Identity and Access

Management
General Aspects
• Object
• A passive entity that contains information or functionality
• Subject
• A user, program or process that requests access to an object or the
data within an object
• Access
• The flow of information between a subject and an object
• Access control
• Security features that control how user and systems communicate with
each other and the resources
• Access control systems need to applied in a layered defense-in-depth
method
• It is the extremely important first line-of-defense
General Aspects
• Identification
• Describes a method by which a subject claims to have a specific identity
• It is the assertion of unique identity for a person or system
• It is the critical first step in applying access control
• Can be provided by the use of username or account number etc

• Authentication
• Describes a method to validate a subject claims of who it claims it to be
• Authentication involves two step process; entering the public information (identification)
and then entering the private information
• It establishes trust between the user and the system for the allocation of privileges
• Authorization
• Providing access to an authenticated resource based on its rights
• Identification and Authentication are “All or nothing” aspects of access
control, in contrast authorization occupies a wide range of variations
• Accountability
• Keeping a track of actions performed by the subject on an object
• Identification and auditing are the key aspects for ensuring accountability
• Accountability relies on identification and authentication, but it does not
require effective authorization

Authorization Identification
provides provides
control uniqueness

Authentication
provides validity
General Aspects
• Permissions
• Access granted to subject for an object and determines what you can
do with it – tagged to object

• Rights
• Ability to take an action on an object – tagged to subject

• Privileges
• Its is a combination of permissions and rights
Identification and Authentication
• Three general factors for authentication
• Something a person knows (knowledge)
• Something a person has (ownership)
• Something a person is (characteristic)
• Use of more than one factor is called multi-factor authentication
• Multi-factor authentication is the most secure authentication mechanism
• 1:1 Verification
• Measurement of an identity against a single claimed identity
• Access card

• 1:N verification
• Measurement of an identity against multiple identities
• Fingerprint database

• Mutual Authentication
• Two communicating entities must be authenticated to each other before passing data
Identity Proofing and Registration
• Process of collecting and verifying information about a person for the
purpose of providing an account, credential
• It is performed before an account is created or the credential is issued or
special privilege is granted
• It is more lengthy the first time it is created
• FIPS 201-2 is the identity verification chain-of-trust for federal agencies
• Chain-of-trust assures all parties involved, that each participating entity followed a
vetting process to securely and accurately validate an individuals' identity

• Registration happens once Identity Proofing is completed

Authentication Factors
Factor Attribute Characteristic
Knowledge • Based on what is known by the user • Too many factors have to be
Type 1 • Most common authentication option remembered
• Subject has to remember the attribute • If it is shared, the secrecy is lost
• Eg: password, PIN, Passphrase • It is the least expensive method

Ownership • Based on something the user has in • Most commonly used in facility or
Type 2 possession building access control
• Eg: Access card, smart card, ID card • If lost or stolen, it can result in
un-authorized access
Characteristic • Based on physiological and behaviour • It is considered intrusive
Type 3 of a user • It is expensive compared to other
• Eg: Biometric, signature dynamic methods
• It is reliable than other methods
Place • Somewhere you are, based on the • It isn’t reliable on its own, but
place or identifier of the source effective when used in
• Eg: IP based, Geography based combination with other factors
Identification Process
• Creating and issuing identity should involve 3 aspects
• Uniqueness
• The identifiers must have a unique identity to be accountable

• Non-descriptive
• Neither piece of the credential set should indicate the purpose of the account

• Issuance
• Another authority should be providing the identity after proper verification
Identity Management
• Management of uniquely identified entities, their attributes, credentials
and entitlements
• IdM allows organizations to create and manage digital identity life cycles
in a timely and automated fashion
• Goals of IdM technology are:
• Streamline management of identity, authentication, authorization
• Auditing of subjects on multiple systems throughout the organization
IdM - Directories
• Directories contain information pertaining to the companies network resources and users
• It is a specialized database software that is optimized for reading and searching functionality
• It is the main component of an identity management solution
• Most directories follow X.500 standard based hierarchical database format and LDAP as the protocol
• LDAP allows subjects and objects to interact with each other
• SASL (Simple Authentication and Security Layer) for LDAP provides support for a range of
authentication types.
• Directory service
• Manages the entities and data in a directory and also enforces the configured security policy
• It allows administrators to configure and manage how IAA and access control take place
• Active directory is a directory service in windows environments
• It assigns distinguishing names (DN) to each object
• Each DN represents the collection of attributes specific to the object
• Eg: cn:karthikeyan Dhayalan, dc=CyIntegriti,dc=com
Directory Types
Meta-directory Virtual Directory
• Gathers the necessary information from • Gathers the necessary information from
multiple sources and stores it in one central multiple sources and stores the pointers in
repository one central repository

• Synchronizes itself with all identity sources Synchronizes itself with all identity sources
periodically to ensure the up-to date periodically to ensure the up-to date information
information is being used by all applications is being used by all applications

• Physically has the identity data in its • Does not have the identity data, instead only
directory has pointers to where the actual data resides
X.500 Based Directory

• The following rules are for organizing objects in directories that are
based on X.500
• Tree structure directory to organize the entries in a parent-child configuration
• Each entry has an unique name made up of attributes of a specific object
• The attributes are dictated by a defined schema
• The unique identifiers are called distinguished names

• Schema
• It describes the directory structure and what names can be used within the
directory
X.400 Standard

• Set of guidelines for the message handling systems (email)

• The protocol supports two primary functions
• Message Transfer
• Message Storage

• The addresses consist of a series of name/value pairs separated by

semicolons
IdM - Web Access Management

• Controls, what users can access using web browser when accessing
web based enterprise assets
• The WAM software is the gateway between users and the corporate
web-based resources
• This type of access control is commonly put in place to control
external entities requesting access to corporate web based
resources
Single-Sign On

• Allows the user to login one time and then access resources in the
environment without having to authenticate again
• SSO software intercepts requests from network resources and fills in
the necessary identification/authentication information for the user
• If the attacker uncovers the credential, all access will become
available
• It is also a bottleneck or single-point of failure
• It is expensive to implement in large complex environments
IdM - Account Management

• Deals with creating user accounts on all systems, modifying the

account privileges, and decommissioning the accounts
• Automated workflow component is common in account management
products
• It reduces the potential errors that can take place in account management

• Account management products are used to setup and maintain

internal accounts
IdM - Provisioning
• Authoritative Source:
• A “system of record” or location where identity information originates and is maintained
• It should have the most up-to-date and reliable information
• Authoritative system of record
• Hierarchical tree like structure that tracks subjects and their authorization changes
• It should contain the subjects name, associated accounts, authorization history per account and
provision details

• User provisioning refers to the creation, maintenance, deactivation of user

objects and attributes as they exist in one or more systems
• User provisioning software components
• Change propagation, self-service workflow, consolidated user administration, delegated user
administration and federated change control
• It is through provisioning that users are given access or access taken away
IdM – Biometrics
• It is one of the most accurate and effective ways of verifying identification
• False Rejection Rate (Type 1)
• When the system rejects an authorized user from authentication
• False Acceptance Rate (Type 2)
• When the system allows an un-authorized user to successfully authenticate
• Cross over Error Rate (Equal Error Rate)
• Represents the point at which FRR and FAR meet
• It is expressed in %
• Most important measurement in determining the system’s accuracy
• When the biometric is too sensitive Type 1 errors are common, when it is not
sensitive enough Type 2 errors can happen
• Type 2 errors are the most dangerous and hence should be avoided
IdM – Biometrics
• The stored sample of biometric data is refered as “Reference Template” or “Reference Profile”

• Declaring a match or no match is based on acquired template being similar, but not identical

• Some biometric systems also check for liveness detection

• Some of the drawbacks are

• Cost ~ it is comparatively more expensive than other mechanisms

• User Acceptance ~ intrusive biometric models are not preferred by users

• Throughput ~ time it takes to authenticate an user may be long

• Enrollment time ~ time and effort needed to enroll an user is long

IdM – Biometrics
Biometric Type Characteristic
Fingerprint • Focuses on the distinctiveness of the ridge endings and the bifurcations exhibited by
friction ridges
• Most common biometric system
• Stores the full fingerprint, hence takes up HDD space and resources
Finger-scan • Extracts specific features from the fingerprint and stores only that
• Takes up less space and allows for quicker Database queries
Palm scan • Looks at the creases, ridges and grooves throughout the palm
• It includes the fingerprints of each finger
Retina scan • Scans the blood-vessel patterns of the retina on the backside of the eyeball
• It is an extremely invasive method, since the information collected can be used in
diagnosis of medical condition, it involves a number of privacy issues
• It is the most accurate Biometric access method
• Used in high-end security applications, such as military bases and nuclear power plants
Iris scan • Analyses the coloured portion of the eye that surrounds the pupil
• It is the second most accurate Biometric access method
• It is more acceptable than Retina scans because there are no privacy concerns
• When using Iris system, it is important that sun rays do not directly shine into the aperture
• Throughput time is around 2 seconds, hence if number of people need to authenticate in
short period of time, it will become bottleneck
 Biometric Type Characteristic
Signature dynamics • Writing signature produces electrical signals that can be captured by a biometric
system
• Signature dynamics provides more attributes than a static signature
• It relies on pen pressure, stroke pattern, stroke length, does not rely on speed at which
the written sample is created
Keystroke dynamics • Captures electrical signals when a person types certain phrases
• It is more effective than typing a password
Voice pattern • Captures a voice print and compares it with the reference database
• Used as an additional authentication mechanism; rarely used by itself
• Less expensive compared to other technologies; synthesizer should be placed in an
area where the voice is not disturbed
Facial scan • Scans the bone structure of face, nose ridges, eye widths, forehead size and chin
shapes
Hand topography • Looks at different peaks and valleys of the hand, along with the overall shape and size
• It is not unique enough to authenticate itself and hence is used in conjunction with
hand geometry
Hand Geometry • Focuses on the shape, length and width of each the hand and each fingers
• The speed of recognition is more rapid than fingerprint recognition. But tends to give
higher false accept rates than fingerprint recognition

Heart/Pulse Patterns • Measures the pulse or heartbeat of a real person

• Employed as a secondary authentication method
IdM – Password Hacking techniques
Technique Characteristic
Electronic monitoring • Listening to network traffic to capture authentication
(replay attack) information
Access the password file • Usually done on the authentication server
• Capturing the file will give access to many users
password
• Has high damage potential
Brute-force attack • Performed through automated tools that cycle many
possible combinations on the password dump

Dictionary attack • Thousands of dictionary words are compared to a users’

password for a successful match
Social Engineering • Falsely convincing an individual to share authentication
information
Rainbow table • Attacker uses a table that contains all possible
passwords in a hash format
Password Protection
• Some of the controls to prevent password hacking are
• After successful login, popup message capturing the last login data, time and
source IP
• Introduce clipping levels, beyond which the ID should be disabled or notification
sent
• Have a finite password lifetime
• Have complex and practical password
• Using salts to randomize the hashes
• Salts are random values added to the encryption process to add more complexity and
randomness
IdM - Password Management
• Composition Passwords
• System generated passwords for initial user creation accounts; it includes two or
more unrelated words together with a number of symbol in between
• They are easy to generate but should not be used for extended period of times,
they are vulnerable to password-guessing attacks
• Common Password Management Approaches
• Password Synchronization
• Password is synchronized across applications; reduces the complexity of remembering
multiple passwords
• Self-service password reset
• Helps the user to reset the password using cognitive passwords; helps reduce support desk
call volumes
• Assisted password reset
• Allows support desk to validate the user before allowing password resets;
Password Management - Synchronization

• Synchronizes the password to other systems and applications

transparent to the user
• Goal is to require the user to remember only one password
• The user has to enter the same password for each application to be
accessed
• If the password is lost all application access is compromised
Cognitive Password / Composition Password
• Cognitive Password
• Fact or opinion based information used to verify an individual
• This authentication model is best for a service a user does not use more commonly
• Care should be taken to ensure the authentication attributes are not publicly
available

• Composition Password
• System generated password which includes two unrelated words joined together
with a number or symbol in between
• These are easy for systems to generate but their lifetime should not be for longer
periods because they are vulnerable for password guessing attacks
IdM – One-time password

• It is also called dynamic password

• It is used in environments that require high level of security

• Token device is the most common implementation of OTP

• Common implemented in 3 formats

• Dedicated physical device with a small screen to display the OTP
• A smart phone application
• A service that sends sms message to phone
Passphrase
• It is a sequence of characters that is longer than a password and, in
come cases, takes the place of password for authentication

• During the authentication process, the passphrase is transformed to

a length and format that is registered with the application. This new
character set is called the virtual password

• A passphrase is more secure than a password because it is longer

and harder to crack
Credential Manager
• Credential manager can obtain its information in two ways
• Explicit Creation
• When users enter a username and password for a target computer or domain, the
information is stored and used when the users attempt to log on to an appropriate
resource

• System Population
• When system connects to a resource, it supplies the current username and
password, if this is not sufficient CM attempts to supply username and password. All
stored username and passwords are examined from the most specific to the least
specific as appropriate.
Token Device

• A hand held device that has an LCD display and possible keypad

• The token device and the authentication service must be synchronized in some
manner to be able to authenticate a user

• They come in two types

• Synchronous tokens
• Asynchronous tokens

• This type of system is vulnerable to MITM, masquerading attacks

• But is not vulnerable to electronic eavesdropping, sniffing, or password guessing

Token Device – Synchronous

• Synchronizes with the authentication device by using time or counter

• Time-based
• The token device and the authentication device must hold the same time within their
internal clocks
• Time value on the token device and the secret key is used to generate the OTP
• Counter (event) based
• Token device and authentication server advance to next authentication value based
on counter
• The counter value and base secret is used to create the OTP
• In both the options, it is imperative the token device and the
authentication server has the same secret key
Token Device – Asynchronous
• This method employs a challenge-response scheme to authenticate
the user
• Does not use a clock synchronization
• Working model
• Authentication server sends a challenge (nonce) to user
• The user enters this random value into the token
• Token encrypts it and returns the OTP
• User sends the OTP along with username to the authentication server
• Authentication decrypts the value and if it is the same challenge value sent
earlier the user is authenticated
Device Fingerprinting
• With BYOD prevalent, new type of access control is device
fingerprinting
• Captures the key attributes of the device and maps it with a user
• The user has to enroll the device first time, when attributes like OS,
web browser, plug-in, time zone, screen resolution, cookie settings
and HTTP headers are captured
Memory Cards

• Memory cards can hold information but cannot process it

• They are used to hold authentication information

• They require a reader to process the information

Smart Cards
• Smart card has microprocessor and integrated circuits incorporated into the card

• It has capability to process information by itself

• US Government personnel are required to carry Common Access cards (CAC) or

Personal Identity verification cards (PIV).

• Two categories of smart cards

• Contact based
• The card needs to be placed in contact with the card reader which will supply power and data I/O to the device

• Contactless based
• The smart card has an antenna wire that surrounds the perimeter of the card
• Antenna generates enough energy to power the internal chip
• They are resistant to reverse-engineering and tampering attacks
• They are costlier than normal overhead of card generation
Smart Card Attacks
• Fault Generation Attacks
• Introducing computational errors into the cards with the goal of uncovering the
encryption keys used and stored in the cards
• Some methods include, changing the voltage, clock rate, temperature fluctuation
• Attacker analysis the encryption process with induced error against the correct
results; the results help reverse engineer the encryption process, revealing the key
• Side channel Attacks
• These type of attacks are used to uncover the sensitive information about how they
work without compromising any type of flaw.
• They are primarily used for data collection
• Differential power analysis – examines the power emissions during processing
• Electromagnetic analysis – examines the frequencies emitted
• Timing – how long a specific process takes to complete
Smart Card Attacks
• Software attacks
• Considered non-invasive attacks
• Attack involves inputting instructions into the card to extract information from
the card (primarily account information)
• Good example is the PoS machines are used to swipe money
• Microprobing
• More intrusive attack
• Involves using needles and ultrasonic vibrations to remove the protective
covering over the circuits
• Once removed, data can be extracted by directly tapping into the ROM chips
Radio-Frequency Identification (RFID)
• Technology that provides data communication over the use of Radio
waves
• Two components are involved – Tag and Reader
• Tag has an integrated circuit for storing and processing data,
modulating and demodulating the RF signal
• Reader has built-in antenna for reading and receiving the signal
• This technology can be integrated into smart cards or other mobile
transport technologies for access control purposes
• Security Issue:
• Data can be captured as it passes between tag and reader
• Encryption is not common because RFID is implemented in technologies that
has low processing power
Authorization
• Access Criteria
• Granting access to subject should be based on the level of trust and the
need-to-know
• Can be enforced by roles, groups, location, time and transaction types
Role Based The role is based on job assignment or function
It is an efficient way of providing access for user who performs a certain
task
Group Based Combining users to a group and providing access to the group instead of
individual users
Another effective way of assigning access control rights
Physical or Logical Providing access based on the location of the subject
location Eg: Geo based access, IP based access
Time of day Access restrictions are based on the time of the day or the creation date
(Temporal Isolation) of a file, lifetime for a object
Eg: lean hour access restrictions;
Transaction-type Can be used to control what data is accesses during a certain type of
function and what commands can be carried out on the data
Authorization
• Default to No Access
• If nothing has been specifically configured for the subject, the subject should not have implicit access to any
resources
• Access control to default to blocking all requests until a valid access is provided for the subject ~ implicit
deny rule
• Need to Know
• Subjects should be given access only to the information that they absolutely require for performing their job
duties
• It is similar to least-privilege function
• It is the management’s responsibility to decide on the access rights of the user and how the
access is authorized
• Excessive Privileges
• Occurs when users have more privileges than their assigned work tasks dictate.
• Authorization Creep (creeping privileges)
• Accumulation of excessive rights over time as the user is assigned more and more access rights and
permissions
• Enforcing least privilege will help in addressing this problem.
• Authorization creep results in excessive privileges
• Account reviews are effective at discovering Creeping privileges and excessive privileges
Single Sign-On (SSO)
• It allows a user to enter their credentials one time and access all pre-
authorized resources within the domain
• It improves security by reducing the need for the user to remember
multiple passwords
• It reduces the administrator overhead on time managing the user
accounts
• Major Disadvantage:
• If the credential gets into the hand of the attacker, he has access to all the
resources within the domain; kind of single point of failure
• Single Sign-on Technologies
• Kerberos, Security domains, directory services, thin clients
Kerberos
• Kerberos is a de facto authentication standard for heterogeneous
networks and used in distributed environments
• Its an authentication protocol
• It works on a client/server model
• Uses Symmetric key algorithm
• It has 4 elements necessary for enterprise access control
• Transparency, reliability, scalability, security
• It provides end-to-end security
• Most Kerberos authentications work with shared secret keys, it eliminates
the need to share the passwords over the network
• Trust is the foundation of Kerberos security
• They are extremely time sensitive and often require NTP
Kerberos - components
• Key Distribution Centre (KDC)
• It is the most important component
• It holds all users and services secret keys
• Kerberos 5 uses symmetric AES encryption protocol
• It provides authentication as well as key distribution service
• It provides confidentiality and integrity for authentication traffic using end-to-end encryption and helps prevent
against eavesdropping and replay attacks
• Clients and services must trust the integrity of the KDC
• It provides security services to principals (users, services, applications)
• The KDC must have an account and share a secret key with each principle
• When a KDC provides security services to a set of principles it is called realm
• One KDC can be responsible for one realm or several realms
• Realms are used by administrator to group users or services
• Kerberos is a open protocol allowing vendors to manipulate it to work properly within their products

• Ticket Granting Service (TGS)

• A component within KDC
• Ticket is generated by the TGS
• The ticket enables one principle to authenticate with another principle
Kerberos - components
• Authentication Server
• Hosts the functions of the KDC: Authentication service (AS) and a Ticket granting Service
(TGS)
• Ticket Granting Ticket (TGT)
• Provides proof that a subject has authenticated through a KDC and is authorized to request
tickets to access other objects
• TGT is encrypted and includes a symmetric key, an expiration time and the user’s IP
address
• Subjects present the TGT when requesting access to objects
• Ticket
• Is an encrypted message that provides proof that a subject is authorized to access an object
• It is sometimes called a service ticket (ST)
Kerberos – Authentication Process
• The principal and KDC share a secret key that is static
• The principals share a session key that is dynamic, this key is generated once
the principals authenticate each other
• At no point will the passwords be shared over the network
• When the user logins to the system, the Kerberos client in the system sends the
username to the KDC
• AS service in KDC verifies the Username in its database, creates a session key
encrypts it with the users’s password hash and sends it back to the client
• If the client can decrypt it with the hash of the user password that was entered,
the user is authenticated to the system
• KDC also sends a time-stamped TGT to the client; this gives the client the
authenticator to use any other resource in the network
Kerberos – weakness
• KDC an be a single point of failure; if KDC goes down no one will be able to
access any resource. It must have redundancy
• KDC must be able to handle large volumes of requests in a timely manner. Ti
must be scalable
• Secret keys are temporarily stored on the users machine
• Session keys are decrypted and stored on the users machine.
• Kerberos is vulnerable to password guessing, KDC does not know if a dictionary
attack is taking place
• Network traffic is not protected if encryption is not used
• Keys are too short and vulnerable to brute-force attacks
• It needs all client and server clocks to be synchronized
Security Domains

• Domains are a set of resources available to the subjects within this logical
structure and are working together under the same security policy

• Different domains are segregated by logical boundaries

• Domains can be architected in hierarchical manner that dictates the relationship

between the different domains and the ways in which subjects within the
different domains can communicate

• Subjects can access resources from domains of equal or lower trust

Directory Services
• It is another single sign-on technology

• A network directory service contains information about the different resources and the
subjects.

• The directory service develops unique distinguishing names for each object and
appends the corresponding attribute to each object as needed

• The directory service enforces a security policy to control how subjects and objects
interact

• Directory service based on X.500 standard uses LDAP protocol for access request
management

• Eg: LPAP, Microsoft AD, NetIQ eDirectory

Thin Clients

• Diskless workstations that do not have capability to store much information

depend on a central server for logon as well as network resource use

• Users are authenticated only to the central server and then are provided access
to all authorized and necessary services
Digital Identity

• A digital Identity is made up of attributes, entitlements and traits

• Attributes can be department, role in the company, shift timing, clearance etc

• Entitlements can be resources available, authoritative rights etc

• Traits can be biometric information, height, sex etc

Federation

• A portable identity that can be used across business boundaries

• It allows a user to be authenticated across multiple enterprises

• A federation can be composed of multiple unrelated networks within a single

organization or multiple organizations sharing a common resource

• Members of the organizations match the user identities within an organization to

federated identities

• Federated Identity management systems use SAML and SPML to meet the
requirement for common language between organizations identity process
Federated Identity management Process

• Cross-certification model
• Each entity must authenticate with every other entity is worthy of its trust
• The biggest problem is the scalability issue when more entities start
participating
• Trusted third party model (bridge model)
• Each of the participating entity subscribes to the standard and practices of a
third-party that manages the verification and due diligence process for all
participating companies
• The third-party acts a bridge between the participating organizations for
identity verification purposes.
Access control and Markup Languages
• Markup language is a way to structure text and data sets; and it dictates how to
view and use them
• The use of standard markup language allows for interoperability
• Hypertext Markup Language (HTML)
• it is used to display static web pages.
• It was derived from Standard General Markup Language (SGML) and the Generalized
Markup Language (GML)
• Describes how data is displayed using tags manipulating size and color of text
• Extensible Markup Language (XML)
• XML universal and foundational standard that provides a structure for other independent
markup languages to be built from and still allow for interoperability
Service Provisioning Markup Language (SPML)
• SPML allows for exchange of provisioning data between applications
residing in one organization or between organizations
• It allows for automation of user management, access entitlement
configuration, across multiple provisioning systems
• It allows for integration and interoperation of service provisioning
requests across various platforms
• It is based on Directory Service Markup Language (DSML)
• Has 3 main entities:
• Requesting Authority  Entity that is making up the request to setup a new account or change existing
account
• Provisioning service provider  software that responds to account requests
• Service Target  Entity that carries out provisioning activities on the requested system
Security Assertion Markup Language (SAML)
• XML standard that allows the exchange of authentication and authorization data
between security domains
• It provides the authentication pieces to the Federated Identity management
systems
• There are three components
• Principal – user access requesting
• Identity provider – entity authenticating the user
• Service provider – entity providing service to the user
• SAML does not tell the receiving system how to interpret and use the
authentication data
• Federated identity systems often use SAML and SPML for access needs
• It is used to provided SSO capabilities for browser access
• SAML does not have security mode and relies on TLS for message
confidentiality and digital signature for message integrity
Simple Object Access Protocol (SOAP)
• It is a specification that outlines the way information pertaining to
web services is exchanged in a structure manner
• It is a simple messaging framework to be used by users to request a
service and in turn the service is made available to the user
• Transmission of SAML data takes place over SOAP
• The use of web services in this manner also allows for organization
to provide Service Oriented Architecture (SOA)
• SOA is a way to provide independent services residing in different
applications in different domains in one consistent manner
Extensible Access Control Markup Language (XACML)

• It is used to express security policies and access rights to assets

provided through web services and other enterprise applications
• It is both an access control policy language and processing model
that allows for policies to be interpreted and enforced in a standard
manner
• XACML uses a subject element, resource element and an action
element
• It provides assurance to all members in a federation that they are
granting the same level of access to different roles
• XACML has become popular with software defined networking
applications
Scripted Access or Logon Scripts

• Establishes communication links by providing an automated process

to transmit credentials at the start of the logon session

• It can be used to simulate SSO in environments where SSO

implementation is not possible

• Scripts should be stored in highly protected areas, because they

usually contain access credentials in clear text
Once In-Unlimited Access

• The user authenticates once and then has access to all the
resources participating in the model
• In this model the system behind the initial authentication do not have
any authentication mechanism to speak of
• The fact that the user is able to access the system in the first place
means that the user is authorized
• Eg: Casinos “unlimited Beer”
Other SSO Examples

• SESAME
• Ticket based authentication system developed to address the weakness in
Kerberos

• It did not compensate for all weaknesses and has not be adopted

• KryptoKnight
• Ticket-based authentication system developed by IBM

• It uses peer-to-peer authentication

• As incorporated into NetSP product, but never took off.

OpenID
• Open standard for user authentication by third-parties
• It is very similar to SAML, but the user authentication is maintained
by a third-party not by the company
• It defines 3 roles
• End User: The user who wants to be authenticated
• Resource party: The server that owns the resource the end-user is trying to
access
• OpenID provider: The system in which the end user already has an account
and which will authenticate the user to the resource party
OpenAuth
• Open standard for user authorization by third-parties
• It lets you authorize a website/applications to use something you
control at a different website
Access Control
Basic Access Concepts
• Permissions:
• Refer to the access granted for an object and determine what you can do
with it
• Rights:
• Refers to the ability to take an action on the object
• Privileges:
• It is the combination of rights and permissions
• Implicit Deny:
• It is the basic principle of access control
• Ensures access to object is denied unless access has been explicitly granted
to a subject
Access Control types
• Primary Control types
• Preventive
• Attempts to stop some thing bad from happening
• Fence, lock, mantrap, separation of duties, encryption, data classification, penetration testing,
smartcards, callback procedures, awareness training
• Detective
• Detects something anomalous; its an after the fact control
• Audit, cctv, motion detectors, job rotation, mandatory vacations, honeypots, IDS, violation
reports
• Corrective
• Modifies the environment to return systems to normal after an incident
• Attempts to correct any problem that may have happened
• Terminating malicious activity, rebooting the system, backup and restore plans, active
intrusion detection systems
Access Control types
• Other Control types
• Deterrent
• Attempts to dissuade someone from carrying out unauthorized activity
• Fence, policies, training, CCTV, Lights, security badges, mantraps
• Recovery
• Attempts to repair or restore resources after a security violation
• It is an extension of corrective controls
• Backups and restores, fault-tolerant drive systems, system imaging, server clustering, VM
Shadowing
• Directive
• Attempts to direct or control the actions of the subjects to force compliance to the policy
• Security standard, posters, escape route maps, monitoring, supervision, procedures
• Compensatory
• Provides an alternative when the primary control isn’t feasible
Access Control categories
• Administrative Access Control
• Also called management access control
• They focus on people and business practices
• Policy, procedures, hiring practices, background checks, data classification, awareness
training, reports, testing
• Logical Access Control
• Also called Technical Access control
• Hardware and software mechanisms used to control access
• Encryption, constrained interfaces, firewalls, IDS, biometric, password, clipping levels, ACLs
• Physical Access Control
• Items that we can physically touch
• Guards, fences, motion detectors, locks, lights, cable protection, badges, video camera,
mantraps
Access Control Models
• A framework that dictates how a subject access an object
• Three main types of access control models are
• Discretionary access control
• Mandatory access control
• Role based access control
• Access control model decision is based on
• Business and security goals
• Culture
• Habits of conducting business
Discretionary Access Control (DAC)
• A system using DAC enables the owner to specify which subjects
can access specific resources
• Control of access is based on the discretion of the owner
• Access is restricted based on the authorization granted to the users
• The most common implementation of DAC is through Access control
lists (ACL) on objects
• DAC can be applied to both directory tree structure and the files in it
• DAC is considered identity based access control type
Non-Discretionary Access Control
• Access decisions are not based at the discretion of the user

• They are put in place by the central authoritative entity with the goal
of protecting the most critical assets

• Administrators centrally administer non-discretionary control and can

make changes that affect the entire environment

• Rule-based, role-based and lattice-based access controls are

considered non-discretionary models
Mandatory Access Control (MAC)
• Users do not have the rights to decide who can access objects
• MAC model is much more structured and stricter than DAC model and is based on a security label system
• Users are given security clearance and data is classified in similar way
• The rules of how subjects access objects are defined via the organization’s security policy
• OS based on MAC model greatly reduces the amount of rights, permissions and functionality a user has for
security purposes
• In MAC model, user cannot install software, change permissions, add new users etc.
• This type of model is used in environments that places information classification and confidentiality of
utmost importance
• MAC model have labels while rule-based models do not use labels
• The MAC model is often referred to as a lattice-based model
• It is based on cooperative interaction between system and Information owner. The system’s decision
controls access, and the owner provides the need-to-know control
• It is prohibitive than permissive and it uses implicit deny principle
• It is more secure than DAC but it isn’t flexible or scalable
MAC System – Sensitivity Labels
• Also called security labels
• It contains a classification and different categories
• Personnel within the organization identify and define their meanings as well as
requirements to obtain the label.
• Administrators assign labels to subjects and objects
• Classification indicates the sensitivity levels
• Categories enforce need-to-know and represent compartments of information within a
system
• Classification follows a hierarchical structure, while categories do not follow a
hierarchical scheme
• Guards can be used to connect different security modes, and they can be used to
connect different networks working at different security levels
MAC System – Environment Types

Hierarchical Environment Compartmentalized Hybrid Environment

Environment
• Relates various • There is no relationship • Combines both the
classification labels in an between one security environment types
ordered structure from low domain and another • Each hierarchical level
security to high security • Each domain represents a may contain numerous
• Each classification label in separate isolated subdivisions that are
the structure is related compartment isolated from the rest of
• Clearance in one level • Subjects must have the security domains
grants the subject access security clearance for • Provides granular control
to objects in all levels each security domain but difficult to manage as it
below it where it would need to grows
access object
Role-Based Access Control
• Access to resources is based on the role/task the user holds within
the company
• Also called Task Based access control
• RBAC is often implemented using groups
• It is a centrally administered set of controls to determine how
subjects and objects interact
• In RBAC a role is defined in terms of the operations and tasks the
role will carry out
• Rights and permissions are assigned implicitly to the user via the
role or group the user inherits
• It is best system for companies with high employee turnover
Core RBAC
• It is the foundation of RBAC model
• Users, roles, permissions, operations and sessions are defined and
mapped according to the security policy
• The core RBAC
• Has a many-to-many relationship among individual users and privileges
• Uses a session as a mapping between a user and a subset of assigned roles
• Accommodates traditional but robust group-based access control
Hierarchical RBAC
• Helps map the organizational structures to the roles based access
control
• It is an accumulation of rights and permissions of other roles
• Supports two types of hierarchies
• Limited Hierarchies: only one level of hierarchy is allowed
• General Hierarchies: Allows for many levels of hierarchies
• Separation of duties is provided by
• Static Separation of Duty (SSD) Relations through RBAC:
• Helps deter fraud by constraining the combination of privileges
• Dynamic Separation of Duties relations through RBAC:
• Helps deter fraud by constraining the combination of privileges that can be activated in
any session
Role-Based Access Control management types
• Non-RBAC: users are mapped directly to applications and no roles
are used
• Limited RBAC: users are mapped to roles and also directly mapped
to some applications that do not support RBAC
• Hybrid RBAC: users should be mapped to multiapplication roles with
only selected rights assigned to those roles (users will be part of
organizational roles, but also in some instances part of specific
application roles)
• Full RBAC: users are mapped to enterprise roles
Rule Based Access control
• Based on specific rules that dictate what can and cannot happen between a
subject and a object
• This is built on traditional RBAC and hence called RB-RBAC
• It is based on the concept of “if X then Y” programming rules
• It is not identity based
• It allows a developer to define specific and detailed situations in which a subject
can or cannot access an object
• Rule based access control has been used in MAC systems
• Content filtering technologies use Rule-based access control
• It is a compulsory access control because administrator set the rules and users
cannot modify these
• A distinctive characteristic is that they have global rules that apply to all subjects
Attribute Based Access Control
• Advanced implementation of the rule based access control
• It includes multiple attributes for rules
• While rule-based access control applies to all users, ABAC can be
much more specific
• Administrators create ABAC policies using plain language
statements
Access Control Techniques and Technologies
• Some of the access control techniques are
• Constrained user interfaces
• Access control Matrix
• Capability table
• Access control lists
• Content dependent access control
• Context dependent access control
Constrained User Interfaces
• Restricts user abilities by not allowing them to request or access
certain functions
• 3 major types
• Menus
• Options the user is given to execute is limited
• Shells
• Shells will contain only the commands the administrator wants the user to be able to
execute
• Database views
• Used to restrict user access to data contained in databases
Access Control Matrix
• A table of subjects and objects indicating what actions individual
subjects can taken upon individual objects
• It is usually an attribute of DAC model. The access rights can be
assigned directly to the subjects and objects
• Capability Table:
• Specifies the access rights subjects posses pertaining to objects
• Subject is bound to capability table
• Access Control Lists:
• List of subjects that are authorized to access a specific object
• Object is bound to ACLs
Content/Context Dependent Access Control

• Content Dependent Access Control

• Access to objects is determined by the content within the object

• Content dependent devices employ this access control

• Context Dependent Access Control

• Makes access decisions based on the context of the collection of information
rather than on the sensitivity of the data

• It reviews the previous actions or the current situations and then takes the
decision
Centralized Access Control Administration

• One entity is responsible for all access control decisions

• The entity configures mechanism to enforce access control

• This model provides consistent and uniform method of controlling

access rights

• Supplies strict control over data

• Drawback:
• Since only one entity is responsible for all access decisions, it can be slow
RADIUS
• Network protocol that provides client/server authentication, authorization and audits remote users

• ISPs use RADIUS to authenticate remote users before allowing access to Internet

• Allows companies to maintain centralized user profile database

• It is an open protocol that can be customized by any vendor

• Uses UDP as its transport protocol

• Latest versions can be implemented over TCP using TLS encryption

• Encrypts user’s password only as it is transmitted between the client and the server

• Combines authentication, authorization and accounting functionalities

• Has limited number of Attribute-value (28 ) pairs compared to TACACS+

• Works over PPP connection

TACACS

• Combines Authentication and Authorization Functions

• XTACACS separates authentication, authorization and auditing

processes

• TACACS+ is XTACACS with extended two-factor user authentication

• TACACS uses fixed password for authentication; while TACACS+

allows for users to employ dynamic passwords

• TACACS+ is not backword compatible with TACACS and XTACACS

TACACS+
• It uses TCP (49) protocol as its transport protocol
• It is the most commonly used Authentication system
• Encrypts all data between the client and server
• Uses a true authentication, authorization and accounting functionality
• TACACS+ has move AVPs, allowing network administrator to define ACLs,
filters, user privileges and more
• Supports TCP, AppletTalk, NetBIOS, and IPX protocols
• Used in environments that require more sophisticated authentication steps and
tighter control over more complex authorization activities
Diameter
• Built upon the functionality of RADIUS
• It is a peer-to-peer based protocol
• Used in authentication of mobile devices, wireless devices, Mobile IP, Ethernet over
PPP, VoIP
• It also supports IPSec and TLS for encryption
• Consists of two parts
• Base Protocol:
• Provides security communication between diameter entities, feature discovery and version negotiations
• Extensions:
• Built on top of base protocol to allow various technologies to use Diameter for authentication
• It is not backward compatible with RADIUS
• It uses TCP and Attribute-value pairs (232)
• It provides proxy server support
• It has better error detection and correction functionality
• Has better failover properties and thus provides better network resilience
• Diameter uses TCP 3868.
Diameter Functionality
• Provides the following AAA functionality:
• Authentication
• PAP, CHAP, EAP
• End-to-End protection of authentication information
• Replay attack protection
• Authorization
• Secure proxy, relays, brokers
• State reconciliation
• Unsolicited disconnect
• Reauthorization on demand
• Accounting
• Reporting, Roaming operations (ROAMOPS) accounting, event monitoring
Decentralized Access Control

• Gives access control decisions to people closer to the resources

• Functional manager assigns access control rights to employees

• Changes can happen faster

• Conflict of interest possibility can arise

• It does not provide uniformity and fairness across organization

• Certain actions can overlap

Distributed system access control

• SQL incorporates many features of Role and rule based access

control

• Services that are useful in implementing distributed access control

include LDAP, capability based Kerberos, XML based XACML
Accountability
• Auditing capabilities ensure users are accountable for their actions

• Accountability is tracked by recording user, system and application activities

• Clipping level or threshold parameters can be set of items for alert trigger

• Reviewing audit logs post an event is called event-oriented audit review

• Audit-reduction tools help discard mundane task information and records events of interest

• Deleting specific incriminating data within audit logs is called scrubbing

• The integrity of the audit logs can be ensured with Digital signature, Hashing and strong access
control

• Confidentiality is maintained by encryption and access controls

• The most significant aspect of ensuring accountability is the culture of the organization
Keystroke Monitoring

• A type of monitoring that can record and review keystrokes entered

by user during an active session

• It is usually done in special cases and only for a specific length of

time

• Organization should ensure it states in its security policy, security

training, banner notice about the option of using Keystroke
monitoring.
Access Control Monitoring - IDS
• Intrusion detection is the process of detecting anomalous activities in a system
or network
• IDS is designed to aid in mitigating the damage caused by malicious actions
• IDS tool is used to detect something suspicious and sound alarm
• 3 main components of IDS
• Sensor – collect network and user activity traffic and sends to analyzer
• Analyzer – looks for suspicious activities from the collected data and alerts the admin
interface
• Administrator interface – User interface for managing and monitoring the IDS
Two main types of IDS

Network Based Host Based

Software installed dedicated Installed on individual server or
appliance that has one of its NIC in workstation
promiscuous mode
Promiscuous mode enables NIC to Software within the system
capture all traffic and make a copy enables it to inspect all the actions
of the system
Looks only at network traffic flow Looks only at system activities
IDS Analysis Types

• 2 Types
• Signature based
• Pattern matching
• Stateful matching

• Anomaly based
• Statistical anomaly based
• Protocol anomaly based
• Traffic anomaly based
• Rule or heuristic based
Signature Based IDS

• Also known as knowledge based and pattern matching

• Developed by vendors based on known attack patterns

• Most popular IDS product

• Its effectiveness depends on regular update with new signatures

• It is weak against new types of attacks because it can recognize only

the ones that are known previously
State-Based IDS

• State is a snapshot of an OS value in volatile, permanent memory locations

• In this model, the initial state is the state prior to the execution of the attack, and
compromised state is the state after successful execution of the attack

• IDS has rules that outline which state transition sequences should sound an
alarm

• Its scans for attack signatures in the context of a stream of activity instead of
looking at individual packets

• Effectiveness is dependent on regular signature update

Statistical Anomaly IDS
• It’s a behavior based IDS

• Does not use predefined signatures

• The IDS is allowed to learn the network traffic to create a baseline, post which any traffic pattern
that meets a defined threshold variation will trigger an alert

• The key factor is to ensure during learning phase the environment does not have any malicious
activity

• It can detect Zero Day attacks

• It can also detect low and slow attacks

• Disadvantages
• Prone to serious false-positives in a complex network
• Need highly skilled security engineers to investigate the alerts
Protocol Anomaly IDS

• Protocol anomaly pertains to the behavior and format of the protocol

• IDS has specific knowledge of each protocol they will monitor

• Considering protocols are customized there is possibilities for false-

positives

• Can be used in statistical anomaly-based IDS

Traffic Anomaly IDS

• Behavior based IDS has traffic anomaly based filters

• They detect changes in the traffic patterns of the network and

generate alert

• It can detect unknown attacks

Rule Based IDS
• It is associated with expert system
• Expert system is made up of knowledge base, inference engine and
rule-based programming
• Knowledge is represented as rules and data to be analyzed is
referred as facts
• Used IF/THEN rule-based programming to take decisions
• The inference engine provides the artificial intelligence into the
process
Application Based IDS

• Specialized IDS products that can monitor specific applications

• They can gather fine-grained and detailed activities of the specific

application being monitored

• They can capture very specific application attack types, but does not
have visibility to more general OS attacks

• Predominantly used in applications that carry out encryption

functions which may not be inspected by other IDS systems
Honeypot

• Enticement:
• Setting up the environment that allows an attacker to easily hack into

• Entrapment
• Setting up the environment and also indicating the users to perform an action
with an intention of charging them with violation

• It is illegal and cannot be used when charging anyone with hacking attempts
Access Control Threats

• Threat are primarily unauthorized individuals attempting

unauthorized access to resources

• Threat Modelling
• Process of identifying, understanding and categorizing potential threats

• Goal is to identify a potential list of threats to the system and analyze the
threats

• It attempts to identify the attackers goals and categorize them based on the
priority of the underlying assets
Threat Modelling Approaches
• Focused on Assets:
• This method uses asset valuation results and attempts to identify threats to the
valuable assets
• Personnel evaluate the specific threats to determine the susceptibility to attacks
• Focused on Attacker:
• This method focuses on identifying the attackers and identify the threats they
represent based on the attackers goals
• Commonly used by governments
• Challenge is that this approach will not be able to consider new threats that may not
be anticipated
• Focused on Software:
• Organization developing software consider potential threats to the software
Access control Attacks
• Access Aggregation Attacks
• Collecting multiple pieces of non-sensitive information and combining them
to learn sensitive information
• Reconnaissance attacks are access aggregation attacks
• Combining defense-in-depth, need-to-know and least privilege helps prevent
access aggregation attacks
• Dictionary Password Attacks
• Attempt to discover password by using every possible password in a pre-
defined database
• Includes character combinations commonly used as password, but not found
in dictionary
• It can scan for one-upped-constructed passwords
Access control Attacks
• Brute-force Attacks
• Attempts to discover passwords for user accounts by systematically attempting all combinations
of letters, numbers, symbols.
• Uses comparative analysis to guess the password from the hash files
• Rainbow tables
• Its a database of precomputed password hashes that can be used by password crackers to
brute force password attacks
• It significantly reduces the time it takes to crack a password
• Sniffing Attack (Snooping)
• A tool that can capture network traffic.
• If it has capability to understand and interpret individual protocols it is called as protocol analyzer
• Sniffers are dangerous and very hard to detect
• Their activities are difficult to audit
 Access control Attacks
• Spoofing attack
• Also known as masquerading attack
• Pretending to be something, someone
• Email spoofing, phone number spoofing, IP spoofing
• Login spoofing attack can be mitigated by trusted path
• Shoulder Surfing
• Looking over the shoulder of an individual to read information on the screen
• Screen filters help restrict this attack
• Phishing
• Tricking users to give sensitive information
• Spear phishing is a phishing attack targeted to a specific group
• Whaling is a phishing attack that is targeted to senior or high profile executives
• Vishing is a phishing variant that uses phone or voip.
Karthikeyan Dhayalan
MD & Chief Security Partner