Thursday, April 25, 2019

Identity and Access Management (IdAM) (draft)

Identity and Access Management (IdAM or IAM) is the mechanism used to authenticate an entity and to authorize it to access a resource.

Several well-known services exist for authentication, including Active Directory, Lightweight Directory Access Protocol (LDAP), Remote Authentication Dial-In User Service (RADIUS), Internet Authentication Service (IAS) (Microsoft's implementation of RADIUS), Terminal Access Controller Access-Control System Plus (TACACS+) (a Cisco-developed authentication, access, and accounting solution for networking devices), and Network Information Service (NIS). With the proliferation of cloud-based services, cloud service providers are offering identity and access services that are highly scalable, robust, and secure. Examples include Amazon Web Services (AWS) Identity and Access Management (IAM) and several choices for implementing Active Directory: AD Connector, Simple AD, and Microsoft AD. Rackspace has a good article that compares the different directory service offerings. Some things to consider when implementing authentication services:

  • Managing multiple services is an administrative burden and is not an efficient use of resources. Building one robust service (e.g. Active Directory) and configuring applications to use it is easier to manage than setting up separate authentication realms. This approach is known as single sign-on (SSO): using one credential to access many services.
  • There are several methods to authenticate an entity, such as username/password, smartcard, challenge questions, one-time token, biometric, etc. Use of multifactor authentication (MFA) is highly recommended, which requires something a user knows (e.g. password) and something the user has (e.g. smartcard) or is (e.g. fingerprint).
  • Implement a lockout policy and a recovery mechanism for lost or forgotten passwords. One example of a solution for this is SysOp Tools Password Reset Pro. For hosted services (e.g. Office 365), use the administrative tools to configure a policy that does this.
  • Implement a logging and audit policy to review authentication events: for example, use of privileged accounts, failed access attempts, and anomalies in access times and/or geographic location (e.g. a user attempting to log in from the US and then 10 seconds later from the UK).
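The review described in the last bullet can be automated. The following is an added example (not from the original post) that runs three checks over constructed sample authentication events: privileged-account use, bursts of failed access that would also trigger a lockout rule, and impossible travel such as the US-then-UK case above. The event fields (`ts`, `user`, `result`, `country`, `privileged`) and the thresholds are assumptions for illustration.

```python
"""Review of authentication events for the anomalies listed above:
privileged-account use, bursts of failed access, and impossible travel
(the same user in two countries seconds apart).  Added example; the event
fields and the sample records are constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from a real system). Assumed fields:
# ISO-8601 UTC timestamp, user, outcome, source country, privileged flag.
SAMPLE_EVENTS = [
    {"ts": "2019-04-25T08:00:00", "user": "alice", "result": "success", "country": "US", "privileged": False},
    {"ts": "2019-04-25T08:00:10", "user": "alice", "result": "success", "country": "GB", "privileged": False},
    {"ts": "2019-04-25T08:01:00", "user": "bob", "result": "failure", "country": "US", "privileged": False},
    {"ts": "2019-04-25T08:01:05", "user": "bob", "result": "failure", "country": "US", "privileged": False},
    {"ts": "2019-04-25T08:01:09", "user": "bob", "result": "failure", "country": "US", "privileged": False},
    {"ts": "2019-04-25T08:01:20", "user": "bob", "result": "failure", "country": "US", "privileged": False},
    {"ts": "2019-04-25T08:01:30", "user": "bob", "result": "failure", "country": "US", "privileged": False},
    {"ts": "2019-04-25T09:00:00", "user": "svc-admin", "result": "success", "country": "US", "privileged": True},
    {"ts": "2019-04-25T10:00:00", "user": "carol", "result": "success", "country": "US", "privileged": False},
    {"ts": "2019-04-25T14:00:00", "user": "carol", "result": "success", "country": "DE", "privileged": False},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def impossible_travel(events, max_gap_seconds=3600):
    """Consecutive successful logins by one user from different countries
    closer together than max_gap_seconds. Returns (user, from, to, gap)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            gap = (_when(cur) - _when(prev)).total_seconds()
            if prev["country"] != cur["country"] and gap < max_gap_seconds:
                findings.append((user, prev["country"], cur["country"], int(gap)))
    return findings


def failed_login_bursts(events, threshold=5, window_seconds=300):
    """Users with at least `threshold` failures inside any window of
    window_seconds; the same numbers would drive an account-lockout rule.
    Returns {user: failures_in_window}."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]].append(_when(e))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def privileged_logins(events):
    """Every successful use of a privileged account, for manual review."""
    return [(e["ts"], e["user"]) for e in sorted(events, key=lambda e: e["ts"])
            if e["privileged"] and e["result"] == "success"]


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SAMPLE_EVENTS))
    print("failed bursts:", failed_login_bursts(SAMPLE_EVENTS))
    print("privileged logins:", privileged_logins(SAMPLE_EVENTS))
```

With the sample data, alice is flagged for impossible travel (US to GB in 10 seconds) while carol is not (four hours between countries), and bob's five failures in 30 seconds exceed the burst threshold. In practice the country field would come from a GeoIP lookup on the source address, and the thresholds should be tuned to the organization's own baseline.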

Access management concerns governing permissions and rights to resources once the identity of an entity has been verified by the authentication service described above. This is implemented through file system permissions and through role definition and assignment.

Per Department of the Army Pamphlet (PAM) 25-2-7, Information Management: Army Cybersecurity (Army Information System Privileged Access), DA Form 7789 (Privileged Access Agreement and Acknowledgment of Responsibilities) is required after 4 May 2019. Individuals requiring elevated access to system control, monitoring, administration, criminal investigation, and/or compliance functions must complete and sign a Privileged Access Agreement (PAA). Categories and specialties within the cybersecurity workforce that require a PAA include:
  • those requiring modification access to the configuration control functions of the IS/network and administration (e.g. user account management);
  • those with access to change control parameters (e.g. routing tables, path priorities, addresses of routers, multiplexers, and other key IS/network equipment or software);
  • those with the ability and authority to control and change program files, and other users' access to data;
  • those with direct access to operating-system-level functions that could permit system controls to be bypassed or changed;
  • those with access and authority to install, configure, monitor, and/or troubleshoot the security monitoring functions of IS/networks, or in the performance of cyber/network defense operations.

Privileged Access Management (PAM; sometimes Privileged Account Management) refers to the oversight of privileged user access to critical data and systems. PAM solutions implement features such as an access manager (the point of entry that handles user requests and gives administrators the ability to grant and revoke access), a password manager (protects, stores, and rotates passwords, eliminating the need for users to have direct access to sensitive credentials), and a session manager (traces and monitors privileged activity, and terminates and reports suspicious activity automatically or manually).
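To make those three features concrete, here is an added example of a minimal privileged-credential broker. It is not any vendor's product and not code from the original post; the account names, approval lifetime and data model are assumptions. Approvals are granted and revoked (access manager), a password is only released against a valid approval and a stated reason and is rotated on check-in so the disclosed value stops working (password manager), and every decision lands in an activity log that a terminate action closes out (session manager).

```python
"""A minimal privileged-credential broker with the three features named
above: an access manager (grant/revoke approvals), a password manager (a
vault that rotates the secret after every use) and a session manager (an
activity log with termination).  Added example, not any vendor's product;
the accounts and data model are constructed."""
import secrets
from datetime import datetime, timedelta, timezone


class PrivilegedBroker:
    def __init__(self):
        self.vault = {}       # account -> current password
        self.approvals = {}   # (user, account) -> approval expiry
        self.rotations = {}   # account -> how many times rotated
        self.activity = []    # audit trail of every request and decision

    def enroll(self, account):
        """Take custody of a privileged account; no user ever learns a
        password that outlives their session."""
        self.vault[account] = secrets.token_urlsafe(24)
        self.rotations[account] = 0

    # --- access manager: who may request which account, and until when
    def grant(self, approver, user, account, minutes=60):
        expiry = datetime.now(timezone.utc) + timedelta(minutes=minutes)
        self.approvals[(user, account)] = expiry
        self._record("grant", approver, account, f"for {user}")

    def revoke(self, approver, user, account):
        self.approvals.pop((user, account), None)
        self._record("revoke", approver, account, f"for {user}")

    # --- password manager: checkout requires a live approval and a reason
    def checkout(self, user, account, reason):
        expiry = self.approvals.get((user, account))
        if not reason or expiry is None or expiry < datetime.now(timezone.utc):
            self._record("denied", user, account, reason)
            return None
        self._record("checkout", user, account, reason)
        return self.vault[account]

    def checkin(self, user, account):
        """Rotate on return so the password that was disclosed stops working."""
        self.vault[account] = secrets.token_urlsafe(24)
        self.rotations[account] += 1
        self._record("checkin", user, account, "rotated")

    # --- session manager: terminate and report suspicious activity
    def terminate(self, user, account, why):
        self.approvals.pop((user, account), None)
        self.checkin(user, account)
        self._record("terminated", user, account, why)

    def actions(self):
        """The sequence of logged actions, for audit review."""
        return [a["action"] for a in self.activity]

    def _record(self, action, actor, account, detail):
        self.activity.append({"ts": datetime.now(timezone.utc).isoformat(),
                              "action": action, "actor": actor,
                              "account": account, "detail": detail})


if __name__ == "__main__":
    broker = PrivilegedBroker()
    broker.enroll("db01-root")                      # constructed account name
    broker.grant("admin", "dave", "db01-root")
    password = broker.checkout("dave", "db01-root", "apply patches")
    broker.checkin("dave", "db01-root")
    print("password rotated:", password != broker.vault["db01-root"])
    print("actions:", broker.actions())
```

The point of the rotation on check-in is that a password copied out of the session has no value afterwards; the point of the mandatory reason is that the audit trail records why privileged access was used, which is what the lockout and audit policy above needs to review.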

Authentication

  • Password policy
  • Multi-factor Authentication (MFA)
  • Single Sign-On (SSO). Minimizes the number of credentials needed and the number of authentication realms to manage, and lets you audit diligently in one place. SSO can provide MFA for applications that don't support it themselves.

Authorization

Authorization is the concept controlling what a user is allowed (or not allowed) to do once they are authenticated. In IAM terms, authentication + authorization = access.

Governance is the concept of periodically attesting to the appropriateness (or correctness) of user authorizations.

Identity analytics is an emerging discipline of IAM that evaluates the permissions, rights and entitlements of individuals and detects anomalies. Identity analytics is an effective way to uncover errors in provisioning (we'll call it over-provisioning) and to discover purposeful rights escalation activities. It can prevent the activities of external bad actors and detect internal risks before they can become a threat.
  • Provisioning. Defining roles and assigning the user to the correct role(s) that provide the rights necessary to do their job.
  • Deprovisioning. Removing those rights.
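The authorization, governance, identity-analytics and provisioning passages above all rest on the same data: roles, the permissions they carry, and the roles each job function is expected to hold. The following added example (not code from the original post) models that in one place: `is_authorized` is the access decision after authentication, `provision` and `deprovision` assign and strip roles, and `attest` is the periodic governance pass that flags over-provisioning by comparing each user's roles against the baseline for their job. The roles, permissions and job functions are constructed for illustration.

```python
"""Role-based authorization with provisioning, deprovisioning and a
governance/identity-analytics pass that flags over-provisioning.  Added
example; roles, permissions, users and job functions are constructed."""

# Roles map to permissions (constructed sample).
ROLES = {
    "helpdesk": {"ticket:read", "ticket:write", "user:reset_password"},
    "developer": {"repo:read", "repo:write", "ticket:read"},
    "sysadmin": {"server:login", "server:configure", "user:manage"},
}

# The roles each job function is expected to hold: the baseline that a
# periodic attestation compares actual assignments against.
JOB_BASELINE = {
    "Help Desk Technician": {"helpdesk"},
    "Software Engineer": {"developer"},
    "System Administrator": {"sysadmin"},
}


class Directory:
    def __init__(self):
        self.users = {}  # user -> {"job": ..., "roles": set(), "disabled": bool}

    def provision(self, user, job):
        """Create the account with exactly the roles the job calls for."""
        self.users[user] = {"job": job, "roles": set(JOB_BASELINE[job]), "disabled": False}

    def grant(self, user, role):
        self.users[user]["roles"].add(role)

    def revoke(self, user, role):
        self.users[user]["roles"].discard(role)

    def deprovision(self, user):
        """Strip all rights but keep the record so the audit trail shows it."""
        self.users[user]["roles"].clear()
        self.users[user]["disabled"] = True

    def permissions(self, user):
        rec = self.users.get(user)
        if rec is None or rec["disabled"]:
            return set()
        return set().union(*(ROLES[r] for r in rec["roles"]))

    def is_authorized(self, user, permission):
        """Authentication is assumed to have succeeded; this is the
        authorization half of authentication + authorization = access."""
        return permission in self.permissions(user)

    def attest(self):
        """Governance pass: any role beyond the job baseline is flagged as
        over-provisioning for a manager to confirm or revoke."""
        findings = {}
        for user, rec in self.users.items():
            if rec["disabled"]:
                continue
            extra = rec["roles"] - JOB_BASELINE[rec["job"]]
            if extra:
                findings[user] = sorted(extra)
        return findings


def demo():
    """Constructed scenario: a temporary admin grant that was never revoked,
    and a departed user whose account was deprovisioned."""
    d = Directory()
    d.provision("alice", "Help Desk Technician")
    d.provision("bob", "Software Engineer")
    d.grant("bob", "sysadmin")  # granted for an incident, never revoked
    d.provision("carol", "System Administrator")
    d.deprovision("carol")      # carol left the organization
    return d


if __name__ == "__main__":
    d = demo()
    print("alice may reset passwords:", d.is_authorized("alice", "user:reset_password"))
    print("over-provisioned:", d.attest())
```

Running `attest()` on the demo directory reports bob's leftover `sysadmin` role, which is exactly the over-provisioning the identity-analytics paragraph describes; revoking it clears the finding, and carol's deprovisioned account is authorized for nothing.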

Identity Solution Providers:
  • Auth0. Role-based access control. "Organizations" - allows clients to manage roles. Developer friendly. Note Auth0 was acquired by Okta.
PAM:
  • CyberArk.
  • Thycotic.
  • BeyondTrust. Call 7/26/2021. Nick Shaw, Anthony White (DoD and DHA), Steven Schullo (Solutions Engineer). Endpoint Privilege Management (agent-based; Windows, Mac, Unix; licensed by asset, number of users doesn't matter; allows access to privileged functions: the process gets elevated vice the user). BeyondInsight (command and control/management auditing; can also control through ePO as well as GPO; can be run on-premise or SaaS in Azure, AWS, GCP; working on FedRAMP ATO; look for BeyondTrust in CSP marketplace). Whitelist, blacklist, and Assistance Required (need code from Service Desk). Only responsible for compute cost. Credentials Required (provide credential as well as reason). Password Safe. Cloud Privilege Broker (coming this summer).
  • Wallix
Identity Governance
Resources:
Additional References:
  • NIST SP 800-53 AC Control Family
Relevant Articles:
