Identity and Access Management

Companies in this category specialize in software, systems, cloud services, or managed services that store and control identities: usernames, passwords and other credentials, and the privilege levels attached to them. These systems keep outside parties from gaining access and keep legitimate users from reaching files and systems above their privilege level.
 

Key Terms and Services

Identity and Access Management
Although this is the category name, it is also a key term to understand. Identity and Access Management (IAM) is a discipline within cyber security that, when done properly, ensures the right users access the right resources at the right time, and nothing more.


Identity Access Management as a Service
Also called IAMaaS or IDaaS, this is a cloud-based access management service that is managed, maintained and hosted by a third-party provider. Using such a service removes the burden of running the identity systems yourself, allowing you to focus on other areas of the business; deciding who should hold which rights and privileges, and reviewing them, remains your responsibility.


Identity-aware Networks
Also called IAN, this is a network that ties access decisions to the authenticated identity of the user or device rather than to a network address alone, monitoring user behavior and enforcing identity-based privilege policies.


Directory services
A service that maps names to the objects or addresses they are tied to. Directory services are used within enterprise server infrastructures to allow efficient searching by organizing the network into a hierarchical namespace. Many directory services also manage user privileges, i.e. configuring which user has access to what, and when.

 

Examples:

  • Microsoft Active Directory
  • Domain Name System (DNS)
  • Apache Directory
  • Red Hat Directory Server

Multi Factor Authentication 
Multi Factor Authentication (MFA) is a method of authentication, used by many systems and services, that requires a user to present two or more pieces of evidence to prove their identity. There are three categories of evidence a user can be asked for: something they know (a password or PIN), something they have (a token, key fob, smartphone app or smart card), or something they are (a biometric such as a fingerprint or retinal scan). The factors must come from different categories; a password plus a security question is still only one factor.

The most common form of MFA is Two Factor Authentication, or 2FA, which typically uses a password as the first factor and something you have, such as a token or phone app, as the second. A familiar everyday example is a debit card at an ATM: the card is something you have and the PIN is something you know. Note that a code the user types in, whether it arrived by SMS or was generated by an app, can still be phished; factors such as smart cards or hardware keys that are bound to the service being accessed resist this.


Non-repudiation
In the context of IT, this refers to a message or data sent in such a way that the sender cannot later deny having sent it. It is provided by a digital signature made with a private key that only the sender holds.


Hash Functions
Hashing is a method of checking and ensuring data integrity. A hash function is an algorithm that computes a short, fixed-length value (the digest) from the data itself, so that any alteration of the data produces a different digest. If the data is altered on the way to its destination, the digest the receiver computes will not match the one that was sent, alerting the receiving party to the loss of integrity. A plain hash only detects accidental corruption or changes by someone who cannot also replace the digest; an attacker who can alter the data in transit can usually recompute the digest too, so integrity against a deliberate adversary needs a keyed hash (HMAC) with a shared secret, or a digital signature.
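As an added example (not from the original page) of the integrity check described above, the Go program below hashes a message with SHA-256, shows that a one-character change produces a different digest, and then shows the limitation: an attacker who can rewrite the message in transit can recompute an unkeyed digest, so the receiver's plain-hash check passes while a keyed HMAC check, which the attacker cannot recompute without the key, fails. The message and key are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sha256Hex returns the SHA-256 digest of data as hex. Any change to the
// input produces an unrelated digest, which is what integrity checking relies on.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// hmacSHA256Hex computes a keyed digest (HMAC). Without the key an attacker
// cannot produce a valid tag for modified data, unlike a plain hash.
func hmacSHA256Hex(key, data []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyHMAC compares tags in constant time so that timing does not leak
// how many leading bytes of a forged tag were correct.
func verifyHMAC(key, data []byte, tagHex string) bool {
	return hmac.Equal([]byte(hmacSHA256Hex(key, data)), []byte(tagHex))
}

// tamperInTransit simulates an attacker on the path who rewrites the message
// and, because a plain digest needs no secret, recomputes that digest too.
// The receiver's plain-hash check still passes; the HMAC check does not,
// because the attacker cannot recompute the tag without the key.
func tamperInTransit(key []byte) (plainHashPasses, hmacPasses bool) {
	original := []byte("transfer 100 to alice") // constructed sample message
	sentDigest := sha256Hex(original)
	sentTag := hmacSHA256Hex(key, original)

	tampered := []byte("transfer 900 to alice")
	forgedDigest := sha256Hex(tampered) // attacker replaces the digest as well

	plainHashPasses = sha256Hex(tampered) == forgedDigest && forgedDigest != sentDigest
	hmacPasses = verifyHMAC(key, tampered, sentTag) // tag still the original one
	return plainHashPasses, hmacPasses
}

func main() {
	key := []byte("constructed-demo-key-do-not-reuse")
	fmt.Println("sha256(abc) =", sha256Hex([]byte("abc")))
	fmt.Println("sha256(abd) =", sha256Hex([]byte("abd")))
	plain, keyed := tamperInTransit(key)
	fmt.Println("tampered message passes plain hash check:", plain)
	fmt.Println("tampered message passes HMAC check:      ", keyed)
}
```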


Digital Signature
A digital signature is a cryptographic operation used when sending messages to provide authentication of the sender and proof that the message was not altered along the way. The sender computes a hash of the message and signs that hash with their private key; anyone with the sender's public key can check the signature against their own hash of the received message, which confirms integrity. Because the private key is held exclusively by the sender, a valid signature could only have been produced by them, which provides authenticity and non-repudiation. Signing is a distinct operation from encrypting the message: the message itself travels in the clear or is encrypted separately.
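An added example, not from the original page, of signing and verifying with the Ed25519 scheme from Go's standard library. The Envelope type, the sender names and the messages are constructed for the demonstration; the point is that the verifier needs the sender's public key from a source it trusts, and that both a tampered message and a signature made with another private key fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Envelope is what travels: the claimed sender, the message and the signature
// over the message. The signature covers every byte of Message.
type Envelope struct {
	Sender    string
	Message   []byte
	Signature []byte
}

// newKeyPair generates a signing key pair. In practice the private key is
// created and kept by the sender and never leaves them.
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signEnvelope signs with the sender's private key. Ed25519 hashes the
// message internally as part of signing, so the signature is a fixed
// 64 bytes however long the message is.
func signEnvelope(sender string, priv ed25519.PrivateKey, msg []byte) Envelope {
	return Envelope{Sender: sender, Message: msg, Signature: ed25519.Sign(priv, msg)}
}

// verifyEnvelope looks the claimed sender up in the receiver's trust store
// (a map here; a CA-issued certificate in a real deployment) and checks the
// signature with that public key. Any change to the message, or a signature
// made with any other private key, fails.
func verifyEnvelope(trusted map[string]ed25519.PublicKey, env Envelope) bool {
	pub, ok := trusted[env.Sender]
	if !ok || len(env.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, env.Message, env.Signature)
}

// signatureDemo reports whether three envelopes verify: the genuine one, a
// copy whose message was altered in transit, and one signed by an impostor
// claiming to be alice.
func signatureDemo() (genuine, tampered, impostor bool) {
	alicePub, alicePriv := newKeyPair()
	_, malloryPriv := newKeyPair()
	trusted := map[string]ed25519.PublicKey{"alice": alicePub}

	env := signEnvelope("alice", alicePriv, []byte("pay bob 100")) // constructed message
	genuine = verifyEnvelope(trusted, env)

	altered := env
	altered.Message = []byte("pay bob 900")
	tampered = verifyEnvelope(trusted, altered)

	forged := signEnvelope("alice", malloryPriv, []byte("pay mallory 900"))
	impostor = verifyEnvelope(trusted, forged)
	return genuine, tampered, impostor
}

func main() {
	g, t, i := signatureDemo()
	fmt.Println("genuine verifies:", g, "| tampered verifies:", t, "| impostor verifies:", i)
}
```

The trust-store lookup is the part people forget: a signature only proves that whoever holds the matching private key signed the message, so non-repudiation depends on binding that public key to a named person or system beforehand, which is what PKI (below) exists to do.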


Data Encryption
Data encryption is the transformation of data, under a key, into what is called “ciphertext”, which is unreadable without the corresponding key. Encryption can be done with a variety of algorithms, some more secure than others. Unencrypted data is referred to as “plaintext” or “cleartext” and is readable just like words printed on the page of a book.

 

Public Key Cryptography
A form of cryptography where each user has a pair of keys: a public key that can be shared with anyone and a private key held by that user, and only that user. Data encrypted with the public key can only be decrypted with the private key, which provides confidentiality: anyone can encrypt a message to the key holder, but only the key holder can read it. Conversely, an operation performed with the private key (a signature) can be checked by anyone holding the public key, which provides authentication, because only the holder of the private key could have produced it. Asymmetric operations are computationally expensive, so they are mostly used on small blocks of data such as keys and hashes rather than on bulk data.

 

Public Key Infrastructure

Public Key Infrastructure, or PKI, is the set of services and systems that manage the issuing of certificates containing an organization's or individual's public key. The organizations that issue them are called Certificate Authorities, or CAs. Users rely on CAs because they are trusted third parties that gather verifiable information from, and about, the owner of a public key before issuing a certificate. A certificate contains the owner's identity and actual public key and is signed by the CA, so you can receive a certificate from anyone and know it is valid if the signature checks out against a CA you already trust. The idea is to prevent man-in-the-middle (MitM) attacks: with a verified certificate you know whose public key you hold, and by the nature of asymmetric cryptography only the intended recipient's private key can decrypt a message encrypted with that public key; a public key cannot decrypt what it encrypted. The caveat is that a signature from a CA that is not in your trust store proves nothing, so the trust store itself has to be managed. PKI systems can also be set up in house via on-premise servers or in the cloud.
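The following Go program is an added example, not from the original page, that builds the trust relationship described above with Go's crypto/x509 package: a self-signed root CA, a certificate that CA issues for a hostname, and the relying party's verification against its own trust store. It also shows the caveat: a certificate for the same name issued by a CA that is not in the trust store, and a genuine certificate presented for the wrong host, both fail. The CA names and hostnames are constructed; the certificates are generated at run time and never leave the process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// randomSerial picks a 128-bit serial; a CA must never reuse a serial number.
func randomSerial() *big.Int {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	return serial
}

// createAndParse signs the template with the parent's key and parses the DER
// result back into a certificate usable as a parent or for verification.
func createAndParse(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA creates a self-signed root: the trust anchor relying parties install.
// Its private key is what makes the CA's signature unforgeable.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return createAndParse(tmpl, tmpl, pub, priv), priv
}

// issue has the CA sign a certificate binding dnsName to subjectPub. This is
// the step at which a real CA first verifies that the requester controls the name.
func issue(ca *x509.Certificate, caKey ed25519.PrivateKey, dnsName string, subjectPub ed25519.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return createAndParse(tmpl, ca, subjectPub, caKey)
}

// trusted is the relying party's check: the chain must end at a root in its
// own trust store, be within its validity period, and name the expected host.
func trusted(roots *x509.CertPool, cert *x509.Certificate, expectedHost string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedHost})
	return err == nil
}

// pkiDemo trusts one CA and checks a certificate it issued, one for the same
// name from a CA that was never trusted, and the genuine one for the wrong host.
func pkiDemo() (genuine, rogueCA, wrongHost bool) {
	caCert, caKey := newCA("Example Root CA") // constructed name, not a real CA
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	serverPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	leaf := issue(caCert, caKey, "login.example.com", serverPub)
	genuine = trusted(roots, leaf, "login.example.com")
	rogueCert, rogueKey := newCA("Totally Legit CA") // attacker's own CA, never trusted
	forged := issue(rogueCert, rogueKey, "login.example.com", serverPub)
	rogueCA = trusted(roots, forged, "login.example.com")
	wrongHost = trusted(roots, leaf, "bank.example.com")
	return genuine, rogueCA, wrongHost
}

func main() {
	g, r, w := pkiDemo()
	fmt.Println("issued by trusted CA:", g, "| issued by unknown CA:", r, "| wrong host:", w)
}
```

Verify is doing the work a browser or TLS client does on every connection; the decisive input is the Roots pool, which is why adding a root to a machine's trust store (or leaving a compromised one in it) defeats the whole arrangement for that machine.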


Symmetric-key Cryptography
A type of cryptography where only the parties in the “session” share the encryption key. The same key is used both to encrypt and to decrypt by both parties, so the key must be distributed securely and exists in at least two places: an attacker who compromises either party obtains the key and can decrypt both parties' data. Symmetric encryption is fast, so it is usually paired with asymmetric cryptography: the asymmetric step is used to exchange the symmetric key, and the large volume of data is then sent under symmetric encryption.
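This is the hybrid scheme that the Public Key Cryptography and Symmetric-key Cryptography sections describe, as an added Go example that is not part of the original page: a fresh random AES-256 key encrypts the bulk data (AES-GCM, which also detects tampering), and only that 32-byte key is encrypted with the recipient's RSA public key using OAEP. The first function shows concretely why RSA is not used for the bulk data itself: with a 2048-bit key and SHA-256, OAEP cannot encrypt more than 190 bytes in one operation. The payload is constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Ciphertext is what the sender transmits: the AES key wrapped with the
// recipient's public key, the GCM nonce and the bulk ciphertext with its tag.
type Ciphertext struct {
	WrappedKey []byte
	Nonce      []byte
	Body       []byte
}

// newRecipientKey generates the recipient's RSA key pair. The public half is
// published; the private half is held only by the recipient.
func newRecipientKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// directRSAFails shows why asymmetric encryption is reserved for small blocks:
// RSA-OAEP with SHA-256 and a 2048-bit key cannot encrypt more than 190 bytes
// in one operation, so EncryptOAEP returns an error (rsa.ErrMessageTooLong) for bulk data.
func directRSAFails(pub *rsa.PublicKey, data []byte) bool {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
	return err != nil
}

// encryptHybrid: a fresh random 256-bit AES key encrypts the bulk data with
// AES-GCM, and only that 32-byte key goes through RSA-OAEP. The wrapped key is
// bound to the body as GCM associated data so the two cannot be mixed and matched.
func encryptHybrid(pub *rsa.PublicKey, plaintext []byte) (Ciphertext, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return Ciphertext{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Ciphertext{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Ciphertext{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Ciphertext{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Ciphertext{}, err
	}
	return Ciphertext{WrappedKey: wrapped, Nonce: nonce, Body: gcm.Seal(nil, nonce, plaintext, wrapped)}, nil
}

// decryptHybrid: only the holder of the private key can unwrap the AES key;
// GCM then rejects any ciphertext that was modified in transit.
func decryptHybrid(priv *rsa.PrivateKey, ct Ciphertext) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ct.Nonce, ct.Body, ct.WrappedKey)
}

func main() {
	recipient := newRecipientKey()
	// Constructed sample payload: about 1 MiB, far beyond what RSA can encrypt directly.
	payload := bytes.Repeat([]byte("confidential record line\n"), 40000)
	fmt.Println("direct RSA of payload fails:", directRSAFails(&recipient.PublicKey, payload))
	ct, err := encryptHybrid(&recipient.PublicKey, payload)
	if err != nil {
		panic(err)
	}
	pt, err := decryptHybrid(recipient, ct)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(pt, payload), "| wrapped key bytes:", len(ct.WrappedKey))
}
```

The drawback named above is visible in the code: the 32-byte AES key exists on both ends for the life of the session, so the sender discards it after use and the recipient's security reduces to protecting the RSA private key that unwraps it.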

Biowatch SA is a Swiss startup introducing a 2-factor authentication solution with a 0-factor user experience. It consists of an electronics module, worn in a bracelet or a watch clasp, that stores all kinds of user credentials, from passwords to private keys, credit cards or badges. In addition to providing seamless authentication through BLE and NFC, the module is secured by wrist vein pattern recognition. The identification of the end user is permanent and seamless, as well as private by design: no biometric data is shared with third parties or stored in a cloud.

Access and Key Management
- Multi-Factor Authentication
- Non-repudiation
- Identity and Access Management