CompTIA Security+ SYO-401

Certification Training

Selecting the AAA in a Scenario Tutorial

1 Selecting the Appropriate Authentication, Authorization or Access Control in a Given Scenario

Let’s begin this course by looking at the difference between three concepts in the digital world, authentication, authorization, and access control, and at how to choose among them in a given scenario. The following screen lists the objectives covered in this lesson. After completing this lesson, you will be able to:
• Distinguish among identification, authentication, and authorization.
• Identify different identification mechanisms.
• Select the most suitable identification mechanism for a scenario.
• Identify different authentication factors.
• Identify different authentication mechanisms.
• Select the most suitable authentication mechanism for a scenario.
• Identify different authorization mechanisms.
• Select the most suitable authorization mechanism for a scenario.
• Identify the different access control models, and
• Select the most suitable access control model for a scenario.

2 Difference Between Identification, Authentication and Authorization Across Various Networks or Systems

In this topic, you will learn the difference between identification, authentication, and authorization across various networks or systems. All three happen in the physical world, but how do they happen on the Web or on an enterprise network? The most common example is a user logging on to a system or website. The credentials usually consist of a username and a password. By entering the username, you claim to be somebody; you have given the server a name by which to identify you. This is identification. In simple words, identification is the reply to the question “Who are you?” When you then provide the password, you are proving that claim: it confirms that you are the rightful owner of the account, and it is the reply to the question “How can you prove who you are?” Successful authentication therefore means two things have happened: first, you conveyed an identity, and second, you proved that you are that individual. After successful authentication, the system determines what you can do on the site or application. This is authorization, and it answers “What can you do, and what can you not?” For example, you might be given access to only a few sections of the web pages or application, depending on your identity. Identification, authentication, and authorization are central to the security design of any system on any network. Without a proper implementation of all three, you cannot expect effective access control. Let’s now look at the difference between identification and authentication, because comprehending it is essential. Identification literally means finding out who someone is, while authentication is a method for verifying that identity.
In other words, identification is asserting an identity, while authentication is proving it. In the digital world you can claim any identity you like, but you must back the claim with evidence such as a password, the answer to a confidential security question, or a scanned photo. Another point of difference is computing cost. Identification has to search the user records for the asserted identifier (or, with a biometric, compare the sample against every enrolled template), so its cost grows with the number of user records. Authentication compares one supplied secret against the one record already identified, so its cost is independent of how many users exist. Lastly, an identity needs to be unique, while an authenticator needs to be secret. For example, the username m_george can exist only once within a domain or system; no other user can have it. Conversely, even though a fingerprint can be used to determine your identity, it is not a secret, so a secret such as a PIN is still required alongside it to guard against spoofing. Similarly, two users with unique usernames may use the same password without either being aware of it; that is tolerable, because the password is the secret, not the identifier. It also means that, when a credential is at risk of theft, changing the password is a quicker remedy than creating a new account. In a nutshell, identification without authentication lacks proof, while authentication without identification removes multi-user capability and invalidates auditing. Let’s now identify the difference between authentication and authorization. One difference you already know: authentication confirms the identity of a user through validation, while authorization determines the resources a user can access, and the actions a user can perform, after logging on to the application, computer system, database, or server. There is one more difference. Authentication checks the user’s credentials, while authorization checks the user’s privileges.
For example, authentication answers, “Is this user who he or she claims to be?” Authorization answers, “Can this user access resource X?”, “Can this user perform task A?”, and “Can this user perform task B on resource Y?” Permissions are granted on the basis of the authenticated identity, so authentication always precedes authorization. Skipping identification and going straight to authentication can cause a security breach by letting one user take over another’s identity. For example, suppose you log on with a password alone and now wish to change it. If the new password you choose is already in use by someone else, the system might throw the error message, “This password is already in use. Please try another.” That message tells you that this is the password of another user’s account; all that is left is to work out which user it belongs to, and you can enter the system as an intruder. To avoid this, authentication has to follow identification, and a secret must never be treated as if it were unique. Similarly, security is compromised if you skip authentication and go straight to authorization: anyone can claim to be an administrator and obtain administrator powers, because nothing challenges the claim. Here is a brief summary of identification, authentication, and authorization. Identification is provided by the principal, such as a user or an application, and answers who he or she is, in the form of a public assertion. Authentication is provided by the principal to prove that the claim is true, in the form of a secret response, such as a password or a fingerprint. Finally, authorization is what the system gives to the principal, a reply to what the user can and cannot do, in the form of a ticket or token stating the access control privileges. We shall now explore the different methods for implementing identification, authentication, and authorization, along with the scenarios in which they are suitable.
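As an added illustration of the three steps in their only safe order (example code written for this page, not code from the course), here is a small Python login flow: the username is the unique identifier, a salted password hash is the secret, and a role table decides what an authenticated user may do. The user names, passwords, roles, and the perform and users_with_password helpers are constructed for the example. The last helper shows what is left when identification is skipped and the system tries to find a user by the secret alone.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for this example. The username is the
# identifier and must be unique; the salted password hash is the secret that
# proves the identity; the roles drive authorization.
_USERS = {}

# Constructed policy: which roles may perform which action.
_PERMISSIONS = {
    "read_report": {"analyst", "admin"},
    "delete_report": {"admin"},
}


def _pwd_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Dummy record so that a failed identification still costs one hash
# computation; otherwise response time would reveal which usernames exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pwd_hash("no-such-user", _DUMMY_SALT)


def register(username: str, password: str, roles) -> None:
    """The identity must be unique; the secret need not be."""
    if username in _USERS:
        raise ValueError("identifier already taken: " + username)
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt, "hash": _pwd_hash(password, salt),
                        "roles": frozenset(roles)}


def identify(username: str):
    """Identification ('Who are you?'): look up the asserted identifier."""
    return _USERS.get(username)


def authenticate(username: str, password: str) -> bool:
    """Authentication ('Prove it'): verify the secret against the identified record."""
    rec = identify(username)
    if rec is None:
        hmac.compare_digest(_pwd_hash(password, _DUMMY_SALT), _DUMMY_HASH)
        return False
    return hmac.compare_digest(_pwd_hash(password, rec["salt"]), rec["hash"])


def authorize(username: str, action: str) -> bool:
    """Authorization ('What may you do?'): a role check on an already authenticated user."""
    rec = identify(username)
    return rec is not None and bool(rec["roles"] & _PERMISSIONS.get(action, set()))


def perform(username: str, password: str, action: str) -> str:
    """Identify, authenticate, then authorize; never the other way round."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action):
        return "denied: not authorized for " + action
    return "ok: " + action


def users_with_password(password: str) -> list:
    """What a system that skips identification is reduced to: the secret alone
    cannot single out one account, because secrets are not required to be unique."""
    return sorted(u for u, rec in _USERS.items()
                  if hmac.compare_digest(_pwd_hash(password, rec["salt"]), rec["hash"]))


# Constructed accounts: two distinct identities that happen to share a secret.
register("m_george", "correct horse battery", ["analyst"])
register("j_smith", "correct horse battery", ["admin"])

if __name__ == "__main__":
    print(perform("m_george", "correct horse battery", "read_report"))
    print(perform("m_george", "correct horse battery", "delete_report"))
    print(users_with_password("correct horse battery"))
```

The dummy hash on an unknown username keeps the response time of "no such user" indistinguishable from "wrong password", so the login form does not double as a username enumeration oracle.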

3 Identification Methods

Now, you will learn about the identification methods. Imagine that a small startup has just deployed new productivity tracking software on its Local Area Network, or LAN. Because there are fewer than 50 employees, each employee logs on to the system with a single unique alphanumeric code in the pattern E1001, E1002, E1003, and so on. You, as the new administrator, test the login functionality and notice that the same code is used both to identify and to authenticate the user. When you test the code change functionality, you realize that any user may try to change his or her code, say from E1001 to E1025. When this happens, the system throws the error message, “This code is already in use. Please change!”, because it is the existing code of another user. That is a risk: the employee with E1001 now knows a valid code for another account and, because the code is also the only secret, can log on as the employee with code E1025. This might happen unintentionally, but it takes no time to turn an employee into an intruder, and it undermines the safe working of a multi-user network. The company wants a quick solution that is neither complicated nor demanding in money or time. So, what will you do? The right solution is to separate the identifier from the secret: assign every user a username of the form last name, underscore, code, together with a randomly generated initial password. Both would be valid only for the first logon, at which point the system prompts the user to change them for better security. Keeping in mind that the company needs a fast, easy, and cost-effective solution, assigning such a username and a randomly generated password is ideal. The most common method of identifying network users is to give each a unique name.
Users type this name as their username when logging on to the system or network, conveying their identity to the authenticating system. Other examples of identifiers are employee IDs and account numbers, which likewise serve to identify the individual.

4 Scenario

Let us now move on to the other two identification systems, biometrics and PIV smart cards. Each has its own usage scenarios. A government organization operating in the Manhattan borough of New York works directly under the Farm Credit Administration, an independent agency of the federal government, and provides loans and other financial help to farmers in the borough. Recently it has been facing frequent identity fraud at the top management level, which has led to leaks of highly confidential federal information. The organization is also facing laxness from its government contractors, who do not record their entry and exit times in the register. In an urgent meeting, the head of the organization asks you to come up with the strongest solution, one that cannot be ignored, for keeping both laxness and fraud at bay. The head wants a solution that uses a blend of identifiers instead of relying only on usernames, IDs, voice-based identification, or fingerprints, because using any one of them alone can easily result in a security violation, something the organization has experienced before. At the same time, no government employee should be able to enter or leave the office without the correct entry and exit time being recorded. Further, the security technology in use must comply with federal security policies. So, what can you suggest? The best solution is the Personal Identity Verification card, or PIV card, issued for identifying federal employees and contractors. Specified by Federal Information Processing Standard (FIPS) 201, this physical and logical access control card carries government-trusted credentials. It was created in response to Homeland Security Presidential Directive 12 (HSPD-12), issued by the White House, and allows both physical and logical access to government resources.
Issued by a federal agency, the card shows the employee’s name, photo, issue date, and expiry date, and holds further data, such as fingerprint templates, authentication keys, and digital certificates, in an embedded chip. The chip stores and releases identification details securely. The card usually doubles as an ID badge; it is inserted into, or held against, a reader, after which the holder submits one or more authenticators, typically a PIN, and the card’s certificates are validated against the issuing agency’s Public Key Infrastructure (PKI). In this way PIV supports confidentiality, integrity, authenticity, and non-repudiation, because PKI cryptography and digital signatures protect the credentials against alteration and allow sensitive data to be signed. Because the card’s credentials are PKI-based and the standard is a federal one, the solution complies with federal security policy, which is a requirement in our scenario. Today, almost any government employee or contractor who needs access to a government site, building, or information system for six months or longer has to use a PIV card, obtained after a stringent background check, and the card is likely to become mandatory for all government employees and contractors in the United States. We are now left with the last identification method, biometrics. Consider a scenario in which bank employees must use a swipe card to access the central bank’s assets. The swipe card acts as their proof of identity. The biggest issue is that employees forget to bring the card, or the card gets stolen at times, which leads to frequent disruption while the cards are reissued. All efforts to address the problem of forgotten cards have been in vain. As the system administrator, what would you suggest to the bank?
For this scenario, you can suggest biometric devices such as hand-geometry or fingerprint scanners in place of swipe or smart cards. These devices let employees who forget their cards still get in, and they provide strong security when combined with another authentication factor such as a PIN or password. A biometric system uses a distinct biological trait to identify the individual. Such traits include the thumbprint or fingerprints, face, palm, DNA, voice, iris (the colored area of the eye around the pupil), and retina (the pattern of blood vessels at the back of the eye). They are read by hand scanners, facial recognition applications, and retinal scanners, which are kept under surveillance so that they cannot be bypassed. In other words, a unique physical characteristic of the user is used to identify him or her for access to a system or network. Of all of these, the iris scan is believed to be the most distinctive and secure method of identification. Because of falling costs, biometrics is increasingly used in fields such as medicine, aviation, finance, law, and mobile devices. A user goes through an enrollment process the first time he or she uses a biometric device. In this process, biometric data is read by a biometric reader and converted into a digital representation. This data then passes through a mathematical process, and the outcome (a template) is stored in a database for later matching. While biometrics is one of the most secure identification methods, there is some scope for error, because matching a live sample against a stored template is probabilistic rather than exact. You can expect two types of biometric error. A Type I error, also termed the False Reject Rate or FRR, is when the system fails to recognize a user who does have the right to access the system. A Type II error, also known as the False Acceptance Rate or FAR, is when the system grants access to an unauthorized user.
The accuracy of a biometric device is expressed through the Crossover Error Rate, or CER: the error rate at the sensitivity setting where the Type I and Type II rates are equal. CER is a rate, not a count. For instance, if at some threshold 10 out of 200 genuine attempts are falsely rejected (FRR = 5%) and 10 out of 200 impostor attempts are falsely accepted (FAR = 5%), then the CER is 5%. Raising the matching threshold lowers FAR but raises FRR, and lowering it does the opposite, so the crossover point is what lets you compare devices. Accuracy is inversely related to CER: the lower the CER, the more accurate the biometric system. We have just seen the scenarios in which you can use usernames, PIV cards, and biometric systems for identification. We now move on to authentication.
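To make the threshold trade-off concrete, here is an added Python example (written for this page, not taken from the course) that computes FRR, FAR, and the crossover point from a constructed set of matcher scores. The score lists and the 0..1 score scale are assumptions of the example; a real device reports its own score range.

```python
# Constructed matcher scores in the range 0..1 (higher = closer to the
# enrolled template): ten genuine attempts and ten impostor attempts.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.65, 0.89, 0.93, 0.78]
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.55, 0.18, 0.41, 0.70]


def accept(score: float, threshold: float) -> bool:
    """The device's decision rule: a sample matches if its score reaches the threshold."""
    return score >= threshold


def frr(genuine, threshold: float) -> float:
    """Type I error rate (False Reject Rate): share of genuine attempts rejected."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def far(impostor, threshold: float) -> float:
    """Type II error rate (False Acceptance Rate): share of impostor attempts accepted."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def crossover(genuine, impostor, steps: int = 1000):
    """Sweep the threshold and return (threshold, CER) at the point where FRR and FAR
    are closest to equal. CER is a rate: 10 errors of each kind in 200 attempts is 0.05."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        r, a = frr(genuine, t), far(impostor, t)
        gap = abs(r - a)
        if best is None or gap < best[0]:
            best = (gap, t, (r + a) / 2)
    _, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.9):
        print(f"threshold {t:.2f}: FRR {frr(GENUINE, t):.2f}  FAR {far(IMPOSTOR, t):.2f}")
    print("crossover at threshold %.3f, CER %.2f" % crossover(GENUINE, IMPOSTOR))
```

With these scores the sweep finds the crossover just above 0.65, where one genuine user is rejected and one impostor is accepted, so the CER is 0.10. Moving the threshold to 0.9 drives FAR to zero at the cost of rejecting six of the ten genuine attempts, which is the trade-off a deployment has to make explicitly.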

5 Authentication Factors and Mechanisms

Now, you will learn about the authentication factors and mechanisms. To prove an identity, the principal accessing an application or network needs to give some valid evidence, such as a PIN or password. These are called authenticators, and they are classified into five primary factors. First, “something you are”. Here, users prove their identity with a unique physical characteristic such as a fingerprint, voice, or retina. This is the biometric mechanism, an advanced form of authentication to a system or network, and it is perhaps the strongest of the factors when implemented well. Second, “something you know”. We use it all the time, from email applications to shopping portals. The best examples include a password, a secret code, security questions, or a PIN. This is the most widely used factor: the users know what to give to prove their identity. Third, “something you have”. This is also commonly used, and depends on what is in your possession. Examples include a hardware token, an ATM card, a PIV card, or a swipe card. Fourth, “something you do”. This is a newer factor, based on the user’s habits. For instance, a system may rely on your typing pattern, together with one of the factors above, for validation. Finally, “somewhere you are”. This factor is concerned with the user’s location. An authentication system can validate a user by IP subnet or GPS location. However, this only works when the location is predictable every time the user logs in, so it is of limited use for mobile users. Combining two or more of these factor categories substantially strengthens authentication, because an attacker then has to compromise more than one independent kind of evidence.
Combining factors in this way is the first authentication mechanism we will look at: multifactor authentication. Let’s understand its need with the help of a scenario.

6 Scenario

Let’s consider an IT company that is about to take on a project to design a highly secure government system for which cost is not a constraint. The head of the government department no longer trusts password authentication, because of prior leaks and hacks. According to him, longer passwords are not feasible either, because they are difficult to remember, and no matter how tricky a password is, there are ways to obtain it, such as phishing and guessing. Further, the new system should prevent unauthorized access, allow highly secure remote connections, and protect data stored both in physical locations and on virtual drives. Given the high-profile nature of the project, you have been asked to suggest a security mechanism. Obviously you cannot suggest a single authentication method such as a password or PIN. So, what will you do? Considering the scenario and the high security requirements, you should suggest a multifactor authentication scheme, one that involves two or more authentication factors from different categories. The possible combinations you can propose are:
• Two-factor authentication: two authentication factors from different categories, such as “something you have” and “something you know.” This is much stronger and safer than a username and password alone. Note that a username and password, or a retina scan and a fingerprint, each count as single-factor authentication, because both items are instances of the same category (“something you know” in the first case, “something you are” in the second). For two-factor authentication, the factors must come from two different categories.
A few examples of valid two-factor authentication are: o Smart card, “something the user has” + password or PIN, “something the user knows.” o ATM card + password or PIN, o Token + password or PIN, and o Biometrics + PIN or password. The examples make it clear that even if someone steals the card or learns the password, it is of no use on its own, because the other factor is still missing. This scheme provides basic identity protection against long-standing threats such as password cracking.
• Three-factor authentication: three factors, such as “something you are,” “something you know,” and “something you have.” For example: o Fingerprint scan, “something the user is” + identity card swipe, “something the user has” + PIN, “something the user knows.” Considering the high level of security required for the government project, three-factor authentication is the ideal combination. It gives flexibility in granting access according to different factors, and it is strong enough to make phishing, password cracking, and credential-stealing malware far less effective, since a captured password alone no longer opens the door. This is what we saw with the PIV card, which contained a photo, fingerprints, a username, and much more. Another example was biometrics with a PIN, acting as two-factor authentication. In real life, too, we experience multifactor authentication. A couple of examples: withdrawing cash from a bank’s ATM, which requires the ATM card and then a PIN, a combination of “something the user has” and “something the user knows”; and logging in to a Gmail account with 2-Step Verification, which requires “something you have,” such as the smartphone on which you receive a code, and “something you know,” the password. Let’s now talk about some more authentication mechanisms.

7 Scenario

Your company provides data on various ongoing scientific experiments and trials aimed at finding new treatments for medical disorders. This confidential information is available only to health professionals around the world. Because of its confidential nature, it is vital to have session-based authentication, in which the proof of identity is valid only for a particular session or login. As the system administrator, you need to suggest a suitable authentication mechanism. What will you suggest? The best suggestion is a security token, which works somewhat like a certificate for authenticating the user’s identity. It is a small piece of data holding the rights and access privileges along with the identity information of the holder, such as the Security Identifier (SID) and the SIDs of any groups the user belongs to. At logon, the authentication system generates a fresh token for the session. Once the session is over, the token is destroyed, which means it is valid only for that specific session. Several operating systems attach such a token to every action the user performs on the computer; if the token does not grant access to some information, either the access is denied or the information is not displayed. Three main types of security token exist in networking environments. The first is a hardware token, a small device used to identify and authenticate a user. The most common kind displays a one-time code that changes every 30 to 60 seconds; the code is not random but is computed from the current time and a secret shared with the authentication server, and the user submits it along with the username and password when logging on. If the code is submitted while it is still valid and matches what the authenticating server computes, the user is let in. The second is a software token, which functions like a hardware token but runs as an application on a computing device rather than on separate hardware.
The last is a logical token generated at logon. This type of security token holds the SID, group SIDs, and access privileges, and is presented to a resource whenever access to that resource is requested.

8 Scenario

Now let’s learn about the Common Access Card, used as an authentication mechanism. Consider a training center in the United States where many individuals are trained before joining the Army or Navy. You are asked to suggest an authentication mechanism through which only the required trainers can access military resources from a central database. What would you suggest? You should recommend the Common Access Card, or CAC, for authentication. It is a type of smart card that the Department of Defense (DoD) issues as an identification and authentication card for military personnel, DoD civilian employees, and eligible contractors. The card is used for connecting to military systems, for PKI-based encryption and digital signing of messages, and for signing in to email. It carries an integrated circuit chip (a microprocessor), a barcode, a photo, the holder’s name, the expiry date, a federal identifier, and the holder’s service, rank, and pay grade, among other details. On the rear of the card are another barcode and a magnetic strip. Both PIV and CAC are smart cards that are tough to counterfeit. A smart card is the size of a credit card and has a microprocessor that stores rights and privileges, plus printed details on the front, and both are used for identification and authentication. It belongs to the “something you have” factor. Once the smart card is inserted into a reader, the user enters the PIN linked to the card to authenticate. This keeps the card safe even if it is stolen, because the thief does not know the PIN needed to unlock what the card allows. For more information on the CAC, see www.cac.mil.

9 Scenario

Let’s now take a look at a scenario that explores another authentication mechanism. Consider a small enterprise network on which users need to access several password-protected applications. Right now, each user needs a different username and password, which means a distinct login, for each application. This is not a feasible way to work, as there are 20 applications, such as email, a database, and a training application. In other words, each user has to remember 20 different usernames and passwords. So, how do you make this network feasible and, most importantly, efficient? The answer is to implement the single sign-on, or SSO, authentication mechanism. SSO allows users to access all password-protected applications or resources after logging on with just one set of credentials; authentication happens once, and that one authentication is then accepted by multiple systems or resources on the network. Such a system is already implemented by Microsoft Active Directory and Kerberos. In the given scenario, implementing SSO would let the database, email, and application servers authenticate users with the same logon credentials: joined to Active Directory (AD), these servers accept the domain’s authentication decisions and controls. A user then does not log on separately with email, database, and application passwords. You can choose to store credentials on a token, or combine AD with a third-party single sign-on system. Using AD simplifies SSO for users and reduces support requirements, because administrators need not administer multiple user accounts per person. As an administrator, you can grant access through groups by placing users with similar rights or privileges into one group. SSO carries its own risk: a single set of credentials now unlocks everything, so if that set is only a username and password and an attacker obtains it, every application is exposed. Even so, SSO is the simplest way to alleviate the problem of multiple accounts and roles whose credentials are often written down on paper.
Such papers are easier to steal than SSO credentials held on a token. It is also important to note that SSO is not the opposite of multifactor authentication: the single sign-on itself can require multiple factors, and once that authentication is done, SSO remains in effect throughout the user’s session.

10 Scenario

Now let’s move ahead and find an appropriate mechanism by discussing one more scenario. As the network administrator, you are asked to set up a Wide Area Network, or WAN, for a large agency dealing in FOREX and stock investments. As part of its security policy, the agency has prepared a list of users who may access this network, along with a few users who must not access it at all. For everyone else, the agency wants access denied by default. So, how are you going to do this? You will fulfil the requirement by implementing an Access Control List, or ACL, with the implicit deny approach. An access control list lets network devices such as routers and firewalls drop requests from specific systems or users and grant access to the desired ones, by permitting or blocking IP addresses at the router or firewall level. Rules are evaluated in order and the first match wins, so the explicit deny entries must come before any broader permit that would otherwise cover them. At the end of an access control list, a clause known as implicit deny is implied: anything not explicitly granted is denied by default. In simple terms, any entity not mentioned on the list, whether an IP address, a packet, or anything else, is denied access. The implicit deny rule exists in router ACLs, in firewall configurations, and in file permission configurations. In short, access control lets an administrator shape the network so that it keeps specific security threats at bay.
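An added example (written for this page, not from the course) of an ordered ACL with implicit deny, in Python so that it can be run offline; the subnets and the rule order are constructed for the scenario. It also flags a rule that can never match because an earlier, broader rule shadows it, which is how an explicit deny silently stops working when it is placed after a permit.

```python
import ipaddress

# An ACL is an ordered list of (action, network) rules. Like a router or
# firewall ACL it is evaluated top-down and the first matching rule wins;
# a source that matches nothing falls through to the implicit deny.
# Constructed rule set for the scenario:
ACL = [
    ("deny",   ipaddress.ip_network("10.0.5.0/24")),      # users who must never get in
    ("permit", ipaddress.ip_network("10.0.0.0/16")),      # the approved user subnet
    ("permit", ipaddress.ip_network("203.0.113.7/32")),   # one approved external host
]


def evaluate(acl, source: str) -> str:
    """Return 'permit' or 'deny' for a source address; no match means deny."""
    addr = ipaddress.ip_address(source)
    for action, network in acl:
        if addr in network:
            return action
    return "deny"   # implicit deny: not explicitly permitted means not permitted


def shadowed_rules(acl) -> list:
    """Indexes of rules that can never match because an earlier rule already
    covers their whole range. A deny placed after a broader permit is the classic mistake."""
    result = []
    for i, (_, net) in enumerate(acl):
        if any(net.subnet_of(earlier)
               for _, earlier in acl[:i] if earlier.version == net.version):
            result.append(i)
    return result


# The same rules in the wrong order: the block on 10.0.5.0/24 is unreachable.
MISORDERED = [ACL[1], ACL[0], ACL[2]]

if __name__ == "__main__":
    for src in ("10.0.5.9", "10.0.7.9", "203.0.113.7", "203.0.113.8", "192.168.1.1"):
        print(f"{src:>14} -> {evaluate(ACL, src)}")
    print("shadowed rules in MISORDERED:", shadowed_rules(MISORDERED))
```

Running shadowed_rules over a rule set before deploying it is the check that catches the misordering: in MISORDERED the deny at index 1 is reported as shadowed, and evaluate confirms that 10.0.5.9 is permitted there although the policy says it must be blocked.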

11 Scenario

Now let’s look at some more authentication mechanisms. You are appointed as a system administrator in a company that provides Web hosting services. It is a startup, but have a firm resolution of not compromising on security at any cost. It has asked you to suggest the most secured operating system for their front-end Web servers. The staff firmly believes that any known operating system on a server has some significant security loopholes or vulnerabilities, of which the most common being weak password protection to files and accounts that a hacker can easily intrude. Such loopholes are certainly a concern when you have several users, different roles, and various networks associated with the same system. The new operating system should be so foolproof that even if a hacker– whether from an external or internal network– gains illicit access, it becomes impossible to have root access. The company is looking for a server operating system that can guarantee some critical aspects namely, memory and file protection against illicit accesses, access control to input and output devices, user authentication, trusted path with no interception in communication and, intrusion detection. The system should also ensure auditing through logs and fair service without significant delays. What will you recommend them? In the given scenario, a Trusted OS or TOS is the ideal choice. A trusted OS implements several layers of security, such as authentication, accountability, and authorization, for controlling who can access what and what they can do. It has strong features and components to fulfill all requirements, as mentioned in the scenario. A TOS splits the services on offer, such as file, printer, application, or memory access into sandboxes or compartments to allow only the desired users, applications, or administrators to enter into those areas. 
To ensure that only valid administrators can make changes, administrators need to authenticate themselves by using a secure ID card and a password only from certain network addresses. Following strict practices, a trusted OS fulfills the government’s security requirements. Common Criteria or CC is the set of common standards for security evaluation for TOS. It is a document outlined from the collective effort between the United States, Canada, Germany, France, and the Netherlands. The evaluation criteria in the document are split into seven E-A-Ls or Evaluation Assurance Levels. EAL 1 certification - It is used to assure the user that the system will function precisely. However, security threats are not considered serious in this certification. EAL 2 - It is used for ensuring good design practices but without giving high priority to security. EAL 3 - It is used for mandating careful development efforts for ensuring moderate security levels. EAL 4 - It is used for ensuring positive security engineering per the relevant commercial development practices. This certification shall become the common yardstick for commercial systems. At present, operating systems such as Microsoft Server 2008 and Windows 7 along with a few Linux implementations have been given this rating. EAL 5 - It is used to ensure the implementation of security engineering, right from the early phases of design. It aims to ensure high levels of security. This level is for special design considerations. At present, XTS-400 is given this rating, which is a multi-level secure and multi-user OS, used in Ethernet networking. EAL 6 - It ensures high assurance of specialized engineering for security. Indicating high protection level from significant risks, this certification ensures highly secure OS against penetration attackers. EAL 7 - It is used for ensuring extremely high security level. 
For this certification, the system must undergo extensive and independent testing of every component. It is important to note that EAL certifications have replaced the popular American certification system called Trusted Computer System Evaluation Criteria or TCSEC. They have also replaced the popular European certification system, Information Technology Security Evaluation Criteria or ITSEC. As an administrator, it is vital to understand that just because a few operating systems are rated EAL 4, it does not mean that each of their individual components is implemented and functioning at that level.

12 Scenario

Let’s now explore some mechanisms that are quite common in authentication practice. Assume that the users of different Instant Messaging or IM applications are demanding communication across all email platforms such as Yahoo, Google, MSN, and Rediffmail. This means there should be a single application in which a Gmail user can chat not only with other Gmail users but also with Yahoo, MSN, and Rediffmail users, through proper authentication. What do you think the probable solution is here?

In the given scenario, forming and implementing a federation is the solution, because a federation allows joining two unique or dissimilar networks. Federation refers to a collection of networks operating on a common set of operating standards, such as security and communication standards. Usually, these networks are associated with each other in some way. In the scenario, the single chat application would connect the email networks of those popular companies by implementing a common set of standards that allows users with different email clients on different platforms to communicate freely. In some cases, a group of partners may set up common standards so that employees working in each of the partner organizations can communicate safely. At times, an industry association may be formed to establish such standards for authenticating and authorizing users across organizations as well as application boundaries. Federation may also involve federated identity, a method of associating a user’s identity with their privileges in a way that allows communication across business boundaries. For instance, Microsoft Passport allows a single user identity across different businesses. Note that a federated identity may seem analogous to single sign-on, but they are different.
Single sign-on allows one password to access all resources on a single network, whereas federated identities allow access to resources on diverse networks by using a single identity.

An American publishing company has two departments, namely Publishing and Sales. Each of these departments is running its own domain namely, and This means that is the main network or domain. As the network administrator, you have been asked to allow the users in any of these domains to access resources. Further, when authentication takes place, you are supposed to ensure the lowest network overhead by keeping the number of hops to a minimum. Well, to reduce the authentication overhead, you need to create a transitive trust between the two sub-domains while creating a parent-child trust between the main domain and the departmental domains. This forms a forest tree that has transitive trust in both directions. Transitive trust means that if trusts, and that it also trusts, then both the domains related to sales and publishing also trust each other. In this way, all domains in the tree trust each other. By default, this is essential for accessing each other’s resources. You can create such trusts between domains in a tree, in separate trees, and even in separate forests. This flow makes administration significantly easier. Through transitive trust, it also becomes easier and quicker to authenticate requests from either of the two domains for accessing resources in the other, because those requests do not need to pass through the main domain, which decreases the number of hops during authentication. Despite being efficient, this authentication mechanism leaves open the risk of a hacker gaining more trust than normal simply by virtue of joining the domain. As of now, all Active Directory versions come with a default forest trust, wherein all domains in a forest trust each other through a transitive relationship.
Let’s now explore the most commonly used authentication protocols before moving to authorization. The accounts department of a consumer product company is facing replay attacks and eavesdropping in its Local Area Network or LAN, and man-in-the-middle attacks in its remotely accessible network through or VPN. This is happening despite two-factor authentication through a username, password, and security question. Valid data transmissions are being maliciously delayed or repeated to impersonate a user, either through eavesdropping or through somebody impersonating in the middle. The network consists of both new and old servers on the LAN. The older ones do not support the latest or stronger authentication mechanisms. Considering this limitation, as an administrator you have been asked to suggest a highly secure solution.

Well, in this scenario, it seems that the answers to the security questions are easy for anyone to guess. Therefore, the questions need to be replaced by something stronger. For that, you can choose from four different protocols, namely Time-Based One-Time Password or TOTP, HMAC-Based One-Time Password or HOTP, Password Authentication Protocol or PAP, and Challenge Handshake Authentication Protocol or CHAP. Let’s see under which conditions you would implement each of them. One-Time Passwords or OTPs involve using a password only once. Unlike regular passwords, such passwords are safer because they keep changing. This is exactly what makes them invincible against replay attacks, wherein a valid data transmission is maliciously repeated. You can use two algorithms or protocols for implementing OTP. The first is Time-Based One-Time Password or TOTP. This protocol uses the current time to generate unique passwords. These passwords are short-lived, which means they are valid only for a given amount of time, say 30 or 60 seconds.
The second is the HMAC-based One-Time Password or HOTP algorithm, which uses an HMAC or Hash-based Message Authentication Code to generate passwords that live relatively longer than TOTP passwords. We will cover HMAC in later lessons. TOTP and HOTP use a secret key shared between the server and the client, such as a smartphone or application, along with a frequently changing moving factor. In the case of HOTP, the moving factor is a plain counter that is incremented on each request or call. In the case of TOTP, the current time is the moving factor. The client generates the OTP from the moving factor and the shared secret key. This OTP is then sent to the server, where the same computation is performed and the result is checked against the one sent by the client. Of the two, TOTP is safer, because the password is valid for a shorter time span. This means the attacker has only a few seconds, making it impossible to crack the password. This is why Google Authenticator, online bank transactions, and Facebook use TOTP in their two-step verification. Authentication systems such as YubiKey and SMS2, however, use the HOTP protocol. In the given scenario, it is best to implement TOTP for the LAN, as it is more secure than HOTP.

Password Authentication Protocol or PAP and Challenge Handshake Authentication Protocol or CHAP authenticate dial-up or direct Point-to-Point Protocol or PPP sessions, and several kinds of VPN connections. PAP is much like a usual login procedure, wherein a remote system validates itself by submitting a username and password sent as plain text. This is why the two-way handshake of PAP is vulnerable to several attacks: the credentials are easy to analyze and interpret, which may easily result in snooping, line sniffing, or password guessing. PAP is used when connecting to older UNIX-based remote servers that do not support more secure authentication protocols. Therefore, you can consider PAP for the older servers mentioned in the scenario.
However, if cost is not a hindrance, it is better to replace these servers for safety’s sake. In the given scenario, CHAP is perhaps a more secure approach, as it is designed to stop man-in-the-middle attacks on the remotely accessed network. It does so by generating a distinct challenge phrase or key, a random string, for each authentication. The server sends this challenge to the client for use in the authentication process. During the initial authentication, the client merges this challenge with the password and passes both through the Message Digest 5 or MD5 hashing algorithm to generate a hash value. Periodically, the server sends a fresh challenge phrase or key to the client. The resulting hash value is sent to the server for validation. An attacker eavesdropping on the session cannot recover the password from it, because what is transmitted is a hash, an illegible value from which the original data cannot be obtained mathematically. The server then creates a hash value using the same challenge key and the password stored on the server, and compares the computed value with the client’s hash value. If both hash values match, access is granted. The advantage of CHAP is that the user’s credentials are not transmitted across the network.

We shall now explore the authorization mechanisms, protocols, and best practices. When configuring security, an authenticated user must be authorized to perform certain tasks or access certain resources. An access control system implements this authorization and is usually in the form of an access control list or ACL, which we have already seen in the authentication section. Now, let’s see how ACLs, through their four models, help in authorizing an authenticated user. As the network administrator, you have been asked to set up access control for the managers of each department in the company.
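Before the access control scenario continues, here are the two protocol families just described in working form: HOTP/TOTP generation with a server-side verifier that refuses replayed codes, and the CHAP challenge/response exchange in which only a challenge and a hash ever cross the wire. This is an added example written for this page, not code from the course; it follows RFC 4226, RFC 6238 and RFC 1994, so the CHAP hash is taken over identifier || secret || challenge (the RFC byte order, which the text summarises as merging the challenge with the password). The class and function names, the secret value and the user name are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import struct


# ---- One-time passwords (RFC 4226 HOTP and RFC 6238 TOTP) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian moving factor, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose moving factor is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server side: the shared secret plus the state needed to refuse a replayed code."""

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1):
        self.secret, self.step, self.drift = secret, step, drift
        self.last_counter = -1     # highest HOTP counter already consumed
        self.last_step = -1        # last TOTP time step in which a code was accepted

    def verify_hotp(self, code: str, look_ahead: int = 5) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c          # counters at or below this are now replays
                return True
        return False

    def verify_totp(self, code: str, now: int) -> bool:
        for step in range(now // self.step - self.drift, now // self.step + self.drift + 1):
            if step <= self.last_step:
                continue                       # a code for this step was already accepted: replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


# ---- CHAP (RFC 1994) ----

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = MD5(identifier || shared secret || challenge); MD5 because CHAP specifies it."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    def __init__(self, secrets_db: dict):
        self.secrets_db = secrets_db           # username -> shared secret (constructed sample data)
        self.outstanding = {}                  # username -> (identifier, challenge) awaiting an answer

    def challenge(self, username: str) -> tuple:
        ident, chal = secrets.randbelow(256), os.urandom(16)   # fresh for every (re-)challenge
        self.outstanding[username] = (ident, chal)
        return ident, chal

    def verify(self, username: str, ident: int, response: bytes) -> bool:
        pending = self.outstanding.pop(username, None)        # each challenge is answered at most once
        secret = self.secrets_db.get(username)
        if pending is None or secret is None or pending[0] != ident:
            return False
        return hmac.compare_digest(chap_response(ident, secret, pending[1]), response)


def chap_walkthrough(password: bytes = b"constructed-shared-secret") -> tuple:
    """Legitimate exchange, then an eavesdropper replaying the captured hash against a re-challenge."""
    server = ChapAuthenticator({"alice": password})
    ident, chal = server.challenge("alice")                   # server -> client
    resp = chap_response(ident, password, chal)               # client -> server: identifier and hash only
    first_ok = server.verify("alice", ident, resp)
    ident2, _ = server.challenge("alice")                     # periodic re-challenge
    replay_ok = server.verify("alice", ident2, resp)          # the old hash does not match the new challenge
    return first_ok, replay_ok
```

The verifier keeps the last accepted counter (HOTP) and time step (TOTP) so that a code captured on the LAN cannot be presented a second time, which is the replay property the scenario asks for; the CHAP walkthrough shows why a captured response is useless once the server issues a new random challenge.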
These managers should be able to allow or deny access and other privileges to their department’s employees for the shared resources on the LAN. For example, sales managers should have the right to grant or deny their assistant managers the privilege of editing sales reports, and to grant read-only access to the same reports to the rest of the sales team. So, how are you going to do this? Well, this can be done by implementing the discretionary access control model, which enables the department managers to authorize permissions themselves. The Discretionary Access Control or DAC model allows implementing a discretionary access control list to decide who gets access to resources such as files and printers. This is exactly what a manager in each department should be authorized to do. The DAC list contains users or groups, which are called security principals. These principals are given access to a resource, and the list determines the type of access or permissions a particular user or group has for that resource. The permission can be read, write, edit, and/or download. Each entry in the list is called an Access Control Entry or ACE. In this model, the managers enjoy some flexibility in deciding how other employees in their department can access information, and they can share information with them dynamically. However, the DAC model makes it tough for security administrators to ensure that access is correctly controlled through appropriate permissions.

Let’s consider the same scenario given for DAC, and presume that DAC is already implemented. However, within a few months, two or three incidents of unauthorized disclosure of information have cropped up. It seems that a few employees or managers are taking undue advantage of their privileges to leak confidential information to unauthorized users.
As the system administrator, you have also traced Trojan Horse attacks, wherein genuine users are deceived into running code that allows internal unauthorized users to access system information. How would you solve this problem? One quick and efficient solution is to implement Mandatory Access Control. In the Mandatory Access Control or MAC model, all rights and privileges of each user are fixed in advance and controlled centrally. Each individual, as the subject, is associated with a clearance level, while resources in the organization are linked with classification labels indicating the sensitivity of the information. Classification or clearance labels include unclassified for public release, restricted where leakage would cause an undesirable result, confidential where leakage would cause damage, secret where leakage would cause serious damage, and top secret where leakage would cause grave damage. These labels are more commonly used in government and military organizations. In the business world, the classification labels are usually public, sensitive (equivalent to the restricted label), private (equivalent to secret), and confidential (equivalent to top secret). Both these sets of labels are hierarchical. For example, a subject with confidential clearance can access confidential, private, sensitive, and public data. The system decides who gains access to which resource according to the subject’s clearance level and the resource’s classification label. While designing a mandatory access control system, the organization should decide on the sensitivity of its information and then allocate an appropriate classification label. In short, mandatory access control is an inflexible and rigid model compared to discretionary access control, as all access capabilities are predefined. Only network administrators may be allowed to change the rights, ensuring the maximum possible security against attacks and breaches as well as easier information control.
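The DAC and MAC scenarios above, as an added example written for this page (not the course’s own material): a discretionary ACL whose owner hands out ACEs, with a central mandatory check layered on top of it. With MAC switched off, the sales manager can grant a public-clearance intern read access to a confidential report, which is exactly the leak the scenario describes; with MAC on, the same ACE is present but the access is refused. The read rule (clearance must dominate classification) is the one the text gives; the write rule (a cleared subject may not write into a lower-labelled resource, which is what stops a Trojan run by a genuine user from copying data down) is the Bell-LaPadula star property and is an assumption added beyond the page. Names, labels and clearances are constructed.

```python
from dataclasses import dataclass, field

# Business labels named on the page, ordered so that a higher number dominates a lower one.
LEVELS = {"public": 0, "sensitive": 1, "private": 2, "confidential": 3}
READ_LIKE = {"read", "download"}
WRITE_LIKE = {"write", "edit"}


@dataclass
class Resource:
    name: str
    owner: str                                   # the manager who may hand out ACEs (DAC)
    label: str                                   # classification label (MAC)
    acl: dict = field(default_factory=dict)      # principal -> set of permissions; each entry is an ACE


class AccessControl:
    def __init__(self, clearances: dict, mac_enabled: bool):
        self.clearances = clearances             # subject -> clearance label
        self.mac_enabled = mac_enabled

    def grant(self, grantor: str, res: Resource, principal: str, perms: set) -> bool:
        """DAC: only the resource owner decides who gets which permissions."""
        if grantor != res.owner:
            return False
        res.acl.setdefault(principal, set()).update(perms)
        return True

    def allowed(self, subject: str, res: Resource, perm: str) -> bool:
        # Discretionary check: an ACE must carry the permission.
        if perm not in res.acl.get(subject, set()):
            return False
        if not self.mac_enabled:
            return True
        # Mandatory check, enforced centrally; the owner's ACE cannot override it.
        subj = LEVELS[self.clearances.get(subject, "public")]
        obj = LEVELS[res.label]
        if perm in READ_LIKE:
            return subj >= obj      # read down: clearance dominates classification (as on the page)
        if perm in WRITE_LIKE:
            return obj >= subj      # no write down (Bell-LaPadula star property; assumption beyond the page)
        return False


def scenario(mac_enabled: bool) -> dict:
    """Constructed sales-department example: a manager shares a confidential report too widely."""
    ac = AccessControl({"sales_mgr": "confidential", "asst_mgr": "confidential", "intern": "public"},
                       mac_enabled)
    report = Resource("sales_report", owner="sales_mgr", label="confidential")
    notes = Resource("public_notes", owner="sales_mgr", label="public")
    ac.grant("sales_mgr", report, "asst_mgr", {"read", "edit"})
    ac.grant("sales_mgr", report, "intern", {"read"})          # the leak: DAC lets the owner do this
    ac.grant("sales_mgr", notes, "asst_mgr", {"read", "write"})
    return {
        "intern_reads_report": ac.allowed("intern", report, "read"),
        "asst_edits_report": ac.allowed("asst_mgr", report, "edit"),
        "asst_writes_public": ac.allowed("asst_mgr", notes, "write"),   # Trojan copying data downward
        "intern_self_grant": ac.grant("intern", report, "intern", {"edit"}),
    }
```

Run `scenario(False)` and `scenario(True)` side by side: the ACL contents are identical, and only the mandatory layer changes which of the owner’s decisions actually take effect.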
Mandatory access control is ideal for authorization in networks where confidentiality is the driving force.

Let’s now proceed to explore two more access control models. Consider that you are the system administrator for a large-scale virtual company where most employees are contractors. These employees work for short periods, let’s say not more than a year, and are then replaced by new employees. For these employees, you need to implement an easy-to-manage but secure access control mechanism for working on the company’s internal network. As the system administrator, you also need to ensure that this internal network is inaccessible if the same employees try to reach it from computers and laptops other than those present in the office. You already know that discretionary access control is not secure, and that mandatory access control can be very tedious to track and administer, as you would have to make changes every time an employee leaves the company. So, what will you do? Well, this is the perfect scenario for implementing Role-Based Access Control together with Rule-Based Access Control, both of which are abbreviated RBAC. In role-based access control, access rights such as read, write, and delete are first assigned to roles, also known as groups, and then user accounts are linked to those roles. This means there is no direct allotment of resource access rights to users; authorization occurs by responsibility or job function, expressed as roles or groups whose common rights and privileges are available to all their members. Because of its use of groups and roles, this kind of access control is also known as group-based control. In the given scenario, instead of specifying access rights every time a new employee arrives, he or she can be assigned directly to a relevant role. This is also useful for employees who have more than one role for accessing specific information on the network.
For example, a writer may also act as a reviewer on another project, in which case you can assign both roles to that writer so that he or she enjoys the privileges given to both writers and reviewers. As a result, administering access control becomes quite efficient. Because users can be allotted multiple roles, and a single role can be assigned to many users, role-based access control is more flexible than mandatory and discretionary access control. Moreover, special administrator roles exist for delegating administrative rights, instead of direct ownership over the resources as in the case of discretionary access control.

Recalling the scenario, as the system administrator you need to ensure that the company’s internal network is inaccessible if the contractors try to reach it from computers and laptops other than those present in the office. In this case, you need to implement rule-based access control at the router or firewall level. It involves configuring rules on a device or system to grant or deny actions. For instance, a router can use such an access control list to determine what traffic can enter or leave the network, and this is exactly what the scenario calls for. This list has rules to allow or deny usernames, hostnames, IP addresses, domains, and even groups. When implemented together with role-based access control, rule-based control ensures greater flexibility. In the given scenario, you can allow access from all IP addresses of machines in the office and deny the rest.
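The combined role-based and rule-based design above, as an added example written for this page rather than taken from the course: rights attach to roles, users attach to roles (one user may hold several), a rule on source address stands in for the router or firewall ACL, and offboarding a contractor is a single role unbinding with no per-resource ACL edits. The role names, user names and office network ranges are constructed.

```python
import ipaddress

# Constructed role definitions: rights go to roles, never directly to users.
ROLE_PERMISSIONS = {
    "writer":   {"read", "write"},
    "reviewer": {"read", "comment"},
    "basic":    {"read", "download"},
}
USER_ROLES = {
    "asha": {"writer", "reviewer"},     # one user, two roles
    "contractor_17": {"basic"},
}
# Constructed rule-based policy: the office LAN ranges the router/firewall permits.
OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.0.2.0/24")]


def permissions_for(user: str) -> set:
    """Effective rights are the union of the rights of every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS[role] for role in USER_ROLES.get(user, set())))


def rule_allows_source(src_ip: str) -> bool:
    """Rule-based control: allow only traffic whose source lies inside an office network."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in OFFICE_NETWORKS)


def authorize(user: str, action: str, src_ip: str) -> bool:
    """Rule-based gate first (what the router enforces), then the role check (what the application enforces)."""
    return rule_allows_source(src_ip) and action in permissions_for(user)


def offboard(user: str) -> None:
    """A contractor leaves: drop the role bindings; resources and roles are untouched."""
    USER_ROLES.pop(user, None)
```

A new contractor is onboarded by adding one entry to `USER_ROLES`; the same request from a home address fails at the rule-based gate before the role check is ever reached.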

13 Authorization Security Principles or Best Practices

Next, you will learn about authorization security principles or best practices. Let us recall the last scenario, but this time with some more requirements. First, the company now wants you to ensure that the contractors cannot install any software or take a backup while using office machines; further, they should only view and download files from the company’s network. Second, the company has found that the contractors are using the office machines for personal use after office hours. This is something that should be stopped for good. How will you fulfill these requirements? This is where you apply the authorization best practices or security principles. Let us explore them now!

The first requirement is to ensure that the contractors cannot install any software or take a backup while using office machines, and that they can only view and download files from the company’s network. You can ensure this through the security principle of Least Privilege. Least privilege means you always minimize permissions, granting users only those they require. Giving more than the required permissions allows users, and even administrators, to do more with the resource than is expected. In the given scenario, you don’t want the contractors to install applications or take backups, but only to download and view files from the network share. Therefore, you put all contractors into the ‘basic’ group, which has only the privileges of viewing and downloading from the file server. Now, imagine placing the contractors in another group through which they get more privileges, such as deleting or editing an important file on the server. If one of them deleted a file unintentionally, who do you think would be at fault: the contractor who deleted the asset, or the person who put him or her into the wrong group? Therefore, it is wise to give users only the permissions required to do their work, and no more.
Let’s assume that one of the company’s contractors feels the need to install an application available on the network share. In this case, he should neither install it himself nor ask his project head to install it. This is because installation is something that only an administrator can do, and only after getting confirmation from the project head. This practice or principle is known as separation of duties. Separation of duties splits each critical task into different processes, each of which is performed by a different employee. For example, the person who fills in a check differs from the person who signs it. If the same person both writes and signs the check, the chances of fraud increase. Therefore, a single person does not complete the whole process. By involving more than one individual in a process, separation of duties reduces the chance of fraud and misuse of systems and privileges, and eliminates accidental losses. For example, it can prevent program code from entering production until it has passed through one or more rounds of testing. Likewise, several banks require multiple approvals for transferring money. This practice helps to prevent fraudulent activities. However, separation of duties does not defend you against collusion, wherein two or more people contributing to the same process conspire jointly in a fraudulent act. For example, the check writer and the check signer could together start issuing checks for their own benefit.

We shall now end the lesson with the last authorization security principle or best practice. The second requirement is that the company does not want the contractors to use the office machines after office hours. This means you need to implement a time restriction, which you can do with the help of the Time of Day Restriction practice.
Almost every operating system, whether on a workstation or a server, enables you to set up when a user account can have system access. For instance, in the given scenario, you as the administrator can set up the accounts of all contractors so that they can access their systems only from 9 AM to 6 PM, Monday through Friday. In this way, the contractors cannot access their systems during non-office hours. This not only prevents them from doing personal work but also protects against attacks during those non-working hours.
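The two remaining practices in this section, separation of duties for the software-install request and the 9 AM to 6 PM weekday logon window, as an added example written for this page (not the course’s own code). The install flow needs three distinct people in three roles: the contractor requests, a project head approves, and an administrator executes, and no one may fill two of those steps for the same request. The role assignments, names and dates are constructed.

```python
from datetime import datetime, time


class TimeOfDayRestriction:
    """Logon window for an account: allowed only inside [start, end) on the listed weekdays."""

    def __init__(self, start: time = time(9, 0), end: time = time(18, 0), weekdays=range(0, 5)):
        self.start, self.end, self.weekdays = start, end, set(weekdays)   # Monday=0 .. Friday=4

    def logon_allowed(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


# Constructed role assignments for the separation-of-duties check.
ROLES = {"raj": "contractor", "mei": "project_head", "sam": "admin", "lee": "admin"}


class SoftwareInstall:
    """Request -> approval -> execution, each step by a different person in the expected role."""

    def __init__(self, requester: str):
        self.requester = requester
        self.approver = None
        self.installed_by = None

    def approve(self, who: str) -> bool:
        if ROLES.get(who) != "project_head" or who == self.requester:
            return False
        self.approver = who
        return True

    def execute(self, who: str) -> bool:
        # An admin may install only after approval, and never as requester or approver of the same request.
        if self.approver is None or ROLES.get(who) != "admin" or who in (self.requester, self.approver):
            return False
        self.installed_by = who
        return True


def walkthrough() -> dict:
    """Evaluates the policy on constructed dates and runs the install request step by step (in this order)."""
    policy = TimeOfDayRestriction()
    req = SoftwareInstall("raj")
    return {
        "weekday_office_hours": policy.logon_allowed(datetime(2024, 1, 10, 10, 30)),   # a Wednesday
        "weekday_after_hours": policy.logon_allowed(datetime(2024, 1, 10, 19, 0)),
        "weekend": policy.logon_allowed(datetime(2024, 1, 13, 10, 0)),                # a Saturday
        "contractor_self_install": req.execute("raj"),       # not an admin, and no approval yet
        "admin_before_approval": req.execute("sam"),         # right role, but the approval step is missing
        "approval_by_head": req.approve("mei"),
        "install_after_approval": req.execute("sam"),
    }
```

The time window is checked against the local clock of the system granting the logon, which is why an operating system enforces it centrally rather than trusting the client; the separation-of-duties object records who approved and who installed, giving the audit trail the lesson’s logging requirement asks for.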

15 Summary

Let us summarize the topics covered in this lesson.
• Identification means finding who someone is, while authentication refers to the way of proving that identity. Authorization determines the resources an authenticated user can access and the actions that can be performed.
• A biometric system utilizes a distinct biological trait such as fingerprints, face, voice, or iris to identify an individual.
• Security tokens facilitate session-based authentication, wherein the proof of identity is valid only for that particular session or login.
• Common Access Card or CAC refers to a smart card that the Department of Defense or DoD issues as an identification/authentication card for military personnel and non-DoD employees.
• SSO authentication allows users to access all password-protected applications or resources with just one set of credentials.
• A trusted OS is ideal for Web servers, as it features several layers of security, such as authentication, accountability, and authorization, for controlling who can access what and what they can do.
• The evaluation criteria in the Common Criteria document for a Trusted OS are split into seven EALs or Evaluation Assurance Levels, of which EAL4 is for commercial system development and EAL7 is for the highest level of security.
• Transitive trust is another authentication protocol for allowing quick and efficient authentication between domains in a tree, in separate trees, and even in separate forests.
• The Time-Based One-Time Password or TOTP protocol uses the current time to generate unique, short-lived passwords lasting no more than a few seconds or minutes. This makes it more secure than the HMAC-Based One-Time Password or HOTP protocol, whose passwords live longer.
• There are four access control list models, namely discretionary, mandatory, role-based, and rule-based.
• The authorization practice of Least Privilege is preferable when each user is supposed to be given only minimal or work-related rights.
• Separation of Duties does not protect against collusion, wherein two or more people conspire jointly in a fraudulent act.

With this we conclude this lesson, ‘Selecting the Appropriate Authentication, Authorization, or Access Control in a Given Scenario.’ The next lesson is ‘Installing and Configuring Security Controls when Performing Account Management, Based on Best Practices.’
