Identity and Access Management

CISSP: CHAPTER 5
Identity and Access Management

IDENTITY AND ACCESS MANAGEMENT

Identity Management
Controls the life cycle for all accounts in a system
Access Management
Controls the assignment of rights/privileges to those accounts
Per ISC2, Identity and Access Management solutions
“focus on harmonizing the provisioning of users and managing their access across multiple systems with different native access control systems”.

ACCESS CONTROLS OBJECTIVES

IAAA
Identification
Authentication
Type I (Knowledge)
Type II (Possession)
Type III (Biometrics)
Authorization
Accounting
Single Sign On
Access Control Models
Access Control Methods
Access Control Administration
Data Emanation

ACCESS CONTROLS

Access controls are security mechanisms that control how subjects can interact with objects.
Controls should be layered and provide both proactive and reactive protection.

ACCESS
Access is the data flow between an subject and an object.
Subject is active–a person, process or program
Object is passive–a resource (file, printer etc..)
Access controls should support the CIA triad and regulate what a subject can do with an object

ACCESS CONTROLS

Access controls are security features that control how people can interact with systems, and resources.
Logical
Physical
Administrative

IAAA OF ACCESS CONTROL
The components of Access Control that we are about todiscuss are:
Identification:
Make a claim (userid etc..)
Authentication:
Provide support (proof) for your claim
Authorization:
What rights and permissions you have
Auditing:
Accountability—matching actions to subjects

IDENTIFICATION

Public Information (usually we aren’t concerned with protecting identities)
Identification must be unique for accountability
Standard naming schemes should be used
Identifier should not indicate extra information about user (like job position)
User ID
Account Number
RFID
IP or MAC address

AUTHENTICATION

Proving your identity
Type 1: Something you know
Type 2: Something you have
Type 3: Something you are

TYPE 1: SOMETHING YOU KNOW
Passwords/Passphrases/Cognitive Password
Best practices
No less than 8 characters
Change on a regular basis
Enforce password history
Consider brute force and dictionary attacks
Ease of cracking cognitive passwords
Graphic Image
Enable clipping levels and respond accordingly

TYPE 2: SOMETHING YOU HAVE

Token Devices
Smart Card
Memory Card
Hardware Key
Cryptographic Key
Certificate
Cookies

TOKEN DEVICES: ONE TIME PASSWORD GENERATORS

Password that is used only once then no longer valid
One time password reduces vulnerability associated with sniffing passwords.
Simple device to implement
Can be costly
Users can lose or damage
Two Types: Synchronous/Asynchronous

SYNCHRONOUS TOKEN DEVICES

•Rely upon synchronizing with authentication server.
Frequently time based, but could be event based
•If damaged, or battery fails, must be re-synchronized
•Authentication server knows what
“password” to expect based on time or event.

ASYNCHRONOUS TOKEN DEVICES

Asynchronous/ Challenge Response User logs in
Authentication returns a challenge to the user
User types challenge string into token device and presses enter.
Token devices returns a reply
Only that specific user’s token device could respond with the expected reply. More Complex than synchronous
May provide better protection against sniffing

MEMORY CARDS

MEMORY CARDS
Holds information, does NOT process
A memory card holds authentication info, usually you’ll want to pair this with a PIN… WHY?
A credit card or ATM card is a type of memory card, so is a key/swipe card
Usually insecure, easily copied.*

SMART CARD

SMART CARD (191)

More secure than memory cards
Can actually process information
Includes a microprocessor
Often integrated with PKI
Two types
Contact
Contactless

SMART CARD ATTACKS

There are attacks against smart cards
Fault generation – manipulate environmental controls and measure errors in order to reverse engineer logic
Side Channel Attacks – Measure the cards while they work
Differential power analysis – measure power emissions
Electromagnetic analysis – example frequencies emitted
Micro probing – using needles to vibrations to remove the outer protection on the cards circuits. Then tap into ROMS if possible or “die” ROMS to read data.

TYPE 3: SOMETHING YOU ARE

Biometrics
Static: Should not significantly change over time.Bound to a user’s physiological traits
Fingerprint, hand geometry, iris, retina, etc..
Dynamic: Based on behavioral traits
Voice, gait, signature, keyboard cadence, etc..
Even though these can be modified temporarily, they are very difficult to modify for any significant length of time.

BIOMETRIC CONCERNS
Accuracy
Type I Error: False Rejection–A legitimate user is barred from access. Is caused when a system identifies too much information. This causes excessive overhead.
Type II Error: False Acceptance—An impostor is allowed access.
This is a security threat and comes when a system doesn’t evaluate enough information
As FRR goes down, FAR goes up and vice versa
The level at which the two meet is called CER (Crossover Error Rate). The lower the number, the more accurate the system Iris Scans are the most accurate

CROSSOVER ERROR RATE

BIOMETRIC CONCERNS

User Acceptance
Many users feel biometrics are intrusive
Retina scans can reveal health care information
Time for enrollment and verification can make user’s resistant
Cost/benefit analysis
No way to revoke biometrics

BIOMETRIC CONCERNS

Cost
Biometric systems can be very costly and require unwieldy technology
Though costs are coming down for means like fingerprint recognition, other technologies still remain prohibitive

STRONG AUTHENTICATION

Strong Authentication is the combination of 2 or more of these and is encouraged!
Strong Authentication provides a higher level of assurance*
Strong Authentication is also called multi-factor authentication*
Watch out! Most people want to choose biometrics as the best authentication, but any one source can be compromised. Always look for more than one type!
Mutual Authentication is beneficial

AUTHORIZATION

The concept of ensuring that someone who is authenticated is allowed access to a resource.
Authorization is a preventative control
Race conditions would try to cause authorization to happen before authentication

AUDITING

Logging and reviewing accesses to objects.
What is the purpose of auditing?
Auditing is a detective control

AUTHORIZATION

AUTHORIZATION
Now that I proved I am who I say I am, what can I do?
Both OSes and Applications can provide this functionality.
Authorization can be provided based on user, groups, roles, rules, physical location, time of day (temporal isolation)* or transaction type (example a teller may be able to withdrawal small amounts, but require manager for large withdrawals)

AUTHORIZATION PRINCIPALS

Default NO access (implicit deny)* – Unless a subject is explicitly given access to an object, then they are implicitly denied access.
Principle of Least Privilege
Need to know
Content-based

AUTHORIZATION CREEP

As a subject stays in an environment over time, their permissions accumulate even after they are no longer needed.

Auditing authorization can help mitigate this. SOX requires yearly auditing.

SINGLE SIGN ON

As environments get larger and more complex it becomes harder and harder to manage users accounts securely.
Multiple users to create/disable
Passwords to remember, leads to passwords security issues
Reduces user frustration as well as IT frustration!
Wastes your IT budget trying to manage disparate accounts.

SINGLE SIGN ON

Single sign on systems try to mitigate this problem. Some SSO systems are.
Kerberos
LDAP
Sesame
KryptoKnight

SSO SINGLE SIGN-ON PROS AND CONS

Pros
Ease of use for end users
Centralized Control
Ease of administration
Cons
Single point of failure
Standards necessary
Keys to the kingdom

SSO TECHNOLOGIES

Kerberos
SESAME
LDAP
Microsoft Active Directory*

KERBEROS

A network authentication protocol designed from MITs project Athena. Kerberos tries to ensure authentication security in an insecure environment
Used in Windows2000+ and some Unix
Allows for single sign on
Never transfers passwords
Uses Symmetric encryption to verify Identifications
Avoids replay attacks

KERBEROS COMPONENTS

Essential Components:
AS (Authentication Server): Allows authentication of the user and issues a TGT
TGS: After receiving the TGT from the user, the TGS issues a ticket for a particular user to access a particular service
KDC (Key Distribution Center) a system which runs the TGS (Ticket Granting Service) and the AS (Authentication Service)
Ticket: Means of distributing Session Key
Principles (users, applications, services)
Kerberos Software (integrated into most Operating Systems. MS Windows 2000 and up support Kerberos)
Main Goal: User needs to authenticate himself/herself without sending passwords across the network—needs to prove he/she knows the password without actually sending it across the wire.

Welcome to the Kerberos Carnival

Realm

Welcome to the Kerberos CarnivalFile Server

Database ServerRealm
Ticket Granting Service
Print Server A

Authentication Service
1. Username
2. TGT

KERBEROS CONCERNS

Computers must have clocks synchronized within 5 minutes of each other
Tickets are stored on the workstation. If the workstation is compromised your identity can be forged.
If your KDC is hacked, security is lost
A single KDC is a single point of failure and performance bottleneck
Still vulnerable to password guessing attacks

SESAME

European technology, developed to extend Kerberos and improve on it’s weaknesses
Sesame uses both symmetric and asymmetric cryptography.
Uses “Privileged Attribute Certificates” rather than tickets, PACS are digitally signed and contain the subjects identity, access capabilities for the object, access time period and lifetime of the PAC.
PACS come from the Privileged Attribute Server.

KRYPTOKNIGHT

Should only be known as an older obsolete SSO Technology

SUPER SIGN-ON AND FEDERATED SERVICES
XML: Universal format for storing information
SPML: XML based format for exchanging user and resource information and controlling provisioning
SAML: provides an XML-based framework for exchanging security-related information over networks

ACCESS CONTROL MODELS

ACCESS CONTROL MODELS

A framework that dictates how subjects access objects.
Uses access control technologies and security mechanisms to enforce the rules
Supported by Access Control Technologies
Business goals and culture of the organization will prescribe which model is used
Every OS has a security kernel/reference monitor (talk about in another chapter) that enforces the access control model.

ACCESS CONTROL MODELS

The models we are about to discuss are
From the TCSEC(Trusted Computer System Evaluation Criteria—Orange Book)
DAC (Discretionary Access Control)
MAC (Mandatory Access Control)
Established Later
RBAC (Role based Access Control)

DAC

Discretionary Access Control
Security of an object is at the owner’s discretion
Access is granted through an ACL (Access Control List)
Commonly implemented in commercial products and all client based systems
Identity Based

MAC

Mandatory Access Control
Data owners cannot grant access!
OS makes the decision based on a security label system
Subject’s label must dominate the object’s label
Users and Data are given a clearance level (confidential, secret, top secret etc..)*
Rules for access are configured by the security officer and enforced by the OS.

MAC

MAC is used where classification and confidentiality is of utmost importance… military.
Generally you have to buy a specific MAC system, DAC systems don’t do MAC
SELinux
Trusted Solaris (now called Solaris with Trusted Extensions)

MAC SENSITIVITY LABELS

All objects in a MAC system have a security label*
Security labels can be defined the organization.
They also have categories to support “need to know” at a certain level.
Categories can be defined by the organization

ROLE BASED ACCESS CONTROL

ROLE BASED ACCESS CONTROL

Uses a set of controls to determine how subjects and objects interact.
Don’t give rights to users directly. Instead create “roles” which are given rights. Assign users to roles rather than providing users directly with privileges.

Advantages:
This scales better than DAC methods
Fights “authorization creep”*

ROLE BASED ACCESS CONTROL

When to use*
If you need centralized access
If you DON’T need MAC
If you have high turnover

THAT SUPPORT ACCESS CONTROL MODELS

We will talk more in depth of each in the next few slides. Rule-based Access Control
Constrained User Interfaces
Access Control Matrix
Access Control Lists
Content-Dependant Access Control
Context-Dependant Access Control

RULE BASED ACCESS CONTROL

Uses specific rules that indicate what can and cannot transpire between subject and object. Also called non-discretionary.
“if x then y” logic
Before a subject can access and object it must meet a set of predefined rules.
ex. If a user has proper clearance, and it’s between 9AM – 5PM then allow access (Context based access control)
However it does NOT have to deal specifically with identity/authorization
Ex. May only accept email attachments 5M or less

RULES BASED ACCESS CONTROL

Is considered a “compulsory control” because the rules are strictly enforced and not modifiable by users.
Routers and firewalls use Rule Based access control*

CONSTRAINED USER INTERFACES

Restrict user access by not allowing them see certain data or have certain functionality (see slides)
Views – only allow access to certain data (canned interfaces)
Restricted shell – like a real shell but only with certain commands. (like Cisco’s non-enable mode)
Menu – similar but more “GUI”
Physically constrained interface – show only certain keys on a keypad/touch screen. – like an ATM. (a modern type of menu) Difference is you are physically constrained from accessing them.

PHYSICALLY CONSTRAINED INTERFACE

CONTENT DEPENDANT ACCESS CONTROLS

Access is determined by the type of data.
Example, email filters that look for specific things like“confidential”, “SSN”, images.
Web Proxy servers may be content based.

CONTEXT DEPENDANT ACCESS CONTROL

System reviews a Situation then makes a decision on access.
A firewall is a great example of this, if session is established, then allow traffic to proceed.
In a web proxy, allow access to certain body imagery if previous web sessions are referencing medical data otherwise deny access.

ACCESS CONTROL ADMINISTRATION

CENTRALIZATION VS. DECENTRALIZATION
Centralization:
Greater Consistency
Ease of Administration
Greater Control
Usually considered more secure Decentralization
Granularity
Flexibility

CENTRALIZED ACCESS CONTROL ADMINISTRATION

A centralized place for configuring and managing access control
All the ones we will talk about (next) are “AAA” protocols
Authentication
Authorization
Auditing

CENTRALIZED ACCESS CONTROL TECHNOLOGIES

We will talk about each of these in the upcoming slides
Radius
TACACS, TACACS+
Diameter

RADIUS

Remote Authentication Dial-in User Service (RADIUS) is an
authentication protocol that authenticates and authorizes
users
Handshaking protocol that allows the RADIUS server to provide authentication and authorization information to network server (RADIUS client)
Users usually dial in to an access server (RADIUS client) that
communicates with the RADIUS server
RADIUS server usually contains a database of users and
credentials
Communication between the RADIUS client and server is
protected

RADIUS PROS/CONS

Radius Pros
•  It’s been around, a lot of vendor support

Radius Cons
Radius can share symmetric key between NAS and Radius server, but does not encrypt attribute value pairs, only user info. This could provide info to people doing reconnaissance

TACACS+

Provides the same functionality of Radius
TACACS+ uses TCP port 49
TACACS+ can support one time passwords
Encrypts ALL traffic data
TACACS+ separates each AAA function.
For example can use an AD for authentication, and an SQL server for accounting.
Has more AVP than Radius… more flexible

DIAMETER

DIAMETER is a protocol designed as the next generation
RADIUS RADIUS is limited to authenticating users via SLIP and
PPP dial-up modem connections
– Other device types use different protocol types
Internet protocol that supports seamless and continuous connectivity for mobile devices – such as PDAs, laptops, or cell phones with Internet data capabilities
Move between service provider networks and change
their points of attachment to the Internet
Including better message transport, proxying, session
control, and higher security for AAA transactions

CENTRALIZED ACCESS CONTROLS
OVERVIEW

Idea centralize access control
Radius, TACACS+, diameter
Decentralized is simply maintaining access control on all nodes separately.

EMANATION SECURITY

EMANATION SECURITY

All devices give off electrical / magnetic signals.
A non-obvious example is reading info from a CRT bouncing off something like a pair of sunglasses.
Tempest is a standard to develop countermeasures to protect against this.

EMANATION COUNTERMEASURES

Faraday cage – a metal mesh cage around an object, it negates a lot of electrical/magnetic fields.
White Noise – a device that emits radio frequencies designed to disguise meaningful transmission.
Control Zones – protect sensitive devices in special areas with special walls etc…

ACCESS CONTROLS REVIEW
IAAA
Identification
Authentication
Type I (Knowledge)
Type II (Possession)
Type III (Biometrics)
Single Sign On
Access Control Models
Access Control Methods
Access Control Administration
Data Emanation