SY0-701 - Lesson 04

Lesson 4
Implement Identity and Access Management

Lesson 4
Topic 4A
Authentication

Password Concepts
• Length
• Complexity
• Character combinations
• Aging
• Reuse and history
• Expiration
• NIST guidance
• Password hints

Password Managers
• Vault and master password
• Built-in OS/browser password managers
• Third-party cloud/plug-in

Multifactor Authentication
• Multifactor authentication (MFA)
  • Something you KNOW and something you HAVE
  • NOT something you KNOW and something else you KNOW
• Fingerprint recognition
• Facial recognition
Android is a trademark of Google LLC.

Hard Authentication Tokens
• Token generation types
  • Certificate-based (requires PKI)
  • One-time password (OTP)
  • Fast Identity Online (FIDO) Universal 2nd Factor (U2F)
• Email account
• Phone call
• Push notification
• Authenticator app
• Possibility of interception
Passwordless Authentication
• Rely on authenticator rather than password
• Accounts identified by public/private key pair, but doesn’t have to use PKI
• Private key stored only on authenticator
• Authenticator can require biometric or PIN proof of presence (local gesture)
• Attestation
  • Verify authenticator as root of trust

Review Activity: Authentication
• Authentication design
• Something you know/are/have
• Passwordless authentication

Lab Activity
• Assisted Lab: Managing Password Security

Lesson 4
Topic 4B
Access Management
• Security groups
  • Assign permissions to security groups and assign user accounts to relevant groups
  • Groups can be mapped to roles
• Conditional access
• Continual authentication
• User account control (UAC) and sudo

Least Privilege Permission Assignments
• Principle of least privilege
  • Sufficient permissions only
• Implications
  • Insufficient permissions
  • Authorization creep
  • Auditing

User Account Provisioning
• Provisioning
  • Identity proofing
  • Issuing credentials
  • Asset allocation
  • Policy awareness and security education
  • Permission assignments and implications
• Deprovisioning
  • Employees or contractors leaving company or project, or changing roles
  • Remove or disable permission assignments

Account Attributes and Access Policies
• Account attributes
  • Security identifier (SID, account name, credential)
  • Extended profile attributes
  • Per-app settings and files
• Access policies
  • File permissions
  • By Location Services
  • Time-based restrictions
    • Logon hours
    • Logon duration
  • Impossible travel time/risky login
  • Temporary permissions

Privileged Access Management
• Policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts
• Accounts with system-wide access
• Password vaulting/brokering
• Ephemeral credentials

Review Activity: Access Management
• Discretionary and mandatory access control
• Role-based and attribute-based access control
• Rule-based access control
• Least privilege permission assignments
• User account provisioning
  • Identity proofing, secure credentials, asset allocation, policy/awareness training, permissions assignments

Lesson 4
Topic 4C
Identity Management
• Windows authentication
  • Local sign-in
  • Network sign-in (Kerberos and NTLM)
  • Remote sign-in
• Linux authentication
  • /etc/passwd and /etc/shadow
  • Pluggable authentication modules (PAMs)

Directory Services
• Database of subjects
  • Users, computers, security groups/roles, and services

Single Sign-on Authentication
• Kerberos
  • Clients
  • Application servers
Images © 123rf.com.

Federation
• Networks under separate administrative control share user identities
• Identity providers and claims
• Interoperability
  • Service providers and identity providers
  • Shared frameworks and protocols

Security Assertion Markup Language
• Open standard for implementing identity and service provider communications
• Attestations/assertions
  • XML format
  • Signed using XML signature specification
• Communications protocols
  • HTTPS
  • Simple Object Access Protocol (SOAP)

Open Authorization
• “User-centric” federated services better suited to consumer websites
• Representational State Transfer (REST) Application Programming Interfaces (APIs) (RESTful APIs)
• Framework for implementation, not a protocol
• OAuth
  • Designed to communicate authorizations, rather than explicitly authenticate a subject
  • Client sites and apps interact with OAuth IdPs and resource servers that hold the principal’s account/data
  • Different flow types for server-to-server or mobile-app-to-server
• JavaScript Object Notation (JSON) Web Token (JWT)

Review Activity: Identity Management
• Local, network, and remote authentication
• Directory services
  • LDAP and distinguished name attributes
• Federation
  • Identity providers and service providers

Lesson 4
Summary