Security+: Implementing Identity and Access Management (IAM) Controls
Identity and access management (IAM) is among the most essential information security controls. After all, making sure a user actually is who he/she claims to be before granting access based on the principle of least privilege is a sound way of ensuring data confidentiality, integrity, and even availability.
CompTIA’s Security+ dedicates an entire domain to IAM, representing 16% of the exam questions. Since most of the Security+ focuses on real-world situations, it stands to reason that, given a scenario, candidates must have the skills necessary to implement identity and access management controls.
Here is a list of IAM controls exam takers should be aware of:
- Access control models: In order to implement IAM, it is necessary to have a way of defining how a subject (i.e., a user or a process) can interact with securable objects. Access control models are responsible for just that: they create a paradigm that defines the relationships among permissions, operations, objects, and subjects. There are a few different models that Security+ candidates must understand:
- MAC: In the mandatory access control model, users have limited power (or even no power at all) for defining who can access their files. Access policies are enforced by the system administrator, for example, by creating clearance levels for users and classifying data (i.e., public, confidential, secret, or top secret). A user with the clearance level “secret” can access data classified within this category, but cannot grant access to another user, even when they are considered data-owners.
- DAC: Using the discretionary access control model, users can be defined as “data owners,” which means that they can determine who can access specific resources within their ownership. For example, a user can create a file and set it up in a way that other users, a group of users, or a process can read, change, or even delete it.
- ABAC: Attribute-based access control is a paradigm in which access rights are granted to users through the use of policies that combine attributes (i.e., user, resource, object, and environment attributes) together. ABAC supports Boolean logic, so it can create rules based on IF-THEN situations, taking into consideration who is making the request, the resource, and the action. For example, if the requestor is an admin, allow him to change (action) a user password (object).
- Role-based access control: As you may have already gathered from this method’s name, access is granted based on the role of the subject. This can be considered a middle ground between MAC and DAC. For example, the role can be a group, a job position, or a security clearance level; users that are members of a specific role are granted access based on that.
- Rule-based access control: In this paradigm, access control is based on rules that either allow or deny access to resources. One of the simplest examples of this method is the access control list (ACL) commonly used by routers. Rules can be used to determine what IPs (sources or destinations) and/or ports are allowed through the router.
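The models above all reduce to the same question: given a subject, an action, an object and the surrounding environment, is the request allowed? The following is an added example (not code from the article) of a small default-deny policy evaluator in which an ABAC policy, an RBAC role check, a MAC-style clearance comparison and a router-style ACL rule are all expressed as predicates over attributes. The policy names, attribute keys, clearance levels and IP ranges are constructed for illustration.

```python
"""Attribute-driven policy evaluator (added example, not part of the original article).

Subjects, objects and the environment are plain dictionaries of attributes.
Each policy is a predicate over (subject, action, obj, env); the first matching
policy decides, and anything unmatched is denied (default deny). The RBAC,
MAC and rule-based models fall out as special cases: an RBAC policy only
inspects the subject's "roles" attribute, a MAC policy only compares labels,
and a router-style rule only inspects source address and port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str  # "allow" or "deny"
    condition: Callable[[Attrs, str, Attrs, Attrs], bool]


def evaluate(policies: List[Policy], subject: Attrs, action: str, obj: Attrs, env: Attrs) -> str:
    """Return "allow" or "deny". The first policy whose condition holds wins; default deny."""
    for p in policies:
        if p.condition(subject, action, obj, env):
            return p.effect
    return "deny"


# Constructed clearance ordering for the MAC-style rule (higher dominates lower).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Constructed sample policies. Deny rules are listed first so they win.
POLICIES = [
    # Environment attribute: nothing is allowed outside 08:00-18:00, whoever asks.
    Policy("after-hours-lockout", "deny",
           lambda s, a, o, e: not (8 <= e.get("hour", 0) < 18)),
    # ABAC, as in the text: if the requestor is an admin, allow changing a user password.
    Policy("admin-resets-password", "allow",
           lambda s, a, o, e: "admin" in s.get("roles", ())
           and a == "change_password" and o.get("type") == "user"),
    # RBAC: membership in the "auditor" role grants read access to audit logs.
    Policy("auditor-reads-logs", "allow",
           lambda s, a, o, e: "auditor" in s.get("roles", ())
           and a == "read" and o.get("type") == "audit_log"),
    # MAC-style: a document may be read only if the subject's clearance dominates its label.
    Policy("clearance-read", "allow",
           lambda s, a, o, e: a == "read" and o.get("type") == "document"
           and LEVELS.get(s.get("clearance", "public"), 0)
           >= LEVELS.get(o.get("label", "top_secret"), 3)),
    # Rule-based (router ACL style): permit connections from 10.0.0.0/8 to port 443 only.
    Policy("acl-permit-https", "allow",
           lambda s, a, o, e: a == "connect" and o.get("port") == 443
           and ip_address(s.get("src_ip", "0.0.0.0")) in ip_network("10.0.0.0/8")),
]


def decide(subject: Attrs, action: str, obj: Attrs, env: Attrs = None) -> str:
    """Evaluate a request against POLICIES; the environment defaults to business hours."""
    return evaluate(POLICIES, subject, action, obj, env or {"hour": 10})


if __name__ == "__main__":
    print(decide({"roles": ["admin"]}, "change_password", {"type": "user"}))      # allow
    print(decide({"roles": ["helpdesk"]}, "change_password", {"type": "user"}))   # deny
    print(decide({"clearance": "secret"}, "read", {"type": "document", "label": "confidential"}))  # allow
    print(decide({"src_ip": "192.168.1.1"}, "connect", {"port": 443}))           # deny
```

Note that ordering matters: because the evaluator stops at the first match, the environment-based deny is placed before every allow, which is the same reasoning applied when ordering entries in a router ACL.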
- Physical access control: As a principle, applying security controls to the physical environment is not all that different from protecting pure data. Controls should be enforced to make sure identity is confirmed before granting access and, once access is actually granted, it is limited and monitored.
- Proximity cards: it is quite common to use proximity cards to grant access to doors or door locks. The user simply moves the card close to the reader and presto! The door unlocks. In truth, the proximity card is a passive device, powered inductively by the reader, that stores a small amount of information, usually a single identifier. Once read, this identifier is validated and access is either granted or denied.
- Smart cards: While similar in format to proximity cards, smart cards are embedded with integrated circuit chips that can store a little more data, such as a cryptographic key used for authenticating with the reader. Smart cards may also contain useful data for other forms of authentication, such as biometric measures that are too large for high-volume remote authentication.
An important point to remember regarding authentication is that both proximity and smart cards fall into the “something you own” category. Because losing such a card is somewhat common, relying solely on it for physical access can create a huge security gap. The best approach is combining multiple factors such as “something you know” (e.g., a password) or “something you are” (e.g., a biometric read).
- Biometric factors: Many physical attributes of the human body can be used for identification/authentication purposes, including reads from fingerprints, retina, iris, voice/facial recognition, and even ear shape.
Since this falls under the “something you are” category, it usually helps prevent problems such as a user forgetting a password or losing a card. Depending on the physical attribute being used, biometrics can provide a high level of accuracy, reducing the false acceptance rate (FAR), the cases where the biometric security system incorrectly accepts an access attempt by an unauthorized user. It is also important to keep a close eye on the false rejection rate (FRR), the cases where an authorized user is incorrectly denied access. The crossover error rate (CER) is the rate at which FRR and FAR are equal. In terms of protection, the lower the CER, the better (and more secure) the biometric system is.
- Tokens: One of the best “something you have” authentication methods is using a token. This can be either a physical device, usually small and quite similar to a USB stick, or a software-based solution, such as an app installed on a mobile device. Physical tokens can either be used to store encrypted authentication information (i.e., a certificate), making it necessary to physically connect the device, usually at a USB port, for authentication, or have a mechanism such as a button that, once pressed, makes the device display the password.
Tokens can generate passwords by using either a time-based one-time password (TOTP) algorithm, generating new passwords at fixed intervals (e.g., a new pass every 60 seconds), or an HMAC-based one-time password (HOTP) algorithm, in which new passwords are created not at fixed intervals but on each use, by applying a one-way function (a hash message authentication code, HMAC, keyed with the token's secret) to a counter that never repeats.
- Certificate-based authentication: Certificates (or digital certificates) are a form of trust-based, third-party authentication technology that uses asymmetric public key cryptography. Certificates can be used to verify the identity of devices, applications, systems, networks, and even organizations.
In essence, certificates are simply digital files that can be stored (securely or not) on a system folder or on devices such as smart cards and tokens. These files can be lost or, even worse, stolen and used as a basis for an impersonation attack, so they should be handled with care. A safer solution for storing certificates is using a hardware security module (HSM), a physical device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.
Good examples of certificate-based authentication using smart cards are the PIV (personal identity verification) card, which is mandatory for all U.S. government employees and contractors, and the common access card (CAC), a similar solution used to identify Department of Defense (DoD) military personnel and DoD civilian government employees. These cards are used not only for identifying the person and authenticating to buildings and systems, but can also be employed to encrypt and digitally sign e-mails.
As mentioned before, implementing identity and access management controls is a key task any good information security professional should be familiar with. For instance, when designing a new system, IAM is a major consideration for a security architect. On the other hand, a pentester must understand how authentication works if he/she is supposed to exploit it. The same analogy goes for physical protection, as information security experts should be able to both design and test identification/authentication controls for critical areas such as a datacenter.
In the end, the implementation of IAM controls is a rather important subject in the Security+ exam, so candidates should prepare accordingly. The InfoSec Institute offers a five-day Security+ Course Overview, providing IT professionals with the most comprehensive accelerated learning experience.