS, RedHat Directory
Federation
- Extending SSO across companies or services
- Service provider (SP) trusts a third-party Identity Provider (IdP)
- Issues with password rreset/recovery
SAML, OAuth, OpenID
- SAML
  - XML framework
  - Exchanges security info: authentication, entitlement, attributes
  - Allows SSO, federation
  - Communication based on assertions
    Authentication assertions
    Attribute assertions
- OAuth, OpenID: Sharing profile-related info between web apps
  - App to app interaction and REST APIs
  - Oauth focuses on authentication
  - OpenID focuses on authorization
IAM monitoring and logging
- Accounting
- Manual review
- Privilege Creep – as users change roles, they get more permissions than they need

PreviousNetwork Access Control and Port Security NextWeb Application Scanners

Last updated 2 years ago