Identity Proofing
Identity proofing involves validating that a
person is who they claim to be.
It involves verifying an individual's identity
through various means before granting
access to systems and data.
Effective identity proofing is key to
maintaining security, ensuring regulatory
compliance, and building trust in digital
transactions, while also posing challenges in
balancing security, user experience, and
privacy.
Identity Proofing
(Key Components)
Verification of Personal Information: This
typically involves taking government-issued
IDs, biometric data, or other personal
information and checking them against trusted
sources to ensure their authenticity.
Knowledge-Based Authentication (KBA): Asking
personal questions (like previous addresses or
maiden names) that only the legitimate user
would likely know. Caveat: many such answers
can be found in public records, social media,
or breach data, so KBA is a weak form of
proofing on its own.
Document Verification: Examining documents
such as driver's licenses, passports, or birth
certificates for authenticity.
Biometric Verification: Using fingerprint, facial
recognition, or other biometric data to confirm
identity.
Use of Third-Party Services: Employing external
services or databases to validate the identity of
an individual.
Provisioning User
Accounts
process of creating and setting up new user
accounts with appropriate access rights in
an organization's systems and applications
Provisioning User
Accounts (Key Steps)
User Identification: Determining the identity
of the new user and their role in the
organization.
Access Rights Assignment: Assigning
appropriate access levels based on the user's
role, following the principle of least privilege
(PoLP), where users are given the minimum
levels of access necessary to perform their
duties.
Account Creation: Setting up the user
account in various systems, which may
include email, file storage, databases, and
other applications.
Security Measures: Implementing security
measures such as strong password
requirements, multi-factor authentication
(MFA), and security training.
De-provisioning User
Accounts
De-provisioning involves the process of
removing or disabling user accounts when
they are no longer needed, typically when an
employee leaves the organization or changes
roles.
De-provisioning User
Accounts (Key Steps)
Access Revocation: Terminating the user's
access to all systems and applications.
Data Handling: Ensuring any data associated
with the user is handled according to
organizational and legal requirements.
This may involve transferring ownership of
files or emails to another employee.
Account Disabling or Deletion: Disabling or
permanently deleting the user account to
prevent future access.
Permission Assignments
core
component of identity and access
management, involving the allocation of
access rights to users.
These assignments must be handled
carefully, following principles like least
privilege and role-based access, to maintain
security and compliance.
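The provisioning, de-provisioning and permission-assignment cards above describe one lifecycle (joiner, mover, leaver). As an added worked example, not taken from these notes, here it is in Python: roles map to a fixed, minimal permission set, a role change replaces rather than accumulates grants, and de-provisioning revokes access, transfers owned data and disables the account. The role names, permission strings, users and file names are constructed for the example and do not correspond to any real directory product.

```python
"""Joiner / mover / leaver: provisioning, role change and de-provisioning
with role-based, least-privilege grants.

Added example; the roles, permission names, users and file names are
constructed and do not correspond to any real directory product."""
from dataclasses import dataclass, field

# Each role carries only the permissions that job function needs (constructed).
ROLE_PERMISSIONS = {
    "engineer": {"git:read", "git:write", "ci:run"},
    "finance": {"erp:read", "erp:post"},
    "helpdesk": {"tickets:read", "tickets:write", "directory:read"},
}


@dataclass
class Account:
    username: str
    roles: set = field(default_factory=set)
    enabled: bool = True
    mfa_enrolled: bool = False
    owned_files: list = field(default_factory=list)


class Directory:
    def __init__(self):
        self.accounts = {}

    def provision(self, username, roles, mfa_enrolled):
        """Joiner: create the account with role-derived access only."""
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles {sorted(unknown)}: no ad-hoc permissions")
        if not mfa_enrolled:
            raise ValueError("MFA enrollment is a precondition for account creation")
        acct = Account(username, set(roles), mfa_enrolled=True)
        self.accounts[username] = acct
        return acct

    def effective_permissions(self, username):
        acct = self.accounts[username]
        if not acct.enabled:
            return set()  # a disabled account holds no effective access
        return set().union(*(ROLE_PERMISSIONS[r] for r in acct.roles))

    def change_role(self, username, new_roles):
        """Mover: replace the role set so old grants do not accumulate."""
        self.accounts[username].roles = set(new_roles)

    def deprovision(self, username, successor):
        """Leaver: revoke access, transfer owned data, then disable."""
        acct = self.accounts[username]
        acct.roles.clear()                                        # 1. access revocation
        self.accounts[successor].owned_files += acct.owned_files  # 2. data handling
        acct.owned_files = []
        acct.enabled = False                                      # 3. disable, keep for audit trail

    def audit(self):
        """Accounts that break the model: disabled but still holding roles,
        or enabled with no role at all (orphaned)."""
        return sorted(u for u, a in self.accounts.items()
                      if (not a.enabled and a.roles) or (a.enabled and not a.roles))


def demo():
    """Walk one account through the whole lifecycle and return the directory."""
    d = Directory()
    alice = d.provision("alice", ["engineer"], mfa_enrolled=True)
    d.provision("bob", ["engineer"], mfa_enrolled=True)
    alice.owned_files.append("design.docx")
    d.change_role("alice", ["finance"])      # mover: engineer grants disappear
    d.deprovision("alice", successor="bob")  # leaver: revoke, transfer, disable
    return d
```

`audit()` is the check worth scheduling: an account that is disabled but still carries roles, or enabled with no role, is exactly what a missed de-provisioning step looks like.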
Single Sign-On
users log in once and gain access to multiple
systems without the need to reauthenticate.
This enhances user experience
and productivity.
SSO (Importance)
Reduced Password Fatigue: SSO reduces the
number of passwords users must manage,
decreasing the likelihood of weak password
practices.
Centralized Authentication Control: Provides
centralized control over user access to
multiple systems, making it easier to enforce
security policies.
Reduced IT Workload: Simplifies the
management of user accounts and
credentials, reducing the workload on IT
departments.
Trade-off: the SSO identity provider becomes a
single point of compromise, so it must itself be
protected with MFA and closely monitored.
LDAP
LDAP (Lightweight Directory Access Protocol)
is a protocol for accessing and maintaining
distributed directory information services,
like user and group details, over an IP
network.
Usage: Primarily used for directory services
and information lookup. Commonly utilized
for storing user credentials and groups in an
enterprise environment.
Microsoft Active Directory exposes its directory
over LDAP, and OpenLDAP is the usual
open-source implementation on Linux. A simple
bind sends the password in the clear over plain
LDAP (TCP 389), so use LDAPS (TCP 636) or
StartTLS.
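Applications usually query LDAP by building a search filter from a username, and the classic mistake is pasting the input straight into the filter. The added example below, not from these notes, shows RFC 4515 value escaping beside the naive version; it only builds filter strings and never connects to a directory, and the attribute and DN names are constructed for the example.

```python
"""Building an LDAP search filter from user input safely (RFC 4515 escaping).

Added example, not from the page; it constructs filter strings only and does
not connect to a directory. The schema (uid, memberOf, ou=groups,
dc=example,dc=com) is constructed for the example."""

# RFC 4515 section 3: these characters must be escaped as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it can only ever match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter(username: str, group: str = "staff") -> str:
    """Look up an enabled person who is a member of the required group."""
    return (f"(&(objectClass=person)"
            f"(memberOf=cn={escape_filter_value(group)},ou=groups,dc=example,dc=com)"
            f"(uid={escape_filter_value(username)}))")


def unsafe_login_filter(username: str) -> str:
    """The naive version: user input is part of the filter grammar."""
    return f"(&(objectClass=person)(uid={username}))"
```

With the input `*)(uid=*` the naive filter becomes `(&(objectClass=person)(uid=*)(uid=*))`, a wildcard that matches every person entry; the escaped version searches for that literal string and matches nothing.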
Federation
process of
linking and managing identities across
different systems and organizational
boundaries.
It enables users to use the same identity or
set of credentials to access multiple
applications or services.
It allows for single sign-on and streamlined
access management, enhancing user
experience and operational efficiency.
Federation involves identity providers,
service providers, and specific protocols, and
is crucial for centralized authentication and
compliance.
SAML
SAML (Security Assertion Markup Language)
is an open standard for exchanging
authentication and authorization data
between parties, specifically between an
identity provider and a service provider.
Usage: Widely used for SSO to allow users to
log in to multiple applications with one set of
credentials.
Characteristics: SAML uses XML for data
exchange and is focused on both
authentication and authorization. It's
particularly useful in enterprise-level SSO.
SAML
(Key Components)
Identity Providers (IdPs): Services that
authenticate users and provide identity
information to service providers. Examples
include Okta, Microsoft Azure AD, and
Google Identity.
• Attestation (a formal statement that something
is true) is performed by the IdP: it asserts that
the user is who they claim to be, and the SP
relies on that assertion.
Service Providers (SPs): The applications or
services that rely on information from the
IdP to provide access to the user.
OAuth
open standard for access
delegation.
It is used to grant websites or applications
access to a user's information held by other
websites or services without giving them the
user's password.
Usage: Commonly used for authorizing third-party
applications to access a user's data
without exposing user credentials.
Characteristics: OAuth is about authorization
(not authentication) and is used to grant
limited access to an application on behalf of
the user. An access token says what the
bearer may do, not who the user is.
OpenID Connect
identity layer on top of
OAuth 2.0. It allows clients to verify the
identity of the end-user based on the
authentication performed by an
authorization server.
Usage: Primarily used for authentication in
modern web applications and mobile
applications.
Characteristics: OpenID Connect extends
OAuth 2.0 for use cases involving identity
assertion.
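The identity layer OIDC adds is the ID token, a signed JWT whose claims (iss, sub, aud, exp, nonce) the client must verify before trusting the login. The added example below, not from these notes or any OIDC library, mints and verifies an HS256 ID token with the standard library; OIDC permits HS256 keyed with the client secret, while public clients would verify RS256/ES256 against the provider's JWKS instead. Issuer, client id and secret are constructed.

```python
"""Minting and verifying an OpenID Connect ID token (JWT, HS256).

Added example, not from the page. ISSUER, CLIENT_ID and SECRET are
constructed; real deployments fetch keys from the provider's JWKS."""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER = "https://idp.example.com"
CLIENT_ID = "web-app-1"
SECRET = b"constructed-client-secret-not-for-real-use"


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_nonce() -> str:
    """Client generates this per login and binds it to the session."""
    return secrets.token_urlsafe(16)


def mint_id_token(secret, issuer, client_id, subject, nonce, now, ttl=300):
    """What the provider does after authenticating the user."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": client_id,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token, secret, issuer, client_id, expected_nonce, now, skew=60):
    """What the client must do. Returns the subject identifier."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never honour alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this client")
    if now >= claims.get("exp", 0) + skew:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replay?)")
    return claims["sub"]


def verify_result(*args, **kwargs):
    """verify_id_token, but returning the error text instead of raising."""
    try:
        return verify_id_token(*args, **kwargs)
    except ValueError as e:
        return str(e)
```

Checking `aud` is what separates "a valid login at the IdP" from "a valid login for this application": an ID token issued to a different client is otherwise perfectly well signed.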
Access Controls
mechanisms and policies
used to manage and restrict access to
resources in an information system.
Various types of access controls include DAC,
MAC, RBAC, and ABAC, each with its specific
use cases and implications for security and
compliance.
The effective implementation of access
controls requires balancing security,
complexity, and usability, and is a vital part
of any comprehensive cybersecurity strategy
Mandatory Access Control (MAC):
MAC is a security model in which access rights are
regulated by a central authority based on different
levels of security clearance.
Use Case: Common in government and military
systems where classified information is involved.
Key Aspect: Users cannot change access permissions;
they are set and enforced by a system administrator.
Discretionary Access Control (DAC):
In DAC, the resource owner decides on access levels.
It is the most flexible access control model.
Use Case: Used in environments where users need
control over the resources they own, like setting file
permissions in an operating system.
Key Aspect: Risk of users granting excessive access,
potentially leading to security breaches.
RBAC (Role-Based Access Control):
assigns permissions based on a user's role
within an organization.
Use Case: Common in corporate
environments where roles define job
functions and access needs.
Key Aspect: Streamlines access
management, especially in organizations
with many users and roles.
Rule-Based Access Control
Access decisions are based on a set of rules defined
by the system administrator.
Use Case: Useful in environments requiring stringent
access control, like securing network resources.
Key Aspect: Rules can be based on various criteria,
such as source/destination IP addresses in firewalls.
ABAC (Attribute-Based Access Control)
uses policies that evaluate attributes (or
characteristics) of users, the environment, and
resources.
Use Case: Effective in complex environments with
diverse and dynamic user attributes.
Key Aspect: Provides fine-grained control, allowing
for more nuanced access decisions based on multiple
factors.
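The four models above differ in who decides and on what basis. The added example below, written for these notes and not taken from them, puts a decision function for each side by side: MAC with centrally assigned labels (Bell-LaPadula's no-read-up / no-write-down), DAC where only the owner edits the ACL, rule-based with ordered firewall-style rules and default deny, and ABAC as a policy over subject, resource and environment attributes. Labels, ACLs, networks and attributes are all constructed.

```python
"""MAC, DAC, rule-based and ABAC decisions side by side.

Added example; the labels, ACLs, network rules and attributes are constructed."""
import ipaddress

# ---- MAC: labels come from a central authority; users cannot change them ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allows(clearance, label, action):
    """Bell-LaPadula confidentiality rules: no read up, no write down."""
    s, o = LEVELS[clearance], LEVELS[label]
    return s >= o if action == "read" else s <= o


# ---- DAC: the owner decides, so over-granting is the owner's mistake to make ----
ACLS = {"/home/alice/report.xlsx": {"owner": "alice", "acl": {}}}


def dac_grant(acls, granter, obj, grantee, actions):
    if acls[obj]["owner"] != granter:
        return False  # only the owner may change the ACL
    acls[obj]["acl"].setdefault(grantee, set()).update(actions)
    return True


def dac_allows(acls, user, obj, action):
    entry = acls[obj]
    return user == entry["owner"] or action in entry["acl"].get(user, set())


# ---- Rule-based: ordered rules, first match wins, default deny ----
RULES = [
    ("deny", "10.0.0.0/8", 22),        # no SSH from the internal range
    ("allow", "10.0.0.0/8", None),     # anything else from inside
    ("allow", "192.168.1.0/24", 443),  # HTTPS only from the lab segment
]


def rule_allows(rules, src_ip, dst_port):
    ip = ipaddress.ip_address(src_ip)
    for verdict, network, port in rules:
        if ip in ipaddress.ip_network(network) and port in (None, dst_port):
            return verdict == "allow"
    return False


# ---- ABAC: one policy over subject, resource and environment attributes ----
def abac_allows(subject, resource, env):
    """Same department, sufficient clearance, business hours, managed device."""
    return (subject["department"] == resource["department"]
            and LEVELS[subject["clearance"]] >= LEVELS[resource["label"]]
            and 8 <= env["hour"] < 18
            and env["device_managed"])
```

Note what each model cannot express: MAC has no notion of ownership, DAC cannot stop an owner from granting `read` to everyone, and only ABAC can take time of day or device state into account.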
Multifactor
Authentication
MFA is a security system that requires more
than one method of authentication from
independent categories of credentials to
verify the user's identity for a login or other
transaction.
This approach combines two or more
distinct authentication factors, significantly
increasing security.
MFA
(Authentication Factors)
Something You Know: Commonly used but
vulnerable to theft, guessing, and brute force.
Examples: Passwords, PINs, answers to security
questions.
Something You Have: Adds a layer of security
by requiring a physical device in possession of
the user.
Examples: Mobile devices with authentication apps,
smart cards, security tokens.
Something You Are: Highly secure, but
implementation can be complex and costly.
Examples: Biometric verification methods.
Somewhere You Are (Location-Based
Authentication): Adds contextual security by
restricting access to specific locations.
Examples: Authentication based on the user's
geographic location, using GPS or network-based
methods.
Tokens
Hard/Soft Authentication Tokens:
• Hard Tokens: Physical devices (e.g., key fobs,
smart cards) used to generate secure codes.
• Soft Tokens: Software-based approaches that
generate a secure code on a user's device
(like a smartphone).
• Use Case: Both are used to provide a time-sensitive
passcode as an additional
authentication factor.
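Most soft tokens and many hard tokens compute the time-sensitive passcode with TOTP (RFC 6238), which is HOTP (RFC 4226) with the Unix time divided into 30-second steps as the counter. The added example below, not from these notes, implements both with the standard library plus the server-side verification: a small drift window, a constant-time comparison, and a last-used counter so an intercepted code cannot be replayed. The secret is the RFCs' published test-vector key, so the expected codes are the RFCs' own.

```python
"""RFC 6238 TOTP, the algorithm behind most soft tokens and many hard tokens,
plus the server-side verification step.

Added example; SECRET is the RFC 6238 / RFC 4226 test-vector key, so the codes
match the RFCs' published values. It is not a real key."""
import base64
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # RFC test-vector secret


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=8, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret, code, at, last_counter=-1, step=30, window=1, digits=8):
    """Server side: accept the current step +/- window to tolerate clock drift,
    compare in constant time, and refuse any counter <= last_counter so a
    code that was already used (or sniffed) cannot be replayed.
    Returns the accepted counter, or None."""
    base = at // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter > last_counter and hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(b32):
    """Enrollment QR codes carry the key base32-encoded (otpauth://totp/...?secret=...)."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))


def current_code(secret, digits=6):
    """What the authenticator app shows right now."""
    return totp(secret, int(time.time()), digits=digits)
```

Store the accepted counter per user and pass it back as `last_counter` on the next attempt; without it a code remains valid for the whole window, and an attacker who shoulder-surfs or phishes it has up to 90 seconds to use it.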
Security Key
A security key is a physical hardware device used for
verifying a user's identity. It is also used as a part of
multifactor authentication.
Functionality: Unlike hard tokens that generate a
passcode, security keys usually work by being
plugged into a computer or connected wirelessly.
They typically implement Universal 2nd Factor
(U2F) or FIDO2/WebAuthn: the key holds a
per-site private key and signs a challenge that
includes the site's origin, so it proves possession
(something you have) and cannot be phished into
signing for a look-alike domain.
Examples: USB security keys (like YubiKey or Google Titan),
NFC-enabled keys, or Bluetooth-enabled keys.
Biometric
Based on unique physical attributes or
behavior
• Biometric authentication is a type of system
that relies on the unique biological
characteristics of individuals
• Sophisticated but expensive
• Types:
• Fingerprints: Visible patterns on the fingers and thumbs
• Face Scans: Uses geometric patterns of the face
• Retina Scans: Focuses on the pattern of blood vessels at
the back of the eyes. Most accurate but least
accepted by users. Can reveal high blood pressure and
pregnancy
• Iris Scans: Focused on the colored area around the
pupil, second-most accurate, longer authentication life
span
• Palm Scans: Scans the palm, uses infrared light to
measure vein patterns in the palm
• Hand Geometry: Recognizes the physical dimensions of
the hand, including width and length of the fingers and
hands
• Heart/Pulse Pattern: Often employed as a secondary
biometric to support another type of authentication
• Voice Pattern Recognition: Relies on the characteristics
of a person's speaking voice, known as a voiceprint
• Signature Dynamics: Examines both how a subject
performs the act of writing as well as features in a
written sample. The success relies on pen pressure,
stroke pattern, stroke length, and the point in time
when the pen is lifted from the writing surface
• Keystroke Patterns: Measure how a subject uses a
keyboard by analyzing flight time (how long it takes
between key presses) and dwell time (how long a key is
pressed)
Biometric
Type 1 Error
Occurs when a valid subject is not
authenticated (false rejection)
• More common when the device is too sensitive
(the matching threshold is set too strict)
• The proportion of genuine attempts that are
rejected is the False Rejection Rate (FRR)
Biometric
Type 2 Error
Occurs when an invalid subject is
authenticated (false acceptance)
• More common when the device is not sensitive
enough (the threshold is set too lax)
• The proportion of impostor attempts that are
accepted is the False Acceptance Rate (FAR)
Crossover Error Rate (CER) / Equal Error Rate (EER):
The sensitivity setting at which FRR and FAR are equal
• Devices with a lower CER are more accurate
• Tightening the threshold lowers FAR but raises
FRR, and vice versa; CER summarizes that trade-off
in one number
Enrollment
Extract and store unique features identifying
the person
• Creation of a Reference Template/Reference
Profile
Comparison
Real-time capture of a live sample from the user
• Comparison with the template stored in the database
• Fast match/non-match decision in one second
or less
Identification &
Authentication
"One to one" for Authentication (the sample is
compared only with the claimed identity's template)
• "One to many" for Identification (the sample is
searched against every enrolled template)
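The error-rate cards and the one-to-one versus one-to-many distinction are easiest to see with numbers. The added example below, written for these notes rather than taken from them, computes FRR and FAR from constructed genuine and impostor match scores, sweeps the threshold to find the crossover point, and shows 1:1 verification beside 1:N identification over a small enrolled set. A single scalar stands in for each stored template so the arithmetic stays visible; real systems compare feature vectors.

```python
"""FRR, FAR and crossover error rate from match scores, plus 1:1 verification
versus 1:N identification.

Added example; the scores and templates are constructed (a scalar stands in
for a real feature template so the arithmetic is visible)."""

# Constructed similarity scores in [0, 1]; higher means closer to the stored template.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.79, 0.90, 0.85, 0.97, 0.74, 0.89]   # same person
IMPOSTOR = [0.31, 0.45, 0.52, 0.40, 0.77, 0.60, 0.35, 0.48, 0.82, 0.55]  # different person


def frr(threshold, genuine=GENUINE):
    """Type 1 / false rejection: genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """Type 2 / false acceptance: impostor attempts scoring at or above it."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Sweep the threshold; CER/EER is the setting where FRR and FAR meet.
    Returns (threshold, frr, far)."""
    _, t = min((abs(frr(k / steps, genuine) - far(k / steps, impostor)), k / steps)
               for k in range(steps + 1))
    return round(t, 2), frr(t, genuine), far(t, impostor)


# Enrolled reference templates (constructed): user -> template value
TEMPLATES = {"alice": 0.90, "bob": 0.55, "carol": 0.72}


def score(sample, template):
    """Toy similarity: 1.0 is a perfect match."""
    return 1 - abs(sample - template)


def verify(claimed_user, sample, threshold):
    """Authentication is one-to-one: compare only against the claimed identity."""
    return score(sample, TEMPLATES[claimed_user]) >= threshold


def identify(sample, threshold):
    """Identification is one-to-many: search every template and return the best
    match only if it clears the threshold, so unknown people yield None."""
    best = max(TEMPLATES, key=lambda u: score(sample, TEMPLATES[u]))
    return best if score(sample, TEMPLATES[best]) >= threshold else None
```

Raising the threshold in `frr`/`far` shows the trade-off directly: at 0.9 no impostor is accepted but six of ten genuine attempts are rejected, while at 0.5 nobody genuine is rejected and half the impostors get in. Identification also needs a stricter threshold than verification, because every extra enrolled template is another chance for an impostor to score a near match.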
Passwords
fundamental component of
cybersecurity, serving as the first line of
defense in many systems.
Password Best Practices
Length: The longer the password, the more
secure it generally is. A minimum of 8-12
characters is commonly recommended, and
length does more for strength than character
variety.
Complexity: Traditionally a mix of uppercase
and lowercase letters, numbers, and special
characters to resist guessing and brute force.
NIST SP 800-63B no longer recommends
mandatory composition rules; screening new
passwords against lists of breached and
common passwords is preferred.
Reuse: Avoid using the same password
across multiple accounts to prevent a single
breach from compromising multiple systems.
Expiration: Regularly changing passwords,
traditionally every 90 days. NIST SP 800-63B
advises against forced periodic rotation
unless there is evidence of compromise,
because it pushes users toward predictable
variations of the old password.
Age: Monitoring the age of passwords helps
in enforcing timely updates and identifying
potentially vulnerable accounts.
Password Managers
Encouraged for managing a large number of
complex passwords. Password managers
store and encrypt passwords, requiring the
user to remember only one strong master
password.
Passwordless
Authentication
emerging trend where traditional
passwords are replaced with alternative
methods like biometrics, security keys, or
one-time tokens sent to a user's device.
This approach enhances security by
eliminating the risks associated with weak
or compromised passwords.
Privileged Access
Management Tools
PAM tools are used to control, manage, and
monitor access to critical systems and
resources within an organization,
particularly focusing on privileged users who
have elevated access rights.
They help mitigate risks associated with
privileged accounts by ensuring that
elevated access is provided securely and
managed effectively.
Key aspects of PAM include Just-in-Time
permissions for time-limited access,
password vaulting for secure credential
management, and ephemeral credentials for
temporary access with minimal risk.
Just-in-Time
Just-in-Time (JIT) permissions grant
privileged access on an as-needed basis,
typically for a limited period.
Functionality:
Reduces the risk of privilege abuse by
ensuring privileges are granted only when
necessary and for the shortest time
required.
Often includes approval workflows to ensure
oversight.
Use Case: Ideal for situations where users
need temporary elevated access for specific
tasks, like system maintenance or
troubleshooting.
Password Vaulting
involves securely storing
and managing credentials for privileged
accounts in a centralized repository (vault).
Functionality:
Users check out credentials when needed,
which are then returned to the vault.
The vault automatically manages, rotates,
and updates passwords, reducing the risk of
password reuse or theft.
Use Case: Used for managing a large number
of privileged accounts to ensure secure and
controlled access.
Ephemeral Credentials
temporary
credentials that are generated on-demand
and expire after a short duration.
Functionality:
Enhances security by ensuring credentials
are valid only for a brief period and for a
specific purpose.
Reduces the risk of long-term credential
compromise.
Use Case: Useful in dynamic environments
like cloud computing, where temporary
access is needed frequently.
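The three PAM mechanisms above fit in one small model. The added example below, not from these notes or any PAM product, implements just-in-time elevation with an approver and a hard expiry, a credential vault whose check-in rotates the password so a used secret is dead, and HMAC-bound ephemeral credentials that carry their own scope and expiry. Accounts, approvers, scopes and TTLs are constructed; time is passed in as integer Unix seconds so the flow is deterministic.

```python
"""Just-in-time elevation, vault check-out with rotation, and ephemeral
credentials, modeled as one small in-memory PAM.

Added example, not from the page; accounts, approvers, scopes and TTLs are
constructed. `now` is explicit Unix seconds so behaviour is deterministic."""
import hashlib
import hmac
import secrets


class Pam:
    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.vault = {}        # privileged account -> current password
        self.checked_out = {}  # account -> user currently holding it
        self.grants = {}       # (user, role) -> expiry time
        self.log = []          # every action is recorded for review

    # ---- Just-in-Time permissions ----
    def request_elevation(self, user, role, approver, now, ttl=900):
        """Grant a role for ttl seconds after a second person approves."""
        if approver == user:
            raise PermissionError("self-approval not allowed")
        self.grants[(user, role)] = now + ttl
        self.log.append(("jit", user, role, approver, now + ttl))
        return now + ttl

    def has_role(self, user, role, now):
        exp = self.grants.get((user, role))
        return exp is not None and now < exp   # expiry needs no revocation step

    # ---- Password vaulting ----
    def store(self, account, password):
        self.vault[account] = password

    def checkout(self, account, user, now):
        if account in self.checked_out:
            raise RuntimeError(f"{account} already checked out by {self.checked_out[account]}")
        self.checked_out[account] = user
        self.log.append(("checkout", account, user, now))
        return self.vault[account]

    def checkin(self, account, now):
        user = self.checked_out.pop(account)
        self.vault[account] = secrets.token_urlsafe(24)  # rotate: the password the user saw is dead
        self.log.append(("checkin", account, user, now))

    # ---- Ephemeral credentials ----
    def issue(self, user, scope, now, ttl=300):
        """Self-describing credential: user|scope|expiry, authenticated by HMAC."""
        payload = f"{user}|{scope}|{now + ttl}"
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "|" + tag

    def validate(self, cred, scope, now):
        """Return the user if the credential is intact, in scope and unexpired."""
        try:
            user, cred_scope, exp, tag = cred.split("|")
        except ValueError:
            return None
        payload = f"{user}|{cred_scope}|{exp}"
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        if cred_scope != scope or now >= int(exp):
            return None
        return user
```

The three pieces answer different risks: JIT limits how long elevated rights exist, the vault removes the need for anyone to know a standing password, and ephemeral credentials make theft after the fact worthless because what was stolen has already expired.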