
Identity Access Management
IAM Introduction Sub-topics

● Introduction to Identity Access Management
● Automated vs. Manual Identity and Access Provisioning (SailPoint)
● Role of IAM in Cyber Security
● Introduction to User Access Management
● Best Practices for User Access Management
● Access Control Models
● Effective IAM Security Tools
● Case Study
What is Identity and Access Management?
● Identity and access management (IAM) is an enterprise system that defines and assigns the roles and access privileges of individuals on the network.
● The IAM system creates roles, dictates what resources those roles have access to, manages the assignment of roles to individuals, and ensures each individual can only access the resources they have been approved to use.
The primary goal of IAM is to ensure each user is assigned a single digital identity, that each identity is assigned the roles that apply to it, and that each role grants only the access it permits.

Each user is assigned a digital identity (a unique username together with the credentials that prove it, such as a password) and this identity is then assigned the roles which provide access to the data and applications the user requires.

IAM is also sometimes called identity management or rights management and is responsible for processing user requests to access resources.
What are the Benefits of IAM?
The implementation of IAM systems and best practices allows you to open up your
network to employees and customers alike without exposing the network to undue
risk.
Identity management allows access to be extended for on-premises applications as
well as mobile apps and SaaS tools without negatively impacting network security.
Properly managed identities provide administrators with enhanced control over user
activities and permissions.
IAM helps to ensure organizational networks remain secure and compliant with
regulations.
Role of Identity and Access Management (IAM) in Cyber Security
Introduction to User Access Management
● User Access Management (UAM), often used interchangeably with identity and access management (IAM), is the administration of giving individual users within a system access to the tools they need at the right time.
● For businesses, this usually includes access to external applications, permissions, and security requirements.
● User Access Management allows IT administrators to securely manage access to services and resources for all the users in an organization.
● All of this can be managed from a single central user directory (Okta calls its product a Universal Directory).
Access Control Models

Access controls are designed to allow, deny, limit, and revoke access to resources
through identification, authentication, and authorization.

Concepts:
● Identification: the introduction or presentation of an entity (person or device) to another entity, for example by supplying a username.
● Authentication: the process in which the credentials provided by an entity are compared to the entity's information stored on a system to validate the claimed identity.
● Authorization: occurs after identification and authentication and determines exactly what the entity is allowed to do.
● Principle of Least Privilege: we should allow only the bare minimum of access that an entity (person, device, account, or process) needs to perform its required function.
● Principle of Separation of Duties: a task, and the authority over a specific business process, is divided among multiple users so that no single person can complete a sensitive action alone.
● Access Control List: an ACL is a list of permissions attached to an object (most familiar from file systems, where each file carries its own ACL). It specifies which users or system processes are granted access to the object, and what operations they may perform on it.
● Capabilities: where an ACL defines permissions for a given identity, a capability-based system grants access based entirely on something the requester possesses, such as a token, access badge, or pass code; the token itself names the object and the permitted operations. In a capability-based system, applications can share with other applications the token that defines their level of access, which is why such tokens must be protected as carefully as credentials.
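To make the ACL/capability distinction concrete, here is an added example (not from the slides) in Python: a file-style ACL checked against an authenticated identity, and a capability token checked with no identity lookup at all. The HMAC-signed token format, the issuer key, and the sample paths and users are all assumptions for illustration, not any product's design.

```python
"""ACL vs. capability, side by side (added example, constructed data).

An ACL lives with the object and is keyed by *who* is asking, so the check
can only happen after identification and authentication. A capability is an
unforgeable token the requester *has*: it names the object and the allowed
operations, and the check needs no identity lookup. The signed-token format
is an illustrative assumption.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# ---- ACL: object -> identity -> allowed operations (constructed sample data)
ACL = {
    "/payroll/2024.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "/hr/offboarding.txt": {"carol": {"read", "write"}},
}


def acl_allows(subject: str, obj: str, op: str) -> bool:
    """Authorization decision for an already-authenticated `subject`."""
    return op in ACL.get(obj, {}).get(subject, set())


# ---- Capability: an HMAC-signed token minted by a trusted issuer
ISSUER_KEY = secrets.token_bytes(32)   # the issuer's secret; never shared


def _sign(body: str) -> str:
    return hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()


def mint_capability(obj: str, ops: set) -> str:
    """Issue a token granting `ops` on `obj` to whoever holds it."""
    body = f"{obj}|{','.join(sorted(ops))}"
    return f"{body}|{_sign(body)}"


def capability_allows(token: str, obj: str, op: str) -> bool:
    """Decide from the token alone; a forged or edited token fails the MAC."""
    try:
        tok_obj, tok_ops, tag = token.rsplit("|", 2)
    except ValueError:
        return False
    if not hmac.compare_digest(tag, _sign(f"{tok_obj}|{tok_ops}")):
        return False
    return tok_obj == obj and op in tok_ops.split(",")


def attenuate(token: str, keep_ops: set) -> Optional[str]:
    """Delegate a weaker token to another application (least privilege).

    Sharing a capability is how one application hands access to another; a
    holder may narrow what it passes on but can never widen it.
    """
    try:
        tok_obj, _, _ = token.rsplit("|", 2)
    except ValueError:
        return None
    if not keep_ops or not all(capability_allows(token, tok_obj, op) for op in keep_ops):
        return None          # asked for more than the token itself grants
    return mint_capability(tok_obj, keep_ops)


if __name__ == "__main__":
    print("ACL  alice write:", acl_allows("alice", "/payroll/2024.xlsx", "write"))
    rw = mint_capability("/payroll/2024.xlsx", {"read", "write"})
    ro = attenuate(rw, {"read"})
    print("CAP  ro write   :", capability_allows(ro, "/payroll/2024.xlsx", "write"))
```

Note how `attenuate` lets an application share its token with another while narrowing it, and how editing the token text invalidates the MAC. The cost of the capability model is the flip side of its convenience: anyone who obtains the token gets the access, so tokens need the same handling as passwords.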
Access Control Methodologies

Depending on the access control methodology, access may be granted based on something we know, something we have, or something we are.

The most common set of simple access control models includes discretionary access control, mandatory access control, rule-based access control, role-based access control, and attribute-based access control.
Types of Access Control Models

● Discretionary Access Control: Discretionary Access Control (DAC) is a model in which access is determined by the owner of the target resource.
● Mandatory Access Control: Mandatory Access Control (MAC) is a model in which the owner of the resource does not get to decide who gets to access it; instead access is decided by a group or individual with the authority to set access on resources, typically through labels (classifications) on resources and clearances on subjects.
● Role-Based Access Control: Role-Based Access Control (RBAC) is a model that, like MAC, relies on access controls set by an authority rather than by the owner, but grants access according to the roles (job functions) a subject holds rather than to the subject individually.
● Attribute-Based Access Control: Attribute-Based Access Control (ABAC) makes decisions from attributes. These can be attributes of a particular person, of a resource, or of the environment (time of day, network location, device posture).
● Multilevel Access Control: multilevel access control models (such as Bell-LaPadula for confidentiality and Biba for integrity) are used by military and government organizations where the simpler models above are not considered robust enough to protect the information to which access is being controlled.
● Physical Access Controls: when discussing physical access controls, we are largely concerned with controlling the access of individuals, devices, and vehicles.
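As an added example (not part of the original slides), the following Python evaluates one request under DAC, MAC, RBAC and ABAC so the differences between the models are visible side by side. The subjects, resources, role table and ABAC rules are constructed; the MAC rules are the Bell-LaPadula "no read up / no write down" properties.

```python
"""One access request evaluated under DAC, MAC, RBAC and ABAC.

Added example; subjects, resources and rules are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)    # RBAC
    clearance: int = 0                         # MAC: 0=public .. 3=top secret
    attrs: dict = field(default_factory=dict)  # ABAC


@dataclass
class Resource:
    kind: str
    owner: str                                 # DAC
    classification: int = 0                    # MAC label
    attrs: dict = field(default_factory=dict)  # ABAC


def dac_allows(s: Subject, r: Resource, op: str) -> bool:
    """The owner decides. Simplest owner-only policy; a real DAC system
    lets the owner grant others through an ACL on the resource."""
    return s.name == r.owner


def mac_allows(s: Subject, r: Resource, op: str) -> bool:
    """Labels set by a central authority; the owner cannot override them.
    Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if op == "read":
        return s.clearance >= r.classification
    if op == "write":
        return s.clearance <= r.classification
    return False


# RBAC: permissions attach to roles, roles attach to subjects.
ROLE_PERMS = {
    "analyst": {("report", "read")},
    "finance-admin": {("report", "read"), ("report", "write"), ("ledger", "write")},
}


def rbac_allows(s: Subject, r: Resource, op: str) -> bool:
    return any((r.kind, op) in ROLE_PERMS.get(role, ()) for role in s.roles)


def abac_allows(s: Subject, r: Resource, op: str, env: dict) -> bool:
    """Rules over subject, resource and environment attributes."""
    same_dept = s.attrs.get("dept") == r.attrs.get("dept")
    business_hours = 9 <= env.get("hour", 0) < 18
    if op == "read":
        return same_dept
    if op == "write":
        return same_dept and business_hours and env.get("mfa") is True
    return False


def evaluate_all(s: Subject, r: Resource, op: str, env: dict) -> dict:
    """Return each model's verdict so the differences are visible."""
    return {
        "DAC": dac_allows(s, r, op),
        "MAC": mac_allows(s, r, op),
        "RBAC": rbac_allows(s, r, op),
        "ABAC": abac_allows(s, r, op, env),
    }


if __name__ == "__main__":
    alice = Subject("alice", roles={"analyst"}, clearance=2, attrs={"dept": "finance"})
    q3 = Resource("report", owner="bob", classification=3, attrs={"dept": "finance"})
    print(evaluate_all(alice, q3, "read", {"hour": 10, "mfa": True}))
```

The same request gets four different answers: DAC denies because alice is not the owner, MAC denies because her clearance (2) is below the label (3), RBAC allows because the analyst role carries report:read, and ABAC allows because the department attributes match. Real deployments usually layer these, with MAC or RBAC as a floor and ABAC rules refining within it.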
Effective IAM Security Tools
Why you need identity and access management tools:
● Improved Security
● Enhanced Business Productivity
● Enhanced Individual Productivity
● Collaboration
● One Control System
● Single Sign-On (SSO)
● Effective Time Management
Types of Identity and Access Management Tools
● Password Management Tools
● Provisioning Software
● Security Policy Enforcement Applications
● Reporting and Monitoring Apps
● Identity Repositories
Thycotic (thycotic.com)
● Your privileged accounts are hackers' favorite targets
Thycotic sub-topics
● Introduction to Privileged Access Management (Life cycle)
● IAM/PAM Architecture
● Key Privileged Access Management definitions
● Risks & Vulnerabilities related to privileged accounts
● Preventing privileged account attacks with PAM
● How to develop a comprehensive PAM solution
● Case Study
Introduction to Privileged Access Management (Life cycle)
Privileged access management (PAM) can be defined as managing privileged accounts and delegating privileged actions.
Steps of the PAM Lifecycle:
● Define
○ Define and classify privileged accounts (e.g., root and local administrator accounts, domain admins, service and application accounts, break-glass accounts).
○ Develop IT security policies that explicitly cover privileged accounts.
● Discover
○ Discover your privileged accounts, and keep rediscovering them, since new ones appear whenever systems and services are added.
● Manage and protect
○ Protect your privileged account passwords (vault them, rotate them, and do not share them).
○ Limit IT admin access to systems.
● Monitor
○ Monitor and record sessions for privileged account activity.
● Detect abnormal usage
○ Track and alert on user behavior.
● Respond to incidents
○ Prepare an incident response plan in case a privileged account is compromised.
● Review and audit
○ Audit and analyze privileged account activity.
The key to improving cyber security around Privileged Access Management is understanding and implementing a PAM lifecycle approach.
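The Discover step is the one most often skipped or done by hand. As an added example (not from Thycotic or the slides), this Python script discovers privileged accounts on a Unix host from /etc/passwd, /etc/group and sudoers (uid 0, membership in an admin group, or a sudoers entry), then compares the result with an inventory of accounts that someone has claimed ownership of, which is what surfaces the "unknown or unmanaged" accounts. All file contents and the inventory are constructed sample data; the sudoers parser handles only plain user-specification lines, not aliases or includes.

```python
"""Discover privileged Unix accounts and flag the unmanaged ones.

Added example; PASSWD, GROUP, SUDOERS and the inventory are constructed.
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-backup:x:1003:1003:backup job:/var/backup:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

GROUP = """\
root:x:0:
sudo:x:27:alice
wheel:x:10:bob
users:x:100:alice,bob
"""

SUDOERS = """\
# constructed /etc/sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

ADMIN_GROUPS = ("root", "sudo", "wheel", "admin")


def parse_passwd(text: str) -> dict:
    """name -> uid"""
    out = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        out[f[0]] = int(f[2])
    return out


def parse_group(text: str) -> dict:
    """group -> set of supplementary member names"""
    out = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        out[f[0]] = {m for m in f[3].split(",") if m}
    return out


def parse_sudoers(text: str):
    """yield (user_or_%group, rest_of_spec) for user-specification lines"""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        who, _, spec = line.partition(" ")
        yield who, spec.strip()


def discover_privileged(passwd_text=PASSWD, group_text=GROUP, sudoers_text=SUDOERS) -> dict:
    """account -> sorted list of reasons it counts as privileged"""
    reasons = {}

    def note(acct, why):
        reasons.setdefault(acct, set()).add(why)

    groups = parse_group(group_text)
    for name, uid in parse_passwd(passwd_text).items():
        if uid == 0:                       # any uid 0 account is root, whatever its name
            note(name, "uid 0")
    for g in ADMIN_GROUPS:
        for member in groups.get(g, ()):
            note(member, f"member of group {g}")
    for who, spec in parse_sudoers(sudoers_text):
        if who.startswith("%"):            # group rule: expand to its members
            for member in groups.get(who[1:], ()):
                note(member, f"sudoers via {who}: {spec}")
        else:
            note(who, f"sudoers: {spec}")
    return {k: sorted(v) for k, v in reasons.items()}


def unmanaged(privileged: dict, inventory) -> list:
    """Privileged accounts nobody has claimed ownership of."""
    return sorted(set(privileged) - set(inventory))


if __name__ == "__main__":
    found = discover_privileged()
    for acct, why in sorted(found.items()):
        print(f"{acct:12} {'; '.join(why)}")
    print("unmanaged:", unmanaged(found, {"root", "alice", "bob"}))
```

Run against the sample data, the script reports five privileged accounts and two unmanaged ones: `toor`, a second uid 0 account nobody owns, and `svc-backup`, a service account with passwordless sudo. Both are exactly the kind of account the Define and Discover steps are meant to bring under policy before the Manage step can vault or rotate anything.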
IAM/PAM Architecture
IAM focuses on managing general users through to customers, controlling the access and experience that those users are granted within an application.
PAM, on the other hand, is built for administrative and privileged users, defining and controlling the administrative role of admin users.
Key Privileged Access Management definitions
The PAM industry began with the core capabilities of privileged account management.
Privileged account management is the IT security process of using policy-based software and strategies to control who can access sensitive systems and information.
Privileged accounts are the keys to your IT kingdom because they can be used to access a sensitive server, adjust permissions, create backdoor accounts, or change or delete critical data.
Risks & Vulnerabilities related to privileged accounts
Many high-profile breaches have one thing in common: they were accomplished through the compromise of privileged credentials. Industry analysts estimate that up to 80% of all security breaches involve the compromise of privileged accounts.
Every unknown or unmanaged privileged account increases your organization's vulnerability and presents an opportunity for an intrusion.
An employee may use it to perform unauthorized tasks, intentionally or unintentionally, breaking compliance regulations and increasing your liability.
A disgruntled ex-employee who retains privileged access can cause harm.

How does the cloud increase your risk of a privileged account attack?
As businesses migrate to the cloud, the diversity of privileged access management use cases expands.
In a cloud model, managing privileged access to workloads, services, and applications remains your responsibility, not the cloud provider's (this is the customer's side of the shared-responsibility model).
It's also your responsibility to make sure data going to and from the cloud (via web browsers, email, file exchanges such as SFTP, APIs, SaaS products, and streaming protocols) is properly secured.
How do cyber-criminals compromise privileged accounts?
It is important to understand the tricks and techniques cybercriminals use to wrest control of these accounts. The path to compromising a privileged account often follows a variation of this pattern:
● Compromise a local account
● Capture a privileged account
● Hide and observe
● Impersonate employees
● Establish ongoing access
● Cause harm
Preventing privileged account attacks with PAM
There are some questions that need to be answered first:
● How does PAM lower your risk of a privileged account attack?
The overall goal when designing your privileged access management process and implementing solutions is to arm IT and security professionals with the tools they need to control access within their corporate environment, thus reducing the attack surface by limiting privileged access and behavior.
● Why is it so difficult to prevent attacks using network or perimeter security tools?
As technology has evolved, traditional perimeter security tools such as firewalls, anti-virus, and intrusion detection solutions are no longer sufficient on their own to protect critical assets: an attacker holding valid privileged credentials passes through all of them looking like a legitimate administrator.
Effective privileged access management practices can help the company avoid becoming the next victim of cybercrime.
Top 10 capabilities of PAM software that thwart malicious hackers and other external threats
● Password vaulting
● Password changing and auto-generation
● Automation
● Disaster recovery
● Access for non-employees
● Emergency access to critical systems
● Multi-factor authentication protocols
● Session management
● Mobile access points
● Auditing and reporting

How does PAM software protect organizations from insider threats?

PAM solutions contain multiple features to safeguard against insider threats.

Audit trails and email alerts keep administrators informed of what’s going on in the
IT environment. Session monitoring and recording increases visibility of privileged
account activity.

There are also permissions as well as role-based access controls to give users the
access they need to do their jobs.

Last but not least, PAM allows you to sever the access users had the moment they
leave your organization—an action that a surprising number of organizations fail to
include in their PAM strategy.
How to develop a comprehensive PAM solution
Before planning a phase you must answer several key questions:
● How do you define a privileged account for your organization?
● Who needs access to your privileged accounts?
● Do you rely on third-party contractors that need access?
● Do you set time windows for privileged account usage?
● What happens if privileged accounts are compromised?
● What's the risk of privileged accounts being exposed or abused by an insider?
● Do you have an IT security policy that explicitly covers privileged access management?
● Do you have to comply with government or industry regulations?
● What reports does your CISO expect on privileged account use and exposure?
Building on the PAM basics
● Audit and analyze privileged account activity.
● Keep discovering privileged accounts.
● Integrate PAM with other IT and security systems.
● Extend existing directories such as Active Directory to Unix/Linux.
● PAM can also be used to improve insights into vulnerability assessments, IT network inventory scanning, virtual environment security, and administration and behavior analytics.
Loyola University Maryland Case Study
Background

Loyola University Maryland is a private university founded by the Jesuits in 1852. With nearly 5,000 students and more than 400 faculty, the university maintains
four campuses in the Baltimore metropolitan area. Tim Enders, Senior System Engineer in Loyola’s 55-member Department of Technology Services, serves on the
IT infrastructure team and is responsible for authentication and security for servers and storage. Having spent more than 20 years at Loyola, he has been a
customer of Thycotic Secret Server on-premise and daily user for the past six years when the team transitioned to Secret Server Cloud.

Challenges

Loyola University Maryland initially deployed the on-premise version of Secret Server to gain control over privileged credentials used by the Technology Services
team.

Solution

While Enders was confident about the decision to move to Secret Server Cloud given his extensive experience with the on-premise version, the transition was
carefully planned. “Our CISO conducts a security audit of each of our vendors,” he said, “and she wanted to make very certain we were absolutely buttoned up
when making the transition.” “We set up the Secret Server Cloud environment in about a week or so and the actual migration took only a day,” Enders explained.
“We put a change hold on Secret Server on premise, and the move to the cloud was accomplished without a hitch. In fact, it’s probably one of the smoothest SaaS
migrations I’ve experienced.” Enders pointed to the exceptional attention he got from the Thycotic support team throughout the process. “Thycotic support people
are fantastic,” he said. “They helped us make sure the migration was successful.”
SailPoint sub-topics
● Build an identity-centric Zero Trust framework
● Discover and remove unauthorized cloud access
● Identify and remediate risky access
● Protect access to unstructured data
● 2 Minutes to Joiner-Mover-Leaver
● Case Study
Build an identity-centric Zero Trust framework
Zero Trust is a cyber security model built on the principle that no user or device, inside or outside your network, is trusted by default; every access request must be verified.

Under this framework, identities are continuously validated through authentication and authorization methods.

Security doesn't stop once an identity enters the network: identities are re-validated as they move laterally within it, so a foothold on one system does not automatically grant access to the next.

Zero Trust's approach to security builds a defense through your identity infrastructure rather than your network perimeter.

This methodology has proven effective in warding off potential security threats and data breaches.
Discover and remove unauthorized cloud access
Cloud governance is a set of rules or controls used to manage user access, compliance and budget, and to reduce security risk across your multi-cloud environment.

It helps discover, protect and govern access to all apps, data and privileged accounts across your cloud infrastructure.

It gives you a centralized view of which users have access and from which access points, lets you monitor suspicious activity, and mitigates risk by preventing unauthorized access from external networks, users and services.
Cloud Governance Best Practices
● Align business and governance objectives
● Incorporate automation
● Routinely audit your security tools
● Keep cloud resources up to date

The Four Biggest Challenges to Managing Identity in the Cloud
● Lack of visibility
● The difficulty of federated access
● Lack of automation
● Inability to take action

Protect access to unstructured data
SailPoint offers a service that provides identity governance for your unstructured data.

Entitlement reviews provide the oversight demanded by industry on all critical information that your business possesses; SailPoint's reviews target both applications and data.

SailPoint's unified platform gives you protection of applications and data in a single place, providing unified policies that mitigate risk, ensure compliance, and protect the sensitive information of your business wherever it resides.
MFA sub-topics
● Introduction Multi Factor Authentication
● Types of MFA Authentication Methods
● Attacks prevented by MFA
● User activity compliance
● Case Study
Introduction Multi Factor Authentication
Multi-factor authentication, or MFA, is a best practice for adding a security layer to your user authentication.

A high-assurance method, MFA helps secure access in the event of compromised user credentials.

It creates an additional barrier that attackers would have to overcome when attempting to gain access to your IT environment.
What is MFA?
MFA is an access management control that requires two or more independent authentication mechanisms, drawn from different factor categories, before granting access to IT resources such as applications and devices.
How Does it Work?
MFA provides enhanced assurance that the right employee or customer is accessing confidential or personal information.

You can use MFA for access to devices, applications, websites and so on.

Two-factor authentication (2FA) is the special case of MFA with exactly two factors. Typically, 2FA involves a password and requires a secondary mechanism from a different category (for example, a code from a device the user holds).
Types of Authentication
Authentication components, or factors, usually fall into one of three categories:

Knowledge: "something you know" (a password, PIN or security question)

Inherence: "something you are" (a fingerprint, face or other biometric)

Possession: "something you have" (a phone, hardware token or smart card)

Other authentication signals:
Geolocation
Action (e.g., making a gesture or choosing a series of images)
Time windows
These are usually applied as contextual, risk-based signals alongside the three main factors rather than as factors in their own right.

Most commonly, MFA uses a memorized secret as one of the two or more authentication layers.

However, the industry is moving toward a passwordless authentication future, which would eliminate knowledge-based factors because they are the easiest to guess, phish, or reuse.
Benefits of MFA
MFA is a preventative measure that not only enhances security but also improves regulatory compliance.

By integrating MFA into your identity and access management (IAM) platform, you create:
● a seamless, identity-aware infrastructure
● secure access to resources
● better controls for your identity governance


Examples of MFA
MFA can be applied both to your customer and your employee access.

Example 1
A user trying to log into an account receives a link via email and enters login credentials after clicking on that link. Possession of the mailbox is the second factor. This method is more likely in a customer access scenario.

Example 2
After entering login credentials, a user receives a push notification on a mobile device authenticator app and must either confirm the access attempt or enter the displayed code (depending on the authenticator).

Example 3
When a user requests login, a one-time password (OTP) is sent out of band via email, text message or phone call. This method is common for financial institutions, although SMS and voice delivery are the weakest possession factors because the code can be intercepted or the phone number taken over. A time-based one-time password (TOTP), by contrast, is not sent anywhere: an authenticator app computes it from a shared secret and the current time, and the server computes the same value to compare.
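As an added example (not from the slides), the following Python implements HOTP and TOTP the way an authenticator app and its server compute them, including the clock-drift window and the replay check a verifier needs. The key is the RFC 4226/6238 test-vector key so the first codes can be checked against the RFCs; the `last_used` parameter stands in for an assumed per-user store of the last accepted counter.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a drift window and replay check.

Added example. The code is derived from a shared secret and the current
time step, never transmitted to the user. `last_used` is an assumed stand-in
for whatever per-user store a real service keeps.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1, digits: int = 6,
                last_used: int = -1) -> Optional[int]:
    """Return the matching counter (the caller persists it as the new
    last_used) or None. Counters <= last_used are refused, so a code captured
    by phishing or a keylogger cannot be replayed inside the drift window."""
    if not (code.isdigit() and len(code) == digits):
        return None
    at = time.time() if at is None else at
    counter = int(at // step)
    for drift in range(-window, window + 1):
        c = counter + drift
        if c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def provisioning_uri(issuer: str, account: str, secret: bytes,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// key URI that authenticator apps read from an enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}"
            f"?secret={b32}&issuer={issuer}&algorithm=SHA1"
            f"&digits={digits}&period={step}")


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 4226/6238 test-vector key
    print(hotp(key, 0), totp(key, at=59))  # 755224 287082
    print(provisioning_uri("Example", "alice@example.com", key))
```

Two details matter in practice. The window of plus or minus one step tolerates phone clock drift without letting a code live much beyond a minute, and returning the matched counter so it can be stored is what turns a "one-time" password into one that really is accepted only once. Neither helps against a phishing page that relays the code to the real site in real time; that needs an origin-bound factor such as a FIDO2 security key.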
Attacks prevented by MFA
● Phishing
● Spear phishing
● Keyloggers
● Credential stuffing
● Brute force and reverse brute force attacks
● Man-in-the-middle (MITM) attacks

How MFA combats common cyber attacks
Multi-factor authentication works to thwart cyber criminals by requiring additional information or credentials from the user.

1. A phishing attack may garner a user's credentials, but it won't by itself provide the attacker with a fingerprint, for instance, or a code generated on a device the attacker does not hold (a security question, by contrast, is just another knowledge factor and can be phished the same way as the password).
2. A brute force or reverse brute force attack may manage to find a working username and password, but the attacker doesn't know what other authentication factors the MFA system requires and doesn't have those credentials.
3. MFA can combat more sophisticated attacks, such as MITM, by adding an extra layer of security. Even if the attacker or program inserts itself and captures the information that the user enters, the IT administrator can set up MFA to require that the user supply credentials from a different device or channel. Push-based authenticators are extremely well suited to provide a secure mechanism with minimal user inconvenience.
One caveat a practitioner should keep in mind: a one-time code or push approval can still be relayed in real time by an adversary-in-the-middle phishing site, and users can be worn down into approving unsolicited pushes ("push fatigue"). Factors that bind the authentication to the legitimate origin, such as FIDO2/WebAuthn security keys, resist these relay attacks; codes and simple push approvals do not.
MFA and IAM don't stop all types of attacks, and they don't guarantee security. But they do add additional layers of authentication that make cyberattacks more difficult.
