Identity, Access Management

For example, in a Dynamic Scenario, A printer (object) receiving a print job from a computer (subject). The same printer then becomes a subject when it requests ink level details from an ink cartridge (object).

Access refers to the relationship between subject and object. Types of operations: reading, writing, changing, deleting, printing, moving, backing up, etc. 

Transitive Trust: If A trusts B and B trusts C, then A may trust C because of the relationship with B. Can lead to bypassing security restrictions. Example: A can't access C, but if A accesses B and B can access C, A might indirectly access C through B.

Real-world Example: Workers (A) blocked from certain sites (C). Workers use a VPN (B) that isn't blocked and can access those sites. Workers, through VPN (B), can now access blocked sites (C). This bypasses network restrictions via transitive trust.

Identification, Authentication, Authorization, and Accountability

Identification

• The process where a subject claims an identity.
• Typically involves providing a unique identifier like a username.
• Think of it as claiming "This is who I am."

Authentication

• The process where a subject claims an identity.
• Typically involves providing a unique identifier like a username.
• Think of it as claiming "This is who I am."

Multi-Factor Authentication (MFA)

• Something you know: PIN or Password
• Something you have: Trusted device (like a smartcard)
• Something you are: Biometric data (e.g., fingerprint)

MFA requires two or more authentication factors, making it more secure than a single factor.

Single Sign-On (SSO)

• Common in internal networks.
• Also used on the internet with third-party services.
• Many cloud-based applications adopt SSO for ease of access over the internet.

Certificate-based authentication

• Digital certificates may be used as an authentication technique for user, service, and device identities. These are akin to those that secure websites (x.509).
• Contains both a public and private key.
• Typically issued by a CA in a PKI.
• Reference: Key exchange asymmetric cryptography in domain 3 security architecture and engineering section.

Biometric Systems

1. Fingerprint scanner:

   • Common for MFA, travel, finance, legal contexts.

2. Retina scanner:

   • Identifies using blood vessels of the retina which absorb light.

3. Iris scanner:

   • Scans the iris to confirm identity. Requires physical devices.

4. Voice recognition:

   • Stores voice patterns for authentication.

5. Facial recognition:

   • Uses face features. Windows Hello is an example which employs an IR camera to address light direction issues.

6. Vein and Gait analysis:

   • Vein analysis uses blood vessels in the palm.
   • Gait analysis identifies based on the walking pattern.

Crossover Error

• False Acceptance (FAR): Invalid subject gets authenticated.
• False Rejection (FRR): Valid subject is rejected.
• Crossover Error Rate (CER): Point where FAR equals FRR. Adjusting device sensitivity can change the CER.

While false rejection is undesirable, false acceptance is generally considered worse.

Let's take the example of implementing Hand Geometry Scanners in a secure environment:

• While these devices measure the dimensions of an individual's hand, they don't assess other unique factors or verify if the individual is alive.
• Even though their False Rejection Rate (FFR) isn't notably high and they're reasonably accessible, they shouldn't be the only security measure in place for high-security areas.

Measure not just the performance CER of the device, but where it will be implemented and if it should be used in conjunction with other methods. 

Authorization

• Post-authentication phase.
• Determines what subjects (based on their authenticated identity) can do/access within a system or network.
• Only after authentication, subjects are given permissions to perform actions or access resources.

Need to Know

1. • Subjects access only necessary information for their tasks.
   • Clearance is provided if they need it for the organization. 

Least Privilege

• Key concept: Least privilege refers to rights on system actions. Not just access.
• Subjects are granted privileges essential for their tasks.
• It's akin to 'need to know'. However, it also includes rights for actions on a system.

Separation of Duties and Responsibilities

• Sensitive functions are divided among multiple employees.
• Helps to prevent fraud through a system of checks and balances.

Approaches

• Just in Time (JIT): Allows temporary privilege elevation, which is revoked after a specified time.
• Often used in PIM/PAM.
• Implemented via ephemeral accounts or a broken and remove access strategy.
• Example: A system admin needs access to a secure server for a software update. With JIT, they're granted temporary access only for the update duration, after which the access is revoked.

Accountability

• This ties everything together.
• Involves maintaining logs and audit trails of activities.
• Records provide details about who did what, when it was done, and the action performed.
• It's the evidence or proof of actions performed within the system.

Remember: "Identification + Authentication + Auditing = Accountability."

AAA Protocols

• AAA stands for authentication, authorization, and accounting.
• Used by network access or remote access systems.
• Network Access Server: A client of the RADIUS server, which provides AAA services.
  • RADIUS uses UDP and encrypts only the password.
  • TACACS+ uses TCP and encrypts the entire session.
    • TACAS+ is partically proprietary, owned by CISCO.
  • Diameter improves upon RADIUS but isn't compatible. Found in 4G networks.

XTACAS is the old standard of TACAS+ and should be avoided. 

Identity and Access Provisioning Lifecycle

Identity and Access Provisioning Lifecycle encompasses the three main stages through which an account passes during its existence in an organization. These stages ensure that only authorized individuals can access specific resources and that their access remains appropriate and timely.

1) Creation: This is the initial stage where an account or identity is created for a user, typically when they first join an organization. Depending on the organization and its policies, the creation might involve:

• Assignment of a username, password, or other authentication methods.
• Granting initial permissions, based on job function or role.
• Setting up security measures, like multi-factor authentication.

2) Management: As the user continues with the organization, their role might change, necessitating adjustments in their access levels. This phase involves:

• Monitoring and logging of user activities.
• Regularly reviewing and updating access rights based on role-based access control (RBAC). For instance, a promotion might give someone access to more confidential information.
• Implementing security updates or changes in authentication procedures.

3) Deletion: This is the final phase, which occurs when a user's relationship with the organization ends. It's crucial to ensure that:

• All access rights are revoked.
• The account is deprovisioned or archived, ensuring no remnants that could pose a security risk.

Ensure timely deprovisioning! Always deprovision accounts promptly upon separation.

Example: Imagine Jane Doe, who's just been hired as a junior accountant in a company.

• Creation: Her IT department sets up an account for her, granting her access to the accounting software and relevant databases. She receives a username and a complex password, with instructions to set up two-factor authentication.

• Management: After two years, Jane gets promoted to a senior accountant. Her access rights are modified to include access to more sensitive financial data. She's also required to update her password and undergo a cybersecurity training refresher.

• Deletion: Jane decides to leave the company five years later for a new opportunity. On her last day, her account is flagged for deprovisioning. By the next week, her account is deactivated, ensuring she no longer has access to the company's resources.

Regular audits of active accounts can help catch any oversight in the deprovisioning process.

Types of Provisioning

• Discretionary account provisioning
  • Where a manager might just create an account themselves for a new hire. 
• Workflow-based account provisioning
  • Through a workflow i.e submitting forms to HR for them to manually create the account
• Automated account provisioning
  • If there was a central, software-driven process instead of any type of form. 
    
• Self-service account provisioning
  • Allows the new-hire to create an account completely on their own, but some manual intervention required. 

Key Issues in Access Control

• Excessive Privilege: Users have more rights than needed for their tasks.
• Creeping Privileges: Accumulation of additional rights over time due to role changes.
  • Example: Karen, moving from accounting to sales, might retain both sets of rights.

Just-In-Time (JIT) Provisioning

A dynamic approach in federated identity solutions where the system automatically establishes the required relationship between user entities the moment it's needed. This eliminates the need for pre-defined user accounts in external systems.

• SAML SESAME: Security Assertion Markup Language (SAML) is often used in JIT provisioning because of its ability to securely exchange authentication and authorization data between parties.

Reprovisioning

• A provisioning system should have a blank reset request to reset the right and reprovision the new position
• Deleting an account and creating a new one after a new role is setup is sometimes done, but this is not best practice as it can lead problems with ID inconsistencies, and how existing credentials work (like new email addresses). 
• Simply adding new rights leads to privilege creep and should never be done. 

Authentication & Access Methods

• Passwords:
  • Weakest form of authentication.
  • To strengthen: Implement password policies that enforce complexity and history requirements.
• Smartcards:
  • Microprocessors, NFC, or cryptographic solutions are included.
  • Good option for authentication.
• Tokens:
  • Used to create One-Time Passwords (OTP).
• Biometrics:
  • Identifies users based on unique physical characteristics.
  • Examples include fingerprints, retina, iris, voice, face, vein, and gait.
  • Biometric systems can have crossover errors.

Federation

1. Identity Management: It pertains to the management of user identities and their associated credentials.

2. Federated Identity: This ties a user’s identity across multiple identity management systems, effectively allowing a single set of credentials to be used across several interconnected platforms.

3. FIM: Extends the concept of federated identity beyond one organization, enabling multiple organizations to share identity data and create a unified authentication system.

1. A federation is an alliance of multiple entities (organizations, networks, etc.) that have agreed to use a shared identity management system.

2. Joining a federation doesn't mean unrestricted access. Each member of the federation still maintains control over its resources and decides which other members get access.

3. Interoperability is key in a federation. Entities might be using different technologies, so standards like SAML, OAuth, and OpenID Connect are crucial to ensure seamless communication.

Types of Federations

1. Cloud-Based Federation: This involves a third-party service that manages and shares federated identities. It's useful for entities that want to offload the complexity of identity management to external service providers.

2. On-Premise Federation: This is a system maintained within an organization's own infrastructure. It provides the most control over data and processes but might require more resources for maintenance.
   

   1. • Example: Active Directory does this in the format of DOMAIN\Username. If you were a Volkswagen employee at a federated environment at a Bugatti office.

    

3. Hybrid Federation: As the name suggests, this is a mix of both on-premise and cloud-based systems. It combines the best of both worlds – the flexibility of cloud solutions and the control of on-premise systems.

Modern Approaches to Least Privilege:

• Just in Time (JIT): Allows temporary privilege elevation, which is revoked after a specified time.
• Often used in PIM/PAM.
• Implemented via ephemeral accounts or a broken and remove access strategy.
• Example: A system admin needs access to a secure server for a software update. With JIT, they're granted temporary access only for the update duration, after which the access is revoked.

Active Directory and Kerberos

• Kerberos is primarily used for authentication.
• Provides confidentiality and integrity with a symmetric key.
• Lacks logging capabilities, hence doesn't provide accountability.

Watch out for attacks: Replay, pass-the-ticket (not hash), golden ticket, kerberoasting.

• Introduction:

  • Kerberos is an authentication system using ticketing.
    
  • Main function: Provides users with tickets for accessing resources after authenticating their identity.

• Key Features:

  • Single Sign-On: Users sign in once and can access multiple resources without signing in again.
  • Encryption: Uses symmetric-key cryptography, particularly AES.
    • Ensures confidentiality and integrity.
    • Protects against eavesdropping and replay attacks.

• Key Elements:

  1. Key Distribution Center (KDC):
     • Central entity in Kerberos.
     • Maintains secret keys for all network users.
     • All servers and clients are registered here.
  2. Kerberos Authentication Server:
     • Contains both the Ticket-Granting Service (TGS) and Authentication Service (AS).
     • AS verifies the authenticity of tickets. Often called the KDC.
  3. Ticket:
     • Encrypted proof of authorization to access a resource.
     • Limited lifetime; needs renewal or reissue after expiry.
  4. Ticket-Granting Ticket (TGT):
     • Proof of KDC authentication.
     • Used to request other tickets.
  5. Kerberos Principal:
     • Any entity, usually a user, that requests a ticket.
  6. Kerberos Realm:
     • Logical network or domain area managed by Kerberos.

• Operational Aspects:

  • Storage: Kerberos requires an account database (e.g., Microsoft's Active Directory).
  • Ticket Exchange: Allows mutual authentication between clients, servers, and the KDC.
  • Login Process:
    1. User provides credentials.
    2. Client sends encrypted username to KDC.
    3. KDC checks username in its database.
    4. KDC generates and sends encrypted symmetric key and TGT to client.
    5. Client uses TGT until expiry; decrypts symmetric key using user's password hash.
  • Resource Access:
    1. Client sends TGT and resource access request to KDC.
    2. KDC validates TGT and checks user privileges.
    3. KDC sends service ticket to client.
    4. Client presents this ticket to the required server.
    5. Resource-hosting server checks ticket validity with KDC.
    6. Upon verification, the server starts a session with the client.

• Advantages:

  • Works across various network configurations including LANs, remote access, and client-server setups.

• Challenges:

  • Single Point of Failure: KDC. If compromised, all system's secret keys are at risk.
  • Availability: If KDC goes offline, authentication halts.
  • Time Synchronization: Systems must sync within 5 minutes of each other. Otherwise, tickets become invalid.

• Note: Passwords are never transmitted over the network, ensuring security. Instead, a hashed version of the password is used to encrypt and decrypt symmetric keys.

• Best Practice: Time synchronization is vital. One domain controller (DC) should sync with an external NTP. Other DCs sync with the first, and all systems sync with one DC during login.

Access Control Methods

Discretionary Access Control (DAC)

• Key Characteristic:
  • Every object has an owner.
  • The owner can grant or deny access to any other subjects.
• Example:
  • New Technology File System (NTFS).

The owner's discretion is pivotal in DAC.

Mandatory Access Control (MAC)

• Key Characteristic:

  • Labels are applied to both subjects (e.g., users) and objects (e.g., documents).
  • Access is based on matching labels between the subject and object.
  • Also known as a lattice-based model.
• Description: Uses a system-enforced access policy where individual object owners can't set access. Operates based on labels assigned to every object and subject.
• Hierarchical Environment: Classifications are assigned in a structured order, ranging from low to high security.
• Compartmentalized Environment: Focuses on specific clearances over domains or compartments rather than individual objects.
• Hybrid Environment: A mix of both hierarchical and compartmentalized systems where security levels possess sub-compartments.
• Key Point: Every object and subject in the MAC model has one or more predefined labels, with the system determining access based on these labels.
• Software Example: SELinux in Linux employs MAC by assigning labels to every file, process, port, etc., and uses these labels to enforce policy decisions.

• Example:

  • A system where a user labeled "Top Secret" can only access documents with the same "Top Secret" label.

Matching labels are crucial in MAC to determine access.

Network Access Control (NAC)

NAC is a MAC method for controlling who and what can access a network based on a set of security policies. Its main aim is to automatically detect and respond to security threats in real-time. It ensures all systems are up-to-date and follow the latest security standards while keeping unauthorized devices away. Initially, 802.1X (port-based NAC) was seen as the embodiment of NAC. Now, it as just a basic or optional component of a full NAC solution. NAC follows the key philosophies:

• Preadmission: Systems must satisfy all security standards before they can join the network.
• Postadmission: Access is granted or denied based on user actions, using a set authorization matrix.

Objectives:

• Block or limit known and new (zero-day) threats.
• Consistently apply security policies throughout the network.
• Base access decisions on user or device identities.

Use comprehensive security policies that specify how every device and communication (internal or external) should be secured to achieve the NAC objectives. 

Agent-based can be either:

• Dissolvable: Temporary, runs once typically via a web/mobile interface.
• Permanent: Constantly runs in the background on the system.

Considerations

• Monitoring Method: Choose between out-of-band (monitoring that's separate from the main network data flow) or in-band (monitoring within the main network data flow).
• Remediation Strategies: Decide how to handle non-compliant systems, whether to isolate them, provide a restricted access portal, or some other method.
• Before implementing NAC, it's crucial to address and plan for these and other potential issues.

Non-discretionary Access Control

Role-Based Access Control (RBAC)

• Key Characteristic:

  • Access is based on defined job roles, each associated with specific permissions.

• Example:

  • In many business ERP systems, users are given access based on their roles such as 'Manager', 'Accountant', or 'Clerk'.
  • Azure roles such as "Global Admin", "Access Admin", or "Security Reader" allow individuals occupying these roles to access specific resources or perform certain tasks.

RBAC simplifies access control management by grouping users under roles.

Rule-Based Access Control

• Key Characteristic:
  • Global rules apply to all subjects.
  • These rules can also be termed as restrictions or filters.
• Example:
  • Firewall rules that allow or deny access based on IP address or protocol type.
  • Cisco's Access Control Lists (ACLs) in their IOS or firewall solutions like pfSense. Additionally, Windows Group Policy can be viewed as implementing rule-based controls in the context of domain environments.

Rules are overarching and apply universally in this model.

Attribute-Based Access Control (ABAC)

• Key Characteristic:

  • Uses rules with multiple attributes.
  • More flexible than rule-based access control.
  • Tailored access decisions based on a variety of attributes and conditions.

• Example:

  • Software-defined networks where access is defined based on device type, location, time of access, and more.

ABAC provides fine-grained access control based on diverse criteria.

Common Standards

1. SAML SESAME

   • XML-based standard for exchanging authentication data between parties.
   • Common more AD federation services, and less in SSO. Popularity is waning.

2. OAuth 2.0

   • Open standard for authorization.
   • Allows users to log into third-party sites using their main accounts (like Google).
   • Developed by the Internet Engineering Task Force.

3. OpenID

   • Works well with OAuth 2.0
   • Offers decentralized authentication.
   • Uses a third-party service (OpenID provider) for users to log into multiple unrelated websites.
4. KryptoKnight

SPML (Service Provisioning Markup Language)

It's about provisioning (creation) and management of user access. This involves tasks like setting up new user accounts, updating them, or even deleting them across various systems and services. In other words, provisioning and de-provisioning of user access rights to services.

SAML (Security Assertion Markup Language)

It's about AuthN/AuthZ. Specifically, it allows for Single Sign-On (SSO) where users authenticate once with an Identity Provider (IdP) and then can access multiple Service Providers (SPs) without needing to log in to each one individually.

XACML (Extensible Access Control Markup Language)

It's about defining rights or access control. It expresses detailed, fine-grained policies about who can do what and under which conditions. So, when a user tries to access a resource, XACML can be used to determine if they're allowed to based on various attributes and conditions.