Sunday, September 14, 2014

Chapter 3: Other Technologies for the CISSP Exam

Legacy Single Sign-On (SSO):
  • How are SSO products used as an Identity Management solution or as part of a large enterprise-wide IdM solution?
    • SSO technology allows users to authenticate one time and then access resources in the environment without needing to re-authenticate. 
    • The difference between SSO technology and password synchronization is that password synchronization takes the user's password and updates each user account on each system and application with that password. With SSO, when a user requests access to a network application, the application sends a request for credentials, but the request is intercepted by the SSO software, which fills in the necessary identification and authentication information on the user's behalf.
    • Vulnerability:
      • If an attacker obtains the user's credentials, the attacker gains access to every resource that user can reach.
    • Negative Aspect:
      • SSO solutions may create a bottleneck (single point of failure): if the SSO server goes down, users are unable to access their network resources.
      • Costly
      • All of a user's credentials for the company's resources are stored in one location
Account Management:
  • What is account management?
    • Deals with creating user accounts on all systems, modifying the account privileges when necessary, and decommissioning the accounts when they are no longer needed (Harris, 177).
  • Issue with account management:
    • Accounts are often created manually by the IT department on different systems, and users are given excessive rights and permissions. Often, when an employee leaves the company, many or all of their accounts stay active.
    • Conclusion: 
      • What is needed is a way for administrators to manage user accounts across multiple systems
  • How are accounts set up?
    • When a new user needs an account, a network administrator sets up the account(s) and gives the user certain privileges and permissions. Administrators often don't know which resources the user should be allowed to access, so they have to "wing it." This is how users end up with access to far more than they need.
    • Solution:
      • Implement a workflow process for requesting a new user account. The request has to be approved, usually by the employee's manager; then the accounts are set up automatically on the systems, or a ticket is generated for technical staff to set them up. The same process applies when an account needs to be updated or deleted.
    • Pros of a workflow process:
      • Reduces potential errors common in account management practice
      • Each step is logged and tracked, which provides accountability and documentation for backtracking if something goes wrong
      • Only necessary access is provided for each account
      • "Orphan" accounts that are still active when employees leave are removed
      • Makes auditors happy
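As an added illustration (not from these notes or any particular product), the workflow above sketched in Python: a request must be approved by the employee's manager before any account is created, each account receives only its role's permissions, every step lands in an audit log, and offboarding removes the user from every system. The role templates, system names and in-memory account stores are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical role templates: each role is granted only the access it needs.
ROLE_ACCESS: Dict[str, Dict[str, Set[str]]] = {
    "analyst": {"crm": {"read"}, "email": {"use"}},
    "admin": {"crm": {"read", "write"}, "email": {"use"}, "hr": {"read"}},
}

@dataclass
class AccountRequest:
    user: str
    role: str
    requester: str   # who asked for the account (e.g. help desk)
    manager: str     # the only person allowed to approve it
    approved: bool = False

@dataclass
class Workflow:
    # Constructed per-system account stores: system -> user -> permissions.
    systems: Dict[str, Dict[str, Set[str]]] = field(default_factory=lambda: {"crm": {}, "email": {}, "hr": {}})
    audit: List[str] = field(default_factory=list)  # every step is logged here

    def approve(self, req: AccountRequest, approver: str) -> bool:
        if approver != req.manager:  # only the manager may approve; refusals are logged too
            self.audit.append(f"DENY approve {req.user} by {approver}: not the manager")
            return False
        req.approved = True
        self.audit.append(f"APPROVE {req.user} role={req.role} by {approver}")
        return True

    def provision(self, req: AccountRequest) -> bool:
        if not req.approved:  # nothing is created without an approved request
            self.audit.append(f"DENY provision {req.user}: request not approved")
            return False
        for system, perms in ROLE_ACCESS[req.role].items():
            self.systems[system][req.user] = set(perms)  # exactly the role's permissions
            self.audit.append(f"CREATE {req.user} on {system} perms={sorted(perms)}")
        return True

    def deprovision(self, user: str) -> List[str]:
        # Offboarding: remove the account from every system so no orphan remains.
        touched = [s for s, accts in self.systems.items() if accts.pop(user, None) is not None]
        self.audit.extend(f"DELETE {user} on {s}" for s in touched)
        return touched

    def orphans(self, active: Set[str]) -> Set[tuple]:
        # Accounts that remain active for people who are no longer employees.
        return {(s, u) for s, a in self.systems.items() for u in a if u not in active}
```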


