Cybersecurity Architecture: Who Are You? Identity and Access Management
Welcome back to the Cybersecurity Architecture Series.
In this section, the speaker introduces the topic of cybersecurity architecture and mentions that they will be discussing the seven domains of cybersecurity architecture.
Identity and Access Management (IAM)
- The speaker emphasizes the importance of identity in cybersecurity and introduces identity and access management (IAM).
- IAM is described as a way to determine who the user is as early as possible.
- IAM consists of four components: Administration, Authentication, Authorization, and Audit.
- The speaker mentions a high-level conceptual architecture for IAM.
User Groups
- When designing an IAM architecture, it is important to consider different user groups.
- Examples of user groups mentioned are employees, suppliers, and customers.
- The employee group can be further divided into administrative staff, manufacturing, and sales.
- Suppliers form a single group, while customers are divided into commercial and retail.
User Capabilities
- Users have specific capabilities or access rights within different systems.
- Examples of access rights mentioned include HR system access, email access, CRM system access, and finance system access.
Directory
- Identity information is stored in a directory.
- A directory stores user information such as names, accounts, departments.
- Each system requires its information to be stored in a directory for authentication and authorization purposes.
Database and Schema
- A database is typically used to store accounts in a directory.
- A schema organizes information about a particular user in the directory.
Conclusion
The speaker concludes the discussion on IAM and highlights the importance of understanding user groups, capabilities, and directories in designing an effective cybersecurity architecture.
Please note that this is a summary of the transcript provided.
Understanding Directories and Protocols
In this section, the speaker discusses the concept of directories and protocols used to communicate with them.
Introduction to Directories and LDAP Protocol
- A directory is a data store that allows storing and retrieving information.
- The most common protocol used to communicate with directories is LDAP (Lightweight Directory Access Protocol).
- LDAP is an industry-standard protocol for interacting with directories.
- Active Directory is Microsoft's version of a directory, which also uses the LDAP protocol.
Challenges in Managing Multiple Directories
- Ideally, all user accounts and information should be stored in a single enterprise directory.
- However, in reality, different systems may require specific directories for storing information.
- Organizations often have multiple directories in their environment.
- Synchronization between directories becomes crucial when it's not possible to consolidate everything into one directory.
Approaches for Directory Synchronization
- Virtual Directory:
  - Acts as an index that points to the actual location of information in different directories.
  - Retrieves requested information from the appropriate directory when needed.
- Meta Directory:
  - Copies relevant pieces of information from lower-level directories into an enterprise directory.
  - Ensures that required data is readily available for lookup without accessing multiple directories.
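The two synchronization approaches above, modelled in code as an added illustration (this is not code from the video or from any product it mentions). The two source directories, the attribute names and the user record are constructed sample data; the point shown is the trade-off the speaker describes: the virtual directory always returns the live value at the cost of a call to the source, while the meta directory answers from its own copy and is stale until the next sync.

```python
"""Virtual directory vs. meta directory, modelled over two in-memory source directories."""
import copy

# Constructed sample: an HR directory and an e-mail directory holding different attributes.
HR_DIRECTORY = {"alice": {"name": "Alice Ng", "department": "Sales"}}
EMAIL_DIRECTORY = {"alice": {"mail": "alice@example.com"}}

class VirtualDirectory:
    """Index only: records which source holds each attribute and fetches it on demand."""

    def __init__(self, sources, index):
        self.sources = sources  # source name -> directory
        self.index = index      # attribute -> source name

    def lookup(self, uid, attribute):
        source = self.sources[self.index[attribute]]
        return source[uid][attribute]  # always the live value, at the cost of a remote call

class MetaDirectory:
    """Copies selected attributes into one enterprise directory; needs periodic sync."""

    def __init__(self, sources, attributes):
        self.sources = sources        # source name -> directory
        self.attributes = attributes  # source name -> attributes to copy
        self.enterprise = {}
        self.sync()

    def sync(self):
        for src_name, attrs in self.attributes.items():
            for uid, record in self.sources[src_name].items():
                entry = self.enterprise.setdefault(uid, {})
                entry.update({a: record[a] for a in attrs if a in record})

    def lookup(self, uid, attribute):
        return self.enterprise[uid][attribute]  # local copy, no call to the source

def demo_staleness():
    """A department change in HR is visible at once through the virtual directory,
    but through the meta directory only after the next sync."""
    sources = {"hr": copy.deepcopy(HR_DIRECTORY), "email": copy.deepcopy(EMAIL_DIRECTORY)}
    virtual = VirtualDirectory(sources, {"department": "hr", "mail": "email"})
    meta = MetaDirectory(sources, {"hr": ["name", "department"], "email": ["mail"]})
    sources["hr"]["alice"]["department"] = "Marketing"  # transfer recorded in HR only
    before = (virtual.lookup("alice", "department"), meta.lookup("alice", "department"))
    meta.sync()
    return before, meta.lookup("alice", "department")
```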
Importance of IAM Architecture
- IAM architecture should include a place to store users' information and mechanisms for synchronizing it across integrated directories.
- This forms the foundation for identity and access management systems.
Administration and Identity Management
This section focuses on administrative tasks related to identity management or identity governance within an IAM architecture.
Introduction to Administration Tasks
- Administration involves creating, deleting, updating accounts, changing privilege levels, etc.
- Identity management or identity governance are commonly used terms for administration tasks.
Role Management in IAM Architecture
- User groups can be mapped into roles within a good IAM implementation.
- IT roles are aligned with business roles and help determine the necessary access privileges for individuals.
Integration of Administrative Application
- An administrative application, such as identity management or identity governance, is added to the IAM architecture.
- Role management capabilities are included in this application.
Mapping Users to Roles
- Users are mapped to roles based on their business responsibilities and IT requirements.
- This mapping helps determine the appropriate access rights for individuals.
Conclusion
The transcript provides an overview of directories, protocols, directory synchronization approaches, administration tasks, and role management within an IAM architecture. It emphasizes the importance of having a centralized place to store user information and mechanisms for synchronizing it across multiple directories. The inclusion of an administrative application and role management capabilities enhances the overall identity management process.
Role-Based Access Provisioning
In this section, the speaker discusses the process of determining access rights based on job roles and handling one-off requests.
Determining Access Rights
- The speaker suggests that 80% of access rights can be determined from the role an individual performs.
- The remaining 20% can be handled as one-off requests.
Process Overview
- A user is added to the HR database upon hiring, which includes information about their job role.
- This information is used to generate a request in the identity management/identity governance system.
- The request goes into a role management system, which converts HR-provided information into IT roles.
- Role definitions specify the access rights required for different job roles (e.g., teller, branch manager).
- Role mappings are pre-determined based on job roles, eliminating the need for individual determination.
- Each account associated with a role goes through an approval process to ensure appropriate access rights.
- Once approved, a connector from the identity management system provisions the account in the directory.
- The connector writes the account information into a directory or, for some systems, makes API calls.
Requesting Additional Access
In this section, another use case is discussed where an existing employee requests additional access rights.
Requesting Additional Access Rights
- An existing employee who needs access to another system can make a request through a web interface.
- The request follows a similar process as before but may not involve mapping to specific roles.
- The requested account still needs to go through the regular approval process before granting access rights.
Use Case 2: Employee Leaves Organization
This section discusses the need for an efficient de-provisioning process when an employee leaves the organization.
De-Provisioning Process
- When an employee leaves the organization, a system is needed to efficiently remove their access rights to prevent security exposure.
- The HR system indicates that the person is no longer employed, triggering a request in the identity governance system.
- The identity governance system knows all of the accounts associated with the user and can remove their access rights.
- Having this infrastructure in place allows for efficient de-provisioning without needing to audit each individual system for access rights.
Use Case 3: Importance of Provisioning and De-Provisioning
This section highlights three different use cases where provisioning and de-provisioning play a crucial role in security.
Use Cases for Provisioning and De-Provisioning
- Provisioning efficiently creates access rights for employees, while de-provisioning removes those access rights.
- Use case 1: Onboarding new employees
  - Provisioning ensures new employees have the necessary access rights from day one.
  - It streamlines the process by creating accounts in various systems simultaneously.
- Use case 2: Transferring employees within the organization
  - Provisioning allows for seamless transfer of access rights when employees change roles or departments.
  - It eliminates manual account creation and ensures proper permissions are granted.
- Use case 3: Employee leaving the organization
  - De-provisioning becomes crucial when an employee departs from the organization.
  - Efficient removal of access rights minimizes security risks.
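The HR-driven flow described in the provisioning, one-off request, and de-provisioning passages above, as an added example (not code from the video or any identity governance product). The role definitions for teller and branch manager, the target systems and the approver callback are constructed assumptions; each connector is a dict standing in for the directory write or API call a real connector would make.

```python
"""HR-driven provisioning and de-provisioning through an identity governance layer."""

# Constructed role definitions: business role -> IT entitlements as (system, access) pairs.
ROLE_DEFINITIONS = {
    "teller": {("email", "mailbox"), ("core_banking", "teller")},
    "branch_manager": {("email", "mailbox"), ("core_banking", "teller"),
                       ("core_banking", "approve_txn"), ("finance", "read")},
}

class IdentityGovernance:
    """Identity governance core: approval, connectors, and an audit record of every decision."""

    def __init__(self, systems, approver):
        # One "connector" per target system: here a dict uid -> set of access rights
        # standing in for the directory write or API call the real connector would make.
        self.connectors = {s: {} for s in systems}
        self.approver = approver  # callable(uid, system, access) -> bool
        self.audit = []           # (event, uid, system, access)

    def _request(self, uid, entitlements):
        """Every requested entitlement passes approval before a connector provisions it."""
        for system, access in sorted(entitlements):
            approved = self.approver(uid, system, access)
            if approved:
                self.connectors[system].setdefault(uid, set()).add(access)
            self.audit.append(("grant" if approved else "denied", uid, system, access))

    def joiner(self, uid, hr_role):
        self._request(uid, ROLE_DEFINITIONS[hr_role])  # HR hire: the role covers the ~80% case

    def one_off(self, uid, system, access):
        self._request(uid, {(system, access)})  # request outside any role: the ~20% case

    def mover(self, uid, new_hr_role):
        """Transfer: remove the old role's access, then provision the new role's."""
        self.leaver(uid)
        self.joiner(uid, new_hr_role)

    def leaver(self, uid):
        """HR leave event: governance knows every account, so one event removes them all."""
        for system, accounts in self.connectors.items():
            if accounts.pop(uid, None) is not None:
                self.audit.append(("revoke", uid, system, "*"))

    def entitlements(self, uid):
        """What the user currently holds, system by system (the view an auditor wants)."""
        return {s: set(a[uid]) for s, a in self.connectors.items() if uid in a}
```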
Authentication Methods
This section explains different authentication methods used to verify a user's identity.
Authentication Methods
- Authentication answers the question "Who are you?" and verifies a user's identity.
- Traditional methods include:
  - Something you know (e.g., password or PIN)
  - Something you have (e.g., mobile phone)
  - Something you are (e.g., biometrics like facial recognition or fingerprint scan)
- Multi-factor authentication combines multiple factors for enhanced security.
- The best authentication systems utilize a combination of these factors.
Multi-Factor Authentication
This section discusses the concept of multi-factor authentication for enhanced security.
Multi-Factor Authentication
- Multi-factor authentication uses multiple factors to verify a user's identity.
- Example: Using something the user has (e.g., mobile phone) and something they are (e.g., biometrics).
- It provides an extra layer of security by requiring more than one form of verification.
Passwordless Authentication and Single Sign-On
In this section, the speaker discusses the concept of passwordless authentication and the benefits of single sign-on.
Passwordless Authentication
- The use of physical devices for authentication adds an extra layer of security.
- Physical characteristics, such as face prints, can be used to unlock devices.
- Two-factor authentication involves using something you have (physical device) and something you are (biometric data).
- Passwords are not required in passwordless authentication.
- The trend is moving towards passwordless authentication to eliminate the risk associated with passwords.
Single Sign-On
- Single sign-on allows users to log into multiple systems with a single set of credentials.
- Without it, users typically have a different set of credentials for each system they need to access.
- With single sign-on, users only need to remember one password or use multifactor authentication.
- Single sign-on improves user experience by reducing the number of passwords they need to remember.
- Multifactor authentication enhances security even in a single sign-on system.
Risk-Based Authorization
- Risk-based authorization considers various factors before granting access.
- Location and request type are examples of factors considered in risk-based authorization.
- Certain transactions may be restricted based on the location of the user.
- Risk-based authorization allows for more nuanced access control.
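An added example of the risk-based authorization decision described above (not code from the video). The scoring weights, the set of high-risk transaction types and the trusted locations are constructed assumptions; what it shows is that location and request type together drive a three-way outcome: allow, require step-up verification, or refuse the transaction.

```python
"""Risk-based authorization: combine request type and location into an access decision."""

# Constructed policy inputs (assumptions for the example).
HIGH_RISK_ACTIONS = {"wire_transfer", "change_payee"}
TRUSTED_COUNTRIES = {"US", "CA"}

def risk_score(request):
    """Additive score: sensitive action, untrusted country, travel, and missing MFA each add risk."""
    score = 0
    if request["action"] in HIGH_RISK_ACTIONS:
        score += 2
    if request["country"] not in TRUSTED_COUNTRIES:
        score += 2
    if request["country"] != request["home_country"]:
        score += 1
    if not request["mfa_done"]:
        score += 1
    return score

def authorize(request):
    """Low risk -> allow; moderate risk -> demand step-up MFA;
    high risk on a sensitive transaction -> deny (the 'restricted by location' case)."""
    score = risk_score(request)
    if score >= 4 and request["action"] in HIGH_RISK_ACTIONS:
        return "deny"
    if score >= 2:
        return "step_up_mfa"
    return "allow"
```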
Conclusion
Passwordless authentication and single sign-on offer improved security and user experience. Risk-based authorization adds an extra layer of protection by considering various factors before granting access.
Access Management and Privileged Access
In this section, the speaker discusses access management and privileged access management, highlighting the risks associated with privileged users and the need for additional verification.
Access Management
- Access management involves determining what actions a user is allowed to perform.
- Authorization algorithms are used to determine if a user is allowed to perform certain actions.
- Privileged access management (PAM) refers to managing highly privileged users who have root-level access or administrative privileges.
- These privileged users have significant control over systems and data.
- Trust is placed in these users, but additional verification is necessary to ensure they are performing their duties appropriately.
Challenges with Privileged Users
- In many organizations, sensitive accounts like those of privileged users often have shared passwords or weak security practices.
- This poses risks as it becomes difficult to track actions performed by individual users.
- When a privileged user leaves an organization, changing all the shared passwords and retraining new staff becomes cumbersome.
- Best practice suggests implementing a PAM system that requires privileged users to log in through the PAM system rather than directly into systems.
- A PAM system can enforce multifactor authentication and unique passwords for each user, enhancing security.
Implementing a PAM System
- With a PAM system, privileged users log in through the PAM system instead of directly accessing systems.
- Each user has their own unique password for the PAM system, ensuring accountability and reducing reliance on shared passwords.
- The PAM system manages access to different systems using separate passwords for each one.
PAM Check-Out and Check-In
This section discusses the process of logging in and accessing a system, as well as the role of the PAM system in changing passwords and controlling access.
Logging In and Accessing the System
- Users are given credentials by the PAM system to log into the target system.
- The password handed out for the login may be managed by special software.
- After completing their tasks, users check the account back in to indicate they are done.
- The PAM system then changes the password, so the checked-out value no longer grants access.
Authorization and Password Management
- Once logged out, users can only regain access by going through the authorization process again.
- Because the password changes with every use or checkout, each account has a succession of passwords rather than one fixed value.
- This makes it possible to tell who had access at any given time and provides an audit trail.
- Session recording capabilities can be added to monitor user activity on the system.
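The check-out / check-in cycle described above, as an added example (not code from the video or from any PAM product). The account identifiers, the MFA callback and the integer timestamps are constructed assumptions; the example shows the three properties the speaker lists: one named individual per checkout, a password rotation at check-in that invalidates what was handed out, and an audit record that answers who held the account at a given time.

```python
"""Privileged-account check-out / check-in with per-use password rotation and an audit trail."""
import secrets

class PamVault:
    def __init__(self, accounts, mfa_verified):
        # accounts: iterable of (system, privileged account); mfa_verified: callable(user) -> bool.
        self.passwords = {a: secrets.token_urlsafe(24) for a in accounts}  # initial random values
        self.holder = {}   # account -> user who currently has it checked out
        self.audit = []    # [account, user, checkout_time, checkin_time or None]
        self.mfa_verified = mfa_verified

    def checkout(self, user, account, now):
        """Release the current password to one named user, after MFA, if nobody else holds it."""
        if not self.mfa_verified(user):
            raise PermissionError("multifactor authentication required")
        if account in self.holder:
            raise RuntimeError(f"{account} is checked out by {self.holder[account]}")
        self.holder[account] = user
        self.audit.append([account, user, now, None])
        return self.passwords[account]

    def checkin(self, user, account, now):
        """Rotate the password so the value the user saw no longer works; close the audit entry."""
        if self.holder.get(account) != user:
            raise RuntimeError("caller is not the current holder")
        old = self.passwords[account]
        self.passwords[account] = secrets.token_urlsafe(24)
        del self.holder[account]
        for entry in reversed(self.audit):
            if entry[0] == account and entry[3] is None:
                entry[3] = now
                break
        return self.passwords[account] != old

    def who_had(self, account, at):
        """Audit question: which individual held this shared privileged account at time `at`?"""
        for acc, user, start, end in self.audit:
            if acc == account and start <= at and (end is None or at < end):
                return user
        return None
```

Session recording, the last item above, would hang off `checkout` and `checkin` in a real deployment; it is left out here to keep the example to the password lifecycle.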
Audit
This section introduces the concept of audit in enterprise identity and access management (IAM), highlighting its importance in ensuring correct implementation of administration, authentication, and authorization processes.
Audit in IAM
- Audit is the fourth component of IAM, focusing on reviewing previous actions for accuracy.
- It involves verifying that administration, authentication, and authorization were performed correctly.
- An example is presented where user activities are logged to enable retrospective analysis.
- Unusual patterns or rapid succession of certain actions can indicate potential security issues.
- User behavior analytics (UBA) tools use log records and machine learning to identify anomalies.
Detecting Anomalies with UBA
This section explains the concept of user behavior analytics (UBA) in enterprise IAM, highlighting its role in detecting abnormal patterns and potential security threats.
User Behavior Analytics
- UBA, or user and entity behavior analytics (UEBA), helps identify anomalous activities in system logs.
- It analyzes log records and applies policies and machine learning to detect suspicious patterns.
- UBA tools assist in spotting unusual behaviors that may indicate malicious intent.
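An added illustration of the "rapid succession of certain actions" signal mentioned in the audit and UBA passages above (not code from the video or any UBA product): a single burst rule of the kind such tools apply before any machine learning, run over constructed log lines. Alice's spaced-out customer lookups are normal; Bob's seven lookups in one minute trip the rule.

```python
"""UBA-style rule: flag a user whose rate of a sensitive action jumps to a rapid succession."""
from collections import defaultdict

# Constructed sample log lines (not from the video): "<epoch-seconds> <user> <action> <target>".
SAMPLE_LOG = """\
1700000000 alice read customer/1001
1700000600 alice read customer/1002
1700003000 alice read customer/1003
1700006000 alice read customer/1004
1700009000 bob read customer/2001
1700009010 bob read customer/2002
1700009020 bob read customer/2003
1700009030 bob read customer/2004
1700009040 bob read customer/2005
1700009050 bob read customer/2006
1700009060 bob read customer/2007
"""

def parse(lines):
    """Turn raw log text into (timestamp, user, action, target) tuples."""
    events = []
    for line in lines.splitlines():
        ts, user, action, target = line.split()
        events.append((int(ts), user, action, target))
    return events

def burst_detector(events, window_s, max_events):
    """Policy: more than max_events of one action by one user inside any window_s-second span.
    Sliding window over each user's sorted timestamps; returns one alert per (user, action)."""
    by_key = defaultdict(list)
    for ts, user, action, _ in events:
        by_key[(user, action)].append(ts)
    alerts = []
    for (user, action), stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1
            if end - start + 1 > max_events:
                alerts.append((user, action, stamps[start], stamps[end]))
                break
    return alerts
```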
Putting the Components Together
This section emphasizes the importance of integrating all components discussed so far into a comprehensive enterprise identity and access management architecture.
Enterprise Identity and Access Management
- Enterprise IAM refers to the integration of administration, authentication, authorization, and audit processes.
- All these components work together to ensure secure access control within an organization.
- Federation capabilities allow for extending IAM beyond internal domains to external systems.
- Industry-standard protocols enable integration with other security domains and identity providers.
Extending IAM to the Workforce
This section introduces the concept of workforce identity management as an extension of enterprise IAM for managing employee identities across different systems.
Workforce Identity Management
- Workforce identity management focuses on managing employee identities within an organization.
- It involves extending IAM capabilities to include logging into cloud providers or business partner systems.
IAM Architecture and Use Cases
In this section, the speaker discusses the IAM architecture and its application in different use cases. The focus is on removing barriers to entry while preserving privacy and security.
IAM Architecture for Different Use Cases
- For less sensitive accounts, there is minimal proofing and approval processing to reduce barriers to entry.
- Privacy preservation is a key concern across all use cases.
- Despite different concerns in each use case, the underlying IAM architecture remains the same.
- A high-level reference architecture can be applied to all these cases.
Summary of Previous Videos
- The first three videos covered fundamental principles.
- This video focuses on identity and access management (IAM).
- The next video will cover endpoint security.
Conclusion
Thanks for watching! Don't forget to hit subscribe before you leave.