ISC2 CISSP

CISSP Domain 5 Refresh: Identity and Access Management

Sumit Bhattacharya
August 7, 2018 by
Sumit Bhattacharya

The Certified Information Systems Security Professional, or CISSP, certification is the ideal certification for infosec professionals. As per the survey depicted in the below screenshot, it has been found that the CISSP is a core requirement for many mid- and senior-level cybersecurity positions. Earning this gold standard certification requires demonstrating sufficient work experience and passing an exam covering the eight domains of information security.

This article covers the fifth of those eight domains, Identity and Access Management. A total of 13% of the questions in the CISSP exam comes from this domain.

Earn your CISSP, guaranteed!

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Identity and Access Management

Identity and access management is the practice of ensuring that computer systems have a clear picture of the identity of each individual or resource authorized to access the system, and that the system can control access in a way that prevents unauthorized individuals from accessing resources while permitting authorized individuals to perform legitimate actions.

Access Control Process

The access control process consists of three steps:

  • Identification
  • Authentication
  • Authorization

Identification

Physical World: Physical access control deals with issues of identity and restricts admission to certain individuals. This covers cases where an individual makes a claim about his or her identity but doesn't present any proof. Imagine a situation where you want to enter a secure office building where you have an appointment, but during the identification step of the process you just walk up to the security desk and say "Hi, I'm Sam."

Computer World: When we go to login to a system we identify ourselves using a username, one most likely composed of some combination of the letters from our names.

Authentication

Physical World: During the authentication step proof comes into play as the individual proves his or her identity to the satisfaction of the access-control system. Consider the same case when entering the secure building: the guard would likely want to see Sam's driver's license to confirm whether this is Sam or not.

Computer World: In the authentication phase, the user commonly asked to enter a password.

Authorization

Physical World: In the same example above, the security guard might check a list of that day's appointments to see if it includes Sam's name. This authorizes Sam to enter the premises.

Computer World: In the electronic world, authorization often takes the form of access-control lists that itemize the specific file-system permissions granted to an individual user or group of users.

All access-control systems provide the means to accomplish these three steps of the access-control process. Remember, in the CISSP exam it's very important that you remember the distinction between the identification and authentication phases, as it sometime becomes confusing.

Note: The abovementioned steps only depict simple examples of access control steps. In the real world, there is a layered approach to these three steps which we are going to discuss in greater detail.

Now let's dive into it and see how organizations implement the abovementioned steps of access control.

Identification

As we have seen earlier, identification is one of the basic requirements of any access-control system. Users must have a way to identify themselves uniquely to a system that ensures they will not be confused with any other user of the system. Following are some common identification mechanisms that are often used in an organization and which are covered by the CISSP exam.

Usernames

An identification used by a person with access to a computer, network or online service.

Access cards

A card with a chip or a magnetic strip consist of encoded data that is read by passing the card through or over an electronic device. Used to provide access to restricted or secure areas or systems.

Biometrics

Biometric identification is increasing in popularity as users turn away from the inconvenience of identifying and authenticating themselves via a keyboard. Biometrics provide a means of identifying someone based on one or more physical characteristics of that person. They often serve as both identification and authentication mechanisms. Some types of biometric authentication techniques used are:

  • Fingerprint scanners
  • Eye scanners
  • Voiceprint identification
  • Facial recognition

Registration and identity-proofing

Every identity and access-management solution user must be given initial credentials when they are created in the system as entities.

  • The registration procedure incorporates gathering info about a user and making a corresponding entity in the system
  • The identity-proofing process guarantees that the user introducing himself/herself for registration is who they claim to be

Authentication

Once the person is identified to a system, the person must prove that claim of identity. That's where authentication comes into the picture.

Authentication Factors

Overall, there are three authentication factors:

  • Something you know. It comes as a password that the user remembers and enters into a system during the authentication procedure
  • Something you are. Biometrics measure one of your physical characteristics, such as eye pattern, voiceprint, fingerprint or facial geometry
  • Something you have. Requires the user to have physical ownership of a device, such as a cell phone or authentication token like RSA

The strength of techniques utilized by every one of these authentication factors may be estimated by the number of errors that it generates.

  • False acceptance rate (FAR) happens when the system misidentifies a person as an authorized user and allows access that ought to be denied
  • False rejection rate (FRR) happens when an authorized individual endeavors to access a system but is incorrectly denied access by that system

The FAR and FRR are not by themselves are appropriate measures to identify the strength of an authentication factor. Let's explore it with an example: system administrators may configure the system to just permit no one at all into the system, giving it an impeccable false acceptance rate but also a very high false rejection rate. And if the system permits anyone to access it, it has a perfect false rejection rate but an unacceptably-high false acceptance rate.

The solution for this measurement issue is to use a balanced measure of authentication strength, which is CER: crossover error rate.

  • Crossover error rate (CER) is measured as the error frequency that happens when  administrators tune the system to have equivalent false rejection rates and false acceptance rates.

Multi-Factor Authentication

Multi-factor authentication brings added security to the authentication system by combining multiple factors. For example: when an authentication system requires both a password (something you know) and a smart card (something you have), a hacker stealing the password still won't have the required smart card and vice versa. It becomes much more difficult for the attacker to gain access to the account because something you know and something you have are different factors.

The most common approach organizations take is to combine something you know, such as a password or PIN, with something you have, such as a physical (hardware) or soft token as shown below.

(Image 1)

(Image 2)

The code generated for these authentication mechanisms are called one-time passwords and use two protocols:

  • HMAC-based one-time password algorithm (HOTP) uses a shared secret and an incrementing counter to generate the code displayed on the token screen
  • Time-based one-time password algorithm (TOTP) uses the time of day in conjunction with a shared secret. This means that the code changes constantly and is only valid until the token generates the next code. The token and the authentication system must have synchronized clocks

Password Authentication Protocols

Many access-control systems rely on password-based mechanisms to implement something-you-know security, and one of the most common applications of password security is to secure VPNs and other remote access technologies. Protocols used for these authentication mechanisms:

  • PAP (Password Authentication Protocol)
  • CHAP (Challenge Handshake Authentication Protocol)

Federated Identity Management System

This leverages the fact that a single individual may have accounts across a wide variety of systems. When organizations agree to federate their identity management systems, they share some of this information across the organizations. This reduces the number of individual identities that a user must have and eases the burden on both the user and the organization. The most common example of federated identity management system is when you log into websites using your Google account, Facebook Connect, or Twitter account.

Single Sign-On (SSO)

In an SSO approach, users log into the first SSO-enabled system they encounter. That login session then persists across other systems until it reaches its expiration time. SSO basically shares authenticated sessions across systems. Many organizations create SSO solutions within their organizations to help users avoid the burden of repeatedly authenticating.

Trust relationships across different authentication domains are described in terms of their direction and their transitivity.

Security Assertion Markup Language (SAML)

This allows browser-based SSO across a variety of web systems. There are three actors in a SAML request:

  • Principle: The end user who wants to use web-based services
  • Identity provider: the organization providing the proof of identity
  • Service provider: the web-based service that the end user wishes to access

Trust direction can be either one-way or two-way:

  • If a one-way trust exists from domain1 to domain2, domain1 will trust authenticated sessions from domain2 but domain2 will not trust sessions from domain1
  • If the trust relationship is two-way, both domains will trust each other
  • Trust transitivity: it can be either transitive or nontransitive
  • In a transitive trust, trust relationships transfer across domains. For example, if domain1 has a transitive trust with domain2 and domain2 has a transitive trust with domain3, domain1 and domain3 will have a trust relationship as well without the administrator explicitly creating the trust
  • In a nontransitive trust, this trust relationship will not be automatically inferred. Domain1 will not trust domain3 unless the administrator creates that trust
  • Organizations' most common need is to have a centralized approach to network and application authentication, authorization and accounting. Protocols such as RADIUS and TACACS+ offer these services to enterprises

Remote Access Dial-In User Service (RADIUS)

A centralized RADIUS server could support modem pools located around the country, providing a single point of administration for password and account management and consolidating accounting records in a centralized location.

Terminal Access Controller Access Control System (TACACS+)

An alternative to RADIUS, performing a similar function. The current TACACS standard is the TACACS+ protocol. Developed by Cisco as a proprietary standard, it functions in a manner similar to RADIUS with two modifications:

  1. It uses TCP rather UDP
  2. It fully encrypts the entire authentication session

The Kerberos Access-Control System

Widely used to implement authentication and authorization systems, Kerberos is a ticket-based authentication system that allows users to authenticate to a centralized service and then use tickets from that authentication process to gain access to distributed systems that support Kerberos authentication. Kerberos uses port 88.

The Lightweight Directory Access Protocol (LDAP)

LDAP is an imperative protocol when it comes to access control. It allows services on a network to share data about users and their authorizations in a standardized open format. Active Directory utilizes LDAP in combination with Kerberos; while Kerberos handles authentication, LDAP provides the means to query information stored in the directory service. LDAP uses port 389 for unencrypted communication, and 636 for encrypted communication.

Identity and Access Management as a Service (IDaaS)

This is an area where enterprises are gaining significant benefits by using third-party providers, which allows organizations to move some or all of their identity and access management infrastructure to the cloud. This eliminates the need for costly and hard-to-find identity and management access specialists.

Certificates-Based Authentication

Digital certificates have various use cases when it comes to authentication. A certificate can connect to servers via SSH, to power smart cards or restrict network access to specific devices. When a digital certificate is utilized for authentication, you create a digital certificate similar to the one used to secure websites. The certificate's purpose is to provide a trusted copy of a public key to third parties. You retain the corresponding private key to prove that you are the owner of the public key in the certificate.

Accountability is the principle here: it means that every action taken on a system can be clearly traced back to an individual user without any ambiguity. It is achieved by two fundamental requirements:

  • Identification: Each user of the system must be identified by a unique identifier, such as a username
  • Authentication: Every account on the system must be protected by strong authentication that prevents unauthorized users from gaining access

Managing Credentials

The management of user accounts is a key responsibility for information security professionals. This includes designing strong processes which implement:

  • Principles of least privilege: Users should have only the minimum set of permissions necessary for their job function
  • Separation of duties: Sensitive functions should require action by two separate users
  • Job rotation/mandatory vacation schemes: Regularly move people between jobs to prevent fraud. Mandatory vacation enforces periods of time when employees have no access to systems; this enforced absence provides an opportunity for fraudulent activity to come to light
  • Managing the account life cycle: Security professionals are also responsible for managing the account and credential lifecycle. Their duties are to:
    • Administer the process of granting new users access to systems
    • Modifying roles when a user changes jobs
    • Review when a user's job requires new access
    • Review access on a regular basis and modify discrepancies found
    • Removing the access of terminated users
    • User account policies
    • Password policies
    • Managing roles

Authorization

Authorization is the final step in the access control process. Once an individual successfully authenticates in a system, authorization determines the privileges that individual has to access resources and information. There are many different authorization approaches; below are some which are covered on the CISSP exam.

Mandatory Access-Control Systems (MAC)

In mandatory access control, the OS itself confines the permissions that may be granted to users and processes on system resources. MAC is normally implemented as a rule-based access-control system, where users and resources have labels and the operating system makes access-control decisions by comparing those labels. The most common example of an operating system implementing MAC is Security-Enhanced Linux, or SELinux.

Discretionary Access Control

Discretionary access-control systems are the most common form of access control because they provide organizations with needed flexibility; unlike MAC, they offer a flexible approach to authorization, allowing users to assign access permissions to other users. The owners of files, computers and other resources have the discretion to configure permissions as they see fit. In a discretionary access-control system, file owners manage resource permissions by the creation of access-control lists. An access-control list is simply a table containing user names and the permissions granted to each user of a resource.

The Implicit Deny Principle

This principle, also known as default deny, says that anything that is not explicitly allowed should be denied. If a computer system doesn't have explicit instructions on how to handle a situation, it should default to denying access. Firewalls are a common example of implicit deny.

Role-Based Access Control Systems

Role-based access control systems simplify some of the work of managing authorizations. Instead of trying to manage all of the permissions assigned to each individual user, administrators create job-based roles and then assign permissions to those roles.

This is a little more work up front, but it makes life much easier down the road. When a user arrives, the administrator doesn't need to figure out all of the explicit permissions that user requires.

Time-of-Day Restrictions

Restricts users from accessing the system based on the time and day.

Access Control Attacks

Access control attacks are techniques typically used to bypass or circumvent access-control methods in order to steal data or user credentials.

Password Attacks

Some of the password-related attacks covered under the CISSP exam are:

  • Dictionary attacks
  • Rainbow table attacks
  • Hybrid attacks

Social Engineering Attacks

Social engineering uses psychological tricks to manipulate people into carrying out an action or divulging sensitive information that undermines the organization's security. Some of the social engineering attacks covered under the CISSP exam are:

  • Spearphishing
  • Whaling
  • Pharming
  • Vishing
  • Email spamming/spam via instant messaging
  • Identity spoofing

Watering Hole Attack

A watering hole attack is a client-side attack where the attacker identifies and compromises a highly-targeted website that their audience is likely to visit. The attacker chooses a client exploit that will breach the security of website visitors' browsers and then bundles in a botnet payload; as soon as the visitor visits this website, the malicious program gets downloaded on the visitor's computer and circumvents various access controls to achieve its malicious intent. Watering-hole attacks are especially dangerous because they often come from trusted websites.

Earn your CISSP, guaranteed!

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Conclusion

The identity and access management domain of CISSP gives security professionals insight on how to define and manage the roles and access privileges of individual network users in the enterprise, and what circumstances under which users are granted or denied those privileges. The main objective of this domain is one of digital identity, and once that digital identity has been established security professionals should know how it must be maintained, modified and monitored throughout each user's access life cycle.

Sumit Bhattacharya
Sumit Bhattacharya