Chapter 8 - Identity and Access Management Flashcards
Identity
Identities are the sets of claims made about a subject. Subjects are typically people, applications, devices, systems, or organizations, but the most common application of Identity is to individuals.
What are some of the common ways of claiming an identity?
- Usernames
- Certificates
- Tokens
- SSH keys
- Smartcards
Single Sign-On (SSO)
Single Sign-On systems allow a user to log in with a single identity and then use multiple systems or services without reauthenticating.
Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol is commonly deployed as part of an identity management infrastructure and offers hierarchically organized information about the organization. LDAP is commonly used as part of SSO infrastructures.
What are some of the core technologies that internet-based systems and architectures often rely on for authentication, authorization, and SSO?
- Security Assertion Markup Language (SAML)
- OpenID
- OAuth
Security Assertion Markup Language (SAML)
Security Assertion Markup Language is an XML-based open standard for exchanging authentication and authorization information. SAML is often used between identity providers and service providers for web-based applications.
OpenID
OpenID is an open standard for decentralized authentication. A common example of this is the “Log in with Google” functionality that many websites provide. Relying Parties (RPs) redirect authentication requests to the Identity Providers (IdPs) and then receive a response with an assertion that the user is who they claim to be due to successful authentication.
OAuth
OAuth is an open standard for authorization used by many websites. OAuth provides a method for users to determine what information to provide to third-party applications and sites without sharing credentials.
Identity Provider (IdP)
Identity Providers manage the life cycle of digital identities from creation through maintenance to eventual retirement of the identity in the systems and services it supports.
What is meant by a Federated environment in IT?
In a federated environment, user authentication is separated from user access through the use of one or more external entities that provide independent authentication of user credentials.
Passwordless Authentication
Passwordless Authentication often relies on something you have (security tokens, certificates) or something you are (biometric factors).
Multifactor Authentication (MFA)
Multifactor Authentication ensures that a single compromised factor like a password does not create undue risk. MFA relies on two distinct factors for authentication.
What are the four commonly used authentication factors?
- Something you know (password, PIN)
- Something you have (smartcard, USB, Bluetooth token)
- Something you are (physical/biometric characteristics)
- Somewhere you are (GPS, network location)
One-Time Passwords (OTP)
One-Time Passwords are usable only once. Brute-force attacks against an OTP must chase a constantly changing target, because each code expires after use or after a short window.
Time-Based One-Time Passwords (TOTP)
Time-Based One-Time Passwords use an algorithm to derive a one-time password using the current time as part of the code-generation process. The code is valid for a set period of time and then moves on to the next time-based code.
HMAC-Based One-Time Passwords (HOTP)
HMAC-Based One-Time Passwords use a seed value shared by both the token (or HOTP code-generation application) and the validation server, as well as a moving factor. For many hardware HOTP tokens that generate a code when a button is pressed, the moving factor is a counter.
SMS-Based One-Time Passwords (SMS OTP)
SMS-Based One-Time Passwords involve an SMS message containing an OTP being sent to the user's phone when they attempt to authenticate. Of the OTP methods, SMS OTP is the most susceptible to attacks.
False Rejection Rate (FRR)
False Rejection Rate (Type 1 Errors) describes the case in which a valid biometric measure is presented and the system wrongly rejects it.
False Acceptance Rate (FAR)
False Acceptance Rate (Type 2 Errors) describes when a biometric factor is presented and is accepted when it shouldn’t be.
What are some of the basic account types?
- User accounts
- Privileged or administrative accounts
- Shared and generic accounts or credentials
- Guest accounts
- Service accounts (associated with applications and services)
Permission Creep
Permission Creep occurs when users take on new roles or are granted new permissions based on the tasks they are doing, so their permissions accumulate over time.
Deprovisioning
Deprovisioning is the process of removing an account along with its permissions, related data, files, or other artifacts, as required by the organization's processes and procedures, when the account is terminated.
Privileged Access Management (PAM)
Privileged Access Management tools can be used to handle administrative and privileged accounts. PAM tools focus on ensuring that the concept of least privilege is maintained by helping administrators specify only the minimum set of privileges needed for a role or task.
What are the three most important features of PAM tools?
- Just-in-time (JIT) permissions
- Password vaulting
- Ephemeral accounts