Isa - GRP-6 Identity Access Management

The document discusses identity and access management (IAM) frameworks. IAM includes authentication, authorization, access control, and user management. Authentication verifies users' identities using factors like passwords. Authorization gives users access to resources based on their permissions. Access control policies determine who can access data and systems using techniques like authentication and authorization.

Identity Access Management
Group 6
Table of contents
01 Authentication
02 Authentication Factors
03 Authorization
04 Accounting
05 Authentication Systems
06 Access Control
07 Mandatory Access Control
08 Other Access Control Models
09 Access Control Mechanisms
10 User Management
11 Password Management
12 Point to point Authentication
Identity Access Management
Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. Systems used for IAM include single sign-on systems, two-factor authentication, multifactor authentication and privileged access management.
01
Authentication
What is Authentication
Authentication is the process of verifying a user or device before allowing access to a system or resources.
Authentication refers to identifying a user to confirm they are who they claim to be before being granted access to information resources.
Basically, authentication means confirming that a user is who they say they are.
Authentication
A common way to authenticate a user is by using a combination of a username and password.
• Only the user is supposed to know his or her exclusive username and password combination.
Although the username & password combination is a traditional form of authentication, it is still the primary form of authentication.
• The traditional username and password combination is also known as user credentials.
Authentication is part of a three-step process for gaining access to digital resources:
Identification—Who are you?
Authentication—Prove it.
Authorization—Do you have permission?
• Identification requires a user ID like a username. (But without identity authentication, there’s no way to know if that username actually belongs to them.)
• That’s where authentication comes in—pairing the username with a password or other verifying credentials.
02
Authentication Factors
As cybersecurity threats have increased in recent years, most organizations use and recommend additional authentication factors for layered security.
Authentication Factors
An authentication factor is a category of evidence that a person has to present to prove they are who they say they are.
There are three authentication factors: the Knowledge Factor, the Possession Factor and the Inherence Factor.
Authentication Factors
Knowledge Factor – something you know, e.g., password
Possession Factor – something you have, e.g., mobile phone
Inherence Factor – something you are, e.g., fingerprint
03
Authorization
What is Authorization
Authorization is the process of giving someone the ability to access a resource.
Authorization
In computer systems, authorization rules are part of an IT discipline called Identity and Access Management (IAM).
Within IAM, authorization and authentication help system managers to control who has access to system resources and set client privileges.
The way that IT systems deal with authorization services is very similar to a real-world access control process.
Authorization
Consider a collaboration tool like Google Docs.
04
Accounting
What is Accounting
Accounting measures the resources the user consumes during access. This can include the amount of system time or data the user has sent and received during a session. Accounting logs session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization and capacity planning activities.
Authentication, Authorization and Accounting (AAA)
BENEFITS OF AAA
• Improved network security
• Protocol Management
• Flexible and Granular Control
• Informed Decision-Making Abilities
• Standardized authentication Methods
05
Authentication Systems
What is Authentication
Authentication is the process of identifying users that request access to a system, network, server, app, website, or device. The primary goal of authentication is to ensure that a user is who they claim to be.
Why Authentication is Important
There is no organization, system, network, website, or server in today’s modern world that does not require some form of authentication. Those that do not are putting themselves at risk of attacks that could result in the misappropriation of their resources and sensitive data at the very least.
06
Access Control
Access control
Access control is an essential element of security that determines who is allowed to access certain data, apps, and resources—and in what circumstances. In the same way that keys and preapproved guest lists protect physical spaces, access control policies protect digital spaces. In other words, they let the right people in and keep the wrong people out.
Access control policies rely heavily on techniques like authentication and authorization, which allow organizations to explicitly verify both that users are who they say they are and that these users are granted the appropriate level of access based on context such as device, location, role, and much more.
Access control keeps confidential information—such as customer data and intellectual property—from being stolen by bad actors or other unauthorized users. It also reduces the risk of data exfiltration by employees and keeps web-based threats at bay. Rather than manage permissions manually, most security-driven organizations lean on identity and access management solutions to implement access control policies.
07
Mandatory Access Control
What is a Mandatory Access Control System (MAC)?
Mandatory Access Control (MAC) is a system to allow or deny access to private information in an organization. What makes MAC different from other systems is that it works on a hierarchy pattern.
Advantages:
• High-level data protection (most secure system among role, mandatory and discretionary systems): With MAC, one can be sure that their most confidential data is well protected and leaves no room for any leakage.
• Centralized Information: Once data is set in a category it cannot be de-categorized by anyone other than the head administrator. This makes the whole system centralized and under the control of only one authority.
• Privacy: Data is set manually by an administrator. No one other than the admin can make changes to a category or to the list of users' accesses to any category. It can be updated only by the admin.
Disadvantages:
• Careful Setting-Up Process: MAC must be set up with good care, otherwise it will make working chaotic. Sometimes a piece of information needs to be shared among co-workers in the same organization, but MAC prevents anyone from doing so.
• Regular Update Required: It requires regular updating when new data is added or old data is deleted. The administration is required to put some consideration into the MAC system and ACL list now and then.
• Lack of Flexibility: A MAC system is not operationally flexible. It is not an easy task to initially input all data and create an ACL that won’t create any trouble later.
08
Other Access Control Models
What is discretionary access control (DAC)?
Discretionary access control decentralizes security decisions to resource owners. The owner could be a document’s creator or a department’s system administrator. DAC systems use access control lists (ACLs) to determine who can access that resource. These tables pair individual and group identifiers with their access privileges.
Advantages of DAC
• Conceptual simplicity — ACLs pair a user with their access privileges. As long as the user is in the table and has the appropriate privileges, they may access the resource.
• Responsiveness to business needs — Since policy change requests do not need to go through a security administration, decision-making is more nimble and aligned with business needs.
Disadvantages of DAC
• Over/underprivileged users — A user can be a member of multiple, nested workgroups. Conflicting permissions may over- or under-privilege the user.
• Limited control — Security administrators cannot easily see how resources are shared within the organization. And although viewing a resource’s ACL is straightforward, seeing one user’s privileges requires searching every ACL.
• Compromised security — By giving users discretion over access policies, the resulting inconsistencies and missing oversight could undermine the organization’s security posture.
What is role-based access control (RBAC)?
Role-based access control grants access privileges based on the work that individual users do. A popular way of implementing “least privilege” policies, RBAC limits access to just the resources users need to do their jobs. Implementing RBAC requires defining the different roles within the organization and determining whether and to what degree those roles should have access to each resource.
Advantages of RBAC
• Flexibility — Administrators can optimize an RBAC system by assigning users to multiple roles, creating hierarchies to account for levels of responsibility, constraining privileges to reflect business rules, and defining relationships between roles.
• Ease of maintenance — With well-defined roles, the day-to-day management is the routine on-boarding, off-boarding, and cross-boarding of users’ roles.
• Centralized, non-discretionary policies — Security professionals can set consistent RBAC policies across the organization.
• Lower risk exposure — Under RBAC, users only have access to the resources their roles justify, greatly limiting potential threat vectors.
Disadvantages of RBAC
• Complex deployment — The web of responsibilities and relationships in larger enterprises makes defining roles so challenging that it spawned its own subfield: role engineering.
• Balancing security with simplicity — More roles and more granular roles provide greater security, but administering a system where users have dozens of overlapping roles becomes more difficult.
• Layered roles and permissions — Assigning too many roles to users also increases the risk of over-privileging users.
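The MAC, DAC and RBAC sections above describe each model in words. The block below is an added example (not code from the slides or from the presenting group) that puts all three decision rules side by side: a hierarchical MAC read check, a DAC ACL lookup that also shows why finding one user's privileges means scanning every ACL, and an RBAC check that walks a role hierarchy so a senior role inherits a junior role's permissions. The labels, ACLs, groups, roles and users are constructed illustrations.

```python
"""MAC labels, DAC ACLs and RBAC roles as three small decision functions.

Added example; not code from the original slides. Every label, ACL entry,
group membership and role below is constructed to illustrate the slides.
"""
from typing import Dict, List, Set

# --- Mandatory Access Control: a fixed hierarchy of labels set by the administrator.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_can_read(subject_label: str, object_label: str) -> bool:
    """Hierarchical MAC: a subject may read only objects at or below its clearance."""
    return LEVELS[subject_label] >= LEVELS[object_label]

# --- Discretionary Access Control: each resource owner keeps an ACL of principal -> perms.
# Principals are user names or group names prefixed with "group:".
ACLS: Dict[str, Dict[str, Set[str]]] = {
    "budget.xlsx": {"alice": {"read", "write"}, "group:finance": {"read"}},
    "roadmap.doc": {"group:product": {"read", "write"}, "bob": {"read"}},
}
GROUPS: Dict[str, Set[str]] = {"alice": {"finance"}, "bob": {"finance", "product"}, "carol": set()}

def dac_allows(resource: str, user: str, perm: str) -> bool:
    """Granted if the user, or any group the user belongs to, holds `perm` in the ACL."""
    acl = ACLS.get(resource, {})
    principals = {user} | {"group:" + g for g in GROUPS.get(user, set())}
    return any(perm in acl.get(p, set()) for p in principals)

def dac_privileges_of(user: str) -> Dict[str, Set[str]]:
    """The 'limited control' drawback: answering 'what can bob reach?' needs every ACL."""
    result: Dict[str, Set[str]] = {}
    for resource in ACLS:
        perms = {p for p in ("read", "write") if dac_allows(resource, user, p)}
        if perms:
            result[resource] = perms
    return result

# --- Role-Based Access Control: permissions attach to roles; roles form a hierarchy.
ROLE_PERMS: Dict[str, Set[str]] = {
    "employee": {"wiki:read"},
    "engineer": {"repo:read", "repo:write"},
    "lead": {"repo:approve"},
}
ROLE_PARENTS: Dict[str, List[str]] = {"engineer": ["employee"], "lead": ["engineer"]}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"lead"}, "bob": {"engineer"}, "carol": {"employee"}}

def effective_roles(roles: Set[str]) -> Set[str]:
    """Expand a role set through the hierarchy: a lead is also an engineer and an employee."""
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, []))
    return seen

def rbac_allows(user: str, perm: str) -> bool:
    """Granted if any effective role of the user carries the permission."""
    return any(perm in ROLE_PERMS.get(r, set())
               for r in effective_roles(USER_ROLES.get(user, set())))

if __name__ == "__main__":
    print(mac_can_read("confidential", "secret"))     # False: no reading above clearance
    print(dac_allows("budget.xlsx", "bob", "write"))  # False: finance group has read only
    print(rbac_allows("alice", "wiki:read"))          # True: inherited lead -> engineer -> employee
```

The RBAC expansion is what makes "a user with dozens of overlapping roles" hard to audit: the permission a user ends up with is the union over every role reachable in the hierarchy, so reviewing one user means reviewing that whole closure.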
What is Privileged Access Management (PAM)?
A recent ThycoticCentrify study found that 53% of organizations experienced theft of privileged credentials and 85% of those thefts resulted in breaches of critical systems. Privileged access management is a type of role-based access control specifically designed to defend against these attacks.
Based on least-privilege access principles, PAM gives administrators limited, ephemeral access privileges on an as-needed basis. These systems enforce network security best practices such as eliminating shared passwords and manual processes.
Advantages of PAM
• Reduced threat surface — Common passwords, shared credentials, and manual processes are commonplace even in the best-run IT departments. Imposing access control best practices eliminates these security risks.
• Minimizing permission creep — PAM systems make it easier to revoke privileges when users no longer need them, thus preventing users from “collecting” access privileges.
• Auditable logging — Monitoring privileged users for unusual behavior becomes easier with a PAM solution.
Disadvantages of PAM
• Internal resistance — Just as doctors make the worst patients, IT professionals can be resistant to tighter security measures.
• Complexity and cost — Implementing PAM requires investments in time and money within already-constrained IT departments.
09
Access Control Mechanisms
ACCESS CONTROL MECHANISM
A logical component that receives an access request for an object from a subject and decides and enforces the access decision.
COVERING MY TOPIC
• User Account Management
• Password Management
• Point to point Authentication
10
User Management
What is user account management?
Managing which users can access specific folders and files, which requires providing specific access credentials to users who need privileged access.
Managing User Account
A user is someone who uses a computer. A user account defines what a user can do using Windows XP.
In Windows XP, there are three types of user accounts.
Administrator account – The administrator can do everything with the computer and can do anything he or she desires – essentially giving them control over the entire computer, including other accounts. The administrator account can never be disabled or deleted.
Standard account – Users with standard accounts can install programs and hardware, change pictures and related personal data, and create, change, or remove his or her password.
Guest account – doesn’t require a password, can’t add or remove
Managing User Account

To easily manage user accounts, click the User Accounts icon in the Control Panel. The User Accounts window presents you with an easy to use interface.
Creating a New Account
You can create new user accounts as needed, giving others access to your computer (without sharing your password).
To create a new account
• Click Create a New Account in the User Accounts window.
• A User Accounts window appears. Enter the name of the new account and click NEXT.
• The next window asks you to pick an account type. Choose Computer Administrator or Limited by clicking the appropriate radio button.
• If you’re not sure, click each one and read the list of actions that can be performed by the account type.
• When finished, click the Create Account button.
• The new account now appears in the User Accounts window.
Changing an Account

Any account can be easily edited or changed from the User Accounts window.
To change an existing user account
• Click Change an Account in the User Accounts window.
• A window appears asking you which account you want to change.
• The next window (figure below) allows you to change the name on the account, change the picture, change the account type, create a password or delete the account. Make the necessary changes.
• Use the BACK button to return to the original list and make any additional changes.
Changing User Log on / Log off Procedures
You can also select the way users log on and log off.
To change log on and log off options:
• Click Change the way users log on and log off in the User Accounts window.
• You’ll see two checkboxes that allow you to enable the Welcome Screen and Fast User Switching.
Fast User Switching allows you to switch to another user account without closing any programs.
11
Password Management
What is password management?
A set of principles and best practices to be followed by users while storing and managing passwords in an efficient manner, to secure passwords as much as they can and prevent unauthorized access.
COMMON THREATS AGAINST YOUR PASSWORD
Password cracking is the process of breaking passwords in order to gain unauthorized access to a computer or account.
Social Engineering / Phishing – Deceiving users into revealing their username and password (easier than technical hacking).
✓ Usually by pretending to be an IT help desk agent or a legitimate organization such as a bank.
✓ DO NOT EVER SHARE YOUR PASSWORDS, sensitive data, or confidential banking details on sites accessed through links in emails.
Guessing – method of gaining access to an account by attempting to authenticate using computers, dictionaries, or large word lists.
✓ Brute force – uses every possible combination of characters to retrieve a password.
✓ Dictionary attack – uses every word in a dictionary of common words to identify the password.
WHAT MAKES A PASSWORD SAFE?
Strong passwords:
❖ are a minimum of 8 characters in length; 12 characters or more is highly recommended.
❖ contain special characters such as @#$%^& and/or numbers.
❖ use a variation of upper and lower case letters.
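The three rules above, plus the dictionary-attack threat from the previous slide, translate directly into a policy check. The block below is an added example (not code from the slides or from the presenting group): it reports every rule a candidate password breaks and also rejects passwords whose letters spell a word from a denylist, which is the defence against the dictionary attack described earlier. The denylist is a small constructed sample; a real deployment would load a large breached-password list.

```python
"""Password policy check following the slides' rules, plus a common-password denylist.

Added example; not code from the original slides. COMMON_PASSWORDS is a constructed
sample standing in for a full breached-password list.
"""
import string
from typing import List

MIN_LENGTH = 8
RECOMMENDED_LENGTH = 12
SPECIAL = set(string.punctuation)  # includes the @#$%^& characters the slide names
# Constructed sample of words a dictionary attack would try first.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in SPECIAL for c in pw) and not any(c.isdigit() for c in pw):
        problems.append("needs a special character and/or a digit")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lower-case letters")
    # Dictionary-attack defence: "Password1!" still spells "password", so compare the
    # letters-only core as well as the whole string, case-insensitively.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("appears in a list of common passwords")
    return problems

def strength_note(pw: str) -> str:
    """Pass/fail summary that also carries the slides' 12+ character recommendation."""
    problems = check_password(pw)
    if problems:
        return "weak: " + "; ".join(problems)
    if len(pw) < RECOMMENDED_LENGTH:
        return f"acceptable, but {RECOMMENDED_LENGTH}+ characters is recommended"
    return "strong"

if __name__ == "__main__":
    for candidate in ("abc", "Password1!", "Xy9#abcd", "Tr0ub4dor&3x"):
        print(f"{candidate!r}: {strength_note(candidate)}")
```

Returning the full list of violations rather than the first one lets a sign-up form tell the user everything to fix at once; the denylist check runs on the letters-only core so that the usual "capitalise the first letter, append a digit and a symbol" tweaks do not rescue a dictionary word.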
Password Managers
Generally, there are two primary types of password managers:
❑ Personal Password Managers: These manage passwords for individual users/employees for access to various applications and services.
❑ Privileged Password Managers: These specialized enterprise solutions secure and manage privileged credentials from a centralized, enterprise-wide password safe. Privileged credentials are the organization’s most sensitive secrets, providing privileged access for user accounts, applications, and systems. These are generally paired with privileged session management and are a core component of an enterprise privileged account management platform.
12
Point to point Authentication
What is Point to point Authentication?
Point-to-Point Protocol (PPP) is a communication protocol of the data link layer that is used to transmit multiprotocol data between two directly connected (point-to-point) computers. It is a byte-oriented protocol that is widely used in broadband communications having heavy loads and high speeds. Since it is a data link layer protocol, data is transmitted in frames. It is defined in RFC 1661.
Services Provided by PPP
The main services provided by Point-to-Point Protocol are
• Defining the frame format of the data to be transmitted.
• Defining the procedure of establishing a link between two points and exchange of data.
• Stating the method of encapsulation of network layer data in the frame.
• Stating authentication rules of the communicating devices.
• Providing address for network communication.
• Providing connections over multiple links.
• Supporting a variety of network layer protocols by providing a range of services.
Components of PPP
Point-to-Point Protocol is a layered protocol having three components
• Encapsulation Component − It encapsulates the datagram so that it can be transmitted over the specified physical layer.
• Link Control Protocol (LCP) − It is responsible for establishing, configuring, testing, maintaining and terminating links for transmission. It also imparts negotiation for set up of options and use of features by the two endpoints of the links.
• Authentication Protocols (AP) − These protocols authenticate endpoints for use of services. The two authentication protocols of PPP are −
✓ Password Authentication Protocol (PAP)
✓ Challenge Handshake Authentication Protocol (CHAP)
• Network Control Protocols (NCPs) − These protocols are used for negotiating the
parameters and facilities for the network layer. For every higher-layer protocol
supported by PPP, one NCP is there. Some of the NCPs of PPP are −
✓ Internet Protocol Control Protocol (IPCP)
✓ OSI Network Layer Control Protocol (OSINLCP)
✓ Internetwork Packet Exchange Control Protocol (IPXCP)
✓ DECnet Phase IV Control Protocol (DNCP)
✓ NetBIOS Frames Control Protocol (NBFCP)
✓ IPv6 Control Protocol (IPV6CP)
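The Authentication Protocols component above names PAP and CHAP without showing how they differ. PAP sends the password itself across the link; CHAP (RFC 1994) instead has the authenticator send a random challenge and the peer return MD5(Identifier || secret || Challenge), so the secret never crosses the wire and a captured response is useless against a fresh challenge. The block below is an added example (not code from the slides or from the presenting group) that plays both sides of that three-step exchange. The peer name, shared secret and fixed challenge used in the test are constructed; a real authenticator draws a fresh challenge per handshake with os.urandom.

```python
"""CHAP three-way handshake (RFC 1994): challenge, response, success/failure.

Added example; not code from the original slides. Peer names, secrets and the
fixed challenge used in the demo are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || secret || Challenge), as RFC 1994 specifies."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """The side that holds the secret database and issues challenges."""
    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets          # peer name -> shared secret
        self.pending: Dict[int, bytes] = {}  # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self, challenge: Optional[bytes] = None) -> Tuple[int, bytes]:
        """Step 1: send an Identifier and a random Challenge to the peer."""
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        chal = challenge if challenge is not None else os.urandom(16)
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash from the stored secret and compare in constant time.
        The challenge is consumed on first use, so replaying a captured response fails."""
        chal = self.pending.pop(ident, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)

class Peer:
    """The side being authenticated; it proves knowledge of the secret without sending it."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> Tuple[int, str, bytes]:
        """Step 2: return Identifier, Name and the Response value."""
        return ident, self.name, chap_response(ident, self.secret, challenge)

def run_handshake(auth: Authenticator, peer: Peer, challenge: Optional[bytes] = None) -> bool:
    """Drive one full exchange and return the authenticator's Success/Failure decision."""
    ident, chal = auth.challenge(challenge)
    ident, name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)

if __name__ == "__main__":
    # Constructed shared secret; in practice provisioned out of band on both ends.
    auth = Authenticator({"router-a": b"s3cr3t-shared"})
    print(run_handshake(auth, Peer("router-a", b"s3cr3t-shared")))  # True
    print(run_handshake(auth, Peer("router-a", b"wrong-secret")))   # False
```

Because the secret must be recoverable on the authenticator side (it is hashed together with the challenge, not stored as a one-way hash), the secret database is the sensitive asset in a CHAP deployment and belongs in the kind of privileged password safe the password-manager slide describes.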
PPP Frame
PPP is a byte-oriented protocol where each field of the frame is composed of one or more bytes. The fields of a PPP frame are −
• Flag − 1 byte that marks the beginning and the end of the frame. The bit pattern of the flag is 01111110.
• Address − 1 byte which is set to 11111111 in case of broadcast.
• Control − 1 byte set to a constant value of 11000000.
• Protocol − 1 or 2 bytes that define the type of data contained in the payload field.
• Payload − This carries the data from the network layer. The maximum length of the payload field is 1500 bytes. However, this may be negotiated between the endpoints of communication.
• FCS − It is a 2 byte or 4 bytes frame check sequence for error detection. The standard code used is CRC (cyclic redundancy code).
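The field list above is easiest to understand by building and parsing one frame. The block below is an added example (not code from the slides or from the presenting group): it assembles a frame with the 16-bit FCS from RFC 1662 and parses one back, reporting whether the FCS verifies and handling the 1-byte compressed Protocol field. RFC 1661 gives the Address field as 0xFF and the Control field as 0x03 (binary 00000011), and those are the values the parser checks. The LCP payload is constructed; byte stuffing of 0x7E/0x7D for serial lines is left out.

```python
"""Build and parse a PPP frame (RFC 1661) with the 16-bit FCS of RFC 1662.

Added example; not code from the original slides. The LCP payload in the demo is
constructed. Byte stuffing for serial links is omitted.
"""
from typing import Dict

FLAG, ADDRESS, CONTROL = 0x7E, 0xFF, 0x03   # RFC 1661 field values
FCS_INIT, FCS_GOOD = 0xFFFF, 0xF0B8         # RFC 1662 FCS-16 constants

def fcs16(data: bytes) -> int:
    """RFC 1662 FCS-16 (reflected CRC-16, polynomial 0x8408), bit-serial form."""
    fcs = FCS_INIT
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def build_frame(protocol: int, payload: bytes) -> bytes:
    """Flag | Address | Control | Protocol(2) | Payload | FCS(2, low byte first) | Flag."""
    body = bytes([ADDRESS, CONTROL]) + protocol.to_bytes(2, "big") + payload
    fcs = fcs16(body) ^ 0xFFFF               # transmitted value is the ones' complement
    return bytes([FLAG]) + body + fcs.to_bytes(2, "little") + bytes([FLAG])

def parse_frame(frame: bytes) -> Dict[str, object]:
    """Split a frame into fields and report whether the FCS verifies.
    Framing errors raise ValueError; a bad FCS is reported rather than raised so a
    receiver can count and log corrupted frames instead of aborting."""
    if len(frame) < 7 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag byte(s)")
    body = frame[1:-1]
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected address/control field")
    # Protocol-field compression (RFC 1661 section 6.5): a single odd byte is a 1-byte protocol,
    # since the first octet of a 2-byte protocol value is always even.
    if body[2] & 1:
        protocol, payload_start = body[2], 3
    else:
        protocol, payload_start = int.from_bytes(body[2:4], "big"), 4
    payload, fcs_bytes = body[payload_start:-2], body[-2:]
    # Running the CRC over the body including its FCS yields the constant 0xF0B8 when intact.
    return {
        "protocol": protocol,
        "payload": payload,
        "fcs": int.from_bytes(fcs_bytes, "little"),
        "fcs_ok": fcs16(body) == FCS_GOOD,
    }

if __name__ == "__main__":
    # Constructed LCP (protocol 0xC021) Configure-Request with no options: code 1, id 1, length 4.
    frame = build_frame(0xC021, bytes([0x01, 0x01, 0x00, 0x04]))
    print(frame.hex())
    print(parse_frame(frame))
    damaged = bytearray(frame)
    damaged[5] ^= 0xFF                       # flip one payload byte in transit
    print(parse_frame(bytes(damaged))["fcs_ok"])   # False
```

The FCS only detects accidental corruption; it is not an integrity check against a deliberate modification, which is why link authentication (PAP/CHAP) and any confidentiality have to come from the higher protocol layers rather than from the frame format.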
