This post serves as a review for the domain 5 of the CISSP. This domain covers identity and access .
Before we start, here is a list that will help you navigate through the different sections of this domain review.
- Identification and Authentication.
- Federated Identity Management.
- Identity and Access Provisioning Lifecycle.
Identification and Authentication
There are three types of authentication factors :
- Type 1 : Something you know.
- This is the weakest type 1 form.
- You should never store passwords in plain-text. Only their hash is stored, and preferably it should be salted (In combination with a secret string).
- Security questions
- Also weak.
- Type 2 : Something you have.
- Badges and smartcards
- Tokens : Displaying One-Time Passwords.
- Soft Tokens : Mobile phone applications.
- Risk of loss and theft.
- Revocation procedures should be in place.
- Type 3 : Something you are.
- Body weight
- Hand geometry
- Palm vein recognition
- Voice recognition.
- Retina : Can reveal info about medical conditions.
- Facial recognition
- Signature dynamics
- Keystroke dynamics
- Type I – FRR : False rejection rate.
- Type II – FAR : False acceptance rate. (This is worst than FRR)
- CER (Crossover Error Rate), also EER (Equal Error Rate) : When FRR=FAR.
You can either have one of the three factors. In this case, you are using a single factor authentication.
If you are using more than one factor, then this is called multi-factor authentication.
Remember that a username only ensures identification, and not authentication.
NIST 800-63 defines three assurance levels for registration and identity proofing :
- IAL 1: Identity is self-asserted.
- IAL 2 : Remote or in-person identity proofing.
- IAL 3 : In-person Identity proofing. Verification by a Credential Service Provider (CSP).
Federated Identity Management
When talking about federated identity management, there are three solutions that are used
- Three roles :
- Identity Provider.
- Service Provider.
- User / Principal.
- Components :
- SAML do not provide authentication.
- Three roles :
- OAuth 2.0
- Provide only authorization, and not authentication.
- Components :
- Authorization server.
- Client application
- Resource owner.
- Resource server.
- Provide authentication and authorization/
IDaaS is when identity is managed as a service by a third-party, to allow single sign-on between different applications.
The most common way for implementing Single Sign-On (SSO) within an organization is using Kerberos.
These are the key components of Kerberos:
- KDC (Key Distribution Center). Include two services:
- AS (Authentication Server)
- TGS (Ticket Granting Server).
- TGT (Ticket Granting Ticket) is a ticket issued by the AS to the client. The client canuse it to request a ticket from the TGS.
- SS (Service Server) : The service that the client wants to access.
Sesame is another solution comparable to Kerberos, but it is not used as often.
Here are some access control models that define how authorization is granted to subjects:
- DAC (Discretionary Access Control)
- The rights to access a resource is under the discretion of the owner.
- MAC (Mandatory Access Control)
- Strict and follows the security policies.
- NDAC (Non-Discretionary Access Control)
- Example : Lattice-Based Models (Bell-LaPadula and Biba) are MAC methods.
- The rights to access a resource are based on the roles within the organization.
- Rights are assigned to roles, not users.
- The rights to access a resource are based on a list of rules.
- Example : Firewall rules.
- The rights to access a resource are based on policies that combine attributes.
- More flexible.
Logging can enforce accountability. Logs should therefore always be protected by separate credentials.
To ensure their integrity, you should apply WORM controls : Write Once Read Many.
Identity and Access Provisioning Lifecycle
Access provisioning lifecycle goes through the following process:
- Provision an account.
- Apply permissions.
- Modify permission.
- De-provision the account.
Reviews should be conducted for both user and system accounts. Reviews should be conducted more often for privileged accounts.
When privileges are accumulated as a result of an employee changing positions during the years. Rights are granted, but when they are not needed anymore, they do not get revoked. This is called Privilege creep.
We have now gone through all items that are covered in the domain 5 of the CISSP. If you notice that there is some important concept that I have forgotten to mention in this review, please let me know in the comments below.