CCS363 SOCIAL NETWORK SECURITY

ACCESS CONTROL, PRIVACY AND IDENTITY MANAGEMENT

Understand the access control requirements for Social Network,
Enforcing Access Control Strategies, Authentication and Authorization,
Roles-based Access Control, Host, storage and network access control
options, Firewalls, Authentication, and Authorization in Social Network,
Identity & Access Management, Single Sign-on, Identity Federation,
Identity providers and service consumers, The role of Identity
provisioning

5.1Understanding the access control requirements for Social Network

Introduction

DefinitionofAccessControl:
Access control refers to the mechanisms and policies that manage who can view or
use resources in a computing environment. In a social network, this is crucial for
protecting user data and ensuring a safe and secure online experience.

Purpose:
The primary purpose of access control in social networks is to safeguard personal
information, prevent unauthorized access, and create a trustful environment where
users feel secure sharing their content.

1. User Authentication
o Methods: Social networks must implement robust authentication
processes, such as secure registration forms, strong password
requirements, and email verification to confirm user identity.
o Multi-Factor Authentication (MFA): MFA enhances security by
requiring additional verification methods (like SMS codes or
authentication apps) when users log in, reducing the risk of unauthorized
access.

2. User Roles and Permissions

o Different Roles: Social networks often have multiple user roles, such as
administrators, moderators, and regular users. Each role has specific
permissions.
o Permissions Example: For instance, administrators can delete posts and
manage user accounts, while regular users can only create and comment
on posts. This hierarchy helps maintain order and security.

3. Privacy Settings
o User Control: Privacy settings allow users to manage who can view
their profiles and posts. Options might include public visibility, friends-
only access, or completely private settings.
 o Impact on Trust: By enabling users to control their information,
networks enhance user trust and satisfaction, making them more likely to
engage actively.

4. Data Access Controls

o Read/Write Permissions: Clear guidelines should define who can
access (read) and modify (write) content. For example, only friends
might be able to comment on a user’s post.
o API Access: Limiting third-party applications' access to user data
protects sensitive information and prevents misuse, ensuring users have
control over their data.

5. User Consent and Compliance

o Regulatory Compliance: Social networks must comply with data
protection regulations like GDPR, which require explicit user consent for
data collection and processing.
o Clear Policies: Providing transparent privacy policies that explain data
usage helps users understand their rights and the extent of data
protection.

6. Content Moderation and Reporting

o Reporting Mechanisms: Implementing straightforward reporting
features allows users to report harmful or inappropriate content quickly.
o Moderation Tools: Admins and moderators need effective tools to
review reports, enforce community guidelines, and maintain a safe
environment for users.

Advantages

1. Enhanced Security
o Protection of User Data: Access controls help safeguard sensitive
information from unauthorized access, reducing the risk of data
breaches.

2. User Empowerment
o Control Over Privacy: Users can manage who sees their content and
personal information, leading to greater trust and satisfaction with the
platform.

3. Regulatory Compliance
o Adherence to Laws: Implementing access control helps social networks
comply with data protection regulations like GDPR, minimizing legal
risks.

4. Content Moderation
o Safe Environment: Effective reporting and moderation systems help
maintain a respectful community by addressing harmful content
promptly.

5. Role-Based Management
 o Organizational Structure: Clearly defined roles and permissions
streamline operations, making it easier to manage user interactions and
content.

Disadvantages

1. Complexity of Implementation
o Development Challenges: Designing a robust access control system
can be complex and resource-intensive, requiring ongoing maintenance
and updates.

2. User Frustration
o Overly Restrictive Controls: If access controls are too strict, they can
frustrate users, making it difficult for them to engage fully with the
platform.

3. Potential for Misuse

o Administrative Abuse: Users with high-level permissions (e.g.,
admins) might misuse their access, leading to privacy violations or
biased content moderation.

4. False Sense of Security

o Inadequate Measures: Relying solely on access controls might create a
false sense of security, leading to complacency regarding other security
measures.

5. Increased Operational Costs

o Resource Allocation: Maintaining and updating access control systems
can incur significant operational costs, diverting resources from other
areas.

Conclusion

Access control in social networks encompasses user authentication, role-based

permissions, privacy settings, data access controls, user consent, and content
moderation. Each of these components plays a vital role in maintaining user security
and trust.

5.2 Enforcing access control strategies

Enforcing access control strategies in social network analysis (SNA) is crucial for
maintaining data privacy and security while enabling effective analysis. Here are some
key strategies to consider:

1. Role-Based Access Control (RBAC)

 Define Roles: Establish user roles (e.g., admin, analyst, viewer) with specific
permissions.
 Access Levels: Restrict access to data based on roles, ensuring sensitive
information is only available to authorized users.
2. Attribute-Based Access Control (ABAC)

 User Attributes: Use attributes (e.g., job title, department) to determine access
rights.
 Dynamic Policies: Create dynamic access policies that adapt based on user
context and data sensitivity.

3. Data Encryption

 At Rest and In Transit: Encrypt sensitive data to protect it from unauthorized

access during storage and transmission.
 Access Controls on Decryption: Only allow decryption keys to users with
appropriate access levels.

4. Audit Trails

 Logging Access: Keep detailed logs of who accesses what data and when.
 Regular Reviews: Periodically review logs to detect any unauthorized access
or anomalies.

5. User Authentication and Authorization

 Multi-Factor Authentication (MFA): Implement MFA to enhance user

verification.
 Session Management: Monitor user sessions and enforce timeouts to reduce
risks.

6. Data Minimization

 Limit Data Collection: Only collect the data necessary for analysis to reduce
exposure.
 Anonymization Techniques: Use techniques to anonymize or pseudonymize
data where possible.

7. Compliance with Regulations

 GDPR, HIPAA, etc.: Ensure that access control measures comply with
relevant data protection regulations.
 User Consent: Obtain user consent for data collection and clarify how their
data will be used.

8. Education and Training

 User Awareness: Provide training for users on the importance of data privacy
and security.
 Best Practices: Share best practices for handling sensitive data in SNA.

9. Access Control Mechanisms

 Fine-Grained Access Control: Implement fine-grained controls for sensitive

nodes or edges in the network.
 Temporal Access: Restrict access to data based on time or specific events.
10. Regular Security Assessments

 Penetration Testing: Conduct regular security assessments to identify

vulnerabilities.

Policy Updates: Update access control policies based on assessment findings and
emerging threats.

5.3Authentication and Authorization

Authentication

This process verifies the identity of a user. Common methods include:

1. Username and Password: The most traditional form, requiring users

to input their credentials.
2. Two-Factor Authentication (2FA): Adds an extra layer by
requiring a second form of identification, like a text message
code or authentication app.
3. Single Sign-On (SSO): Allows users to log in using credentials
from another platform (e.g., Google, Facebook).
4. Biometric Authentication: Uses unique biological traits
(fingerprints, facial recognition) for verification.

Authorization

Once a user is authenticated, authorization determines what they can do within the
platform. This involves:

1. Role-Based Access Control (RBAC): Users are assigned roles that dictate their
permissions (e.g., admin, regular user).
2. Scope-Based Permissions: Defines what resources or actions users can
access based on their roles.
3. Privacy Settings: Users can control who sees their content, influencing
authorization at a granular level.
4. Secure Password Storage: Use hashing and salting techniques to protect
user passwords.
5. Regular Audits: Review permissions and roles to ensure they remain
appropriate.
6. User Education: Teach users about strong passwords and the
importance of 2FA.
7. Session Management: Implement secure session handling to prevent
hijacking.
Authentication

Advantages:

1. Security: Ensures that only legitimate users can access sensitive

information.
2. User Accountability: Tracks user actions, making it easier to
identify and address unauthorized activities.
3. User Trust: Builds confidence in the platform, encouraging user
engagement and data sharing.
4. Flexible Methods: Supports various authentication
methods
(e.g., 2FA, biometrics), enhancing security.

Disadvantages:

1. User Frustration: Complex authentication processes (like multiple

2FA steps) can frustrate users and lead to abandonment.
2. Password Management: Users often struggle to remember complex
passwords, leading to weaker security practices (e.g., reusing passwords).
3. Implementation Complexity: Setting up and maintaining secure
authentication systems

Authorization

Advantages:

1. Granular Control: Allows for precise permissions management, ensuring

users only access what they need.

2. Improved Security: Reduces the risk of unauthorized actions within the

system by enforcing strict access controls.
3. Customizable Roles: Organizations can tailor roles and permissions to fit
their specific needs.
4. Compliance: Helps meet regulatory requirements regarding data
access and management.

Disadvantages:

1. Complexity in Management: Managing roles and permissions can become

complex, especially in large organizations or platforms.

5.4 RBAC(Role Based Access Control)

Definition
Role-Based Access Control (RBAC) is a widely used method for managing user
permissions and access in various applications, including social networks. It
helps maintain security, ensure privacy, and streamline user management.
Here’s a detailed explanation of RBAC in the context of social network
security:

1. Basic Concepts of RBAC

 Roles: A role is a defined set of permissions that determine what actions a user can
perform within the system. In a social network, roles might include "User,"
"Moderator," "Administrator," or "Guest."
 Users: Users are individuals who interact with the social network. Each user is
assigned one or more roles, which dictate their access level.
 Permissions: Permissions are the specific rights to perform actions, such as creating
posts, commenting, sending messages, or accessing certain content.
 Role Hierarchies: Roles can be organized in a hierarchy, allowing higher-level roles
to inherit permissions from lower-level ones. For instance, an "Administrator" may
have all the permissions of a "Moderator" plus additional capabilities.

2. How RBAC Works in Social Networks

1. Role Assignment: When a user registers or is created in the social network, they are
assigned one or more roles based on their intended use of the platform. For example,
new users might be assigned the "User" role, while employees might be assigned the
"Admin" role.
2. Permission Management: Each role is linked to specific permissions that dictate
what actions users in that role can perform. For example:
o User: Can create posts, comment, and like content.
o Moderator: Can delete posts, manage user reports, and mute users.
o Administrator: Can manage all aspects of the network, including user roles,
site settings, and data management.
3. Access Control Enforcement: When a user attempts to perform an action, the system
checks their assigned role(s) against the required permissions for that action. If the
user has the necessary permissions, the action is allowed; otherwise, it is denied.

3. Benefits of RBAC in Social Network Security

 Simplified Management: Instead of managing individual user permissions,

administrators can manage roles, making it easier to apply changes across many users
at once.
 Increased Security: By restricting access to sensitive features and data, RBAC
reduces the risk of unauthorized actions. For example, only users with a specific role
can view or edit private user information.
 Scalability: RBAC systems can scale easily as the user base grows. New users can be
assigned appropriate roles without the need for extensive permission management.
 Compliance: Many industries have regulatory requirements regarding data access.
RBAC can help ensure compliance by clearly defining who has access to what data
and actions.

4. Challenges and Considerations

 Role Explosion: As organizations grow, the number of roles can multiply, leading to
complexity in management. Careful planning is needed to avoid having too many
roles.
  Dynamic Access Needs: Social networks often have dynamic content and user needs.
RBAC may need to be combined with other models (like Attribute-Based Access
Control) to address these changing needs effectively.
 User Awareness: Users need to understand their roles and the associated permissions.
Misunderstandings can lead to security issues or user dissatisfaction.

5. Implementation Strategies

 Role Definition: Clearly define roles based on user needs and actions within the
platform.
 Regular Audits: Conduct regular audits of roles and permissions to ensure they
remain relevant and secure.
 Training and Documentation: Provide training and resources to users and
administrators to help them understand RBAC and its importance.
 Integration with Other Security Measures: Combine RBAC with other security
measures such as encryption, two-factor authentication, and activity monitoring for
enhanced security.

Advantages

1. Simplified Management:
o Administrators can manage access permissions through roles rather than
individual users, making it easier to apply changes across the platform.
2. Enhanced Security:
o RBAC restricts access to sensitive features and data based on user roles,
reducing the risk of unauthorized actions and potential data breaches.
3. Clear Accountability:
o Assigning roles creates a clear structure for accountability, making it easier to
track who has access to what and who is responsible for specific actions.
4. Scalability:
o RBAC can easily scale as the user base grows. New users can be assigned
roles quickly without extensive permission management.
5. Compliance Support:
o Many regulatory frameworks require strict access controls. RBAC helps
organizations meet these compliance requirements by defining and enforcing
access policies.
6. Role Hierarchies:
o Supports hierarchical roles, allowing higher-level roles to inherit permissions
from lower ones, which simplifies permission management for more complex
organizations.

Disadvantages

1. Role Explosion:
o As organizations grow, the number of roles can proliferate, leading to
complexity and making management cumbersome.
2. Inflexibility:
o RBAC can be rigid. If a user needs permissions that span multiple roles, it can
complicate access management and lead to potential conflicts.
3. Dynamic Needs:
o Social networks often require dynamic access controls that RBAC alone may
not accommodate, necessitating the integration of other access control models.
4. Initial Setup Complexity:
 o Designing an effective RBAC system requires careful planning and can be
complex initially, especially in large organizations with diverse user needs.
5. User Misunderstanding:
o Users may not fully understand their roles and permissions, leading to
frustration or misuse if they feel restricted by their assigned role.
6. Potential for Over-Permissioning:
o If roles are not well-defined, users may be granted more permissions than
necessary, increasing the risk of unauthorized actions or data exposure.

Conclusion

RBAC is an effective way to manage user access in social networks, balancing security with
usability. By clearly defining roles and permissions, social networks can protect user data,
manage interactions, and maintain a secure environment while allowing for growth and
adaptability. Proper implementation and management of RBAC are essential to address its
challenges and maximize its benefits.

5.5 Host,Storage and Network access Control Options:

Introduction

Social networks are prime targets for cyber threats due to the vast amounts of personal
data they handle. Effective security measures across host, storage, and network access
control are essential to protect user data and ensure the integrity and availability of
services.

Host Security

Host Security: Host security refers to the measures and practices implemented on
individual computing devices (hosts) to protect them from unauthorized access,
malware, and other security threats. This includes configurations, software tools, and
policies designed to safeguard the operating system, applications, and data on those
devices, ensuring their integrity, confidentiality, and availability. Key components
often include firewalls, antivirus software, intrusion detection systems, and access
control mechanisms.

1. Firewalls:
o Purpose: Act as a barrier between trusted internal networks and
untrusted external networks.
o Implementation: Use both hardware and software firewalls to filter
traffic based on security rules.
2. Intrusion Detection Systems (IDS):
o Function: Monitor network traffic for suspicious activity and potential
threats.
o Types: Host-based IDS (HIDS) and network-based IDS (NIDS) can be
deployed to detect unauthorized access.
3. Regular Updates and Patching:
o Importance: Keeping operating systems and applications up to date is
critical for mitigating vulnerabilities.
o Strategy: Establish a routine for automatic updates or manual patch
management.
4. Access Control Policies:
 o Roles and Permissions: Implement the principle of least privilege
(PoLP) to limit user access to necessary data only.
o User Management: Regularly review and update access permissions as
roles change.
5. Secure Configuration:
o Best Practices: Harden configurations by disabling unused services and
changing default settings.
o Security Benchmarks: Follow industry standards and benchmarks for
server configurations (e.g., CIS benchmarks).

Advantages
1. Improved Threat Detection:

oTools like firewalls and intrusion detection systems (IDS) can identify
and mitigate threats before they cause damage.
2. Reduced Attack Surface:

oRegular updates and secure configurations minimize vulnerabilities,

making it harder for attackers to exploit systems.
3. Controlled Access:

o Access control policies ensure that only authorized users can access
sensitive data, enhancing overall security.

Disadvantages
1. Cost:

oImplementing and maintaining security tools (e.g., IDS, firewalls) can

be expensive for organizations.
2. Complexity:

o Managing host security configurations and policies can be complex and

may require specialized skills.
3. False Positives:

o Security systems may generate false alerts, leading to unnecessary

investigations and resource allocation.

Storage Security

Storage Security: Storage security refers to the practices and technologies designed
to protect data stored on physical devices or in cloud environments from unauthorized
access, corruption, or loss. This includes implementing measures such as encryption,
access control, data segmentation, and regular backups to ensure the confidentiality,
integrity, and availability of stored information. Effective storage security helps
organizations comply with data protection regulations and mitigate the risks
associated with data breaches and leaks.

1. Data Encryption:
o At Rest and In Transit: Use encryption protocols (like AES for data at
rest and TLS for data in transit) to secure sensitive user information.
 o Key Management: Implement a secure key management process to
control access to encryption keys.
2. Data Segmentation:
o Segregation: Separate sensitive data (like personal identifiable
information) from other types of data to minimize risk exposure.
o Access Restrictions: Limit access to sensitive data based on user roles.
3. Access Control Lists (ACLs):
o Implementation: Define ACLs to specify which users or systems can
access specific data sets.
o Monitoring: Regularly audit ACLs to ensure compliance and adjust as
necessary.
4. Regular Backups:
o Data Recovery: Implement automated backup solutions to protect
against data loss due to breaches or hardware failures.
o Testing: Regularly test backup recovery procedures to ensure data can
be restored promptly.
5. Audit Trails:
o Logging Access: Maintain detailed logs of all access and changes to
sensitive data.
o Compliance: Use logs for compliance audits and forensic analysis in
case of incidents.

Advantages

1. Data Protection:
o Encryption protects sensitive information, even if data breaches occur,
making it unreadable to unauthorized users.

2. Data Integrity:
o Regular backups ensure data can be restored in case of corruption or
loss, maintaining business continuity.

3. Regulatory Compliance:
o Proper storage security measures help organizations comply with data
protection regulations, reducing legal risks.

Disadvantages

1. Performance Overhead:
o Encryption and other security measures can introduce latency and
impact system performance.

2. Complex Management:
o Managing encryption keys and access control lists can be challenging,
especially as data volume grows.

3. Potential Data Loss:

o If backups are not managed correctly, there’s a risk of data loss or
corruption, undermining the intended protections.

Network Access Control

Network Access Control (NAC): Network Access Control (NAC) is a security
approach that enforces policies on devices attempting to connect to a network. It
ensures that only authorized and compliant devices can access network resources,
helping to protect the network from unauthorized access and potential threats. NAC
typically involves authentication, authorization, and continuous monitoring of devices,
applying security measures based on user roles, device status, and compliance with
organizational policies.

1. Virtual Private Networks (VPNs):

o Secure Remote Access: Use VPNs to encrypt data transmitted over the
internet, especially for remote workers.
o Policy Enforcement: Ensure that VPN usage complies with the
organization’s security policies.
2. Multi-Factor Authentication (MFA):
o Enhanced Security: Require MFA for user logins to reduce the risk of
unauthorized access.
o Implementation: Use a combination of something the user knows
(password) and something they have (mobile device).
3. Network Segmentation:
o Isolation of Resources: Segment networks to limit the movement of
attackers if a breach occurs.
o Controlled Access: Enforce strict access controls between segments to
protect sensitive resources.
4. Monitoring and Logging:
o Traffic Analysis: Continuously monitor network traffic for unusual
patterns that may indicate an attack.
o Incident Response: Use logs to facilitate quick incident response and
investigations.
5. User Education and Training:
o Awareness Programs: Conduct regular training sessions to educate
users about security threats and best practices.
o Phishing Simulations: Use simulated phishing attacks to improve
awareness and response among users.

Advantages

1. Enhanced Security:
o Multi-factor authentication (MFA) and VPNs significantly reduce the
risk of unauthorized access.

2. Reduced Insider Threats:

o Network segmentation limits access to sensitive areas, reducing the
potential impact of insider threats.

3. Traffic Monitoring:
o Continuous monitoring of network traffic helps identify and respond to
anomalies quickly.

Disadvantages

1. User Frustration:
 o MFA can create additional steps for users, potentially leading to
frustration and decreased productivity.

2. Resource Intensive:
o Implementing and maintaining comprehensive network security
measures can require significant resources and expertise.

3. Dependency on Connectivity:
o VPNs rely on internet connectivity; issues with connection can disrupt
remote access and workflows.

5.6 Firewalls,authentication and authorization

firewalls, authentication, and authorization play important roles in ensuring the

integrity, security, and privacy of the data being analyzed. Here’s how each
component contributes:

Firewalls

 Data Protection: Firewalls help protect the infrastructure where social network
data is stored and processed. They can prevent unauthorized access and attacks,
such as SQL injection or cross-site scripting, that could compromise data
integrity.
 Network Segmentation: By segmenting networks, firewalls can help isolate
sensitive data and resources, allowing for more controlled access during
analysis.

Authentication

 User Verification: In SNA tools and platforms, strong authentication is crucial

for ensuring that only authorized users can access sensitive social network data.
This often involves multi-factor authentication (MFA) to enhance security.
 Data Access: Researchers and analysts must authenticate themselves before
accessing datasets, ensuring that only qualified individuals can conduct
analyses and interpret results.

Authorization

 Role-Based Access Control (RBAC): In social network analysis, different

roles (e.g., researchers, analysts, administrators) can be defined, each with
specific permissions to access or manipulate data. This ensures that users can
only interact with data that is relevant to their roles.
 Granular Permissions: Authorization mechanisms can dictate who can view,
edit, or share specific datasets or analysis results, which is essential for
protecting sensitive information, especially in studies involving personal data.

Integration in Social Network Analysis

1. Data Collection: When collecting data from social networks, secure methods
of authentication ensure that data retrieval is done ethically and legally,
respecting user privacy.
 2. Analysis Tools: Many SNA tools require user accounts, necessitating strong
authentication and well-defined authorization to control who can run analyses
or view results.
3. Collaboration: In collaborative research environments, robust authorization
mechanisms are vital to manage data sharing and access among team members
while maintaining compliance with data protection regulations.
4. Compliance: Ensuring that all users adhere to data protection laws (like GDPR
or CCPA) requires both authentication and authorization processes to manage
how data is used and shared.

Advantages

1. Enhanced Security:
o Firewalls provide an additional layer of security by controlling access to
network resources based on user authentication and authorization,
reducing the risk of unauthorized access.
2. Granular Access Control:
o They allow for detailed policies that specify who can access what
resources, enabling organizations to enforce strict access controls.
3. Monitoring and Logging:
o Firewalls can log authentication attempts and authorization events,
helping in auditing and monitoring for suspicious activities.
4. Centralized Management:
o Many firewalls offer centralized management tools that simplify the
administration of user permissions and access controls.
5. Integration with Identity Management:
o Firewalls can integrate with identity and access management (IAM)
systems, allowing for seamless user verification and role-based access.

Disadvantages

1. Complex Configuration:
o Setting up authentication and authorization policies can be complex,
leading to potential misconfigurations that could expose vulnerabilities.
2. Performance Overhead:
o Implementing strict authentication and authorization can introduce
latency and affect network performance, especially if the firewall
performs deep packet inspection.
3. Single Point of Failure:
o If a firewall fails or is compromised, it could lead to a significant
security breach, as it may serve as the primary gatekeeper for access
control.
4. User Experience Impact:
o Rigorous authentication processes can frustrate users, leading to
productivity losses or workarounds that bypass security protocols.
5. Ongoing Management Required:
o Continuous updates and management are necessary to ensure that access
controls remain effective and relevant, requiring dedicated resources.

5.7 IDENTITY AND ACCESS MANAGEMENT (IAM)

Identity and Access Management (IAM) is a combination of policies and technologies
that allows organizations to identify users and provide the right form of access as and
when required.
The services and resources you want to access can be specified in IAM.
IAM doesn’t provide any replica or backup.
IAM can be used for many purposes such as, if one want’s to control access of
individual and group access for your AWS resources.
The 4 four major components of Identity Access Management are:

 Identity
 Authentication
 Authorization
 Auditing
IAM Features
Shared Access to your Account: A team working on a project can easily share
resources with the help of the shared access feature.
Free of cost: IAM feature of the AWS account is free to use & charges are added
only when you access other Amazon web services using IAM users.
Grant permission to the user: As the root account holds administrative rights, the
user will be granted permission to access certain services by IAM.
Multifactor Authentication: Additional layer of security is implemented on your
account by a third party, a six-digit number that you have to put along with your
password when you log into your accounts.
IAM Technologies and Tools
 Single Sign-On (SSO): choices that lets a user login and uses multiple
applications at once, as well as give more security to the services.

Example: Its competitors include Okta and Microsoft Azure AD.

 Multi-Factor Authentication (MFA): A second one is that you must verify your
account with two or more ways to boost its security. Example: Some of the
examples of Two Factor Authentication applications are Duo Security and
Google Authenticator.

 Role-Based Access Control (RBAC): Secures the system based on employees’

roles, where the user will have the least privilege to access the system.

Example: IBM Security Identity Manager.

 Privileged Access Management (PAM): Performs functions associated with
obtaining and maintaining high levels of accessible (“privileged”) computing
resources
Importance of IAM for Organizations

 Security: IAM makes certain that only the right people are given access to core
systems and information and thus safeguards organizations from threats within
and outside.

 Regulatory Compliance: IAM aids organizations in compliance with the legal

and industry-compliant requirements based on the accessibility and the log
records of the user activities.

 Operational Efficiency: IAM provides means of minimizing workload to IT

teams by automating tasks such as on boarding, off boarding, and shifts in user
roles.

 Risk Mitigation: IAM also helps in combating data breaches and cyber-
attacks since it has strict measures towards providing access to users.
 User Experience: It provides easier access to the firm’s partners, employees, and
customers in interacting with the systems with increased security, thus enhancing
productivity and customer satisfaction.

Benefits of IAM Systems

 Enhanced Security: IAM prevents unauthorized access to sensitive data and
systems, thus minimizing the access of the unauthorized personnel.
 Improved Compliance: It also guarantees that the organization complies with
the legal requirements concerning the access control as well as the tracking of
activities performed by the users.
 Increased Productivity: Automates processes of the management of users and
access, thus minimizing the numbers of manual operations and providing faster
access to the required resources.
 Reduced Risk: Portfolios reduce internal risks and data losses due to strict
access protocols in place.
5.8 Introduction of Single Sign On (SSO)

Single Sign On(SSO) is a session and user authentication service that allows a user to
access various apps using a single set of login credentials, such as a username and
password. SSO is used by every organization as well as individuals to manage
multiple credentials more efficiently.
What is a Single Sign On(SSO)?
Single sign-on (SSO) is an authentication solution that allows users to securely
authenticate to multiple applications and websites using a single set of credentials. For
example, logging in to your Google account once will allow you to access Google
applications such as Google Docs, Gmail, and Google Drive.

 Without an SSO solution, the website maintains a database of login credentials

– usernames and passwords. Each time the user logs in to the website, it checks
the user’s credentials against its database and authenticates the user.
 With the SSO solution, the website does not store login credentials in its
database. Instead, Single Sign On (SSO) makes use of a shared cluster of
authentication servers where users are only required to enter their login
credentials once for authentication.
How does SSO Login work?
 The user enters login credentials on the website and the website checks to see if
the user has already been authenticated by SSO solution. If so, the SSO solution
would give the user access to the website. Otherwise, it presents the user with the
SSO solution for login.
 The user enters a username and password on the SSO solution.
 The user’s login credentials are sent to the SSO solution.
 The SSO solution seeks authentication from the identity provider, such as an
Active Directory, to verify the user’s identity.
 Upon successful login with SSO, the website passes authentication data in the
form of tokens as a form of verification that the user is authenticated as the user
navigates to a different application or web page.
Types of SSO configurations
 Kerberos-Based SSO: When user credentials are submitted in a Kerberos-
based configuration, a ticket-granting ticket (TGT) is generated. The TGT retrieves
service tickets for other apps that the user wants to access without requiring the
user to enter their credentials.
 SAML SSO: SAML is an Extensible Markup Language standard that allows for
the sharing of user authentication and authorization data across secure domains.
SAML-based SSO services require communication between the user, an identity
provider that manages the user directory, and a service provider.
 Smart card-based SSO: Smart card-based SSO requires an end user to utilize a
card that contains the sign-in credentials for the first login. Once the card is used,
the user is not required to enter usernames or passwords. SSO smart cards can
store either certificates or passwords.
 Social SSO: Many security professionals advise end users not to use social SSO
services since once attackers obtain control of a user’s SSO credentials, they can
access all other applications that use the same credentials.
 Enterprise SSO: Enterprise single sign-on (eSSO) software and services are
password managers that use client and server components to log users into target
apps by repeating their credentials.
What is an SSO Token?
 An SSO token is a collection of data or information that is transferred between
systems as part of the SSO procedure.
 The data can be as simple as a user’s email address and the system from which
the token is sent.
 Tokens must be digitally signed for the token receiver to verify that it is from a
reliable organization.
 The certificate required for this digital signature is transferred during the initial
configuration process.
Advantages of SSO
 For Users
o The risk of access to third-party sites is mitigated as the website
database does not store the user’s login credentials.
 o Increased convenience for users as they only need to remember and key
in login information once.
o Increased security assurance for users as website owners do not store
login credentials.
 For Businesses
o Increase customer base and satisfaction as SSO provides a lower barrier
to entry and seamless user experience.
o Reduce IT costs for managing customer’s usernames and passwords.
Disadvantages of SSO
 Increased security risk if login credentials are not securely protected and are
exposed or stolen as adversaries can now access many websites and applications
with a single credential.
 Authentication systems must have high availability as loss of availability can lead
to denial of service for applications using a shared cluster of authentication

5.9Identity Federation:
Identity federation refers to a trust relationship between two entities for using
authentication information from one system in order to grant access to another system
without asking for authentication information multiple times.

Identity federation is a way to log in to one site using credentials from another.
This way, you only need to remember one set of login information and don’t have
to worry about remembering multiple usernames and passwords.
Instead, users can use a single credential to access all their online accounts.
The most common identity providers are social media sites like Facebook and
Google.
There are also enterprise-level identity providers designed for use in business
environments.
Identity Federation Work:
Identity federation relies on something called an identity provider.
An identity provider is a website or service that stores your credentials and allows
you to use them to log in to other websites or services.
When you click the “Login with…” button on a website, you’re typically redirected
to the identity provider’s login page.
Once you enter your credentials on the identity provider’s login page, you’ll be
redirected back to the original site or system without having to log in again.
Identity Federation VS SSO (Single Sign-On)
It’s important to note that identity federation differs from single sign-on (SSO).
With SSO, you log in to one account and access all the other linked accounts at the
same entity. That is different from identity federation, where you can use your
credentials from one entity to log in to another entity.

Identity federation is a decentralized approach to authentication that allows users to

access multiple online services with a single set of credentials.
The main advantage is that it is more scalable and easier to manage than single
sign-on.
The downside is that it’s less secure since there is a possibility of using
compromised credentials to access accounts at multiple entities.

Single sign-on is a centralized approach requiring users to authenticate with a single

provider to access multiple online services.
Single sign-on is typically used in business environments where employees need to
access various resources, such as email, file sharing, and customer relationship
management tools.
Identity Federation Benefits:
Increased Security
When you use federated login, your credentials are only stored on the identity
provider’s servers. That means if one of the websites or services you’re using is
compromised, your credentials are not exposed.
Convenience
With federated login, you only need to remember your credentials for one account.
That can be much easier than keeping track of multiple credentials for different sites
and services.
Reduced Costs
Implementing a federated login system can be less expensive than setting up and
maintaining a single sign-on solution. You don’t need to build and deploy a custom
SSO solution.
Drawbacks of Identity Federation:
Increased Dependency
When you use federated login, you rely on the identity provider to keep your
credentials safe and secure. If the identity provider experiences an outage or security
breach, you may not be able to log in to the websites and services that you use.
Limited Control
You’re also giving up some control over your account with federated login. For
example, if you want to change your password on one of the websites or services you
use, you’ll need to do it through the identity provider.
Reduced Flexibility
Federated login systems can also be less flexible than single sign-on solutions because
they typically only work with a few specific types of accounts. So, if you want to use
federated login with a new website or service, it may not be compatible with the
existing system.