
MALNAD COLLEGE OF ENGINEERING, HASSAN
DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING

WORKSHOP ON CYBER SECURITY, IDENTITY AND ACCESS MANAGEMENT

PATRON: Dr. GEETHA KIRAN A, PROF & HEAD, DEPT OF CSE, MCE
RESOURCE PERSONS: Mr. RAVI KUMAR D, Mrs. SANGEETHA S, Mrs. KAVYA D (ASST. PROFESSORS, DEPT OF CSE, MCE)
Objectives
 Understand fundamentals around Identity, Authentication, Authorization, Accountability & Access Control
 Appreciate the basics of IAM & its importance from a business and security perspective
 Know various types of access control & access administration at a high level
 Explain the concept of zero trust
 Delve into perspectives around password protection
Identity (Recognition)
(Illustration: recognizing people and objects by name: Tom, Jack, Jill, Tim; a bank card; a burger and a pizza)
Identity In The Digital World
Identity in digital space is a collection of data points about an entity: an individual, an organization or an electronic device.

Identity or recognition of individuals or their devices is possible by associating unique and reliable identifiers with them.

Such information is often used by advertisers, banks, computer systems and so on to uniquely identify users, so as to provide a personalized experience and targeted promotional content.
Digital Identity Artefacts
Below are a few Digital Identity Artefacts:
 User-ID, username, passphrase, password
 Phone number
 Date of birth
 Aadhaar ID or SSN
 Electronic transaction records
Authentication And Authorization
What is Authentication?

Authentication is a process where a user proves his/her identity to gain access to a resource such as an application, system, device and so on.

What do you mean by Authorization?

 Responsible for determining a user's permission to access a particular resource
 Performed by checking the resource access request against a set of authorization policies, typically stored in a backend
 Usually the authentication process verifies a user's identity first and then enables authorization
Authorization Access Control
 The authorization model could also provide complex controls based on:
 Data, information, policies including user attributes
 User roles, groups as allocated
 Access channel
 Time of access
 Resource requested by user
 Externally associated data
 Business rules
Authentication Process
(Diagram: Single Factor, Two-Factor and Multi Factor Authentication, together with Authenticator Management)
Single Factor Authenticator

Authenticators                              | Implementation      | Usability
Single challenge; one authenticator         | Inexpensive; simple | Easy to use
(password only)                             |                     |

Multi Factor Authenticator

Authenticators                                         | Implementation                          | Usability
Multiple; 2 or more; e.g. password + mobile-based      | Expensive; complex w.r.t. single factor | Not very difficult in case of OTP;
auth code                                              |                                         | biometric may be a bit tedious
Identity Management
 A strategy for identity management is crucial for an organization, as logical access control is a fundamental requirement for secured and reasonable access of entities to its sensitive resources.
 It is the process used to "recognize" individuals (entities, people, resources or processes) accurately before granting access to intended resources.
 Background checks, vendor management & contractual clauses help in the overall identity management process.
Authenticator Management
(Diagram: authenticator management cycle with four numbered stages, 01 to 04)
Tenets Of Authorization
 Segregation of Duties (SoD)
 Need to know basis
 Principle of least privilege
 Unsuccessful logons
 Session concurrency / last login notification
 Notification of system usage
Segregation Of Duties
 SoD primarily separates the responsibilities associated with an action or process, to decrease the opportunity for misbehavior or policy violations
 One person develops and another tests (the "developer and tester" concept)

(Illustration: separate roles: Developer, Tester, Analyst, Consultant)
Need To Know Basis
 Access to systems should only be granted to entities with a legitimate need to know the information contained within the system
 This principle prevents over-exposure of sensitive information, which would otherwise become likely to be misused
 Example 1: An employee using an allotted virtual machine may need credentials for a local user to log in, but may never need the credentials of the hypervisor or even of the root/admin account.
 Example 2: A manager in an organization may need to know some personal information, including salary information, about their direct reports, but would never require such information about other employees in the organization.
Principle Of Least Privilege
The principle of least privilege states that individuals or systems should only have the access necessary to perform the specific activities required for their job role.

When entities or individuals are not performing work on these types of activities, they should not use privileged access accounts.

The least privilege principle ensures that what can be done with the information (rwx) is limited to the least amount of access necessary to perform those actions.
Unsuccessful Logons

Limiting the number of unsuccessful login attempts by a user during a specific period can reduce the potential for guessing credentials.

(Illustration: a sequence of logon attempts: Unsuccessful, Successful, Successful, Unsuccessful, Successful)
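One way to implement the control described above is a sliding-window limiter: failures inside the window are counted, a threshold locks the account for a period, and a successful logon resets the count. The code below is an added example written for this workshop page, not code from the slides; the thresholds, the user name and the sample attempt log are assumed.

```python
# Added example (not from the workshop slides): a sliding-window limiter for
# unsuccessful logons. The thresholds are assumed policy values.
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed: 5 failed attempts ...
WINDOW_SECONDS = 600    # ... within 10 minutes ...
LOCKOUT_SECONDS = 900   # ... lock the account for 15 minutes


class LogonLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time the lockout ends

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_attempt(self, user, success, now):
        """Record one logon attempt and return 'granted', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"  # even a correct password is refused during lockout
        q = self.failures[user]
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if success:
            q.clear()  # a good logon resets the failure window
            return "granted"
        q.append(now)
        if len(q) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            q.clear()
            return "locked"
        return "denied"


def replay(events, limiter=None):
    """Feed (timestamp, user, success) tuples through a limiter; return outcomes."""
    limiter = limiter or LogonLimiter()
    return [limiter.record_attempt(user, ok, t) for t, user, ok in events]


# Constructed sample: five wrong guesses for 'alice' within 40 s, then the
# correct password during the lockout, then again after the lockout expires.
SAMPLE = [(0, "alice", False), (10, "alice", False), (20, "alice", False),
          (30, "alice", False), (40, "alice", False), (50, "alice", True),
          (1000, "alice", True)]
```

Running `replay(SAMPLE)` shows the fifth failure locking the account and the correct password being refused until the lockout expires.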
Session Concurrency / Last Login Notification
 Notifying the end user of the last login can provide information to the end user in order to determine if unauthorized access was obtained
 Concurrent sessions occur when two or more sessions exist at the same time; this may be prohibited because most users would only create a single session for system access
 Additional sessions using the same credentials might be an indication of malicious behavior or a compromised account
Notification Of System Usage

 Banners and login displays notify users who are accessing a confidential system that, if they access the system, they may be subject to monitoring, auditing and justification of system access

(Diagram: user credentials (login, password) are matched against the IAM database; a match leads to Access Granted, otherwise Access Denied)
Access Control

Access Control: Access control is referred to as a security method used to control who or what can access (read, use, modify and so on) a resource in a digital environment.

Forms Of Access Control: Physical Access Control; Logical Access Control

Types Of Access Control:
 Mandatory Access Control (MAC)
 Discretionary Access Control (DAC)
 Role-Based Access Control (RBAC)
 Rule-Based Access Control
Key Considerations
 Prevent access
 Determine access
 Grant access
 Revoke access
 Audit access
Mandatory Access Control (MAC)

 Primarily, MAC is a way of assigning access rights based on policies/restrictions enforced by a designated central authority

Criteria 'defined' by | Enforced by                    | Can't be altered by
System admin          | OS, application access control | End user
Discretionary Access Control (DAC)
 Discretionary access control policy is a way to allocate access rights on the basis of rules specified by the user (typically the information owner)
 The fundamental concept behind DAC is that the information owners can govern access to files and objects

User | File: A.txt | File: B.txt
Rey  | rwx         | r--
John | r--         | rwx
Role-Based Access Control (RBAC)
 RBAC is a strong security control, because it enables users (employees) to access only the relevant information that pertains to their current role in the organization

User permissions are mapped to specific enterprise roles, and whenever an employee changes role the corresponding access permissions change.

(Diagram: User -> Role -> Access Permissions)
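The two models contrast well in code: under DAC the owner's matrix (the Rey/John table on the DAC slide) is consulted directly, while under RBAC a user holds only a role and every permission is derived from it, so a role change re-derives the whole permission set. The block below is an added example for this page, not the slides' own code; the roles, permission names and the employee "priya" are assumed.

```python
# Added example, not from the slides: the DAC matrix from the DAC slide
# (Rey and John over A.txt and B.txt) next to an RBAC mapping in which changing
# an employee's role re-derives every permission. Roles, permissions and the
# employee name are assumed for illustration.

# DAC: the information owner's matrix decides; rows are users, columns files.
DAC_MATRIX = {
    "Rey":  {"A.txt": "rwx", "B.txt": "r--"},
    "John": {"A.txt": "r--", "B.txt": "rwx"},
}


def dac_allows(user, filename, op):
    """op is 'r', 'w' or 'x'; unknown users or files get no access (fail closed)."""
    mode = DAC_MATRIX.get(user, {}).get(filename, "---")
    return op in mode


# RBAC: permissions hang off roles; a user is only ever assigned a role.
ROLE_PERMISSIONS = {                       # assumed roles and permissions
    "developer": {"repo:read", "repo:write", "ci:run"},
    "tester":    {"repo:read", "ci:run", "bugtracker:write"},
    "analyst":   {"reports:read"},
}


class Rbac:
    def __init__(self):
        self.user_role = {}

    def assign(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.user_role[user] = role  # replacing the role replaces all permissions

    def permissions(self, user):
        return ROLE_PERMISSIONS.get(self.user_role.get(user), set())

    def allows(self, user, permission):
        return permission in self.permissions(user)


def role_change_demo():
    """A hypothetical employee moves from developer to tester and loses repo:write."""
    rbac = Rbac()
    rbac.assign("priya", "developer")
    before = rbac.allows("priya", "repo:write")
    rbac.assign("priya", "tester")
    after = rbac.allows("priya", "repo:write")
    return before, after
```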
Rule-Based Access Control (RuBAC)
 Rule-based access control is a strategy to manage user access on multiple systems, based on dynamically triggered rules
 RuBAC is also referred to as automatic provisioning

With RuBAC, once your request is sent for accessing a network resource, some security control (for example, a firewall) would verify the properties of the request against a set of predefined rules. For example, the corresponding rule may block an IP address, a specific port and so on.
Access Administration Process
(Diagram: Provisioning -> Monitoring & Reviewing -> Termination)
Access Provisioning
 User provisioning

High level categories of user provisioning:
 Discretionary account provisioning
 Self service account provisioning
 Workflow based account provisioning
 Automated account provisioning
Access Monitoring & Review
(Illustration, user speaking: "I have access to database, bank account, mail server, credit card")

Access Termination
(Illustration, user speaking: "My access is terminated")
Managing Digital Identities
IdAM

Identity and Access Management
• It is a harmonious group of policies, processes and systems
• It helps an organization to define, create and govern the utilization and security of identity information, and to manage access permissions of various resources to the user.

Key Capabilities
• Management of digital identities
• Management of user authentication
• Management of resource access authorization
IdAM – Authentication Of Users
User Authentication

• Provides verification of the digital identity of a user
• Provides the resource a level of confidence that the requesting user is authentic
• Achieved by submitting and validating credentials as proof of identity

Types of user credentials:

• Something you know
• Something you have. Example: tokens, OTP; can be changed over time; modern and easy
• Something you are. Example: biometrics such as thumb impression, retina image and so on; a particular constant for an individual; difficult to implement and protect
IdAM – Authorization Of Access To Resource
Authorization to users
 Controlling resource access is key while protecting sensitive, confidential, private information from unauthorized users.
 Enables a designated entity (role) to grant or restrict access permissions to a given set of resources in an enterprise, based on the evaluation of applicable policies.

The authorization process usually involves two steps at a high level:
 A user requests access to a resource (for a time, extent)
 An authority takes the access control decision based on compliance with several organizational policies and the security context of the requested access
IdAM LIFE CYCLE
01 Provisioning: account initiation
02 Authentication: identity establishment
03 Authorization: user
04 Account self-service
05 Monitoring & compliance
06 De-provisioning: account termination
IdAM Implementation Perspectives
 Employees
 Customers
 Partners
 Organization
Business Reality Vs Traditional IdAM
 Hurdles around standardization in cross-domain user provisioning
 Disconnect between siloed IAM approaches for different audience/functional groups
 Disconnect between traditional IdAM and today's digital business reality
 Weakened control of authentication and authorization
Concept Of Zero Trust
Zero trust is a security concept according to which organizations should never implicitly trust any request for access, irrespective of its location with respect to the boundaries of their perimeter. Each and every connection request must be thoroughly verified before permitting the access.

 Operate on the principle of least privilege in the right context
 Base decisions on the sensitivity of applications and data
 Uniformly handle access channels, hosting models and business functions
 Integrate cyber-security and log aggregation solutions with IdAM tools
Zero Trust Model

The zero trust model of information security primarily helps an organisation to transition beyond the traditional castle-based approach to security, which considered everything inside as secure.

With the advancement in technology, as the boundaries of the organisation's perimeter are diminishing, the old castle-based approach no longer works well and, if not altered, leads to complex and severe data breaches. For example: as per the old approach, if an attacker gets inside a perimeter firewall he is then practically free to move anywhere within the organisation network without any major hurdles.
Approach To An Effective IdAM Strategy
 Maintain or improve customer experience across channels
 Identify dependencies and other risks
 Analyse executive attention and buy-in
 Avoid disrupting existing employee services
Password Policies and Practices
 Having a strong and up-to-date password policy is a security requirement for an organisation
 A good password has primarily two attributes: easy for the user to remember, and difficult for anyone else to guess or discover
 Key attacks on unknown passwords:
1) Dictionary attack
2) Brute force attack

Known passwords:
 Leaked passwords are known and may be used unless they are changed; moreover, when a password gets leaked it also reveals the pattern in which a user tends to choose his or her passwords
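A password policy that targets the three weaknesses just listed (dictionary words, a small brute-force search space, and already-leaked passwords) can be checked at enrolment time. The block below is an added example for this page, not code from the slides; the word list, the leaked-password list, the SHA-1 storage of that list and the length/entropy thresholds are all constructed assumptions.

```python
# Added example, not from the slides: a password-policy check covering the
# dictionary, brute-force and known/leaked password cases discussed above.
# Word list, leak list and thresholds are constructed; real ones are far larger.
import hashlib
import math
import string

DICTIONARY = {"password", "welcome", "summer", "hassan", "college"}  # constructed
# Leaked passwords are kept only as SHA-1 digests (assumption: the way a breach
# corpus is usually distributed), so the plaintexts never sit in the policy file.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
               for p in ("Password123", "Welcome@2023", "qwerty")}  # constructed
MIN_LENGTH = 12            # assumed policy values
MIN_ENTROPY_BITS = 50


def brute_force_bits(password):
    """Upper bound, in bits, on the search space a brute-force guesser must cover."""
    pool = 0
    if any(c.islower() for c in password): pool += 26
    if any(c.isupper() for c in password): pool += 26
    if any(c.isdigit() for c in password): pool += 10
    if any(c in string.punctuation for c in password): pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def dictionary_base(password):
    """Strip the digit/symbol padding users add, so 'Summer2024!' still hits 'summer'."""
    return password.lower().strip(string.digits + string.punctuation)


def check_password(password):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if dictionary_base(password) in DICTIONARY:
        problems.append("dictionary word")
    if brute_force_bits(password) < MIN_ENTROPY_BITS:
        problems.append("brute-forceable")
    if hashlib.sha1(password.encode()).hexdigest().upper() in LEAKED_SHA1:
        problems.append("known leaked password")
    return problems
```

`check_password("Summer2024!")` is rejected as a padded dictionary word even though it mixes all four character classes, which is exactly the "pattern" a leaked password reveals.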
Password Handling: User's View

 Easy passwords can be set and authentication remains quick
 Expect the provider to be secured against typical application security attacks and password leakage
 Easy password servicing (resets, changes and so on)
 Copy-pasting of passwords is allowed (not as safe)
Identity Theft
(Diagram: Identity Theft splits into True-name identity theft and Account-takeover identity theft)
Common Techniques For Identity Theft
 Dumpster diving
 Shoulder surfing
 Spamming
 Malware
THANK YOU
