Security+ Domain #4: Identity and Access Management

May 31, 2018 by Claudio Dodt


Put simply, Identity and access management (IAM) can be defined as the security discipline that makes sure the right individuals can access the right resources, at the right times, exclusively for the right reasons. In essence, this is one of the most basic security controls every organization should be using, but in truth, it is far more complex than simply assigning a username and password to the new employee that has just arrived at the company.

Of course, IAM is an essential part of CompTIA’s Security+, with the 4th domain (Identity and Access Management) taking 16% of the exam, and there is good reason for that: This certification focuses on validating the foundation-level skills and knowledge that are needed to perform core security functions and pursue an IT security career. In the real world, IAM is a critical consideration for every company that wishes to protect its data. A simple mistake, such as accidentally granting a user access to a critical resource, could lead to a major incident such as unauthorized access to personally identifiable information or data loss/leakage.

So, if you are going for the Security+ certification, here is a list of IAM topics you must be familiar with:

  1. Compare and contrast identity and access management concepts: As with any important topic, learning should start with the basic concepts. For Identity and Access Management, a sensible starting point is understanding what identification, authentication, authorization, and accounting (AAA) are. Identification happens when a user claims an identity with an identifier such as a username, email address, or even a physical badge. After that, the user must prove that identity through authentication, most commonly done with a password. Once identified and authenticated, a user can be authorized to access an object. Accountability is necessary to track whatever the user does with that object; after all, users are supposed to be responsible for their actions.

    Other IAM concepts include Multifactor Authentication, which combines multiple authentication factors such as something you know (e.g. a password), something you are (e.g. biometric readings), something you have (e.g. a smartcard or token), and even somewhere you are (e.g. geolocation) or something you do (e.g. gestures or patterns on a touch screen); Federation, sharing identity information among several entities and across trust domains (e.g. using Facebook authentication on a completely different service); Single sign-on, the capability to authenticate once and be subsequently and automatically authenticated when accessing various target systems; and Transitive trust, an indirect trust relationship created by two or more direct trust relationships.

  2. Given a scenario, install and configure identity and access services: Now that you understand the basics of IAM, it is time to put concepts into practice. The Security+ certification exam will require candidates to be able to work with IAM services, such as the Lightweight Directory Access Protocol (LDAP), which specifies formats and methods to query directories, a database of objects providing a central access point to manage users, computers, and other directory objects. Another important topic is authentication methods, such as Kerberos, an authentication protocol used in Windows domains and some Unix environments. It relies on a Key Distribution Center (KDC) to issue timestamped tickets. For remote access, there are options such as RADIUS, the Remote Authentication Dial-In User Service, which provides a centralized method of authentication for multiple remote access servers. However, as it only encrypts the password packets and not the entire authentication process, IT Security pros must know alternatives such as TACACS+, Terminal Access Controller Access-Control System Plus, which can encrypt the entire authentication process.

    PAP and CHAP are both authentication protocols that make use of the Point-to-Point Protocol (PPP) to authenticate clients, but there is a significant difference: PAP sends passwords over the network in cleartext, a huge security gap. CHAP uses a handshake process that hashes a shared secret, allowing the client to pass credentials over a public network; even if attackers intercept the data, they cannot reuse it in an attack, as it is hashed together with a nonce (number used once).

    Many other important IAM services are covered by the Security+, such as NTLM, a group of protocols that can provide confidentiality, integrity, and authentication within Windows systems; OAuth, an open standard used for authorization with Internet-based single sign-on solutions; and OpenID Connect, another open standard, typically used with OAuth, that allows clients to verify the identity of end users without managing their credentials.

  3. Given a scenario, implement identity and access management controls: Making sure the right individuals have the right resources, but only for legitimate reasons, requires a management framework, and there is no lack of IAM controls designed just for that. Security+ candidates must understand the main access control models (the frameworks used for creating paradigms defining the relationships among permissions, operations, objects, and subjects). These include Mandatory Access Control (MAC), Discretionary Access Control (DAC), Attribute-based access control (ABAC), Role-based access control, and Rule-based access control. Each model has a different approach; for instance, when using MAC, users have limited power (or even no power at all) to define who can access their files, but in the DAC model, users can be designated as the ‘data owner’, allowing them to determine who can access specific resources within their ownership. Which model is the best? That is a trick question, as every model can have its advantage depending on how a company desires to control access to its data and how tight security must be.

    It is important to understand that most basic IAM concepts also apply to the physical world. For example, the identification, authentication, authorization and accounting (AAA) routine should also be enforced for sensitive physical environments and restricted areas (e.g. data centers). Controls must be in place to make sure identity is confirmed before granting access and, once access is actually granted, that it is both limited and properly monitored.

    By using proximity cards or, even better, smart cards, it is possible to control access to restricted areas. As usual, the best approach involves using multifactor authentication, especially when biometric factors based on a physical attribute (e.g. readings of fingerprints, retina, iris, voice/facial recognition and even ear shape!) are combined with a token (a physical device, usually small and similar in size to a USB stick, or a software-based solution such as an app installed on a mobile device).

  4. Given a scenario, differentiate common account management practices: As the final part of the Security+ IAM domain, candidates are also required to understand how user accounts are managed. This includes some basic security principles such as Least privilege, which means granting the user only minimal access to resources: only the rights and permissions needed to perform assigned tasks or functions, and no more. The least privilege principle should be the basis of a sound IAM process, and it should encompass the many different types of user accounts, including shared credentials (a credential used by more than one user) and guest accounts (a default set of permissions, usually with very few privileges, given to non-registered users of a system or service). The same goes for service or privileged accounts; in most cases, those are used to access critical resources, and the least privilege principle applies just as much. For instance, service accounts should have sufficient privileges for the service they are used for, and nothing more; as for privileged accounts (e.g. system administrators), they should have a limited scope. Not every admin should have access to all resources; for instance, endpoint admins should only have privileged access to, yes, I know you guessed it, endpoints and nothing more. The same could be said about server admins, as it’s possible to define admin groups for specific servers (e.g. domain admins, mail admins, database admins).

    There are lots of IAM practices that, if properly put in place, can be a great tool for enhancing security; for instance, it is possible to limit the time of day a user can access a resource, or to grant access using group-based access control instead of manually defining access privileges for each user. Of course, access permissions and usage should be regularly audited and reviewed.

    In the end, the best approach is centralized management of account policy enforcement, including defining password safety rules such as length, complexity, expiration, recovery means and user lockout, among others.
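
The PAP versus CHAP contrast from objective 2 is easiest to see in code. The following is an added example, not code from the article or from CompTIA: it models PAP (password sent as-is), the CHAP challenge-response as specified in RFC 1994 (MD5 over identifier, shared secret and challenge), and then replays a captured CHAP response against a fresh challenge to show why an intercepted handshake cannot be reused. The shared secret, username and the in-memory user database are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed example: the same shared secret is provisioned on the client and
# on the access server before any PPP session starts.
SHARED_SECRET = b"correct horse battery staple"   # constructed sample value


def pap_authenticate(username, password, user_db):
    """PAP: the client sends username and password as-is over the link.
    Returns (accepted, wire_bytes); wire_bytes is what an eavesdropper on the
    link would capture."""
    wire = username.encode() + b":" + password
    return user_db.get(username) == password, wire


def chap_challenge():
    """Authenticator side: pick an 8-bit identifier and a fresh random
    challenge (the nonce). A new challenge is generated for every exchange."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier, challenge, secret):
    """Peer side, as in RFC 1994: MD5 over identifier || secret || challenge.
    Only this digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, challenge, response, secret):
    """Authenticator side: recompute the digest with the stored secret and
    compare it in constant time."""
    expected = chap_response(identifier, challenge, secret)
    return hmac.compare_digest(expected, response)


def demo():
    """Run PAP, then CHAP, then replay a captured CHAP response against a
    fresh challenge. Returns a dict of outcomes."""
    user_db = {"alice": SHARED_SECRET}          # constructed user record

    pap_ok, pap_wire = pap_authenticate("alice", SHARED_SECRET, user_db)

    # Legitimate CHAP exchange.
    ident, challenge = chap_challenge()
    response = chap_response(ident, challenge, SHARED_SECRET)
    chap_ok = chap_verify(ident, challenge, response, SHARED_SECRET)

    # Someone who captured (ident, response) on the link presents them again:
    # the authenticator issues a new challenge, so the old digest no longer matches.
    ident2, challenge2 = chap_challenge()
    replay_ok = chap_verify(ident2, challenge2, response, SHARED_SECRET)

    # A peer holding the wrong secret fails even with the right challenge.
    wrong_ok = chap_verify(ident, challenge,
                           chap_response(ident, challenge, b"wrong"), SHARED_SECRET)

    return {
        "pap_accepted": pap_ok,
        "pap_secret_on_wire": SHARED_SECRET in pap_wire,
        "chap_accepted": chap_ok,
        "chap_secret_on_wire": SHARED_SECRET in response,
        "chap_replay_accepted": replay_ok,
        "chap_wrong_secret_accepted": wrong_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One caveat the exam material glosses over: because the authenticator must recompute the digest, CHAP requires it to store the shared secret in a recoverable form, which is why the server-side secret store needs the same protection as any other credential database.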

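The access control models listed under objective 3 (MAC, DAC, ABAC, role-based and rule-based) differ in who makes the access decision and on what basis. The following added example, which is not code from the article or from CompTIA, implements a minimal decision function for each model side by side; the object names, clearance levels, roles and the admin split (endpoint, mail, database) are constructed sample values chosen to mirror the article's own examples.

```python
from dataclasses import dataclass, field

# ---- DAC: the data owner decides who may access the object ------------------
@dataclass
class DacObject:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of permissions

    def grant(self, actor, subject, permission):
        """Only the owner may change the ACL: access is at the owner's discretion."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        self.acl.setdefault(subject, set()).add(permission)

    def allows(self, subject, permission):
        return subject == self.owner or permission in self.acl.get(subject, set())


# ---- MAC: labels are assigned by the system, and users cannot change them ---
CLEARANCE_ORDER = {"public": 0, "confidential": 1, "secret": 2, "top-secret": 3}

def mac_allows_read(subject_clearance, object_label):
    """Simple-security rule ('no read up'): a subject may read an object only
    if its clearance dominates the object's label."""
    return CLEARANCE_ORDER[subject_clearance] >= CLEARANCE_ORDER[object_label]


# ---- RBAC: permissions hang off roles; users are assigned roles -------------
ROLE_PERMISSIONS = {   # constructed sample roles
    "endpoint-admin": {"endpoint:patch", "endpoint:reboot"},
    "mail-admin": {"mail:manage-queue"},
    "db-admin": {"db:backup"},
}

def rbac_allows(user_roles, permission):
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)


# ---- Rule-based: a global rule such as a time-of-day window -----------------
def rule_allows(hour_of_day, window=(8, 18)):
    start, end = window
    return start <= hour_of_day < end


# ---- ABAC: combine attributes of subject, object and environment ------------
def abac_allows(subject, obj, environment):
    return (subject["department"] == obj["department"]
            and mac_allows_read(subject["clearance"], obj["label"])
            and environment["device_managed"])


def demo():
    """Exercise each model once and return the decisions as a dict."""
    results = {}

    # DAC: alice owns a spreadsheet and chooses to share it read-only with bob.
    report = DacObject("q3-report.xlsx", owner="alice")
    report.grant("alice", "bob", "read")
    results["dac_bob_read"] = report.allows("bob", "read")
    results["dac_bob_write"] = report.allows("bob", "write")
    try:
        report.grant("bob", "carol", "read")      # bob is not the owner
        results["dac_nonowner_grant"] = True
    except PermissionError:
        results["dac_nonowner_grant"] = False

    # MAC: clearance must dominate the label; the owner has no say.
    results["mac_secret_reads_confidential"] = mac_allows_read("secret", "confidential")
    results["mac_confidential_reads_secret"] = mac_allows_read("confidential", "secret")

    # RBAC: an endpoint admin gets endpoint rights and nothing else.
    results["rbac_endpoint_admin_patches"] = rbac_allows({"endpoint-admin"}, "endpoint:patch")
    results["rbac_endpoint_admin_db_backup"] = rbac_allows({"endpoint-admin"}, "db:backup")

    # Rule-based: business-hours window applied to everyone.
    results["rule_9am"] = rule_allows(9)
    results["rule_11pm"] = rule_allows(23)

    # ABAC: same request, different environment attribute.
    subject = {"department": "finance", "clearance": "confidential"}
    obj = {"department": "finance", "label": "confidential"}
    results["abac_managed_device"] = abac_allows(subject, obj, {"device_managed": True})
    results["abac_unmanaged_device"] = abac_allows(subject, obj, {"device_managed": False})
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ABAC function reuses the MAC comparison as one of its attribute checks, which is the usual way these models coexist in practice: a mandatory label check, a role or ownership check, and an environmental rule are evaluated together rather than one model replacing the others.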
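Objective 4 closes with centralized account policy enforcement: password length and complexity rules, expiration, and user lockout. The following added example, not code from the article or from CompTIA, implements those checks for one account and walks through a sequence of failed logins to show the lockout engaging and releasing. The policy thresholds, username and timestamps are constructed sample values.

```python
import re
from datetime import datetime, timedelta

# Constructed policy values; an organisation would set these centrally.
POLICY = {
    "min_length": 12,
    "char_classes_required": 3,     # out of: lower, upper, digit, symbol
    "max_age_days": 90,
    "lockout_threshold": 5,
    "lockout_minutes": 30,
}

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_policy_violations(password):
    """Return the list of policy rules a candidate password breaks (empty = ok)."""
    violations = []
    if len(password) < POLICY["min_length"]:
        violations.append("length")
    classes = sum(1 for pattern in CHAR_CLASSES if re.search(pattern, password))
    if classes < POLICY["char_classes_required"]:
        violations.append("complexity")
    return violations


class Account:
    """Tracks failed logins, lockout state and password age for one user."""

    def __init__(self, username, password_set_on):
        self.username = username
        self.password_set_on = password_set_on
        self.failed_attempts = 0
        self.locked_until = None

    def password_expired(self, now):
        return now - self.password_set_on > timedelta(days=POLICY["max_age_days"])

    def attempt_login(self, credential_valid, now):
        """Apply the lockout and expiration rules to one login attempt.
        Returns 'locked', 'failed', 'expired' or 'ok'."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if not credential_valid:
            self.failed_attempts += 1
            if self.failed_attempts >= POLICY["lockout_threshold"]:
                self.locked_until = now + timedelta(minutes=POLICY["lockout_minutes"])
                self.failed_attempts = 0
                return "locked"
            return "failed"
        self.failed_attempts = 0
        if self.password_expired(now):
            return "expired"   # credentials correct, but rotation is required first
        return "ok"


def demo():
    """Five wrong passwords, then a correct one during and after the lockout."""
    now = datetime(2018, 5, 31, 9, 0)   # constructed timestamp
    acct = Account("alice", password_set_on=now - timedelta(days=100))
    failed_sequence = [acct.attempt_login(False, now + timedelta(seconds=i)) for i in range(5)]
    during_lockout = acct.attempt_login(True, now + timedelta(minutes=5))
    after_lockout = acct.attempt_login(True, now + timedelta(minutes=31))
    return {
        "weak_password": password_policy_violations("password1"),
        "strong_password": password_policy_violations("Tr0ub4dor&3-horse"),
        "failed_sequence": failed_sequence,
        "valid_login_during_lockout": during_lockout,
        "valid_login_after_lockout": after_lockout,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting: the lockout is time-limited rather than permanent, so a burst of wrong guesses against a known username cannot keep a legitimate user out indefinitely, and a correct password on an expired account is reported as a distinct state so the login flow can force a change instead of silently granting access.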
Concluding thoughts

Making sure a user is identified, authenticated, receives only minimal access based on their tasks or functions, and is monitored throughout the account lifecycle (from onboarding to offboarding) is no easy task. But there is no way around it: in general terms, Identity and access management (IAM) practices are at the core of an effective information security strategy.

As the Security+ certification is designed to prepare candidates for real-world roles, including Junior IT Auditor/Penetration Tester, Systems Administrator, Network Administrator, and Security Administrator, it becomes clear why the exam places such emphasis on IAM: every good IT Security professional must have a clear understanding of how Identity and Access Management works and, at different levels, be able to implement the necessary controls.

That is why Security+ candidates should prepare accordingly. The Infosec Institute offers a 5-day Security+ Boot Camp, providing IT professionals with the most comprehensive accelerated learning experience.

Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.