SEC835 Identity and Access Management Overview

Tasks of IAM
- Specify the rules of electronic identity
- Maintain identity
- Validate identity
- Define access privileges
- Validate access privileges

Identity
- Basic identity: a user's ID generated to be used by a given application
- Federated identity: a user's ID assembled from many sites in a distributed environment; with a single ID a user can communicate with many sites

Identity lifecycle
- User provisioning: create an electronic identity and its access privileges
- Identity lifecycle: an electronic identity is an object that changes its state from being created to being destroyed. Between the two ends it can have other states that reflect the user's state, e.g. pending, not active.
- Identity assurance: the method of determining that the electronic identity belongs to the right person

Authentication
- Identity validation: verify that this identity is correct (belongs to the set of valid identities)
- Identity proof: verify that the validated identity belongs to the right person. We need validation factors to do that; this is user authentication.
- Credential issuing: match the valid identity to the relevant access privileges. The two together are known as the user's credentials.
- Credential assurance: credentials also need assurance, since they may be intercepted and misused (impersonation attack)
- Graded authentication: authentication may be completed in stages, starting from a simpler one (e.g. one factor) and growing to more secure ones if there are business needs.

Authentication factors
- Something you know: password, secret word
- Something you have: smart card, token
- Something you are: biometrics (fingerprints, retina)

Single-factor authentication: password
- Must be strong: long, complicated structure, not a dictionary word
- Changed regularly: always change a system-generated password; periodic changes of user-selected passwords
- Stored hashed or encrypted: the hash cannot be reversed; must be resistant to brute-force attacks
- Precautions against information disclosure attacks: information disclosure through security holes in the application
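As an added illustration (not part of the slides), the following Python implements the password rules on this slide: a strength check (length, character classes, no dictionary base word) and salted, iterated PBKDF2 storage so the stored value cannot be reversed and brute force is slow. The minimum length, the iteration count and the tiny word list are constructed assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed deny-list standing in for a real dictionary (assumption: deployments use a full word list).
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "admin"}
PBKDF2_ITERATIONS = 600_000  # work factor that makes offline brute force expensive (assumed value)


def password_is_strong(pw, min_length=12):
    """Slide policy: long, complicated structure, not built on a dictionary word."""
    if len(pw) < min_length:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        return False
    # Strip digits/symbols so "Password123!" is still recognised as "password".
    base = re.sub(r"[^a-z]", "", pw.lower())
    return base not in DICTIONARY


def hash_password(pw, salt=None):
    """Store a salted, iterated hash; the password cannot be restored from it."""
    salt = salt or os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(pw, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```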

Two-factor authentication
- Second factor: identify its type
  - RSA certificate (PKI technology)
  - Smart card (Entrust card)
  - Telephone factor
  - Secret words
  - Fingerprints
- Out-of-band authentication: use additional input that does not belong to the system

Authentication mechanisms
- Basic authentication: mechanism provided by web browsers; this is weak authentication
- Form-based authentication: mechanism that is built and controlled by the application; recommended for commercial applications; required to implement two-factor authentication
- Single Sign-On (SSO): the access control mechanism that allows authenticating a user just once when the user needs access to several applications

Strong authentication mechanism
- Strong identity: at least two factors
- Strong authentication protocol, combined with secure session management and supported by other security mechanisms like encryption

Second factor choice (Lab 5, Part 1)
How to decide about the second factor? Read the article and provide a written answer to the following question:
1. For each of the factors, identify the category of authentication mechanism (out of the three known categories: something you know, something you have, something you are).
Work individually or with your teammates (up to 3 people). Send the answer by today.

Access control
- Access Control List (ACL): maps identities to resources and shows the allowed actions in terms of Read/Write/Update
- Role-based access control: the application considers the end users' roles; privileges are assigned to the roles, not to people; privileges specify access to functions and data
- Attribute-based access control: privileges take into account the level of sensitivity of data and functions in addition to the roles

Role-based Access Control
- Often used for eCommerce applications
- Users are assigned their roles in business processes, e.g. operator, teller, customer service representative, etc.
- Privileges are assigned to roles, not to individuals
- All users that play the same role have the same level of privileges
- Individuals move in and out, but roles persist

Attribute-based Access Control
- Differentiates access privileges within a group of users who play the same role
- Data attribute values or characteristics of functions are used as the differentiating factors
- Examples:
  - An operator has the right to read data but does not have the right to delete them
  - A teller has the right to perform transactions that are below $500; for larger amounts she needs her manager

RBAC vs. ABAC
- ABAC provides more granular access control than RBAC
- Both are used for eCommerce
- ABAC always assumes custom development
- RBAC tooling is part of today's application servers (WebSphere, WebLogic)

Access control policy
The access control policy sets the rules for:
- ID and password creation: length, characters to be used
- Assigning privileges: map privileges to business functions or attributes
- Maintaining identity and access privileges: periodic changes, review, etc.

Access Control (cont.): additional security measures
- Least privilege: one has access to data or functions on a "need to know" basis
- Separation of duties: sensitive functions always require more than one person to complete

Access Control Implementation
- IDs and passwords are stored in LDAP or an RDB
- Privileges for RBAC or ABAC are stored in an RDB or in a special data repository
- Passwords must be hashed
- The application must implement different views for different roles

View Patterns for RBAC
- Full View with Exceptions: the operations available in an application are made visible to users, but access attempts are guarded.
- Limited View: a user can see, and access, only the operations he/she is entitled to use.
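The RBAC and ABAC slides above and the two view patterns, combined in one added Python example (not the course's own code): a constructed role-to-function matrix using the deck's R/W/U actions, an attribute rule for the teller's $500 limit, a guarded authorize() for Full View with Exceptions that also returns an auditable reason, and limited_view() for Limited View. The matrix contents, role names and function names are assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed RBAC matrix (an assumption, not from the slides): role -> function -> allowed
# actions, in the deck's Read/Write/Update vocabulary. Privileges hang off roles, not people.
RBAC_MATRIX = {
    "operator": {"customer_data": {"R"}, "transactions": {"R"}},
    "teller": {"customer_data": {"R", "U"}, "transactions": {"R", "W"}},
    "manager": {"customer_data": {"R", "W", "U"}, "transactions": {"R", "W", "U"}},
}

TELLER_LIMIT = Decimal("500")  # from the slide: a teller may perform transactions below $500


@dataclass
class Request:
    role: str
    function: str
    action: str
    attrs: dict = field(default_factory=dict)  # data attributes, e.g. {"amount": 250}


def rbac_allows(req):
    """Role-based check: is this action on this function granted to the role at all?"""
    return req.action in RBAC_MATRIX.get(req.role, {}).get(req.function, set())


def abac_allows(req):
    """Attribute-based refinement: data values differentiate users who share a role."""
    if req.role == "teller" and req.function == "transactions" and req.action == "W":
        amount = req.attrs.get("amount")
        return amount is not None and amount < TELLER_LIMIT  # missing amount -> deny
    return True  # no attribute rule for this request; the RBAC decision stands


def authorize(req):
    """Full View with Exceptions: every access attempt is guarded and both layers must agree.
    Returns (decision, reason) so each decision can be logged and audited."""
    if not rbac_allows(req):
        return False, "rbac: role lacks privilege"
    if not abac_allows(req):
        return False, "abac: attribute rule denied"
    return True, "allowed"


def limited_view(role):
    """Limited View: only the (function, action) pairs this role is entitled to use."""
    grants = RBAC_MATRIX.get(role, {})
    return sorted((f, a) for f, actions in grants.items() for a in actions)
```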

IAM technology conceptual architecture

Strong access control requirements
A strong access-control mechanism must be:
- Policy based
- Centralized at a single point
- Invoked on every access request; it cannot be avoided
- Reliable, in that its operation cannot be subverted by hostile parties
- Auditable

Strong Access Control Mechanism Checklist
- Ensure that the access-control matrix is built for all development stages of the application (business, architecture, and design).
- Ensure that all URLs and business functions are protected, as well as data.
- Ensure that requests for data stored in the RDB go through the access-control mechanism. At this point, the process must be authenticated and its access privileges verified.
- Avoid having files or libraries located in the Web root directory.
- Block access to all file types that are not used by the application.
- Keep virus protection and patches up to date.

Data classification
How to determine the need for a strong access control mechanism?
- Each organization has its data classification policy
- Data is classified by degree of sensitivity in terms of confidentiality and integrity
- Standard classification includes: highly confidential, confidential, public
- This provides a clue to how strong the access control mechanism must be, and reflects the requirements for each category of users

Users' discretion
- Users have different levels of privilege to access data
- Overall consideration of privileges takes into account: need to know; what operations are required (R/W/U); how sensitive the data is

Access Management Features
Given that the account is viable, the application will use it to protect its assets by:
- Identifying a user
- Authenticating a user
- Checking a user's privileges to access the system assets
- Providing access in accordance with the privileges
Strong authentication, session management, and access control patterns are recommended. In a distributed environment we recommend using a Single Sign-On (SSO) component as the Portal's access-management front-end.

Top IAM technologies
- Sun Microsystems
- IBM
- Oracle

RBAC matrix exercise (GRP project)
- Role: GRP Portal Admin
- Functions: create support tables
- Database tables: Catalog, Event Types, Categories

RBAC Access control in practice (Lab 5, Part 2)
Complete the RBAC matrix for a GRP role relevant to your mini-projects. Send it by today.