IAM: Identity and Access Management

Cyber security contains a lot of acronyms, and IAAA is one of them.

• I: Identification
• A: Authentication
• A: Authorization
• A: Accountability

1: Identification

This basically refers to just identifying an entity. For example, if you enter a bank and
the cashier asks you to identify yourself and you say "I'm John", this just means that
you have identified yourself: you have provided your name, or if you're working on a
system you have just provided your username. It is important to understand that
identification is different from authentication.
2: Authentication

• Authentication is when you actually verify your identity. That is, after
identification we have authentication, which basically means that you prove who you
claim to be. This can be done through several mechanisms.
• For example, you can provide a secret password, your secret PIN, or it could be some
sort of biometric data, for example your fingerprints or retina scans.
• Please keep in mind that authentication can only be done once you have identified
yourself, because authentication is done against an identity, i.e., your claimed
identity. So only after you have provided your identity can you authenticate.
Authentication Cont…

• Authentication is important because it provides non-repudiation. It is an important
term in cyber security. What it means is that you cannot claim that it was not you who
performed some actions on a system; non-repudiation basically means that you are
bound by what you do.
• So, for example, if you provide your identity and you authenticate it by providing a
password and then you do certain tasks on a system, then you are responsible for that.
You cannot later on claim that it was someone else. This is the concept of
non-repudiation: we know exactly who did this task.
3: Authorization

• After authentication, we have authorization. Once you are authenticated, it means
that you are a legitimate user and you're allowed access to different parts of the
system. But not all users have equal privileges. Some users have higher or elevated
privileges.
• For example, the CEO of a company would obviously have elevated privileges compared
to a normal employee. Similarly, a network administrator may have more extensive
access to different parts of the systems, on databases for instance, compared to a
normal user.
• This is done through authorization, which basically means that it specifies your level
of clearance: what kind of data, what kind of systems and what kind of applications
you have access to. This is enforced through access control lists, which define which
user has which type of access.
Authorization Cont…

• This can be very broad-based.
• For example, you have a group of admins, a group of normal employees and a group of
accountants, and all the members of a group have the same privileges. Or you could
have a system in which you use more fine-tuned details, drill down, and go all the
way to file-level access.
• So you can say, for example, that this user can access this file in read-only mode,
and so on. Always remember that authorization can only be done or consulted once a
user has been authenticated, because authorization is always against an
authenticated user.
4: Accountability

• The last step after authorization is accountability, which basically means holding
users responsible for their actions.
• Even though you are a legitimate user of a system and you already have predefined
authorization, it is still nice to double-check whether any user has performed an
activity he was not allowed to.
• This is not always malicious activity. Sometimes users are inadvertently assigned
privileges that they were not meant to have.
• For example, this often happens when you change roles within an organization or when
you acquire more privileges over time. So basically we need some sort of audit
mechanism to ensure that privileges are appropriately assigned and updated.
• That tool is accountability. Accountability is done by doing account audits and log
reviews.
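The four IAAA steps as one small Python program, added here as an illustration (it is not code from the slides): the claimed username is the identification, a salted password hash is the authentication, a file-level access control list is the authorization, and an audit log of every attempt is the accountability. The user store, the ACL entries and the password are constructed sample data.

```python
# Added example: a minimal IAAA pipeline. Identification = the claimed username,
# authentication = password check against a salted PBKDF2 hash, authorization =
# an access control list (ACL), accountability = an append-only audit log.
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, hash of the enrolled password).
_SALT = os.urandom(16)
USERS = {
    "john": (_SALT, _hash_password("correct horse", _SALT)),
}

# Constructed ACL: (username, file) -> permitted operations. This is the
# "file level" authorization described on the slides.
ACL = {
    ("john", "payroll.xlsx"): {"read"},
    ("john", "notes.txt"): {"read", "write"},
}

AUDIT_LOG: list[dict] = []


def identify(username: str) -> bool:
    """Identification: does the claimed identity exist at all?"""
    return username in USERS


def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the claim. Only meaningful after identify()."""
    if not identify(username):
        return False
    salt, stored = USERS[username]
    # Constant-time comparison so a wrong guess leaks no timing information.
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: consult the ACL for an already authenticated user."""
    return action in ACL.get((username, resource), set())


def record(username: str, resource: str, action: str, allowed: bool) -> None:
    """Accountability: every attempt, allowed or denied, is written to the log."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": username, "resource": resource,
        "action": action, "allowed": allowed,
    })


def request(username: str, password: str, resource: str, action: str) -> str:
    """Run the four steps in order and return the outcome."""
    if not authenticate(username, password):
        # Authorization is never consulted for an unauthenticated subject,
        # but the failed attempt is still logged for later review.
        record(username, resource, action, False)
        return "denied: authentication failed"
    allowed = authorize(username, resource, action)
    record(username, resource, action, allowed)
    return "allowed" if allowed else "denied: not authorized"


if __name__ == "__main__":
    print(request("john", "correct horse", "payroll.xlsx", "read"))
    print(request("john", "correct horse", "payroll.xlsx", "write"))
    print(request("john", "wrong", "notes.txt", "read"))
```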
Summary Of IAAA

IDENTITY LIFECYCLE

• Let's have a look at the different phases in an identity lifecycle, which helps
organizations streamline their identity and access management process.
• The first step is provisioning. In this step, we create new accounts and we assign
privileges to those accounts.
IDENTITY LIFECYCLE Cont…

• The second process is the review process, which requires periodic account reviews.
This sometimes helps highlight several serious problems.
• For example, we may detect accounts which are no longer active and should be
disabled, but it also helps us identify privilege creep.
• Privilege creep happens when a person moves vertically up in an organization and
over time he or she accumulates excessive privileges.
• So let's say a person joins the HR department and later on they join the network
department and become the network administrator, but they still retain the
privileges from their HR account. This is referred to as privilege creep, and it can
only be highlighted if you do periodic account reviews and audits.
IDENTITY LIFECYCLE Cont…

• The last step is revocation. This refers to disabling the accounts of employees who
leave, retire or are terminated.
• This is different from disabling inactive accounts. Revocation is a very important
step from a cyber security perspective, especially if you have an employee who has
been terminated: if he still has access to his account, he may leverage that access to
launch attacks on the company, for example, or cause any other type of damage. So it
is always a good idea to quickly revoke access to the accounts of users who leave,
retire or are terminated.
AUTHENTICATION FACTORS

TYPE I: SOMETHING YOU KNOW
TYPE II: SOMETHING YOU HAVE

• This refers to something which you physically possess. It could be your identity
badge, a smart card, your mobile SIM on which you receive messages, or it could even
be an application.
• For example, you can install Google Authenticator.
• The contrast with Type I is that Type I was something that you knew, something stored
in your brain. This is something which you have to physically possess.
TYPE III: SOMETHING THAT YOU ARE (BIOMETRICS)

• Retinal scan: top of the list, it is the most accurate and can even successfully
differentiate between identical twins.
• Iris scan: seems similar, but is quite different from a retinal scan. An iris scan is
slightly less accurate compared to a retinal scan.
• However, there is a cost associated with retina scans: you have to put your eye really
close to the scanner and then a beam of light enters your eye. This makes the whole
process quite uncomfortable for a lot of users. In contrast, an iris scan can be done
from a few feet away and is not at all uncomfortable. So there is always this human
trade-off between the two.
• Fingerprints: if you scan 4 or more fingers, the results are pretty accurate, around
99.9% accurate.
• Palm scans: previously this referred to the geometry of your palm, but modern palm
scanners capture millions of data points of your palm veins and can produce amazingly
accurate results.
• Voice pattern: traditionally regarded as not as accurate as other types of biometric
scan, such as retinal scans.
Extra Factors to Consider

• Another factor which you need to consider: some of these biometrics are constant
throughout your life and some of them change with age.
• For example, your voice changes with age, and if you get really old your fingerprints
may start to fade.
• But your retina scan, for example, is something which never really changes throughout
your life, unless you have a medical problem, which can obviously affect any of these
biometrics.
MULTIFACTOR AUTHENTICATION

• A great tool in the arsenal of cyber security specialists is multifactor
authentication.
• The problem stems from the fact that if you're just using a password, you give your
username and password to log into a system. This is single-factor authentication,
because you're just using the password, and it provides very weak security: only your
password needs to be compromised in order for the system to be breached.
• This can be alleviated if you use multifactor authentication, which combines more
than one type of authentication. Often we combine Type I and Type II.
• Type I was something that you know, for example your password, and Type II is
something that you have, for example your mobile SIM card, on which you can receive
an SMS.
• The way this works is that, let's say you're logging into a system, you provide your
username and password, and if your password is authenticated, the system generates
an SMS and sends it to your mobile phone. Your SIM is something that you have, and
you then need to enter the confirmation code that you receive in the SMS.
• So this provides two factors, hence the name multifactor authentication.
• When we combine two factors, it's called 2FA.
• And when we combine three factors, it's called 3FA.
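The second factor behind an authenticator app such as the one named on the Type II slide works differently from an SMS code: the app and the server share a secret enrolled once, and the app then proves possession by computing the code for the current 30-second time step. The program below is an added example, not code from the slides: it implements RFC 4226 HOTP and RFC 6238 TOTP with only the Python standard library, and checks the second factor only after the password has passed. The shared secret is the RFC test-vector key, so the codes can be checked against the published vectors.

```python
# Added example: TOTP (RFC 6238) on top of HOTP (RFC 4226), standard library only.
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, submitted: str, at: float, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps
    (clock skew between phone and server), using a constant-time compare."""
    counter = int(at // STEP_SECONDS)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def login(username: str, password_ok: bool, code: str, secret: bytes,
          at: float) -> str:
    """Factor 1 (something you know) must pass before factor 2 is even checked."""
    if not password_ok:
        return f"{username}: denied (password)"
    if not verify_totp(secret, code, at):
        return f"{username}: denied (second factor)"
    return f"{username}: authenticated with 2FA"


# Shared secret: the RFC 4226 / RFC 6238 test-vector key (ASCII "1234567890" twice),
# used here so the output can be checked by hand against the RFC appendices.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)                  # what the user's app would display
    print(login("john", True, code, SECRET, now))
    print(login("john", True, "000000", SECRET, now))
    print(base64.b32encode(SECRET).decode())  # the form in which a secret is usually enrolled
```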
Authorization and Accountability

Authorization Basics

1: Need to Know

• Need to know is an important concept in authorization. The basic idea is that you
should always give a subject the minimum amount of data or information that he or she
needs to complete their job.
• This ensures that every subject has the least privileges that he or she needs to
complete the job duties. Providing least privilege is a fundamental idea in cyber
security.
2: Privilege Creep

• This happens when someone accumulates privileges over time as their role changes or
as they move vertically up the organization.
• Ideally, whenever someone gets new responsibilities they get new privileges, but their
old privileges should be reviewed and revoked accordingly. This doesn't happen often.
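The periodic account review from the identity lifecycle slides, and the privilege creep it is meant to catch, as an added Python example (not code from the slides). Each role lists the privileges it entitles; the review flags any privilege an account holds beyond its current role, plus accounts idle longer than a threshold. The roles, the three account records and the 90-day limit are constructed for illustration.

```python
# Added example: an automated periodic account review that flags privilege creep
# and inactive accounts. All role and account data below is constructed.
from datetime import date, timedelta

# Constructed role model: the privileges each role entitles (its need-to-know baseline).
ROLE_PRIVILEGES = {
    "hr_staff": {"hr_records.read", "payroll.read"},
    "network_admin": {"router.admin", "firewall.admin", "switch.admin"},
}

# Constructed account records, as an identity system might export them for review.
ACCOUNTS = [
    # moved from HR to network admin but kept an HR privilege: privilege creep
    {"user": "asha", "role": "network_admin", "last_login": date(2024, 5, 20),
     "privileges": {"router.admin", "firewall.admin", "hr_records.read"}},
    # account not used for months: candidate for disabling
    {"user": "temp_jo", "role": "hr_staff", "last_login": date(2023, 11, 2),
     "privileges": {"hr_records.read"}},
    # account in good standing
    {"user": "ravi", "role": "hr_staff", "last_login": date(2024, 6, 1),
     "privileges": {"hr_records.read", "payroll.read"}},
]

INACTIVITY_LIMIT = timedelta(days=90)   # constructed review threshold
REVIEW_DATE = date(2024, 6, 10)         # constructed date of the review run


def excess_privileges(account: dict) -> set:
    """Privileges held that the account's current role does not entitle."""
    return set(account["privileges"]) - ROLE_PRIVILEGES.get(account["role"], set())


def is_inactive(account: dict, today: date) -> bool:
    return today - account["last_login"] > INACTIVITY_LIMIT


def review(accounts: list, today: date) -> list:
    """One finding per problem, phrased as the action the reviewer should take."""
    findings = []
    for acct in accounts:
        extra = excess_privileges(acct)
        if extra:
            findings.append({"user": acct["user"], "issue": "privilege_creep",
                             "revoke": sorted(extra)})
        if is_inactive(acct, today):
            findings.append({"user": acct["user"], "issue": "inactive",
                             "days_idle": (today - acct["last_login"]).days})
    return findings


if __name__ == "__main__":
    for finding in review(ACCOUNTS, REVIEW_DATE):
        print(finding)
```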
ACCOUNTABILITY

• This is enforced through log audits and account audits, and an interesting concept is
job rotation.
• Job rotation means that once in a while you rotate people among jobs.
• The problem stems from the fact that if someone has been performing a role for a very
long time, it is difficult to obtain visibility into what exactly he is doing or
whether he is violating any rules.
• But when you rotate people once in a while, this allows a new or different employee to
gain visibility into the actions of the predecessor.
• This can sometimes expose problems.
Accountability: Logs

• Accountability can only be enforced if we have non-repudiation, that is, the subject
must have completed identification and authentication.
• Only then can we be sure that it was specifically this subject who was performing the
task.
• There are a number of sources of information which can help with the accountability
process. For example, network logs, which include router, switch and firewall logs,
can show if a user has visited a particular website, what sessions were created by
that user, and so on.
• We also have database logs, which log and monitor the queries executed, files accessed
and any modifications. So, for example, if a part of your sensitive database has been
modified or deleted, you can simply refer to the database logs and see which user
executed those queries.
• Similarly, we have application logs, which record exceptions, crashes and anomalies.
So if you have an inside user who is trying to crash your web server, he is definitely
going to leave a footprint in the application logs.
• Similarly, you have system logs, which record information at the end stations: any
resources used, any applications executed. This can even expose whether a user has
installed applications which were prohibited according to the organization's policy.
Critical Characteristics of Information

• The value of information comes from the characteristics it possesses:
  - Availability
  - Accuracy
  - Authenticity
  - Confidentiality
  - Integrity
  - Utility
  - Possession
Information Security

Components of an Information System

• An information system (IS) is the entire set of software, hardware, data, people,
procedures and networks necessary to use information as a resource in the
organization.
Securing Components

• A computer can be the subject of an attack and/or the object of an attack.
• When the subject of an attack, the computer is used as an active tool to conduct the
attack.
• When the object of an attack, the computer is the entity being attacked.

Figure 1-5 – Subject and Object of Attack
Balancing Information Security and Access

• Impossible to obtain perfect security—it is a process, not an absolute.
• Security should be considered a balance between protection and availability.
• To achieve balance, the level of security must allow reasonable access, yet protect
against threats.

Figure 1-6 – Balancing Security and Access
Security and reliability

• Security has a lot to do with reliability.
• A secure system is one you can rely on to (for example):
  - Keep your personal data confidential
  - Allow only authorized access or modifications to resources
  - Give you correct and meaningful results
  - Give you correct and meaningful results when you want them
What is privacy?

• There are many definitions of privacy.
• A useful one: “informational self-determination”
  - This means that you get to control information about you
• “Control” means many things:
  - Who gets to see it
  - Who gets to use it
  - What they can use it for
  - Who they can give it to
  - etc.
Example: PIPEDA

• PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's
private-sector privacy legislation.
• It lists ten Fair Information Principles companies have to abide by:
  - Be accountable
  - Identify the purpose of data collection
  - Obtain consent
  - Limit collection
  - Limit use, disclosure and retention
  - Be accurate
  - Use appropriate safeguards
  - Be open
  - Give individuals access
  - Provide recourse
Who are the adversaries?

• Who's trying to mess with your system?
• Various groups:
  - Amateurs
  - “Script kiddies”
  - Crackers
  - Organised crime
  - Terrorists
• Which of these is the most serious threat today?
How secure should we make it?

• Principle of Easiest Penetration
  - “A system is only as strong as its weakest link”
  - The attacker will go after whatever part of the system is easiest for him, not most
    convenient for you.
  - In order to build secure systems, we need to learn how to think like an attacker!
  - How would you get private information from the XYZ database?
• Principle of Adequate Protection
  - “Security is economics”
  - Don't spend Kshs100,000 to protect a system that can only cause Kshs1000 in damage
Important Terminology in Cyber Security

• Assets
  - Things we might want to protect, such as:
    - Hardware
    - Software
    - Data
• Vulnerabilities
  - Weaknesses in a system that may be able to be exploited in order to cause loss or
    harm
  - e.g., a file server that doesn't authenticate its users
Important Terminology in Cyber Security

• Threats: a potential cause of an incident that may result in harm to a system or
organization
  - A loss or harm that might befall a system
  - e.g., users' personal files may be revealed to the public
  - There are four major categories of threats:
    - Interception
    - Interruption
    - Modification
    - Fabrication
• When we design a system, we need to state a threat model
  - This is the set of threats we are undertaking to defend against
  - Whom do we want to stop from doing what?
Important Terminology in Cyber Security

• Attack
  - An action which exploits a vulnerability
  - e.g., telling the file server you are a different user in an attempt to read or
    modify their files
• Control
  - Removing or reducing a vulnerability
  - You control a vulnerability to prevent an attack and block a threat.
  - How would you control the file server vulnerability?
  - Our goal: control vulnerabilities
Why Security?

• Security is not as simple as it might first appear.
• In developing a particular security measure one has to consider potential
countermeasures.
• Because of the countermeasures, the problem itself becomes complex.
• Once you have designed the security measures, it is necessary to decide where to use
them.
• Security mechanisms usually involve more than a particular algorithm or protocol.
Security and Cost Analysis

[Figure: cost plotted against security level, with the security-level axis running up
to 100%]
Security Attacks - Taxonomy

• Interruption – attack on availability
• Interception – attack on confidentiality
• Modification – attack on integrity
• Fabrication – attack on authenticity

[Figure: each attack type mapped to the property that is compromised]
INTERRUPTION

• Also known as denial of service.
• Information resources (hardware, software and data) are deliberately made
unavailable, lost or unusable, usually through malicious destruction, e.g. cutting a
communication line, disabling a file management system, etc.
INTERCEPTION

• Also known as unauthorised access.
• Difficult to trace, as no traces of intrusion might be left, e.g. illegal
eavesdropping, wiretapping or sniffing, illegal copying.
MODIFICATION

• Also known as tampering with a resource.
• Resources can be data, programs, hardware devices, etc.
FABRICATION

• Also known as counterfeiting (of objects such as data, programs, devices, etc.).
• Allows authenticity checks to be bypassed, e.g. insertion of spurious messages in a
network, adding a record to a file, counterfeit bank notes, fake cheques, …
• Impersonation/masquerading
  - to gain access to data, services, etc.
Methods of defence

• How can we defend against a threat?
  - Prevent it: block the attack
  - Deter it: make the attack harder or more expensive
  - Deflect it: make yourself less attractive to the attacker
  - Detect it: notice that an attack is occurring (or has occurred)
  - Recover from it: mitigate the effects of the attack
• Often, we'll want to do many things to defend against the same threat
  - “Defence in depth”
Example of defence: Class exercise

• Threat: your laptop may get stolen
• How to defend?
  - Prevent:
  - Deter:
  - Deflect:
  - Detect:
  - Recover:
Example of defence

• Threat: your laptop may get stolen
• How to defend?
  - Prevent: is it possible to absolutely prevent?
  - Deter: store your laptop in a secure place; use “laptop tie-down brackets”, laptop
    locks
  - Deflect: do not openly display your laptop (e.g. while travelling)
  - Detect: alarms, tracking features
  - Recover: insurance
Defence of computer systems

• Remember we may want to protect any of our assets
  - Hardware, software, data
• Many ways to do this; for example:
  - Cryptography
    - Protecting data by making it unreadable to an attacker
    - Authenticating users with digital signatures
    - Authenticating transactions with cryptographic protocols
    - Ensuring the integrity of stored data
    - Aid customers' privacy by having their personal information automatically become
      unreadable after a certain length of time
Defence of computer systems

• Software controls
  - Passwords and other forms of access control
  - Operating systems separate users' actions from each other
  - Virus scanners watch for some kinds of malware
  - Development controls enforce quality measures on the original source code
  - Personal firewalls that run on your desktop
Defence of computer systems

• Hardware controls
  - (Not usually protection of the hardware itself, but rather using separate hardware
    to protect the system as a whole.)
  - Fingerprint readers
  - Smart tokens
  - Firewalls
  - Intrusion detection systems (IDS)
Defence of computer systems

• Physical controls
  - Protection of the hardware itself, as well as physical access to the console,
    storage media, etc.
  - Locks
  - Guards
  - Off-site backups
Information Security Project Team

• A number of individuals who are experienced in one or more facets of the required
technical and nontechnical areas:
  - Champion
  - Team leader
  - Security policy developers
  - Risk assessment specialists
  - Security professionals
  - Systems administrators
  - End users
Defence of Computer Systems

• Policies and procedures
  - Non-technical means can be used to protect against some classes of attack
  - If an employee connects his own Wi-Fi access point to the internal company network,
    that can accidentally open the network to outside attack.
    - So don't allow the employee to do that!
  - Rules about changing passwords
  - Training in best security practices
Vulnerabilities

• The three broad computing system resources are
  - hardware
    - interruption (denial of service), interception (theft)
  - software
    - interruption (deletion), interception, modification
  - data
    - interruption (loss), interception, modification and fabrication
Principles of Computer Security

• Principle of Easiest Penetration
  - An intruder must be expected to use any available means of penetration.
  - The penetration may not necessarily be by the most obvious means, nor is it
    necessarily the one against which the most solid defense has been installed.
• Principle of Adequate Protection
  - Computer items must be protected to a degree consistent with their value and only
    until they lose their value.
• Principle of Effectiveness
  - Controls must be used—and used properly—to be effective.
  - They must be efficient, easy to use, and appropriate.
• Principle of Weakest Link
  - Security can be no stronger than its weakest link. Whether it is the power supply
    that powers the firewall, or the operating system under the security application,
    or the human who plans, implements, and administers controls, a failure of any
    control can lead to a security failure.
