
ITI581 CYBER SECURITY FUNDAMENTALS

Topic 6
Identity and Access Management (IAM)
Topic Reading

• Chapter 8: Identity and Access Management.

• Interact content.
Importance of Identity & Access Management (IAM)

• IAM is a vital security layer in modern digital systems.

• It allows accounts to access systems and services only as dictated by the controlling enterprise.

• It facilitates control of the rights associated with accounts.

• Identity and Access Management is critical in ensuring the safe operation of an enterprise network.
Some Quick Terminology

• Subject: Typically people, applications, devices or organizations.
– Most commonly refers to individual users.

• Attributes: any information related to a subject.
– Can include name, age, location, job role, hair or eye colour, height etc.

• Identity: a set of claims made about a subject, linked to its attributes.

Identity Use

• In order to use (claim) an identity, a subject presents one or more identifiers or credentials asserting that identity and then authenticates them.
• Examples may include:
– Usernames (most common; an identifier only, so it must be paired with a secret or other credential before it proves anything).
– Certificates.
– Tokens.
– SSH keys.
– Smartcards.
Authentication, Authorization

• Authentication: When an entity's claimed identity is confirmed/verified by a specific system.
– Sometimes loosely referred to as "access control", but it is more precisely one component of access control.

• Authorization: When an authenticated entity is granted permissions to a resource.
– Authentication must occur before this is possible: a permission decision is only meaningful for a verified identity.
Authentication & Authorization Technologies

• Many of these exist but the following are more salient for our purposes.

• Extensible Authentication Protocol (EAP)
– Authentication framework most commonly used in wireless networks (carried inside 802.1X/EAPOL frames).
– Has many methods, both vendor-specific and open.
– EAP-TLS and EAP-TTLS are open, standardised methods; LEAP is a Cisco-proprietary method.

• Challenge Handshake Authentication Protocol (CHAP)
– 3-way handshake: the authenticator sends a random challenge, the peer returns a hash (MD5) of the identifier, shared secret and challenge, and the authenticator replies Success or Failure.
– The secret is hashed, not encrypted, and never crosses the wire; the challenge must be fresh each time to stop replay.

• 802.1X
– IEEE standard for port-based network access control (NAC): authenticates devices (supplicants) wanting to connect before the switch or access point forwards their traffic, using EAP over LAN (EAPOL).
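To make the CHAP three-way handshake concrete, here is an added Python model of the exchange with both the authenticator and the peer in one process. It is example code written for these notes, not from the course text or any PPP implementation; the peer name and shared secret are constructed for the example. It shows why the secret never crosses the wire and why each challenge must be fresh.

```python
"""CHAP (RFC 1994) three-way handshake, modelled with both sides in-process."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed example credential; in PPP this is the "secret" configured on both ends.
PEER_NAME = "dialin-user"
SHARED_SECRET = b"example-shared-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 2: Response Value = MD5(Identifier || secret || Challenge).
    The secret is hashed, not encrypted: an eavesdropper who captures
    (identifier, challenge, response) can test candidate secrets offline."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass
class Authenticator:
    """The side that issues the challenge (e.g. the access server)."""
    secrets: dict                                        # peer name -> shared secret
    next_id: int = 0
    outstanding: dict = field(default_factory=dict)      # identifier -> challenge

    def challenge(self) -> tuple:
        """Step 1: send a fresh, unpredictable challenge with a new Identifier."""
        self.next_id = (self.next_id + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.next_id] = chal
        return self.next_id, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash and reply Success/Failure.
        A challenge is consumed on use, so a captured Response cannot be replayed."""
        chal = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


@dataclass
class Peer:
    """The side being authenticated."""
    name: str
    secret: bytes

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        """Step 2: answer the challenge without ever transmitting the secret."""
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(auth: Authenticator, peer: Peer) -> bool:
    ident, chal = auth.challenge()                       # 1. Challenge
    ident, name, resp = peer.respond(ident, chal)        # 2. Response
    return auth.verify(ident, name, resp)                # 3. Success / Failure


def replay_is_rejected(auth: Authenticator, peer: Peer) -> bool:
    """Capture one Response, then try to reuse it against the next challenge."""
    ident, chal = auth.challenge()
    captured = peer.respond(ident, chal)                 # attacker records this
    assert auth.verify(*captured)                        # the legitimate login succeeds
    new_ident, _ = auth.challenge()                      # attacker gets a new challenge
    return not auth.verify(new_ident, captured[1], captured[2])


if __name__ == "__main__":
    auth = Authenticator({PEER_NAME: SHARED_SECRET})
    print("handshake ok:", run_handshake(auth, Peer(PEER_NAME, SHARED_SECRET)))
    print("wrong secret rejected:", not run_handshake(auth, Peer(PEER_NAME, b"guess")))
    print("replay rejected:", replay_is_rejected(auth, Peer(PEER_NAME, SHARED_SECRET)))
```

MD5 here is a hash, not encryption: anyone who captures the identifier, challenge and response can test candidate secrets offline, which is why CHAP needs a strong shared secret and why later designs moved to certificate-based methods such as EAP-TLS.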
Authentication & Authorization Technologies

• Remote Authentication Dial-in User Service (RADIUS)
– Very common AAA system for network devices, wireless networks and various other services.
– Client-server model: the network access server is the RADIUS client and forwards credentials to the RADIUS server.

• Terminal Access Controller Access Control System Plus (TACACS+)
– Cisco-designed successor to TACACS.
– Encrypts the whole packet body (RADIUS only obfuscates the password attribute) and separates authentication, authorization and accounting, which enables granular per-command authorization.

• Kerberos
– Designed for untrusted networks.
– A Key Distribution Center issues encrypted, time-limited tickets; symmetric encryption is what shields its authentication traffic, and the user's password itself is never sent over the network.
Single Sign On Authentication

• Used where access is required to several systems with separate logins.

• Necessarily complemented by Single Sign Off.

• Designed to relieve password "fatigue" or "confusion".

• When implemented appropriately:
– Reduces IT costs significantly (fewer password resets and help-desk calls).
– Reduces exposure to phishing, because users enter credentials in one place and learn to expect a single login page.

• Caveat: SSO concentrates risk. One compromised SSO credential opens every connected system, so the SSO login itself should be protected with MFA.
SSO & Identity Management

• Identity management.
– Using a single authenticated ID to be shared across multiple networks.

• Federated identity management (FIM).
– Used when networks are owned by different organizations.
– Single Sign On across those organizations.

• Windows Live ID (since renamed Microsoft account).
– When the user wants to log into a Web site that supports Windows Live ID, the user is first redirected to the nearest authentication server.
– Once authenticated, the user is given an encrypted, time-limited "global" cookie.
Authentication Models

Single and multi-factor authentication (MFA).

• One-factor authentication.
– Use of a single credential.

• Two-factor authentication.
– 2 credentials of different types (e.g. a password plus a hardware token).
– Two credentials of the same type, such as a password and a PIN, are still one factor.

• Three-factor authentication.
– 3 credentials of different types.
– Stronger still, at the cost of more complexity for users and administrators.
Authentication Factors

Something you know (knowledge factor).
• Password/passphrase/PIN.

Something you have (possession factor).
• Token/swipe card.

Something you are (inherence factor).
• Biometrics (thumb print, retina scan).

Somewhere you are (location factor).
• GPS/IP subnet/VLAN.
• At work/at home/in the car.

Something you do (behaviour factor).
• Signature, gesture, typing cadence.
• Other habitual behaviour.
Authentication Factors

• Multifactor is stronger than single factor but also more complex.

• More factors = stronger, but not easier or cheaper to implement.

• MFA is also mostly static in nature: the same factors are demanded at every login.

• A more dynamic method is context-aware authentication.


Context Aware Authentication

• Adaptive method of authentication.

• Based on usage of resources and the confidence the system has in the authenticating entity.

• Automatically increases the level of authentication required, or increases/decreases access to resources, based on continuous analysis of the entity in question (for example the device, location and time of the request).
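An added example of a context-aware decision, written for these notes rather than taken from the course text: the policy raises the required assurance level when the device is unknown or when the geolocation of two consecutive logins implies "impossible travel". The event fields, the 1000 km/h threshold and the three assurance levels are assumptions chosen for illustration; the coordinates for the sample logins are constructed.

```python
"""Context-aware (adaptive) authentication: decide how much proof to demand from
the circumstances of the login, not only from the credential presented."""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class LoginAttempt:
    user: str
    ts: float          # unix seconds
    lat: float         # approximate geolocation of the source IP
    lon: float
    device_id: str     # e.g. a device cookie or client-certificate thumbprint


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


MAX_PLAUSIBLE_KMH = 1000.0   # assumed threshold: faster than a commercial airliner


def risk_signals(prev: Optional[LoginAttempt], cur: LoginAttempt, known_devices: set) -> list:
    """Collect the context signals that lower confidence in this login."""
    signals = []
    if cur.device_id not in known_devices:
        signals.append("unknown-device")
    if prev is not None:
        hours = max((cur.ts - prev.ts) / 3600.0, 1 / 60)   # floor at one minute
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if km / hours > MAX_PLAUSIBLE_KMH:
            signals.append("impossible-travel")
    return signals


def required_assurance(prev: Optional[LoginAttempt], cur: LoginAttempt, known_devices: set) -> tuple:
    """Map signals to an authentication requirement (assumed policy):
    no signals -> password only; any signal -> password plus a second factor;
    impossible travel from an unknown device -> refuse and alert."""
    signals = risk_signals(prev, cur, known_devices)
    if "impossible-travel" in signals and "unknown-device" in signals:
        return "deny", signals
    if signals:
        return "password+mfa", signals
    return "password", signals


if __name__ == "__main__":
    # Constructed sample: a Sydney login followed by Melbourne, then by London.
    sydney = LoginAttempt("alice", 0, -33.8688, 151.2093, "laptop-1")
    melbourne = LoginAttempt("alice", 2 * 3600, -37.8136, 144.9631, "laptop-1")
    london = LoginAttempt("alice", 1 * 3600, 51.5074, -0.1278, "unknown-9")
    known = {"laptop-1"}
    print(required_assurance(sydney, melbourne, known))   # ('password', [])
    print(required_assurance(sydney, london, known))      # ('deny', [...])
```

The same function can be re-run on every request rather than only at login, which is what turns a one-off check into the continuous analysis the slide describes.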
Access Control Schemes (Models)
Access Control Terminology

• Computer access control can be accomplished in one of three ways:
– Hardware.
– Software.
– Policy.

• Access control can take different forms depending on what is being protected.

• Other terminology is used to describe how computer systems impose access control:
– Object: the resource being protected.
– Subject: the entity requesting access.
– Operation: the action the subject wants to perform on the object.
Access Control Definition

• A simple definition is:

The process by which resources or services are granted or denied on a computer system or network.

• Four main schemes/models to discuss.

Access Control Schemes/Models

• I use the terms Scheme and Model interchangeably.

• A Scheme/Model definition:

A predefined framework for hardware and software developers who need to implement access control in their devices or applications.

• Once an access control scheme/model is applied:
– Custodians configure security based on parameters set by the owner.
– This enables end users to do their jobs.
Mandatory Access Control (MAC)
• End user cannot implement, modify, or transfer any controls.

• The owner and custodian are responsible for managing access controls.

• Most restrictive model as all controls are fixed.

• In the original MAC model, all objects and subjects were assigned a numeric access level (a clearance for subjects, a classification for objects).

• The access level of the subject had to be equal to or higher than that of the object for read access to be granted ("no read up"); the original formal model (Bell-LaPadula) also forbids a subject writing to an object at a lower level.
Discretionary Access Control (DAC)

• The least restrictive.

• A user has total control over any objects that they own, along with the programs that are associated with those objects.

• In the DAC model, a subject can also change the permissions for other subjects over objects.
Discretionary Access Control (DAC) Weaknesses

1. Reliance on the end-user to set the proper security parameters.

2. A subject's permissions will be "inherited" by any programs that the subject executes, so malware run by a user acts with that user's full rights over everything the user owns.
Role Based Access Control (RBAC)

• Sometimes called Non-Discretionary Access Control.

• Considered a more "real world" approach than the other models.

• Assigns permissions to particular roles in the organization, and then assigns users to those roles.

• Objects are set to be a certain type, to which subjects with that particular role have access.
Benefits of Role-Based Access Control

• Improving operational efficiency.

• Enhancing compliance.

• Giving administrators increased visibility.

• Reducing costs.

• Decreasing risk of breaches and data leakage.


Rule Based Access Control (RBAC)

• Also called the Rule-Based Role-Based Access Control (RB-RBAC) model; often abbreviated RuBAC to avoid confusion with Role Based Access Control.

• Dynamically assigns roles to subjects based on a set of rules defined by the custodian (for example time of day, source network or device type).

• Each resource object contains a set of access properties based on the rules.

• Rule Based Access Control is often used for managing user access to one or more systems (SSO).
Access Control Models Summary

Name                                 Restrictions                                              Description
Mandatory Access Control (MAC)       End user cannot set security                              Most restrictive
Discretionary Access Control (DAC)   Owner has total control over objects                      Least restrictive
Role Based Access Control (RBAC)     Permissions assigned to roles, users assigned to roles    Real world approach
Rule Based Access Control (RBAC)     Roles assigned dynamically based on security parameters   Assigns access across multiple systems
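To tie the four rows of the table to working checks, here is an added Python example (not from the course material) implementing each model as a small policy function: MAC as a clearance/label comparison, DAC as an owner-managed ACL, RBAC as a role-to-permission mapping, and Rule Based as a custodian rule that switches roles on and off. The labels, role names and the business-hours rule are assumptions for illustration.

```python
"""The four access-control models from the summary table, each as a small policy check."""
from dataclasses import dataclass, field
from enum import IntEnum


# ---- Mandatory Access Control: labels are fixed by the owner/custodian, not by users.
class Label(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


def mac_can_read(clearance: Label, label: Label) -> bool:
    """Bell-LaPadula simple security property: no read up."""
    return clearance >= label


def mac_can_write(clearance: Label, label: Label) -> bool:
    """Bell-LaPadula *-property: no write down (a SECRET subject must not
    copy data into an INTERNAL object)."""
    return clearance <= label


# ---- Discretionary Access Control: the owner of an object decides who may do what.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)     # subject -> set of operations


def dac_check(obj: DacObject, subject: str, op: str) -> bool:
    return subject == obj.owner or op in obj.acl.get(subject, set())


def dac_grant(obj: DacObject, granter: str, grantee: str, op: str) -> None:
    """Only the owner may change permissions. The classic DAC weakness is that
    nothing stops the owner (or a program running as the owner) granting too much."""
    if granter != obj.owner:
        raise PermissionError(f"{granter} does not own this object")
    obj.acl.setdefault(grantee, set()).add(op)


# ---- Role Based Access Control: permissions attach to roles, users to roles.
ROLE_PERMISSIONS = {                                # assumed example roles
    "analyst": {("logs", "read")},
    "admin": {("logs", "read"), ("logs", "delete"), ("users", "create")},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}


def rbac_check(user: str, obj_type: str, op: str, roles: dict = None) -> bool:
    roles = USER_ROLES if roles is None else roles
    return any((obj_type, op) in ROLE_PERMISSIONS.get(r, set())
               for r in roles.get(user, set()))


# ---- Rule Based Access Control: roles are switched on and off by custodian rules.
def active_roles(user: str, hour: int, on_corporate_network: bool) -> set:
    """Assumed rule: the admin role is only usable from the corporate network
    during business hours (08:00-17:59)."""
    roles = set(USER_ROLES.get(user, set()))
    if "admin" in roles and not (on_corporate_network and 8 <= hour < 18):
        roles.discard("admin")
    return roles


def rule_based_check(user: str, obj_type: str, op: str,
                     hour: int, on_corporate_network: bool) -> bool:
    """Evaluate the rules first, then fall through to the ordinary RBAC check."""
    return rbac_check(user, obj_type, op,
                      {user: active_roles(user, hour, on_corporate_network)})


if __name__ == "__main__":
    print("MAC: INTERNAL reads SECRET?", mac_can_read(Label.INTERNAL, Label.SECRET))
    report = DacObject(owner="alice")
    dac_grant(report, "alice", "bob", "read")
    print("DAC: bob reads alice's report?", dac_check(report, "bob", "read"))
    print("RBAC: alice deletes logs?", rbac_check("alice", "logs", "delete"))
    print("Rules: bob deletes logs at 03:00 off-net?",
          rule_based_check("bob", "logs", "delete", 3, False))
```

Notice that only the DAC functions let an ordinary subject change who can do what; in the other three models the policy data (labels, role tables, rules) is owned by the custodian, which is exactly the "restrictiveness" axis the table describes.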
Big Picture

• Identity is key with respect to organizational security.

• Authentication is how a claimant proves their identity.

• Authorization provides authenticated identities with appropriate restrictions.

• There are many authentication methods that can be used.

• Access control schemes determine which subjects can perform which operations on which objects.
Thanks for watching!
