CCT 152: Federated Identities and Credential Management for the CISSP Exam (Domain 5.3)
Jun 24, 2024
Want to ensure your organization's sensitive data remains secure in today's mobile-centric world? Tune in to our latest CISSP Cyber Training Podcast episode, where we unravel the complexities of federated identities and robust credential management. Learn from the high-profile data breach involving Change Healthcare and discover how multi-factor authentication could have prevented such a disaster. We promise you'll gain essential insights into how federated identities streamline authentication processes, making your digital life both secure and efficient.
We'll also explore the pros and cons of centralized versus decentralized identity management, highlighting real-world examples like Google and Facebook authentication. Curious about just-in-time credentials? We explain how temporary, on-demand access can significantly reduce security risks, and examine top credential management systems like CyberArk, Keeper Security, and LastPass. To cap it all off, hear about our exciting new non-profit initiative supporting adoptive families. Don't miss out on this comprehensive guide to mastering domain 5, section 5.3 of the CISSP curriculum!
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.
Speaker 2:
Good morning. It's Sean Gerber with CISSP Cyber Training. Hope you all are having a blessed day today; today's Monday. So what are we doing today? Today we're going to be talking about a lot of cool stuff as it relates to federated identities. Yes, awesome stuff coming your way, and this is going to be on 5.3. I think it's basically 1 through 3. So if you're following along on the CISSP Cyber Training Blueprint, you'll be able to gain access to that and be able to see it. So we're kind of going along as we move through each chapter of the CISSP. That's the part of the podcast where we go through chapter by chapter, looking at each specific area to help give you a little bit more guidance and direction around the CISSP exam.
Speaker 2:
But before we get started, we're going to talk about one thing I saw, as we noticed, in the United States. We had a hack that occurred with Change Healthcare, basically the intermediary between the insurance companies and the individuals, and it looks like approximately most of the people in the United States got their information stolen. Yeah. Well, if you haven't put in place some sort of protection around your identity, I would highly recommend it. If you're listening to this podcast, you probably already are in this situation, but if you haven't done so, I would highly recommend that you have your identity protection put in place, especially if you're here in the United States, because if you haven't had your identity stolen up until this point, which is highly unlikely, I'm sure you have at this point, then now the Change Healthcare breach probably got the rest of it. So I would consider it very strongly if you would go out and get your identity locked up as it relates to all of the major credit reporting agencies. That would be TransUnion, Experian, Equifax and so forth. So do not wait. But it sounds like it basically got health insurance information, primary and secondary health information, your ID cards, record numbers, diagnoses, medical conditions, claims, patient numbers, you name it, they got it all. So whether or not, I mean again you're talking, let's just say roughly, let's just say 300 million people, that's a lot of information, and it's not like they're going to go through any of it. I mean they may, but most likely they're just going to dump it out on the dark web, but somebody will pick it up. Your data has been compromised. So definitely go and look at some sort of way to protect your information, whether it's locking up your credit or whatever special Gucci stuff you do. I would highly suggest it, because it's just not looking so good for them.
Speaker 2:
Basically, what ended up happening is they were able to gain access with credentials through a Citrix-based management portal that didn't have multi-factor enabled, and I'm sorry, but this is just buffoonery. If you don't have multi-factor enabled, especially on some sort of remote access connectivity, it's just a bad idea. So they got access to it, they were able to get prescriptions filled using medical services, and all this stuff just kind of snowballed. So they're saying that the costs of this attack are going to be close to a billion dollars to resolve this issue for this one company. So yeah, it's bad stuff, guys. It really is. So, that being said, you all got it, you're aware of it. Kind of a little nugget of information for you all to take into your Monday and the rest of your week and be excited about cybersecurity.
Speaker 2:
Yes, so let's get started on our lesson for today. Okay, so this is going to be Domain 5, 5.3, federated identities and credential management. So we're going to go over federated identities and everything that's going to be tied to that. We're also going to go into credential management and the importance of that. And again, you'll be able to get access to all of this data both on my website at CISSP Cyber Training, and then eventually you'll be able to see it on YouTube as well. But it's all available and it all ties back to the CISSP Cyber Training Blueprint that's available to you. Also, we're making some changes to my bronze package.
Speaker 2:
If you go to CISSP Cyber Training, basically all the funds that are being created from CISSP Cyber Training at this point forward are all going to a non-profit that my wife and I are starting up. It's all going to be tied to helping adoptive families be able to have extra funds for adoption. So if you purchase anything from CISSP Cyber Training going forward, it's all going to be tied to our non-profit, which I still have to name. My wife and I are thinking something like Psalms something-or-other. So we're close. We're close, but the non-profit is going to get all the funds that come out of this, because that's what's important.
Speaker 2:
Okay, so Domain 5, 5.3, federated identities and credential management. So how does this all play in? Well, as you guys know, we talked about it just recently. Obviously, it was this last situation where you've got single sign-on, you've got multi-factor authentication, you've got different ways to identify yourselves within a company, and what federated identity is, it's basically a one-stop shop for identification. And as we go into this new world that we're in, everything is mobile. Right, they talk about that: most people spend between 70 and 80% of their time on their mobile devices versus being on a computer, and that's true. I mean, I'm on a computer because that's what I do for a living, but your phone is with you wherever you go, so everything is in a mobile app of some kind.
Speaker 2:
Now, all of these different federations, they call it, and it's a big word. You know, I don't like the Star Trek Federation, but it's the part where it's all federated amongst everything that's out there. It's pushed out, it's touching everything, and so this is all integrated with the cloud, but it's also integrated with your on-premise systems, depending on how much you have on-prem, which basically means in your data center, in your facilities, versus what's in the cloud and what it touches. And the purpose of this is ease of management, reducing the complexity of it, because if you had multiple identity solutions in place, it gets extremely complex. It gets very challenging to manage. So what do you do? Well, if you federate this across multiple different avenues or platforms, it becomes much easier to manage, and it reduces the size of your team to a much smaller group that can manage a much larger footprint.
Speaker 2:
Again, though, multi-factor is important. If you don't have it, I would highly recommend it. Okay, so functionality: how does this all kind of tie together? Well, you'll hear the terms single sign-on and multi-factor sometimes used synonymously. They're not. They're very different. When you're dealing with single sign-on, what it does is it's allowing one set of credentials, and we'll go into each of these a little bit differently, but it allows one set of credentials to let you be singly signed on to your facility or to your systems, and so there's an important factor. Now, multi-factor is a second form of factor that you have to have with you to help you sign on. Now, you may have single sign-on credentials, which means seangerber@billybob.com is my login credential and I have one username and password, but I will then have a multi-factor token which allows me the additional level of authentication to get into my environment. But they sometimes get used synonymously. They're not. So just keep that in the back of your mind.
Speaker 2:
Now, identity governance and administration. The purpose behind it, when you're talking about all these different aspects, is trying to govern, or put a bow around, or put some level of structure around identities. So when we talk about governance, and we have a section in the CISSP where you talk about governance, it is all about managing the group, the overall program, the governance of that specific program, and this helps to manage your identities, your applications and various other aspects along with it. And the other thing that it will allow is, when you're getting into these third parties and these different types of federated access, it allows you to have reports and logs that are providing you greater visibility within your environment. Now, these logs for identity access are really important, because the logs can be put into what we call a SIEM, which we've talked about before on the podcast. SIEM is your security incident event management system, and all these logs come in and get aggregated to a central point. So it's important that you have a good understanding of the overall structure, because everything feeds together.
Speaker 2:
Now, identity governance, we talked about that, just kind of tapped on it a minute ago. But what is identity governance? Identity governance is crucial for the overall control of your environment, and so you have to have this. If you don't, it gets very complicated and very hard to manage. So this includes your documentation, your monitoring, reporting, and then your access rules, roles and overall entitlements. And when we talk about entitlements, you'll hear me say that, but that's basically what allows you access into something. It's your credentials, but it's: Sean has credential A, but he has an entitlement for credential A and B. That's the entitlement aspect of it. So, operational documentation: this helps provide structure and oversight on how you would implement local access controls within your local space. It also establishes a model, a governance framework, to help you ensure that you meet compliance with your processes and procedures.
Speaker 2:
That doesn't mean compliance with a big C. That means compliance with meeting the goals of what your program states, such as, if I know that my individuals are going to log into a certain system, then I have that compliance built around it and the processes built around how they're going to do that. Will they use CyberArk? Will they use some sort of credential management system to gain access? Those are the processes and procedures. That's the governance around it. It says Sean will do this. This is part of Sean's job. Sean will log into CyberArk. Sean will pull out the credentials and use them for his admin rights. That's the governance piece of it.
Speaker 2:
Your monitoring and reporting piece is the compliance with policies and standards that you have for looking at those accounts. It can be done through executive dashboards, it can be done through various reports, but it's: Sean logged into this system and he pulled credentials out of CyberArk. There's a log for that. There is some guidance around that. And then there's the access rules, roles and entitlements piece. We kind of talked about entitlements, but it's: what are you allowing Sean to go do? What are the exceptions that Sean can do? So, as an example, say you have a USB exception. It's a little bit different, but you have a USB exception. That USB exception would be an entitlement that Sean would have. I'm talking about me in the third person. It's kind of weird, but that's the overall plan: that you would have some level of entitlement tied to your name and it would manage all of these different credentials that you can use. And, again, it maintains the overall life cycle around the processes, the rules, etc.
Speaker 2:
Now identity governance is really important because it's crucial to have effective control over your logical environment, and this includes operational readiness advisories that basically come around and say what is going on within your organization. This would be various stages around requirements, design, test and finalizing your operational onboarding processes. It also provides a level of advisory and consultation to the development of various systems. So that's your advisory, your operational readiness advisory. Then you have your change management advisory. Now, one thing that's important for you always to understand, depending upon the size of your organization, you may have a change management process. Now, if you're a small company, your change management process may be "I just tell Bill and Bill does it." That's change management. If you're in a large company, it can be a very convoluted, challenging process to navigate through. My current contract? Yes, it's a very challenging, convoluted process. It is put in place as a good thing, I get it, but it also adds a lot of extra stuff. So you've got to understand your change management plan.
Speaker 2:
It is the process of managing changes throughout identity access. So when we talk about change management, it doesn't just focus on devices and hardware. It can be around identities. So is there a change management process focused specifically around identity access? And it provides that advisory communication on what could potentially be happening. One thing to think about when you're dealing with identities: if, for some reason, your password needs to change, it's tied to your identity. This is where the emails come in and say your password will expire in X days. That is an advisory around the change management process. That is what needs to occur. So, therefore, there's kind of a process that goes through that. So that is the overall change management advisory.
Speaker 2:
Now we get into the federated piece of this. What are the federated aspects? So identity management is where you want a single identification, and this can be used across multiple enterprises, and we're going to talk about how this plays in with your Google and your Facebook here in just a minute. But you want it to be able to be federated, connected to various other entities that are throughout the web. As an example, a lot of times they use what's called SAML, and SAML is Security Assertion Markup Language, big ten-dollar words that, for a person that graduated third grade, are really hard. However, the Security Assertion Markup Language, SAML, allows for the consolidated transmission and authorization across various partners. Think of it this way: we talk about PKIs. PKIs are a standard way that data is shared between point A and point B. SAML is a very similar thing. Not that it's a PKI, but it's a standard way for that across all organizations, and it allows you to have related and unrelated networks.
Speaker 2:
If you're a member of the federation, it allows for immediate access. It's pretty amazing, and a lot of times developers will add their Google authentication or Facebook authentication into their development code, so that allows them to expand their ability to reach. So, if you look at it from a marketing standpoint, if I force you to put a username and password in, that's one more username and password you have to manage. If I tell you that you're going to just use your Gmail account, that makes it much easier for an individual to remember, and then they're more likely to come to your site and buy from you. So it's a really good thing. One, it's a great security tool, but two, it also allows for much easier use throughout the web.
Speaker 2:
Now Active Directory has to be in place. They have low-cost federated identity options with AD, and this would allow you to get set up. Now there are opportunity costs for setting this up and you would potentially need contractors to help you, depending upon the knowledge within your organization. But again, we talked about Google, Facebook, etc. Now, as you're talking about identity operations and how those all work, again they are the day-to-day access control requests that are coming in. You utilize some level of federation to help you with that process, and the more automated you can make that and the more streamlined, the better off you will be. This also allows you to enforce logical access controls. So these logical access controls will be in place and available because you are allowing everything through federation. It allows you to have ID and access request approvals, and it allows those responsible for day-to-day operations to manage these access requests and provision them in a timely manner. So again, when you're talking about federation, it does streamline the entire process.
Speaker 2:
If any of you guys have been in IT for a while, and I know a lot of my listeners are kind of a little bit not as senior as me, but they're a little bit more senior within the IT space and have listened to this for a while, they understand that in the early days it took forever to get provisioned with an account. Now, today, in many enterprises especially, you can get provisioned an account within 5, 10, 15 minutes. You can have all the things you need. It's a very quick process because it's all automated, it's all federated, it's all connected, which is an awesome thing. But in the days of old, yeah, that wasn't so much the case.
Speaker 2:
So when we're dealing with centralized identity management, there are some things that you need to kind of think about: some positives, some cons, some good things and so forth. So one of the things we talked about is a seamless user experience. Again, the users all get one set of credentials, reducing the friction and password fatigue. It also reduces the risk of password reuse, which we see all the time, and which is why many hacks occur, because of some level of password reuse. And I'll be honest, I use the same password on some of my logins. At, what do you call it, some of the news organizations to read what's going on, and the reason is because I don't care, it's already been compromised, I don't care. If someone wants to read the news, good on them, and that's fine. But what happens is, so often, as we all know, people reuse passwords everywhere. So it helps with that. It also helps with consistency, where data is stored consistently across multiple platforms, and it allows for the automated provisioning and deprovisioning which we talked about, and it really helps make this whole process a much smoother process.
Speaker 2:
The other piece that's really important is it does help with threat mitigation, in that it improves the visibility across all these different systems. So, as all these logs are coming in, you have one identity tied to one person that is touching many applications. You now don't have to go hunt for the fact that in one application Sean Gerber's username is seangerber@blankety-blank, whereas in the other application it's sean_gerber@blankety-blank, or it could be seang123456@blankety-blank. You see, the whole problem comes in where it just makes it more challenging, whereas if it's all under one centralized identity, it makes it much simpler to find the bad guys if they're using your credentials, or to find the people that are being an insider and stealing stuff. That's a different topic, all right. So again, the challenges, though: it's a single point of failure. If any of you all have experienced when the identity provider goes down, yeah, all work stops, and that is a problem. So it's something that you have to be aware of and you have to work yourself through the definition. Also, we talked about some of the different use cases: you have single sign-on, you have automated provisioning and you have threat detection. So there's a lot of different ways that can help you with your centralized identity management.
Speaker 2:
Now, that's centralized. Now decentralized identity management. This is where you'll see the acronym DID. So decentralized identity management empowers individuals to control their own, right. So you have your own ability, rather than having a centralized authority to manage it all. So here are some decentralized identity solutions. Now, a lot of these are built on public blockchains, such as Ethereum, and this allows individuals to manage identity-related information specifically and directly.
Speaker 2:
Now, the good part about that is, again, it's self-sovereign. Basically, you can control your own identifiers, you decentralize your identifiers without relying on any central authority. You have privacy protection, obviously, because now you own it. No one else sees the data but you. You have portability. Again, your identities are stored in a mobile wallet. Again, that helps them with the selective and the trusted parties, and you're not locked into some specific area. So why are these important? Well, when it really comes right down to it, as the zero-knowledge technologies are coming into this space, it's nice to have the ability where everything is decentralized; you own, you control the power of your identity. Nobody else has that, and these are starting to burgeon out because of all the failures that you're seeing within these different, various accounts. And it does enhance privacy. It reduces reliance on the single point of failure that we deal with. So, as we get into various pieces around the overall security space, you may begin to see more and more of the decentralized identity management. I have not done much with them myself. I've seen them talked about, but I haven't really worked a whole lot with the decentralized side of the house other than owning my own identity when I log into xyz.com.
Speaker 2:
Now, when we're dealing with on-premise, there are different types, as we talked about; we're going to get into hybrid, we're going to get into cloud, but when we talk about on-premise, on-premise is where it uses your corporate LDAP or your Active Directory environment. It does integrate with SSO, right, so you can have it set up where you have your single sign-on for the one company that you're at, and it will use different mechanisms such as SAML, Windows authentication, etc. There may be configurations for it to be workable with SSO or with a specific application, and it may require people in your environment that can help you with this. Now, if you don't have someone local, you may have to contract some of this work out to other people. Now, when you're dealing with on-prem as well, provisioning, the process of creating, modifying and deactivating, can be a little bit more kludgy and clunky. It just depends if you've been able to automate this process. There can be APIs that are connected with this process as well, and if you've been around for a while, maybe you have integrated those. If not, you may have to consider: will that identity work with an API connection?
Speaker 2:
There are identity management services. These provide pre-integrated solutions for your application. So say you buy an application; it may already be built into that application itself. So it's something that you can go ahead and just turn on and make work. So we talked about some of the different options that are dealing with identity management. So one we talked about is single sign-on; just real quickly, user convenience. It's also much more secure because there are fewer points of entry, and it is very efficient.
Speaker 2:
LDAP and centralized control. This is basically your Active Directory, and most big, large corporations will have something like this, and this is a central directory service for managing, obviously, usernames, passwords, your entitlements and so forth. It's set up across multiple data centers and it's very large, and it allows you to have a very large user base. Many corporate networks will use LDAP for, obviously, their user authentication. Now you can add another piece to this and go LDAP with PKI, which is your public key infrastructure, and this would enhance your security. We talk about this in CISSP Cyber Training; obviously it's around the encryption piece of this, where you have secure data transmissions. You have revocation of certificates. The certificates are tied to your identity, so these are the X.509 certificates. So all of those pieces are layered on top of your current Active Directory environment, and I highly recommend PKI if you can put it within your company. But it does add another level of complexity, which in turn will require individuals to help you set that up and maintain it. But it is a positive thing within your company if you can roll it out.
Speaker 2:
Now, when you're dealing with SSO and federated identities, you have federated SSO. This is where we talk about your identity provider, and you'll see the acronym IdP. This is where they gain access to multiple service providers, or SPs, and the SPs will trust the IdP's assertion. So the IdP could be Ping, and then your service providers could be your Googles, your Facebooks and so forth. They are now across multiple service providers. This does allow you to have all of these different logins. It helps you reduce credential fatigue, where you have multiple login attempts or multiple logins with different credentials, requiring all these goofy passwords. It does help a lot with that. A good example, obviously, is your Expedia and your travel booking websites and so forth. All that stuff is shared across multiple platforms. Great thing, works wonderfully. I highly recommend it, but not everybody is willing to implement that within their applications.
Speaker 2:
You have cloud-based federation. This is where you're federating identities across various cloud services such as Azure AD, Google, any of those. They are all federated across, I mean, Google Cloud Platform, GCP. They're all federated across multiple areas. Users will authenticate once and then they're good to go on all of them. Now the benefits of this are central control and scalability. Again, with multiple cloud environments it works really, really well, and I would highly recommend that if you have enterprise-grade applications that are communicating, especially from cloud to cloud. A lot of times people will keep their enterprise solutions in one cloud, Google, Amazon, whatever it might be, but if you go especially across cloud to cloud, this is a really good way to help you federate across those.
Speaker 2:
We talked about on-prem federation again, SSO and how SSO works. SSO within your HRX system, really good idea. Then now you have one person that's tied just to one name, and so forth. Hybrid federation. This is where you have a combination of on-prem and cloud-based federation, hence the name, right. It does work across both environments, especially if you are a company that still has an on-prem premise, which many do, a data center of some kind, and then they also have a cloud premise, a cloud environment; then that's where this works across both of those. And again, it allows for coexistence between legacy and modern systems, and it does allow you to transition between those two without having disruption. So it does allow you to move from on-prem to the cloud, and I would say you're probably never going to... I say "never"; never is never the right word. It's highly unlikely that you'll ever get away completely and have everything in the cloud. That may not be the best choice, but as businesses are moving towards kind of this hybrid environment, you can definitely see where the credentials are important to share between those two.
Speaker 2:
And then we're talking about just-in-time credentials. Just-in-time credentials provide temporary access when needed, and they're generated on demand. As an example, you get access to a website and you forgot your password. That will generate a one-time key that allows you to gain access so that you can go in and then reset your password. That's the just-in-time type of credential. It minimizes your exposure, and users only get the access when they need it. So, again, it's really good for specific tasks, or password-required resets, or allowing them access for a very small window. All of those things are good when it comes to just-in-time credentials.
Speaker 2:
Okay. So now we're going to roll into, just real quickly, credential management. And what are credential management systems, CMSs? So you'll see a lot around. A good example is CyberArk or Keeper Security or LastPass. They are like a credential management system. Now, we've talked about this before in CISSP Cyber Training. It depends upon the CMS you want to use, but these will keep a lot of the information available for you, whether you are using them for getting credentials in and out, whatever it might be; they're available for you. Now.
Speaker 2:
These CMSs can be a standalone application or they can be an integrated solution within your environment. So a good example is that if you have someone that's within your Windows environment, there may be Windows authentication, where their CMS is then managing all the credentials within that. So your NTLM, your Kerberos and so forth, all of that stuff is done within the Windows environment, and they can do this based on certificates or on smart cards, and that's the self-contained CMS environment. And these are used with third-party apps as well, so you can get those to store credentials in Edge, Explorer, Office, Teams, etc. All that stuff can be done there in their own internal CMS. You also can get into applications such as the LastPasses, the portals, Dashlane. All of those can be the third-party credential managers that can store all of this stuff for you as well. So you need to understand that you have your own internal CMS, which I've used for different pieces within my enterprise, and then I also have my own external CMS, the third-party CMS that I use, that stores credentials that are more of a personal nature. But all of those CMSs will manage their credentials for you.
Speaker 2:
Now you can do it in a couple of different ways. They can do it through scripted access. They can do it through session management. The scripted access allows for an automated login process, with scripts that provide the credentials to the system. It could enable SSO, allowing for automated access without even manual input, and these credentials would be stored within the credential manager. They would be pulled out and then used specifically for whatever is being done, and that script is all set up for authentication to grab the credentials, the user credentials, potentially put the credentials back, or have the script set up where the credentials will expire. So all of those things can be set up in a scripted format.
Speaker 2:
You also have session management, where the users and the sessions, including login, logout and all of those aspects, are maintained specifically for that specific session, and this enforces the user identity, enforces that appropriate rights are being used, and then what happens is that it will bind those authentication credentials to that specific traffic that's occurring, and it allows for a much more secure connection between point A and point B because you're managing that specific session that's occurring. Now, again, they can be very complex due to the interaction between authentication, the session cookies and the access control. So if the dance is working well, then everything works great. If anybody steps on somebody's toes, then it all falls apart. So session management can be a very secure platform if you have really good controls around it; if you have good people managing it, it can work well. But when it trips up it causes all kinds of drama. So that's the only downside when you're dealing with session management.
Speaker 2:
Okay, so that is all I have for you today, so I hope you guys get a lot out of this podcast. Please go on out to Apple, out to iTunes. Rate the podcast, give me some feedback. We are fast approaching 10,000 downloads a month. Things are just smoking. We're extremely excited. Go to cisspcybertraining.com. Go check it out. Again, all of the training that's available on CISSP Cyber Training is all going to be for a non-profit. I'm not keeping any of it. It's all getting pushed off to our non-profit to help adoptive families, so they are able to get through the process and adopt kids. So go there, purchase the products, do whatever you need to do. I'm here to support you in any way I possibly can.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!