BUS-538 Identity and Access Management
Access Control in SQL
- Authentication is not access control - it's one part of it, but could be the whole thing in simple systems - Account sharing problems: if one sharer gets fired or demoted, accountability is lost, etc. - Sharing an account vs. having the same role: with roles it is easy to revoke privileges from one user and keep accountability for specific users; this is role-based access control
Physical access controls
- Control access to spaces - Grant or restrict access to facilities, buildings, floors, and rooms
Vulnerabilities of Passwords
- Offline dictionary attack (cracking after theft of the password file) - Popular password attack - Specific account attack - Password guessing against a single user - Exploiting user mistakes - Exploiting multiple password use - Workstation hijacking - Electronic monitoring
Monitoring: Determining Control
- Determining Users: who should access what, involves trust, consistency in access is important - Defining Resources: role-based - Specify Use: level of use & actions permitted - RWX - Accountability: provide evidence for forensics
Password Countermeasures: Use hashed passwords
- Don't store plaintext passwords - instead hash before storing - Hash what user enters and compare hashes - If file is lost, passwords are not immediately known
Remote Authentication Security Issues
- Eavesdropping - Replay - Client attacks - Server attacks - Trojan horse - Denial-of-service
Monitoring: Information Classification
- Evaluating risk level of info to ensure appropriate level of protection - Establishing Data Classification Program: depends on nature of organization & information in organization - Labeling & Marking: public, internal use only, confidential, restricted - Data Classification Assurance: testing data classification
Password Vulnerabilities: File Access Control
- O/S Bugs - Accidental permissions making password files readable - Password reuse - Access from unprotected backup media - Password sniffer in unprotected network traffic
SAML Process
- Principal requests service from Service Provider - Service Provider requests & obtains identity assertion from identity provider ---- Before delivering identity assertion, Identity Provider may request some info from Principal in order to authenticate - Service Provider can make access control decision - grant or deny
Monitoring: Identity & Access Lifecycle
- Provisioning: new/existing users require additional access to resource - Review: regular monitoring of access rights & usage in form of automated checks & manual audits - Revocation: removing some of or all access rights of a user
Monitoring: Access Control Requirements
- Reliability: consistent results - Transparency: reduce user interaction with security system - Scalability/Maintainability - Integrity/Auditability: provable performance - Secured Authentication Data
Biometric Considerations
- Resistance to counterfeiting - Data storage requirements - User acceptance - Reliability and accuracy - E.g., RBAC with Biometric access
Other SSO terms
- SAML: What we've seen. Can use existing IdP. (e.g., IU-Outlook) - Facebook Connect: Similar to above but proprietary to Facebook - OpenID: Similar to SAML. User credentials are maintained by third party (e.g., Google, MS, Yahoo, etc.).
Monitoring enables management to
- Specify which users can access system - Specify what resources they can access - Specify what operations they can perform - Enforce individual accountability
Access controls enable management to:
- Specify which users can access the system - Specify what resources they can access - Specify what operations they can perform - Enforce individual accountability
Password Countermeasures
- Stop unauthorized access to password file - what if the file is stolen? - Account lockout mechanism - Policies against using common passwords - Training & enforcement of policies - Automatic workstation logout - Intrusion detection measures - Offline dictionary attack: block offline guessing attacks by denying access to hashed passwords
Authorization Mechanisms: Access Control Lists (ACLs)
- Subject: entity that can access objects --- Classes: owner, group, world - Object: access-controlled resource --- File, directories, records - Access Right: way in which subject accesses object --- Read, write, execute
Identity Management in Cloud: Process
- Subscriber needs to provision user accounts for subscriber users to access the cloud, and to synchronize enterprise system-wide user accounts from the enterprise data center-based infrastructure to the cloud -> if someone is demoted from a management position, their access rights should reflect that immediately - Subscriber users log in to cloud apps/services after authentication using standard protocols like SAML or Kerberos - Subscriber administrators manage (add/delete/change) data access authorization policies for data stored in the cloud - Subscriber requires changes to user credentials in the enterprise's identity provider system to be automatically communicated to the infrastructure in the provider's system, for integrity of access & maintenance of policies - Continuously monitor provider infrastructure to demonstrate compliance with subscriber security policies & auditing requirements
Access Control Concepts - Specifying use
- The level of use and actions permitted by a user of a specific resource - Common permissions are (RWX)
Password Countermeasures: Password Creation
- Use computer-generated passwords - Proactive Check: reject choices that are too short - Reactive check: use crackers with lists of likely passwords
SP Initiated SAML SSO
- User chooses browser bookmark/link that takes them directly to Service Provider app resource - Service Provider sends user to Identity Provider to authenticate - Identity Provider builds assertion representing user's authentication & then sends user back to Service Provider with assertion - Service Provider processes assertion & determines whether to grant or deny access
IdP Initiated SAML SSO
- User visits Identity Provider where they are already authenticated & clicks a link to a partner Service Provider - Identity Provider builds assertion for user's authentication - Identity Provider sends user's browser to Service Provider's assertion consumer service, which processes the assertion & creates a local security context for the user at the Service Provider
Access Control Concepts - Defining resources
- What resources does the user need access to? - Based on need/role - Role Based Access Control
Access Control Concepts - Determining Users
- Who can access a particular system or specific information? - Giving access involves a trust relationship - Consistency in access is very important
Authorization Mechanisms: Discretionary Access Controls (DACs)
- controls placed on data by data owner; controls on use are determined by owner - Identity-based access controls - Commonly seen in general purpose OS
Authorization Mechanisms: Mandatory Access Controls (MACs)
- controls placed on data by owner & system - more restrictive & specialized - System enforces security policies - Based on classification/security clearance of object - Classification: clearance - Category: need-to-know - Owner provides need-to-know control & system controls access
Object reuse
- double use of a variable (software), reusing a hard drive (hardware)
Shoulder surfing
- looking over someone's shoulder to find their password
Improve Password Implementation: MD5 Crypt
48-bit salt, unlimited password length
Improve Password Implementation: Crypt 3
8-character password with 56-bit key & 12-bit salt -> very insecure, but used for compatibility
Rainbow table attacks
A mammoth table of hash values. E.g., a 1.4 GB table cracks 99.9% of alphanumeric Windows passwords in 13.8 seconds
Backdoor/trapdoor
A software bug or some undocumented software feature that a cracker leaves behind, after exploiting a system, to be able to reenter at a later point in time.
Principle of Least Privilege
A user or process should be given no more privilege than necessary to perform a job. Limits users and processes to access only those resources necessary to perform that job. Requires that the user's job be clearly defined
_______________ is the backbone of information security
Access control
Popular password attack countermeasures
Account lockout mechanisms; policies against using common passwords; training & enforcement of policies; automatic workstation logout; intrusion detection measures
Software token
An app, or other software that generates a token for authentication. Stored on a device (desktop, laptop, mobile etc.)
Monitoring: Access Control Assurance
Audit Trail Monitoring: network, system, application, user, keystroke. Auditing Issues: volume of data, clipping levels (amount of info), protect logs against unauthorized access/changes, store/archive securely
Asynchronous Token System
Based on a challenge-response scheme. The authentication server provides a challenge to the remote entity. Only the token assigned to the individual can provide the correct response, which the user enters to authenticate
Synchronous Token System
Based on event, location or time-based synchronization. Time-based model: - User is given a token or smart device that uses an embedded key to generate a unique number or character string in a given timeframe - User must provide the currently displayed number or character string when challenged by the system
Four means of authenticating user's identity
Based on something the individual... Knows - e.g. password, PIN; Possesses - e.g. key, token, smartcard; Is (static biometrics) - e.g. fingerprint, retina; Does (dynamic biometrics) - e.g. voice, signature
What a Person Is
Biometric authentication. Physiological - fingerprint, facial image, retinal scanning. Behavioral - keystroke dynamics, signature dynamics. Biometric systems use a technical and mathematical guess to identify a person. Concerns: - Changing physical and environmental conditions are an issue - False rejection and false acceptance issues
Improve Password Implementation: OpenBSD
Blowfish block cipher-based hash algorithm called Bcrypt; uses a 128-bit salt to create a 192-bit hash value
Password File Access Control
Can block offline guessing attacks by denying access to hashed passwords - Make available only to privileged users - Often using a separate shadow password file. Still have vulnerabilities: - Exploit O/S bug - Accident with permissions making it readable - Users with same password on other systems - Access from unprotected backup media - Sniff passwords in unprotected network traffic
Essential features of Account Management
Central facility for managing user accounts on multiple systems simultaneously. Workflow system to submit requests for new, changed, or terminated system access. Automatic replication of user records between multiple directories
Password Management
Centralized _____________ ___________ and synchronization Self-registration process - Set password and reset
Access Control Protocols: Kerberos Architecture
Components: - Requesting System & Services (principal) - Endpoint Destination Server - Server, also called ________ distribution center (KDC) ---- Authentication Server ---- Ticket Granting Server. Uses symmetric encryption with a shared key
Access Control Protocols: AKA Federated Identity Management
Cross-Certification Trust Model Third-Party Certification Trust Model
Access Control Threats
Denial of service, distributed denial of service, buffer overflows, mobile code (ActiveX, Java applets, scripts), malicious software, password crackers, spoofing/masquerading, sniffers/eavesdropping, emanations, shoulder surfing, tapping, object reuse, data remnants, unauthorized targeted data mining, dumpster diving, backdoor/trapdoor, theft, intruders, social engineering
Monitoring: Access Control Threats
DoS, DDoS, Buffer Overflows, Mobile Code (ActiveX, Java Applets, Scripts), Malicious Code, Emanation (emits sound), Password Crackers, Spoofing/Masquerading, Sniffers/Eavesdropping, Shoulder Surfing, Tapping, Object Reuse, Data Remnants, Unauthorized Targeted Data Mining, Dumpster Diving, Backdoor/Trapdoor, Theft, Intruders, Social Engineering
Don'ts in Your Password Policy; "Penalize" offenders
Don't reveal a password over the phone. Don't reveal a password in an e-mail message. Don't talk about a password in front of others. Don't hint at the format of a password (e.g., "my family name"). Don't reveal a password on questionnaires or security forms. Don't share a password with family members. Don't reveal a password to co-workers while on vacation. Don't write a password in an obvious place accessible to others
Why use hashed passwords
Don't store plaintext passwords in the password file. Instead "hash" each before storing. When a user enters his/her password, "hash" it and then compare for authentication. Advantage: if the file is lost, passwords are not immediately known
Physical Controls
Each zone (area) must have specified physical security controls - E.g. perimeter security, data center security, research lab security - Safe exit must be possible in case of emergency - Physical entry controls
Information Classification
Evaluating the risk level of information to ensure an appropriate level of protection. Establishing a data classification program - Depends on nature of organization and nature of information in the organization. Labeling and marking - Public, internal use only, confidential, restricted. Data Classification Assurance - Testing the data classifications
Smartcard
Executes protocol to authenticate with reader/computer. E.g. contactless cards, USB dongles. Increasingly popular in healthcare - Portable health records
FAR
False Acceptance Rate
FRR
False Rejection Rate
Account Management
Involves creation, modification, and decommissioning of user accounts. Very complex due to the heterogeneous account management capabilities of various systems and applications, and the difficulty in interfacing them
Review
Involves regular monitoring of the access rights and usage in the form of automated checks and manual audits
Revocation
Involves removing some or all of the access rights of a user
Provisioning
Involves the process when new or existing users require additional access to a resource
Logical access controls
Limit users' access to information and restrict their access on the system to only what is appropriate for them
Buffer overflows
E.g. MAC table flooding -> overflowing the table that is available. Programs closer to machine level need to have memory space assigned to each variable (e.g. var x = this (8 bytes)); if that overflows, it can contaminate other variables and their instructions
Memory card
Store but do not process data. Magnetic stripe card, e.g. bank card. Electronic _______ _____. Used alone for physical access; with password/PIN for computer use. Drawbacks include: - Need special reader - Loss of token issues - User dissatisfaction
Biometric Accuracy
Never get identical templates. Problems of false match / false non-match
Password Vulnerabilities
Offline dictionary attack, popular password attack, specific account attack, password guessing against single user, exploiting user mistakes, exploiting multiple password use, workstation hijacking, electronic monitoring
OAuth
Open standard for authorization (not authentication) to third parties. (e.g., LinkedIn pulling your contact list from Google)
Communicating Passwords: Encrypted Network Link
Password Authentication Protocol (PAP), for legacy purposes only
Separation of Duties
Prevents fraud and errors. Makes collusion a requirement for committing fraud. No individual acting alone can compromise the system. Requires defining the elements of a business process or a job function
Access Control Concepts - Accountability
Provide evidence for forensics
Identity and Access Lifecycle
Provisioning -> Review -> Revocation
Combining RBAC and ABAC
RBAC trades up-front role structuring effort for ease of administration and user permission review, while ABAC makes the reverse trade-off: it is easy to set up, but analyzing or changing user permissions can be problematic. ABAC makes it easy to specify access rules, but to determine the permissions available to a particular user a potentially large set of rules might need to be executed in exactly the same order in which the system applies them.
Access Control Requirements
Reliability - consistent results. Transparency - reduce user interaction with security system (seen as obstacle to getting work done). Scalability/Maintainability. Integrity/Auditability - provable performance. Secured Authentication Data
Password policy
Require users to sign a non-disclosure agreement. Allow temporary passwords to be used only once. Never store passwords in clear text. A history of passwords should be maintained so they cannot be reused. Implement a password lockout mechanism, etc.
Password Remote Authentication
Security Issues: eavesdropping, replay, client attacks, server attacks, Trojan horse, DoS
Access control policy should be based on:
Separation of duties; principle of least privilege
Access Control List/Matrix:
Shows which subject can access which objects. Used in the provisioning of permissions within a given system based on policy. - An access control matrix (ACM) is a set of these - Implementation of DAC
Types of Authentication
Single factor, Two factor, or Three factor
Countermeasures
Stop unauthorized access to the password file Q. What should we do if the file is indeed stolen?
Actors in Access Control
Subject, Object, Operation, Policy
Access Control Definition
The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner. The process of allowing only authorized users, programs, or other computer systems to observe, modify, or otherwise take possession of the resources of a computer system
Offline dictionary attacks
Try each word then obvious variants in a large "password dictionary" against hash in password file
Monitoring Prevention
Unauthorized use of resource
Identification: Essential security practices
Uniqueness - Each person or entity must be uniquely identified. Non-descriptiveness - User ID should not expose role or job function (e.g. root, admin, web-admin, hr, finance, etc.). Secure issuance - Must use a secure and documented process to issue IDs
Password Choices
Use computer-generated passwords. Users may pick short passwords. Users may pick guessable passwords
Technical Controls
User controls, network access, remote access, system access, application access, malware control, encryption
What a Person Has
Uses a token or physical device Can be synchronous or asynchronous
Password Authentication
Widely used user authentication method - User provides name/login and password - System compares the password with "that" saved in the system itself. Authenticates the ID of the user logging in and that the ID is authorized to access the system
Common directory standards
X.500: Common standard for directory format. Lightweight Directory Access Protocol (LDAP): Common standard for access protocol. Active Directory Domain Services (ADS/ADDS): Microsoft version
Security Assertion Markup Language (SAML)
XML-based - creates & exchanges authentication & authorization between trusted entities over the Internet - Allows businesses to make assertions regarding identity, attributes, & entitlements of a subject entity (human user) to other entities (partner companies, other enterprise apps). 3 roles: - Principal: user - Identity Provider (IdP): asserts identity of user - Service Provider (SP): consumes assertion
Profile
A collection of information associated with a particular identity or group. E.g., user ID, date of birth, home address, telephone number. Can also contain information related to privileges and rights on specific systems
Denial of service/Distributed denial of service
a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
Monitoring Actors: Subject
active entity that causes info to flow among objects or changes the system state; user, requestor, or mechanism acting on behalf of user or requestor
Subject
an active entity (generally an individual, process, or device) that causes information to flow among objects or changes the system state. It can be the user, requestor, or mechanism acting on behalf of the user or requestor
Spoofing/masquerading
an attack that falsifies data or uses a fake identity (such as a network identity) to get through legitimate access identification.
Communicating Passwords: Challenge-Response
authentication over a network that is more complex -> needed because of replay; e.g. Challenge Handshake Authentication Protocol (CHAP)
Authorization Mechanisms: Roles-Based Access Controls (RBACs)
based on roles a user is assigned - Determination of roles is done by owner of data or can be applied based on security policy - Higher upfront design time, but easier to manage - Works well for DBMS - eases admin burden & improves security --- Categories of Database Users: Application Owner, End User, Administrator, Accounts Payable Clerk, Accounts Payable Manager, etc. - SQL Actions: create role, grant, revoke - Facebook Example: Bob cannot see because of minimum privilege -> similar to firewalls - go by priority
Authorization Mechanisms: Rule-Based Access Controls
based on a set of predefined rules which determine which access should be granted - if X then Y - Rules are created by system owners - If ID matches, grant access - If the request is from a given IP address, grant access
security domain
based on trust between resources or services in realms (zones) that share a single security policy and single management. Supports a hierarchical relationship. The security policy defines the set of objects each user can access
Access Control Protocols: Single Sign-On (SSO)
central authorization server enables a user to authenticate one time in order to gain access to multiple apps, machines, & domains operating with a variety of authentication methods; provides a unified login experience when accessing one or multiple systems. Also known as federated ID management
Identity as a Service (IDaaS)
cloud-based service offering that brokers identity & access management functions on customers' premises & in the cloud - Combination of administration & account provisioning, authentication & authorization, & reporting functions. Functionality: - Identity Governance & Administration (IGA): ability to provision identities held by the service to target apps - Access: authentication, single sign-on, & authorization enforcement - Intelligence: logging events & providing reporting that can answer questions (i.e., who accessed what & when)
2-Factor Authentication
combination of two of what you know/have/are/do; decreases chance of being hacked - if someone finds out your password, you can still use your phone to deny access - Demanding two emails isn't enough -> that is two "what you know" factors - Google Voice: can make it so your two factors are both what you know - Example: Duo login with what you know & what you have - Most use what you know & what you have - MUST BE INDEPENDENT OF EACH OTHER
A corporate directory
contains a hierarchy of objects storing information about users, groups, systems, servers, printers, etc. Provides a centralized collection of data that can be used by many applications
Types of Controls: Physical
controls access to spaces; grants or restricts access to facilities, buildings, floors, & rooms - Each zone/area must have specified physical security controls - perimeter, data center, & research lab security - Safe exit must be possible in case of emergency (fire alarm pulled to make people leave the building) - Physical Entry Controls: biometrics, key cards, etc.
Monitoring/Auditing
detect any deviation from established access control policies. Record: authentication process, authentication attempts, rights usage, rights access & denial; monitor status of controls
Monitoring Actors: Operation
execution of function at request of subject upon object; includes read, write, edit, delete, author, copy, execute, & modify
Monitoring Actors: Policy
formal representation of rules/relationships that define set of allowable operations a subject may perform upon an object in permitted environment conditions
RBAC-A
handles the relationship between roles and attributes, while retaining some of the administrative and user permission review advantages of RBAC while allowing the access control system to work in a rapidly changing environment: - Dynamic roles. Attributes such as time of day are used by a front-end module to determine the subject's role, retaining a conventional role structure but changing role sets dynamically. Some implementations of dynamic roles might let the user's role be fully determined by the front-end attribute engine, while others might use the front end only to select from among a predetermined set of authorized roles. - Attribute-centric. A role name is just one of many attributes. In contrast with conventional RBAC, the role is not a collection of permissions but the name of an attribute called role. This approach's main drawback is the rapid loss of RBAC's administrative simplicity as more attributes are added. - Role-centric. Attributes are added to constrain RBAC. Constraint rules that incorporate attributes can only reduce permissions available to the user, not expand them. Some of ABAC's flexibility is lost because permission sets are still constrained by role, but the system retains the RBAC capability to determine the maximum set of user-obtainable permissions.
Communicating Passwords: Is Encrypting safe?
if it has a time stamp & can't be replayed
object
is a passive information system-related entity containing or receiving information. It can be the resource or requested entity, as well as anything upon which an operation may be performed by a subject including data, applications, services, devices, and networks
Types of Controls: Logical/Technical
limits users' access to info & restricts their access on the system to only what is appropriate for them. Tools: user controls, network access, remote access, system access, malware control, encryption - Security Domain: based on trust between resources/services in realms/zones that share a single security policy & single management ---- Supports hierarchical relationship ---- Security policy defines set of objects each user can access
Authorization Mechanisms: Attribute-Based Access Controls (ABACs)
logical access control where authorization to perform operations is determined by evaluating attributes associated with subject, object, requested operations, and sometimes environment conditions against policy, rules, or relationships - Attributes: characteristics that define specific aspects of subject, object, environment conditions and/or requested actions predefined & pre-assigned by authority - Environmental Conditions: dynamic factors, independent of subject & object, that may be used as attributes at decision times to influence access decision --- Time, location, threat level, temperature
Password Cracking: Rainbow Table Attack
mammoth table of hash values; hashed passwords can be easily cracked because you just compare hashes
Profile management
manages and propagates any changes to a user profile to key systems like corporate directory and the individual systems a user logs into
Monitoring: Audit Logs
necessary in the event an action must be traced back to a user. Collected from IDS, servers, firewalls, & other network devices & stored in a Security Information & Event Management (SIEM) system for analysis through tools
Access Control Protocols: Kerberos
network authentication protocol; designed to provide strong authentication for client/server apps by using secret-key (symmetric key) cryptography - Guards network with authentication, authorization, & auditing - Often in environments where users need unique ID for each app - Integral part of MS active directory domain services - App Server trusts Authentication Server
SAML Assertion
package of security info - Authentication Statement: includes info about assertion issuers, authenticated subject, validity period, & other authentication info ---- John was authenticated using a password at 10:32 pm on 6-6-24 - Attribute Statement: contains additional characteristics related to subject ---- John's role is manager - Authorization Statement: request to allow specified subject to access specified resource has been granted or denied ---- John may read on webserver1002 given manager role
Monitoring Actors: Object
passive info system-related entity containing or receiving info; resource or request entity or anything upon which an operation may be performed by subject including data, apps, services, devices, & networks
Identification
providing the assurance that the entity requesting access is accurately associated with the role defined within the system - Downstream controls depend on this
Salt
random data that is used as an additional input to a one-way function that "hashes" data, a password or passphrase. Defends against dictionary attacks or against their hashed equivalent, a pre-computed rainbow table attack.
Password Countermeasures: Hash with a Salt
randomly generated for each password; causes the same passwords to have different hash outputs because you're hashing the password together with the salt - the salt is stored in plaintext, it is not a secret
CyberVor
sent malware through emails & obtained 1.2 billion IDs & passwords
Monitoring: Access Control Policies
should be based on: - Separation of Duties: prevents fraud & errors, makes collusion a requirement for committing fraud, no individual acting alone can compromise the system, requires defining elements of a business process or job function - Principle of Least Privilege: a user or process should be given no more privilege than necessary to perform a job; limits users & processes to access only those resources necessary to perform the job & requires that the user's job is clearly defined
Emanations
side channel attack; a computer runs and emits some frequency, so someone could see what is running depending on what is emitted from the computer
Communicating Passwords: Behavioral Patterns
signature dynamics pad, sample keystroke dynamics measurement
To thwart security attack on your authentication system, sometimes, you want to make things run ____! (e.g., MD5 Crypt algorithm)
slow
Hard token
sometimes called an "authentication token," is a hardware security device that is used to authorize a user. Physical tokens that store credentials. E.g. smart cards, one-time password device
Secure European System for Applications in a Multiple-Vendor Environment (SESAME)
sophisticated single sign-on with added distributed access control & cryptographic protection of data - Uses public key cryptography to distribute symmetric keys - Provides RBAC - Uses Privileged Attribute Certificate (PAC) - similar to Kerberos ticket
Mobile code
the ability for running programs, code or objects to be migrated (or moved) from one machine or application to another. ActiveX, Java applets, scripts
Sniffers
the electronic form of eavesdropping on the communications that computers have across networks.
operation
the execution of a function at the request of a subject upon an object. Operations include read, write, edit, delete, author, copy, execute, and modify
Policy
the formal representation of rules or relationships that define the set of allowable operations a subject may perform upon an object in permitted environment conditions
Password crackers
the process of recovering this from data that have been stored in or transmitted by a computer system.
Authentication
the process of verifying the identity of a user. The combination of the identity and information only known by the user acts to verify that the user identity is being used by the expected and assigned entity
Data remnants
the residual representation of digital data that remains even after attempts have been made to remove or erase the data
Crossover Error Rate (CER; a.k.a., Equal Error Rate)
the value of FAR and FRR when the sensitivity is configured so that FAR and FRR are equal. Ideally want to make this = 0
Your system is as secure as ____________ in it.
the weakest link
Password Cracking: Offline Dictionary Attack
theft of password file; try each word then obvious variants in large Password Dictionary
Identity Management in Cloud
unauthorized access to sensitive info in public, private, & hybrid clouds is a major concern - Need to specify identity proofing, strength of credentials, & access control mechanisms for federal cloud-based authentication & authorization - For effectiveness & scalability, seamless extension of controls from agencies to the cloud is needed - Establishing trust between cloud customers & providers & potentially identity, credential, & attribute providers is key
Tokens
used by claimants to prove their identity and authenticate to a system; can contain either asymmetric keys or symmetric keys; can be software or hardware based
Password vulnerabilities
written-down passwords, Shoulder Surfing, social engineering, dictionary/rainbow attacks, system breach, sniffing Wi-Fi traffic, malware