BUS-538 Identity and Access Management

Access Control in SQL

- Authentication is not access control - it's one part of it, but could be the whole thing in simple systems - Account sharing problems: one gets fired or demoted, accountability, etc. - Sharing account vs having the same role: easy to revoke privileges from one user, accountability for specific users is role-based access control

Physical access controls

- Control access to spaces - Grant or restrict access to facilities, buildings, floors, and rooms

Vulnerabilities of Passwords

- Cracking - Popular Attack theft of file - Specific Account Attack - Guessing against Single User - Exploiting User Mistakes - Exploiting Multiple Use - Workstation Hijacking - Electronic Monitoring

Monitoring: Determining Control

- Determining Users: who should access what, involves trust, consistency in access is important - Defining Resources: role-based - Specify Use: level of use & actions permitted - RWX - Accountability: provide evidence for forensics

Password Countermeasures: Use hashed passwords

- Don't store plaintext passwords - instead hash before storing - Hash what user enters and compare hashes - If file is lost, passwords are not immediately known

Remote Authentication Security Issues

- Eavesdropping - Replay - Client attacks - Server attacks - Trojan horse - Denial-of-service

Monitoring: Information Classification

- Evaluating risk level of info to ensure appropriate level of protection - Establishing Data Classification Program: depends on nature of organization & information in organization - Labeling & Marking: public, internal use only, confidential, restricted - Data Classification Assurance: testing data classification

Password Vulnerabilities: File Access Control

- O/S Bugs - Accidental permissions making password files readable - Password reuse - Access from unprotected backup media - Password sniffer in unprotected network traffic

SAML Process

- Principal requests service from Service Provider - Service Provider requests & obtains identity assertion from identity provider ---- Before delivering identity assertion, Identity Provider may request some info from Principal in order to authenticate - Service Provider can make access control decision - grant or deny

Monitoring: Identity & Access Lifecycle

- Provisioning: new/existing users require additional access to resource - Review: regular monitoring of access rights & usage in form of automated checks & manual audits - Revocation: removing some of or all access rights of a user

Monitoring: Access Control Requirements

- Reliability: consistent results - Transparency: reduce user interaction with security system - Scalability/Maintainability - Integrity/Auditability: provable performance - Secured Authentication Data

Biometric Considerations

- Resistance to counterfeiting - Data storage requirements - User acceptance - Reliability and accuracy - E.g., RBAC with Biometric access

Other SSO terms

- SAML: What we've seen. Can use existing IdP. (e.g., IU-Outlook) - Facebook Connect: Similar to above but proprietary to Facebook - OpenID: Similar to SAML. User credentials are maintained by third party (e.g., Google, MS, Yahoo, etc.).

Monitoring enables management to

- Specify which users can access system - Specify what resources they can access - Specify what operations they can perform - Enforce individual accountability

Access controls enable management to:

- Specify which users can access the system - Specify what resources they can access - Specify what operations they can perform - Enforce individual accountability

Password Countermeasures

- Stop unauthorized access to password file - what if file is stolen? - Account lockout mechanism - Policies again using common password - Training & enforcement of policies - Automatic workstation logout - Intrusion detection measures - Offline Dictionary Attack?? - Block offline guessing attacks by denying access to hashed passwords

Authorization Mechanisms: Access Control Lists (ACLs)

- Subject: entity that can access objects --- Classes: owner, group, world - Object: access-controlled resource --- File, directories, records - Access Right: way in which subject accesses object --- Read, write, execute

Identity Management in Cloud: Process

- Subscriber requires to provision user accounts for subscriber users to access cloud & synchronization of enterprise system-wide user accounts from enterprise data center-based infrastructure to cloud 🡪 if someone is demoted from a management position, their access rights should reflect that immediately - Subscriber users log in to cloud apps/services after authentication using standard protocols like SAML or Kerberos - Subscriber administrators manage (add/delete/change) data access authorization policies for data stored in cloud - Subscriber requires changes to user credentials in enterprise's identity provider system to be automatically communicated to infrastructure in provider's system for integrity of access & maintenance of policies - Continuously monitor provider infrastructure to demonstrate compliance with subscriber security policies & auditing requirements

Access Control Concepts - Specifying use

- The level of use and actions permitted by a user of a specific resource - Common permissions are (RWX)

Password Countermeasures: Password Creation

- Use computer-generated passwords - Proactive Check: reject choices that are too short - Reactive check: use crackers with lists of likely passwords

SP Initiated SAML SSO

- User chooses browser bookmark/link that takes them directly to Service Provider app resource - Service Provider sends user to Identity Provider to authenticate - Identity Provider builds assertion representing user's authentication & then sends user back to Service Provider with assertion - Service Provider processes assertion & determines whether to grant or deny access

IdP Initiated SAML SSO

- User visits Identity Provider where they are already authenticated & click link to partner Service Provider - Identity Provider builds assertion for user's authentication - Identity Provider sends user's browser to Service Provider's assertion consumer service, which processes assertion & create local security context for user at Security Provider

Access Control Concepts - Defining resources

- What resources does the user need access to? - Based on need/role - Role Based Access Control

Access Control Concepts - Determining Users

- Who can access a particular system or specific information? - Giving access involves a trust relationship - Consistency in access is very important

Authorization Mechanisms: Discretionary Access Controls (DACs)

- controls placed on data by data owner; controls on use are determined by owner - Identity-based access controls - Commonly seen in general purpose OS

Authorization Mechanisms: Mandatory Access Controls (MACs)

- controls placed on data by owner & system - more restrictive & specialized - System enforces security policies - Based on classification/security clearance of object*** - Classification: clearance - Category: need-to-know - Owner provides need-to-know control & system controls access

Object reuse

- double use of a variable (software), reusing a hard drive ( hardware)

Shoulder surfing

- looking over someones shoulder for finding their password

Improve Password Implementation: MD5 Crypt

48-bit salt, unlimited password length

Improve Password Implementation: Crypt 3

8-character password with 56-bit key & 12-bit salt 🡪 very insecure, but used for compatibility

Rainbow table attacks

A mammoth table of hash values E.g. 1.4GB table cracks 99.9% of alphanumeric Windows passwords in 13.8 seconds

Backdoor/trapdoor

A software bug or some undocumented software feature that a cracker leaves behind, after exploiting a system, to be able to reenter at a later point in time.

Principle of Least Privilege

A user or process should be given no more privilege than necessary to perform a job Limits users and processes to access only those resources necessary to perform that job Requires that users job be clearly defined

_______________ is the backbone of information security

Access control

Popular password attack countermeasures

Account lockout mechanisms Policies against using common passwords Training & enforcement of policies Automatic workstation logout Intrusion detection measures

Software token

An app, or other software that generates a token for authentication. Stored on a device (desktop, laptop, mobile etc.)

Monitoring: Access Control Assurance

Audit Trail Monitoring: network, system, application, user, keystroke Auditing Issues: volume of data, clipping levels (amount of info), protect logs against unauthorized access/changes, store/archive securely

Asynchronous Token System

Based on challenge-response scheme The authentication server will provide a challenge to the remote entity Only the token that is assigned to the individual can provide the correct response, which the user will enter to authenticate

Synchronous Token System

Based on event, location or time-based synchronization Time-based model - User is given a token or smart device that uses an embedded key to generate a unique number or character string in a given timeframe - User must provide currently displayed number or character string when challenged by the system

Four means of authenticating user's identity

Based on something the individual... Knows - e.g. password, PIN Possesses - e.g. key, token, smartcard Is (static biometrics) - e.g. fingerprint, retina Does (dynamic biometrics) - e.g. voice, sign

What a Person Is

Biometric authentication Physiological - Fingerprint, facial image, retinal scanning Behavioral - Keystroke dynamics, signature dynamics Biometric systems use a technical and mathematical guess to identify a person Concerns - Changing physical and environmental conditions are an issue - False rejection and false acceptance issues

Improve Password Implementation: OpenBSD

Blowfish block cipher-based hash algorithm called Bcrypt; uses 128-salt to create 192-bit hash value

Password File Access Control

Can block offline guessing attacks by denying access to hashed passwords - Make available only to privileged users - Often using a separate shadow password file Still have vulnerabilities - Exploit O/S bug - Accident with permissions making it readable - Users with same password on other systems - Access from unprotected backup media - Sniff passwords in unprotected network traffic

Essential features of Account Management

Central facility for managing user accounts to multiple systems simultaneously Workflow system to submit requests for new, changed, or terminated system access Automatic replication of user records between multiple directories

Password Management

Centralized _____________ ___________ and synchronization Self-registration process - Set password and reset

Access Control Protocols: Kerberos Architecture

Components: - Requesting System & Services (principal) - Endpoint Destination Server - Server Also called ________ distribution center (KDC) ---- Authentication Server ---- Ticket Granting Server uses symmetrical encryption with a shared key

Access Control Protocols: AKA Federated Identity Management

Cross-Certification Trust Model Third-Party Certification Trust Model

Access Control Threats

Denial of service Distributed denial of service Buffer overflows Mobile code ActiveX, Java applets, scripts Malicious software Password crackers Spoofing/masquerading Sniffers/Eavesdropping Emanations Shoulder surfing Tapping Object reuse Data remnants Unauthorized targeted data mining Dumpster diving Backdoor/trapdoor Theft Intruders Social Engineering

Monitoring: Access Control Threats

DoS, DDoS, Buffer Overflows, Mobile Code (ActiveX, Java Applets, Scripts), Malicious Code, Emanation (emits sound), Password Crackers, Spoofing/Masquerading, Sniffers/Eavesdropping, Should Surfing, Tapping, Object Reuse, Data Remnants, Unauthorized Targeted Data Mining, Dumpster Diving, Backdoor/Trapdoor, Theft, Intruders, Social Engineering

Don'ts in Your Password Policy; "Penalize" offenders

Don't reveal a password over the phone Don't reveal a password in an e-mail message Don't talk about a password in front of others Don't hint at the format of a password (e.g., "my family name") Don't reveal a password on questionnaires or security forms Don't share a password with family members Don't reveal a password to co-workers while on vacation Don't write a password in an obvious place accessible to others

Why use hashed passwords

Don't store plaintext passwords in the password file Instead "hash" each before storing When a user enters his/ her password, "hash" it and then compare for authentication Advantage: if the file is lost, passwords are not immediately known

Physical Controls

Each zone (area) must have specified physical security controls - E.g. perimeter security, data center security, research lab security - Safe exit must be possible in case of emergency Physical entry controls

Information Classification

Evaluating the risk level of information to ensure appropriate level of protection Establishing a data classification program - Depends on nature of organization and nature of information in the organization Labeling and marking - Public, internal use only, confidential, restricted Data Classification Assurance - Testing the data classifications

Smartcard

Executes protocol to authenticate with reader/ computer E.g. contactless cards, USB dongles Increasingly popular in healthcare - Portable health records

FAR

False Acceptance Rate

FRR

False Rejection Rate

Account Management

Involves creation, modification, and decommissioning of user accounts Very complex due to the heterogeneous account management capabilities of various systems and applications, and the difficulty in interfacing

Review

Involves regular monitoring of the access rights and usage in the form of automated checks and manual audits

Revocation

Involves removing some of all of the access rights of an user

Provisioning

Involves the process when new or existing users require additional access to a resource

Logical access controls

Limit users' access to information and restrict their access on the system to only what is appropriate for them

Buffer overflows

MAC table flooding->overflowing table that is available there; programs closer to machine level need to have memory space assigned to each variable (i.e. var x = this (8bytes) ) if that overflows it can contaminate other variables and their instructions

Memory card

Magnetic stripe card Store but do not process data Magnetic stripe card, e.g. bank card Electronic _______ _____ Used alone for physical access With password/PIN for computer use Drawbacks include: - Need special reader - Loss of token issues - User dissatisfaction

Biometric Accuracy

Never get identical templates Problems of false match / false non-match

Password Vulnerabilities

Offline dictionary attack Popular password attack Specific account attack Password guessing against single user Exploiting user mistakes Exploiting multiple password use Workstation hijacking Electronic monitoring

OAuth

Open standard for authorization (not authentication) to third parties. (e.g., LinkedIn pulling your contact list from Google)

Communicating Passwords: Encrypted Network Link

Password Authentication Protocol (PAP) as legacy purpose only

Separation of Duties

Prevent fraud and errors Makes collusion a requirement for committing fraud No individual acting alone can compromise the system Requires defining the elements of a business process or a job function

Access Control Concepts - Accountability

Provide evidence for forensics

Identity and Access Lifecycle

Provisioning -> Review -> Revocation

Combining RBAC and ABAC

RBAC trades up-front role structuring effort for ease of administration and user permission review, while ABAC makes the reverse trade-off: it is easy to set up, but analyzing or changing user permissions can be problematic. ABAC makes it easy to specify access rules, but to determine the permissions available to a particular user a potentially large set of rules might need to be executed in exactly the same order in which the system applies them.

Access Control Requirements

Reliability - consistent results Transparency - reduce user interaction with security system (seen as obstacle to getting work done) Scalability/Maintainability Integrity/Auditability - provable performance Secured Authentication Data

Password policy

Require users to sign a non-disclosure agreement Allow temporary passwords to be used only once Never store passwords in clear text History of passwords should be maintained so they cannot be reused Implement a password lockout mechanism, etc.

Password Remote Authentication

Security Issues: eavesdropping, replay, client attacks, server attacks, trojan house, DoS

Access control policy should be based on:

Separation of duties Principle of least privilege

Access Control List/Matrix:

Shows which subject can access which objects. Are used in the provisioning of permissions within a given system based on policy. - ACM is a set of this - Implementation of DAC

Types of Authentication

Single factor, Two factor, or Three factor

Countermeasures

Stop unauthorized access to the password file Q. What should we do if the file is indeed stolen?

Actors in Access Control

Subject, Object, Operation, Policy

Access Control Definition

The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner The process of allowing only authorized users, programs, or other computer systems to observe, modify, or otherwise take possession of the resources of a computer system

Offline dictionary attacks

Try each word then obvious variants in a large "password dictionary" against hash in password file

Monitoring Prevention

Unauthorized use of resource

identification Essential security practices

Uniqueness - Each person or entity must be uniquely identified Non descriptiveness - User ID should not expose role or job function (e.g. root, admin, web-admin, hr, finance etc.) Secure issuance - Must use a secure and documented process to issue IDs

Password Choices

Use computer-generated passwords Users may pick short passwords Users may pick guessable passwords

Technical Controls

User controls Network access Remote access System access Application access Malware control Encryption

What a Person Has

Uses a token or physical device Can be synchronous or asynchronous

Password Authentication

Widely used user authentication method - User provides name/login and password - System compares password with "that" saved in the system itself Authenticates ID of user logging and that the ID is authorized to access system

Common directory standards

X.500: Common standard for directory format Lightweight Directory Access Protocol (LDAP): Common standard for access protocol Active Directory Domain Services (ADS/ADDS): Microsoft version

Secure Assertion Markup Language (SAML)

XML-based - creates & exchanges authentication & authorization between trusted entities over the Internet -Allows businesses to make assertions regarding identity, attributes, & entitlements of subject entity (human user) to other entities (partner companies, other enterprise apps) 3 roles: - Principal: user - Identity Provider (IdP): asserts identity of user - Service Provider (SP): consumers assertion

Profile

a collection of information associated with a particular identity or group. E.g., User ID, date of birth, home address, telephone number can also contain information related to privileges and rights on specific systems

Denial of service/Distributed denial of service

a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

Monitoring Actors: Subject

active entity that causes info to flow among objects or changes the system state; user, requestor, or mechanism acting on behalf of user or requestor

Subject

an active entity (generally an individual, process, or device) that causes information to flow among objects or changes the system state. It can be the user, requestor, or mechanism acting on behalf of the user or requestor

Spoofing/masquerading

an attack that falsifys data or uses a fake identity such as a network through legitimate access identification.

Communicating Passwords: Challenge-Response

authentication over network that is more complex 🡪 because of replay, Challenge Handshake Authentication Protocol (CHAP)

Authorization Mechanisms: Roles-Based Access Controls (RBACs)

based on roles a user is assigned - Determination of roles if done by owner of data or can be applied based on security policy - Higher upfront design time, but easier to manage - Works well for DBMS - eases admin burden & improves security --- Category of Database Users: Application Owner, End User, Administrator, Accounts Payable Clerk, Account Payable Manager, etc. - SQL Actions: create role, grant, revoke - Facebook Example: Bob cannot see because of minimum privilege 🡪 similar to firewalls - go by priority

Authorization Mechanisms: Rule-Based Access Controls

based on set of predefined rules which determine which access should be granted - if X then Y - Rules are created by system owners - If ID matches, grant access - If it's from IP address, grant access

security domain

based on trust between resources or services in realms (zones) that share a single security policy and single management Supports a hierarchical relationship The security policy defines the set of objects each user can access

Access Control Protocols: Sign Sign-On (SSO)

central authorization server enables user to authenticate one time in order to achieve access to multiple apps, machines, & domains operating with a variety of authentication methods; provides unified login experience when accessing one or multiple systems. Also known as federated ID management

Identity as a Service (IDaaS)

cloud-based service offering that broker identity & access management functions on customers' premises & in the cloud - Combination of administration & account provisioning, authentication & authorization, & reporting functions Functionality: -Identity Governance & Administration (IGA): ability to provision identities held by service to target apps - Access: authentication, single sign-on, & authorization enforcement - Intelligence: logging events & providing reporting that can answer questions (i.e., who access what & when)

2-Factor Authentication

combination of two of what you know/have/are/do; decreases chance of being hacked - if someone finds out your password, you can use your phone to deny access - Demanding two emails isn't enough 🡪 two what you knows - Google Voice: can make it so your two factors are what you know - Example: duo login with what you know & what you have - Most use what you know & what you have - MUST BE INDEPENDENT OF EACH OTHER

A corporate directory

contains a hierarchy of objects storing information about users, groups, systems, servers, printers, etc. Provides a centralized collection of data that can be used by many applications

Types of Controls: Physical

controls access to spaces, grants or restricts access to facilities, buildings, floors, & rooms - Each zone/area must have specified physical security controls - perimeter, data center, & research lab security - Safe exit must be possible in case of emergency (fire alarm pulled to make people leave the building) - Physical Entry Controls: biometrics, key cards, etc.

Monitoring/Auditing

detect any deviation from established access control policies Record: authentication process, authentication attempts, rights usage, rights access & denial, monitor status of controls

Monitoring Actors: Operation

execution of function at request of subject upon object; includes read, write, edit, delete, author, copy, execute, & modify

Monitoring Actors: Policy

formal representation of rules/relationships that define set of allowable operations a subject may perform upon an object in permitted environment conditions

RBAC-A

handles the relationship between roles and attributes, while retaining some of the administrative and user permission review advantages of RBAC while allowing the access control system to work in a rapidly changing environment: - Dynamic roles. Attributes such as time of day are used by a front-end module to determine the subject's role, retaining a conventional role structure but changing role sets dynamically. Some implementations of dynamic roles might let the user's role be fully determined by the front-end attribute engine, while others might use the front end only to select from among a predetermined set of authorized roles. - Attribute-centric. A role name is just one of many attributes. In contrast with conventional RBAC, the role is not a collection of permissions but the name of an attribute called role. This approach's main drawback is the rapid loss of RBAC's administrative simplicity as more attributes are added. - Role-centric. Attributes are added to constrain RBAC. Constraint rules that incorporate attributes can only reduce permissions available to the user, not expand them. Some of ABAC's flexibility is lost because permission sets are still constrained by role, but the system retains the RBAC capability to determine the maximum set of user-obtainable permissions.

Communicating Passwords: Is Encrypting safe?

if it has a time stamp & can't be replayed

object

is a passive information system-related entity containing or receiving information. It can be the resource or requested entity, as well as anything upon which an operation may be performed by a subject including data, applications, services, devices, and networks

Types of Controls: Logical/Technical

limits users' access to info & restrict their access on system to only what is appropriate for them Tools: User Controls: Network Access: Remote Access: System Access: Malware Control: Encryption: - Security Domain: based on trust between resources/services in realms/zones that share single security policy & single management ---- Supports hierarchical relationship ---- Security policy defines set of objects each user can access

Authorization Mechanisms: Attribute-Based Access Controls (ABACs)

logical access control where authorization to perform operations is determined by evaluating attributes associated with subject, object, requested operations, and sometimes environment conditions against policy, rules, or relationships - Attributes: characteristics that define specific aspects of subject, object, environment conditions and/or requested actions predefined & pre-assigned by authority - Environmental Conditions: dynamic factors, independent of subject & object, that may be used as attributes at decision times to influence access decision --- Time, location, threat level, temperature

Password Cracking: Rainbow Table Attack

mammoth table of hash values; can be easily cracked because you just compare hashes

Profile management

manages and propagates any changes to a user profile to key systems like corporate directory and the individual systems a user logs into

Monitoring: Audit Logs

necessary in event an action must be traced back to user Collected from IDS, servers, firewalls, & other network devices & stored in Security Information & Event Management (SIEM) system for analysis through tools

Access Control Protocols: Kerberos

network authentication protocol; designed to provide strong authentication for client/server apps by using secret-key (symmetric key) cryptography - Guards network with authentication, authorization, & auditing - Often in environments where users need unique ID for each app - Integral part of MS active directory domain services - App Server trusts Authentication Server

SAML Assertion

package of security info - Authentication Statement: includes info about assertion issuers, authenticated subject, validity period, & other authentication info ---- John was authenticated using a password at 10:32 pm on 6-6-24 - Attribute Statement: contains additional characteristics related to subject ---- John's role is manager - Authorization Statement: request to allow specified subject to access specified resource has been granted or denied ---- John may read on webserver1002 given manager role

Monitoring Actors: Object

passive info system-related entity containing or receiving info; resource or request entity or anything upon which an operation may be performed by subject including data, apps, services, devices, & networks

Identification

providing the assurance that the entity requesting access is accurately associated with the role defined within the system - Downstream controls depend on this

Salt

random data that is used as an additional input to a one-way function that "hashes" data, a password or passphrase. defend against dictionary attacks or against their hashed equivalent, a pre-computed rainbow table attack.

Password Countermeasures: Hash with a Salt

randomly generated for each password; causes same passwords to have different hash outputs as you're hashing the password with the salt - this is in plaintext, not a secret

CyberVor

sent malware through emails & obtained 1.2 billion IDs & password

Monitoring: Access Control Policies

should be based on: - Separation of Duties: prevents fraud & errors, makes collusion a requirement for committing fraud, no individual acting alone can compromise system, requires defining elements of business process of job function - Principle of Least Privilege: user or process should be given no more privilege than necessary to perform job; limits users & processes to access only those resources necessary to perform job & requires that user's job is clearly defined

Emanations

side channel attack; computer runs and emits some frequency, someone could see what is running depending on what is emitted from the computer

Communicating Passwords: Behavioral Patterns

signature dynamics pad, sample keystrokes dynamics measurement

To thwart security attack on your authentication system, sometimes, you want to make things run ____! (e.g., MD5 Crypt algorithm)

slow

Hard token

sometimes called an "authentication token," is a hardware security device that is used to authorize a user. Physical tokens that store credentials Eg. Smart cards, one-time password device

Secure European System for Applications in a Multiple-Vendor Environment (SESAME)

sophisticated single sign-on with added distributed access control & cryptographic protection of data - Uses public key cryptography to distribute symmetric keys - Provides RBAC - Uses Privileged Attribute Certificate (PAC) - similar to Kerberos ticket

Mobile code

the ability for running programs, code or objects to be migrated (or moved) from one machine or application to another. ActiveX, Java applets, scripts

Sniffers

the electronic form of eavesdropping on the communications that computers have across networks.

operation

the execution of a function at the request of a subject upon an object. Operations include read, write, edit, delete, author, copy, execute, and modify

Policy

the formal representation of rules or relationships that define the set of allowable operations a subject may perform upon an object in permitted environment conditions

Password crackers

the process of recovering this from data that have been stored in or transmitted by a computer system.

Authentication

the process of verifying the identity of an user The combination of the identity and information only known by the user acts to verify that the user identity is being used by the expected and assigned entity

Data remnants

the residual representation of digital data that remains even after attempts have been made to remove or erase the data

Crossover Error Rate (CER; a.k.a., Equal Error Rate)

the value of FAR and FRR when the sensitivity is configured so that FAR and FRR are equal. Ideally want to make this = 0

Your system is as secure as ____________ in it.

the weakest link

Password Cracking: Offline Dictionary Attack

theft of password file; try each word then obvious variants in large Password Dictionary

Identity Management in Cloud

unauthorized access to sensitive info in public, private, & hybrid clouds is a major concern - Need to specify identity proofing, strength of credentials, & access control mechanisms for federal cloud-based authentication & authorization - For effectiveness & scalability, seamless extension of controls from agencies to cloud is needed - Establish trust between cloud customers & providers & potentially identity, credential, & attribute providers is key

Tokens

used by claimants to prove their identity and authenticate to a system can contain either asymmetric keys or symmetric keys Can be software or hardware based

Password vulnerabilities

written-down passwords, Shoulder Surfing, social engineering, dictionary/rainbow attacks, system breach, sniffing Wi-Fi traffic, malware