Identification and authorization
Privileged access management:
Privileged access management (PAM) is cybersecurity strategies and technologies for exerting control over the elevated (“privileged”) access and permissions for users, accounts, processes, and systems across an IT environment. By dialing in the appropriate level of privileged access controls, PAM helps organizations condense their organization’s attack surface, and prevent, or at least mitigate, the damage arising from external attacks as well as from insider malfeasance or negligence.
While privilege management encompasses many strategies, a central goal is the enforcement of least privilege, defined as the restriction of access rights and permissions for users, accounts, applications, systems, devices (such as IoT) and computing processes to the absolute minimum necessary to perform routine, authorized activities.
Alternatively referred to as privileged account management, privileged identity management (PIM), or just privilege management, PAM is considered by many analysts and technologists as one of the most important security projects for reducing cyber risk and achieving high security ROI.
The domain of privilege management is generally accepted as falling within the broader scope of identity and access management (IAM). Together, PAM and IAM help to provide fined-grained control, visibility, and auditability over all credentials and privileges.
While IAM controls provide authentication of identities to ensure that the right user has the right access as the right time, PAM layers on more granular visibility, control, and auditing over privileged identities and activities.
In this glossary post, we will cover: what privilege refers to in a computing context, types of privileges and privileged accounts/credentials, common privilege-related risks and threat vectors, privilege security best practices, and how PAM is implemented.
Logical access management:
A logical access control system requires validation of an individual’s identity through some mechanism such as a PIN, card, biometric, or other token. It has the capability to assign different access privileges to different persons depending on their roles and responsibilities in an organization.
Account life-cycle management – Provision and deprovision accounts:
User Provisioning / User Account Provisioning is an Identity Access Management (IAM) process that ensures employee/user accounts are created, updated, deleted and given proper access across multiple applications and systems at the same time. User/employee information such as name, attributes, group name, and other associated data are available through account and access management, which allows you to grant or prohibit access based on your needs. When information in an “original system database” is added or altered, provisioning is required (e.g. HR system, Institute Database). User Provisioning (Account Provisioning) can be triggered by events like hiring, promotions, and transfers. User account Provisioning guarantees that users’ access rights and privileges are up to date without the need for manual intervention. Provisioning assures that access is granted only when it is required, preventing hackers from exploiting security flaws to gain unauthorized access to important company data.
Deprovisioning refers to withdrawing a user’s access to various SAAS apps account and network systems at the same time. When an employee leaves a firm or changes responsibilities within the organization, the Deprovisioning action is triggered. Deprovisioning lets enterprises free up disc space, ports, certificates, and company-issued workstations for future usage by removing individual accounts from file servers and authentication servers like Active Directory. Deprovisioning protects the organization’s security and confidentiality by preventing former employees from accessing corporate resources after they leave. This ensures the security of the organization’s applications while also lowering administrative expenses and time.
Access controls:
1. Role-based:
Role-based access control (RBAC) restricts network access based on a person’s role within an organization and has become one of the main methods for advanced access control. The roles in RBAC refer to the levels of access that employees have to the network.
Employees are only allowed to access the information necessary to effectively perform their job duties. Access can be based on several factors, such as authority, responsibility, and job competency. In addition, access to computer resources can be limited to specific tasks such as the ability to view, create, or modify a file.
As a result, lower-level employees usually do not have access to sensitive data if they do not need it to fulfill their responsibilities. This is especially helpful if you have many employees and use third-parties and contractors that make it difficult to closely monitor network access. Using RBAC will help in securing your company’s sensitive data and important applications.
2. Discretionary:
Discretionary access control (DAC) is a type of security access control that grants or restricts object access via an access policy determined by an object’s owner group and/or subjects. DAC mechanism controls are defined by user identification with supplied credentials during authentication, such as username and password. DACs are discretionary because the subject (owner) can transfer authenticated objects or information access to other users. In other words, the owner determines object access privileges.
3. Non-discretionary:
In general, all access control policies other than DAC are grouped in the category of non-discretionary access control (NDAC).
Source: NIST IR 7316
The following are excerpts from NIST IR 7316:
- “Mandatory access control (MAC) policy means that access control policy decisions are made by a central authority, not by the individual owner of an object, and the owner cannot change access rights.” MAC is just one of the many forms of NDAC, so the central authority is not the critical criteria to distinguish DAC from NDAC.
- “Although RBAC is technically a form of non-discretionary access control, recent computer security texts often list RBAC as one of the three primary access control policies (the others are DAC and MAC).”
- “Temporal constraints are formal statements of access policies that involve time-based restrictions on access to resources; they are required in several application scenarios. Popular access control policies related to temporal constraints are the history-based access control policies.” The Brewer and Nash model (Chinese Wall) is history-based.
Directory services
- Lightweight directory access protocol (LDAP)
– Federation
– Certificate management
– Multifactor authentication (MFA)
– Single sign-on (SSO)
- Security assertion markup language (SAML)
– Public key infrastructure (PKI)
– Secret management
– Key management
Introduction to AWS Identity and Access Management (IAM)
INTRODUCTION
AWS Identity and Access Management (IAM) is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS. The service is targeted at organizations with multiple users or systems in the cloud that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access. The main purpose of the IAM is to enable a securely control access to AWS services and resources. With the help of AWS we can manage ,create policies to different users. they are many access authorizes to users like giving access keys , passwords and multi-factor authentication devices. We can create roles and add permissions to control which operation can be performed by the entity.
In this lab I have blocked some services to a particular user and when that user tries to login and try to use that service it would not be accessible.
OBJECTIVES
- Creating users and adding them to group
- Manage user accounts passwords and policies
- Edit a group policy
- Locating and using the IAM sign-in URL
ILLUSTRATION
STEP 1: For the understanding of giving permissions and managing password policies, I have created a couple of users with the name ‘userone’, ‘usertwo’, ‘userthree’. First I will show how the dashboard will look alike when you will select the IAM services under AWS console.
Now from the Dashboard image above you can clearly see items on the left side under details panel like groups, users, policies, account settings etc. You can actually create as many users according to the need of your organizational need. So to create new users you will go into users option and create new users as shown in image below:
STEP 2: Now I will create a couple of groups also to add the users I have created above. Then question can arise why You need to create groups. The answer to this question is that you can apply policies to groups only, the policies which allow and block some services of AWS just the same way you did in your Group policy management in VMware Server machines. Also, you have to add groups one by one and while creating the group you can assign the policies or you can apply them later.
So for creating the Groups again we have to look on the right side panel the same way we did in creating users. Image below shows one group ‘EC2 support’ that I have created and the policy that I have given to that group:
Next image will give you a hint about the list of services under AWS which we can use as a policy to block and allow.
Group0 has been created administrative policies and Group1 has been created with full EC2 Policy. The Image below will show that the particular policy while creating the group is being applied.
STEP 3: The next step can be adding users into the groups.This can be done by selecting the group in which you want to add the selected user. For this lab post I have added userthree into an EC2 support group, means ‘userthree’ will only have access to the EC2 instance as clear from the policy I added in the EC2 group.
Images below will show the user that has been added into the group:
** IMPORTANT: You can actually try doing this thing by adding policy to different group but just for the demonstration I have explained 1 group, 1 users in this lab post.**
STEP 4: After adding a user into the group and applying policies, you have to set the password for the users. There are two things that you can do in a password.
— First, you can set password policy, For example, you can give minimum password length, requires one upper case letter etc. The creating policy is necessary these days for better security. Password policies for better understanding is shown in the image below:
STEP 5: Now all set up with policies and password. You need to sign-in with the user, for that you have to copy the link that is given in the dashboard. So If you think at the level of organization you can clearly understand that being an Admin I will provide certain user this link, their username, and password so that they can login and use the services that I have allowed him/her under policy.
The image below will guide you where you can find that link:
Sign-in with the particular credentials that have provided:
Now as you know that I have given ‘User3’ of ‘Group1’ full access of EC2, so Image below will describe that ‘User3’ can use all services of EC2:
But we cannaot use other services such as S3 since the access will be deinied:
CONCLUSION
AWS Identity and Access Management (IAM) is a web service that lets you securely control access to AWS resources for users. People (AWS resources that are available using the IAM authentication ) and use its resources and how they can be used. With the help of IAM you can Share access to the AWS Account, Granular permissions, Security access AWS resources for applications running on Amazon EC2, Credentials works, Credentials for ensuring, Eventual Consistency.
QUESTIONS THAT CAN ARISE
Q1) What kinds of security credentials can IAM users have?
Ans- IAM users can have any combination of credentials that AWS supports, such as an AWS access key, X.509 certificate, SSH key, password for web app logins, or an MFA device. This allows users to interact with AWS in any manner that makes sense for them.
Q2) What are the features of IAM roles for EC2 instances?
Ans- IAM roles for EC2 instances provides the following features:
– AWS temporary security credentials to use when making requests from running EC2 instances to AWS services.
– Automatic rotation of the AWS temporary security credentials.
– Granular AWS service permissions for applications running on EC2 instances
Q3) Mention few IAM best Practises?
Ans- Some of the best practises to be followed during IAM are mentoned below:
- Lock Away Your AWS Account Root User Access Keys
- Create Individual IAM Users
- Use AWS Defined Policies to Assign Permissions Whenever Possible
- Use Groups to Assign Permissions to IAM Users
- Grant Least Privilege
- Use Access Levels to Review IAM Permissions
- Configure a Strong Password Policy for Your Users
- Enable MFA for Privileged Users
- Use Roles for Applications That Run on Amazon EC2 Instances
- Delegate by Using Roles Instead of by Sharing Credentials
- Rotate Credentials Regularly
- Remove Unnecessary Credentials
- Use Policy Conditions for Extra Security
- Monitor Activity in Your AWS Account
