
Webinar – 1

Identity and Access Management

Copyright © 2018-2019, All rights reserved


• This webinar focuses on Identity and Access Management basics.
• The webinar is divided into two parts:
• Identity and Access Management - 1A
• Identity and Access Management - 1B

Disclaimer
• Some of the technologies covered here are now considered insecure, given present-day advances. The newer technologies mentioned in the slides will be taken up in upcoming webinars, as this webinar focuses on fundamentals only.


Learning Objectives:
• By the end of this webinar, you will learn:
• The meaning of identity
• Foundations of Identity and Access Management
• Factors of Authentication:
• Something you know
• Something you have
• Something you are
• Information Security Models
• Access Control Models
• Threats and Attacks to Access Controls



Introduction


Introduction – Cont.
• Identity, or ‘Who am I?’
• Identity is who you are: the way you think about yourself, the way you are viewed by the world, and the characteristics that define you
• Identities are necessarily the product of the society in which we live
• Example: a person’s name

• Digital Identity
• A digital identity is the network or Internet equivalent of the real identity of a person or entity
• It is the information a computer system holds about an entity in order to represent an external agent, where the agent may be a person, organization, application, or device
• Examples: username and password, date of birth, purchasing history, electronic transactions, etc.




Digital Identity

Attributes:
• Department
• Role in company
• Shift time
• Clearance

Entitlements:
• Resources available
• Authoritative rights

Traits:
• Biometric information
• Sex
• Medical records


Access based on Digital Identity

User 1
• Attribute (Department / Technical Role): Developer
• Trait (Biometric): n/a
• Entitlement: Database access (R)
• Permissions Granted: Modification of Database

User 2
• Attribute (Department / Technical Role): NOC Admin
• Trait (Biometric): Fingerprints for Server Room Access
• Entitlement: Server Access
• Permissions Granted: Only Read Access to Database, not modification


Identity theft


Identity theft – Few trends


What is Identity Management(IdM)?
• IdM involves the use of different products to identify, authenticate,
and authorize users through automated means
• IdM includes –
• User account management
• Access control
• Password management
• Single sign-on (SSO) functionality
• Managing rights and permissions for user accounts
• Auditing etc.



Challenges!!!
• An increasingly distributed workforce
• Distributed applications
• Productive provisioning
• Bring your own device (BYOD)
• Password problem
• Regulatory compliance


How IdM helps?
• An increasingly distributed workforce
• Distributed applications
• Productive provisioning
• Bring your own device (BYOD)
• Password problem
• Regulatory compliance


Advantages of IdM
• Improves user experience
• Enhances security profiles
• Simplifies auditing and reporting
• Allows easy access no matter where you are
• Increases productivity and reduces IT costs


Identity as a Perimeter
• Traditional perimeter protection (firewalls, intrusion detection systems, anti-virus software, and so on) is valuable, but clearly no longer sufficient to keep attackers from gaining access to corporate networks
• Organizations therefore need to add additional layers of security around the use of any credentials, through Two-Factor Authentication, Adaptive Authentication, and Single Sign-On (SSO).

Note - The above mentioned technologies will be covered in later webinars


Two Factor Authentication
• Two-Factor Authentication requires not only something the user knows, such as a password, but also something the user has, such as a device that produces a one-time password (the username is the identifier, not a factor)
• Two-Factor Authentication mitigates the risk of attackers misusing legitimate credentials, since a stolen password alone is no longer enough to log in


Adaptive Authentication
• Adaptive Authentication provides an effective option for enabling stronger authentication by analyzing the context of the user behind the scenes.
• It takes various aspects into consideration while assessing the user’s context
• Example: IP address, time, geographical location, behaviour, etc.


Single Sign On (SSO)
• Single Sign-On improves the user experience as users have to log on only once to get access
• SSO helps to safeguard a user’s identity.
• In the absence of SSO, users suffer from username and password fatigue, and reuse relatively easy-to-guess usernames and passwords across applications.


IdM - Questions for Organization
• What should each user have access to?
• Who approves and allows access?
• How do the access decisions map to policies?
• Do former employees still have access?
• How do we keep up with our dynamic and ever-changing environment?
• What is the process of revoking access?
• How is access controlled and monitored centrally?
• Why do employees have eight passwords to remember?
• We have five different operating platforms. How do we centralize access when
each platform (and application) requires its own type of credential set?
• How do we control access for our employees, customers, and partners?
• How do we make sure we are compliant with the necessary regulations?

IdM Technologies

• The main goals of IdM technologies are to streamline the management of identity, authentication, authorization, and the auditing of subjects on multiple systems throughout the enterprise
• Identity management solutions and products:
• Directories
• Web access management
• Password management
• Legacy single sign-on
• Account management
• Profile update

Note - The above mentioned technologies will be covered in later webinars


Identification and Authentication



What is Identification and Authentication?
• Identification: the action or process of identifying someone or something
• Describes a method by which a subject claims to have a specific identity
• Subject: user, program or process
• Specific identity: name, account number or e-mail address

• Authentication is the process of verifying that a subject is who he/she claims to be, using a specific credential set
• Credential set: password, PIN, etc.


Working -
• Authentication involves a 2-step process:
• Entering public information: username, account number, etc.
• Entering private information: password, PIN, etc.
• Entering public information is the identification process
• Entering private information is the authentication process


IAM - Authentication



What is Authentication?
• Authentication is the process of verifying that a person is who he/she claims to be
• Authentication Factors:
• Authentication by knowledge - Something you know
• Example: password, PIN
• Authentication by ownership - Something you have
• Example: swipe card, access card
• Authentication by characteristic - Something you are
• Example: biometrics


Password
• A password is a protected string of characters that is used to authenticate an individual
• Strong Password:
• Should be at least 8 characters long
• Should contain at least one upper case and one lower case character
• Should have at least one number
• Should have at least one special character
• Should not be a dictionary word
• Should be less than 3 months old
• Caveat: the composition and age rules above are the classic guidance; current NIST guidance (SP 800-63B) instead favours length, screening against lists of common and previously breached passwords, and changing a password when there is evidence of compromise rather than on a fixed schedule.


Common Passwords
• According to SplashData, the following were the most common passwords used in the year 2017:
• 123456
• Password
• 12345678
• Qwerty
• 12345
• 123456789
• letmein
• 1234567


Password Attack
• If an attacker is after a password, he/she can try a few different techniques:
• Electronic monitoring (sniffing the password as it is transmitted)
• Accessing the password file
• Brute force attacks
• Dictionary attacks
• Social engineering
• Rainbow tables (precomputed tables of hashes, which work only against unsalted hashes)


Cognitive Password
• A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity
• Example: What is your mother’s name? What is your favourite colour?
• Cognitive passwords are of two types:
• Fact based
• Opinion based
• Weakness: social media can be used to obtain information about a user, allowing cognitive passwords to be easily guessed.


Passphrase
• Unlike passwords, which typically use a word for authentication, passphrases use a phrase for authentication
• The passphrase is converted into a virtual password
• Virtual passwords format a long passphrase into a bit string of the length required by the encryption algorithm.
• The length of a passphrase makes it stronger than a password


One Time Password (OTP)
• OTPs are dynamic passwords valid for a single use or session
• Typically used in high security environments
• OTPs are generated by a token device, which works in one of two modes:
• Synchronous: the token and the authentication server share a secret and stay in step on a counter or on the clock, so each can compute the same value independently
• Asynchronous: challenge-response; the server sends a nonce and the token computes a response from the nonce and the shared secret

Note - Countermeasures to OTP hacks are FIDO and PUSH authentication, to be covered in the later webinars.


Cryptographic Key - DS
• Passwords are the weakest form of authentication and can easily be sniffed.
• Solution: digital signatures (private key)
• A digital signature is produced by hashing the message and then applying the signer’s private key to the hash value (message digest); anyone holding the matching public key can verify it.
• Applying the private key to this hash value is what is meant by digitally signing a message (often described as “encrypting the hash with the private key”, although in practice it is a dedicated signing operation, not message encryption).
• A private key is a secret value that is in the possession of one person, and one person only
• A digital signature attached to a message proves the message originated from the holder of that private key and that the message itself was not changed while in transit.
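The sign-then-verify step described above, as an added example that is not part of the slides: textbook RSA over a SHA-256 digest, written in Python with no third-party library. The key pair is an assumption for illustration only (two fixed, public Mersenne primes, so the modulus is only about 92 bits and the private exponent is derivable by anyone reading this file); a real key is generated randomly at 2048 bits or more, p, q and d are never disclosed, and a padding scheme such as RSA-PSS is used. The message is constructed.

```python
import hashlib

# Toy key parameters: fixed and public here. Assumption for illustration only; see lead-in.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                     # public exponent


def modinv(a: int, m: int) -> int:
    """Extended Euclid: return x with (a * x) % m == 1."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("a has no inverse modulo m")
    return old_s % m


D = modinv(E, PHI)            # private exponent: the secret only the signer holds


def digest(message: bytes) -> int:
    """Message digest as an integer below N (SHA-256, reduced for the toy modulus)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """'Apply the private key to the hash': sig = H(m)^d mod n."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone with the public key recovers H(m) from sig and compares it with their own hash
    of the message they received; any change to the message changes H(m)."""
    return pow(signature, e, n) == digest(message)


if __name__ == "__main__":
    msg = b"transfer 100 to alice"                   # constructed sample message
    sig = sign(msg)
    print(verify(msg, sig))                          # True: genuine and unmodified
    print(verify(b"transfer 1000 to alice", sig))    # False: message altered in transit
```

The verifier needs only E and N, which is why a signature, unlike a password, can be checked by a party that could not have produced it: the server learns nothing that lets it impersonate the user.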




Memory Card
• A memory card is a storage device that holds user information used for authentication; it stores data but cannot process it
• During authentication, the user types in a user ID or PIN and presents the memory card; if the data the user entered matches the data on the memory card, the user is successfully authenticated (two factors: something you have plus something you know)
• Example: swipe cards, ATM cards, etc.
• A memory card provides a more secure authentication method than using a password alone
• But they add cost, as they require a reader to process the information
• Caveat: the data on a magnetic-stripe memory card is static and can be read and copied (skimmed) by anyone with a reader, so the scheme’s strength rests on the PIN staying secret


Smart Card
• A smart card has the capability of processing information because it has a microprocessor and integrated circuits incorporated into the card itself.
• Types of smart cards:
• Contact smart card
• Contactless smart card


Smart Card - Contact

• The contact smart card has a gold seal (integrated chip) on the face of
the card and an external terminal



Smart Card - Contactless

• The contactless smart card has an antenna wire that surrounds the
perimeter of the card



Smart Card - Attacks

A few attacks on smart cards are:
• Side channel attack
• Non-intrusive attacks that uncover sensitive information about how a component works (for example by measuring power consumption, electromagnetic emissions or timing during an operation), without exploiting any flaw or weakness in the card’s logic.
• Software attack
• A smart card has software just like any other device. The attacker targets this software and feeds the card input that will allow the attacker to extract account information, which he can use to make fraudulent purchases.
• Microprobing
• Microprobing uses needles and ultrasonic vibration to remove the outer protective material on the card’s circuits. Once this is completed, data can be accessed and manipulated by directly tapping into the card’s ROM chips.


Biometrics
• Biometrics verifies an individual’s identity by analyzing a unique personal attribute or behaviour
• Two types of biometrics:
• Physiological: based on physical attributes unique to a specific individual. Example: fingerprints, iris scan
• Behavioural: based on a characteristic of an individual’s behaviour used to confirm his identity. Example: signature dynamics




How Biometric works



Authorization



Authorization
• Authorization is the process of giving someone permission to do or have something.


Authentication vs Authorization

• Authentication (Who you are) and authorization (What you can do)
comprise a two-step process that determines whether an individual is
allowed to access a particular resource
• First step - The individual must prove to the system that he is who he
claims to be
• Second step - After successful authentication, the system must
establish whether the user is authorized to access the particular
resource and what actions he is permitted to perform on that
resource.



Access Criteria
• Granting access rights to subjects should be based on the level of trust a company has in a subject and the subject’s need to know.
• Example: if John fulfills the need-to-know criteria to access employees’ work histories, it does not mean the company trusts him to access all of the company’s other files.
• Therefore, there should be a way to enforce different access criteria, which can be based on:
• Roles
• Groups
• Location
• Time
• Transaction types


Access Criteria – Cont.
• Roles: an efficient way to assign rights on the basis of job assignment or function
• Groups: used to assign access to multiple users who require the same type of access to information and resources
• Location: used to restrict/allow access to resources on a location basis.
• Example: to access the resource, the user must be physically at the computer and enter the credentials locally, versus logging on remotely from another computer.
• Time: used to restrict/allow access to resources within a certain time window
• Transaction: used to control what data is accessed during certain types of functions and what commands can be carried out on the data.


Default-No-Access
• An access control mechanism should default to no access
• This means that if nothing has been specifically configured for an individual or the group she belongs to, that user should not be able to access that resource
• If access is not explicitly allowed, it should be implicitly denied.
• Most ACLs are configured to default to no access.


Example - Default-No-Access



Need-to-know
• Need-to-know is closely related to the principle of least privilege: need-to-know limits which information a subject may access, while least privilege limits the rights and privileges a subject holds to the minimum required
• Under this principle, individuals should be given access only to the information they absolutely require in order to perform their job duties
• ‘Who decides the access level?’
• Management decides what a user needs to know, or what access rights are necessary, and the administrator configures the access control mechanisms to allow this user to have that level of access
• ‘Who is responsible?’


Single-sign-on (SSO)
• Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications
• SSO advantages:
• Eliminates credential re-authentication and help desk requests, thus improving productivity.
• Streamlines local and remote application and desktop workflow.
• Minimizes phishing.
• Improves compliance through a centralized database.
• Provides detailed user access reporting
• Caveat: SSO also concentrates risk; one compromised credential or session opens every connected application, so the SSO credential itself needs the strongest protection available (e.g. multi-factor authentication).


Single-sign-on (SSO)

Note - We will study the SSO technologies in a later webinar.


Federation
• A federation is a group of computing or network providers agreeing upon standards of operation in a collective fashion.


Federated Identity
• A federated identity is a portable identity, and its associated entitlements, that can be used across business boundaries.

Illustration: a user in company A can be authenticated to B, C and D via Federated Identity without the need for consolidation and synchronisation of directory information.


Security Assertion Markup Language (SAML)
• It is the most widely used standard for federation
• Provides for the exchange of authentication and authorization data between security domains.
• Helps to maintain control over user access credentials.

Example flow, with Google as the service provider and ABC Corp. as the identity provider:
1. User accesses Gmail
2. Google creates a SAML request and redirects the browser to the SSO URL
3. Browser opens the SSO URL and ABC Corp. authenticates the user
4. ABC Corp. sends back an encoded SAML response (via the browser)
5. Browser sends the SAML-encoded response to Google
6. Google verifies the response and authenticates the user to Gmail


Strong Authentication
• A single authentication token is not sufficient.
• What to do??
• It is important that a combination of the following should be used:
• Something the person knows: passwords, passphrases
• Something the person has: access tokens
• Something the person is: biometrics
• But with the upcoming advancements in attacks, IAM systems are moving towards:
• Context
• Adaptive
• Continuous Adaptive Risk and Trust Assessment (CARTA)

Note - More on Adaptive IAM in the upcoming webinars.


Security Models & Access Controls



Access Controls
• Access control is a security technique that can be used to regulate who or what can view or use resources in a given environment.
• The two classic security models are:
• Bell LaPadula
• BIBA
• There are four main access control models:
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role Based Access Control (RBAC)
• Rule Based Access Control (RB-RBAC)
Access control models will be discussed in upcoming slides


Bell LaPadula Model (BLP) - read down, write up
• It is a state machine model used for enforcing access control in government and military applications.
• This model focuses on data confidentiality and controlled access to classified information.
• Simple security property: a subject cannot read an object at a higher classification (no read up). Star (*) property: a subject cannot write to an object at a lower classification (no write down), which stops a high-clearance subject from leaking what it has read.


BLP Access Model - read down, write up



BIBA - read up, write down
• A formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.
• Contrary to the BLP model, this model focuses on data integrity and not data confidentiality; its levels are integrity levels rather than classifications.
• Simple integrity property: a subject cannot read an object at a lower integrity level (no read down), so trusted processes are not contaminated by untrusted data. Star (*) integrity property: a subject cannot write to an object at a higher integrity level (no write up).


BIBA Access Model - read up, write down

[Figure: levels Top Secret, Secret, Confidential, Unclassified; rules: no read down, no write up]
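The two models on the BLP and BIBA slides, side by side as a worked example (added here; not code from the webinar). The level names are the four from the slides; using them as integrity levels for Biba is an assumption for the sake of a shared lattice. The `reference_monitor` dispatcher applies the Default-No-Access rule from earlier in the deck: anything it cannot positively evaluate is denied.

```python
from typing import Callable, Dict, Tuple

# Lattice from the slides. BLP reads these as confidentiality classifications; for Biba they
# stand in for integrity levels (assumption for illustration).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def blp_check(subject: str, obj: str, op: str) -> Tuple[bool, str]:
    """Bell-LaPadula (confidentiality): read down, write up."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s >= o, "simple security property (no read up)"
    if op == "write":
        return s <= o, "*-property (no write down)"
    raise ValueError(f"unknown operation {op!r}")


def biba_check(subject: str, obj: str, op: str) -> Tuple[bool, str]:
    """Biba (integrity): read up, write down."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s <= o, "simple integrity property (no read down)"
    if op == "write":
        return s >= o, "* integrity property (no write up)"
    raise ValueError(f"unknown operation {op!r}")


MODELS: Dict[str, Callable[[str, str, str], Tuple[bool, str]]] = {
    "BLP": blp_check,
    "Biba": biba_check,
}


def reference_monitor(model: str, subject: str, obj: str, op: str) -> bool:
    """Default-no-access: an unknown model, level or operation is denied, never allowed."""
    try:
        allowed, _rule = MODELS[model](subject, obj, op)
        return allowed
    except (KeyError, ValueError):
        return False


def matrix(check: Callable[[str, str, str], Tuple[bool, str]]) -> Dict[Tuple[str, str, str], bool]:
    """Full decision table for one model: {(subject level, object level, op): allowed}."""
    return {(s, o, op): check(s, o, op)[0]
            for s in LEVELS for o in LEVELS for op in ("read", "write")}


if __name__ == "__main__":
    for name, check in MODELS.items():
        print(name)
        for op in ("read", "write"):
            for obj in LEVELS:
                ok, rule = check("Secret", obj, op)
                print(f"  Secret subject {op:5} {obj:13}: {'allow' if ok else 'DENY '}  [{rule}]")
```

Running it prints the eight decisions for a Secret subject under each model; the tables are mirror images, which is the usual way to remember that Biba is BLP with the arrows reversed.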



Discretionary Access Control (DAC)
• It enables the owner of the resource to specify which subjects can access specific resources.
• In DAC, access is restricted based on the authorization granted to the users.
• DAC is implemented through ACLs
• It can be applied to both the directory tree structure and the files it contains.


How malware can exploit DAC!
• If a user opens an attachment that is infected with a virus, the code can install itself in the background without the user being aware of this activity. This code basically inherits all the rights and permissions that the user has.
• It can send copies of itself to all contacts listed in the user’s e-mail client, install a back door, attack other systems, delete files on the hard drive, and more.
• All this is possible because the user has very powerful discretionary rights and is considered the owner of many objects on the system.


Mandatory Access Control (MAC)
• Users do not have the discretion of determining who can access objects.
• The MAC model greatly reduces the amount of rights, permissions, and functionality a user has, for security purposes.
• Systems having MAC are very specialized and are in place to protect highly classified data.
• MAC works on a security clearance model: every subject carries a clearance and every object a classification label, and the system, not the owner, compares them on each access.
• SE-Linux is the best-known MAC implementation on a general-purpose OS, but it is a Linux kernel security module rather than a separate OS, and it is not the only one: AppArmor, Windows Mandatory Integrity Control and Trusted Solaris also enforce MAC.


Why Malware Fails in the MAC model?
• MAC systems enforce strict access control.
• Malware is the bane of DAC systems, because it runs with every right its victim holds.
• On a MAC system users, and any code running as them, cannot install software or change labels; a process inherits its user’s clearance but can only touch objects its label permits, so malware cannot simply spread to everything the user owns.


Role Based Access Control (RBAC)
• A centrally administered set of controls to determine how subjects and objects interact.
• This model lets access to resources be based on the role the user holds within the company.
• The RBAC approach simplifies access control administration by allowing permissions to be managed in terms of user job roles.
• Users, roles, permissions, operations, and sessions are defined and mapped according to the security policy.


Rule Based Access Control (RB-RBAC)

• It uses specific rules that indicate what can and cannot happen between a
subject and an object.
• Based on the simple concept of “if X then Y”
• Rule-based access control is not necessarily identity-based.
• A type of compulsory control, because the administrator sets the rules and
the users cannot modify these controls.



Are all access controls based on Identity? [1/2]
• DAC is identity based: an identity-based control would stipulate that Tom Jones can read File1 and modify File2. So when Tom attempts to access one of these files, the operating system will check his identity and compare it to the values within an ACL to see if Tom can carry out the operations he is attempting.
• MAC is identity based: the MAC uses security clearance levels to grant access to objects, these security clearances
• RBAC is identity based: the RBAC controls are identity based as the access controls are based on the roles each user is assigned.


Are all access controls based on Identity? [2/2]

• Rule Based is not identity based : A company may have a policy that
dictates that e-mail attachments can only be 5MB or smaller. This rule
affects all users.
• If rule based was identity based : If rule-based was identity-based, it
would mean that Sue can accept attachments of 10MB and smaller, Bob
can accept attachments 2MB and smaller, and Don can only accept
attachments 1MB and smaller.
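The DAC, RBAC, rule-based and Default-No-Access slides above, combined into one small policy engine as an added example (Python written for this page, not the webinar’s own material). The users, roles, ACLs and the 5 MB attachment rule are constructed sample data; the names Tom, Sue and Don are the ones the slides use.

```python
from dataclasses import dataclass

# Constructed sample data: who holds which role, what each role may do, owner-set ACLs on
# two files, and one identity-independent rule.
ROLES = {"tom": {"developer", "employee"}, "sue": {"noc_admin", "employee"}, "don": {"employee"}}
ROLE_PERMS = {
    "developer": {("read", "database")},
    "noc_admin": {("read", "database"), ("login", "server")},
    "employee": {("send", "email")},
}
ACL = {                                     # DAC: set by the object owner, keyed by identity
    "File1": {"tom": {"read"}},
    "File2": {"tom": {"read", "write"}},
}
MAX_ATTACHMENT_MB = 5                       # rule-based: "if attachment > 5 MB then deny"


@dataclass(frozen=True)
class Request:
    user: str
    action: str
    resource: str
    attachment_mb: float = 0.0


def dac_allows(req: Request) -> bool:
    """Identity-based: look the requester up in the object's ACL."""
    return req.action in ACL.get(req.resource, {}).get(req.user, set())


def rbac_allows(req: Request) -> bool:
    """Identity-based via roles: any role the user holds that carries the permission."""
    return any((req.action, req.resource) in ROLE_PERMS.get(role, set())
               for role in ROLES.get(req.user, set()))


def rules_forbid(req: Request) -> bool:
    """Rule-based, not identity-based: the same 'if X then Y' applies to everyone."""
    return (req.action == "send" and req.resource == "email"
            and req.attachment_mb > MAX_ATTACHMENT_MB)


def authorize(req: Request) -> bool:
    """Default-no-access: allowed only if no rule forbids it AND some explicit grant
    (ACL entry or role permission) covers it. Anything unmatched falls through to deny."""
    if rules_forbid(req):
        return False
    return dac_allows(req) or rbac_allows(req)


if __name__ == "__main__":
    for r in (Request("tom", "write", "File2"), Request("tom", "write", "File1"),
              Request("sue", "login", "server"), Request("don", "read", "File1"),
              Request("don", "send", "email", 3), Request("sue", "send", "email", 10)):
        print(r, "->", "allow" if authorize(r) else "deny")
```

Note the ordering in `authorize`: the rule is checked first and can only take access away, the grants are checked second and can only give it, and a request that matches neither is denied because the function never returns True without a positive grant. Don, who has no ACL entry on File1 and no role that covers it, is refused without anyone having written a rule about him.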



Threats to Access Control



Threats to Access Control
• There are two types of threats to an access control:
• Internal threats
• Internal threats are from individuals that have legitimate access, such as employees, students, and contractors.
• Insiders misusing privileges
• External threats
• Outside intruders can be hackers/crackers, saboteurs and thieves.
• Many entry points
• There is more risk, and a higher probability of an attacker causing mayhem, from within an organization than from outside it.
• Access control mechanisms work to keep the outsiders out, restrict insiders’ abilities to a minimum and audit their actions.


Attacks on Access Controls
• Specific attacks are commonly carried out in environments today by insiders or outsiders.
• Some well-known attacks on access control systems are:
• Dictionary Attack
• Brute Force Attack
• Spoofing at Logon
• Phishing and Pharming


Dictionary Attack
• Several programs can enable an attacker to identify user credentials.
• The program hashes the dictionary words and compares the resulting message digests with the system password file, which stores passwords as one-way hashes.
• Countermeasures
• Do not allow passwords to be sent in cleartext.
• Store passwords only as salted hashes produced by a slow, purpose-built password hashing function (e.g. bcrypt, scrypt, Argon2 or PBKDF2): a unique salt per user defeats precomputed (rainbow) tables, and the work factor slows every guess the attacker makes.
• Employ one-time password tokens.
• Protect password files!
• Use hard-to-guess passwords
• Run dictionary-cracking tools yourself to find weak passwords chosen by users.
• Use special characters, numbers, and upper- and lowercase letters within the password.
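The attack and the countermeasure from the Dictionary Attack slide, and the Common Passwords list from earlier in the deck, as an added example in Python (not the webinar’s own code). The wordlist is the SplashData 2017 entries from the slide with a few constructed extras; the password file is constructed. The salted scheme uses PBKDF2-HMAC-SHA256 from the standard library; the 600,000 iteration default is the OWASP Password Storage Cheat Sheet figure for PBKDF2-SHA256 and is an assumption about what a deployment would pick.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed wordlist: the SplashData 2017 entries from the slides plus a few extras.
WORDLIST = ["123456", "Password", "12345678", "qwerty", "12345", "123456789",
            "letmein", "1234567", "football", "iloveyou", "admin", "welcome"]


def store_unsalted(password: str) -> str:
    """The weak scheme the attack targets: a bare, fast hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash each candidate and compare with the stored digest. With no salt, one pass over
    the list cracks every user who chose that word, and the digests could have been
    precomputed once and reused forever (a rainbow table)."""
    for word in wordlist:
        if hmac.compare_digest(store_unsalted(word), stored_hash):
            return word
    return None


def audit_passwords(password_file: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Countermeasure from the slide: run the cracker yourself to find weak passwords."""
    words = list(wordlist)
    found = {}
    for user, stored in password_file.items():
        word = dictionary_attack(stored, words)
        if word is not None:
            found[user] = word
    return found


def store_salted(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Countermeasure: per-user random salt plus a slow KDF. Same password, different record
    for every user, and every guess costs the attacker `iterations` HMAC computations."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(record: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed password file: two users with common passwords, one with a strong one.
    pwfile = {"alice": store_unsalted("letmein"), "bob": store_unsalted("123456"),
              "carol": store_unsalted("correct-horse-battery-staple-9")}
    print(audit_passwords(pwfile, WORDLIST))          # {'alice': 'letmein', 'bob': '123456'}
    r1, r2 = store_salted("letmein"), store_salted("letmein")
    print(r1 != r2, verify_salted(r1, "letmein"))     # True True
```

The record format stores the algorithm, iteration count and salt alongside the digest, so the iteration count can be raised later for new passwords while old records still verify; that is the same layout real password hashers (bcrypt, Argon2) use.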


Brute Force Attack
• Brute force is defined as “trying every possible combination until the correct one is identified”.
• These attacks are also used in war dialling efforts
• The attacker inserts a long list of phone numbers into a war-dialling program in hopes of finding a modem that can be exploited to gain unauthorized access
• Countermeasures
• Perform brute-force attacks yourself to find weaknesses and hanging modems.
• Make sure only necessary phone numbers are made public.
• Provide stringent access control methods
• Set lockout thresholds.
• Employ an IDS to watch for suspicious activity.


Spoofing at Logon

• An attacker can use a program that presents to the user a fake logon
screen, which often tricks the user into attempting to log on.
• The user is asked for a username and password, which are stored for
the attacker to access at a later time. A fake error message can appear,
indicating that the user mistyped his credentials.
• At this point, the fake logon program exits and hands control over to the
operating system, which prompts the user for a username and password.
• The user assumes he mistyped his information and doesn’t give it a
second thought, but an attacker now knows the user’s credentials.



Phishing and Pharming
• Phishing is a type of social engineering with the goal of obtaining personal
information, credentials, credit card number, or financial data.
• Phishers create convincing e-mails requesting potential victims to click a link to update
their bank account information.
• Expert attackers even use JavaScript commands designed to show the victim an
incorrect web address.
• Phishing attacks have increased in both complexity and number.
• Financial institutions have been implementing two-factor authentication for online transactions.
• Spear – Phishing
• When a phishing attack is crafted to trick a specific target and not a large generic group of people,
this is referred to as a spear-phishing attack.
• Whaling -
• Whaling is a specific form of spear phishing that's targeted at high-profile business executives
and managers
• In whaling, the emails or web pages serving the attack take on a more official or serious look and
are targeted.



Pharming
• A similar type of attack is called pharming, which redirects a victim to a seemingly legitimate, yet fake, website.
• The benefit of a pharming attack to the attacker is that it can affect a large number of victims without the need to send out e-mails.
• The victims usually fall for this more easily since they are requesting to go to a website themselves.


Countermeasures to Phishing and Pharming
• Be sceptical of e-mails indicating you must make changes to your accounts, or warnings stating an account will be terminated if you don’t perform some online activity.
• Review the address bar to see if the domain name is correct.
• When submitting any type of financial information or credential data, check for a TLS connection, which may be indicated in the address bar (https://) or as a closed-padlock icon in the browser. Caveat: the padlock only means the connection is encrypted to whoever controls that domain; phishing sites routinely obtain valid certificates, so the domain-name check above still matters.
• Do not click an HTML link within an e-mail. Type the URL out manually instead.
• Do not accept e-mail in HTML format.


Key Concepts Covered in this Webinar

In this webinar we broadly covered the foundation concepts in IAM and gave a brief overview of the following:
• Factors of Authentication
• Information Security Models
• Access Control Models
• Threats and Attacks to Access Controls


Thank You

