If you are new to the IT industry, or simply have not come across the concept of Identity and Access Management (IAM) in your professional journey so far, this article will help you get started and introduce you to the four pillars of Identity and Access Management.
IAM comprises two components. The first is known as 'Identification' and the second as 'Authentication, Authorization, and Accounting (AAA)'. With any traditional or modern tool, there is always a mechanism governing permissions and access to resources. For example, a user logging on to a file server needs to have a login and to fulfill certain requirements defined by the organization before getting access to organizational data. This process involves all four pillars of IAM to some extent. We'll dig into both of these concepts one by one.
Table of contents
- Authentication Concept
- Authentication, Authorization and Accounting
- Authentication Factors
- Dual Factor or MFA
Authentication Concept
Identification occurs when a user claims an identity with some sort of identifier, whether in the form of a username or an email address. The user then proves that identity through authentication, for example with a password.
The process involves two entities: one presents the credentials and the other, the authenticator, verifies them. For example, in an organizational login the user supplies a username and password to an authentication server, which validates the credentials before allowing access.
Authentication is a broad concept that applies not just to users: network devices, services, processes, workstations and servers all use authentication to prove their identity in one form or another. This also introduces the concept of mutual authentication, where both entities authenticate to each other, which we will not cover in this article.
Authentication, Authorization and Accounting
Authentication, Authorization and Accounting (AAA) work together to provide a robust and comprehensive access management system. With identification and authentication understood, authorization and accounting follow naturally to cover the remaining security gaps. Let's see what the definitions of both terms are.
Authorization is the method of granting access once the identity is confirmed and authentication has taken place successfully. Permissions are granted based on the user's identity to ensure that only the resources the user is authorized for can be accessed.
Accounting facilitates the tracking of user activity and records all of that activity in the form of logs. This provides an audit trail to re-create events or perform forensics in case a security incident takes place.
Authentication Factors
With the definitions covered, let's see what the IAM process involves. Authentication relies on certain factors that ensure proper measures are implemented to secure the infrastructure. This may involve a single factor of authentication in the form of a password, or two factors using alternate verification methods to implement more secure authentication.
We'll discuss the following factors used in authentication:
- Something you know
- Something you have
- Something you are
- Somewhere you are
- Something you do
Something You Know
Something you know authentication refers to the use of a password, shared secret or PIN. Unfortunately, many applications and services only support password-based authentication, also known as Basic Authentication. Although this is the least secure type of authentication, it can be strengthened by following some simple guidelines described below.
Setting a password complexity policy is one of the easiest ways to prevent security incidents arising from a weak password. A strong password is of sufficient length and is not a word easily found in a dictionary. A password should fulfill the following requirements to be considered strong:
- At least 10 characters
- Uppercase character (A-Z)
- Lowercase character (a-z)
- Number (0-9)
- Special character (e.g. !#@$%^&*/~)
Password Expiration (Password Rotation)
In addition to having a strong password, a password should be set to expire every 90 or 180 days, depending on the organization's ability to support the change. When a password expires, users are not able to log in without setting a new password first. Users are often forced to change the password at login to enforce the password rotation policy.
Password resets are often a complicated and lengthy process, depending on the organization's size and the support staff's skill in handling the request. In many organizations, phishing calls are very effective at getting a poorly trained support desk to reset the password of an executive's account and thereby gain access to internal systems.
To save the helpdesk's valuable time in resetting user passwords, a self-service password reset (SSPR) automates the process. The login page of most services includes a "Forgot Password" link, which walks the user through resetting their password after verifying their identity using security questions, an alternate email address or a phone number registered to the account during initial setup.
Once the identity is confirmed, the user is prompted to set a new password for the account without any intervention from helpdesk staff.
Password History and Reuse
It is common for users to set the same or a similar password at every rotation because it is easier to remember, which in turn weakens password security significantly.
Almost all security systems include a password history and reuse policy that can be leveraged to prevent users from reusing the same password across rotation cycles. The password history should ideally be set to 24, which ensures users cannot reuse a password until they have used 24 new passwords.
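As an added example (not code from the article), the following Python enforces the complexity rules listed above together with a 24-entry reuse history kept as salted hashes rather than plaintext. The rule names, the `SPECIALS` set, the PBKDF2 parameters and the sample passwords are my own constructed choices.

```python
"""Password policy: the article's complexity rules plus a 24-entry reuse
history stored as salted hashes (added example, not the article's code)."""
import hashlib
import hmac
import os
import re
from collections import deque

SPECIALS = "!#@$%^&*/~"   # the special characters listed in the article
HISTORY_DEPTH = 24        # the history depth the article recommends


def complexity_failures(password: str, min_length: int = 10) -> list:
    """Return the names of the rules the password fails (empty = compliant)."""
    checks = {
        "length": len(password) >= min_length,
        "uppercase": re.search(r"[A-Z]", password) is not None,
        "lowercase": re.search(r"[a-z]", password) is not None,
        "digit": re.search(r"[0-9]", password) is not None,
        "special": any(ch in SPECIALS for ch in password),
    }
    return [name for name, ok in checks.items() if not ok]


class PasswordHistory:
    """Keeps salted PBKDF2 hashes of the last N passwords. Hashing (rather
    than storing plaintext) means a leaked history does not leak passwords."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self._entries = deque(maxlen=depth)  # oldest entry is evicted automatically

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def was_used(self, password: str) -> bool:
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)

    def set_password(self, password: str) -> list:
        """Apply complexity and reuse rules; record the password only if accepted.
        Returns the violated rule names, so an empty list means accepted."""
        failures = complexity_failures(password)
        if self.was_used(password):
            failures.append("reuse")
        if not failures:
            salt = os.urandom(16)
            self._entries.append((salt, self._digest(password, salt)))
        return failures
```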
Every network device or service ships with a default password. In many cases, the username is 'admin' or 'administrator' and the default password is 'password', 'admin' or 'administrator'. As a precautionary security measure, the default password should be changed before putting a system into use.
In some cases it is not possible to disable the built-in admin account; however, it is always worthwhile to rename the admin account to something other than 'admin' or 'administrator' to reduce the attack surface, as malicious actors typically search for privileged accounts by their default names.
Something You Have
Something you have refers to something that you can physically hold. Common factors include a smart card, a key fob, or a hardware token.
Smart cards are credit card-sized cards with an embedded chip and a certificate. They are used like a credit card: the user inserts the card into a verification device, which performs certificate-based authentication.
Smart cards are often used as a second factor of authentication alongside basic password authentication. As a PIN or password is something you know and a smart card is something you have, the combination provides multi-factor authentication (MFA).
Tokens or Key Fobs
A token or key fob is a programmable hardware device that grants access when the fob is tapped on a fob reader. Fobs are easy to carry and store because of their compact size, similar to a car key, and they also include an LCD that displays a random number.
The fob is usually programmed with a rolling number that changes once it has been used. The number expires after 60 seconds, at which point it is replaced with a new random number. The authorization server always knows which number is current in the sequence and can recognize and reject an expired number, which prevents replay attacks.
This concept also facilitates multi-factor authentication, as the user enters the password for an account (something you know) and uses the fob as a second factor (something you have).
One Time Password (OTP)
The idea of an OTP is similar to a fob with a rotating number, but an OTP can be configured and delivered using a software-based service. The random number is generated in a mobile authenticator application such as Google Authenticator or Microsoft Authenticator. Many web services let you enroll in MFA using the application of your choice and so gain multi-factor functionality from a software-based token service.
Something You Are
Something you are uses biometrics for authentication. Biometrics are considered the strongest authentication method because they are the most difficult to falsify.
Biometric methods used for authentication include fingerprints, retina scan, voice recognition, facial recognition and iris scan. The authentication system captures the user's biometric by one of these means at enrollment and compares it later during authentication to verify the identity and grant access.
Below are some of the most common biometrics used for authentication:
- Fingerprint Scanner - Most mobile devices, including phones and laptops, include fingerprint readers that can be used as an authentication method once the user has enrolled.
- Retina Scanner - A retina scanner scans both eyes and observes the pattern of blood vessels at the back of the eye for recognition. Retina scanners usually need physical contact with the scanner, so they are not commonly found in mobile devices but rather in highly sensitive areas, where dedicated secure hardware grants access to authorized personnel only.
- Iris Scanner - Iris scanners can be found in mobile devices equipped with a camera, which captures the pattern of the iris around the pupil for recognition.
- Voice Recognition - Voice recognition identifies a user by applying speech recognition methods to distinguish the acoustic features of their voice.
- Facial Recognition - Facial recognition systems identify people based on facial features, including the size and structure of the nose, eyes, mouth, cheekbones, and jaw. Almost all modern devices include facial recognition, including Windows laptops with the Windows Hello feature, which supports facial recognition.
Somewhere You Are
The somewhere you are factor identifies a user's geographical location. Many authentication systems use IP addresses for geolocation to verify the country, region, state, and city.
This is an effective measure when you plan to block access to resources from a certain country or IP address range; however, it is not foolproof, as many VPN solutions can spoof the apparent source IP address.
Something You Do
Something you do refers to an action you take, such as a gesture or pattern: tapping specific places on a picture, drawing lines between items, or drawing a pattern over an image with a finger. The pattern is first registered by the user and is later used to authenticate to systems.
Dual Factor or MFA
Multi-Factor Authentication (MFA), or Dual-Factor Authentication, uses two different forms of authentication from those mentioned in the previous sections. For example, it can be a combination of something you know and somewhere you are, where the system verifies the credentials (something you know) and allows access to the account only when the user is on the office network (somewhere you are) or in another trusted location.