IAM Introductions Sub-topic
Access controls are designed to allow, deny, limit, and revoke access to resources
through identification, authentication, and authorization.
Concepts:
● Identification: Identification is the introduction or presentation of an entity
(person or device) to another entity.
● Authentication: Authentication is a process in which the credentials provided
by an entity are compared to the entity’s information stored on a system to
validate the identity.
● Authorization: Authorization occurs after an entity’s identification and
authentication have taken place, to determine exactly what the entity is allowed to do.
● Principle of Least Privilege: The principle of least privilege dictates that we should
only allow the bare minimum of access to an entity (which may be a person,
device, account, or process) that it needs to perform its required function.
● Principle of Separation of Duties: Separation of duties is achieved
by dividing a task, and the authority for a specific business process, among multiple
users, so that no single user can complete the sensitive process alone.
● Access Control List: An access control list (ACL) is a list, typically attached to an
object in a computer file system, which records the permissions granted on that object.
● An ACL specifies which users or system processes are granted access to
objects, as well as which operations are allowed on those objects.
● Capabilities: Where ACLs define permissions based on a given
identity and a set of permissions, capability-based access provides an
alternative method of granting access based entirely on something we
possess, such as a token, access badge, or pass code.
In a capability-based system, applications can share with other
applications the token that defines their level of access.
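A small model of the two models just described, written for these notes (not code from any vendor): in the ACL guard the permission is looked up by identity on the object, while in the capability guard possession of an unguessable token is the permission, and a token can be narrowed before it is shared with another application (least privilege when delegating). Class, user and object names are constructed for the demo.

```python
import secrets

class AclGuard:
    """ACL model: each object carries a map of identity -> allowed operations."""
    def __init__(self):
        self.acls = {}  # object -> {identity -> set of operations}

    def grant(self, obj, identity, ops):
        self.acls.setdefault(obj, {}).setdefault(identity, set()).update(ops)

    def revoke(self, obj, identity):
        # A leaver is cut off by removing their entry on each object they could reach.
        self.acls.get(obj, {}).pop(identity, None)

    def check(self, obj, identity, op):
        # Assumes the identity was already authenticated by the caller.
        return op in self.acls.get(obj, {}).get(identity, set())

class CapabilityGuard:
    """Capability model: whoever holds the token holds the rights it encodes."""
    def __init__(self):
        self.tokens = {}  # token -> (object, frozenset of operations)

    def mint(self, obj, ops):
        token = secrets.token_hex(16)  # random, so it cannot be guessed or forged
        self.tokens[token] = (obj, frozenset(ops))
        return token

    def attenuate(self, token, ops):
        # Derive a weaker token for sharing: never more rights than the parent.
        obj, have = self.tokens[token]
        return self.mint(obj, have & set(ops))

    def revoke(self, token):
        self.tokens.pop(token, None)

    def check(self, token, op):
        entry = self.tokens.get(token)
        return entry is not None and op in entry[1]

def demo():
    acl = AclGuard()
    acl.grant("/etc/shadow", "root", {"read", "write"})
    acl.grant("/etc/shadow", "backup", {"read"})        # read-only: least privilege
    cap = CapabilityGuard()
    admin_tok = cap.mint("/etc/shadow", {"read", "write"})
    backup_tok = cap.attenuate(admin_tok, {"read"})      # narrowed before sharing
    return {"acl_backup_read": acl.check("/etc/shadow", "backup", "read"),
            "acl_backup_write": acl.check("/etc/shadow", "backup", "write"),
            "cap_backup_read": cap.check(backup_tok, "read"),
            "cap_backup_write": cap.check(backup_tok, "write"),
            "cap_forged": cap.check("not-a-minted-token", "read")}
```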
Access Control Methodologies
The most common set of simple access control models includes discretionary
access control, mandatory access control, rule-based access control, role-based
access control, and attribute-based access control.
Types of Access Control Models
● Provisioning software
● Identity Repositories
Thycotic
● thycotic.com
PAM, on the other hand, serves administrative and privileged users by
defining and controlling the administrative roles of admin accounts.
Key Privileged Access Management definitions
The PAM industry began with the core capabilities of privileged account management.
Privileged accounts are the keys to your IT kingdom because they can be used to access a
sensitive server, adjust permissions, make backdoor accounts, or change or delete critical
data.
Risks & Vulnerabilities related to privileged accounts
Many high-profile breaches have one thing in common:
They were accomplished through the compromise of privileged credentials. Industry analysts
estimate that up to 80% of all security breaches involve the compromise of privileged accounts.
It’s also your responsibility to make sure data going to and from the cloud (via
Web browsers, Email, File exchanges such as SFTP, APIs, SaaS products, and
streaming protocols) is properly secured.
How do cyber-criminals compromise privileged accounts?
It is important to understand the tricks and techniques cybercriminals use to wrest control of
these accounts. The path to compromising a privileged account often follows a variation of this
pattern:
● Compromise a local account
● Impersonate employees
● Cause harm
Preventing privileged account attacks with PAM
The overall goal when designing your privileged access management process
and implementing solutions is to arm IT and security professionals with tools
they need to control access within their corporate environment, thus reducing
the attack surface by limiting privileged access and behavior
● Why is it so difficult to prevent attacks using network or perimeter security
tools?
Password Vaulting
Automation
Disaster Recovery
Session Management
Audit trails and email alerts keep administrators informed of what’s going on in the
IT environment. Session monitoring and recording increases visibility of privileged
account activity.
There are also permissions as well as role-based access controls to give users the
access they need to do their jobs.
Last but not least, PAM allows you to sever the access users had the moment they
leave your organization—an action that a surprising number of organizations fail to
include in their PAM strategy.
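The vaulting, time-window, audit-trail and leaver points above, as a toy model added to these notes (not Thycotic or any product's code): a checkout of a privileged credential succeeds only inside the user's approved window, every attempt is logged without the secret itself, and off-boarding removes all entitlements at once. Class, user and account names are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone

class PrivilegedVault:
    def __init__(self):
        self.secrets = {}       # account -> secret value (never written to the audit log)
        self.entitlements = {}  # user -> {account -> (window_start, window_end)}
        self.audit = []         # append-only (time, user, account, event)
        self.active = set()     # users who have not been off-boarded

    def add_account(self, account, secret):
        self.secrets[account] = secret

    def entitle(self, user, account, start, end):
        self.active.add(user)
        self.entitlements.setdefault(user, {})[account] = (start, end)

    def checkout(self, user, account, now):
        """Return the secret only for an active user inside a live window; log either way."""
        window = self.entitlements.get(user, {}).get(account)
        allowed = (user in self.active and window is not None
                   and window[0] <= now <= window[1])
        self.audit.append((now, user, account, "checkout" if allowed else "denied"))
        return self.secrets[account] if allowed else None

    def offboard(self, user, now):
        """Leaver: sever every entitlement the moment the user departs."""
        self.active.discard(user)
        self.entitlements.pop(user, None)
        self.audit.append((now, user, "*", "offboarded"))

    def denied_events(self):
        # Denied checkouts are what an administrator would want alerted on.
        return [e for e in self.audit if e[3] == "denied"]

def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    vault = PrivilegedVault()
    vault.add_account("db-admin", "constructed-secret")
    vault.entitle("alice", "db-admin", t0, t0 + timedelta(hours=2))
    inside = vault.checkout("alice", "db-admin", t0 + timedelta(minutes=30))
    late = vault.checkout("alice", "db-admin", t0 + timedelta(hours=3))
    vault.offboard("alice", t0 + timedelta(days=1))
    after_leave = vault.checkout("alice", "db-admin", t0 + timedelta(days=1, hours=1))
    return inside, late, after_leave, len(vault.denied_events())
```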
How to develop a comprehensive PAM solution
Before planning a phase you must answer several key questions:
How do you define a privileged account for your organization?
Who needs access to your privileged accounts?
Do you rely on third-party contractors that need access?
Do you set time windows for privileged account usage?
What happens if privileged accounts are compromised?
What’s the risk of privileged accounts being exposed or abused by an insider?
Do you have an IT security policy that explicitly covers privileged access management?
Do you have to comply with government or industry regulations?
What reports does your CISO expect on privileged account use and exposure?
Building on the PAM basics
● Audit and analyze privileged account activity.
● PAM can also be used to improve insights into vulnerability assessments, IT network inventory
scanning, virtual environment security, and administration and behavior analytics.
Loyola University Maryland Case Study
Background
Loyola University Maryland is a private university founded by the Jesuits in 1852. With nearly 5,000 students and more than 400 faculty, the university maintains
four campuses in the Baltimore metropolitan area. Tim Enders, Senior System Engineer in Loyola’s 55-member Department of Technology Services, serves on the
IT infrastructure team and is responsible for authentication and security for servers and storage. Having spent more than 20 years at Loyola, he has been a
customer of Thycotic Secret Server on-premise and a daily user for the past six years, up to when the team transitioned to Secret Server Cloud.
Challenges
Loyola University Maryland initially deployed the on-premise version of Secret Server to gain control over privileged credentials used by the Technology Services
team.
Solution
While Enders was confident about the decision to move to Secret Server Cloud given his extensive experience with the on-premise version, the transition was
carefully planned. “Our CISO conducts a security audit of each of our vendors,” he said, “and she wanted to make very certain we were absolutely buttoned up
when making the transition.” “We set up the Secret Server Cloud environment in about a week or so and the actual migration took only a day,” Enders explained.
“We put a change hold on Secret Server on premise, and the move to the cloud was accomplished without a hitch. In fact, it’s probably one of the smoothest SaaS
migrations I’ve experienced.” Enders pointed to the exceptional attention he got from the Thycotic support team throughout the process. “Thycotic support people
are fantastic,” he said. “They helped us make sure the migration was successful.”
Sailpoint sub-topics
● Build an identity-centric Zero Trust framework
● Discover and remove unauthorized cloud access
● Identify and remediate risky access
● Protect access to unstructured data
● 2 Minutes to Joiner-Mover-Leaver
● Case Study
Build an identity-centric Zero Trust framework
Zero Trust is a cyber security model that runs on the belief of trusting no one inside or outside your
network until their identity has been verified.
Under this framework, identities are continuously validated through authentication and authorization
methods.
Security does not stop once an identity enters the network: identities are continuously validated as they
move laterally within it.
Zero Trust’s approach to security builds a defense through your identity infrastructure, rather than your
network perimeter.
This methodology has been proven effective in warding off potential security threats and data breaches.
Discover and remove unauthorized cloud access
SailPoint helps discover, protect and govern access to all apps, data and privileged
accounts across your cloud infrastructure.
You get a centralized view of which users have access and from which access points,
can monitor suspicious activity, and can mitigate risk by preventing unauthorized access
from external networks, users and services.
Cloud Governance Best Practices
Incorporate Automation
Lack of visibility
Lack of automation
SailPoint also offers a service that provides identity governance for your unstructured data.
SailPoint’s unified platform gives you complete protection of applications and data
in a single place, providing unified policies that mitigate risk, ensure compliance,
and protect the sensitive information of your business wherever it resides.
MFA sub-topics
● Introduction Multi Factor Authentication
● Types of MFA Authentication Methods
● Attacks prevented by MFA
● User activity compliance
● Case Study
Introduction Multi Factor Authentication
MFA is an access management tool that combines two or more security mechanisms
for accessing IT resources, including applications and devices.
How Does it Work?
You can use MFA for access to devices, applications, websites and so on.
time windows.
Most commonly, MFA uses a memorized secret as one of the two or more
authentication layers.
MFA is a preventative measure that not only enhances security but also improves
regulatory compliance.
By integrating MFA into your identity and access management (IAM) platform, you create a:
● Seamless
● Identity-aware infrastructure
● Secure
MFA can be applied both to your customer and your employee access.
1. A user trying to log into an account receives a link via email and enters login
credentials after clicking on that link.
● Phishing
● Spear phishing
● Keyloggers
● Credential stuffing
1. A phishing attack may garner a user’s credentials, but it won’t provide the hacker with a fingerprint, for
instance, or the answer to a personal security question.
A brute-force or reverse brute-force attack may manage to find a working
username and password, but the attacker does not know what other authentication
factors the MFA system requires and does not have those credentials.
MFA can combat more sophisticated attacks, such as MITM, by adding an extra layer of security.
Even if the hacker or program inserts itself and captures the information that the user enters, the
IT administrator can set up MFA to require that the user supply credentials from a different device
or channel. Push-based authenticators are extremely well suited to provide a secure mechanism
with minimal user inconvenience.
MFA and IAM do not stop all types of attacks, and they do not guarantee security. But
they do add additional layers of authentication that make cyberattacks more
difficult.