qeeqbox/identity-and-access-management
Identity and Access Management (IAAA)

The practice of ensuring that people or objects have the right level of access to assets

  1. Identification
  2. Authentication
  3. Authorization
  4. Accountability

Identification

A way of claiming an identity (The act of indicating someone's or an object's identity)

  • Username
  • SSN

Authentication

Ensuring the claimed identity is valid (Verifying someone's or an object's identity)

Authentication factors

  • Something you know
    • Password
    • PIN
  • Something you have
    • Passport
    • Smartphone
    • Smart Card
    • Token
  • Something you are
    • Fingerprint
    • Facial recognition
    • Iris Scan
  • Somewhere you are
    • IP address
    • MAC Address
  • Something you do
    • Pattern unlock
    • Picture Password

Authorization

Determining what someone or an object has permission to do after their identity is verified

  • Access Control
    • A security technique to protect a system against unauthorized access

Accountability (Auditing)

The ability to trace an action back to someone or an object

  • Audit logs

Account types

  • User account
    • Used by humans
  • Privileged accounts
    • They have higher-level access privileges (Administrative privileges)
    • Domain Administrator
      • Complete control of the Active Directory (AD) domain
    • Local Administrator
      • Complete control of the local computer in Windows (Not AD)
  • Shared accounts
    • Can be used by multiple individuals or objects
  • Guest accounts
    • Provide limited access, often on a temporary basis
  • Service accounts
    • They are non-human accounts that are used for running processes
      • Webserver
  • Application accounts
    • They are non-human accounts that give applications access to other resources
      • Access to databases

Passwords

A series of characters used for authentication

  • Shared passwords
    • Credential Stuffing
  • Simple Passwords
    • Password guessing
  • Strong Passwords
    • Password dumps
    • Password cracking
  • Password Managers
    • Account reset
    • Account takeover
  • 2FA
    • Phishing
    • SIM Swapping
    • Device compromise

Access Control

A security technique to protect a system against unauthorized access

Attribute-based Access Control (ABAC)

Access based on attributes

  • User attributes
  • Object attributes
  • Environment conditions

Discretionary Access Control (DAC)

Access based on the owner's decision. This model uses an Access Control List (ACL) for authorization (the ACL determines who can access a resource)

  • The data owner of an organization determines the level of access

Graph-based Access Control (GBAC)

Access based on how data relates to other data

  • Using an organizational query language

History-Based Access Control (HBAC)

Access based on real-time evaluation of a history of activities

  • A user is denied access to sensitive info because of past behavior

Identity-Based Access Control (IBAC)

Access is based on the identity of the user (this access is by the individual, not by group)

  • A specific user has access to sensitive information

Mandatory Access Control (MAC)

Access based on regulations by a central authority

  • A user must demonstrate a need for the information before access is granted

Role-Based Access Control (RBAC)

Access based on a user role

  • Job title

Rule-Based Access Control (RAC)

Access based on a predefined set of rules or access permissions

  • Allowing access only from a specific IP address

Responsibility-Based Access Control (ReBAC)

Access based on the responsibilities assigned to a user or users

  • A data engineer has access to a backup management interface
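As an added example (not code from the qeeqbox repository), the following deny-by-default authorizer evaluates one request against the rule-based, RBAC, DAC and ABAC models listed above and returns the name of the failing check so it can be written to the audit log (the Accountability step). The users, roles, ACL, resource attributes and the 10.0.0.0/8 range are all constructed for illustration.

```python
# Added example (not qeeqbox's code); users, roles, ACL and IP range are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Request:
    subject: str
    action: str                 # "read" or "write"
    resource: str
    source_ip: str              # "somewhere you are": input to the rule-based check
    hour: int                   # environment condition (0-23) for ABAC
    attrs: dict = field(default_factory=dict)  # subject attributes for ABAC

# RBAC: role -> permissions, user -> roles
ROLE_PERMS = {"analyst": {"read"}, "data-engineer": {"read", "write"}}
USER_ROLES = {"alice": {"analyst"}, "bob": {"data-engineer"}}
# DAC: the resource owner maintains the ACL (subject -> allowed actions)
ACL = {"backup-console": {"owner": "bob", "entries": {"alice": {"read"}}}}
# Rule-based: only the (constructed) corporate network may connect
ALLOWED_NETS = [ip_network("10.0.0.0/8")]
# ABAC: object attribute; high-sensitivity data needs clearance during business hours
RESOURCE_ATTRS = {"backup-console": {"sensitivity": "high"}}

def rule_allows(r):
    return any(ip_address(r.source_ip) in net for net in ALLOWED_NETS)

def rbac_allows(r):
    roles = USER_ROLES.get(r.subject, set())
    return any(r.action in ROLE_PERMS.get(role, set()) for role in roles)

def dac_allows(r):
    entry = ACL.get(r.resource)
    if entry is None:
        return False                      # no ACL for this resource: no access
    if entry["owner"] == r.subject:
        return True                       # the owner decides, so the owner has access
    return r.action in entry["entries"].get(r.subject, set())

def abac_allows(r):
    if RESOURCE_ATTRS.get(r.resource, {}).get("sensitivity") != "high":
        return True
    return r.attrs.get("clearance") == "high" and 8 <= r.hour < 18

CHECKS = (("rule", rule_allows), ("rbac", rbac_allows), ("dac", dac_allows), ("abac", abac_allows))
def authorize(r):
    """Every model must allow; the failing check is returned for the audit log (accountability)."""
    for name, check in CHECKS:
        if not check(r):
            return False, name
    return True, None
```

Because every model must agree, a request that any single model rejects is denied, and the returned check name tells the auditor which policy blocked it.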

id

fee711fd-43d3-40f4-8974-e81e78f4c678

References
