An IAM Perspective
Next-generation identity management empowers employees with self-service identity management through a WAM (Web Access Management) portal, for example self-service password changes and self-service access to applications and services as needed or on a temporary basis.
The cyber security dimension is evolving to ensure that the right user has the right access (authentication) to the right data (authorization) at the right time (availability) for the right use (accountability). The username a user supplies is an identity; the password or token is the authentication verification. Authorization is based solely on policy.
To manage IoT device types (OS, MAC, vendor and posture), users' identities and application visibility, the most important step is to identify what entities exist within the cyber eco-system. Once an entity has been identified as a subject or an object, together with its identity and sensitivity, access controls can be created, postures deployed and corporate security policies applied.
Comprehensive policy management and proper posture control based on context and content are directly proportional to the subject category and object sensitivity label; further policies define the level of access to services, applications and rights.
For instance, from a security encapsulation perspective, while data is in flight TLS provides confidentiality and integrity, which prevents eavesdropping; a digital certificate provides integrity and authentication, which prevents forged assertions; and hashing alone provides integrity but not authentication.
From an identity auditing and provisioning process perspective, reviews of logs, audit trails and permissions granted, whether manually or automatically, are all accountable activities.
Identity-based Access Control and Posture Assessment
Cisco ISE is a great solution for differentiated NAC (Network Access Control) based on the following:
- Endpoint identity (authentication) enforcement, for instance AD user and computer account credentials
- Computer system health status (posture) assessment and remediation, for instance based on posture assessment results
- Deployment of access policy for trusted secure zones and the level of access between subject and object
Intrusion detection systems identify users (AD-based or role-based) or devices based on OS, vendor type, MAC, RFID or unknown variables. Visibility of what is on the network allows proper posture assessment and security policy development.
Posture policies, such as OS level, hotfixes/service packs, anti-virus/anti-malware signature level and application installation/running status, are designed based on posture assessment, security compliance, standards, frameworks, law and regulation.
Anything that does not comply with the posture policies requires remediation, such as containment of a virus/malware by updating signatures, patch management solutions for the OS, Flash and BIOS, and customised text and/or URLs that redirect the user or service for further assistance or dial-home service help.
The goal of TrustSec technology is to adopt software-defined (role-based) segmentation to identify types of traffic and define zones (VLAN-based segmentation) within communication networks (data centre, corporate office, branches, cloud or the internet). For instance, a tag (security group tag, or SGT) is assigned to IoT device or user traffic at ingress, and the access policy is then enforced based on that tag.
If a risk is identified on a device, user or application originating from a specific segment, it is removed automatically and instantly assigned to a quarantine group for investigation.
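Putting the posture checks and TrustSec tag-based enforcement described above together, as an added example that is not Cisco's code or part of the original article: an endpoint that fails posture, has an unknown role or is flagged as a risk receives the quarantine tag at ingress, and the (source SGT, destination SGT) matrix decides each flow, denying anything not explicitly permitted. The policy values, tag names and hotfix id are constructed placeholders.

```python
from dataclasses import dataclass, field
# Constructed posture policy (minimum acceptable values); these are placeholders, not real ISE settings.
POSTURE_POLICY = {
    "min_os_build": 19045,                    # hypothetical minimum OS build number
    "required_hotfixes": {"KB-PLACEHOLDER"},  # hypothetical required hotfix id
    "min_av_signature": 20240101,             # hypothetical AV signature date stamp
    "required_running": {"edr_agent"},        # agents that must be running
}
QUARANTINE = "Quarantine"
# Role-based SGT assignment at ingress (constructed tag names).
ROLE_TO_SGT = {"employee": "Employees", "contractor": "Contractors", "camera": "IoT_Cameras"}
# Access control matrix: (source SGT, destination SGT) -> action; any pair not listed is denied.
SGT_MATRIX = {
    ("Employees", "Corp_Apps"): "permit",
    ("IoT_Cameras", "NVR"): "permit",
    ("Quarantine", "Remediation"): "permit",  # quarantined hosts may reach the remediation portal only
}

@dataclass
class Endpoint:
    name: str
    role: str
    os_build: int
    hotfixes: set = field(default_factory=set)
    av_signature: int = 0
    running: set = field(default_factory=set)
    risk_flagged: bool = False  # set when a risk is identified after admission

def assess_posture(ep):
    """Return the remediation steps an endpoint needs; an empty list means compliant."""
    issues = []
    if ep.os_build < POSTURE_POLICY["min_os_build"]:
        issues.append("patch_os")
    if not POSTURE_POLICY["required_hotfixes"] <= ep.hotfixes:
        issues.append("install_hotfixes")
    if ep.av_signature < POSTURE_POLICY["min_av_signature"]:
        issues.append("update_av_signature")
    if not POSTURE_POLICY["required_running"] <= ep.running:
        issues.append("start_required_agents")
    return issues

def assign_sgt(ep):
    """Tag at ingress: unknown role, failed posture or a flagged risk all land in quarantine."""
    if ep.risk_flagged or ep.role not in ROLE_TO_SGT or assess_posture(ep):
        return QUARANTINE
    return ROLE_TO_SGT[ep.role]

def enforce(ep, dst_sgt):
    """Enforce the matrix on the endpoint's current tag; default deny for unlisted pairs."""
    return SGT_MATRIX.get((assign_sgt(ep), dst_sgt), "deny")
```

Contractors are a known role but have no matrix row, so their flows to Corp_Apps are denied by default rather than by an explicit rule.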
What is Identity Access Management?
Identity access management (IAM) identifies, authenticates and authorizes users for the right services and systems, and securely maintains the provisioning lifecycle (provisioning, review and revocation) of the identity eco-system. Various products are used for identity management; they help increase security and enable the effectiveness and efficiency of users and systems.
Provisioning involves creating new accounts with appropriate rights and privileges, granted based on subject type and object classification.
Review is a periodic audit of existing accounts. Upon audit completion, inactive accounts are disabled, excessive and creeping privileges are checked, and the accounts are monitored for any unauthorized accounts that were created.
Revocation is disabling accounts upon employment termination; accounts that have expired must be deleted, or re-activated upon a newly approved request.
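The provisioning, review and revocation steps above, as an added example that is not from the original article: accounts are created with their role's baseline privileges, a periodic audit pass disables idle accounts and reports privilege creep and unapproved accounts, and terminated or expired accounts are revoked unless a newly approved request re-activates them. The role baselines, the 90-day inactivity threshold and the account fields are assumed values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed role baselines: the privileges each role is entitled to (example values only).
ROLE_BASELINE = {"analyst": {"read_reports"}, "admin": {"read_reports", "manage_users"}}
INACTIVITY_LIMIT = timedelta(days=90)  # assumed threshold for disabling idle accounts

@dataclass
class Account:
    username: str
    role: str
    privileges: set
    last_login: date
    expires: date
    status: str = "active"    # active | disabled | deleted
    terminated: bool = False  # HR flag: employment has ended
    approved: bool = True     # False if the account bypassed the approved provisioning process

def provision(username, role, expires, today):
    """Provisioning: create an account with exactly the privileges its role entitles it to."""
    if role not in ROLE_BASELINE:
        raise ValueError(f"unknown role {role!r}")
    return Account(username, role, set(ROLE_BASELINE[role]), today, expires)

def audit(accounts, today, reactivations=None):
    """One review/revocation pass; returns (username, finding) pairs and updates account status."""
    reactivations = reactivations or {}  # username -> new expiry from a newly approved request
    findings = []
    for acct in accounts:
        if acct.status == "deleted":
            continue
        if acct.terminated:                      # revocation on employment termination
            acct.status = "disabled"
            findings.append((acct.username, "terminated_disabled"))
        elif acct.expires < today:               # expired: delete, or re-activate if approved
            if acct.username in reactivations:
                acct.status, acct.expires = "active", reactivations[acct.username]
                findings.append((acct.username, "reactivated"))
            else:
                acct.status = "deleted"
                findings.append((acct.username, "expired_deleted"))
        elif acct.status == "active":            # periodic review of live accounts
            if not acct.approved:
                findings.append((acct.username, "unauthorized_account"))
            if today - acct.last_login > INACTIVITY_LIMIT:
                acct.status = "disabled"
                findings.append((acct.username, "inactive_disabled"))
            creep = acct.privileges - ROLE_BASELINE.get(acct.role, set())
            if creep:
                findings.append((acct.username, "excessive_privileges:" + ",".join(sorted(creep))))
    return findings
```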
For highly secure application and system access, authorized users or systems can use digital certificates or one-time sessions.
Identity access management emphasizes the following items:
- Directory management
- Account management
- Profile management
- Web access management
Resiliency and redundancy of infrastructure and communication media provide high availability. Disaster recovery, data backup and business continuity planning increase resiliency and reduce outages. All of these activities need strong identity management capability to protect, and to recover, data backups, live data, users and systems from unethical or intentional breaches.
In another instance, if an application or organization has offsite or cloud-based services, and the authentication process for remote or mobile users or IoT devices is hosted on premises, there is a risk to the availability of identity verification, so a hybrid model of cloud and local authentication systems ensures higher identification and verification availability.
However, if a third-party IDaaS is engaged for identity management, even SSL, strong encryption and integrity may not mitigate mis-redirection of requests, which is a potential danger that cannot be controlled by the security postures of any organization, however sophisticated. An awareness campaign about the trusted third-party ID verification and redirection mechanism must be adopted and made transparent within the organization.
Identity and access management (IAM) services provisioned and offered as a SaaS product by a cloud provider are termed IDaaS. An IDaaS "everywhere" service authenticates IoT devices and services to provide digital confidence and security for the proliferating cyber IoT user community.
Regarding security concerns, provisioning, de-provisioning, access control, governance, legal and compliance needs call for investment in a managed IAM service. Delivery of end-to-end IAM service solutions by a provider both on premises and on cloud platforms constitutes today's hybrid IAM/IDaaS services.
An IDaaS service provider is a third-party, subscription-based managed service provider that provides:
- A platform for the identity eco-system;
- Policy management such as enforcement points, decision points and access points;
- Access and privilege management and audit logs
IDaaS functionalities are defined as:
- IGA (Identity Governance and Administration) capability to manage identity management lifecycle for users and targeted applications;
- User authentication access with SSO and authorization enforcement;
- Intelligence used for auditing purposes, collecting logs and events to prepare reports.
IDaaS features are:
- Granular Authorization Controls
- Ease of Administration
- Integration with internal directory and external services
Federation & SSO
FIM (Federated Identity Management) addresses the management issues that arise when multiple organizations need to share the same applications, resources and users among each other. Each organization shares the same policies, standards and procedures, and a trust relationship exists between them. For instance, in a cross-certification model, verification, due diligence, due care processes and intelligence are shared.
The IDaaS feature SSO (single sign-on) is a widely used one-touch identification process that lets a user log in once, in one place, and gain access to multiple systems and services. For instance, a user's Facebook account can be used to access content provided by different vendors.
The advantages of SSO are fewer credentials to remember, faster access, fewer passwords, less time spent gaining access and central management. SSO allows services or user accounts to be managed in one click. However, if a user's SSO account is compromised, the breadth of access is wide open to attackers, and there is a greater risk of a single point of failure.
Federation and SSO identity can be practised in the following examples:
- Kerberos, a synchronous, centralized authentication system based on a one-time token
- SESAME, a European asynchronous authentication system
- Security domain (resources under the same security policy, managed by the same group)
- Domain service (such as identifying printers, CCTV and file servers on a network that are available to users and programs)
- Dumb AI terminal (thin clients in a Citrix environment; lightweight devices whose access control, processing and storage depend on a central server)
- Script-based SSO (an in-house developed script for an SSO solution), which varies between organizations
Guidelines for User Identification & Access Control
Three important security characteristics of identity are:
- Uniqueness (two users cannot have the same identity);
- Non-descriptiveness (a user's job role or position should not be identifiable or exposed by the ID);
- Secure assurance (the ID provisioning process must be well documented and its guidelines securely preserved).
Identity verification relies on the user's attributes or information, such as:
- Something the user knows (ID, username, PIN via SMS);
- Something the user has (ID card, badge);
- Something the user is (fingerprint, voice pattern, retina or iris scan).
Multi-factor authentication can be built from any combination of these user attributes.
Authentication types are based on password types such as passphrases, cognitive passwords and OTPs. A synchronous token is time-based, as in Kerberos, RSA, etc. An asynchronous token is a grid card. Other types are memory cards, smart cards (the latest bank cards with a smart chip), contactless cards with an antenna, and in some cases cards with a chip and integrated circuit.
In the author's view, ID requirements entail confidential and hashed communications, verification and validation for the following common use cases:
- Users to services
- Users to IoT
- Users to users
- IoT to IoT
- Services to services
- App to app
- App to database
- App to web
- Web to web
- Database to database
Identity access control models in practice:
- Least privilege
- Need to know
- Constrained interface
- Separation of duties
- Context-dependent control
- Behavioral control
Identity access control types in practice:
- Role-based: identifying users or resources by role grants permissions to the resources
- Rule-based: for instance, routers, firewalls or proxies allow only specific URLs
- Constrained user interface: menus and options are available based on need to know
- Access control matrix: for instance, Cisco TrustSec, where subject and object access rules are defined in a matrix table that indicates the permitted actions for the subject.
- Content: access is granted based on the object; for instance, an email content filter looks for SSNs and other sensitive content and adopts DPI (Deep Packet Inspection)
- Context: reviewing the situation; for instance, a firewall uses context-based data to allow a data flow or determine its purpose.
- MAC (non-discretionary): access is based on the subject's clearance and the data's classification, mostly automated and administratively driven.
- Discretionary: the administrator uses ACLs enforced by the system owner for both subjects and objects
Identity conditional access in practice:
- IoT Device State
- User Group
- Portal-origin authentication via web access management (Facebook or Google)