Identity and Access Management - CompTIA Security+ SY0-701 - 4.6
Understanding Identity and Access Management (IAM)
Overview of IAM
- The use of applications spans various systems and locations, including desktops, laptops, and mobile devices. Data can be stored locally, in data centers, or in the cloud.
- Different types of users (employees, vendors, contractors, customers) each need access tailored to their role. Managing which identities receive which permissions is crucial for security; this is known as Identity and Access Management (IAM).
IAM Process
- IAM covers the entire lifecycle of user access, from the initial access request to removal during offboarding. Access also changes at points in between, for example when a user's role within the organization changes.
- Users typically authenticate using a username and password or other factors. Monitoring access is essential for security compliance and best practices.
User Account Management
- The IAM process starts with creating a user account and ends with its deactivation. This includes onboarding/offboarding as well as adjustments for promotions or departmental transfers.
- Key information tracked in IAM includes usernames, user attributes, group permissions, and application access rights.
Provisioning and Deprovisioning
- Provisioning assigns the permissions a user needs for their job function while avoiding excessive access rights, for example by not granting administrator rights indiscriminately.
- Mandatory access control often associates users with groups that define their permissions; new hires are added to relevant groups based on their needs.
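As an added example (not from the Security+ notes or the course), the following Python models the provisioning and deprovisioning steps above with group-based permissions: an account is created with the groups its role needs, a promotion or transfer swaps groups rather than accumulating them, the admin group cannot be handed out during routine provisioning, and a deprovisioned account loses every permission. Group names, permission strings and usernames are constructed.

```python
"""Added example: group-based provisioning and deprovisioning.
Group names, permission strings and usernames are constructed for the demo."""
from dataclasses import dataclass, field

# Each group carries the permissions one job function needs (constructed).
GROUP_PERMISSIONS = {
    "staff": {"email:read", "email:send", "files:read"},
    "finance": {"ledger:read", "ledger:write"},
    "helpdesk": {"tickets:read", "tickets:write", "users:reset-password"},
    "domain-admins": {"*"},  # full rights: never part of routine provisioning
}


@dataclass
class Account:
    username: str
    groups: set = field(default_factory=set)
    active: bool = True


class Directory:
    def __init__(self):
        self.accounts = {}
        self.audit = []  # every lifecycle change is recorded for later review

    def provision(self, username, groups):
        """Onboarding: create the account and add it to the groups its role needs."""
        unknown = set(groups) - set(GROUP_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown groups: {sorted(unknown)}")
        if "domain-admins" in groups:
            # Admin rights are not granted indiscriminately; they need a separate,
            # approved exception outside the normal onboarding path.
            raise PermissionError("admin rights require a separate approved exception")
        self.accounts[username] = Account(username, set(groups))
        self.audit.append(("provision", username, sorted(groups)))

    def change_role(self, username, add=(), remove=()):
        """Promotion or transfer: swap groups so old rights do not accumulate."""
        acct = self._active(username)
        acct.groups |= set(add)
        acct.groups -= set(remove)
        self.audit.append(("change_role", username, sorted(acct.groups)))

    def deprovision(self, username):
        """Offboarding: disable the account and remove all group membership."""
        acct = self._active(username)
        acct.active = False
        acct.groups.clear()
        self.audit.append(("deprovision", username, []))

    def effective_permissions(self, username):
        """Union of the permissions of every group the account belongs to."""
        acct = self.accounts[username]
        if not acct.active:
            return set()
        perms = set()
        for group in acct.groups:
            perms |= GROUP_PERMISSIONS[group]
        return perms

    def is_allowed(self, username, permission):
        perms = self.effective_permissions(username)
        return "*" in perms or permission in perms

    def _active(self, username):
        acct = self.accounts[username]
        if not acct.active:
            raise ValueError(f"{username} has been deprovisioned")
        return acct


if __name__ == "__main__":
    d = Directory()
    d.provision("alice", ["staff", "finance"])
    d.change_role("alice", add=["helpdesk"], remove=["finance"])
    print(sorted(d.effective_permissions("alice")))
    d.deprovision("alice")
    print(d.audit)
```

The audit list is the part a reviewer cares about: it gives a record of who was granted what and when it was taken away, which is what access reviews and offboarding checks are built on.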
Security Measures in IAM
- User-created documents remain private by default unless shared explicitly. Limiting OS access prevents unauthorized changes by users or malware.
- Identity proofing verifies a user's identity during account creation through formal steps such as resolution, so that permissions are assigned to the right person.
Authentication Processes
- Users must provide authentication details such as passwords along with additional validation methods like security questions during login attempts.
- Verification may involve government-issued IDs or automated checks against credit reports to confirm identity before granting network resource access.
Centralized Authentication Systems
- Authentication begins when clients send credentials to a central server (e.g., VPN concentrator). Successful validation allows resource access.
- Single Sign-On (SSO) enables users to log in once for seamless access across multiple resources without repeated credential entry.
Authentication and Authorization Protocols
Overview of Single Sign-On (SSO) and Authentication
- With SSO, a single login typically grants access to resources for 24 hours before the user must re-authenticate. This requires a login method that supports SSO.
- LDAP (Lightweight Directory Access Protocol) is a common authentication protocol used for accessing large data directories on networks, based on the X.500 specification by ITU.
Understanding LDAP Structure
- LDAP was developed as an efficient alternative to the older Directory Access Protocol (DAP), allowing better compatibility with various operating systems.
- Distinguished names in LDAP follow a standard format: a sequence of attribute=value pairs, which places each entry at a specific position within the directory information tree.
Directory Information Tree
- The directory information tree organizes components such as countries, organizations, departments, and individual devices into a hierarchy; the individual entries at the ends of the branches are called leaf objects.
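To make the distinguished-name format and the tree concrete, here is an added Python example (not from the notes or the course) that parses a DN in its string form into attribute=value pairs, handles a comma escaped inside a value, and reorders the components from the root of the directory information tree down to the leaf object. The sample DNs are constructed.

```python
"""Added example: parse LDAP distinguished names and rebuild the tree path.
Sample DNs are constructed; the string form follows the usual attr=value,
comma-separated layout with backslash escaping inside values."""


def split_rdns(dn):
    """Split a DN string on unescaped commas.

    A value may contain a comma escaped as '\\,', e.g. 'CN=Smith\\, John',
    so a plain dn.split(',') would cut the value in half."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parse_dn(dn):
    """Return (attribute, value) pairs, most specific component first."""
    pairs = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dit_path(dn):
    """Order the components from the root (country) down to the leaf, the
    way the directory information tree is drawn."""
    return list(reversed(parse_dn(dn)))


def leaf(dn):
    """The leaf object is the first, most specific component of the DN."""
    return parse_dn(dn)[0]


DN_EXAMPLE = "CN=WIDGETWEB,OU=Marketing,O=Widget Corp,C=US"  # constructed
DN_ESCAPED = "CN=Smith\\, John,OU=Sales,O=Widget Corp,C=US"  # escaped comma in value

if __name__ == "__main__":
    for depth, (attr, value) in enumerate(dit_path(DN_EXAMPLE)):
        print("  " * depth + f"{attr}={value}")
```

Reading the output top to bottom gives the path C=US, then the organization, then the department, then the device entry at the leaf, which is exactly the hierarchy the notes describe.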
Introduction to SAML
- SAML (Security Assertion Markup Language) facilitates user authentication to third-party databases without maintaining separate user databases.
- A basic SAML process involves three devices: client device, resource server, and authorization server; it starts when the client requests access to a URL.
SAML Authentication Process
- If the user is not already logged in, the resource server sends an encrypted SAML request to the authorization server, which then prompts the user for credentials.
- Upon successful credential verification, the authorization server generates a SAML token that allows access to resources on the resource server.
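The three-party exchange described above, as an added Python simulation that is not part of the notes or the course: the client asks the resource server for a URL, the resource server (having no session) issues a signed SAML request, the authorization server checks the credentials and returns a signed token, and the resource server validates the token's signature, audience and expiry before serving the page. Real SAML carries XML with an XML signature; here HMAC-SHA256 over a JSON body stands in for that signature so the flow runs offline, and the 24-hour lifetime mirrors the SSO figure given earlier in the notes. Keys, usernames, passwords and URLs are constructed.

```python
"""Added example: a simulated SAML-style exchange between client, resource
server and authorization server. HMAC-SHA256 over a JSON body stands in for
the XML signature real SAML uses; keys, users and URLs are constructed."""
import hashlib
import hmac
import json
import time

TOKEN_LIFETIME = 24 * 3600  # seconds before the user must re-authenticate


def sign(key, payload):
    """Serialise the payload deterministically and attach an HMAC tag."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


def verify(key, message):
    """Check the tag before trusting anything inside the body."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["sig"]):
        raise ValueError("bad signature")
    return json.loads(message["body"])


class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.token = None  # filled in after the first successful login


class AuthorizationServer:
    """Holds the user database and issues SAML tokens."""

    def __init__(self, idp_key, sp_key, users):
        self.idp_key, self.sp_key, self.users = idp_key, sp_key, users

    def authenticate(self, saml_request, username, password):
        req = verify(self.sp_key, saml_request)  # request must come from a trusted resource server
        if self.users.get(username) != password:
            return None  # credentials rejected: no token is issued
        now = int(time.time())
        claims = {"subject": username, "audience": req["issuer"],
                  "issued_at": now, "expires_at": now + TOKEN_LIFETIME}
        return sign(self.idp_key, claims)


class ResourceServer:
    """Serves URLs; relies on the authorization server for authentication."""

    def __init__(self, name, sp_key, idp_key, auth_server):
        self.name, self.sp_key, self.idp_key = name, sp_key, idp_key
        self.auth_server = auth_server

    def access(self, client, url):
        if client.token is None:
            # Not logged in: send a signed SAML request (carried by the client)
            # to the authorization server, which asks the user for credentials.
            saml_request = sign(self.sp_key, {"issuer": self.name, "url": url})
            client.token = self.auth_server.authenticate(
                saml_request, client.username, client.password)
            if client.token is None:
                return 401, "credentials rejected by authorization server"
        try:
            claims = verify(self.idp_key, client.token)
        except ValueError:
            client.token = None
            return 401, "token signature invalid"
        if claims["audience"] != self.name:
            return 403, "token was issued for a different resource server"
        if claims["expires_at"] < time.time():
            client.token = None
            return 401, "token expired, re-authentication required"
        return 200, f"{url} served to {claims['subject']}"


if __name__ == "__main__":
    idp = AuthorizationServer(b"idp-secret", b"sp-secret", {"alice": "correct horse"})
    portal = ResourceServer("portal", b"sp-secret", b"idp-secret", idp)
    alice = Client("alice", "correct horse")
    print(portal.access(alice, "/reports"))   # first call triggers the login
    print(portal.access(alice, "/profile"))   # second call reuses the token
```

The audience check is the one most often forgotten when people write their own validation: a token that is genuinely signed by the authorization server is still not valid at a resource server it was not issued for.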
OAuth Framework for Modern Systems
- OAuth is an authorization framework designed for modern mobile systems that determines what resources users can access post-authentication.
- OAuth is often paired with OpenID so that authentication and authorization are handled together; OAuth was developed by major industry players for broad accessibility across devices.
Example of OAuth in Action
- An example includes using Zapier to access Google account resources where users authorize third-party applications through OAuth permissions.
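The Zapier-style scenario above, as an added Python example that is not from the notes, the course or any real provider's API: a third-party application asks for a set of scopes, the user approves some of them on a consent screen, the authorization server hands the application an opaque access token, and the resource server checks that token's scope on every API call and refuses it after revocation. The application never receives the user's password, which is the point of the framework. Scopes, operation names and the token store are constructed.

```python
"""Added example: OAuth-style scoped authorization. The third-party app plays
the role Zapier does in the notes; scopes, operations and the token store are
constructed and do not reflect any real provider's API."""
import secrets


class OAuthAuthorizationServer:
    """Issues opaque access tokens after the user consents on the consent screen."""

    def __init__(self):
        self.grants = {}  # opaque token -> {"user", "client", "scopes"}

    def authorize(self, user, client_id, requested_scopes, consented_scopes):
        # Only the scopes the user actually approved are granted; the app never
        # sees the user's password, only the resulting token.
        granted = set(requested_scopes) & set(consented_scopes)
        if not granted:
            return None  # user declined everything: no token
        token = secrets.token_urlsafe(32)
        self.grants[token] = {"user": user, "client": client_id, "scopes": granted}
        return token

    def introspect(self, token):
        """Look an opaque token up; None means unknown or already revoked."""
        return self.grants.get(token)

    def revoke(self, token):
        """User or provider withdraws the app's access; the token stops working at once."""
        self.grants.pop(token, None)


class ApiResourceServer:
    """Checks every API call's token against the scope that operation requires."""

    REQUIRED_SCOPE = {  # constructed operation -> scope mapping
        "mail.read": "mail.readonly",
        "mail.send": "mail.send",
        "drive.list": "drive.readonly",
    }

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def call(self, token, operation):
        grant = self.auth_server.introspect(token)
        if grant is None:
            return 401, "invalid or revoked token"
        needed = self.REQUIRED_SCOPE.get(operation)
        if needed is None:
            return 404, "unknown operation"
        if needed not in grant["scopes"]:
            return 403, f"insufficient scope: {needed} required"
        return 200, f"{operation} performed as {grant['user']} on behalf of {grant['client']}"


if __name__ == "__main__":
    provider = OAuthAuthorizationServer()
    api = ApiResourceServer(provider)
    # The app asks for read and send; the user approves read only.
    token = provider.authorize("alice", "automation-app",
                               ["mail.readonly", "mail.send"], ["mail.readonly"])
    print(api.call(token, "mail.read"))   # allowed
    print(api.call(token, "mail.send"))   # refused: scope not consented
    provider.revoke(token)
    print(api.call(token, "mail.read"))   # refused: token revoked
```

Keeping the grant record on the authorization server, rather than inside the token, is what makes revocation immediate: the resource server asks on every call, so withdrawing consent takes effect without waiting for a token to expire.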
Federation as an Alternative Login Method
- Federation enables network access without local authentication databases; users can log in using existing accounts from services like Twitter or Facebook instead of creating new ones.
Interoperability Considerations
VPN Concentrator and Authentication Options
Integration with LDAP Servers
- The VPN concentrator supports access to an LDAP server for authentication, making it compatible with existing company resources.
- If a company has an Active Directory server or another type of LDAP server, this setup is ideal for the VPN concentrator's requirements.
OAuth and API Authentication
- When installing new applications that use OAuth for authorization, authentication must be provided through an API (Application Programming Interface).
- The application passes its authentication information to OAuth through that API; this step is what allows OAuth to authorize the application properly.