Identity and Access Management

-
Identity and Access Management

Security Principles
  1.     Availability
  2.     Integrity
  3.     Confidentiality
    
Identification -> Authentication -> Authorization -> Accountability  (IAAA)

Identification and Authentication
    One-to-One and One-to-Many
    
  •         Identification Component Requirements
  •         Access Control Review
  •         IAAA
        
    Identity Management
  •         Directories
  •         Web Access Management
  •         Password Management
  1.             Password Synchronization
  2.             Self-service password reset
  3.             Assisted password reset
            
        Legacy Single sign-on
        Account Management
        Provisioning
            Authoritative System of Record
        Profile Update
        Biometrics
  1.             Processing Speed
  2.             Fingerprint
  3.             Palm Scan
  4.             Hand Geometry
  5.             Retina Scan (Extremely Invasive and involve a number of privacy issues)
  6.             Iris Scan
  7.             Signature Dynamics
  8.             Keystroke Dynamics
  9.             Voice Print
  10.             Facial Scan
  11.             Hand Topography
        Passwords        Password Policies
  1.                 Electronic monitoring
  2.                 Access the password file
  3.                 Brute-firse attacks
  4.                 Dictionary attacks
  5.                 Social Engineering
  6.                 Rainbow table
Password Checkers            
Password Hashing and Encryption            
Password Aging            
Limit Logon Attempts            
Cogntive Password             
One-Time Password             
The Token Devices            
Synchronous (OneKey, RSA SecurID, Banking Devices)             
Asynchronous (challenge/response scheme to authenticate the user; challenge + nonce (random value) ; users enters the random value + username; encrypted sent to server; server decrypts; user authenticated)
      

Cryptographic Keys
            Passphrase
            Memory Cards
            Smart Card
            Smart Card Attacks
                Interoperability
  1.                     ISO/IEC 14443-1 Physical Characterstics
  2.                     ISO/IEC 14443-3 Initialization and anticollision
  3.                     ISO/IEC 14443-4 Transmission protocol
  •         Radio-Frequency Identification (RFID)
  •         Authorization
  •         Access Criteria
  •         Default to No Access
  •         Need to Know
            Authorization Creep
  •         Single Sign-On
  •             Kerberos
                Kerberos and Password-Guessing Attacks
  •         Security Domains
        
  •     Directory Services
        Thin Clients
  •     Federation
        Digital Identity
    
    Access Control and Markup Languages
  1.         SPML
  2.         SAML
  3.         OpenID
  4.         OAuth
  5.         Identity as a Service
  6.         Integrated Identity Services
  7.         Establishing Connectivity
  8.         Esatblishing Trust
  9.         Incremental Testing
        
    Access Control Models
        DAC - Discretionary Access Control
            Identity-Based Access Control
        MAC - Mandatory Access Control
            Sensitivity Levels
        RBAC - Role-Based Access Control
            Core RBAC
            Hierarchical RBAC
                Limited Hierarchy 
                Gerneral Hierarchy
                Static Separation of Duty (SSD) Relations through RBAC
                Dynamic Separation of Duties (DSD) Relations through RBAC
        RB-RBAC - Rule-Based Access Control
    
    Access Control Techniques and Technologies
  1.         Contrained User Interfaces
  2.         Access Control Matrix
  3.         Capability Table
  4.         Access Control Lists
  5.         Content-Dependent Access Control
  6.         Context-Dependent Access Control
    
    Access Control Administration
        Centralized Access Control Administration
        RADIUS - Remote Authentication Dial-In User Service
        TACACS - Terminal Access Controller Access Control System
        Diameter (protocol)
            Mobile IP
        Decentralized Access Control Administration
        
    Access Control Methods
        Access Control Layers
            Administrative controls
                Personnel Controls
                Supervisory Structure
                Security-Awareness Training
                Testing
            Physical controls
                Network Segregation
                Perimeter Security
                Computer Controls
                Work Area Separation
                Cabling
                Control Zone
            Technical controls
                System Access
                Network Architecture
                Network Access
                Encryption and Protocols
                Auditing
    
    Accountability
        Review of Audit Information
        SEM & SIEM
        Protecing Audit Data and Log Information
        Keystroke Monitoring
        
    Access Control Practices
        Unauthorized Disclosure of Information
        Object Reuse
        Emanation Security
        TEMPEST
        White Noise
        Control Zone
    
    Access Control Monitoring
        IDS - Intrusion Detection Systems
        Network-Based IDSs
        Host-Based IDSs            Signature-based
                Pattern matching
                Stateful matching
            Anamoly-based
                Statistical anamoly-based
                Protocol anamoly-based
                Traffic anamoly-based
                Rule- or heuristic-based
        Knowledge- or Signature-Based Intrusion Detection
        State-Based IDSs
        Statistical Anamoly-Based IDS
        Protocol Anamoly-Based IDS
        Traffic Anamoly-Based IDS
        Rule-Based IDS
        IDS Sensors
        Network Traffic        
        IPS - Intrusion Prevention Systems
  1.             Switched Environments
  2.             Honeypot
  3.             Intrusion Responses
  4.             Network Sniffers
            
    Threats to Access Control
        Dictionary Attack
            Countermeasures
        Brute-Force Attacks
            Countermeasures
        Spoofing at Logon
        Phishing and Pharming
  1.             Spear-phishing
  2.             Whaling

Comments

Post a Comment

Popular posts from this blog

OIM 11g Custom ADF Application Development

-
Image
In this post , I will cover the steps required to create a custom ADF web application. What this application does is facilitate Account Claim Process. Users has been migrated from some other IAM product to OIM and exist in disabled state and hence cannot login to perform Self Service operations. User needs to identify themselves by providing their personal details like personal identification number, zip code and dob etc. After successfully Identifying themselves they will be able to set a new password and set their challenge questions and answers. During this process the application will activate their account and set the new password and QnA. At the end of the process, they will be able to login OIM with their new password set. The application has been developed using JDeveloper using ADF technology to render user interfaces and MVC design pattern to keep the concerns separate. Application Structure                                                                                  
Read more

Oracle Identity Manager (OIM) Interview Questions

-
This is my 100th post on my blog and in this post, I will list down interview questions on OIM. This post will always be work in progress as I keep appending this list with more and more questions. Please find the list of questions below :-) What are the new features in PS3 ? What are the differences between PS2 and PS3 ? How do you identify rogue account creation in target system ? What is the high level architecture of OIM 11g ? List out difference between OIM 9.1 and 11g and possibly 11gR2 What are the new features in 11gR2 PS2 , PS3 How do you save multi-valued attribute in process form and how the linking happens between process form & child form ,   1 child form per multi valued attribute Can we still use entity adapters in OIM 11g What is pluginservice in oim 11g/  What is the orchestration service in oim 11g. what is the difference between entity match found  and process match found ? what are service accounts in oim ? why remote manager is used ? What is a c
Read more

OIM 11g R2 PS2 : SOA Approval Workflow Sample

-
Image
In this post I am posting the sample code for a sample SOA approval workflow. Some of the features that this workflow addresses are Approval to Manager or Role Owners is dynamic based on the custom OIM system property "approval-condition". Value is set either "AND" or "OR". Manager or Role Owner can be set to be notified only with no approval required. In this case only email is sent to notify them but no approval is required from them. Custom OIM system property are created to address this.   manager-notify-only = TRUE or FALSE  TRUE = only notify the manager no approval request sent. FALSE = notify the manager and send an approval request.   roleowner-notify-only = TRUE or FALSE  TRUE = only notify the role owner no approval request sent. FALSE = notify the role owner and send an approval request. Third Level System Notification was required but it should be dynamic.  Custom OIM system property are created to address this sysadmin-noti
Read more