
EXAM POINTERS

DOMAIN 5: IDENTITY AND ACCESS MANAGEMENT

ABHISHEK JHA
CISSP CISA CDPSE CEH
https://www.linkedin.com/in/abhishek-jha-b02a741aa/
KBA (Knowledge-Based Authentication): answers are sought from independent and authoritative sources, such as credit bureaus or government agencies.
Cognitive Password (aka security questions): authentication systems collect the answers to these questions during the account's initial registration.
  Used for: self-service password reset. Threat: social media.
Authentication Factors:
  I   Something You Know: memory based. Password, PIN, or passphrase.
  II  Something You Have: physical device possession. Hardware token, smart card.
  III Something You Are: biometrics. Fingerprints, retina patterns, iris patterns.
  IV  Somewhere You Are: the subject's location. IP address, caller ID.
Context-Aware Authentication: used by MDM. Attributes: location, device, time.
Biometric Effectiveness: the order of effectiveness from most effective to least effective:
  Iris scan | Retina scan | Fingerprint | Hand geometry | Voice pattern | Keystroke pattern | Signature
  *Iris pattern is considered lifelong (can be used for a long period of time).
Biometric Acceptance: the order of acceptance from most accepted to least accepted:
  Voice pattern | Keystroke pattern | Signature | Hand geometry | Handprint | Fingerprint | Iris | Retina pattern
Biometric Error Rates:
  I  FRR (False Rejection Rate): ratio of false negative authentications (a legitimate subject is rejected).
  II FAR (False Acceptance Rate): ratio of false positive authentications (an impostor is accepted).
  CER (Crossover Error Rate): the point where the FRR and FAR percentages are equal.
  Devices with lower CERs are more accurate than devices with higher CERs.
Zephyr Chart: illustrates the comparative strengths and weaknesses of each biometric technology.
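The FRR, FAR and CER definitions above can be made concrete by sweeping a decision threshold over matching scores. The following script is an added example, not part of the original notes; the two devices and their score lists are constructed, and the matcher is assumed to accept a sample when its score is at or above the threshold.

```python
# Added example (not from the original notes): computing FRR, FAR and the
# crossover error rate from matching scores. Score sets below are constructed.
from typing import Dict, Sequence, Tuple


def false_rejection_rate(genuine: Sequence[float], threshold: float) -> float:
    """FRR: share of genuine (legitimate) attempts rejected, i.e. false negatives."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor: Sequence[float], threshold: float) -> float:
    """FAR: share of impostor attempts accepted, i.e. false positives."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine: Sequence[float],
                         impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Sweep every candidate threshold and return (threshold, FAR, FRR) at the
    point where the two rates are closest; that is the device's CER.
    Raising the threshold lowers FAR but raises FRR, so the two curves cross
    exactly once for a sensible score set."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far = false_acceptance_rate(impostor, t)
        frr = false_rejection_rate(genuine, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr


def more_accurate(devices: Dict[str, tuple]) -> str:
    """Name of the device with the lowest CER (lower CER = more accurate)."""
    def cer(scores: tuple) -> float:
        _, far, frr = crossover_error_rate(*scores)
        return (far + frr) / 2
    return min(devices, key=lambda name: cer(devices[name]))


# Constructed matching scores (0 = no match, 1 = perfect match) for two devices:
# first list = genuine users, second list = impostors.
DEVICE_A = (
    [0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.50, 0.45],
    [0.10, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.55, 0.60],
)
DEVICE_B = (
    [0.95, 0.90, 0.90, 0.85, 0.80, 0.80, 0.75, 0.70, 0.60, 0.30],
    [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.70],
)

if __name__ == "__main__":
    for name, scores in {"A": DEVICE_A, "B": DEVICE_B}.items():
        t, far, frr = crossover_error_rate(*scores)
        print(f"device {name}: threshold={t:.2f} FAR={far:.2f} FRR={frr:.2f}")
    print("more accurate:", more_accurate({"A": DEVICE_A, "B": DEVICE_B}))
```

Device A crosses at a threshold of 0.55 with FAR = FRR = 0.2, device B at 0.6 with FAR = FRR = 0.1, so B is the more accurate device; tuning the threshold away from the crossover trades one error type for the other rather than removing error.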
PCI DSS Password Requirements:
  Passwords expire at least every 90 days.
  Passwords must be at least 7 characters long.
*NIST deprecates SMS for 2FA (smartphones and tablets display texts on the lock screen).
Tokens: password-generating device that shows a six- to eight-digit number.
  Synchronous: time based and synchronized with an authentication server.
  Asynchronous: no clock; based on an incrementing counter.
Authenticator Apps:
  HOTP (hash based): asynchronous. HMAC-based One-Time Password (HOTP).
  TOTP (time based): synchronous. Time-based One-Time Password (TOTP).
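To see the synchronous/asynchronous distinction in code, here is an added example (not from the original notes) implementing HOTP as specified in RFC 4226 and TOTP as specified in RFC 6238 with the standard library, together with the verifier side. The look-ahead window and clock-skew tolerance are assumptions chosen for the example; the shared test secret is the one published in those RFCs.

```python
# Added example (not from the original notes): HOTP (RFC 4226) and TOTP
# (RFC 6238) on top of the standard library, plus the verifier side.
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP = truncate(HMAC-SHA1(secret, counter)) mod 10^digits.
    Asynchronous: the moving factor is an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.3)
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose counter is the number of time steps since the Unix epoch.
    Synchronous: both sides derive the counter from their clocks."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify_hotp(secret: bytes, code: str, counter: int, look_ahead: int = 5) -> Optional[int]:
    """Server-side HOTP check with a resynchronisation window (assumption: 5),
    because the token may be a few presses ahead of the server. Returns the
    next counter to store, or None if the code is not in the window. A counter
    at or below the stored one is never accepted, so a used code cannot be replayed."""
    for c in range(counter, counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, at: float, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` steps to tolerate clock drift."""
    current = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret, current + d, len(code)), code)
        for d in range(-skew, skew + 1)
    )


# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))            # 755224 per RFC 4226
    print("TOTP at t=59 :", totp(RFC_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    print("TOTP now     :", totp(RFC_SECRET))
```

The only difference between the two algorithms is where the counter comes from: a stored value that advances on each press (HOTP) or the clock (TOTP). This is also why the TOTP verifier needs a skew window and the HOTP verifier needs a look-ahead window.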
FIDO (Fast Identity Online) Alliance: reducing the over-reliance on passwords. Web Authentication (WebAuthn). Recommended frameworks and protocol standards for authentication.
Identity Management (IdM) implementation:
  Centralized: a single entity performs all authorization verification.
  Decentralized: various entities perform authorization verification.
Directory Service: centralized database that includes information about subjects and objects, including authentication data. Many directory services are based on LDAP. E.g. MS Active Directory (AD DS).
  Security Domain: a collection of subjects and objects that share a common security policy.
  Trusts are established between domains to create a security bridge and allow users from one domain to access another domain's resources.
  Trusts can be one-way only, or they can be two-way.
  *PKI uses LDAP when integrating digital certificates into transmissions.
SSO: centralized access control in a single domain. Allows a subject to be authenticated once on a system and to have access to multiple resources without authenticating again.
Federated Identity Management (FIM): SSO for inter-domain authentication and authorization.
  Cloud-Based: uses a third-party service to share federated identities. E.g. IDaaS.
  On-Premises: created between organizations of different domains.
  Hybrid: combination of a cloud-based and an on-premises solution.
Just-In-Time (JIT) provisioning: automatically creates the relationship between two entities so that new users can access resources without administrator intervention. Uses SAML.
Credential management systems: provide storage space for usernames and passwords. E.g. many web browsers can remember usernames and passwords for any site that a user has visited.
Scripted access (aka logon scripts): establishes communication links by providing an automated process to transmit login credentials at the start of a login session. It is not SSO.
Identity and Access Provisioning Lifecycle: refers to the creation, management, and deletion of accounts.
Permissions: refer to the access granted for an object and determine what you can do with it.
Rights: refer to the ability to take an action on an object.
Privileges: combination of rights and permissions.
Access Control Matrix: table that includes subjects, objects, and assigned privileges. Object focused.
Capability Tables: identify privileges assigned to subjects. Subject focused.
Content-Dependent Control: restricts access to data based on the content within an object. E.g. database view.
Context-Dependent Control: requires specific activity before granting users access.

TYPES OF ACCESS CONTROL


Preventive: attempts to thwart or stop unwanted or unauthorized activity from occurring.
Detective: attempts to discover or detect unwanted or unauthorized activity.
Corrective: modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.
Deterrent: discourages security policy violations.
Recovery: repairs or restores resources, functions, and capabilities after a security policy violation.
Directive: directs, confines, or controls the actions of subjects to force or encourage compliance with security policies.
Compensating: provides an alternative when it isn't possible to use a primary control; increases the effectiveness of a primary control.
Administrative: policies and procedures.
Logical / Technical: hardware or software mechanisms.
Physical: items you can physically touch.

ACCESS CONTROL MODELS


Discretionary Access Control (DAC):
  - Every object has an owner and the owner can grant or deny access to any other subjects. E.g. NTFS.
  - Implemented using ACLs on objects.
  - Identity-based access control is a subset of DAC.
  - Does not offer a centrally controlled management system.
Role-Based Access Control (RBAC):
  - aka Task-Based Access Control; it is non-DAC.
  - Defines a subject's ability to access an object based on the subject's role or assigned tasks. E.g. MS Windows can group users.
  - Implemented using groups (of subjects).
  - Helps enforce the principle of least privilege by preventing privilege creep.
Rule-Based Access Control (Ru-BAC):
  - Uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system.
  - Has global rules that apply to all subjects.
Attribute-Based Access Control (ABAC):
  - Uses policies that include multiple attributes for rules (allow / block traffic).
  - Used in SDN.
Mandatory Access Control (MAC):
  - Access control policy decisions are made by a central authority, not by the individual owner of an object. Users cannot change access rights. E.g. Linux.
  - Uses classification labels.
  - Hierarchical: a TS (Top Secret) clearance can access Top Secret data and Secret data.
  - Compartmentalized: the subject must have a specific clearance. E.g. need to know (NTK).
  - Hybrid: combines both hierarchical and compartmentalized.
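The three MAC label schemes above reduce to a small decision function. The script below is an added example, not from the original notes: the level ordering, the marking format (level, then `//`, then `/`-separated compartments) and the compartment names are all constructed for the example. It shows why a Top Secret clearance alone does not grant access to a lower-classified but compartmented object.

```python
# Added example (not from the original notes): a MAC decision function for the
# hierarchical, compartmentalized and hybrid label schemes. Levels, marking
# format and compartment names are constructed for this example.
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical levels, highest last. A central authority defines these; neither
# users nor object owners can change them, which is what makes the control mandatory.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()


def parse_label(marking: str) -> Label:
    """Parse a marking such as 'TOP SECRET//CRYPTO/NUKE' into a Label.
    The marking syntax is an assumption of this example, not a standard."""
    level, _, comps = marking.partition("//")
    level = level.strip().upper()
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level!r}")
    parts = frozenset(c.strip().upper() for c in comps.split("/") if c.strip())
    return Label(level, parts)


def hierarchical_allows(clearance: str, classification: str) -> bool:
    """Hierarchical MAC: a TS clearance reads TS, Secret, Confidential and below."""
    return LEVELS[clearance] >= LEVELS[classification]


def compartmentalized_allows(subject_comps: FrozenSet[str],
                             object_comps: FrozenSet[str]) -> bool:
    """Compartmentalized MAC (need to know): the subject must hold every
    compartment the object is marked with; the level is irrelevant here."""
    return object_comps <= subject_comps


def hybrid_allows(subject: Label, obj: Label) -> bool:
    """Hybrid MAC: the subject label must dominate the object label on both axes."""
    return (hierarchical_allows(subject.level, obj.level)
            and compartmentalized_allows(subject.compartments, obj.compartments))


def can_read(subject_marking: str, object_marking: str) -> bool:
    """Hybrid read check on string markings; raises ValueError for unknown levels."""
    return hybrid_allows(parse_label(subject_marking), parse_label(object_marking))


if __name__ == "__main__":
    for subj, obj in [("TOP SECRET//CRYPTO", "SECRET//CRYPTO"),
                      ("TOP SECRET//CRYPTO", "CONFIDENTIAL//NUKE"),
                      ("SECRET//CRYPTO/NUKE", "TOP SECRET//CRYPTO")]:
        print(f"{subj:22} -> {obj:22}: {'allow' if can_read(subj, obj) else 'deny'}")
```

The second case is the one exams like to probe: the subject outranks the object hierarchically (Top Secret over Confidential) but lacks the NUKE compartment, so the hybrid check denies the read.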
Risk-Based Access Control:
  - Evaluates risk by considering several different elements, such as the environment, the situation, and security policies.
  - Can sometimes use binary rules to control access.
  - Used in MDM.
IMPLEMENTING IDENTITY MANAGEMENT
KERBEROS
KDC (Key Distribution Center): trusted third party that provides authentication services.
AS (Authentication Server): the authentication service verifies or rejects the authenticity and timeliness of tickets.
TGT (Ticket Granting Ticket): provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects.
ST (Service Ticket): encrypted message that provides proof that a subject is authorized to access an object.
Kerberos Login Process:
  1 The user types a username and password into a client.
  2 The client encrypts the username with AES for transmission to the KDC.
  3 The KDC verifies the username against a database of known credentials.
  4 The KDC generates a symmetric key that will be used by the client and the Kerberos server, encrypts it with a hash of the user's password, and generates a time-stamped TGT.
  5 The KDC transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client.
  6 The client installs the TGT for use until it expires and decrypts the symmetric key using a hash of the user's password.
The Kerberos Ticket Request Steps:
  1 The client sends its TGT back to the KDC with a request for access to the resource.
  2 The KDC verifies that the TGT is valid and checks its access control matrix to verify that the user has sufficient privileges to access the requested resource.
  3 The KDC generates a service ticket and sends it to the client.
  4 The client sends the ticket to the server or service hosting the resource.
  5 The server or service hosting the resource verifies the validity of the ticket with the KDC.
  6 Once identity and authorization are verified, Kerberos activity is complete, and a session is opened.
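The two step lists above can be walked through end to end in a single script. What follows is an added simulation, not the original notes' content and not real Kerberos code: the user, password, services and access control matrix are constructed; AES is replaced by a toy SHA-256 keystream with an HMAC tag so that it runs on the standard library alone; and, as a simplifying assumption, the service checks its ticket with its own long-term key instead of calling back to the KDC. The point it demonstrates is that the password never travels and that a wrong password simply fails to decrypt the session key the KDC returned.

```python
# Added example (not from the original notes): a simulation of the Kerberos login
# and ticket-request steps above. All keys, users and services are constructed,
# and AES is replaced by a toy SHA-256 keystream plus HMAC tag so that the
# script runs on the standard library alone.
import hashlib
import hmac
import json
import os

TICKET_LIFE = 8 * 3600  # seconds a TGT / service ticket stays valid (assumption)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption standing in for AES: nonce || ciphertext || HMAC."""
    pt = json.dumps(payload).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed")      # wrong key or tampered ticket
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def user_key(password: str) -> bytes:
    """The user's long-term key is a hash of the password (login steps 4 and 6)."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    def __init__(self, users: dict, services: dict, acm: dict):
        self.users = {u: user_key(pw) for u, pw in users.items()}  # credential database
        self.services = services          # service name -> service long-term key
        self.acm = acm                    # access control matrix: user -> allowed services
        self.tgs_key = os.urandom(32)     # only the KDC can open a TGT

    def login(self, username: str, now: int):
        """Login steps 3-5: check the user exists, mint a session key and a TGT."""
        if username not in self.users:
            raise PermissionError("unknown user")
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": username, "session": session, "exp": now + TICKET_LIFE})
        enc_session = seal(self.users[username], {"session": session})
        return enc_session, tgt           # the password itself never travels

    def ticket_request(self, tgt: bytes, service: str, now: int) -> bytes:
        """Ticket-request steps 2-3: validate the TGT, consult the matrix, mint a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if t["exp"] <= now:
            raise PermissionError("TGT expired")
        if service not in self.acm.get(t["user"], ()):
            raise PermissionError("not authorized")
        svc_session = os.urandom(32).hex()
        st = seal(self.services[service], {"user": t["user"], "service": service,
                                           "session": svc_session, "exp": now + TICKET_LIFE})
        return seal(bytes.fromhex(t["session"]), {"session": svc_session, "ticket": st.hex()})


def service_accepts(service_key: bytes, ticket: bytes, now: int) -> str:
    """Ticket-request step 5 (assumption: verified locally with the service key)."""
    t = unseal(service_key, ticket)
    if t["exp"] <= now:
        raise PermissionError("ticket expired")
    return t["user"]


def run_flow(password: str, service: str = "fileserver", login_at: int = 1_700_000_000,
             request_at: int = 1_700_000_060) -> str:
    """Drive one client through both step lists; return the verified user or the failure reason."""
    services = {"fileserver": os.urandom(32), "payroll": os.urandom(32)}
    kdc = KDC({"alice": "correct horse battery staple"}, services, {"alice": {"fileserver"}})
    try:
        enc_session, tgt = kdc.login("alice", login_at)                              # steps 1-5
        session = bytes.fromhex(unseal(user_key(password), enc_session)["session"])  # step 6
        reply = unseal(session, kdc.ticket_request(tgt, service, request_at))        # steps 1-3
        ticket = bytes.fromhex(reply["ticket"])                                      # step 4
        return service_accepts(services[service], ticket, request_at)                # steps 5-6
    except (ValueError, PermissionError) as e:
        return str(e)


if __name__ == "__main__":
    print(run_flow("correct horse battery staple"))                      # alice
    print(run_flow("wrong password"))                                    # decryption failed
    print(run_flow("correct horse battery staple", service="payroll"))   # not authorized
```

Three properties of the protocol fall out of the simulation: the KDC never learns whether the typed password was right (the client proves it by decrypting), the access control matrix is consulted at ticket-request time rather than at login, and every ticket carries an expiry that both the KDC and the service enforce.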
FEDERATED IDENTITY MANAGEMENT
XML: describes data. Includes tags to describe data as anything desired.
SAML: an XML-based language that is commonly used to exchange authentication and authorization (AA) information between federated organizations (SAML 2.0).
  *SSO for enterprise apps.
  Three Entities:
    Principal or User Agent: requests a service from the service provider.
    Service Provider (SP): provides the service to the principal. The service provider requests and obtains an authentication assertion from the identity provider.
    Identity Provider (IdP): a third party that holds the user authentication and authorization information.
  Assertions (Messages):
    Authentication: provides proof that the user agent provided the proper credentials, identifies the identification method, and identifies the time the user agent logged on.
    Authorization: indicates whether the user agent is authorized for the service, and if not, why.
    Attribute: any information about the user agent.
OAuth: open standard used for access delegation. E.g. grants websites or applications access to a user's information on other websites without giving them the user's password. OAuth is an authorization framework, not an authentication protocol (maintained by the IETF).
  *Used for API authorization.
OpenID: open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. Allows users to be authenticated by co-operating sites (known as relying parties, or RPs) using a third-party identity provider (IdP) service.
OIDC (OpenID Connect): an authentication layer on top of OAuth 2.0. Provides both authentication and authorization. Uses JWT.
  *SSO for consumer apps.
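Since OIDC carries its authentication result as a JWT, the relying party's job is to validate that token before trusting the subject it names. The script below is an added example, not from the original notes: it issues and validates an ID token with HS256 and a constructed shared key so that it runs offline (real identity providers normally sign with an asymmetric algorithm and publish their public keys), and the issuer URL, audience and claims are constructed.

```python
# Added example (not from the original notes): issuing and validating an OIDC ID
# token (a JWT) with the standard library. HS256 with a constructed shared key is
# used so it runs offline; real IdPs normally sign with RS256/ES256 and publish keys.
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(key: bytes, claims: dict) -> str:
    """IdP side: header.claims.signature, each segment base64url without padding."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Relying-party checks: pinned algorithm, signature, then iss, aud, exp, iat.
    Any failure raises ValueError; the claims are trusted only after every check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":          # the token must not choose its own algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("iat", now) > now:
        raise ValueError("issued in the future")
    return claims


def validate(token: str, key: bytes, now: int, issuer: str = "https://idp.example.test",
             audience: str = "consumer-app") -> str:
    """Convenience wrapper: 'ok:<subject>' on success, otherwise 'rejected:<reason>'."""
    try:
        return "ok:" + verify_id_token(token, key, issuer, audience, now)["sub"]
    except ValueError as e:
        return "rejected:" + str(e)


# Constructed key and claims for the demo.
KEY = b"constructed-shared-secret-for-the-example"
NOW = 1_700_000_000
CLAIMS = {"iss": "https://idp.example.test", "sub": "alice", "aud": "consumer-app",
          "iat": NOW, "exp": NOW + 300, "nonce": "constructed-nonce"}
TOKEN = issue_id_token(KEY, CLAIMS)

if __name__ == "__main__":
    print(validate(TOKEN, KEY, NOW))            # ok:alice
    print(validate(TOKEN, KEY, NOW + 600))      # rejected:token expired
    print(validate(TOKEN, b"other-key", NOW))   # rejected:bad signature
```

The order of the checks matters: the algorithm is pinned and the signature checked before any claim is read, so a token whose header names a different algorithm, or whose body was edited after signing, is rejected without its claims ever being parsed as trusted input.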
