
27/1/2019 TestOut LabSim

2.3.1 Identity and Access Management

Identity and Access Management


One of your primary roles as a security professional is to protect the resources within your organization or company.

Now, you could accomplish this by gathering up all the company's resources, placing them in a giant safe, putting that safe in an even bigger safe,
and, for good measure, dropping it in the deepest part of the ocean. Your data is secure, and you can sleep soundly. Right? Of course not.

In the real world, those resources need to be accessed daily by employees, third parties, customers, and sometimes even the public.

Balancing Access
Because of this, we can't just lock up our resources. Instead, we need a system that allows us to keep those resources secure, while also enabling
us to control and manage access. And to effectively manage this system, you need to understand the different components and concepts it uses.

Identification
The first concept we'll look at is identification. Many people confuse identification with authentication, but these are two distinct concepts.

Identification is merely the act of claiming an identity. For example, when you tell someone your name, you are identifying yourself. Your
identification is your name. Similarly, in the computer world, a username is a form of identification. It's a piece of information used to identify a
certain user.

Identification by itself isn't secure at all. Anyone could claim to be you. To substantiate a claimed identity, the person must provide some
verification that proves they are who they say they are.

Authentication
They can do this through an authentication process, which is the second concept you should understand.

Authentication is the process of proving an identity. It's confirming they are actually who they say they are. For example, showing someone your
driver's license or passport in order to prove your identity is the process of authentication.

In the computer world, this is accomplished by providing some piece of information that only the actual user can provide. There are several
different types of computer system authentication, and they are broken down into five different categories.

We'll go into much more detail about the various types of authentication in a later lesson. But for now, just know that the five categories are 1)
something you are, 2) something you have, 3) something you know, 4) somewhere you are, and 5) something you do.

Examples of something you are include biometric information, such as a fingerprint or retina scan. Something you have covers things like smart
cards, RSA tokens, or security key fobs. You should already be familiar with something you know, which covers passwords and PINs.
Somewhere you are is based on your geographical location. And something you do can include things like the way you type a sentence on a keyboard.

A key point to understand is that identification alone is not enough. Identification without authentication doesn't provide security. The
identification and authentication process should be completed before granting access to a given network or network resource.
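As an added example (not part of the TestOut lesson), the following Python sketch keeps the two steps apart: identify() only answers whether a claimed username exists, while authenticate() checks a "something you know" factor against a salted PBKDF2 hash, and grant_access() gives nothing until both succeed. The user store, iteration count and usernames are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store, username -> (salt, PBKDF2 hash).
# A real system would use a directory or database; this is an assumption.
_USERS: dict = {}

# PBKDF2-HMAC-SHA256 work factor (assumed value; tune for your hardware).
ITERATIONS = 200_000


def _derive(password: str, salt: bytes) -> bytes:
    """Stretch the password so offline guessing is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a per-user salt and the derived hash; the plaintext is never kept."""
    salt = os.urandom(16)
    _USERS[username] = (salt, _derive(password, salt))


def identify(username: str) -> bool:
    """Identification: the caller merely claims an identity.

    True only means the claimed name is known to the system. It proves
    nothing about who is asking and grants no access on its own.
    """
    return username in _USERS


def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the 'something you know' factor for the claim."""
    record = _USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so the timing of a
        # failure does not reveal which usernames exist.
        _derive(password, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, salt), stored)


def grant_access(username: str, password: str) -> str:
    """Access is granted only after identification AND authentication succeed."""
    known = identify(username)                  # step 1: is the claim recognised?
    proven = authenticate(username, password)   # step 2: is the claim proven? (always runs)
    if not (known and proven):
        # Same message for an unknown user and a wrong password, so the
        # response itself cannot be used to enumerate accounts.
        return "access denied"
    return f"access granted to {username}"


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(grant_access("alice", "correct horse battery staple"))
    print(grant_access("alice", "wrong password"))
    print(grant_access("mallory", "anything"))
```

The point to take from the code is that identify() returning True changes nothing about what the caller may do; only the proof step moves the decision from "denied" to "granted".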

Mutual Authentication
The next concept to understand is mutual authentication. Mutual authentication is when two communicating entities authenticate each other
before exchanging data.

Unlike traditional one-way authentication, where only the server authenticates the user, mutual authentication requires not only that the server
authenticate the user but also that the user authenticate the server. That is, the server must prove its identity to the client as well. Only after both
checks succeed does the data exchange take place. Without the second check, a client has no way to tell a genuine server from an impostor that
simply accepts whatever credentials it is sent.

Transitive Trust
Another concept you should know is transitive trust. Transitive trust means that trust flows through an intermediary: if A trusts B, and B trusts C,
then A also trusts C, without A and C needing a direct relationship of their own.

For example, Microsoft Active Directory uses transitive trusts within a forest: the trusts between a parent domain and its child domains (and
between the root domains of each tree) are two-way and transitive, so an authenticated user in one domain can be granted access to resources in
another domain of the same forest by way of the parent domain, without every pair of domains needing its own trust. We'll go into much more
detail about transitive trust in a later lesson, but for now, just understand the concept.
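To make the A-B-C rule concrete, here is an added Python example (not the lesson's own material) that computes which domains a given domain ends up trusting. The domain names and trust topology are constructed: parent-child trusts inside the forest are marked transitive, and one external trust to a partner domain is marked non-transitive, so trust does not flow onward through it. The convention used is that "A trusts B" lets accounts from B be granted access to resources in A.

```python
from collections import deque

# Constructed trust topology (an assumption, not a real forest).
# Each entry is (trusting domain, trusted domain, transitive?).
# Parent-child trusts inside an AD forest are two-way and transitive;
# an external trust to a foreign domain is typically not.
TRUSTS = [
    ("corp.example.com", "eu.corp.example.com", True),
    ("eu.corp.example.com", "corp.example.com", True),
    ("corp.example.com", "us.corp.example.com", True),
    ("us.corp.example.com", "corp.example.com", True),
    ("us.corp.example.com", "partner.example.net", False),  # external, non-transitive
]


def trusted_by(domain: str, trusts=TRUSTS) -> set:
    """Every domain that `domain` ends up trusting.

    Transitive edges are followed through intermediaries (A trusts B,
    B trusts C, so A trusts C). A non-transitive edge is honoured only by
    the domain that holds it, and trust never flows onward through it.
    """
    reachable = set()
    expanded = {domain}          # domains whose outgoing trusts we will walk
    queue = deque([domain])
    while queue:
        current = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting != current or trusted == domain:
                continue
            if not transitive and current != domain:
                continue         # reached via an intermediary: non-transitive edge does not apply
            reachable.add(trusted)
            if transitive and trusted not in expanded:
                expanded.add(trusted)
                queue.append(trusted)   # keep walking only along transitive edges
    return reachable


def can_access(user_domain: str, resource_domain: str) -> bool:
    """A resource domain authorises a foreign account only if it trusts the
    account's home domain, directly or through the transitive chain."""
    return user_domain == resource_domain or user_domain in trusted_by(resource_domain)


if __name__ == "__main__":
    for d in ("eu.corp.example.com", "us.corp.example.com", "partner.example.net"):
        print(d, "trusts", sorted(trusted_by(d)))
```

With this topology a user from us.corp.example.com can reach resources in eu.corp.example.com through the parent domain, but an account from partner.example.net is only usable in us.corp.example.com, the one domain that holds the external trust.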

Access Control Best Practices


Let's talk about some access control best practices. One of the most important security principles is the principle of least privilege. This means
giving each user or group of users only the access necessary to do their job or perform their official duties, and nothing more. It limits what an
attacker gains by compromising any one account and prevents privilege creep, where users accumulate privileges that are unauthorized or
unnecessary for their role.

Very similar to this is the concept of need to know. It describes the restriction of data that is highly sensitive and is most often used in
government, military, or intelligence contexts. The idea behind need to know is that even if you hold the clearance required to access specific
information, access is still withheld when that information is unnecessary for your current official duties. Need to know discourages casual
browsing of sensitive materials.

Related to the principle of least privilege is the concept of implicit deny. Under implicit deny, any user or group that has not been explicitly
granted access to a resource is denied access to it by default: if you are not on the list of users who have access, the answer is no.

Another access control best practice is separation of duties. This is the concept of requiring more than one person to complete a sensitive task, so
that multiple individuals share responsibility for the operation of a system. No one person has end-to-end control, and no one person is
irreplaceable. Because a single insider can no longer carry out the whole task alone, this helps deter insider fraud and other insider attacks.
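The implicit-deny and separation-of-duties rules above, as one added Python example (not code from the lesson): the policy consists only of explicit allow entries, so any user, action or resource not listed is denied, and approving a payment is refused when the approver is the same person who created it, even if that person holds both roles. Group names, users, actions and the payment workflow are constructed for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed groups and users (assumptions for the demo). "frank" sits in
# both accounts-payable groups to show that separation of duties still
# applies to someone who holds both permissions.
GROUP_MEMBERS = {
    "ap-clerks": {"bob", "carol", "frank"},
    "ap-managers": {"dana", "frank"},
    "auditors": {"erin"},
}

# The policy holds explicit ALLOW entries only, as (group, action, resource).
# Least privilege: clerks create payments but cannot approve them; managers
# approve but cannot create; auditors only read.
ALLOW = {
    ("ap-clerks", "create", "payment"),
    ("ap-managers", "approve", "payment"),
    ("auditors", "read", "payment"),
}


def groups_of(user: str) -> set:
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def is_allowed(user: str, action: str, resource: str) -> bool:
    """Implicit deny: True only when an explicit allow entry matches.
    An unknown user, an unlisted action or an unlisted resource all fall
    through to the default answer, which is no."""
    return any((g, action, resource) in ALLOW for g in groups_of(user))


@dataclass
class Payment:
    created_by: str
    approved_by: Optional[str] = None


def create_payment(user: str) -> Payment:
    if not is_allowed(user, "create", "payment"):
        raise PermissionError(f"{user} may not create payments")
    return Payment(created_by=user)


def approve_payment(user: str, payment: Payment) -> Payment:
    if not is_allowed(user, "approve", "payment"):
        raise PermissionError(f"{user} may not approve payments")
    # Separation of duties: completing a payment needs two distinct people,
    # so the creator may not approve their own work even if they hold the
    # approve permission.
    if user == payment.created_by:
        raise PermissionError(f"{user} cannot approve a payment they created")
    payment.approved_by = user
    return payment


def run_scenario() -> List[str]:
    """Walk through the workflow and record each decision as text."""
    log: List[str] = []

    def attempt(label: str, fn, *args) -> None:
        try:
            fn(*args)
            log.append(f"{label}: allowed")
        except PermissionError as err:
            log.append(f"{label}: denied ({err})")

    payment = create_payment("frank")                      # clerk role: allowed
    attempt("frank approves own payment", approve_payment, "frank", payment)
    attempt("dana approves frank's payment", approve_payment, "dana", payment)
    attempt("dana creates a payment", create_payment, "dana")
    attempt("mallory creates a payment", create_payment, "mallory")   # in no group at all
    return log


if __name__ == "__main__":
    print("\n".join(run_scenario()))
```

Note that there is no deny list anywhere in the policy: mallory is refused not because a rule names her but because nothing does, which is exactly what implicit deny means.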

Another access control best practice is job rotation. This is a cross-training technique that makes collusion and long-running fraud among staff
harder to sustain: staff are rotated through different functional areas, so they can detect fraud and provide oversight of the transactions their
predecessors handled. Job rotation can also serve a training purpose, helping someone learn the ropes of the company.

Summary
That's it for this lesson. We've discussed some important identity and access management concepts that security professionals need to
understand. We finished by looking at some of the best practices of access control.

TestOut Corporation All rights reserved.

https://cdn.testout.com/client-v5-1-10-551/startlabsim.html 2/2
