You're reading from CompTIA Security+ SY0-701 Certification Guide - Third Edition

Product type: Book
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781835461532
Edition: 3rd Edition
Author: Ian Neil

Ian Neil is one of the world's top trainers of Security+. He is able to break down information into manageable chunks so that people with no background knowledge can gain the skills required to become certified. He has recently worked for the US Army in Europe and designed a Security+ course that catered to people from all backgrounds (not just IT professionals), with an extremely successful pass rate. He is an MCT, MCSE, A+, Network+, Security+, CASP, and RESILIA practitioner who has worked with high-end training providers over the past 23 years and was one of the first technical trainers to train Microsoft internal staff when they opened their Bucharest office in 2006.

Introduction

This chapter covers the sixth objective of Domain 4.0, Security Architecture of the CompTIA Security+ exam.

In this chapter, you are going to look at the role of Identity and Access Management (IAM) in creating and deprovisioning accounts. We will look at different methods of authentication, as well as single sign-on, and explore various access controls for the prevention of unauthorized access to our systems. Later sections will consider biometrics and authentication factors, before reviewing best practices for passwords and administrative accounts.

This chapter will give you an overview of why companies rely on these processes to keep their environment safe and ensure you are prepared to successfully answer all exam questions related to these concepts for your certification.

Note

A full breakdown of Exam Objective 4.6 will be provided at the end of the chapter.

Provisioning User Accounts

Provisioning is the process of creating, managing, and configuring user access rights to an organization’s resources according to their job role. It involves the allocation of permissions and resources to new users, thereby enabling them to perform their roles effectively. The process incorporates several key steps, including the creation of user identities, assignment of privileges, and allocation of resources, which are tailored to meet individual user needs and organizational policies.

One of the most common types of user accounts is an account in Active Directory, which can also be defined as a directory service. It uses an authentication protocol called Kerberos, as explained in the next section. At the end of this section, you will see how user accounts are created in Linux.

Active Directory (Directory Services)

Identity management in a corporate environment will use a directory database. This is a centralized database that will authenticate...

Deprovisioning User Accounts

Deprovisioning a user account in this context refers to the process of disabling or removing access to a user’s account and associated resources when they are no longer authorized to use them. This could be due to an employee leaving the organization, a contractor completing their project, or any other reason for revoking access.

Deprovisioning a user account effectively secures data by either disabling or blocking access to an account, thus safeguarding sensitive information. Deprovisioning of a user’s account is performed as part of the offboarding process during which the user returns their company equipment, such as laptops, phones, smart cards, or tokens. When the account administrator deprovisions a user account, the account should be disabled and the password reset to block access to the previous owner. The account is not simply deleted as the company may need access to the user’s emails or other account data at a later date...

Permission Assignments and Implications

Permission assignment refers to the process of allocating specific rights and privileges to users in an organization. These permissions dictate the range of actions they can perform, the data they can access, and the extent of modifications they can make. The assignments are usually structured around the principle of least privilege, granting users the minimum levels of access—or permissions—they need to accomplish their tasks. Assigning users excessive permissions can lead to unauthorized access, data leaks, and security breaches.

A method to simplify access permissions when you have an organization of around 1,000 people or more is to use group-based authentication.

When a company must control permission for users, it is time-consuming and difficult to give each user individual access to the resources that they need to perform their job. Groups are created that contain all users in that department. For example, the sales...

Identity Proofing

Identity proofing is the process of verifying a person’s identity to confirm the authenticity and legitimacy of their actions. It is the foundational step in the identity and access management lifecycle, helping organizations to mitigate fraudulent activities. Methods of identity proofing may require the presentation of certain forms of evidence such as a passport, driving license, or Social Security Number (SSN) for identification.

Federation

Federation services allow identity information to be shared across organizations and IT systems, normally for authentication purposes. The most common uses for federation services are joint ventures and cloud authentication, where third-party authentication is required. When two entities seek to do business on a joint project, rather than merge their entire IT infrastructures, they use federation services to authenticate the other third-party users for the purposes of the joint project.

For example, consider the following joint venture between Companies A and B. Each entity hosts distinct users in its own directory service, as shown in Figure 19.6:

Figure 19.6: Directory services listing for a joint venture

In a joint venture where each company maintains its own domain, a company can only authenticate users within its domain. For instance, Mr. Orange from Company B cannot be authenticated by Company A’s security administrator. The...

Single Sign-On (SSO)

Single Sign-On (SSO) is an authentication process that allows users to access multiple applications or services with a single set of credentials. It is designed to simplify user experiences by reducing the number of times users must log in to relevant applications or devices to access various services—for example, a mail server. As there is no need to log in to every application separately, SSO significantly improves productivity and user satisfaction, while also reducing the time spent on password resets and support. However, it necessitates stringent security measures as any compromise of SSO credentials could potentially lead to unauthorized access to all linked services. Three authentication types that use SSO are defined as follows:

  • Kerberos authentication: Kerberos authentication uses Ticket Granting Tickets (TGTs) to obtain service tickets that provide access to network resources without users needing to re-enter their credentials. This is an example of seamless authentication...
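The TGT-to-service-ticket flow described above, as an added simulation that is not from the book: a constructed KDC checks the password once (AS exchange), issues a TGT, and then mints per-service tickets (TGS exchange) that each service validates with its own key. Realm name, principal names and the use of HMAC sealing in place of real ticket encryption are assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

def seal(key, claims):
    """Bind ticket claims to a key. HMAC stands in for Kerberos' ticket encryption (constructed)."""
    body = json.dumps(claims, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def unseal(key, ticket):
    """Accept the ticket only if it was sealed under this exact key."""
    tag = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ticket["tag"]):
        raise PermissionError("ticket was not issued under this key")
    return json.loads(ticket["body"])

def key_from_password(password, realm="EXAMPLE.LOCAL"):
    # Kerberos derives the user's long-term key from the password; PBKDF2 over the realm name here (constructed)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 100_000)

class KDC:
    """Constructed Key Distribution Center: the AS issues TGTs, the TGS issues service tickets."""
    def __init__(self, users, services):
        self.user_keys = {u: key_from_password(p) for u, p in users.items()}
        self.service_keys = {s: secrets.token_bytes(32) for s in services}  # each service also holds its own copy
        self.krbtgt_key = secrets.token_bytes(32)                           # only the KDC can open a TGT

    def as_exchange(self, user, password, lifetime=8 * 3600):
        """AS-REQ/AS-REP: the single point where the user's credential is checked."""
        if not hmac.compare_digest(key_from_password(password), self.user_keys[user]):
            raise PermissionError("pre-authentication failed")
        session = secrets.token_hex(16)  # real Kerberos returns this encrypted under the user's key
        tgt = seal(self.krbtgt_key, {"user": user, "session": session, "expires": time.time() + lifetime})
        return tgt, session

    def tgs_exchange(self, tgt, session, service):
        """TGS-REQ/TGS-REP: present the TGT plus proof of the session key, receive a service ticket."""
        claims = unseal(self.krbtgt_key, tgt)
        if time.time() > claims["expires"]:
            raise PermissionError("TGT expired; the user must log in again")
        if not hmac.compare_digest(session, claims["session"]):  # simplified authenticator
            raise PermissionError("authenticator does not match TGT session key")
        return seal(self.service_keys[service],
                    {"user": claims["user"], "service": service, "expires": claims["expires"]})

def service_accepts(service_key, service, ticket):
    """AP-REQ at the service: validate with the service's own key; the password is never seen here."""
    claims = unseal(service_key, ticket)
    return claims["service"] == service and time.time() <= claims["expires"]

def sso_session(kdc, user, password, services):
    """One login, then one service ticket per service with no credential re-entry."""
    tgt, session = kdc.as_exchange(user, password)
    return {s: service_accepts(kdc.service_keys[s], s, kdc.tgs_exchange(tgt, session, s))
            for s in services}
```

Because every service ticket is sealed under a different service key, a ticket obtained for the mail server is rejected by the file server, which is why a stolen TGT (not a single service ticket) is the high-value target a defender watches for.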

Interoperability

Interoperability is the ability of different platforms, systems, or technologies to work together (inter-operate) seamlessly or to exchange and use information in a compatible and effective manner. Within IAM, this refers to systems specifically, and of course, not all systems will be interoperable in this manner. For instance, you might find that web applications that normally use OAuth cannot use Kerberos authentication.

To address these challenges, the design of cloud networks often necessitates the adoption of alternative standard protocols or frameworks to facilitate interoperability between web applications using standardized communication protocols that all applicable systems can understand. These protocols define rules for data exchange, making it easier for different components to communicate. Examples include HTTP/HTTPS for web applications and LDAP for directory services.

Attestation

Attestation in IAM involves verifying the specific attributes, conditions, or credentials of an entity. This validation is supplied by a trusted source or authority, such as certificates, tokens, federation, or Active Directory:

  • Certificates, issued by trusted Certificate Authorities (CAs), function as digital passports, serving to confirm the legitimacy of entities and ensuring secure and encrypted communication across networks.
  • Tokens, frequently employed in OAuth, provide a secure means to confirm user identity and privileges, thereby granting controlled access to valuable resources.
  • Federation serves as a mechanism to establish cross-domain trust and enables seamless resource-sharing among diverse organizations, confirming user identities and facilitating SSO capabilities.
  • Microsoft’s Active Directory, a powerful directory service tailored for Windows domain networks, contributes to the confirmation of attestation by managing user data, safeguarding...

Access Controls

An access control model is a framework used to ensure that only authenticated and authorized users can access the resources pertinent to their roles within an organization. There are several distinct access control models, each with its own complexities, as described in the following sections.

Mandatory Access Control (MAC)

MAC is a stringent access strategy that employs classification levels to regulate access to information based on the sensitivity of the data and the user’s clearance level. The classification levels (Top Secret, Secret, Confidential, and Restricted) serve to prevent unauthorized access, protecting national interests from varying degrees of potential damage. The classification is not solely about the potential impact on national interests but also applies to organizations for which data sensitivity and confidentiality are paramount.

Once classified data is created, it becomes the property of the organization, and various roles are...
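The clearance-versus-classification check that MAC enforces, as an added example that is not from the book: a constructed reference monitor orders the four levels named above and allows a read only when the subject's clearance is at least the object's classification. Need-to-know compartments, the deny-by-default handling of unlabelled objects, and the audit trail are assumptions that extend the text's single rule.

```python
from dataclasses import dataclass

# Classification/clearance levels named in the chapter, ordered lowest to highest.
LEVELS = ("Restricted", "Confidential", "Secret", "Top Secret")

@dataclass(frozen=True)
class Label:
    """A MAC label: a hierarchical level plus need-to-know compartments (compartments are an assumption)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True when this label's level is at least other's and it holds every compartment other requires."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.compartments <= self.compartments)

class ReferenceMonitor:
    """Constructed MAC enforcement point: labels are set by the organization, not by the data's creator."""
    def __init__(self):
        self.subjects = {}   # user -> clearance Label
        self.objects = {}    # resource -> classification Label
        self.audit = []      # every decision, for accountability

    def clear_subject(self, user, level, compartments=()):
        if level not in LEVELS:
            raise ValueError(f"unknown clearance level: {level}")
        self.subjects[user] = Label(level, frozenset(compartments))

    def classify_object(self, resource, level, compartments=()):
        if level not in LEVELS:
            raise ValueError(f"unknown classification: {level}")
        self.objects[resource] = Label(level, frozenset(compartments))

    def can_read(self, user, resource):
        """Deny by default: unknown subjects or unlabelled objects never pass."""
        subject, obj = self.subjects.get(user), self.objects.get(resource)
        allowed = subject is not None and obj is not None and subject.dominates(obj)
        self.audit.append((user, resource, "allow" if allowed else "deny"))
        return allowed

def demo():
    """Constructed sample: two users with different clearances against three labelled resources."""
    rm = ReferenceMonitor()
    rm.clear_subject("analyst", "Secret", {"PROJECT-X"})
    rm.clear_subject("contractor", "Confidential")
    rm.classify_object("plan.docx", "Secret", {"PROJECT-X"})
    rm.classify_object("budget.xlsx", "Confidential")
    rm.classify_object("roster.pdf", "Top Secret")
    return {(u, r): rm.can_read(u, r) for u in rm.subjects for r in rm.objects}
```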

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is essential in cybersecurity as it addresses the vulnerabilities inherent in relying solely on passwords. MFA elevates security protocols by necessitating the presentation of multiple verification factors—a step that adds an additional layer of defense against unauthorized access and potential breaches. There are additional methods of authentication that can work with multi-factor authentication, and these are detailed in the following sections.

Biometric Authentication

Biometric authentication is a security method that uses unique physical or behavioral traits, such as fingerprints or facial recognition, to verify a person’s identity for access or authentication.

These methods include the following:

  • Fingerprint scanner: Fingerprint scanners serve various functions, including acting as a convenient method of access for smartphones such as the iPhone.
  • Retina scanner: Retina scanners identify...

Password Concepts

Passwords are the most common form of authentication, and they consist of several characteristics, such as length, complexity, reuse, expiration, and age. The CompTIA Security+ 701 exam requires familiarity with all of these, as well as password best practices. This section covers both these topics.

Password best practices refer to a set of guidelines and recommendations for creating, managing, and using passwords to enhance security. One set of guidelines is produced by the National Institute of Standards and Technology (NIST), which is a federal agency within the United States Department of Commerce that aims to promote and maintain measurement standards, as well as advance technology and innovation. NIST recommends using passphrases (that is, longer combinations of words or phrases) instead of short, complex passwords. These passphrases are easier to remember and provide stronger security.

Other recommendations to secure your passwords include the following...

Password Managers

Password managers are software applications that are stored on devices or hosted in the cloud and are designed to recall your set passwords so you don’t have to. A password manager can store passwords for every account that you own in a password vault, providing further security and convenience.

The best password managers to use are online, as these will still allow you to access your passwords even if you are away from home. Most password managers can be installed across multiple devices. Installed password managers are controlled by a master password, which is randomly generated when you set up the password manager system.

Passwordless

Passwordless authentication, a cutting-edge security approach, eliminates traditional passwords, relying instead on biometrics, smart cards, SSH keys, security keys, or other innovative methods for user verification. Most of these devices (including smart cards and tokens) use PINs, though some use biometrics. Examples of passwordless authentication methods include Touch ID and Face ID on Apple devices, along with smart cards and SSH keys, which use PINs and certificates.

Privileged Access Management (PAM)

Privileged Access Management (PAM) is a practice that restricts and protects administrative rights for administrator, privileged, service, and root accounts. To do so, PAM uses ephemeral credentials, meaning that they are single-use only and normally have a time limit. With PAM, user accounts are given the equivalent of a temporary ticket with limited administrator rights appropriate for their job role, and an unchangeable password. Once the administrator has closed the PAM session, this ticket expires. PAM also keeps track of who uses these important accounts and what they do with them.

To understand how PAM is set up, consider Figure 19.8:

Figure 19.8: PAM

Note the ABC domain on the left side of the diagram. This domain contains regular user accounts that don’t have special privileges. On the right side, however, there’s something called a bastion forest. This is the secure area where the important...

PAM Tools

This section will explore essential PAM tools such as Just-in-Time (JIT) permissions, password vaulting, and ephemeral credentials, each designed to enhance security and accountability in privileged access control. These tools are defined as follows:

  • JIT permissions: Traditional privilege assignment often involves granting long-term access rights to users, which can become a liability if not managed meticulously. JIT permissions are elevated on a temporary basis, only a few minutes before they are required. JIT comprises the following steps:
    1. When a user requires privileged access, they initiate a request through the PAM system.
    2. The request is then routed through an approval workflow, which could involve manual or automated steps. Only authorized personnel can be granted access.
    3. Once approved, the PAM tool grants access for a predefined duration, often just enough time to complete the required task.
    4. After the time limit for PAM expires, access is automatically revoked, reducing...
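The four JIT steps above (request, approval, time-boxed grant, automatic revocation) as an added example that is not from the book or any PAM product: a constructed broker issues an ephemeral credential on approval, re-checks expiry on every use, and records each event for accountability. The approver list, the no-self-approval rule and the injectable clock are assumptions.

```python
import hmac
import secrets
import time

class JitPamBroker:
    """Constructed JIT broker: request -> approval -> time-boxed ephemeral credential -> automatic revocation."""
    def __init__(self, approvers, clock=time.time):
        self.approvers = set(approvers)  # who may approve elevation (assumption: a static list)
        self.clock = clock               # injectable so expiry can be exercised without waiting
        self.requests = {}
        self.audit = []                  # who requested, approved, used and lost access, and when

    def _log(self, event, request_id, actor):
        self.audit.append((self.clock(), event, request_id, actor))

    def request(self, user, role, reason):
        """Step 1: the user asks for a role, never for a standing credential."""
        request_id = secrets.token_hex(4)
        self.requests[request_id] = {"user": user, "role": role, "reason": reason,
                                     "state": "pending", "expires": None, "credential": None}
        self._log("requested", request_id, user)
        return request_id

    def approve(self, request_id, approver, duration_s):
        """Steps 2 and 3: an authorized approver (not the requester) grants access for a fixed duration."""
        req = self.requests[request_id]
        if approver not in self.approvers or approver == req["user"]:
            self._log("approval-rejected", request_id, approver)
            raise PermissionError("only an authorized approver other than the requester may approve")
        if req["state"] != "pending":
            raise ValueError(f"request is {req['state']}, not pending")
        req["state"] = "active"
        req["expires"] = self.clock() + duration_s
        req["credential"] = secrets.token_urlsafe(24)  # ephemeral: valid for this grant only
        self._log("approved", request_id, approver)
        return req["credential"]

    def has_access(self, request_id, credential):
        """Step 4: every privileged action re-checks the grant; expiry revokes with no administrator action."""
        req = self.requests.get(request_id)
        if req is None or req["state"] != "active":
            return False
        if self.clock() >= req["expires"]:
            self._revoke(request_id, "expired", "system")
            return False
        ok = hmac.compare_digest(credential, req["credential"])
        self._log("used" if ok else "bad-credential", request_id, req["user"])
        return ok

    def close_session(self, request_id):
        """The administrator ends the session early; the ticket cannot be reused afterwards."""
        self._revoke(request_id, "closed", self.requests[request_id]["user"])

    def _revoke(self, request_id, state, actor):
        req = self.requests[request_id]
        req["state"], req["credential"] = state, None
        self._log("revoked-" + state, request_id, actor)
```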

Summary

This chapter covered various critical aspects of access control, authentication, and privileged account management. It highlighted the importance of access controls in securing an organization’s resources and introduced multiple access control models, including Mandatory Access Control (MAC) and Role-Based Access Control (RBAC), and emphasized Multi-Factor Authentication (MFA) as a crucial element in cybersecurity, incorporating biometrics, security keys, and tokens for enhanced security.

It then looked at password management, explaining its significance within Identity and Access Management (IAM), and examining the role of password managers in generating and securely storing complex passwords. The concept of passwordless access using SSH keys in Linux environments was also introduced to enhance security while eliminating traditional passwords.

Lastly, Privileged Access Management (PAM) was explored as a solution to protect privileged accounts, with a focus on...

Exam Objective 4.6

Given a scenario, implement and maintain identity and access management.

  • Provisioning user accounts: Creating user accounts
  • Deprovisioning user accounts: Disabling or blocking user accounts
  • Permission assignments and implications: Allocating permissions
  • Identity proofing: Confirming user identities securely
  • Federation: Integrating identity across systems
  • Single Sign-On (SSO): Simplifying access with one login:
    • Lightweight Directory Access Protocol (LDAP): Directory service for information access
    • Open Authorization (OAuth): A standard for secure authorization
    • Security Assertions Markup Language (SAML): XML-based authentication and authorization
  • Interoperability: Ensuring different systems work together
  • Attestation: Confirming the validity of information
  • Access controls: Managing who can access what:
    • Mandatory access controls: Enforcing strict access rules
    • Discretionary access controls: Where users control access to their data
    • Role-based access...

Chapter Review Questions

The following questions are designed to check that you have understood the information in the chapter. For a realistic practice exam, please check the practice resources in our exclusive online study tools (refer to Chapter 29, Accessing the online practice resources for instructions to unlock them). The answers and explanations to these questions can be found via this link.

  1. In a secure authentication system, which type of authentication token relies on physical devices to generate authentication codes or keys?
    1. Hard Authentication Tokens
    2. Soft Authentication Tokens
    3. Biometric Authentication Tokens
    4. Hybrid Authentication Tokens
  2. You are configuring secure access to an Apache web server. To enhance security, you enable passwordless access. Which technology should you primarily use for this?
    1. HTTPS with SSL/TLS
    2. SSH keys
    3. 2FA
    4. Username and password authentication
  3. What is the main purpose of ephemeral credentials in the context of security?
    1. To securely store passwords...