Security+: Implementing identity and access management (IAM) controls
Identity and access management (IAM) is perhaps the most essential information security control. After all, confirming that a user is who they claim to be, and then granting only the access the principle of least privilege allows, is a sound way of protecting data confidentiality, integrity and even availability.
The topic of IAM is found throughout the CompTIA Security+ exam. The primary objective covering IAM is 4.6: Given a scenario, implement and maintain identity and access management. However, identity and access concepts also appear in many of the exam's other objectives across the Security+ domains, such as:
- 1.2: Summarize fundamental security concepts.
- 2.5: Explain the purpose of mitigation techniques used to secure the enterprise.
- 3.2: Given a scenario, apply security principles to secure enterprise infrastructure.
- 4.5: Given a scenario, modify enterprise capabilities to enhance security.
- 5.1: Summarize elements of effective security governance.
Read on to learn more about IAM. For more information on the Security+ exam, download our free Security+ ebook or explore Infosec's Security+ Training Boot Camp.
IAM controls you should know
There are several IAM controls covered on the Security+ exam. Here are a few that cybersecurity professionals should be aware of:
- Access control models: To implement IAM, it is necessary to define how a subject (a user or a process) may interact with securable objects (files, devices, services and so on). Access control models do just that: they provide a paradigm that defines the relationships among subjects, objects, operations and permissions. There are a few different models that Security+ candidates must understand.
- MAC: In the mandatory access control model, users have limited power (or no power at all) to decide who can access their files. Access policy is defined centrally, for example by assigning clearance levels to users and classifying data (public, confidential, secret or top secret), and the system enforces it. A user with a clearance level of secret can read data classified at secret or below but cannot grant access to another user, even for data they created themselves.
- DAC: In the discretionary access control model, users can be data owners, which means they determine who may access the resources they own. For example, a user can create a file and set it up so that other users, a group of users or a process can read, change or even delete it. The flip side of this flexibility is that an owner (or any code running with the owner's privileges) can grant access the organization never intended.
- Role-based access control: As the name suggests, access is granted based on the subject's role rather than on the individual user. This can be considered a middle ground between MAC and DAC. A role can be a group or a job position, such as help desk technician or auditor; users assigned to a role receive the permissions attached to it, and removing a user from the role removes those permissions.
- Rule-based access control: In this paradigm, access is decided by a list of rules that either allow or deny access to resources, evaluated in order. One of the simplest examples is the access control list (ACL) commonly used on routers and firewalls: rules determine which source or destination IP addresses and/or ports are allowed through, the first matching rule wins, and traffic that matches no rule is typically denied (implicit deny), so the order of the rules matters.
- Physical access control: As a principle, applying security controls to the physical environment is not all that different from protecting pure data. Controls should be enforced to ensure identity is confirmed before granting access, and once access is actually granted, it is limited and monitored.
- Proximity cards: It is quite common to use proximity cards to grant access to doors or door locks. The user simply moves the card close to the reader, and presto! The door unlocks. In truth, the proximity card is a passive device, powered inductively by the reader, that stores a small amount of information, usually a single identifier. Once read, this identifier is looked up and access is either granted or denied. Because that identifier is static and is simply transmitted to the reader, with no challenge-response, a proximity card proves only that a card with that identifier was presented, not who is holding it.
- Smart cards: While similar in format to proximity cards, smart cards are embedded with integrated circuit chips that can store more data and perform computation, such as holding a cryptographic key and using it to authenticate to the reader with a challenge-response exchange, so the key itself never leaves the card. Smart cards may also hold data for other forms of authentication, such as a biometric template that is matched locally rather than sent to a central system. An important point to remember regarding authentication is that both proximity and smart cards fall into the category of something you have. Because losing such a card is fairly common, relying on it alone for physical access creates a significant gap. Multifactor authentication closes it by combining the card with something you know (a PIN or password) or something you are (a biometric read).
- Biometric factors: Many physical attributes of the human body can be used for identification and authentication, including fingerprints, retina and iris patterns, voice and facial recognition and even ear shape. Since this falls under the something you are category, it avoids problems such as a user forgetting a password or losing a card. Biometric systems compare a live sample against a stored template and accept when the match score meets a threshold; two error rates describe how well that works. The false acceptance rate (FAR) is the proportion of attempts by unauthorized users that the system wrongly accepts, and the false rejection rate (FRR) is the proportion of attempts by authorized users that it wrongly rejects. Raising the threshold lowers the FAR but raises the FRR, and vice versa. The crossover error rate (CER), also called the equal error rate, is the point at which FAR and FRR are equal; the lower the CER, the more accurate (and more secure) the biometric system is.
- Tokens: Tokens are among the strongest authentication factors available. A token can be a physical device, usually a small build similar to a USB stick, or a software-based solution, such as an app installed on a mobile device. Physical tokens either hold a private key and its certificate in hardware that does not allow the key to be exported, so the device must be physically connected, usually at a USB port, to authenticate, or have a mechanism such as a button that, once pressed, makes the device display a one-time password. One-time passwords are generated in one of two ways. A time-based one-time password (TOTP) derives each code from the current time divided into fixed intervals, so a new code appears every 30 or 60 seconds. An HMAC-based one-time password (HOTP) derives each code from a counter that the token and the server both increment every time a code is used, so codes change per use rather than per interval. In both cases the code is computed by running a shared secret and the counter (or the time step) through a keyed hash, the hash-based message authentication code (HMAC), and truncating the result to a few digits.
- Certificate-based authentication: Certificates (or digital certificates) are a form of trust-based, third-party authentication that uses asymmetric (public key) cryptography: a certificate authority signs a statement binding an identity to a public key, and the holder proves that identity by demonstrating possession of the matching private key. Certificates can be used to verify the identity of devices, applications, systems, networks and organizations. The certificate itself is public and can be freely distributed; what must be protected is the private key. If the key is stored as a plain file in a system folder, it can be lost or, worse, stolen and used as the basis for an impersonation attack, so it should be handled carefully. Safer options are to generate and keep the key on a smart card or hardware token, or, for servers and certificate authorities, in a hardware security module (HSM), a physical device that safeguards and manages digital keys for strong authentication and performs the cryptographic operations itself, so the key never leaves the hardware.
Better security through identity and access management implementation
As mentioned before, implementing identity and access management controls is a key task any good information security professional should be familiar with. For instance, when designing a new system, IAM is a major consideration for a security architect. On the other hand, a pentester must understand how authentication works in order to test and exploit it. The same applies to physical protection, as information security experts should be able to design and test identification and authentication controls for critical areas such as a data center.
In the end, implementing IAM controls is a rather important subject in the Security+ exam, so candidates should prepare accordingly.
For more on the Security+ certification, view our Security+ certification hub.