---
title: "CISSP Domain 5: Identity and Access Management (IAM)"
description: "CISSP Domain 5: Identity and Access Management (IAM)"
keywords: "CISSP, Domain 5, Identity, Access Management, IAM"
author: "diabee"
date: "2025-01-21"
---

## CISSP Domain 5: Identity and Access Management (IAM)

### Manage the identity and access provisioning lifecycle (5.5)

Core scope of Domain 2 + Domain 5: authentication and authorization.

#### The Identity Life Cycle

![image](https://hackmd.io/_uploads/B10DucBQJe.png)

- A subject wants to use an object.
- That use has to be conditional and controlled. The thing that controls it is the reference monitor: authentication, authorization and accounting.
- Before authentication there is identification, which gives IAAA. IT only talks about AA; security talks about IAAA.

![image](https://hackmd.io/_uploads/rkJYOcBm1l.png)

- Identify the identity.
- This figure is the complete access control lifecycle:
  - New Identity Request: request a new account
  - Identity Provisioning: create the account
  - Access Privileges: assign permissions
    - Least privilege
    - Need to know: the need is justified and the level/clearance is sufficient
  - Pre-Access Attempt: trust but verify; the authorization is checked again before the access
    - Why zero trust: a trusted credential or session can be stolen and then the data leaks, so verify before each access; one access may consist of several actions
  - Accounting: covered by the blue stages in the figure. Failed authentications and failed accesses are logged, and so are account creation and privilege grants.
- The second half is the interesting part: Trigger
  - User Behavior Review (UBA, user behaviour analytics): the user does something outside the scope of their role

![image](https://hackmd.io/_uploads/BJ25dqHXkg.png)

  - Review the JD (job duties) and correct the authorization: need to know (level sufficient, need reasonable)
  - If the access really cannot be justified: Revoke, i.e. disable and deprovision
- Exam tip for the CISSP: when a question gives you something concrete, abstract it; when it gives you something abstract, make it concrete.

#### Access Control: The Basics

![image](https://hackmd.io/_uploads/HJEnucr71l.png)

- Broadly speaking, a subject is a kind of object.

### Control physical and logical access to assets (5.1)

#### Logical Access Control Systems

- Automated systems (the computing environment):
  - Authorize or deny use for an individual user (authorization)
  - Authorize or permit an individual user
  - Are based on a user having an identity registered with and approved by the system
  - Use information system resources
  - Grant instances of the permissions on file for the identity

#### Physical Access Control Systems (PACS) (Domain 7)

- Entry control (door access)
- Manage movement of people, equipment, or property
- Facility considerations:
  - Buildings, rooms, surrounding landscape, vehicle areas
  - Within enclosures, cabinets, racks, wiring closets
- Based on authentication of identity
- Authorized by assigned privileges

### Manage Identification and Authentication of People, Devices and Services (5.2)

#### Identification, Authentication, Authorization and Accountability

- Authentication factors
  - SFA
  - 2FA/MFA

![image](https://hackmd.io/_uploads/BJYLF5rQ1e.png)

- What counts toward the factor tally is how many independent verifications you perform to get authorized.
- The example below is a grey area: scanning a QR code with your phone to log in to LINE involves two actions, but with different purposes. One unlocks the phone; the other authenticates the LINE login.

#### IAAA implements CIANA+PS

- IAAA:
  - Identification and Authentication
  - Authorization and Accountability
- CIANA+PS:
  - Confidentiality, integrity, availability, non-repudiation and authenticity
  - Plus privacy and safety
- Providing this confidence requires:
  - Identity management solutions that create and prove user identities, then manage the privileges associated with them.
  - Authentication controls that restrict system access to valid identities only.
  - Authorization controls that only allow authenticated, trusted identities to use trusted tools or processes to perform the actions allowed by the permissions granted to those identities.

#### IAM Administration Choices

![image](https://hackmd.io/_uploads/HkiVt9rQJg.png)

- Centralized: a logon domain; one credential works on every machine in the domain
- Decentralized
- Hybrid
- Trade-offs: data consistency, responsiveness, security

#### The Identity Store

- An identity store:
  - Simplifies credential maintenance
  - Reduces the burden on users to manage multiple credentials
  - Standardizes identity services across environments, e.g. Active Directory, Kerberos, RADIUS, LDAP, OAuth/OAuth 2.0, SAML, OpenID, OpenID Connect, and WebAuthn (FIDO2)

#### Credential Management Systems

![image](https://hackmd.io/_uploads/rkRGY5H7Jx.png)

- The multiverse of authentication credentials
- Left side: authentication
- Right side: authentication

#### Identity Assurance Levels

- IAL1
  - Self-asserted
  - e.g. a Google account
- IAL2
  - Remote or in-person identity proofing is required
  - e.g. requesting an account on the corporate intranet
- IAL3
  - In-person proofing with verification by an authorized CSP representative
  - Examination of physical documentation
  - e.g. opening a bank account

#### Account Access Review: Periodic and Event-Driven

- Done periodically (e.g. once a year) and as an audit practice
- Identify discrepancies between assigned roles/permissions and recent usage to find:
  - Inactive accounts that should be revoked
  - User accounts with excessive permissions
  - Users lacking needed permissions
  - Excessive use of permissions (beyond the JD; abuse of privilege)
  - Excessive requests for elevation or additional privileges (level; over-requesting)
  - Other anomalies

#### Single-Factor vs. Multi-Factor Authentication

- Standard factors
  - Something you know
  - Something you have
  - Something you are
- Single-factor authentication (SFA)
  - One type of factor
- Multi-factor authentication (MFA)
  - More than one type of factor

### Implement and manage authorization mechanisms (5.4)

#### Access Control System

![image](https://hackmd.io/_uploads/H1vnF9HQyg.png)

- The answer to this question is debatable.

![image](https://hackmd.io/_uploads/HkXTt9H7ye.png)

- If the object is a file, it has an owner, and the owner designs the ACL.
- DAC carries out the owner's wishes (discretionary); the ACL is designed on a need-to-know basis.
- Anything that is not DAC is NDAC: the owner does not decide.

![image](https://hackmd.io/_uploads/HkQAtcBX1e.png)

- Classification
- An access control system should consider three abstractions:
  - Access control policies: high-level requirements
  - Models (Domain 3): how to design enforcement of the AC policies (designed from the policies)
  - Mechanisms: implement the AC policies or models (implement the first two)

#### Access Control Policies

- AC policies are high-level access control requirements
- Two well-known AC policies:
  - Discretionary Access Control (DAC)
  - Non-Discretionary Access Control (NDAC)

#### Access Control Policies (DAC)

- The privileges for accessing objects are decided by the owner of the object
- Not a system-wide policy that reflects the organization's security requirements
- Identity-based
- Common mechanism: ACLs (descended from the access control matrix, ACM)
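Going back to the Account Access Review section above: the findings it lists (inactive accounts, excess permissions, use of ungranted permissions, over-requesting elevation) are exactly what a periodic review script has to derive by joining the directory's grants against the audit trail. The block below is an added example, not part of the original notes; the account export, the audit events, and the thresholds (90 idle days, more than 3 elevation requests) are constructed assumptions standing in for a directory export and a SIEM query.

```python
"""Periodic account access review over constructed sample data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed directory export: who holds which permissions, and last logon.
ACCOUNTS = {
    "alice":      {"perms": {"hr.read", "hr.write"},
                   "last_login": "2025-01-15T09:00:00"},
    "bob":        {"perms": {"finance.read", "finance.approve", "hr.read"},
                   "last_login": "2025-01-18T11:30:00"},
    "carol":      {"perms": {"finance.read"},
                   "last_login": "2024-09-01T08:00:00"},
    "svc-backup": {"perms": {"backup.run"},
                   "last_login": "2025-01-20T02:00:00"},
}

# Constructed audit trail for the review window: (time, user, event, detail).
EVENTS = [
    ("2025-01-15T09:01:00", "alice", "use", "hr.read"),
    ("2025-01-16T10:00:00", "alice", "use", "hr.read"),
    ("2025-01-18T11:31:00", "bob", "use", "finance.approve"),
    ("2025-01-18T11:40:00", "bob", "use", "finance.approve"),
    ("2025-01-19T09:00:00", "bob", "use", "payroll.read"),   # never granted
    ("2025-01-19T09:05:00", "bob", "elevate", "domain-admin"),
    ("2025-01-19T09:06:00", "bob", "elevate", "domain-admin"),
    ("2025-01-19T09:07:00", "bob", "elevate", "domain-admin"),
    ("2025-01-19T09:08:00", "bob", "elevate", "domain-admin"),
    ("2025-01-20T02:00:00", "svc-backup", "use", "backup.run"),
]


def review_accounts(accounts, events, now, inactive_days=90, elevation_limit=3):
    """Compare granted privileges with observed usage and return findings."""
    now = datetime.fromisoformat(now)
    used = defaultdict(set)        # user -> permissions actually exercised
    ungranted = defaultdict(set)   # user -> permissions exercised but never granted
    elevations = Counter()         # user -> number of elevation requests

    for _ts, user, kind, detail in events:
        if kind == "use":
            used[user].add(detail)
            if detail not in accounts.get(user, {}).get("perms", set()):
                ungranted[user].add(detail)
        elif kind == "elevate":
            elevations[user] += 1

    findings = {"inactive": [], "unused_permissions": {},
                "ungranted_use": {}, "excessive_elevation": {}}

    for user, record in sorted(accounts.items()):
        idle = now - datetime.fromisoformat(record["last_login"])
        if idle > timedelta(days=inactive_days):
            findings["inactive"].append(user)      # candidate for disable/deprovision
            continue                               # its unused permissions are moot
        unused = record["perms"] - used[user]
        if unused:                                 # granted but never exercised: excess
            findings["unused_permissions"][user] = sorted(unused)

    for user, perms in ungranted.items():          # exercised without a grant: anomaly
        findings["ungranted_use"][user] = sorted(perms)
    for user, count in elevations.items():
        if count > elevation_limit:                # over-requesting elevation
            findings["excessive_elevation"][user] = count
    return findings


if __name__ == "__main__":
    for category, items in review_accounts(ACCOUNTS, EVENTS, "2025-01-21T00:00:00").items():
        print(f"{category}: {items}")
```

The review deliberately reports a permission as "unused" rather than revoking it: the next step in the lifecycle is the JD review, which decides whether the grant is still justified or should be revoked.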
#### Access Control Policies (NDAC)

- Establishes controls that cannot be changed by users, only through administrative action
- Rule-based Access Control (RuBAC)
- Well-known NDAC policies (mechanisms):
  - Role-Based Access Control (RBAC)
  - Attribute-Based Access Control (ABAC)
  - Risk-Based Access Control
  - Mandatory Access Control (MAC)
- The DAC/NDAC split comes down to whether the owner gets to decide everything.

#### Rule-Based Access Control (RuBAC)

- Access is based on a list of predefined rules that determine what access should be granted
- The rules, created or authorized by system owners, specify the privileges granted to users when the specific condition of a rule is met

#### Role-Based Access Control (RBAC)

![image](https://hackmd.io/_uploads/Hkqkc9SXJe.png)

- Bases access control authorizations on roles, or functions, assigned to a user
- Which roles have access to a resource can be governed by the owner of the data or applied based on policy
- Design idea: instead of assigning permissions directly to the subject, put an intermediate permission set in between. That permission set is the role.

#### Attribute-Based Access Control (ABAC) (AWS)

![image](https://hackmd.io/_uploads/B1Ce5qHX1l.png)

- Attributes: anything you can name counts: device, person, object, network
  - Subject
  - Object
  - Environmental
- Suits cloud environments, which are large and complex

#### Risk-Based Access Control (finance)

- Provides administrators a variety of parameters to raise or lower the filter thresholds used to screen access requests
- Example application:
  - Configured to use two-factor authentication in low-risk, stable circumstances
  - Add additional challenges or filters as external risk conditions increase
- Basically a threshold concept: when a card payment is declined, it is declined because of risk.
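The policy types above are easiest to compare when they are written as the decision functions a reference monitor would call. The block below is an added example, not from the original notes or any product: it evaluates DAC (owner ACL), RBAC (role as permission set), ABAC (subject, object and environment attributes), a risk-based gate, and the Bell-LaPadula label check that the MAC section below describes, and composes them so that every applicable policy must allow the action. Subjects, objects, roles, labels, the ABAC rule and the risk threshold are constructed assumptions.

```python
"""A small reference monitor evaluating DAC, RBAC, ABAC, risk-based and MAC rules."""
from dataclasses import dataclass, field

# MAC labels in ascending sensitivity; assigned by the security administrator.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# RBAC: the role is the intermediate permission set between subject and permission.
ROLE_PERMS = {"analyst": {"read"}, "editor": {"read", "write"}}


@dataclass
class Subject:
    name: str
    roles: set
    clearance: str
    attrs: dict = field(default_factory=dict)


@dataclass
class Object:
    name: str
    owner: str
    label: str
    acl: dict = field(default_factory=dict)    # DAC: subject name -> allowed actions
    attrs: dict = field(default_factory=dict)


def dac(subject, obj, action):
    """Discretionary: the owner may do anything; everyone else needs an ACL entry."""
    return subject.name == obj.owner or action in obj.acl.get(subject.name, set())


def rbac(subject, action):
    """Non-discretionary: permission flows only through an assigned role."""
    return any(action in ROLE_PERMS.get(role, set()) for role in subject.roles)


def abac(subject, obj, env):
    """Attributes of subject, object and environment combined in one (constructed) rule:
    same department as the object, from the corporate network, during office hours."""
    return (subject.attrs.get("department") == obj.attrs.get("department")
            and env.get("network") == "corp"
            and 8 <= env.get("hour", 0) < 18)


def risk_gate(env, threshold=0.7):
    """Risk-based: above the threshold, the extra challenge (MFA) becomes mandatory."""
    return env.get("risk", 0.0) <= threshold or env.get("mfa", False)


def mac_blp(subject, obj, action):
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    clearance, label = LEVELS[subject.clearance], LEVELS[obj.label]
    if action == "read":
        return clearance >= label
    if action == "write":
        return clearance <= label
    return False


def decide(subject, obj, action, env):
    """Reference monitor: every applicable policy must allow the action.
    Returns (decision, name of the first policy that denied or None)."""
    checks = [
        ("mac", mac_blp(subject, obj, action)),   # mandatory rules first
        ("rbac", rbac(subject, action)),
        ("abac", abac(subject, obj, env)),
        ("risk", risk_gate(env)),
        ("dac", dac(subject, obj, action)),       # the owner's wishes last
    ]
    for name, ok in checks:
        if not ok:
            return False, name
    return True, None


# Constructed sample data.
ALICE = Subject("alice", {"editor"}, "secret", {"department": "finance"})
BOB = Subject("bob", {"analyst"}, "confidential", {"department": "finance"})
REPORT = Object("q4-report", owner="alice", label="confidential",
                acl={"bob": {"read"}}, attrs={"department": "finance"})
OFFICE = {"network": "corp", "hour": 10, "risk": 0.2}

if __name__ == "__main__":
    print(decide(BOB, REPORT, "read", OFFICE))                      # (True, None)
    print(decide(BOB, REPORT, "write", OFFICE))                     # (False, 'rbac')
    print(decide(ALICE, REPORT, "write", OFFICE))                   # (False, 'mac')
    print(decide(BOB, REPORT, "read", {**OFFICE, "risk": 0.9}))    # (False, 'risk')
```

Note the third call: Alice owns the report, so DAC would let her write it, but she holds a secret clearance and the object is labelled confidential, so the *-property (no write down) denies it first. That is the practical meaning of "the owner does not decide" under NDAC.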
#### Access Control Policies (MAC)

- Pre-defined access control policy decisions are made by a central authority
- Military security is the classic example of MAC
- Well-known MAC security models (Domain 3):
  - Bell-LaPadula (BLP)
  - Biba
- Mechanism: labels

![image](https://hackmd.io/_uploads/BJLm95HXkl.png)

- With plain label matching you may only access objects whose level is the same as yours.
- BLP and Biba become meaningful when use crosses security levels.
- The security administrator decides your clearance.
- The object's classification is decided by its owner.
- Windows, Linux and SQL Server are DAC systems (about 70% true).
- SELinux inside Android is MAC.

#### NDAC, MAC, DAC

![image](https://hackmd.io/_uploads/ByIrccBmyg.png)

#### Privilege Escalation (attack)

- Vertical escalation (elevation)
  - Attempt to run applications/services at higher privilege levels than granted to the account
  - Exploits: application/service logic errors, command injection
  - Using functionality you should not have: low privilege becomes high privilege
- Horizontal escalation (lateral movement)
  - Discover, fingerprint, and gain access to other resources (on the LAN or federated)
  - May require elevated privilege
  - Accessing data you should not be able to access, e.g. seeing a colleague's salary
- Phishing is often the ticket to many escalation attacks

#### Session Management (not the OSI session layer)

- A session is one unit of work
  - Start: authentication → token → accounting
  - During: token → access (authorization) → accounting
  - End: clean-up
- Keep track of, and secure, the multiple requests to a service that come from the same subject
- Authentication and authorization
- Session ID (token) generation and management
- Reduces the risk of an existing authorized session being hijacked for unauthorized activity

#### Federated identity with a third-party service (5.3) and Implement authentication systems (5.6)

Integration with other systems.

#### Technologies and Devices

- Single Sign-On (SSO)
- Biometrics (something you are), e.g. fingerprints
- Just-in-Time identity: identity adjusted dynamically
- Federated Identity Management (FIM): across different information systems

#### Single Sign-On (SSO)

![image](https://hackmd.io/_uploads/Hy-Ni9BQJg.png)

1. Users
2. SSO servers
3. Resource servers

#### Kerberos

![image](https://hackmd.io/_uploads/BkiDi5H7yl.png)

1. AS (Authentication Service): the client obtains a TGT (Ticket Granting Ticket)
2. TGS (Ticket Granting Service): the client requests authorization; the TGT is exchanged for a service ticket (in Active Directory the KDC runs on the domain controller)
3. AP (application server exchange): the client presents the service ticket to access the resource
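The start / during / end phases of the Session Management section above map onto a small server-side session store. The block below is an added example, not from the original notes: it issues an unguessable token after authentication, stores only a hash of it, enforces idle and absolute timeouts on every request, rotates the token after a privilege change (the session-fixation defense), and records each event for accounting. The token format, the timeouts and the injected clock are constructed assumptions so that it runs offline and deterministically.

```python
"""Server-side session management: start, during, end, with an accounting trail."""
import hashlib
import secrets


class SessionStore:
    def __init__(self, idle_timeout=900, absolute_timeout=28800):
        self.idle_timeout = idle_timeout          # seconds since last use
        self.absolute_timeout = absolute_timeout  # seconds since authentication
        self._sessions = {}                       # token hash -> session record
        self.accounting = []                      # (time, event, user) audit trail

    @staticmethod
    def _digest(token):
        # Store only a hash: a leaked session table must not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _new_token(self, user, now, created):
        token = secrets.token_urlsafe(32)         # 256 bits from the CSPRNG
        self._sessions[self._digest(token)] = {
            "user": user, "created": created, "last_seen": now}
        return token

    # Start: the subject has authenticated; issue a token and record it.
    def create(self, user, now):
        token = self._new_token(user, now, created=now)
        self.accounting.append((now, "session_start", user))
        return token

    # During: every request presents the token; check expiry, refresh idle timer.
    def validate(self, token, now):
        rec = self._sessions.get(self._digest(token))
        if rec is None:
            self.accounting.append((now, "invalid_token", None))
            return None
        if (now - rec["last_seen"] > self.idle_timeout
                or now - rec["created"] > self.absolute_timeout):
            self._end(token, now, "session_expired")
            return None
        rec["last_seen"] = now
        return rec["user"]

    # During: after a privilege change, swap the token so a token captured or
    # planted earlier (session fixation) cannot ride the new privilege.
    def rotate(self, token, now):
        rec = self._sessions.pop(self._digest(token), None)
        if rec is None:
            return None
        self.accounting.append((now, "session_rotated", rec["user"]))
        return self._new_token(rec["user"], now, created=rec["created"])

    # End: explicit logout or administrative revocation.
    def revoke(self, token, now):
        self._end(token, now, "session_revoked")

    def _end(self, token, now, event):
        rec = self._sessions.pop(self._digest(token), None)
        if rec is not None:
            self.accounting.append((now, event, rec["user"]))

    # End (housekeeping): drop sessions that expired without ever coming back.
    def cleanup(self, now):
        stale = [h for h, r in self._sessions.items()
                 if now - r["last_seen"] > self.idle_timeout
                 or now - r["created"] > self.absolute_timeout]
        for h in stale:
            rec = self._sessions.pop(h)
            self.accounting.append((now, "session_expired", rec["user"]))
        return len(stale)

    def active_count(self):
        return len(self._sessions)
```

The absolute timeout survives rotation on purpose: a rotated session keeps its original `created` time, so re-issuing tokens cannot extend a session indefinitely.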
#### Errors in Access Control

![image](https://hackmd.io/_uploads/H1WK69rmye.png)

https://ycc.idv.tw/confusion-matrix.html (the examples later on that page are reversed)

- Confusion matrix

![image](https://hackmd.io/_uploads/BJmaicSXkg.png)

- A detection has two outcomes: detected (positive) and not detected (negative)
- The right-hand half is the false alarm. False alarms must be kept low so that the accuracy on the left-hand side is high and a true positive actually means something (a statistics concept).
- A number without its context is meaningless.

![image](https://hackmd.io/_uploads/H1lAiqSXJl.png)

- The higher up the chart, the higher the error rate
- Further left is more secure; further right is less secure
- Blue line: the further left, the higher its error rate; Type I error: false alarm (reporting something that is not there)
- Red line: the security level drops as you move right; past a certain point the Type II error dominates: a miss (failing to report something that is there)
- The Crossover Error Rate should be as low as possible; a lower CER means higher accuracy
- Point of view: error = cost
- Memory aids:
  - FRR → Type I error → remember "Reject" → like an iPhone that refuses to unlock for anyone, including you → high security (it blocks everyone)
  - FAR → Type II error → remember "Accept" → like an iPhone that unlocks for someone else's fingerprint → least secure (it lets everyone in)

#### Just-in-Time (JIT) identity

- Identity management problems:
  - Manual ID provisioning
  - Always-on privileged accounts
  - Excess privileges
- JIT addresses all three:
  - Real-time creation and provisioning of human and non-human user identities
  - Granting access at a specific moment in time (for a single transaction or event) with a specific set of privileges
- Use cases
  - Privileged account management (PAM): reduces the attack surface; best practice is a pair of accounts, John (daily use) and John_admin (privileged use, which must be requested)
  - Privileged session management
  - Endpoint privilege management
  - Remote helpdesk
- Attack surface: privileged accounts that exist when you do not need them enlarge the attack surface, and you cannot guarantee they are not abused.

#### Federated Identity Management (FIM)

- FIM is the concept of creating a trust relationship between different security domains
- These trust domains then provide access (verification) using common digital identities (SSO), e.g. logging in with Google or Facebook
- Three components: the client or principal, the service provider (SP) or relying party (RP), e.g. Shopee, and the identity provider (IdP), e.g. Facebook
- Shopee example

![image](https://hackmd.io/_uploads/rJCmhcH7Jg.png)

- Book sample

![image](https://hackmd.io/_uploads/SJt425BQyl.png)

1. The user, Sue, has an account at Any Bank, Inc. and wants to access her account online. Each time she does this, she clicks the "Login" button on their website, which generates an access request to her bank.
2. Any Bank, Inc. sends a verification request to the IdP.
3. The IdP presents Sue with a login ID.
4. Sue provides some identifying credentials to verify her identity, which are sent to the IdP's identity database for verification.
5. This database sends the verification to the IdP.
6. The IdP notifies the bank that the person logging in is, in fact, Sue.
7. The bank allows Sue to log in.

#### SAML and OpenID Connect

![image](https://hackmd.io/_uploads/H10Bn5HXyg.png)

- FIM implemented with SAML
- The SP and the IdP do not know each other and do not talk to each other directly
- The key is the message package, which carries signed assertions
- Three things an assertion conveys: 1. authentication 2. entitlement 3. exchange of security properties
- SAML
  - v2.0, 2005, OASIS
  - SAML is a markup language for making authentication and authorization statements (assertions)
  - Roles: Client, Service Provider (SP), Identity Provider (IdP)
- OpenID Connect (OIDC)
  - v1.0, 2014, OpenID Foundation
  - OIDC runs on top of OAuth 2.0 and adds authentication (verifying the user's identity) to OAuth's authorization
  - Roles: End User, Relying Party (RP), Identity Provider (IdP)

#### Security Assertion Markup Language (SAML)

![image](https://hackmd.io/_uploads/SkQP2cHQ1x.png)

OAuth: authorization only

- An open protocol that allows secure authorization in a simple and standard way from web, mobile and desktop applications
- The major security advantage of OAuth is that the user's password is never shared with the third party (the client); instead the resource owner delegates access by having access tokens issued to the client
- Roles: Client, Resource Owner, Authorization Server, Resource Server
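The FRR/FAR/CER discussion in the Errors in Access Control section above becomes concrete once you sweep a threshold over real match scores. The block below is an added example, not from the original notes: it builds the confusion matrix at a given sensitivity threshold, derives FRR (Type I, false reject) and FAR (Type II, false accept) from it, and finds the crossover. The genuine and impostor match scores are constructed; a real evaluation would use thousands of enrolment/verification pairs from the device under test.

```python
"""FRR, FAR and the crossover error rate from constructed biometric match scores."""

# Constructed match scores (0-100): legitimate users vs. impostors.
GENUINE = [50, 60, 62, 68, 70, 75, 80, 85, 90, 95]
IMPOSTOR = [5, 15, 25, 35, 45, 55, 60, 63, 68, 72]


def confusion(genuine, impostor, threshold):
    """Accept when score >= threshold. Returns the four cells of the matrix."""
    tp = sum(s >= threshold for s in genuine)    # genuine accepted
    fn = len(genuine) - tp                       # genuine rejected: false reject (Type I)
    fp = sum(s >= threshold for s in impostor)   # impostor accepted: false accept (Type II)
    tn = len(impostor) - fp                      # impostor rejected
    return {"TP": tp, "FN": fn, "FP": fp, "TN": tn}


def frr(genuine, impostor, threshold):
    """False rejection rate: share of legitimate attempts turned away."""
    m = confusion(genuine, impostor, threshold)
    return m["FN"] / (m["TP"] + m["FN"])


def far(genuine, impostor, threshold):
    """False acceptance rate: share of impostor attempts let in."""
    m = confusion(genuine, impostor, threshold)
    return m["FP"] / (m["FP"] + m["TN"])


def crossover(genuine, impostor):
    """Sweep the sensitivity threshold; the CER is where FRR and FAR meet.
    Returns (threshold, frr, far) at the point of smallest gap."""
    best = None
    for t in range(0, 101):
        gap = abs(frr(genuine, impostor, t) - far(genuine, impostor, t))
        if best is None or gap < best[0]:
            best = (gap, t)
    t = best[1]
    return t, frr(genuine, impostor, t), far(genuine, impostor, t)


if __name__ == "__main__":
    for t in (55, 63, 70):
        print(f"threshold {t}: FRR={frr(GENUINE, IMPOSTOR, t):.1f} "
              f"FAR={far(GENUINE, IMPOSTOR, t):.1f} {confusion(GENUINE, IMPOSTOR, t)}")
    print("crossover:", crossover(GENUINE, IMPOSTOR))
```

Raising the threshold (more sensitive, further left on the chart) pushes FRR up and FAR down; lowering it does the opposite. The CER is the threshold where the two costs are equal, and a device with a lower CER is the more accurate one.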
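The SAML and OIDC sections above both say the SP/RP and the IdP never talk directly: everything the RP trusts is inside a signed message. The block below is an added example, not from the original notes or any vendor, showing what the RP must check on an OIDC ID token before it believes "this is Sue": signature, issuer, audience, expiry and the nonce bound to the login attempt. Both parties are simulated in one process, and the IdP signs with HS256 over a shared secret so the example runs offline (an assumption; production OpenID Providers use RS256/ES256 with keys published at their JWKS endpoint). The issuer, client id and nonce values are constructed.

```python
"""OIDC-style ID token: issued by a simulated IdP, verified by a relying party."""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    def __init__(self, issuer, key):
        self.issuer, self.key = issuer, key

    def issue_id_token(self, subject, client_id, nonce, now, ttl=300):
        """After authenticating the end user, mint a signed ID token for one RP."""
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": subject, "aud": client_id,
                  "iat": now, "exp": now + ttl, "nonce": nonce}
        signing_input = (b64url(json.dumps(header).encode()) + "."
                         + b64url(json.dumps(claims).encode()))
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)


class RelyingParty:
    def __init__(self, client_id, trusted_issuer, key):
        self.client_id, self.trusted_issuer, self.key = client_id, trusted_issuer, key

    def new_nonce(self):
        # Bound to the user's session before redirecting to the IdP; defeats replay.
        return secrets.token_urlsafe(16)

    def verify_id_token(self, token, expected_nonce, now):
        """Return the claims only if every check passes; otherwise None."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        head, body, sig = parts
        try:
            header = json.loads(b64url_decode(head))
            claims = json.loads(b64url_decode(body))
            given = b64url_decode(sig)
        except ValueError:                                   # bad base64 or JSON
            return None
        if header.get("alg") != "HS256":                     # reject alg=none / confusion
            return None
        expected = hmac.new(self.key, (head + "." + body).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):         # constant-time compare
            return None
        if claims.get("iss") != self.trusted_issuer:         # only the IdP we federated with
            return None
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            return None                                      # token was meant for another RP
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            return None                                      # expired
        if claims.get("nonce") != expected_nonce:            # ties token to this login attempt
            return None
        return claims


def login_flow(idp, rp, user, now):
    """Abstract federated login: RP nonce -> IdP authenticates and issues -> RP verifies."""
    nonce = rp.new_nonce()
    token = idp.issue_id_token(user, rp.client_id, nonce, now)
    return rp.verify_id_token(token, nonce, now + 5)
```

The audience check is the one most often skipped: a valid token issued for a different RP is still a valid token, and without that check one compromised RP can replay its users' tokens at another.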
#### OAuth Process (abstract)

![image](https://hackmd.io/_uploads/Bynh3cSXke.png)

- The client initiates the flow
- When you consent to the authorization (most commonly access to your contacts), the client takes the Authorization Grant to the Authorization Server, exchanges it for an access token, and only then proceeds with the rest of the flow
- Similar to ride-hailing through LINE
- OpenID + OAuth: authentication and authorization

#### Federated Identity with a Third-Party Service

- IDaaS
- The burden of due care and due diligence stays with your organization
- Third-party services:
  - Risk management planning and assessment
  - Security assessment and testing
  - Incident response
  - BCDR planning and support
  - Identity management
  - Delivery of full AC services, including authentication, authorization, and accounting
  - IT systems configuration management and control

#### Review Domain 5

![image](https://hackmd.io/_uploads/HJmq35rXJx.png)

![image](https://hackmd.io/_uploads/SkXsncS7Jx.png)