MH

In-Depth Notes on Authentication & Access Control

Authentication & Access Control

Overview of Key Concepts

  • Authentication: Verifying a claimed identity of a user or system (who you are); it is the prerequisite for authorization (what you may do).
  • Access Control: Restricting access to data/resources based on the verified identity, the roles it holds and the permissions granted to those roles.
  • Importance: Prevents unauthorized access, protects sensitive information, limits the damage an insider or a compromised account can do, and supports compliance with regulations.

Authentication

  • Definition: Process of verifying a user's or system's identity.
  • Common Methods:
    • Password-based authentication: Most common; weaknesses include guessing, brute-force and credential-stuffing attacks (reuse of passwords leaked from other sites), and phishing.
    • Multi-factor authentication (MFA): Combines two or more factors from different categories (something you know, have, or are) for stronger security; e.g., password + OTP. App- or hardware-based second factors are stronger than SMS codes, and FIDO2/WebAuthn authenticators resist phishing.
    • Biometric authentication: Uses unique physical traits; types include fingerprint, retina/iris scan, and facial recognition. Caveat: a biometric cannot be changed if its template leaks, so it is usually combined with another factor.
  • Password Best Practices:
    • Prefer long, unique passwords or passphrases (length matters more than complexity rules) and use a password manager.
    • Screen new passwords against breached-password lists, and change a password when compromise is suspected; forced periodic rotation without such evidence is no longer recommended (NIST SP 800-63B).
    • Store passwords only as salted, slow hashes (PBKDF2, bcrypt, scrypt or Argon2), never in plaintext or reversible form.
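The storage and verification side of password-based authentication, as an added example that is not part of the original notes: a set-time policy check (length plus breach screening), PBKDF2 hashing with a per-user random salt, and a constant-time comparison on verification. The iteration count, minimum length and the small breached-password set are constructed assumptions for this example.

```python
import hashlib
import hmac
import os

# Parameters are assumptions for this example; tune the iteration count to the
# server so that one verification costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MIN_LENGTH = 12

# Constructed stand-in for a breached-password corpus. In production, screen
# against a real list (e.g. a k-anonymity range query against Have I Been Pwned).
BREACHED = {"password", "password1234", "123456789012", "qwerty123456"}


def password_acceptable(password: str) -> tuple[bool, str]:
    """Policy check at set/change time: length and breach screening only.

    No composition rules and no forced rotation: those push users toward
    predictable patterns without raising the cost of an offline attack.
    """
    if len(password) < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    if password.lower() in BREACHED:
        return False, "appears in a breached-password list"
    return True, "ok"


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a fresh random salt.

    The salt makes identical passwords hash differently, so a leaked table
    cannot be attacked with one precomputed (rainbow) table.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iter_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iter_s)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never fall through to a comparison
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    ok, reason = password_acceptable("correct horse battery staple")
    print("policy:", ok, reason)
    record = hash_password("correct horse battery staple")
    print("stored:", record[:40] + "...")
    print("verify right:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Correct horse battery staple", record))
```

Because the iteration count is embedded in the stored record, it can be raised later for new hashes while old records still verify; re-hash on the next successful login to migrate them.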

Access Control

  • Definition: Deciding, for each request, whether an authenticated subject may perform an operation on a resource, and enforcing that decision.
  • Based On:
    • User identity
    • Role
    • Permissions

Types of Access Control Models

  1. Discretionary Access Control (DAC):
    • The object's owner decides who gets which permissions (e.g., NTFS ACLs on Windows, Unix file modes).
    • Strengths: Flexible; Weaknesses: Owners can over-share, and any process running as a user inherits all of that user's rights, so a compromised account or malicious insider carries those rights with it.
  2. Mandatory Access Control (MAC):
    • Permissions are set by a central authority through labels on subjects and objects that users cannot override (e.g., military classification levels; SELinux on Linux).
    • Strengths: Strong, system-wide control; Weaknesses: Less flexibility and more administrative effort.
  3. Role-Based Access Control (RBAC):
    • Permissions are attached to roles (e.g., Admin, User, Guest) and users are assigned roles, so a job change means changing role membership, not individual grants.
    • Strengths: Easier management; reduces human error; Weaknesses: roles defined too finely lead to "role explosion" that is as hard to audit as per-user grants.
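The three models side by side, as an added example that is not part of the original notes. DAC lets only the owner edit an object's ACL; MAC applies the Bell-LaPadula confidentiality rules (no read up, no write down) to centrally assigned labels, chosen here as one concrete MAC policy; RBAC resolves a user's permissions through role membership. The users, labels and role names are constructed.

```python
from dataclasses import dataclass, field


# ---- DAC: the object's owner decides who gets which permission --------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of permissions

    def grant(self, granter: str, subject: str, perm: str) -> None:
        # Only the owner may change the ACL; that is what makes it "discretionary".
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this object")
        self.acl.setdefault(subject, set()).add(perm)

    def allows(self, subject: str, perm: str) -> bool:
        return subject == self.owner or perm in self.acl.get(subject, set())


# ---- MAC: labels assigned centrally; Bell-LaPadula confidentiality rules ------
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


def mac_allows(clearance: str, classification: str, perm: str) -> bool:
    subject, obj = LEVELS[clearance], LEVELS[classification]
    if perm == "read":
        return subject >= obj   # simple security property: no read up
    if perm == "write":
        return subject <= obj   # *-property: no write down
    raise ValueError(f"unknown permission {perm!r}")


# ---- RBAC: permissions attach to roles, users get roles -----------------------
ROLE_PERMS = {
    "admin": {"read", "write", "delete", "manage_users"},
    "user": {"read", "write"},
    "guest": {"read"},
}
USER_ROLES = {"alice": {"admin"}, "bob": {"user"}, "eve": {"guest"}}


def rbac_allows(user: str, perm: str) -> bool:
    # A user with no roles (or an unknown user) gets nothing: deny by default.
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob read:", doc.allows("bob", "read"), "| bob write:", doc.allows("bob", "write"))
    print("MAC  SECRET reads CONFIDENTIAL:", mac_allows("SECRET", "CONFIDENTIAL", "read"),
          "| SECRET writes CONFIDENTIAL:", mac_allows("SECRET", "CONFIDENTIAL", "write"))
    print("RBAC eve write:", rbac_allows("eve", "write"),
          "| alice manage_users:", rbac_allows("alice", "manage_users"))
```

The MAC write rule surprises people: a SECRET subject may not write to a CONFIDENTIAL object, because that would be a channel for leaking SECRET data downward. Integrity models such as Biba invert the arrows.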

Principle of Least Privilege (PoLP)

  • Users/applications should have minimal access necessary.
  • Reduces insider threats and lateral movement during attacks.

Database-Level Authentication Methods

  • Username and password.
  • Certificate-based authentication.
  • Integrated authentication through the operating system or directory service, so the database never sees a password (e.g., SQL Server Windows Authentication against Active Directory via Kerberos; LDAP authentication in databases such as PostgreSQL).

Privilege Escalation and Monitoring

  • Privilege Escalation: Gaining higher access than intended, usually through weak controls or misconfigured permissions rather than a software bug.
    • Example: Exploiting weak file permissions (such as a writable script or binary that a privileged service runs) to elevate a user account to admin.
  • Auditing and Monitoring: Track user activity to identify suspicious behavior (e.g., SQL Server Audit); in particular alert on bursts of failed logins, a success that follows them, and changes to role membership or high-privilege grants.

Access Control Best Practices

  • Apply least privilege principles.
  • Enable multi-factor authentication, preferring phishing-resistant methods (FIDO2/WebAuthn) for privileged and remote access.
  • Monitor and log access activities.
  • Regularly review permissions.

Handling Failed Logins

  • Implement account lockout policies, but with care: a hard lockout keyed on the username alone lets an attacker deny service to any user by guessing wrong on purpose, so prefer escalating delays, short temporary locks, or keying on the (user, source) pair.
  • Monitor failed login attempts and alert on bursts, on successes that follow them, and on many accounts targeted from one source.
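A lockout policy implemented as code, as an added example that is not part of the original notes: failures are counted per (user, source) inside a sliding window, the lock duration doubles on each successive lockout up to a cap, a correct password is refused while the lock holds, and a success clears the counters. The thresholds and durations are assumptions; the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict

# Policy parameters are assumptions for this example.
MAX_FAILURES = 5            # failures within WINDOW_SECONDS that trigger a lock
WINDOW_SECONDS = 15 * 60
BASE_LOCK_SECONDS = 60      # first lock; doubles each time, capped below
MAX_LOCK_SECONDS = 60 * 60


class LockoutPolicy:
    """Escalating lockout keyed on (user, source).

    Keying on the pair rather than the user alone limits the denial of service an
    attacker can cause by deliberately failing logins against a victim's account.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(list)    # key -> failure timestamps
        self.locked_until = {}               # key -> time the lock expires
        self.lock_count = defaultdict(int)   # key -> lockouts so far (drives escalation)

    @staticmethod
    def _key(user, source):
        return (user, source)

    def is_locked(self, user, source):
        return self.clock() < self.locked_until.get(self._key(user, source), 0)

    def record_failure(self, user, source):
        """Register a failure; return the lock duration if this one triggered a lock, else 0."""
        now = self.clock()
        k = self._key(user, source)
        stamps = [t for t in self.failures[k] if now - t <= WINDOW_SECONDS]
        stamps.append(now)
        self.failures[k] = stamps
        if len(stamps) < MAX_FAILURES:
            return 0
        self.lock_count[k] += 1
        duration = min(BASE_LOCK_SECONDS * 2 ** (self.lock_count[k] - 1), MAX_LOCK_SECONDS)
        self.locked_until[k] = now + duration
        self.failures[k] = []
        return duration

    def record_success(self, user, source):
        k = self._key(user, source)
        self.failures.pop(k, None)
        self.lock_count.pop(k, None)

    def attempt(self, user, source, credentials_valid):
        """Decision for one login attempt: 'locked', 'ok' or 'denied'."""
        if self.is_locked(user, source):
            return "locked"   # checked first: even a correct password is refused
        if credentials_valid:
            self.record_success(user, source)
            return "ok"
        return "locked" if self.record_failure(user, source) else "denied"


if __name__ == "__main__":
    policy = LockoutPolicy()
    for i in range(1, 7):
        print(f"attempt {i}: {policy.attempt('alice', '10.0.0.5', False)}")
    print("correct password while locked:", policy.attempt("alice", "10.0.0.5", True))
    print("same user, other source:", policy.attempt("alice", "10.0.0.9", True))
```

Return the same "locked" result whether or not the password was right, and the same error text whether or not the username exists, so the response does not leak either fact. The escalation state is reset by a genuine success, not by waiting, so a persistent attacker sees the lock grow toward the cap.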

Insider and External Threats

  • Insider Threats: Threats from authorized users; mitigated by least privilege and monitoring.
  • External Threats: Include brute-force/credential-stuffing attacks and phishing; strong password policies and lockout help against the former, while phishing is mitigated by MFA (phishing-resistant methods where possible) and user awareness, since a strong password is simply handed over on a fake login page.

Identity Protection

  • Microsoft Entra ID Protection (formerly Azure AD Identity Protection) helps safeguard identities & sensitive data using machine learning and risk-based adaptive policies.
  • Detects unusual sign-ins and compromised credentials (e.g., impossible travel, leaked passwords) and responds with additional verification such as MFA or a forced password reset.

Incident Response for Access Violations

  • Steps to follow:
    • Identify: which account, from where, what was accessed or changed (use the audit trail).
    • Contain: disable the account, revoke active sessions and tokens, remove any granted privileges.
    • Recover: reset credentials, restore affected data, and fix the control that allowed the violation.
    • Report: to management and, where a regulation applies, to the regulator and affected individuals within the required deadline.

Future Trends in Authentication

  • Include passwordless authentication (e.g., FIDO2/WebAuthn passkeys) and AI-driven, risk-adaptive access control that adjusts requirements to the context of each request.

Compliance Requirements

  • GDPR: Protects personal data of individuals in the EU/EEA (regardless of citizenship); processing needs a lawful basis, of which consent is one, and data subjects have rights including access, rectification and erasure.
  • HIPAA: Protects protected health information (PHI); the Security Rule mandates administrative, physical and technical safeguards.
  • PCI DSS: Ensures secure handling of cardholder data; applies to any organization that stores, processes or transmits it.
  • Non-Compliance Penalties: Range from fines to operational restrictions based on the regulation.