Identity Management

Identity management refers to all tasks required to create, manage, and delete user identities. During the lifetime of user accounts this includes:

  • adding system access
  • removing system access
  • resetting lost passwords/keys
  • enforcing periodic password/key changes

All of those activities must be logged for audit purposes. Identity management covers not only user access but also authentication for invocations among (micro)services. Common standards for identity management controls are categorized under the identification and authentication category of NIST 800-53. Identity management tools as well as authentication tools are under the control of the security architect and operated by the IT staff (see roles).

Authentication

There are three methods of authentication:

  • Something you know (e.g. password)
  • Something you have (e.g. smart card)
  • Something you are (e.g. fingerprints)

Depending on the security guidelines you are required to use one or more of these methods, e.g. an ATM card combines a magnetic strip (something you have) with a PIN (something you know). Systems can also authenticate to you before asking for something you know. A good example is displaying a pre-selected image before you enter your password; this avoids disclosing your password to an impostor. Another way is a certificate-based approach, which is more secure but also more complicated in terms of infrastructure setup.

Control Gates

To ensure that only legitimate devices connect, there are some methods which can be leveraged:

  • Hardware
    Only pre-registered devices are allowed to connect to a system. This can be especially helpful for usage within service registries.
  • Software
    Accessing software may require several logins because it draws on several platform resources. Users expect a single sign-on to the platform.
    • Kerberos provides one of the best known single sign-on solutions.
    • System-managed credentials, which must be protected on the users' behalf. This is the subject of NIST 800-53 “System and Communications Protection”. A common approach is the usage of certificates, which is why the Security Monkey of the Simian Army checks for expired certificates.

Access Control

Role-based authentication (RBA) is a technique for assigning identifications based on roles rather than identity. Most systems nowadays use this technique, e.g. Linux operating systems (root), Drupal or other systems. The issue with this approach is the missing traceability of individual users, as audit traces are only available per role. There are two fundamental techniques used to control access to resources:

  • Access Control Lists (ACLs)
    A list of users or roles and their allowed operations, attached to a resource (e.g. a file or a database field). When access is requested, the list is examined.
  • Capability
    A token that grants particular rights on a resource. A good analogy is a key and a lock: the capability is the key, the resource maintains the lock. When access is requested, the resource verifies that the token provided with the request contains sufficient privileges for the presenter of that token to be granted access.

Role-based Access Control

Consider an operator who is promoted to a position that no longer requires root access to a server; there are several options for the root password:

  • Leave the root password as is
    resulting in an unauthorized individual knowing the root password
  • Change the root password
    resulting in all of the remaining operators having to learn a new password
  • Role-based access control (RBAC)
    resulting in a role change due to the promotion, including removal of root access.
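As an added example that is not part of the original notes, the following Python sketch contrasts the two access control techniques above and the RBAC option for the promoted operator: an ACL attached to each resource maps roles to operations, a capability is an HMAC-signed token the resource verifies itself, and a role change removes root access without anyone learning a new password. The resource paths, users, roles and the signing key are constructed sample data.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: an ACL is attached to each resource and maps a
# role (not an individual) to the operations that role may perform.
ACL = {
    "/etc/shadow": {"root": {"read", "write"}, "auditor": {"read"}},
    "/var/log/app.log": {"root": {"read", "write"}, "operator": {"read"}},
}
ROLES = {"alice": "operator", "bob": "root"}  # user -> role (constructed)
AUDIT_LOG = []  # each decision is recorded with user AND role for traceability


def acl_allows(user, resource, op):
    """ACL check: resolve the user's role, then examine the list on the resource."""
    role = ROLES.get(user)
    allowed = op in ACL.get(resource, {}).get(role, set())
    AUDIT_LOG.append((user, role, resource, op, allowed))
    return allowed


def change_role(user, new_role):
    """RBAC: the promotion is a role change; no root password is rotated or shared."""
    ROLES[user] = new_role


# Capability check: the resource holds the key (the "lock"); the token (the "key")
# carries the granted rights plus an HMAC so the resource can detect tampering.
ISSUER_KEY = b"constructed-demo-key"  # hypothetical; would live in an HSM/KMS in practice
TAG_LEN = hashlib.sha256().digest_size


def issue_capability(resource, rights):
    payload = json.dumps({"resource": resource, "rights": sorted(rights)}).encode()
    tag = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def capability_allows(token, resource, op):
    try:
        raw = base64.urlsafe_b64decode(token)
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # forged or altered token: the lock rejects the key
        claim = json.loads(payload)
        return claim["resource"] == resource and op in claim["rights"]
    except (ValueError, KeyError):
        return False  # malformed token is denied rather than raising
```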

Role-based access control is complicated within larger companies as it requires a uniform definition of roles across the organization. Many large organizations have similar, but different, roles in different positions of the organization.