Identity and Access Management (IAM) is one of the basics of information security.
Concepts related to Authentication
Continuous authentication monitors user behavior throughout a session to ensure that the user remains the same person who originally authenticated.
Risk-based authentication analyzes user behavior and contextual information to determine the level of risk and adjust authentication requirements accordingly.
The zero trust security model may apply authentication dynamically.
Zero Trust Network Access (ZTNA) is an IT security solution that provides secure remote access to an organization’s applications, data, and services based on clearly defined access control policies.
You can read more about zero trust security on this post.
Secrets management includes password management. You can read more about secrets management on this post.
Access Control Models
You can read about access control models on this post.
Primary Authentication Factors
Primary authentication factors:
- Type 1 – Something you know
- Type 2 – Something you have
- Type 3 – Something you are
Types of Authentication
Types of authentication:
- Password-based authentication
- Multi-factor authentication (MFA)
- Public Key Infrastructures (PKI)
- Challenge-response authentication
- Biometric Authentication
- Token-based authentication
- Risk-based authentication
- Knowledge-based authentication
Multi-factor Authentication (MFA)
Multi-factor Authentication requires two or more of the above-mentioned primary authentication factors.
An example of an MFA solution is PIV (Personal Identity Verification).
You can read more about challenge-response authentication on this post.
Biometric authentication is any authentication method that is based on human biometrics.
You can read more about biometric authentication on this post.
Token-based authentication may include Time-based One-Time Passwords (TOTP) and hardware tokens (like smart cards).
Knowledge-based authentication is used by some financial institutions to validate the identity of new users. It uses information from tax and financial records that is unlikely to be available to others, allowing new users to provide details like their last credit card payment, mortgage payment, or other information to validate their identity.
7 Laws of Identity
The 7 laws of identity were published in 2005 by Kim Cameron.
They are:
- Law 1: User control and consent
- Law 2: Minimum disclosure for a constrained use
- Law 3: Justifiable Parties
- Law 4: Directed Identity
- Law 5: Pluralism of Operators and Technologies
- Law 6: Human Integration
- Law 7: Consistent Experience Across Contexts
You can read them on this external document.
Account provisioning or user provisioning refers to the activities related to the creation, modification, disabling and deletion of user accounts and their profiles across IT applications.
Just-in-time provisioning (JIT provisioning) creates accounts when they are needed rather than creating them in advance. This is an effective method to limit the number of accounts being maintained and can be useful if the number of user accounts is part of a licensing agreement.
A standard format for account provisioning data is Service Provisioning Markup Language (SPML). It is an XML-based language designed to allow platforms to generate and respond to provisioning requests.
You can find a list of directory protocols on this post.
Authentication, Authorization and Accounting Protocols
You can find a list of identity and authentication protocols on this post.
You can read about authentication, authorization and accounting (AAA) network protocols on this post.
Network Access Control Methods
Network Access Control Methods:
- MAC address filtering
- Port Security
- Authentication Protocols
- Internal Network AAA
- Web-based IAM
- DHCP snooping
- Directory Services
- Identity Federation
MAC Address Filtering
Network devices are allowed or denied access based on their MAC addresses.
It is not very secure, since MAC addresses can be spoofed.
MAC address filtering is also difficult to manage when there are many devices or frequent connections and disconnections.
Port security could refer either to physical port security or to OSI transport layer port security.
You can read more about this on “CISSP Study Guide 9th Edition”, p. 585.
You can read more about authentication protocols like EAP / IEEE 802.1x, CHAP, PAP on this post.
Internal Network AAA
You can read about protocols for authentication, authorization and accounting (AAA) in an internal network on this post.
The most popular internal network AAA protocols are Kerberos, RADIUS and TACACS+.
Network Access Control (NAC) is a security solution that enforces policy on devices that access networks to increase network visibility and reduce risk. You can read more about it on this post.
Dynamic Host Configuration Protocol (DHCP) Snooping
DHCP snooping verifies the legitimacy of DHCP servers and prevents unauthorized DHCP servers from operating on the network.
Nevertheless, it does not provide user-level authentication.
You can read about web-based identity and access management (IAM) protocols on this post.
The most popular protocols are SAML, OAuth and OIDC.
You can read more about directory services on this post.
The most popular protocol is LDAP.
Identity federation implies sharing identity information.
You can read more about identity federation on this post.
Session management is enabled through:
- Hidden form fields
- URL rewriting
- Built-in session frameworks (e.g., Java’s JavaHTTPS)
Secure session ID requirements:
- Session ID should be unpredictable
- Session ID should be meaningless (it must not encode user or account information)
- Session ID length should be at least 128 bits
- Session ID should have at least 64 bits of entropy
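An added example (not from the original post) of generating a session ID that meets the requirements listed above with a CSPRNG, together with a format check for length, and a constructed counter-example showing that a value from a seeded non-cryptographic PRNG passes the same format check while being reproducible by anyone who knows the seed: entropy and unpredictability come from the generator, not from the string's shape.

```python
import random
import secrets

SESSION_ID_BYTES = 16  # 128 bits, the minimum length required above


def new_session_id() -> str:
    """Generate a meaningless session ID from the OS CSPRNG: 16 random bytes as 32 hex chars.

    secrets.token_hex draws from os.urandom, so each byte carries a full 8 bits of
    entropy and the ID meets both the 128-bit length and 64-bit entropy requirements.
    """
    return secrets.token_hex(SESSION_ID_BYTES)


def session_id_bits(session_id: str) -> int:
    """Bit length of a hex-encoded session ID (4 bits per hex digit)."""
    return len(session_id) * 4


def is_acceptable_session_id(session_id: str) -> bool:
    """Structural check only: hex characters and at least 128 bits.

    Entropy cannot be measured from a single value, so this check is necessary
    but not sufficient; the generator must be a CSPRNG as in new_session_id().
    """
    try:
        bytes.fromhex(session_id)
    except ValueError:
        return False
    return session_id_bits(session_id) >= 128


def predictable_session_id(seed: int) -> str:
    """Constructed counter-example: a Mersenne Twister seeded from a guessable value
    (e.g., a timestamp) yields the same 'random' ID for everyone who knows the seed.
    It satisfies the length check above yet violates the unpredictability requirement.
    """
    rng = random.Random(seed)
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(SESSION_ID_BYTES))
```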
Single Sign-on (SSO) allows a user to access multiple applications with a single set of credentials.
You can read more about single sign-on on this post.