sec835 identity and access management overview. tasks of iam specify the rules of electronic...
DESCRIPTION
Identity Basic identity User’s ID generated to be used by a given application Federated identity User’s ID assembled from many sites in distributed environment With a single ID a user can communicate to many sitesTRANSCRIPT
SEC835
Identity and Access ManagementOverview
Tasks of IAMSpecify the rules of electronic identityMaintain identity Validate identityDefine access privilegesValidate access privileges
Identity
Basic identityUser’s ID generated to be used by a given application
Federated identityUser’s ID assembled from many sites in distributed environmentWith a single ID a user can communicate to many sites
Identity lifecycle User provisioning
Create an electronic identity and access privilegesIdentity lifecycle
Electronic identity is an object that change its state from being created to being destroyed. Between the two ends it can have other states to reflect the user’s state, e.g. pending, not-active.
Identity assuranceThe method of determining that the electronic identity belongs to the right person
AuthenticationIdentity validation
Verify that this identity is correct (belongs to the group of valid identities)Identity proof
Verify that the validated identity belongs to the right person. We need validation factors to do that. That is user’s authentication.
Credential issuingMatch the valid identity to relevant access privileges. Two things together are known as a user’s credentials.
Credential assuranceCredentials also need assurance since they may be intercepted and misused (impersonation attack)
Graded authenticationAuthentication may be completed in stages, starting from more simple one (e.g. one factor) and growing up to more secure if there are business needs.
Authentication factorsSomething you know
PasswordSecret word
Something you haveSmart CardToken
Something you areBiometrics (finger prints, eyes retina)
A single factor authenticationPassword
Must be strong• Long• Complicated structure• Not using dictionary
Changed regularly• Always change system generated password• Periodic changes of user-selected passwords
Stored hashed or encrypted• Hash cannot be restored
Resistant to brute-force attacksMeasures of precautions against information disclosure attacks
• Information disclosure through security holes in the application
Two-factor authenticationSecond factor – identify the type
RSA certificate (PKI technology)Smart card (Entrust card)Telephone factorSecret wordsFingerprints
Out-of-band authenticationUse additional input, that does not belong to the system
Authentication mechanismsBasic authentication
Mechanism provided by web browsersThis is weak authentication
Form-based authenticationMechanism that is built and controlled by the applicationRecommended for commercial applicationsRequired to implement two-factor authentication
Single Sign On (SSO)The access control mechanism that allow authenticating a user just once when a user needs access to a few applications.
Strong authentication mechanismStrong identity –at least two factorsStrong authentication protocol combined with secure session management and supported with other security mechanisms like encryption
Second factor choice – Lab 5, part1How to decide about the second factor?Read the articleProvide written answer to the following question:
1. For each of the factors, please identify the category of an authentication mechanism (out of three known categories: smth you know, smth you have, smth you are).
Work individually or with your teammates (up to 3 people)Send the answer by email today
Access controlAccess Control List (ACL)
Map identity to resources and show allowed actions in terms of Read/Write/Update
Role-based access controlApplication considers the end users rolesPrivileges are assigned to the roles, not to peoplesPrivileges specify access to functions and data
Attribute-based access controlPrivileges take into account the level of sensitivity of data and functions in addition to the roles.
Role-based Access ControlOften used for eCommerce applicationsThe users have been assigned with their roles in business processes, e.g. operator, teller, customer service representative, etc.Privileges have been assigned to roles, not to individualsAll users that play the same role have the same level of privilegesIndividuals move in and out but roles sustain
Attribute-based Access ControlDifferentiate access privileges within a group of users who play the same roleData attributes values or characteristics of functions are used as differentiating factorsExamples
Operator has the right to read data but do not have the right to delete them Teller has the right to perform transactions that are below $500. For greater amount of money she needs her manager
RBAC vs. ABACABAC provides more granular access control than RBACBoth are used for eCommerceABAC always assume custom developmentRBAC tools is a part of nowadays Application Servers (Web Sphere, Web Logic)
Access control policyAccess control policy sets the rules for
ID and password creating• Length, characters to be used
Assigning privileges• Map privileges to business functions or attributes
Maintaining identity and access privileges• Periodical changes, review, etc.
Access Control (cont.)Additional security measures
Least privileges• One has the access to data or functions on “need to
know” basis
Separation of duties• Sensitive functions always require more than one
person to complete
Access Control ImplementationID and passwords are stored in LDAP or RDBPrivileges for RBAC or for ABAC are stored in RDB or in a special data repositoryPasswords must be hashedApplication must implement different views for different roles
View Patterns for RBACFull View with Exceptions
The operations available in an application are made visible to users, but access attempts are guarded.
Limited ViewA user can see, and access, only the operations he/she is entitled to use.
IAM technology conceptual architecture
Strong access control requirementsA strong access-control mechanism must be:
Policy basedCentralized at a single pointInvoked on every access requestCannot be avoidedReliable in that its operation cannot be subverted by hostile partiesAuditable
Strong Access Control Mechanism Checklist
Ensure that the access-control matrix is built for all development stages of the application (business, architecture, and design).Ensure that all URLs and business functions are protected, as well as data.Ensure that the request for data stored in the RDB goes through the access-control mechanism. At this point, the process must be authenticated and access privileges verified.Avoid having files or libraries located at the Web root directory.Block access to all file types that are not used by the application.Keep virus protection and patches up-to-date.
Data classificationHow to determine the need in strong access control mechanism?
Each organization has its data classification policyData is classified by the degree of sensitivity in terms of confidentiality and integrityStandard classification includes:
• Highly confidential• Confidential• Public
This provides a clue to how strong the access control mechanism must be, and reflect the requirements to each category of users
Users discretionUsers have different level of privileges to access to dataOverall consideration of privileges assumes
Need to knowWhat operations are required (R/W/U)How sensitive is the data
Access Management FeaturesAccess ManagementGiven that the account is viable, the application will use it to protect its assets by
Identify a userAuthenticate a userCheck a user’s privileges to access the system assetsProvide the access in accordance to the privileges
Strong authentication, session management, and access control patterns are recommended.In a distributed environment we recommend using a Single Sign-On (SSO) component as the Portal’s access-management front-end.
Top IAM technologiesSunMicrosystems IBMOracle
RBAC matrix exerciseGRP projectRole – GRP Portal AdminFunctions – create support tablesDatabase tables – Catalog, Event Types, Categories
RBAC Access control in practice – Lab 5, Part 2
Complete RBAC matrix for a GRP role relevant to your mini-projectsSend by email today