CISSP - 5) Identity and Access Management Domain

Cross Certification

Federated ID management systems use one of two basic process for linking the member organizations processes together. Cross-certification - each organization mush individually certify the every other participating organization is worth of its trust. (n*(n-1)/2) problem. Many partners to compare. Third-Party Model (bridge model) - each organization subscribe to the standards and practices of a third party that manages the verification and due diligence processes for all participating companies.

Office of Chief Information Officer (OCIO)

OMB Memorandum 11-11 to use the GSA Access Card for access to GSA facilities and information systems - GSA Credential and Identity Management System (GCIMS) - provides authoritative information on GSA personnel. - GSA Access Management System (GAMS) - logical access control system.

Benefits of GSA Government Access Management System

Offers SSO Provides self-service Protects against unauthorized access Reduces audit reporting time Enables the reuse of identity data - no need for collecting same data multiple times. Expedite employee and contractor on-boarding

Management benefits of IAM

Decreased disaster recovery time Reduces risk of rogue employee tampering

SID (Security Identifier) RID (Relative Identifier)

Security related processes, such as authentication, authorization, delegation, and auditing, use SID to uniquely identify security principles. Important property of the SID is its uniqueness in time and place.

Biometrics

Selected characteristics are stored in a device's memory, which stores reference data that can be analyzed and compared with the presented template. A one-to-many or one-to-one comparison of the presented template with the stored template can be made and access granted if a match is found. False Rejection - Failure to recognize a legitimate user False Acceptance: Erroneous recognition, either by confusing one user with another, or by accepting an imposter as a legitimate user ID or Auth Pulse / no pulse Pushback

State-machine

Start on a known state and upon request, change to an new state.

RFID User Identification Guidelines

Uniqueness - so that each entity on a system can be unambiguously identified. non-descriptive - should try to disclose as little as possible about the user Secure issuance -

Authentication

verify by system offer proof to the system should be strong provided to the reference monitor of a y/n Either you keyed in the password correctly or you don't

Electronic Authentication

the process of establishing confidence in user identities electronically presented to an information system.

Once In-unlimited access

the user authenticates once and then has access to all resources participating in the model. beyond the initial authorization, it does not have an authentication mechanism to speak of.

Database Security

Atomicity Consistency Isolation Durability

Cloud IAM considerations

- APIs - cloud providers are unlikely to have all connections needed. - Authorization mapping: many ways to specify authorization rules such as by role or by attribute - Audit - may not be able to get logs from cloud providers - Privacy - user information is in the cloud - Latency - speed of authentication and convergence when changes are made. - App Identiy - Mobile support (BYOC) bring your own cloud.

Access Control Examples

- Directive - Policy - warning banner - "Do not Enter" - Deterrent - Demotion - Violation report - beware of dog - Preventive - User registration - passwords, tokens - fences, bollards - Detective - Report reviews - audit logs, IDS - sensors, CCTV - Corrective - employee term - connection mgt.- Fire extinguisher - Recovery - DRP - Backups - Reconstruct - rebuild - Compensating - supervision job rotation - keystroke logging - layered defenses.

SAML Standards

- Extensible Markup Language - exchanges are expressed in XML - XML Schema - assertions and protocols are specified using the XML schema. - XML Signatures - use digital signatures for authentication and message integrity. - XML Encryption - provides elements for encrypted name identifiers, encrypted attributes, and encrypted assertions. - Hypertext transfer protocol - relies heavily on HTTP as its communications protocol - SOAP - specifies the use of SOAP

Integrate Identity as a Service (IDaaS)

- Identity Governance and Administration (IGA), - Access includes user authenticatio, sso, authorization enforcement. - Intelligence includes loggin events and providing reporting such as what and when. Services that broker IAM to target systems web based (onsite or cloud) independent of platform: supports BYOD Identity refers to a set of attributes associated with something to make it recognizable.

Hard Token

- Look up secret token - physical token that stores a set of secrets, and is used to look-up the secret based on a prompt from the authentication protocol. Must have 64-bits of entropy - Out of Band Token - a one-time token received over a separate channel from the primary channel and presented to the authentication protocol using the primary channel (SMS message via cell phone) - One-Time password device - a device that generates one-time use passwords, e.g., sequence based or time based. - Cryptographic device - a device that contains non-programmable logic and non-volatile storage, dedicated to all cryptographic operations and protection of private keys.

Access and Authentication Services

- Mediation of users interactions with resource (subjects (users) and objects (resources) with a reference monitor) - The reference monitor logs, provides access, mediating subjects and objects via a reference model

Soft Token Guidelines

- Private keys must be non-exportable Never store keys in plaintext or unencrypted - Distribution the seed record and initial paraphrases requires a confidential channel to ensure it is not duplicated in transit - Activation of the token user occur every time user authenticates using the soft token software - Token time limit mus be 2 minutes - Soft token software passwords should follow password management guidelines - Audit all access to software tokens - Always install the latest version of malware prevention software. - Always use FIPS 140-2 validated cryptographic modules.

Single/Multi-factor authentication

- Something you know - Something you have - Something you are Single factor - using one of the three available factors for the authentication process. Multi-Factor any combination of two or more factors for the authentication process Dual Control Mutual authentication Tokens (soft/physical)

Biometric Readers

-Finger Print - scans the loops, whorls, and other characteristics of a fingerprint - Facial Image - measures the geometric proprieties of the subjects face relative to an archived image - Hand Geometry - tend to giver higher false acceptance rates than fingerprint - height, width, and distance between knuckle joints and finger length. - Voice recognition - generally not performed as one function. Less expensive, hands free operation. disadvantage, background noise needs to be mitigated. - Iris Patterns - scans surface of eye and compares iris pattern - iris is less susceptible to wear, typical throughput time is two seconds. This may be slow for some environments. - Retinal Scanning - analyzes the layer of blood vessels at the back of the eye. 10 seconds throughput; continuity of the retinal pattern throughout life and the difficulty in fooling such a device also make it a great long-term, high-security option. - Signature Dynamics - Vascular Patterns - Palm reader - vascular pattern of the human body is unique to each individual and does not change with age. - Keystroke Dynamics

Additional soft token security controls

-Public-Key Infrastructure (PKI) is preferred key management platform -Use available Trusted Platform Modules (TPM) TPM is a local hardware encryption engine and secured storage for encryption keys. - Perform self-validation before issuing a token.

Access control defined

Access Control - is the basic foundation of information security Sensitive and critical information A comprehensive threat analysis will identify the areas that will provide the greatest cost-benefit impact Access to data or other areas often has to do with "need-to-know" Access control assurance addresses the due diligence aspect of security.

Access control system considerations

Access control policies - high-level requirements that specify how access is managed, who may access information, and under what circumstances (i.e., need-to-know, competence, authority, obligation, or conflict-of-interest) Mechanisms - access control policies are enforced through a mechanism that translates user's access request, often in terms of a structure that a system provides. Models - bridge the gap in abstraction between policy and mechanism. Security models are usually written to describe the security properties of an access control system. Security models are formal presentations of the security policy enforced by the system and are useful for proving theoretical limitations of a system. Discretionary access control is one of the simplest models.

National Strategy for Trusted Identities in Cyberspace

Aims to reduce online fraud and identity theft by increasing the level of trust associated with identities in cyberspace

Integrate 3rd party identity services

Amazon, Google, IBM Government (US, AUS) Assurance Framework Directory sync, federation, trust

IDM is about process

Apply least privilege with rigor - just enough to do your job, over and over again

Web based attacks

Authentication Attack - attacks occur when a web application authenticates users unsafely, granting access to web clients that lack the appropriate credentials Access control attack - access control check in the web application is incorrect or missing, allowing users unauthorized access to privileged resources. Access aggregation - gathering pieces of non-sensitive information and combining, or aggregating, the pieces to learn sensitive information. Reconnaissance Attacks - are access aggregation attacks that combine multiple tools to identify multiple elements of a system, e.g., ip address, ports, running services, and OS.

Law and regulations

Basel II HIPPA SOX

Credential Management Systems

Built with many features: - History, enforcement of stronger pwd, gen pwd, find pwd fast, fine grained access (who, what, how, when), limit access, keep pwd safe, migrate pwd, diaster preparedness, always on, keep control of credentials, track access. Risks: Attackers can gain control of the CMS, compromised CMS would result in needing to reissue credentials, performance, compliance claims. Benefits: higher levels of assurance, highest security standards while meeting performance and resilience, simplify admin, future proof.

Managing user accounts with Cloud IAM

Cloud Identity - users are created and managed in the cloud provider and not local directory integration. Directory synchronization - users created in on-premise directory and synchronized to cloud provider directory. Federated identity - in addition to directory synchronization, the on-premiss identity provider handles login requests. Federated identity is usefully used to implement single sign-on.

View-based Access Control

Constrained views Sensitive data is hidden from unauthorized users Controls located in the front-end application (user interface)

Protect against access control attacks

Control physical access to systems Control electronic access to password files Encrypt password files Create a strong password policy Use password masking Deploy multifactor authentication Use account lockout controls Use last logon notification Educate users about security Audit access controls Actively manage accounts Use vulnerability scanners

Access Control Attack prevention

Control physical access to systems Control electronic access to password files Encrypt password files both at rest and in transit. Create a strong password policy Use password masking - ensure application never display passwords in cleartext on any screen Deploy multifactor authentication Use account lockout controls Use last logon notification Educate users about security - strong passwords, shoulder surfing, password use on multipal accounts, etc. Audit access controls - Actively manage accounts - regular user entitlement and access reviews can discover excessive or creeping privileges Use vulnerability scanners

Information Management Policies (IMP)

Determine Users Roles of Users Define Resources

Identity Management - solution is the implementation of appropriate processes, and technologies to consolidate and streamline the management of user IDs, authentication and access information consistently across multiple systems.

Directory / Account / Profile / Password management Password management system - designed to mange passwords consistently across the enterprise.; assist with routine password management tasks (resets); self-registration. Account management - attempt to streamline the administration of user identity across multiple systems. -central facility for managing user access to multiple systems - Workflow system where user can submit requests - Automatic replication of data - Facility fr loading batch changes - Automatic creation, change or remove of access - Central Repository (ASOR) Authoritative System of Record - Credential Management Systems Directories - X.500 (hierarchical) /LDAP (hierarchical tree)/AD (hierarchical forest/trees)/x.400 (message trnsf/storage) - SSO, Kerberos, Weakness=OIUA: Once In Unlimited Access - Web Access Management (coupled with SSO, provides a cookie that allows seamless transition to related sites.)

IDM Tools

Directory services: LDAP DNS SAML (security assertion markup language)

Federated Identity Management

Extranets - business partners, etc. - subscribes to a common set of policies, standards, and procedures for the provisioning and management of user identification, authentication and authorization information.

Trust among US Federal Agencies

Establishing and binding a validated identity to a Personal Identity Verification (PIV) credential, at the time the credential is issued, is the foundation for a trusted common identity credential.

Information Systems - Networks

Even how our networks are designed is an access control measure.

Biometric Accuracy Formulas

False Rejection Rate (FRR), Type 1 False Acceptance Rate (FAR), Type 2 Crossover Error Rate (CER)

ISO Standards

ISO/IEC 24760-1 A framework for identity management—Part 1: Terminology and concepts ISO/IEC CD 24760-2 A Framework for Identity Management—Part 2: Reference architecture and requirements ISO/IEC WD 24760-3 A Framework for Identity Management—Part 3: Practice

IAAA

Identification - an assertion of who you are Authentication - proof of the assertion Authorization - what you can do Accounting - logging

Manage identification and authentication

Identification: an assertion of who you are (critical first step) - objective is to bind a user to the appropriate controls based on the unique user instance. (Uniqueness) Authentication: Proof of that assertion (Validity) Authorization: what you can do (Control) Methods: badges, userid, biometrics, Account Number/PIN, MAC/IP address

Manage identification and authentication of people and devices

Identity management implementation (e.g., SSO, LDAP)

Control physical and logical access to assets

Information Systems Devices Facilities

Access Control Tokens

Information is stored on the token and when presented to a reader, it reads the information and sends it to the system for processing. Biometric System process - Involves and observation, or collection of the biometric data - converts and describes the observed data using a digital representation called a template - newly acquired template is compared with one or more previously generated templates stored in the database. The acceptance or rejection of biometric data is dependent on the match score falling above or below the threshold.

Identity Credential and Access Management (ICAM)

Is a comprehensive approach combining digital identities and associated attributes, credentials, and access controls. Homeland Security Presidential Directive 12 (HSPD-12)

Accountability

Is being able to determine whom or what is responsible for an action and can be held responsible. Repudiation is the ability to deny an action, event, impact, or result. Non-repudiation is the process of ensuring a user may not deny an action. Accountability relies heavily on non-repudiation to ensure users, processes and actions may be held responsible.

Kerberos - essentially a network authentication protocol

Kerberos security system guards a network with three elements: authentication, authorization, and auditing. Designed to provide strong authentication for client/server applications by using secret key cryptography. Kerberos is based on symmetrical encryption and a secret key shared amongst the participants. The KDC maintains a database of secret keys for all the principals on the network. Components: Client / Server Authentication Server (KDC) Ticket Granting server (KDC) *time sensitive Goal is to ensure private communications between systems over a network. Drawback - depend on careful implementation; enforcing limited lifetimes for authentication credentials minimizes the threats of replayed credentials. The achilles heel is that the encryption process ultimately is based on passwords and therefore can fall victim to traditional password-guessing attacks

Privacy and Fraud

Loss of market share

Federated identity management

Partners are capable of (move, add, change), that relate to their employees on the partners site. Agreements Standards Technologies

Control Physical and Logical Access

Physical (Facility): protects enterprise assets and provides a history of who gained access and when the access was granted. (doors, locks, fences) - can provide time and attendance functionality. Logical: protection mechanisms that limit users' access to information and restrict their forms of access on the system to only what is appropriate for them. (passwords, logins) Hybrid: biometrics, swipe cards Administration: centralized/distributed Visitor management In truly integrated environments, physical, time & attendance, and logical access controls can be provided with a single set of credentials.

IDM is not a technology, its a management issue

Poor management Policy Political issues Project management scope creep Use of product with out considering the uniqueness of the organization Lack of understanding of business context

Prevent or mitigate access control attacks

Protecting the enterprise IAM Recertifiacation Vulnerability/penetration testing Identity and follow best practices

Access Modes

Read Only - provide users with the capability to view, copy and print information. Read and Write - allowed to view and print as well as add, delete, and modify information Execute -

Identity

Refers to a set of attributes associated with something to make it recognizable

IDM Life Cycle

Registration/Creation Provisioning Modification Termination - Delete, cripple, disable (middle of the road, usually cripple)

Implement and manage (operating system enabled) authorization mechanisms. Primary benefit of an RBAC access system is that it is easily modeled after the organization or functional structure on an organization. As is their movement and adjusting their information accordinly.

Role-Based Access Control - basses access control authorizations on roles, functions, that are assigned to a user within an organization. Non-RBAC - application and service mapping via ACL's Limited -RBAC- mapped to roles within a single application rather than through an organization-wide structure Hybrid RBAC - Role based for some and not for others Full RBAC all systems are controlled by roles defined at the organizational level Rule based - on predefined list of rules that determine their access Mandatory Access Control - require the system to manage access controls in accordance with the organizations security policies (High security environments) -- system decides control and data owner provides need to know Discretionary ACLs, are placed on the data by the owner of the data. Very early form of access control non-Discretionary - requires the admin to define and tightly control access rule for files in the system

Features / Benefits of IDaaS

SSO authentication Federation Granular authorization controls Administration Integration with internal directory services Integration with external services

Access Control Criteria

Security Reliability Transparency Scalability Maintainability Audibility Integrity Authenticity

SSO

Single Sign-on is the goal Reduces threat Myth - can you get there

Ensuring Accountability

Strong identification/authentication User training and awareness Comprehensive, timely, and through monitoring Accurate and consistent audit logs Independent audits Policies enforcing accountability Organizational behavior supporting accountability Session management Desktop sessions - Logging, timeouts, screen savers, session / login limitation, schedule limitations; logical sessions

Manage the identity and access provisioning life cycle

The concepts of access control and identity management combine to form a "life cycle" with regards to resources. Provisioning - when a new or existing user requires additional access to a resource. (consider least privilege, separation of duties, and access aggregation) Review - Access rights and usage must be monitored on a basis commensurate with risk. Revocation - access rights for most users typically come to an end for one reason or another.

Tokens

Tokens are used by claimants to prove their identity and authenticate to a system. Token input data, such as a challenge or nonce (number or bit string used only once), may be required to generate the token authenticator. Token input data may be supplied by the user or may be a feature of the token itself e.g., the clock in a one time password device

Identification - claim to system - A week assertion

Unique on the system Standard naming convention Non-description of job function (no root, admin, etc.) Process for issuance (how do they get issued) Job function context needs to be there

Policy that supports IDM

Web site declarations Employee's interaction with the Data use and abuse Noncompliance penalties Disclosures to person the record is about Contracts with business partners Use 27001 as a tool to build policy

RFID Components: - RFID Tag or transponder that carries object-identifying data - RFID tag reader or transceiver, that reads and writes tag data - Back-end database/ middleware that stores records associated with tag contents.

a non-contact, automatic identification technology that uses radio signals to identify, track, sort, and detect a variety of objects including people, vehicles, goods, and assets without the need for direct contact. RFID Tag Components (electronic barcodes): - Integrated circuit for modulating and demodulating radio signals and performing other functions - An antenna for receiving and transmitting the signal Chiples Tags - RF Fibers no integrated circuit. Unprotected tags may be vulnerable to: Evesdropping/skimming Traffic Analysis Spoofing Denial of service/DDoS RFID Reader integrity Privacy

Physical Access Control Systems (PACS)

a security technology integration application suite used to control and manage physical access devices, intrusion detection, and video surveillance at DHS HQ facilities. - Identification - Visitor Management - Parking Permit Management - Alarm monitoring and Intrusion Detection An access control system is safe if no permissions can be leaked to an unauthorized or uninvited principle.

Single Sign-On

describe a unified login experience, from the viewpoint of the end user, when accessing one or more systems (federated ID management)

Authorization DAC look a your permissions first

granular rites/permissions - do the permissions match (subject to object

IdM - Identity Management

identity management (IdM) describes the management of individual principals, their authentication, authorization,[1] and privileges within or across system and enterprise boundaries[2] with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks IdM covers issues such as how users gain an identity, the protection of that identity and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords, etc.)

Administration of logical access

involves implementing, monitoring, modifying, testing, and terminating user access on the system. - Central administration: one element is responsible for configuring access controls so that users can access data and perform the activities they need to.- - Decentralized administration: access to information is controlled by the owners or creators of the files, whoever or wherever those individuals may be. - Hybrid - centralized control is exercised for some information and decentralized is allowed for other information.

SAML

is a standard for exchanging authentication and authorization data between security domains. Enables web-based authentication and authorization scenarios including SSO uses software tokens (like cookies/tickets) to pass assertions from an access control authority to a service. - Principle (typically a user) - requests a service from the service provider. - identity provider (IdP) - Service provider (SP) - requests and obtains an identify assertion from the identity provider. SAML specifies the assertions between the three parties; in particular, the messages that assert identity passed from the IdP to the SP

Physical Access control

is accessibility of space - granting or restricting access to buildings, rooms ,floors, is controlling access to certain spaces. If tailgating occurs, then the access control system assumes that the individual is still within an area and they may have "passed back" their key or access validator, to someone else when they entered. Therefore the key is not allowed to access any system that ordinarily is valid - "anti-passback" solution. Dual custody or dual key entry - requires two valid keys to be presented to the reader within a certain time for access to be grated.

Identity Proofing

is the process of collecting and verifying information about a person for the purpose of proving that person who has requested and account credential, or other special privilege is indeed who he claims to be.