
Sean Mackert


What is Identity and Access Management (IAM)?

Identity and access management, also known as IAM, is the application of policies, procedures, and technologies with the purpose of protecting data.

The IAM framework allows an organization to protect its data using three core tenets, typically represented as the points of a triangle:

  • Authentication
  • Authorization
  • Access Control

What is Authentication?

Authentication is the action by which one entity proves their identity to another entity.

Examples of authentication include entering a password, signing a message or certificate with a private key (asymmetric cryptography), or scanning a fingerprint or another biometric.

What is Authorization?

Authorization is the policy by which an organization permits entities to hold rights and privileges over certain data within the system. In other words, authorization is the definition of policy for each entity.

A common example of authorization in the user experience is when a web application permits the authenticated user to modify their own profile data, such as email, password, or avatar.

Your authorization policy will be determined by your organization’s threat model and goals. The CIA triad, consisting of Confidentiality, Integrity, and Availability, will help you determine how to apply your authorization policy.

What is Access Control?

Access control can easily be confused with authorization because both relate to who or what has access to data; however, the two terms are not interchangeable. You can think of access control as applied authorization, or “authorization in action”, because it pertains to the actual mechanisms that enforce the authorization policy. Access control is a selective process in which access is granted based on the permissions and privileges found in the authorization policy.

Probably the most commonly witnessed form of access control is the 403 Forbidden or 401 Unauthorized HTTP response. These can occur even when a user is authenticated to a system but tries to access a page for which their account is not authorized, such as an administration panel. Because access control is a selective process, an admin account holding the necessary privileges would pass the same checks in the application and be permitted access.
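The three tenets line up neatly with the stages of a web request handler. The following Python snippet is an added illustration, not code from the original post: the session table, role table and per-path policy are constructed sample data, and `handle` shows where authentication, authorization and access control each occur and why an unauthenticated caller receives 401 while an authenticated but unauthorized caller receives 403.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for the example (illustrative values, not a real system).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}      # session token -> username
ROLES = {"alice": {"admin"}, "bob": {"user"}}             # username -> roles held
REQUIRED_ROLE = {"/profile": "user", "/admin": "admin"}   # authorization policy per path


@dataclass
class Response:
    status: int
    body: str


def authenticate(token: Optional[str]) -> Optional[str]:
    """Authentication: map a presented credential to a verified identity, or None."""
    if not token:
        return None
    return SESSIONS.get(token)


def is_authorized(user: str, path: str) -> bool:
    """Authorization policy: does this identity hold the role the path requires?"""
    needed = REQUIRED_ROLE.get(path)
    if needed is None:
        return False                      # unknown path: deny by default
    roles = ROLES.get(user, set())
    return needed in roles or "admin" in roles


def handle(path: str, token: Optional[str]) -> Response:
    """Access control: enforce the policy and emit 401 / 403 / 200."""
    user = authenticate(token)
    if user is None:
        # No verified identity: 401 tells the client it must authenticate first.
        return Response(401, "Unauthorized")
    if not is_authorized(user, path):
        # Identity is known but the policy denies it: 403, re-authenticating will not help.
        return Response(403, "Forbidden")
    return Response(200, f"Hello {user}, welcome to {path}")


if __name__ == "__main__":
    for path, token in [("/admin", None), ("/admin", "tok-bob"), ("/admin", "tok-alice")]:
        r = handle(path, token)
        print(f"{path} with token={token!r}: {r.status} {r.body}")
```

Unknown paths fall through to 403 rather than 200: a deny-by-default policy table means a forgotten route never silently becomes public.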

What are the types of access control?

There are a handful of main access control models defined by various institutions and organizations, plus a few extra that can be worth considering on a per-application basis.

What types of Access Control Models are on the CISSP Exam?

The CISSP exam will require you to be familiar with six types of access control models:

  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Role-Based Access Control (RBAC)
  • Rule-Based Access Control
  • Attribute-Based Access Control (ABAC)
  • Risk-Based Access Control

Discretionary Access Control (DAC)

As noted earlier, the CIA triad helps an organization determine which access control methods to use. When availability is the primary objective, discretionary access control is often the model of choice because it is the least restrictive.

DAC uses discretionary access control lists (DACLs), keyed on user identity, to add or remove rights at the discretion of the object or process owner.

You may be familiar with this access control method when sharing a file on a cloud service by clicking “Share with…” and entering the email address of the user you wish to have access. As the object owner, whom you add to the list of authorized users is totally up to your discretion.

When the DAC model is used to manage application access, the major security weakness is that the process owner may be able to grant insecure permissions to another user; those permissions can be inherited in unexpected ways, leading to lateral movement or even vertical privilege escalation.
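A minimal DACL, written as an added example for this post (not the author's code): the owner of a `Document` can share it with anyone, including delegating the `share` right itself, and `risky_grants` is an audit helper that lists exactly those delegations, since they are the points where the owner's discretion has been handed on and access can keep spreading. The document names and principals are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Document:
    """An object with an owner and a discretionary ACL: principal -> set of rights."""
    name: str
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def check(doc: Document, principal: str, right: str) -> bool:
    """Owners hold every right on their own object; everyone else needs an ACL entry."""
    if principal == doc.owner:
        return True
    return right in doc.acl.get(principal, set())


def share(doc: Document, grantor: str, grantee: str, rights: Set[str]) -> None:
    """'Share with...': only a principal holding the 'share' right may change the ACL."""
    if not check(doc, grantor, "share"):
        raise PermissionError(f"{grantor} may not share {doc.name}")
    doc.acl.setdefault(grantee, set()).update(rights)


def risky_grants(docs: List[Document]) -> List[Tuple[str, str]]:
    """Audit helper: every (document, principal) pair where the 'share' right was
    delegated, i.e. where someone other than the owner can widen access further."""
    findings = []
    for doc in docs:
        for principal, rights in doc.acl.items():
            if "share" in rights:
                findings.append((doc.name, principal))
    return findings


if __name__ == "__main__":
    # Constructed scenario: alice owns a spreadsheet and shares it around.
    budget = Document("budget.xlsx", owner="alice")
    share(budget, "alice", "bob", {"read", "share"})
    share(budget, "bob", "carol", {"read"})       # bob can now widen access himself
    print("carol can read:", check(budget, "carol", "read"))
    print("delegated share rights:", risky_grants([budget]))
```

Running the audit periodically turns the model's weakness into something observable: a growing list of delegated `share` rights is the DAC equivalent of a permissions sprawl report.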

Mandatory Access Control (MAC)

The mandatory access control model can be applied to focus on either the integrity or confidentiality corners of the CIA triad.

Typically associated with government or military organizations, the MAC model focuses on the classification of objects and restricts privileges based on the classification of the user. The data custodian or owner determines which class each object and user falls into, and permission is only granted when there is a match. As a result, data is only accessed when the custodian has determined that access is necessary.

This strategy carries a lot of overhead, requiring extensive planning and continual maintenance.
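The following is an added example, not from the original post, of how a MAC decision is made: the custodian assigns a label to every user and object, and the check compares labels rather than identities. It goes slightly beyond the post's "match" wording by using the standard lattice rules (a user may read an object their clearance dominates and may write to an object at or above their clearance), and it denies anything the custodian has not labelled. The level names, users and files are constructed.

```python
from typing import Dict, Optional

# Ordered sensitivity levels; a higher index dominates a lower one.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]

# Constructed labels assigned by the data custodian (illustrative, not real data).
CLEARANCES: Dict[str, str] = {"ana": "TOP_SECRET", "ben": "CONFIDENTIAL"}
CLASSIFICATIONS: Dict[str, str] = {
    "troop_positions.pdf": "SECRET",
    "cafeteria_menu.txt": "UNCLASSIFIED",
}


def dominates(higher: str, lower: str) -> bool:
    """True when `higher` is at least as sensitive as `lower`."""
    return LEVELS.index(higher) >= LEVELS.index(lower)


def mac_request(user: str, obj: str, action: str) -> bool:
    """Mandatory check: labels are fixed by the custodian, not by the user or owner."""
    clearance: Optional[str] = CLEARANCES.get(user)
    classification: Optional[str] = CLASSIFICATIONS.get(obj)
    if clearance is None or classification is None:
        return False                     # unlabelled user or object: deny
    if action == "read":
        return dominates(clearance, classification)        # no read up
    if action == "write":
        return dominates(classification, clearance)        # no write down
    return False                         # unknown action: deny


if __name__ == "__main__":
    for user, obj, action in [("ana", "troop_positions.pdf", "read"),
                              ("ben", "troop_positions.pdf", "read"),
                              ("ben", "troop_positions.pdf", "write"),
                              ("ana", "cafeteria_menu.txt", "write")]:
        print(f"{user} {action} {obj}: {'allow' if mac_request(user, obj, action) else 'deny'}")
```

The overhead the post mentions is visible in the two label tables: every new user and every new object needs an entry before any access is possible, which is exactly what makes the model strong and expensive.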

Role-Based Access Control (RBAC)

The role-based access control model, in contrast to MAC, is much easier for the data custodian to manage because it applies access controls broadly based on the user’s role in the organization rather than on the user’s identity.

For example, a department director’s role would have access to the department’s budgeting information, but the role given to a team member in the same department would not have access to these files.

When it is necessary to make exceptions to these controls, problems such as privilege creep can occur: the data custodian adds privileges to an individual that are later forgotten about and never revoked.
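An RBAC check plus the audit that catches the creep the post warns about, written as an added example rather than the author's code. Roles map to permissions and users map to roles; `grant_exception` records a one-off permission on a user outside any role, and `privilege_creep_report` lists every such exception so it can be reviewed and revoked. The roles, permissions and justifications are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role definitions mirroring the post's example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "director": {"budget:read", "budget:write", "reports:read"},
    "team_member": {"reports:read"},
}


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    # Per-user exceptions granted outside any role: permission -> justification.
    exceptions: Dict[str, str] = field(default_factory=dict)


def effective_permissions(user: User) -> Set[str]:
    """Union of the permissions of every role held, plus any direct exceptions."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms | set(user.exceptions)


def can(user: User, permission: str) -> bool:
    return permission in effective_permissions(user)


def grant_exception(user: User, permission: str, justification: str) -> None:
    """The custodian bypasses the role model for one person; this is where creep starts."""
    user.exceptions[permission] = justification


def privilege_creep_report(users: List[User]) -> List[Tuple[str, str, str]]:
    """Every permission held directly rather than through a role, for periodic review."""
    return [(u.name, perm, why) for u in users for perm, why in sorted(u.exceptions.items())]


if __name__ == "__main__":
    dana = User("dana", {"director"})
    eli = User("eli", {"team_member"})
    grant_exception(eli, "budget:read", "covering for dana during Q3 planning")
    print("eli can read budget:", can(eli, "budget:read"))
    print("review queue:", privilege_creep_report([dana, eli]))
```

Keeping exceptions in a separate field, rather than quietly adding the user to a bigger role, is what makes the report possible; a grant that has outlived its justification shows up on every run until someone revokes it.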

Rule-Based Access Control

The rule-based access control model dynamically assigns privileges to resources regardless of the user’s role.

A common example of rule-based access control is the time-gate feature used by electronic safes in grocery stores, which only open during certain business hours.

In contrast with role-based access control, rule-based access controls do not establish a privilege level for the user; instead, they institute a set of rules on the resource.

One of the benefits of this access control model is the increased flexibility, as rules can be established dynamically.

Attribute-Based Access Control (ABAC)

The attribute-based access control model associates attributes with each user, resource, action, and other element in the scenario when establishing authorization.

Attribute-based access control is very granular and requires the data custodian to establish attributes for every entity (both users and resources) in the organization; however, this granularity also provides a high level of flexibility.
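One added example, not from the original post, covers both the rule-based and the attribute-based sections above: the decision is a list of predicates over the subject, resource, action and environment attributes of a request. The first rule is the post's time-gate (a rule attached to the resource regardless of who is asking), the others match subject and resource attributes and make the allowed actions depend on the subject's title. All attribute names, departments and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List


@dataclass(frozen=True)
class AccessRequest:
    subject: Dict[str, str]        # attributes of the user (title, department, ...)
    resource: Dict[str, str]       # attributes of the object (department, sensitivity, ...)
    action: str                    # "view" or "edit"
    environment: Dict[str, datetime]  # context, here just the current time


def during_business_hours(req: AccessRequest) -> bool:
    """Rule-based element: the resource is only reachable Mon-Fri, 09:00-17:00,
    whoever the subject is (the post's time-gated safe)."""
    now = req.environment["now"]
    return now.weekday() < 5 and time(9, 0) <= now.time() < time(17, 0)


def same_department(req: AccessRequest) -> bool:
    """Attribute match between subject and resource."""
    return req.subject.get("department") == req.resource.get("department")


def edit_requires_manager(req: AccessRequest) -> bool:
    """Action-dependent rule: anyone in scope may view, only managers may edit."""
    return req.action == "view" or req.subject.get("title") == "manager"


POLICY: List[Callable[[AccessRequest], bool]] = [
    during_business_hours,
    same_department,
    edit_requires_manager,
]


def decide(req: AccessRequest) -> bool:
    """Deny-by-default: every rule in the policy must return True."""
    return all(rule(req) for rule in POLICY)


# Constructed sample attributes and requests (illustrative values only).
TUESDAY_10AM = datetime(2024, 3, 12, 10, 0)
SATURDAY_10AM = datetime(2024, 3, 16, 10, 0)
TUESDAY_10PM = datetime(2024, 3, 12, 22, 0)
MANAGER = {"title": "manager", "department": "finance"}
ANALYST = {"title": "analyst", "department": "finance"}
ENGINEER = {"title": "manager", "department": "engineering"}
BUDGET = {"department": "finance", "sensitivity": "internal"}

REQ_ANALYST_VIEW = AccessRequest(ANALYST, BUDGET, "view", {"now": TUESDAY_10AM})
REQ_ANALYST_EDIT = AccessRequest(ANALYST, BUDGET, "edit", {"now": TUESDAY_10AM})
REQ_MANAGER_EDIT = AccessRequest(MANAGER, BUDGET, "edit", {"now": TUESDAY_10AM})
REQ_OTHER_DEPT = AccessRequest(ENGINEER, BUDGET, "view", {"now": TUESDAY_10AM})
REQ_WEEKEND = AccessRequest(MANAGER, BUDGET, "view", {"now": SATURDAY_10AM})
REQ_NIGHT = AccessRequest(MANAGER, BUDGET, "view", {"now": TUESDAY_10PM})

if __name__ == "__main__":
    for name, req in [("analyst view", REQ_ANALYST_VIEW), ("analyst edit", REQ_ANALYST_EDIT),
                      ("manager edit", REQ_MANAGER_EDIT), ("weekend view", REQ_WEEKEND)]:
        print(f"{name}: {'allow' if decide(req) else 'deny'}")
```

The granularity the post describes is the cost of the attribute dictionaries: every subject and resource must carry the attributes the rules read, or `get` returns `None` and the request is denied.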

Risk-Based Access Control

Risk-based access control models dynamically take into consideration the risk associated with an action.

Risk-based access control may sound less familiar; however, this access control model is very common and you’ve likely experienced it yourself. Often, when logging on from a new device, your banking portal will warn that the device is unknown and ask that you verify your identity using a second method such as a text message code or security question. In this scenario, the risk associated with a new device is higher than that of a previously seen device, so the access control restricts access until further authentication can be made.
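The banking-portal flow above, as an added example that is not part of the original post: a login attempt is scored on signals such as an unrecognised device or an unusual country, a score at or above a threshold requires a second factor before access is allowed, and a device that passes the second factor can be enrolled so the next login scores lower. The user, device identifiers, countries, weights and threshold are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Constructed enrolment data (illustrative, not from a real system).
KNOWN_DEVICES: Dict[str, Set[str]] = {"alice": {"laptop-1"}}
HOME_COUNTRY: Dict[str, str] = {"alice": "US"}

# Constructed risk weights: scores at or above the threshold need a second factor.
UNKNOWN_DEVICE_WEIGHT = 50
UNUSUAL_COUNTRY_WEIGHT = 30
STEP_UP_THRESHOLD = 50


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str
    country: str
    password_ok: bool             # result of the primary authentication
    second_factor_ok: bool = False  # result of the step-up challenge, if one was answered


def risk_score(attempt: LoginAttempt) -> int:
    """Sum the risk signals present on this attempt."""
    score = 0
    if attempt.device_id not in KNOWN_DEVICES.get(attempt.user, set()):
        score += UNKNOWN_DEVICE_WEIGHT
    if attempt.country != HOME_COUNTRY.get(attempt.user):
        score += UNUSUAL_COUNTRY_WEIGHT
    return score


def login_decision(attempt: LoginAttempt) -> str:
    """Return 'deny', 'allow' or 'step_up' (access withheld until a second factor passes)."""
    if not attempt.password_ok:
        return "deny"                       # primary authentication failed outright
    if risk_score(attempt) < STEP_UP_THRESHOLD:
        return "allow"                      # low risk: password alone is enough
    return "allow" if attempt.second_factor_ok else "step_up"


def enroll_device(user: str, device_id: str) -> None:
    """After a successful step-up, remember the device so it scores lower next time."""
    KNOWN_DEVICES.setdefault(user, set()).add(device_id)


if __name__ == "__main__":
    first = LoginAttempt("alice", "phone-7", "US", password_ok=True)
    print("new device:", login_decision(first))              # step_up
    verified = LoginAttempt("alice", "phone-7", "US", password_ok=True, second_factor_ok=True)
    print("after second factor:", login_decision(verified))  # allow
    enroll_device("alice", "phone-7")
    print("next time:", login_decision(first))               # allow
```

The decision is dynamic in exactly the sense the post describes: the same password on the same account produces different outcomes depending on the context of the attempt, and enrolment changes future outcomes without touching any role or ACL.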


Sean Mackert is an IT professional passionate about security and helping inform others.