Certified Information Systems Security Professional

(CISSP) Certification Training Course

CISSP® is a registered trademark of (ISC)²®

Domain 05: Identity and Access Management (IAM)
 Learning Objectives

By the end of this lesson, you will be able to:

Control physical and logical access to assets

Manage identification and authentication of people,

devices, and services

Implement and manage authorization mechanisms

Manage the identity and access provisioning lifecycle and

implement authentication systems
Introduction to Identity and Access Management
Importance of Identity and Access Management in Information Security

Kevin received an email from Sergei Stankevich, the project manager

of the firewall division. The email stated that, as a part of the strong
focus on security that financial year, Nutri Worldwide Inc. would
perform two cycles of security audits instead of one. The following
processes would be audited during the year:

Access Control Access Control

Access Controls
Implementation Monitoring
Importance of Identity and Access Management in Information Security

Mission Statement:

Protecting networks, applications, and data

from attack is of utmost importance. This
will be achieved by:

• Auditing current security practices,

policies, and processes to suggest
improvement actions to be implemented

• Examining and authenticating security

through penetration testing and
vulnerability assessments
 Access, Subject, Object, and Access Controls

The terms access, subject, object, and access controls are defined below.

Access is the transfer Subject is an active Object is a passive Access control is the
of data between component that needs component that security feature that
subjects and objects. access to an object or contains data or controls how a user or
the data within it. information. system interacts and
communicates with
other systems and
resources.
Control Physical and Logical Access to Assets
 Controlling Access to Assets

Threats to information include loss of data confidentiality, integrity, and availability.

Information Access control must be implemented to prevent unauthorized access to the
information.

Systems Access to IT systems must be regulated to restrict who or what can view or use
resources in a computing environment.

Access to computing devices such as laptops, desktops, servers, tablets, and

smartphones must be restricted. As more organizations adopt bring your own
Devices
device (BYOD) policies, they need to protect these devices. Using mobile device
management (MDM) becomes important.

Organization’s facilities must be protected by implementing policies and

procedures to limit physical access to only authorized personnel. Employee access
Facilities to restricted business locations and proprietary areas, such as data centers must
be controlled, tracked and audited.

Application access controls are used for managing user authentication and
Applications implementing rules that determine user access to applications and data.
Manage Identification and Authentication of People, Devices, and Services
 Identity and Access Management Policy

The first element of an effective access

control program in an organization is to
establish identity and access management
policy and related standards and
procedures.
 Identity and Access Management Policy

The identity and access management policy:

Specifies the way users and

programs are granted access Specifies the guidelines of
through proper identification granting privileges to various
and authentication resources

Prevents inconsistencies in
Improves the governance provisioning, administration,
process and access control
management
 Identification, Authentication, and Authorization

To be able to access a set of data or a resource, a subject has to be identified, authenticated, and
authorized. The process is shown below:

Identification Authentication Authorization

Ensuring that a Testing or Testing or

subject, such as reconciliation of reconciliation of
user, program, or evidence of a evidence of a
user’s identity
process, is a real user’s identity
User
entity as it claims
to be
 Identity Management

It describes the management of individual

identities, their authentication, authorization,
and privileges or permissions within or across
the system and enterprise boundaries.

Identity management is the use of The goal is to increase the

different products to identify, security and productivity while
authenticate, and authorize the decreasing the cost, downtime,
users through automated means. and repetitive tasks.
 Identification Methods

To ensure that an application is authorized to make requests to potentially sensitive resources, the
system can use digital identification, such as a certificate or one-time session.

Some of the most common types of

identification methods are as follows:

• Username
• User ID
• Account number
• Personal Identification Number (PIN)
• Identification badge
• MAC address
• IP address
• Email address
• Radio Frequency Identification (RFID)
 Guidelines for User Identification

Three important security characteristics of identity are:

Uniqueness
• The user identification must be unique.

Non-descriptiveness
• The user’s role or job function should not be
exposed by Identity (ID).

Secure issuance
• ID issuing process must be well documented
and secure.
 Verifying Identification Information

• The function of identification is to map a known quantity to an unknown entity to make it known.
• There are three general factors that can be used for verifying identification.

Verifying Identification Information

Something you know Something you have Something you are

 Multi-Factor Authentication

Depending on the number of factors used, there are two ways of strengthening the authentication.

Two-Factor Authentication Three-Factor Authentication

A secure method of authentication in The highest level of security where the

which the user is required to provide at user is asked to provide all the three
least two out of the three identification identification factors
factors
 Biometrics: Characteristics

Biometrics, based on individuals’ physiological and behavioral characteristics, is one of the most
effective and accurate methods of verifying identification.

Acceptance Throughput Rate Enrollment Time

Physical controls

• Refers to user • Also called biometric • Refers to the time taken

acceptance of biometric system response time by the biometric system
system to register and create
• Refers to the time taken an account for the first
• Depends on privacy to process the time
intrusiveness and authentication request
psychological or physical
discomfort
 Types of Biometrics

Biometrics commonly used for identification:

Hand
Facial Scan Fingerprint Iris Scan
Geometry

Keyboard Voice Retina

Signature
Dynamics Print Scan
Discussion
 Discussion

A retina scan is a biometric technique that uses the unique patterns on a

person's retina blood vessels to identify them.

Even though the retina scan is considered to be one of the most accurate
biometric systems, why is it not preferred by most organizations?
 FRR, FAR, and CER

To measure the accuracy of a biometric system, the following are used:

False Rejection The biometric system rejects an

Rate (FRR): authorized individual.

FAR FRR
False Acceptance An impostor who should be rejected
Rate (FAR) or
is accepted by the system.
Type II error:
0%
When the false acceptance rate
equals the false rejection rate, that
point represents CER. The lower
Crossover Error the value of CER, higher the
accuracy of the biometric system. CER Sensitivity
Rate (CER):
For example, a system with a CER
of 3 has greater accuracy than a
system with a CER of 4. CER is also
known as Equal Error Rate (EER).
 Passwords

The combination of username and password is the most common identification and
authentication scheme.

Problems with Passwords Common Password Attacks

• Insecure • Dictionary (Crack, John the

Ripper)
• Easily broken
• Brute force (Lophtcrack)
• Inconvenient
• Hybrid attack (Dictionary and
• Repudiable
Brute Force)

• Trojan horse login program

(Password sending Trojans)

• Social engineering
 Password Types

Different types of passwords are described below:

Longer than a password, in the form of a sequence of characters

• I will pass CISSP exam
Passphrase
• Manchester United is my favorite team
• A quick brown fox jumps over a lazy dog

Individual’s identity is verified based on opinion or fact-based information

Cognitive • What is the name of the high school you attended?
Passwords • How many family members do you have?
• What is your mother’s maiden name?

One-time Dynamic password will be valid for only one login session or transaction.
password (OTP) • OTP a bank sends to a customer via SMS
 Password-Based Attacks

Access to the password file:

Electronic monitoring (replay Brute-force attack:
• Usually done on the
attack): • Performed through
authentication server
• Listening to network traffic automated tools that cycle
• Capturing the file will give
to capture authentication possible combinations on
access to the passwords of
information the password dump
many users

Dictionary attack:
Social engineering: Rainbow table:
• Comparing thousands of
• Falsely convincing an • Using a table that contains
dictionary words to a users’
individual to share all possible passwords in a
password for a successful
authentication information hash format
match
 Tokens

Tokens are used to prove the identity of a user and

authenticate the user to a system or an application.

• They can be software based or hardware based.

• An attacker can compromise the security by gaining control

of the token and impersonating the token owner. This may
also compromise the authentication protocol.

• Tokens must be secured, as they may be cloned, damaged,

lost, or stolen from the owner.
 Token Device: Synchronous

Time based:

• This requires synchronized internal clocks

between the token device and the
authentication server.

• The secret key and time on token are used to

generate one-time password.

• RSA token is an example of time-based

synchronous token.
 Token Device: Synchronous

1 2 3
Every minute clock reading is Authentication Server knows
User reads secret key and enters
enciphered with a secret key and secret keys to all cards by clock
the data into workstation along
displayed. This is one-time synchronization with the cards.
password. with the PIN.
It verifies the entered data.
 Token Device: Asynchronous

Challenge-response is used to authenticate a user.

Example: Grid Cards.

User enters challenge

Challenge number number and PIN
is displayed on permanently associated
workstation. with pad.
1 2

5 4 3
Authentication User enters
server verifies response from Response is read.
response. handheld device.
 Authorization Concepts

Authorization is based mainly on the following concepts.

Need-to-know According to this principle, the subject is given access to specific

principle information depending on the subject’s job, duties, and requirements.

This occurs when an employee who works for an organization moves

Authorization
from one department to another and is assigned new access rights and
creep
permissions without the old permissions being reviewed and removed.

Access control It specifies the subjects who are granted access and the operations
list (ACL) allowed on objects.

Access controls should always start with zero access. The administrator can
Default to zero
then allow various accesses based on the organization’s security policy.
 Accountability

Accountability helps hold users responsible for their own actions and ensures proper
enforcement of security policies. The following gives a broad overview of the items and
actions that can be audited and logged:

System-level events Application-level events User-level events

Physical controls

• System or computer • Error messages • Identification and

performance authentication attempts
• File modifications
• Successful and • Commands used
unsuccessful login
attempts
• Timestamps of the login
attempts
 Accountability

Non-repudiation plays an important role in accountability to ensure that users, processes, and actions
are responsible for impacts.

Strong identification Strong authentication

Policies to enforce
Independent audits
accountability
Requirements to
ensure
accountability of Consistent and
Organizational behavior actions accurate audit logs

Comprehensive and
timely monitoring User awareness and training
 Session Management

Session is the term used to describe a single entity communicating with another for a
specified period of time. The way a single instance of identification, authentication, and
authorization is applied to the entities is termed session management.

Control and protection of desktop

sessions can be achieved through:

• Screensavers
• Session or login limitation
• Timeouts
• Automatic logouts
• Schedule limitations
 Registration, Proofing, and Establishment of Identity

Identity proofing is the process of establishing a reliable relationship electronically

between the individual and the credential for electronic authentication purposes.

This is done by collecting and verifying information to prove that the person who has requested
a credential, an account, or other special privileges is indeed who they claim to be.

• It involves in-person evaluation of a driver’s license, birth certificate, passport, or any other
identity issued by the government.
• Certification and accreditation should be carried out for the process of identity proofing and
registration.
 Federated Identity Management (FIM)

Federated identity

• It is a portable identity, and it along with its

associated entitlements can be used across
business boundaries.

• It allows a user to be authenticated across

multiple IT systems and enterprises.

• Identity federation is based upon linking a

user’s otherwise distinct identity at two or
more locations without the need to
synchronize or consolidate directory
information.
 Federated Identity Management (FIM)

Federated identity management

• Federated identity management addresses the

identity management issues that arise when multiple
organizations need to share the same applications
and users between them.

• In a federated environment, each organization in the

federation subscribes to a common set of policies,
standards, and procedures for the provisioning and
management of user identification, authentication,
and authorization information.

• A trust relationship is established among

participating organizations.
 Federated Identity Management (FIM): Example

When you book a flight on Expedia,

the website asks if you also want to John is authenticated
to company B
book a hotel room. If you click Yes,
you could then be brought to the Taj
Hotel website, which provides
information on the hotel closest to
the airport you are flying into. John is authenticated
John is authenticated
to company A to company C

You don’t have to log in again to

book a room. You logged in on the
Southwest website, and that website
sent your information over to the John is authenticated
Hilton website, all of which to company D
Assertions
happened transparently.
 Credential Management Systems

A security practitioner can build a good Credential Management

System by incorporating the following:

• Password history
• Strong passwords
• Fast password retrieving
• Generating passwords effortlessly
• Well-defined access control
• Controlling credentials
• Failover and redundancy
• Safely keeping passwords
• Preparedness for disasters
• Tracking and auditing access
 Credential Management Systems: Risks and Benefits

Risks Benefits

• Attackers can compromise the • High level of assurance

Credential Management System
• Meets the required security standards
• Reissuing credentials can be time-
• Simplifies compliance, administration,
consuming and expensive and auditing

• Compromise may lead to compliance

issues
 Single Sign-On (SSO)

In single sign-on (SSO), the user needs to enter credentials only once to get access to all the corporate
resources that are entitled to the user.

Pros Cons

The user has one password for all enterprise systems

Difficult to implement
and applications

Only one strong password needs to be remembered

Centralized point of failure
and used

The user accounts can be easily created on hire and

Compromises data
modified and deleted on dismissal
 Difference Between FIM and SSO

Federated identity Single sign-on (SSO)

management (FIM)
• FIM enables a single • SSO enables a single
credential to access credential to access
multiple applications multiple applications
and resources within
and resources across
one organization.
multiple organizations.
• SSO doesn’t necessarily
• FIM gives you SSO. give you FIM.
 Just-In-Time (JIT)

Just-in-time (JIT) enables organizations to grant users on-demand and privileged

access to applications or systems for a predetermined period of time on an as-
needed basis.

These time-restricted accesses can be automated so that users don’t have to wait
for human approval.

The requests can be verified against a pre-approval policy or can be reviewed by

an administrator who has the power to grant or deny the requests for short-term
privileged access.

JIT access can be provided using ephemeral certificates which is a type of limited
access security token that is automatically created on-demand, automatically
expires, and requires no installation, configuration, or updation.

JIT enforces the security principle of least privilege by providing users the least
amount of access to perform the required job for the minimum duration
required.

Information source: www.centrify.com/pam/privilege-elevation/time-based-role-assignment/

 Business Scenario

Kevin was concerned about the security of the cloud virtual machines and wanted to
reduce the risk of privileged access abuse and lateral movement by threat actors.

He learnt about the just-in-time (JIT) access, which enables always-on access by enforcing
time-based restrictions based on behavioral and contextual parameters.

After he enabled the JIT feature on the VMs, he created a policy which can determine the
ports to be protected, how long ports remain open, and the approved IP addresses from
where these ports can be accessed.

He enabled just-in-time access to lock down the virtual machines at the network level by
blocking inbound traffic to management ports such as 22 (SSH) and 3389 (RDP).

The JIT access allowed Kevin to control the access and reduce the attack surface to his
virtual machines by allowing need-based access for a limited period of time.
Federated Identity with a Third-Party Service
 Identity as a Service (IDaaS)

Identity as a a service (IDaaS) is an SaaS-based IAM solution built and operated by a third-party
provider. An IDaaS is provided as a subscription-based service.

The key features of IDaaS are:

User management and Multi-factor

authentication (MFA) Single Sign-On (SSO)
access control

IDaaS provides administrative Users are required to submit SSO enables users to access all
tools for onboarding users and multiple factors to gain access their business applications and
managing their access privileges to their resources thus services using a single set of
throughout the course of their providing greater security than login credentials.
employment. single-factor authentication
(username and password).
 Federated Identity

Active directory can A unified identity

Most organizations rely
be federated with management system
on Microsoft Active
third-party IDaaS minimizes
Directory Domain administrative effort
provider such as
Services (AD DS) to in managing
Okta and Ping
provide a unified accounts and
Identity to provide
system to manage controlling access
a hybrid identity and provides a single
identities to ensure
solution that end-user
consistency and
integrates cloud authentication
administrative
services with on- process across a
efficiency. hybrid environment.
premise capabilities.
Implement and Manage Authorization Mechanisms
 Access Control Models

Discretionary access
Access control models control (DAC )
• An access control model is a framework that
dictates how subjects access objects. Mandatory access
control (MAC)
• Each model type uses different methods to
control how subjects access objects, and each
has its own merits and demerits. Types of access Role-based access
control models control (RBAC)
• The business and security goals of an
organization will help prescribe what access
Rule-based access
control model it should use.
control
• These models are built into the core or the
kernel of the different operating systems and Attribute-based
possibly their supporting applications as well. access control (ABAC)

Risk-based access
control
 Discretionary Access Control (DAC)

The way in which a subject will access an object is guided by an access control model. A model
must be chosen to fulfill the directives of the security policy.

Can read Can read

DAC model file file

Jane John

• Access to resources will be decided by data Can write to file

Can’t write
PAYROLL FILE to file
owners. Access control list
• Jane can read and
• The access control depends on the owner’s write file
• John can read file
discretion and authorization granted to the
users.
Can’t write
• Access control lists (ACLs) are used to Can’t read file
to file
enforce the security policy.

Sam
 Mandatory Access Control (MAC)

TOP SECRET [VENUS

SECRET [ALPHA]
MAC model TANK ALPHA]

Can read Can read

Jane file John
file
• System’s security policy is enforced by the
Can write to file
operating system with the use of security labels. Can’t write
to file
• The resources have security labels that contain
data classification, and the users have security LOGISTIC FILE
clearances. Sensitivity Label

• When information classification and SECRET[VENUS

confidentiality is important, this model is used. ALPHA]
 Role-Based Access Control (RBAC)

Also known as nondiscretionary access control, access here is granted depending on the
subject’s role and designation.

Identities Role Roles Resources

RBAC model assignments Permissions

Four commonly used RBAC architectures:

• Non-RBAC

• Limited RBAC

• Hybrid RBAC

• Full RBAC
 Rule-Based Access Control

Access requests are evaluated against a specified list of predefined

rules that determine what access should be granted.

The rules are in the form of if or then statements.

They are not necessarily identity-based, that is, they can be applicable to
all the users or subjects irrespective of their identities.

Example: Routers and firewalls use rules to filter within an ACL incoming
and outgoing, defined by an administrator. The firewall examines all the
traffic going through it and only allows traffic that meets one of the rules.
 Attribute-Based Access Control (ABAC)

“An access control method where subject requests to perform operations on objects are granted or
denied based on assigned attributes of the subject, assigned attributes of the object, environment
conditions, and a set of policies that are specified in terms of those attributes and conditions.”
~ NIST

Granular policies can be Attributes provide details

established based on a for building authorization
combination of these policies, like WHO wants
attributes to grant or access to WHAT from
deny access. WHERE, WHEN, and WHY.
 Attribute Based Access Control (ABAC)

The diagram given below describes the ABAC principle.

Environment Information
User
Asset

Subject Environment Resource and

Attributes Attributes Action Attributes

Permit managers to …
PERMIT
provided that ……
if ……… or ……. DENY
unless …… Authorization
Engine
 RBAC vs. ABAC

Role-Based Access Control (RBAC) Attribute-Based Access Control (ABAC)

Access Access is based on roles Access is based on attributes
• Not well suited
Distributed • Even more difficult when subject and • Well suited to handle complex distributed
environment resource belong to different security environments
domains

Environment Does not consider environment A new rule involving an environment

attributes attributes explicitly attribute can be easily added

MAC Does not handle MAC Security labels can be treated as attributes

It can handle complex scenarios where

Complexity Simpler than ABAC contextual information needs to be
evaluated
Cost Cheaper than ABAC More costly to implement and maintain
 Risk-Based Access Control
Copyright

Risk-based access control model is a dynamic authentication method that takes into account the
security risk value related to each access request as a criterion to determine access decisions.
• Users authenticating from known devices, locations, and networks with low risk score could be
automatically signed in.
• Suspicious users are required to provide additional credentials using MFA.
• Access request with a high risk score would be denied access.

Low Risk SSO

Medium Risk MFA 1

High Risk Access Blocked X

User Profile

Information source: https://www.youtube.com/watch?v=elAHAt95QQk

 Risk-Based Access Control

Main elements of a risk-based access control model:

Risk
Factors

Access Request
Risk Access
Estimation Decision

User / Agent

Access
Policies
Manage the Identity and Access Provisioning Lifecycle
 Account Access Review

• User access review is a periodic review of access rights

for all organization's employees and vendors. This can
help identify excessive or creeping privileges.

• Service accounts are accounts created specifically to be

used by services, applications, and virtual machines.
The service accounts usually have elevated privileges
and access to business-critical applications and data.

• Policies generally dictate when these accounts should

be reviewed, deactivated, or deleted.

• Regular review or audit of the service accounts will help

identify unusual behaviors that may indicate a breach
or misuse.
 Identity and Access Provisioning Lifecycle

The identity and access provisioning lifecycle must be maintained and secured.

Deprovisioning Provisioning
• Disable an account as soon • Create new accounts
as an employee leaves • Provision them with
• Set account expiry date for appropriate rights and
temporary accounts privileges
• Delete an expired account as
per organization policy

Review
• Check accounts periodically
• Disable inactive accounts
• Check for excessive and
creeping privileges
 Role Definition

A role is defined as a set of one or more A permission is used to grant users the
permissions that can be assigned to a ability to perform an action on a
user who will inherit these permissions. resource.

Assignment of roles and permissions to

A user can belong to one or more roles. a user must follow the principle of least
privilege and need to know.
 Privileged Accounts

• A privileged account is defined as an account that has more privileges than normal user
accounts.
• Superuser accounts are highly privileged accounts, such as administrator (in Windows
environments) or root (in Unix or Linux environments).
• In Unix and Linux systems, the sudo command allows a normal user to temporarily gain root
privileges for only a single command use.
• Service accounts are accounts created specifically to be used by services, applications and virtual
machines.
• Administrators often assign full administrative privileges to these service accounts without
considering the principle of least privilege. If an attacker manages to compromise the
application, they can potentially gain full administrative privileges of the service account.
 Privilege Escalation

• Privilege escalation occurs when a malicious

user is able to gain higher level of
permissions, access, or privileges than they
have been assigned.

• Privilege escalation can occur due to

administrative oversight, through identity
theft or credential compromise, such as
keystroke capturing or password cracking.
 Privilege Escalation

Horizontal privilege escalation Vertical privilege escalation

Occurs when an attacker gains Occurs when an attacker gains access

rights and privileges of another user to an account and then tries to elevate
with similar privileges. This action is the privileges of the account.
referred to as account takeover. This is also known as a privilege
elevation attack and entails moving
from a low-level of privileged access,
to a higher level of privileged access.

Information source: https://www.beyondtrust.com/blog/entry/privilege-escalation-attack-defense-explained

 Privilege Escalation

Horizontal Privilege Escalation Attack

While each user above has only a standard
user account, each also has different spheres Sales Rep
of access that encompass different assets
and credentials. Some of those credentials
may be shared with other/assets, allowing
lateral movement and horizontal escalation. Marketing Marketing
Business
An internal horizontal escalation attack can Manager Manager
Analyst
occur between each of those accounts.
An outside attacker can also achieve
horizontal escalation by compromising one of
Director of
these accounts. Marketing

Information source: https://www.beyondtrust.com/blog/entry/privilege-escalation-attack-defense-explained

 Privilege Escalation

Vertical Privilege Escalation Attack

In this vertical escalation attack, a threat actor

moves from standard user access to an IT Help
Desk account before gaining Linux sysadmin
Linux
(root) access. Each subsequent step represents sysadmin(root)
more privileged access and an example of
IT Help desk rep
vertical privilege escalation

Standard User

Information source: https://www.beyondtrust.com/blog/entry/privilege-escalation-attack-defense-explained

 Privilege Escalation

Measures to minimize privilege escalation attacks:

Use multi-factor authentication

Minimize the number and scope

of the privileged accounts

Follow the principle of least

privilege
 Privilege Escalation

Measures to minimize privilege escalation attacks:

Enable continuous monitoring of

privileged accounts, and keep
detailed log of their activities

Analyze each privileged user or

account to identify and address any
risks, potential threats, sources,
and attacker’s intents

Prevent sharing of privileged

accounts and credentials
Implement Authentication Systems
 OpenID Connect

• It allows you to use an existing account to sign into multiple

websites without needing to create new passwords.

• You may choose to associate information with your OpenID that

can be shared with the websites you visit, such as a name or an
email address. With OpenID, you control how much of that
information is shared with the websites you visit.
OpenID
• With OpenID, your password is only given to your identity
provider and that provider then confirms your identity to the
websites you visit.

• Other than your provider, no website ever sees your password.

So you don’t need to worry about an unscrupulous or an
insecure website compromising your identity.
 OAuth

• OAuth is an open-standard authorization

protocol or framework that describes how
unrelated servers and services can safely
allow authenticated access to their assets
without actually sharing the initial, related,
and single login credentials.

• In the authentication parlance, this is known

as a secure, third-party, user-agent, and
delegated authorization.
 OAuth: Example

User
SERVICE
• The simplest example of OAuth is when you Login
login to a website and it offers one or more User Account
ID & password
opportunities to login using another website
or service login. has
Authorize
• You then click on the button linked to the User’s Data
other website, the other website
App
authenticates you, and the website you were
originally connecting to logs you in itself after
using permission gained from the second Third-party Application
website.
Continue with Google

Continue with Feedly

Continue with Facebook

 Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML)

• It is an XML standard that allows the exchange

SAML
of authentication and authorization data Components
between security domains.
• It provides the authentication pieces to the
federated identity management systems. Identity Service
Principle
• Federated identity systems often use SAML and provider provider
SPML for access needs.
• It is used to provide SSO capabilities to access
Entity Entity providing
different browsers. User requesting
authenticating service to the
access
the user user
• SAML does not have a security mode, and it
relies on TLS for message confidentiality and
digital signature for message integrity.
 Security Assertion Markup Language (SAML)

The diagram given below will help to understand SAML.

IDENTIFY PROVIDER

2
SAML

DIRECTORY

TRUST RELATIONSHIP
3 SAML
USERS
Checking Savings Credit Card
Web Browser /
Mobile Device

APPLICATIONS

SERVICE PROVIDER
 Difference between SAML, OAuth and OpenID

SAML 2.0 OAuth2 OpenID Connect

Authorization and
Purpose Authorization Authentication
Authentication

Developed by the
Developed by Developed by Twitter and
History OpenID Foundation in
OASIS in 2001 Google in 2006
2004

Data format XML JSON JSON

SSO for enterprise SSO for consumer

Use case
applications applications
 Kerberos

Kerberos is an authentication protocol used for network-wide

authentication. Kerberos:

• Is based on symmetric key cryptography

• Provides end-to-end security

• Has the following roles

 Kerberos

Key Distribution Authentication Ticket Granting

Center (KDC) Server (AS) Server (TGS)
KDC stores secret keys of all AS authenticates identities of TGS generates unique
services and users. It consists subjects on the network. session keys between two
of authentication server (AS) entities. The session keys are
and ticket granting server then used by the entities for
(TGS). message encryption.
 Kerberos Steps

When a user wishes to log on to the network and access a print server, the following steps are performed:

With a valid session key with the client, the TGS The client sends the
server responds with a client or server (C/S) tokens to the printer with
session key (second session key), which will be 05 a valid C/S session key.
04
used for printing. It will also provide a service This proves its
ticket encrypted with the printer’s key. authenticity and the
server permits the client
to print.
The KDC sends the client a
session key encrypted with After decrypting the
the client’s secret key along 02 03 session key, the client
with a Ticket Granting Ticket forwards it to TGS to get
(TGT) encrypted with the permission to print.
secret key of TGS.

Client sends authentication

01 request to authentication
server (KDC).
 Problems with Kerberos

Drawbacks of Kerberos

• A single KDC is a sole point of failure and

performance bottleneck.
• Computers must have clocks synchronized
within 5 minutes of each other.
• Secret keys are temporarily stored in the
workstation. If compromised, the identity
can be forged.
• If KDC is hacked, security is lost.
• It is vulnerable to password guessing attacks.
 Remote Authentication Dial-In User Service (RADIUS)

Remote Authentication Dial-In User Service

• Third-party authentication system
• Client or server authentication protocol used for authenticating and authorizing remote users
• Encrypts only passwords
• Runs in the application layer and uses UDP as transport
• The attribute-value pair (AVP) field uses 8 bits
• Serves three functions: authentication, authorization, and accounting

Remote User
RADIUS Database(Authorization
Protocol Server)
Remote
User
Access
Reques
t
Access
Accept
Remote Network Of Reject RADIUS
User Access
Server
Server

Remote
User
 TACACS and TACACS+

Terminal Access Controller Access Control System (TACACS):

• Is an example of centralized access control system

• For authentication, a user is required to send the user ID along with a password
• UDP port 49 is used

TACACS+:

• Allows two-factor strong authentication, which gives better password protection

• No backward compatibility with TACACS
• TCP port 49 is used
• For added protection, it can use dynamic (one-time) passwords
• More secure than RADIUS and encrypts all data
 Key Takeaways

Access controls protect systems and resources from

unauthorized access.

Identity management is the use of different products to

identify, authenticate, and authorize the users through
automated means.

Memory cards and smart cards are widely used in identity

verification.

Controls are implemented to mitigate risk and reduce the

potential for loss.

The two types of access control administrations are

centralized and decentralized.
 This concludes Identity and Access Management (IAM).

The next domain is Security Assessment and Testing.

CISSP® is a registered trademark of (ISC)²®