
Identity & Access Management

Pablo Mena, Identity & Access Management Specialist


Angélica Salas, Application Security Consultant

SkillsBuild Partner
JUNE, 2023
CompTIA Security+
❑ How often does the certification expire?
❑ How can it be renewed?
❑ What is the passing score?
❑ How many questions are there?
❑ How are the questions distributed by content area?
❑ Which platform is the exam taken on?
❑ How long does the exam last?
❑ IT Certification Roadmap

CompTIA Security+
❑ The credential remains valid for 3 years from the date the exam is passed.

(Release) Security+ SY0-601 > 12 November 2020


(Release) CompTIA Security+ SY0-501 > 2017

Renewal Exam Details Roadmap

“ Identity and Access Management is a fundamental and critical
cybersecurity capability, to ensure the right people and things have the
right access to the right resources at the right time”

- NIST (National Institute of Standards & Technology)

What is Identity & Access Management?

Cybersecurity discipline dedicated to managing user identities and access permissions on a computer network.

Allows access control to multi-cloud environments (on-premises, remote, and cloud-based (SaaS) apps and data sources).

Identity management
⧫ Establishing unique identities and associated authentication credentials.
⧫ Onboarding these identities into target applications, systems, and platforms.
⧫ Provisioning and de-provisioning new user accounts.
⧫ Managing identity data and credentials (e.g., self-service password reset).
⧫ Creating workflow processes for approving account creation and modification.
⧫ Providing the ability to modify, suspend, or remove accounts.
⧫ Auditing and reporting user identity information.

Access management
⧫ Providing the capability to request specific entitlements and/or roles.
⧫ Implementing workflow processes for approving the granting of entitlements and/or roles to an identity.
⧫ Providing the ability to modify or remove the entitlements and/or roles assigned to a user.
⧫ Managing the association of entitlements to roles.
⧫ Associating entitlements and roles to job functions.
⧫ Providing the ability to review, remove, approve, and certify the entitlements and/or roles assigned to users.
⧫ Providing the ability to review and audit historical access associated with an identity.
DIGITAL IDENTITY

How are USERS identified in a system?

Identity management typically consists of the following processes:

• Network and application access control
• Authentication
• Identity governance
• Single sign-on (SSO)
• Identity analytics
• Password management

Identification: Claiming to be an identity when attempting to access a secured area or system.

Authentication: Proving that you are that identity.

Authorization: Defining the permissions (i.e., allow/grant and/or deny) of a resource and object access for a specific identity.

Auditing: Recording a log of the events and activities related to the system and subjects.

Accounting (aka accountability): Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions.

What is Two-Factor Authentication (2FA)?
What is Multi-Factor Authentication (MFA)?
What is Single Sign-On (SSO)?

What is the Difference between 2FA, MFA, and SSO?

SSO is all about users gaining access to their resources with a single sign-on authentication. Two-factor authentication uses just two of these methods to verify and authorize a user's login attempts, whereas MFA uses two or more of these checkpoints.

MFA factors and attributes
Factors
• Something you know, such as passwords, PINs,
or even secret locks.
• Something you have, such as a key or smart card.
• Something you are, such as biometric verification
(fingerprint, retina scan, or voice recognition).

Attributes
• Somewhere you are, like geolocation
• Something you can do, like gestures or touches.
• Something you exhibit, like the way you walk.
• Someone you know, like a web of trust in
certificates

Authentication methods

• Directory services
• Federation
• Time-based one-time password (TOTP)
• HMAC-based one-time password (HOTP)
• Short message services (SMS)
• Static codes
• Authentication applications
• Push notifications
• Phone call
• Smart card authentication

Technologies

• Attestation
• Token key
Cloud vs. On-premise authentication

Cloud-based security
• Third-party can manage the platform
• Centralized platform
• Automation options with API integration
• May include additional options (for a cost)

On-premise authentication system
• Internal monitoring and management
• Requires internal expertise
• External access must be granted and managed

Biometrics

Fingerprint Retina Iris

Facial Voice Vein

Gait analysis

Efficacy rates

• False acceptance rate
• False rejection rate
• Crossover error rate

If you set the threshold so that no legitimate user ever has trouble during a scan, some unauthorized users will be accepted (false positives), because with the threshold placed there their scores fall on the wrong side of the curve and the system interprets them as matches.
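The threshold trade-off above, as an added example that is not part of the slides: constructed match scores for legitimate users and impostors, the false acceptance rate (FAR) and false rejection rate (FRR) at a given threshold, the FAR paid for a threshold that rejects nobody, and a sweep to find the crossover error rate (CER).

```python
# Constructed sample data (not real biometric output): a higher score means the
# scan matched the enrolled template more closely.
GENUINE = [0.62, 0.70, 0.74, 0.78, 0.81, 0.84, 0.86, 0.89, 0.92, 0.95]   # legitimate users
IMPOSTOR = [0.21, 0.30, 0.38, 0.45, 0.52, 0.58, 0.63, 0.69, 0.73, 0.79]  # unauthorized users


def far(impostor, threshold):
    """False acceptance rate: share of impostor scans whose score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine, threshold):
    """False rejection rate: share of legitimate scans whose score falls below it."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far_when_no_user_is_rejected(genuine, impostor):
    """Lowest threshold that accepts every legitimate user (FRR = 0), and the FAR
    that setting costs. This is the slide's point: driving FRR to zero lets some
    impostors through."""
    threshold = min(genuine)
    return threshold, far(impostor, threshold)


def crossover(genuine, impostor, steps=100):
    """Sweep thresholds from 0 to 1 and return (threshold, rate) where FAR and FRR
    are closest to each other; that rate is the crossover error rate (CER)."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < best[2]:
            best = (t, (a + r) / 2, abs(a - r))
    return best[0], best[1]


if __name__ == "__main__":
    t0, a0 = far_when_no_user_is_rejected(GENUINE, IMPOSTOR)
    print(f"threshold {t0:.2f}: FRR 0.00, FAR {a0:.2f}")
    t, cer = crossover(GENUINE, IMPOSTOR)
    print(f"CER {cer:.2f} at threshold {t:.2f}")
```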

Account policies

• Password complexity
• Password history
• Password reuse
• Network location
• Time of day
• Geofencing
• Geotagging
• Geolocation
• Time-based logins
• Access policies
• Account permissions
• Account audits
• Impossible travel time/risky login
• Lockout
• Disablement

Password management in Microsoft Windows
Account types

User account
Account credentials of a single individual. Each user is generally given a user ID—a unique
alphanumeric identifier they will use to identify themselves when logging in or accessing the
system.

Shared and generic accounts/credentials
Exist only to provide a specific set of functionalities, such as in a PC running in kiosk mode, with a browser limited to accessing specific sites as an information display. Not able to trace the activity to a user.

Guest accounts
Used on corporate networks to provide visitors access to the Internet and to some common
corporate resources, such as projectors, printers in a conference room

Service accounts

Used to run processes that do not require human intervention to start, stop, or administer
User account provisioning and de-provisioning
• Adding, removing, and updating individuals and their roles in a system
• Assigning levels of access to individuals or groups of individuals

Protecting the sensitive data within the system and
securing the system itself.

Defense in Depth Model

Access control scheme

Access is the ability of a subject (such as an individual or a process running on a computer system) to interact with an object.

ACL is nothing more than a list that contains the subjects that have access rights to a particular object. The list identifies not only the subject, but the specific access granted to the subject for the object.

Access Control List

Object Subject
Access control schemes

• Attribute-based access control (ABAC)
• Role-based access control (RBAC)
• Rule-based access control (RBAC)
• MAC
• Discretionary Access Control (DAC)
• Privilege access management
• Conditional access
• Filesystem permissions

Outgoing Traffic Incoming Traffic

Importance of policies to organizational security

Personnel
• Acceptable use policy
• Job rotation
• Mandatory vacation
• Separation of duties
• Least privilege
• Clean desk space
• Background checks
• Non-disclosure agreement (NDA)
• Social media analysis
• Onboarding
• Offboarding
• User training

IAM tools
