Secure Your Organization’s Data and Resources: An Overview of Identity and Access Management (IAM) – Identification, Authentication and Authorization

Identity and Access Management, commonly referred to as IAM, is a critical aspect of modern-day security and is essential for any organization that wants to protect its digital assets. In simple terms, IAM is the practice of managing digital identities, including users, devices, and applications, and controlling their access to resources within an organization’s network. As businesses become increasingly reliant on digital technology, the need to protect sensitive data and ensure secure access to resources becomes more crucial. However, for those unfamiliar with the concept, IAM can seem complex and intimidating. In this paper, we will simplify IAM and provide a clear understanding of its importance, components, and benefits.

Three important components that make up IAM are identification, authentication, and authorization. Identification is when a person (or digital identity) makes a claim about their identity in order to gain access to a system. In the physical world, think of going to the gym and realizing you forgot your access card. You tell the person at the front desk your name. At this point, you are making a claim about your identity. Authentication is the next step. In the gym scenario, the gym employee will want you to prove that you are who you say you are. They may ask to see your driver’s license to prove and authenticate your identity. The third step is authorization. After you have proved your identity through authentication in our gym scenario, you will only have access to the parts of the gym that you are authorized to use. For example, your gym membership may authorize you to have access to the weight room, but not to the pool area.

Let’s look deeper at each of these key components of IAM, starting with identification.

1) Identification

Registration

In IAM, identification begins with a registration process. This involves gathering information about a user and creating a corresponding entity in the system. Users must be given initial credentials when they are created in the system as entities. Onboarding a new employee is a good example of the registration process.

When a new employee is hired, their manager typically submits a request to create an entity for the employee. This is usually done within a Human Resources system. Someone will then approve the request. The registration authority then performs identity proofing and other checks as required by policy. The registration authority is typically a centralized role, often found in the human resources department. Last, someone issues the credentials for the new employee. Usually there will be different people acting throughout the registration process. This is important because it provides separation of duties (SoD), which reduces the chance of fraud or mistakes.

Usernames & ID Cards

Usernames are the most commonly used means of identification for digital systems. Companies usually provide every person who will access their systems with a unique identifier. Since usernames are used only for identification, not for authentication, it’s okay not to keep them private. Another common form of identification is the employee identification card. When you join a company, you will typically be issued such a card. Displaying the card shows proof of employment, and it may also provide access to the building or systems.

Biometrics

Biometrics are also becoming more commonly used for identification. A biometric identifies someone by one or more physical characteristics, such as a fingerprint, palm scan, or eye scan. Most people are familiar with biometrics from unlocking their cell phone with facial recognition. Biometric identification is increasing in popularity as users turn away from the inconvenience of identifying and authenticating themselves with a keyboard.

2) Authentication

As stated earlier, authentication is about proving your identity. There are many different ways that users can prove their identity to a system. Below we will break down common authentication techniques used to prove a user’s identity. The main authentication attributes used are the following:

  • Something you know – Typically, knowledge-based authentication comes in the form of a password that the user remembers and enters into a system during the authentication process. (“Authentication factors – CompTIA Security+ (SY0-601) Cert … – LinkedIn”)
  • Something you are – Biometrics measure one of your physical characteristics, such as a fingerprint, eye pattern, face, or voice.
  • Something you have – Requires the user to have physical possession of a device, such as a smartphone or an authentication token key fob.

Let’s take a deeper look at some authentication techniques starting with passwords.

Password Authentication Protocols

Password authentication (something you know) protocols are a set of rules that govern how a user proves their identity to a computer system by entering a secret code known as a password. The system compares the password provided by the user to a stored password associated with that user’s account. If the two passwords match, the user is authenticated and granted access to the system.

There are several different password authentication protocols, each with its own strengths and weaknesses. Some protocols transmit or store the password in plaintext, while others use more secure methods, such as hashing or encryption, to protect the password from anyone who intercepts the exchange or reads the credential store.

Overall, password authentication protocols are a fundamental component of modern computer security and are used in a wide range of applications, from logging into personal computers to accessing online banking systems.

Multi Factor Authentication (MFA)

Single-factor authentication isn’t foolproof. If you use smart card authentication to implement something you have, the user may lose the smart card. Someone coming across it may then use it to impersonate the user. The solution to this problem is to combine authentication techniques from multiple factors, such as combining something you know and something you have. This approach is known as multifactor authentication (MFA).

Multifactor authentication (MFA) is a security measure that requires users to provide multiple forms of identification in order to access an account or a system.

Instead of just a username and password, MFA requires additional forms of identification, such as a fingerprint scan, a facial recognition scan, a security token, or a text message verification code.

By requiring multiple factors of authentication, MFA makes it much harder for someone to gain unauthorized access to an account or system, even if they manage to obtain a user’s password.
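To make the password and MFA discussion concrete, here is an added example (not code from the original paper) of a two-factor login check: the password is stored as a salted PBKDF2 hash and compared in constant time, and the second factor is an RFC 6238 TOTP code from an authenticator app. The account store, salt and user secret are constructed demo values; the TOTP key is the RFC 6238 test key, not a real credential.

```python
import hashlib
import hmac
import os
import struct

# Cost parameter for PBKDF2; raise it as hardware allows (kept modest for this demo).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Store a random salt plus a PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest and compare in constant time to avoid timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step and one step either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, timestamp + k * 30), code)
               for k in range(-window, window + 1))


def login(store: dict, username: str, password: str, code: str, timestamp: int) -> bool:
    """Both factors must verify: something you know (password) and something you have (TOTP)."""
    record = store.get(username)
    if record is None:
        return False
    if not verify_password(password, record["salt"], record["hash"]):
        return False
    return verify_totp(record["totp_secret"], code, timestamp)


# Constructed demo account (fixed salt so the example is reproducible; use os.urandom in practice).
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT, DEMO_HASH = hash_password("correct horse battery staple", salt=b"\x01" * 16)
USER_STORE = {"alice": {"salt": DEMO_SALT, "hash": DEMO_HASH, "totp_secret": DEMO_SECRET}}

if __name__ == "__main__":
    code_now = totp(DEMO_SECRET, 59)
    print(login(USER_STORE, "alice", "correct horse battery staple", code_now, 59))  # True
```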

Single Sign On (SSO) and Federation

Single Sign-On (SSO) is a way for users to access multiple applications and services with just one set of login credentials (usually a username and password).

Normally, users must enter their login credentials for each application or service they want to use. With SSO, however, a user logs in once and gains access to all of the applications and services that are part of the SSO system.

SSO is particularly useful in organizations where employees need to use multiple applications and services on a daily basis. With SSO, employees can save time and effort by only having to remember one set of login credentials. Additionally, SSO can improve security by allowing for centralized control and management of user access to different applications and services.

Federation refers to a method of sharing authentication and authorization data between different organizations or systems, allowing users to access resources and services across multiple domains without needing separate logins or credentials for each one.

Federation allows two or more organizations to securely share information about user identities and access permissions. This makes it easier for users to access resources and services, while also providing enhanced security and control for the organizations involved.

Federation typically involves the use of standardized protocols and technologies, such as Security Assertion Markup Language (SAML) or OpenID Connect, to enable secure communication and information exchange between different systems. This helps to ensure that user identities are verified and authorized only when necessary, reducing the risk of unauthorized access to sensitive data or systems.

Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML) is a standard protocol used for exchanging authentication and authorization data between different systems, usually between an identity provider (IdP) and a service provider (SP). (“SAML IdP | FortiAuthenticator 6.5.1”)

SAML allows users to log in to one system (the identity provider) and then access multiple other systems (the service providers) without having to log in again. SAML achieves this by using digital “tokens” that contain information about the user’s identity and access permissions, which are passed between the identity provider and service provider systems.

When a user logs in to an identity provider, the identity provider issues a SAML token that contains information about the user’s identity and access permissions. This token is then sent to the service provider, which can use it to grant the user access to the requested resources or services without requiring the user to log in again.

SAML is widely used for federated authentication and authorization in enterprise environments, as well as for enabling single sign-on (SSO) across multiple systems and applications.

OAuth and OpenID Connect

OAuth and OpenID Connect (OIDC) are two related protocols that are used for authentication and authorization in web-based applications.

OAuth is primarily used for authorization, allowing users to grant access to their data or services to third-party applications without giving the third-party application full access to their login credentials. For example, if you use your Facebook account to log in to a third-party app, OAuth allows you to grant the app access to your Facebook data (such as your name and profile picture) without giving the app your Facebook username and password.

OpenID Connect, on the other hand, is primarily used for authentication, allowing users to log in to different systems and services using a single set of credentials (such as their Google or Facebook account). OIDC builds on top of OAuth by adding an authentication layer, allowing third-party applications to authenticate users with an identity provider (such as Google or Facebook) and obtain basic user information, such as name and email address.

In simple terms, OAuth and OIDC enable secure access to web-based applications and services by allowing users to grant limited access to their data and services to third-party applications, and allowing users to log in to multiple applications and services using a single set of credentials.

Certificate Based Authentication

Certificate-based authentication is a type of authentication method that uses digital certificates to verify the identity of a user or device.

In simple terms, a digital certificate is a type of electronic ID card that contains information about the user or device, as well as a unique digital signature that can be used to verify their identity. When a user or device attempts to access a system or service, the digital certificate is presented to the system or service as proof of identity.

Certificate-based authentication is commonly used in secure web browsing, where a website presents a digital certificate to the user’s web browser as proof of its identity. The browser can then verify the authenticity of the certificate and establish a secure connection to the website.

Certificate-based authentication can also be used in other scenarios, such as secure email or VPN connections. It is often considered more secure than traditional username and password authentication, as it is much harder to spoof or fake a digital certificate than it is to guess or steal a password.

3) Authorization

Authorization is the final step in granting a user access to a resource. Once an individual successfully authenticates to a system, authorization determines the privileges that the individual has to access resources and information on that system. It is the process of granting or denying access to resources and actions based on a user’s role or permissions within an organization’s IT environment.

Authorization allows administrators to define and enforce policies that determine which users or groups of users can access specific resources, such as applications, data, or systems, and what actions they can perform once they have access.

For example, a user may be authorized to access a certain application, but only be allowed to view data and not make any changes. Or, a manager may be authorized to approve or reject certain requests, while a regular employee may not have that level of access.

Authorization helps ensure that users have access only to the resources they need to perform their job responsibilities, reducing the risk of unauthorized access, data breaches, and other security incidents. Additionally, it helps organizations maintain compliance with industry regulations and internal security policies by enforcing access controls and monitoring user activity.

There are two general principles of authorization that lead to strong security. The first of these is the principle of least privilege. This principle states that an individual should only have the minimum set of permissions necessary to accomplish their job duties. The second important principle is separation of duties. This principle states that sensitive business functions should require the involvement of at least two people. This reduces the likelihood of fraud by requiring collusion between two employees to commit fraud.

Let’s take a look at another important aspect of authorization, access controls.

Access Controls

Access controls in IAM refer to the process of managing and regulating access to resources within a system or network. This involves setting up policies and rules to determine who is authorized to access specific resources, such as files, databases, applications, and other IT assets.

IAM access controls typically involve three main components:

  1. Users: The individuals who access resources within the system.
  2. Roles: Sets of permissions that define what actions a user can perform on specific resources.
  3. Policies: Rules that define how users and roles can interact with resources.

IAM access controls help organizations maintain security and compliance by ensuring that only authorized users can access sensitive data or perform critical operations. They also enable administrators to easily manage user access by centralizing access control management and providing granular control over permissions.
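The users/roles/policies model above, together with the two authorization principles (least privilege and separation of duties), as an added example that is not part of the original paper. The role names, users and the purchase-request workflow are constructed; a policy check defaults to deny, and the static and dynamic separation-of-duties checks stop one person from both submitting and approving a request.

```python
# Constructed role and user data, not from the original paper.
ROLES = {
    "viewer":    {("reports", "read")},
    "editor":    {("reports", "read"), ("reports", "write")},
    "requester": {("purchase_request", "submit")},
    "approver":  {("purchase_request", "approve")},
}
USERS = {
    "alice": {"viewer"},
    "bob":   {"editor", "requester"},
    "carol": {"approver"},
    "dave":  {"requester", "approver"},   # deliberately over-privileged for the SoD check
}
# Role pairs one person must never hold at the same time (static separation of duties).
SOD_CONFLICTS = [("requester", "approver")]


def permissions(user: str, users: dict = USERS, roles: dict = ROLES) -> set:
    """Union of the permissions of every role the user holds; an unknown user gets none."""
    return set().union(*(roles.get(r, set()) for r in users.get(user, set())))


def is_authorized(user: str, resource: str, action: str,
                  users: dict = USERS, roles: dict = ROLES) -> bool:
    """Least privilege / default deny: allow only if a role explicitly grants (resource, action)."""
    return (resource, action) in permissions(user, users, roles)


def sod_violations(users: dict = USERS, conflicts: list = SOD_CONFLICTS) -> list:
    """Users holding both halves of a conflicting role pair; review these assignments."""
    return sorted(u for u, held in users.items()
                  if any(a in held and b in held for a, b in conflicts))


def approve_request(request: dict, approver: str,
                    users: dict = USERS, roles: dict = ROLES) -> bool:
    """Dynamic separation of duties: approver needs the right and must not be the submitter."""
    if not is_authorized(approver, "purchase_request", "approve", users, roles):
        return False
    if request["submitted_by"] == approver:
        return False
    request["approved_by"] = approver
    return True


if __name__ == "__main__":
    req = {"id": 1, "submitted_by": "bob"}
    print(is_authorized("alice", "reports", "write"))   # False: viewers cannot change data
    print(sod_violations())                             # ['dave']
    print(approve_request(req, "carol"))                # True
```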

Access Control Attacks

Access control attacks refer to any unauthorized attempts to gain access to resources within a system or network. These attacks typically target weaknesses in the access control mechanisms that regulate user access to resources. Below are various types of access control attacks that occur:

Social Engineering – Social engineering attacks use psychological tricks to manipulate people into performing an action or divulging sensitive information that undermines the organization’s security. For example, an attacker posing as a help desk technician might use social engineering to trick a user into revealing their password over the telephone. Therefore, it’s essential to educate employees and individuals to be aware of these tactics and to implement security measures, such as two-factor authentication and access controls, to prevent these attacks from succeeding.

Impersonation Attacks – Phishing emails are fraudulent emails that appear to be from a legitimate source and often contain a link or attachment that, when clicked or opened, installs malware or directs the victim to a fake website where they are prompted to enter personal information. Social engineering attacks can be highly effective because they exploit human nature, which can be unpredictable and vulnerable to manipulation.

Spoofing is another impersonation attack that means faking the identity of someone else when sending a message. It’s easy to forge an email and hackers have software designed to do just that, where they can simply type in the name and address of a random sender and generate a fake message from that sender. Similar technology exists for caller ID and SMS message spoofing.

Identity Fraud and Pretexting – Identity fraud is a type of cyber-attack where an attacker steals someone’s personal information, such as their name, date of birth, social security number, or financial information, and uses it for fraudulent activities, such as opening credit card accounts, taking out loans, or making unauthorized purchases.

Identity fraud can happen through a variety of methods, including phishing, malware, or social engineering attacks, such as pretexting.

Pretexting is a social engineering tactic where an attacker creates a false scenario to gain access to sensitive information or resources. For example, an attacker may pose as a bank representative or a government official and use that pretext to extract personal information, such as a social security number or credit card details.

Pretexting is often used as a tool for identity fraud because it allows attackers to gain access to sensitive information that they can use to impersonate their victims and carry out fraudulent activities.

Watering Hole Attacks – A watering hole attack is a type of cyber-attack where an attacker targets a specific group of users by infecting websites that they are known to visit.

The attack typically starts with the attacker identifying a website that is popular with the target group, such as a social media platform, news site, or online forum. The attacker then infects the website with malware, usually by exploiting a vulnerability in the website’s code or by injecting malicious code into the site.

When the target group visits the infected website, their devices are infected with malware, which can then be used to steal sensitive information, such as login credentials, financial information, or personal data.

Watering hole attacks are particularly effective because they exploit the trust that users have in the websites that they visit regularly. The attacker can gain access to a large number of potential victims without having to directly target them or their devices.

To protect against watering hole attacks, users and organizations should keep their software and systems up-to-date with the latest security patches, use antivirus software, and be cautious when visiting unfamiliar or suspicious websites. Additionally, it’s important to be aware of the potential risks associated with visiting popular websites and to monitor for any unusual activity or behavior on your devices.

Physical Social Engineering

Physical social engineering is a type of cyber-attack that involves manipulating people in person to gain unauthorized access to a building, room, or computer system.

This type of attack often involves an attacker posing as an employee or a trusted authority figure, such as a contractor, repair person, or security guard, to gain access to a restricted area or computer system.

Physical social engineering attacks can take several forms, such as tailgating, where an attacker follows someone into a restricted area, or posing as a delivery person or maintenance worker to gain access to a building or room.

To prevent physical social engineering attacks, organizations should implement security protocols, such as access controls, ID badge requirements, and visitor registration procedures. Additionally, employees should be trained to be aware of the risks associated with physical social engineering and to follow proper security procedures when interacting with strangers or unfamiliar individuals.

Summary

In conclusion, Identity and Access Management (IAM) plays a critical role in securing sensitive information and resources in modern organizations. The three main components of IAM – identification, authentication, and authorization – are essential for ensuring that only authorized individuals have access to critical systems and data.

As discussed in the paper, the risks associated with IAM can be significant, including data breaches and identity theft. However, by implementing effective IAM policies and procedures, organizations can significantly reduce these risks and improve their overall security posture.

Overall, it is clear that IAM is an essential part of any comprehensive information security strategy. As technology continues to evolve and threats become increasingly sophisticated, it will be more important than ever for organizations to prioritize IAM and ensure that they have robust policies and procedures in place to protect their critical data and resources.

As the importance of data security continues to grow, IAM will become an increasingly critical component of any organization’s security strategy. By demystifying IAM and providing a simplified guide for better security and efficiency, this paper aims to help organizations take the first steps towards implementing an effective IAM solution and safeguarding their valuable information assets.