Identity and access management is an important concept in cyber security, one that needs to be well understood. In practice it is usually shortened to IAM (or sometimes IdAM), and these abbreviations are what people use when talking about the subject.
So, what is identity and access management in cyber security? It requires people to have a digital identity, such as a user account, that they can use to authenticate, for example with a password. That digital identity is then authorized to access systems and services based on the person's job function. Digital identities are not limited to people: machines such as computers, systems and services also use them to authenticate and access resources.
Digital identities are a way of assigning an identity to a person, machine, system or even a service. The assigned identity lets the holder identify itself to resources such as other machines, systems and services.
To prove that a digital identity really belongs to whoever is presenting it, the holder authenticates, using a password, a token or a certificate. Successful authentication reassures the resource, such as a system or service, that the holder of the digital identity is genuine.
Once authentication has succeeded, what the digital identity can do is subject to authorization. Authentication is merely the mechanism for verifying the digital identity: it tells any resource the identity is trying to access that the identity is legitimate. Authorization takes this a step further: having accepted that the identity is legitimate, it decides what that identity can do and access.
Accessing a website where authentication is required doesn't mean that a person who logs in successfully will have access to every single page on the site. Instead they will only have access to the pages they have been authorized to see.
Authorization uses access control mechanisms to ensure that only those who are authorized get access. Access control can mean defining roles or groups to which users belong, and allowing or denying access depending on that role or group membership. A user belonging to an administrators role or group will have access to information that only administrators are authorized to see.
Let's start with authentication, which is how the identity of a person is verified, that is, how we confirm they are who they say they are. User accounts are digital identities that can be used for authentication, by requiring a password to log in to systems and applications and get access to resources.
The username in combination with a password proves to the systems and applications that we are who we say we are; our identity is being confirmed. In the background there will be some form of identity management system that these systems and applications can reach out to and ask whether the username and password combination is correct.
Many organizations use identity providers such as Microsoft's Active Directory, which systems and applications can consult to verify that a user is genuine. Most people use some form of identity provider, whether that is Facebook, Google or the simple login form on a website; these are all identity providers. They store usernames along with the material needed to check the password (ideally a salted password hash rather than the password itself), and that is what gets checked when someone tries to authenticate.
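The check an identity provider performs when a system asks "is this username and password correct?", written out as working code. This is an added example, not code from the original article: the user records are constructed, and the store holds salted PBKDF2-HMAC-SHA256 hashes rather than passwords, compared in constant time.

```python
"""Check a username/password pair the way an identity provider does.

Added example, not code from the original article. It models the back-end
lookup described above: the store never holds plaintext passwords, only a
salted PBKDF2-HMAC-SHA256 hash, and comparisons run in constant time.
The user records are constructed for the example.
"""
import hashlib
import hmac
import os
from typing import Optional

# OWASP currently recommends around 600,000 iterations for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing credential: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest takes the same time whether the first or last byte differs,
    # so response timing does not leak how close a guess was
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed credential store, standing in for the identity provider's database
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}
# Used for unknown usernames so they cost the same as a wrong password
DUMMY_HASH = hash_password("not-a-real-password")


def authenticate(username: str, password: str, users: dict = USERS) -> bool:
    """The question a system asks its identity provider: is this pair correct?"""
    stored = users.get(username)
    if stored is None:
        verify_password(password, DUMMY_HASH)  # same work, same timing; avoids username enumeration
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authenticate("alice", "wrong"))                         # False
    print(authenticate("carol", "anything"))                      # False
```

The dummy verification for unknown usernames is deliberate: without it, a "user not found" response returns faster than a "wrong password" response, and an attacker can use that timing difference to enumerate valid accounts before starting to guess passwords.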
It's not only people who have to prove their identity through authentication; systems and services must do so too when they connect to other systems and services. Many government systems talk to each other, for example tax departments with social security departments and passport issuing departments. Each of the systems within these departments needs to authenticate itself as genuine before it can talk to systems in other departments.
Authorization is the process of making sure people and systems have access to what they are entitled to as part of their job or function. If you’re not authorized to access a particular system, then the authorization process will make sure you don’t get access.
When I'm given a digital identity by the organization I start working for, and I log into a system and successfully authenticate using my username and password, I don't end up with access to everything in the organization. Instead I have to reach out to various people, by email, phone or via a website request page, to get authorized.
So, when I log into Microsoft SharePoint and authenticate using my username and password, I prove to the SharePoint service that I am who I say I am. That alone doesn't mean I have access to everything stored on SharePoint.
No, I need to be authorized by someone with the authority to grant me access to what I need to do my job. The sections and documents I shouldn't be seeing, I won't be able to see, because I won't be authorized to view them.
Authorization defines what a system, service or user has access to, so a user could be authorized to view a specific set of web pages. But how is this enforced? This is where access control comes in: it is the nitty gritty of making the defined authorization happen, through permissions, privileges, rules and so on.
I could, for example, be authorized to access a specialist database in a different corporate network; however, the correct access controls would need to be put in place for that to happen. These could include opening firewall ports so I can connect to the database with my database management application, an account being set up for me, and the appropriate privileges and database groups being applied to that account.
Without these access controls in place, my authorization to use the database is meaningless, as it is the access controls that actually give me the access I need. Authorization means I may have access; access control turns 'I may have access' into 'I actually have access'.
Role Based Access Control (RBAC)
Access controls can include roles, in what is commonly referred to as Role Based Access Control, or RBAC for short. A role carries the level of permissions needed to carry out a function. Roles can be assigned to people, or to systems and services.
A role allowing administrative access to a database could be set up, and those authorized to do administrative work on the database, such as the database administrators (commonly referred to as DBAs), would be added to that role.
Roles allow easier administration, as it's easier to manage the access control permissions applied to a handful of roles than to manage them for every single person requiring access. Without roles, mistakes would be inevitable, as there would be too many individual users to manage access controls for. With roles, a few can be created and easily managed, with users added to or removed from them as needed.
In the cloud world, an AWS IAM role is an identity that is assumed rather than logged into with a password: it can be attached to a service such as an EC2 instance, and users or federated identities can assume it too. If a web server needs to talk to a database, it is given a role with the correct permissions, so if the data only needs to be read, the role is granted read permissions only.
As well as roles, groups also help control access to resources: users are added to specific groups, which in turn have specific access controls applied. Like roles, groups make administering access controls easier by avoiding the cumbersome business of giving each individual person the correct access controls.
Privileges define what a user or system can do, and are applied as rules and permissions that are enforced. So a rule that ordinary users must not see a website's administration pages is implemented as permissions that only allow those in the administrator role to reach them. Anyone in other roles or groups will not have the permission to access these pages and will receive a forbidden (HTTP 403) response instead.
It's important to appreciate one of the tenets of security, the principle of least privilege: people, systems and services should only have the minimum level of privilege needed to do their job.
Giving someone database administrator rights when all they do is enter information into a web page linked to a database is overkill in privilege terms. If their user account were compromised, the attacker would have privileged access to the database and could run riot.
If the user only had basic access with minimal privileges, then if their account were compromised there's very little the attacker could do beyond reading the data in the tables that user could reach, instead of seeing every database and all the data in it. Note that encryption performed by the database itself does not help here: a compromised account with the right privileges sees the data decrypted, exactly as the legitimate user would.
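The roles, groups and least-privilege scenario described in the RBAC section and the database example above, turned into working code. This is an added example, not code from the original article: the role names, permissions, users and resources are constructed, with a DBA role and a data-entry role mirroring the database scenario and an admin-only web area mirroring the forbidden page. Access is denied by default and only granted when some role the user holds matches the requested action and resource.

```python
"""Minimal RBAC engine: roles carry permissions, users hold roles (directly or
via groups), and an access check maps to allow (200) or forbidden (403).

Added example, not code from the original article. All roles, groups, users
and resource names below are constructed for illustration.
"""
from dataclasses import dataclass, field

# A permission is (action, resource); a trailing '*' is a prefix wildcard.
Permission = tuple[str, str]

ROLES: dict[str, set[Permission]] = {
    "dba":        {("*", "db:*")},                                   # full control of every database
    "data_entry": {("read", "db:orders"), ("write", "db:orders")},   # only what the web form needs
    "web_admin":  {("read", "web:/admin/*"), ("write", "web:/admin/*")},
    "web_user":   {("read", "web:/public/*")},
}

GROUPS: dict[str, set[str]] = {   # group -> roles its members receive
    "dba_team": {"dba", "web_user"},
    "staff":    {"web_user"},
}


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)
    groups: set[str] = field(default_factory=set)


def effective_roles(user: User) -> set[str]:
    """Roles assigned directly plus roles inherited from group membership."""
    roles = set(user.roles)
    for group in user.groups:
        roles |= GROUPS.get(group, set())
    return roles


def _matches(pattern: str, value: str) -> bool:
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def is_authorized(user: User, action: str, resource: str) -> bool:
    """Deny by default; allow only if some held role grants a matching permission."""
    for role in effective_roles(user):
        for p_action, p_resource in ROLES.get(role, set()):
            if _matches(p_action, action) and _matches(p_resource, resource):
                return True
    return False


def handle_request(user: User, action: str, resource: str) -> int:
    """Map the decision to the HTTP status a web application would return."""
    return 200 if is_authorized(user, action, resource) else 403


if __name__ == "__main__":
    dana = User("dana", groups={"dba_team"})                      # a DBA
    clerk = User("clerk", roles={"data_entry"}, groups={"staff"})  # enters orders via a web form
    for user in (dana, clerk):
        for action, resource in (("read", "web:/admin/users"),
                                 ("write", "db:orders"),
                                 ("read", "db:payroll")):
            print(f"{user.name:6} {action:5} {resource:18} -> {handle_request(user, action, resource)}")
```

The least-privilege point shows up directly in the checks: if the clerk's account is compromised, the attacker can read and write the orders table and nothing else, whereas a compromised DBA account reaches every database. Giving the clerk the dba role "because it was easier" would erase that difference.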
Managing privileges is a key undertaking in cyber security, as getting it wrong puts an organization at serious risk of being compromised by hackers and other malicious parties.
Some users will undoubtedly need higher levels of access permissions; this is called privileged access. It needs to be carefully managed, as privileged credentials falling into the wrong hands can lead to serious incidents.
Administrator accounts are typical of the highly privileged accounts that need to be controlled and protected, especially because an attacker who obtained one would have licence to see everything the organization holds, from secret information to payroll, with the added bonus of being able to modify and change things for their own benefit.
Many organizations use systems to control privileged access, where users first log into a Privileged Access Management (PAM) tool. These systems keep a log of all privileged access, and some of them protect the administrative passwords by logging the user on automatically without the user ever seeing those sensitive passwords. This protects the organization against passwords being stolen from users: there is no password for the PAM user to see, and you can't steal what you can't see. The PAM vault itself then holds the keys to everything and becomes a high-value target that must be protected accordingly.
Auditing is a way of checking who and what has accessed systems and resources, by keeping a log of the digital identities involved along with timestamps of when access was made. Identity and access management generates key information that can be logged, and this can be used to spot suspicious activity.
For example, multiple failed login attempts against a particular identity can indicate a brute force attack, where an attacker tries different passwords from a leaked password list to see whether one of them lets them authenticate to the system they are attacking.
These audit logs can be retained for long periods and used for forensic analysis, looking for patterns to see whether anything suspicious has happened. They can also be used post incident, to see how attackers managed to breach systems, including the identities they took over, the times they accessed systems and the resources they touched.
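The failed-login pattern described above, run as detection logic over a small authentication log. This is an added example, not code from the original article: the log lines are constructed in an sshd-like format, and the parser, threshold and window are illustrative values a practitioner would tune to the real log source.

```python
"""Flag identities with too many failed logins inside a sliding time window.

Added example (not from the original article). The log lines are constructed
in an sshd-like format; regex, threshold and window are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: alice is brute-forced (and the attacker gets in),
# bob mistypes once, carol is hit "low and slow" with one failure every 30 minutes.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z host1 auth: Failed password for alice from 203.0.113.7
2024-03-01T09:00:03Z host1 auth: Failed password for alice from 203.0.113.7
2024-03-01T09:00:04Z host1 auth: Failed password for alice from 203.0.113.7
2024-03-01T09:00:06Z host1 auth: Failed password for alice from 203.0.113.7
2024-03-01T09:00:08Z host1 auth: Failed password for alice from 203.0.113.7
2024-03-01T09:00:09Z host1 auth: Accepted password for alice from 203.0.113.7
2024-03-01T09:05:00Z host1 auth: Failed password for bob from 198.51.100.2
2024-03-01T09:05:20Z host1 auth: Accepted password for bob from 198.51.100.2
2024-03-01T10:00:00Z host1 auth: Failed password for carol from 192.0.2.9
2024-03-01T10:30:00Z host1 auth: Failed password for carol from 192.0.2.9
2024-03-01T11:00:00Z host1 auth: Failed password for carol from 192.0.2.9
2024-03-01T11:30:00Z host1 auth: Failed password for carol from 192.0.2.9
2024-03-01T12:00:00Z host1 auth: Failed password for carol from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(line: str):
    """Return (timestamp, result, user, ip) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def detect_brute_force(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {user: details} for every identity whose failed logins reached
    `threshold` within any `window_seconds` window. A success right after the
    burst is the worst outcome: a guessed password may have worked."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, _ip = parsed
        if result == "Failed":
            q = recent[user]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()   # drop failures that have aged out of the window
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {"failures": len(q), "first": q[0], "last": ts,
                                "success_after": False}
        elif result == "Accepted" and user in alerts:
            alerts[user]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_brute_force(SAMPLE_LOG).items():
        print(user, info)
```

With the default one-minute window only alice is flagged; carol's five failures spread over two hours slip through, which is exactly why real detections also keep longer-window counts per identity and per source address rather than relying on a single short threshold.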
Another big area in cyber security is machine identity, where machines (systems, computers, services) need to identify themselves to each other. Usernames and passwords are not a good fit for this, as they create management problems around protecting, regularly rotating and revoking them.
Instead a different way of identifying each other is needed, such as digital certificates, for example SSL/TLS server certificates. These can be deployed onto web servers, application servers and load balancers to provide a way of validating that these machines are who they say they are.
We can also use SSL/TLS client certificates to identify laptops to a corporate network: a client certificate on the laptop attests that it is a genuine corporate laptop, and that allows it to join the network.
The client certificate is used as part of the authentication process for joining the corporate network. However, this doesn't mean anybody using the laptop can now get onto the network; they still need to identify themselves and authenticate with their own user credentials.
Public Key Infrastructure
Public Key Infrastructure, PKI for short, is the system behind the digital certificates used to authenticate and validate the identity of machines connecting to each other. In a PKI, a certificate authority (CA) is responsible for issuing the digital certificates, signing each one so that anyone who trusts the CA can verify the certificate has not been forged or altered.
These certificates can then be used to validate that the machine the certificate was issued to is authentic. Certificates carry an expiry date, after which they must be renewed.
SSH keys are another form of machine identity and are also used to secure automated access and machine to machine interactions. SSH keys are cryptographic keys generated as a pair, a public key and a private key. The private key stays on the client; the public key is placed on the machines it may log into, and the pair is then used for authentication.
SSH keys don't expire the way SSL/TLS certificates do, so there is an increased chance that they get forgotten about, leaving stale keys in place that an attacker who finds one can still use. Regularly inventorying which public keys are authorized on each machine, and what each key is allowed to do, is the practical countermeasure.
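A worked example of the SSH key inventory the preceding passage on SSH keys calls for: parse an authorized_keys file into key type, fingerprint, comment and restricting options, then pick out keys that have no source or command restriction. This is an added example, not code from the original article. The authorized_keys content is constructed (the key material is fixed filler bytes, not real keys); the fingerprint format matches what `ssh-keygen -lf` prints (SHA256 of the key blob, base64 without padding).

```python
"""Inventory an authorized_keys file so stale or unrestricted keys can be reviewed.

Added example, not from the original article. Key material below is constructed
filler, not a real key.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass


def _ssh_string(b: bytes) -> bytes:
    """SSH wire format: 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(raw_key: bytes) -> str:
    """Base64 blob of an ssh-ed25519 public key built from 32 raw key bytes."""
    assert len(raw_key) == 32
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)).decode()


# Constructed authorized_keys: a restricted backup key and an unrestricted personal key
AUTHORIZED_KEYS = "\n".join([
    "# deploy key for backups",
    'command="/usr/local/bin/backup",no-pty,from="10.0.0.5" ssh-ed25519 '
    + make_ed25519_blob(bytes(range(32))) + " backup@bastion",
    "ssh-ed25519 " + make_ed25519_blob(bytes(range(32, 64))) + " jdoe@laptop-2017",
    "",
])

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


@dataclass
class KeyEntry:
    key_type: str
    fingerprint: str
    comment: str
    options: dict


def fingerprint(blob_b64: str) -> str:
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split_unquoted(text: str, sep_test) -> list:
    """Split on characters satisfying sep_test, ignoring separators inside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if sep_test(ch) and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts


def parse_options(text: str) -> dict:
    """Turn 'command="...",no-pty,from="..."' into a dict; flags map to True."""
    opts = {}
    for item in _split_unquoted(text, lambda c: c == ","):
        name, _, value = item.partition("=")
        opts[name] = value.strip('"') if value else True
    return opts


def parse_authorized_keys(text: str) -> list:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = _split_unquoted(line, str.isspace)
        options = {}
        if tokens[0] not in KEY_TYPES:            # leading options field present
            options = parse_options(tokens.pop(0))
        if len(tokens) < 2 or tokens[0] not in KEY_TYPES:
            continue                               # malformed; a real tool would report it
        entries.append(KeyEntry(tokens[0], fingerprint(tokens[1]), " ".join(tokens[2:]), options))
    return entries


def unrestricted_keys(entries: list) -> list:
    """Keys usable from anywhere for anything: first candidates for review, since they never expire."""
    return [e for e in entries if "from" not in e.options and "command" not in e.options]


if __name__ == "__main__":
    for e in parse_authorized_keys(AUTHORIZED_KEYS):
        print(e.key_type, e.fingerprint, e.comment, e.options)
```

Running this over every account's authorized_keys on a fleet, and diffing the fingerprints against the keys people can still account for, is how forgotten keys (the "laptop-2017" entry here) get found. Where a key cannot be removed, adding `from=` and `command=` options at least limits what a stolen copy can do.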
Identity and access management, IAM for short, is an important part of cyber security, ensuring that people, machines, systems and services can be identified, authenticated and authorized, through access controls, to access resources.
This keeps out those who are not authorized to access resources, allowing better control and protection of them. Authorization uses access controls such as roles and groups to which permissions are applied, providing different levels of privilege based on job function. This means people only get access to the resources their job function requires, and not to resources they are not authorized to use.
Identities aren't just for people; machines, such as systems, services and computers, also use identities to authenticate and be authorized to operate. These machine identities use digital certificates, PKI and SSH keys as part of their authentication, whilst people logging into systems generally use usernames and passwords.