WEBVTT

1
00:00:00.050 --> 00:00:01.830
<v ->In this section of the course,</v>

2
00:00:01.830 --> 00:00:03.540
we are going to discuss

3
00:00:03.540 --> 00:00:06.450
troubleshooting identity and access management.

4
00:00:06.450 --> 00:00:09.270
The troubleshooting identity and access management section

5
00:00:09.270 --> 00:00:13.800
of the course focuses on domain three, security engineering,

6
00:00:13.800 --> 00:00:16.950
specifically objective 3.1,

7
00:00:16.950 --> 00:00:19.620
which states that given a scenario,

8
00:00:19.620 --> 00:00:22.260
you must be able to troubleshoot common issues

9
00:00:22.260 --> 00:00:24.690
with identity and access management components

10
00:00:24.690 --> 00:00:26.640
in an enterprise environment.

11
00:00:26.640 --> 00:00:28.890
Troubleshooting identity and access management

12
00:00:28.890 --> 00:00:32.610
involves ensuring the right people have the right access

13
00:00:32.610 --> 00:00:35.220
to the right resources at the right time.

14
00:00:35.220 --> 00:00:37.860
This is done by managing user identities

15
00:00:37.860 --> 00:00:40.950
and controlling user and system access.

16
00:00:40.950 --> 00:00:44.190
As enterprise systems become more complex

17
00:00:44.190 --> 00:00:48.270
and especially when they're integrated with cloud services,

18
00:00:48.270 --> 00:00:51.960
proper management frameworks and policies are necessary.

19
00:00:51.960 --> 00:00:56.250
Additionally, monitoring, assessing, and adjusting access

20
00:00:56.250 --> 00:01:00.600
keeps data and resources safe from unauthorized access.

21
00:01:00.600 --> 00:01:04.230
As we go through this section, we will cover many topics

22
00:01:04.230 --> 00:01:07.410
related to troubleshooting identity and access management,

23
00:01:07.410 --> 00:01:12.090
including management frameworks, subject access control,

24
00:01:12.090 --> 00:01:15.630
user identity control, secrets management,

25
00:01:15.630 --> 00:01:17.970
authentication and authorization,

26
00:01:17.970 --> 00:01:20.280
cloud identity and access management

27
00:01:20.280 --> 00:01:22.410
access and trust policies,

28
00:01:22.410 --> 00:01:25.650
wifi authentication, access control,

29
00:01:25.650 --> 00:01:29.970
conditional access, and finally, logging and monitoring.

30
00:01:29.970 --> 00:01:33.180
First, we will look at management frameworks.

31
00:01:33.180 --> 00:01:35.160
Management frameworks in the context

32
00:01:35.160 --> 00:01:37.830
of troubleshooting identity and access management

33
00:01:37.830 --> 00:01:40.020
are how identities and access controls

34
00:01:40.020 --> 00:01:43.020
are managed, monitored, and maintained

35
00:01:43.020 --> 00:01:44.940
within an organization.

36
00:01:44.940 --> 00:01:48.660
Management framework concepts include identity proofing,

37
00:01:48.660 --> 00:01:51.360
privilege, and identity management.

38
00:01:51.360 --> 00:01:55.050
Authentication and authorization are core processes.

39
00:01:55.050 --> 00:01:58.500
Authentication verifies a user's identity

40
00:01:58.500 --> 00:02:00.450
and authorization determines

41
00:02:00.450 --> 00:02:03.180
what resources the user can access.

42
00:02:03.180 --> 00:02:05.970
Identity proofing is the process of verifying

43
00:02:05.970 --> 00:02:08.730
an individual's claimed identity is accurate.

44
00:02:08.730 --> 00:02:10.890
Identity proofing is typically done

45
00:02:10.890 --> 00:02:13.620
during the initial setup of user accounts.

46
00:02:13.620 --> 00:02:16.800
Next, privileged identity management focuses

47
00:02:16.800 --> 00:02:20.070
on managing and controlling access to critical systems

48
00:02:20.070 --> 00:02:23.220
and information by granting elevated permissions

49
00:02:23.220 --> 00:02:24.690
only when necessary.

50
00:02:24.690 --> 00:02:28.590
It also involves closely monitoring privileged accounts.

51
00:02:28.590 --> 00:02:31.260
In practice, an IT administrator

52
00:02:31.260 --> 00:02:33.540
might undergo identity proofing

53
00:02:33.540 --> 00:02:35.310
when their account is created

54
00:02:35.310 --> 00:02:38.040
to ensure they are who they claim to be.

55
00:02:38.040 --> 00:02:39.480
The IT administrator

56
00:02:39.480 --> 00:02:42.090
may then use privileged identity management

57
00:02:42.090 --> 00:02:44.730
to gain temporary elevated privileges

58
00:02:44.730 --> 00:02:47.280
to perform a specific task.

59
00:02:47.280 --> 00:02:48.690
Throughout this process,

60
00:02:48.690 --> 00:02:51.300
their actions would be logged and monitored

61
00:02:51.300 --> 00:02:54.690
according to the organization's management framework.

62
00:02:54.690 --> 00:02:58.770
Next, we will explore subject access control.

63
00:02:58.770 --> 00:03:00.810
Subject access is the mechanism

64
00:03:00.810 --> 00:03:04.170
that determines and enforces which subjects have access

65
00:03:04.170 --> 00:03:07.410
to specific resources within a network environment.

66
00:03:07.410 --> 00:03:08.850
Subjects are defined

67
00:03:08.850 --> 00:03:13.080
as users, processes, devices, and services.

68
00:03:13.080 --> 00:03:17.130
Let's take a minute to discuss how each subject interacts

69
00:03:17.130 --> 00:03:19.530
with enterprise access control.

70
00:03:19.530 --> 00:03:22.470
A user is an individual or entity

71
00:03:22.470 --> 00:03:25.355
that requires and receives access to resources.

72
00:03:25.355 --> 00:03:28.788
Next, a process is an instance of a program

73
00:03:28.788 --> 00:03:32.490
that requires permissions to perform operations

74
00:03:32.490 --> 00:03:35.820
on behalf of a user or system function.

75
00:03:35.820 --> 00:03:40.110
Next, a device is any physical or virtual hardware

76
00:03:40.110 --> 00:03:41.940
that connects to the network.

77
00:03:41.940 --> 00:03:44.449
Devices often require authentication

78
00:03:44.449 --> 00:03:48.510
to ensure they're authorized to access resources.

79
00:03:48.510 --> 00:03:53.010
Finally, a service is a system function or application

80
00:03:53.010 --> 00:03:54.690
that operates continuously

81
00:03:54.690 --> 00:03:56.521
in the background, providing users

82
00:03:56.521 --> 00:03:59.375
the seamless machine interaction they expect.

83
00:03:59.375 --> 00:04:02.806
Services manage tasks like processing data,

84
00:04:02.806 --> 00:04:07.230
handling requests, and maintaining system performance,

85
00:04:07.230 --> 00:04:11.430
all without requiring direct user intervention.

86
00:04:11.430 --> 00:04:13.350
Services may also interact

87
00:04:13.350 --> 00:04:16.470
with other services, devices or users,

88
00:04:16.470 --> 00:04:20.400
and must be controlled to prevent unauthorized access.

89
00:04:20.400 --> 00:04:24.180
After that, we will look at user identity control.

90
00:04:24.180 --> 00:04:27.330
User identity control is the process used

91
00:04:27.330 --> 00:04:31.800
to manage, verify, and secure the identities of users

92
00:04:31.800 --> 00:04:35.370
to ensure they have appropriate access to resources.

93
00:04:35.370 --> 00:04:38.778
User identity control concepts include credentials,

94
00:04:38.778 --> 00:04:43.260
the use of biometrics, and multi-factor authentication.

95
00:04:43.260 --> 00:04:46.080
Credentials are the information that users provide

96
00:04:46.080 --> 00:04:47.700
to prove their identity.

97
00:04:47.700 --> 00:04:50.309
Examples of credentials include passwords,

98
00:04:50.309 --> 00:04:52.710
PINs, and certificates.

99
00:04:52.710 --> 00:04:56.220
Biometrics like facial recognition and fingerprints

100
00:04:56.220 --> 00:04:59.130
may also be used to validate identity.

101
00:04:59.130 --> 00:05:01.770
Authentication is then the process of validating

102
00:05:01.770 --> 00:05:05.019
user presented credentials or biometric data

103
00:05:05.019 --> 00:05:07.620
to confirm a user's identity.

104
00:05:07.620 --> 00:05:11.010
Authorization is then used to determine what resources

105
00:05:11.010 --> 00:05:14.070
the authenticated user is allowed to access.

106
00:05:14.070 --> 00:05:17.130
Multi-factor authentication, or MFA,

107
00:05:17.130 --> 00:05:21.570
requires users to provide two or more verification factors

108
00:05:21.570 --> 00:05:25.200
before being granted access to the enterprise network.

109
00:05:25.200 --> 00:05:29.460
Verification factors, also called authentication factors,

110
00:05:29.460 --> 00:05:33.180
include something that I know, such as a password,

111
00:05:33.180 --> 00:05:36.750
something that I have, such as an authentication token,

112
00:05:36.750 --> 00:05:39.600
and something that I am, such as a fingerprint.

113
00:05:39.600 --> 00:05:42.224
Next, we will explore secrets management.

114
00:05:42.224 --> 00:05:45.180
Secrets management is securely storing,

115
00:05:45.180 --> 00:05:49.110
managing, and controlling access to sensitive information

116
00:05:49.110 --> 00:05:51.480
to prevent unauthorized access.

117
00:05:51.480 --> 00:05:55.710
Secrets management concepts include tokens, certificates,

118
00:05:55.710 --> 00:05:59.760
passwords, keys, rotation, and deletion.

119
00:05:59.760 --> 00:06:02.490
Tokens are temporary digital credentials

120
00:06:02.490 --> 00:06:05.220
used for authentication or authorization.

121
00:06:05.220 --> 00:06:09.240
Certificates are digital documents that verify the identity

122
00:06:09.240 --> 00:06:12.000
of entities and enable secure communication.

123
00:06:12.000 --> 00:06:15.690
Passwords are traditional secret strings of characters

124
00:06:15.690 --> 00:06:17.790
used for authentication,

125
00:06:17.790 --> 00:06:21.450
and keys are cryptographic elements that secure data

126
00:06:21.450 --> 00:06:24.240
through encryption and decryption processes.

127
00:06:24.240 --> 00:06:26.460
In order to maintain security,

128
00:06:26.460 --> 00:06:28.800
secrets should be regularly rotated,

129
00:06:28.800 --> 00:06:30.960
meaning updated or replaced,

130
00:06:30.960 --> 00:06:33.900
and to prevent unauthorized access,

131
00:06:33.900 --> 00:06:37.380
secrets should be securely deleted when no longer needed.

132
00:06:37.380 --> 00:06:40.020
In practice, an enterprise administrator

133
00:06:40.020 --> 00:06:42.448
might rotate encryption keys regularly

134
00:06:42.448 --> 00:06:44.580
to mitigate the risk of compromise,

135
00:06:44.580 --> 00:06:47.670
delete old tokens that are no longer valid,

136
00:06:47.670 --> 00:06:51.150
and update passwords on a recurring basis.

137
00:06:51.150 --> 00:06:53.160
Each of these actions could be managed

138
00:06:53.160 --> 00:06:55.260
within a secrets management framework

139
00:06:55.260 --> 00:06:58.950
to ensure ongoing protection of sensitive information.

140
00:06:58.950 --> 00:07:00.600
Following that, we will look

141
00:07:00.600 --> 00:07:03.000
at authentication and authorization.

142
00:07:03.000 --> 00:07:06.060
The process of authentication and authorization

143
00:07:06.060 --> 00:07:08.574
involves verifying a user's identity

144
00:07:08.574 --> 00:07:10.650
and determining their access rights

145
00:07:10.650 --> 00:07:12.660
to resources within a system.

146
00:07:12.660 --> 00:07:15.120
Authentication and authorization concepts

147
00:07:15.120 --> 00:07:17.850
include attestation, the use

148
00:07:17.850 --> 00:07:21.240
of the Security Assertion Markup Language, or SAML,

149
00:07:21.240 --> 00:07:24.690
OpenID, OAuth, and federation.

150
00:07:24.690 --> 00:07:27.300
Attestation is the process of verifying

151
00:07:27.300 --> 00:07:29.640
that a system or entity complies

152
00:07:29.640 --> 00:07:31.740
with certain policies or standards,

153
00:07:31.740 --> 00:07:35.160
often as a part of the authentication process.

154
00:07:35.160 --> 00:07:38.220
SAML, the Security Assertion Markup Language,

155
00:07:38.220 --> 00:07:40.920
is a standard for exchanging authentication

156
00:07:40.920 --> 00:07:43.800
and authorization data between parties.

157
00:07:43.800 --> 00:07:46.830
OpenID is an authentication protocol

158
00:07:46.830 --> 00:07:50.010
that allows users to log in to multiple services

159
00:07:50.010 --> 00:07:52.380
using a single identity provider.

160
00:07:52.380 --> 00:07:54.630
An identity provider is a service

161
00:07:54.630 --> 00:07:57.300
that manages user identity information

162
00:07:57.300 --> 00:08:00.520
and asserts authentication to enable secure access

163
00:08:00.520 --> 00:08:03.450
to multiple applications or systems.

164
00:08:03.450 --> 00:08:06.030
OAuth is an authorization framework

165
00:08:06.030 --> 00:08:10.560
that allows third party applications to access user data

166
00:08:10.560 --> 00:08:13.830
without passing their credentials to the third party.

167
00:08:13.830 --> 00:08:18.830
Don't forget that the auth in OAuth is for authorization,

168
00:08:18.930 --> 00:08:22.200
not authentication. For authentication,

169
00:08:22.200 --> 00:08:25.440
OAuth may employ OpenID.

170
00:08:25.440 --> 00:08:27.390
Federation refers to the practice

171
00:08:27.390 --> 00:08:30.330
of asserting identities across multiple domains.

172
00:08:30.330 --> 00:08:33.840
For example, in a federated environment,

173
00:08:33.840 --> 00:08:37.140
the Security Assertion Markup Language might be used

174
00:08:37.140 --> 00:08:40.710
to authenticate a user via OpenID

175
00:08:40.710 --> 00:08:43.590
with OAuth managing the authorization

176
00:08:43.590 --> 00:08:45.780
for a third party application.

177
00:08:45.780 --> 00:08:50.310
Then we will explore cloud identity and access management,

178
00:08:50.310 --> 00:08:52.320
access and trust policies.

179
00:08:52.320 --> 00:08:54.270
Cloud identity and access management

180
00:08:54.270 --> 00:08:58.140
access and trust policies are used to manage and enforce

181
00:08:58.140 --> 00:09:02.880
who has access to cloud resources and under what conditions.

182
00:09:02.880 --> 00:09:05.880
Furthermore, cloud identity and access management

183
00:09:05.880 --> 00:09:09.360
is a framework that is used to assign roles and permissions

184
00:09:09.360 --> 00:09:12.450
to users, groups, and services,

185
00:09:12.450 --> 00:09:14.550
directing what actions they can perform

186
00:09:14.550 --> 00:09:16.320
within the cloud environment.

187
00:09:16.320 --> 00:09:19.660
Trust policies are then used to define the relationships

188
00:09:19.660 --> 00:09:21.450
and trust boundaries

189
00:09:21.450 --> 00:09:24.390
between different cloud accounts or services.

190
00:09:24.390 --> 00:09:27.660
For example, in a multi-cloud environment,

191
00:09:27.660 --> 00:09:30.660
a trust policy might allow one cloud account

192
00:09:30.660 --> 00:09:33.990
to assume a specific role in another account.

193
00:09:33.990 --> 00:09:34.990
In this scenario,

194
00:09:34.990 --> 00:09:38.190
cloud identity and access management could be used

195
00:09:38.190 --> 00:09:41.520
to manage the permissions associated with the role,

196
00:09:41.520 --> 00:09:43.830
ensuring that access is controlled

197
00:09:43.830 --> 00:09:47.040
and monitored across the entire cloud infrastructure.

198
00:09:47.040 --> 00:09:50.430
Next, we will explore wifi authentication.

199
00:09:50.430 --> 00:09:54.600
Wifi authentication is used to manage and secure user access

200
00:09:54.600 --> 00:09:56.310
to wireless networks.

201
00:09:56.310 --> 00:09:59.070
Wifi authentication concepts include

202
00:09:59.070 --> 00:10:02.790
the Institute of Electrical and Electronics Engineers,

203
00:10:02.790 --> 00:10:06.180
or IEEE 802.1X,

204
00:10:06.180 --> 00:10:09.510
the Extensible Authentication Protocol, or EAP,

205
00:10:09.510 --> 00:10:12.360
and the Simultaneous Authentication of Equals.

206
00:10:12.360 --> 00:10:16.625
802.1X is a network access control protocol

207
00:10:16.625 --> 00:10:20.400
that provides an authentication framework for devices

208
00:10:20.400 --> 00:10:22.620
connecting to a wifi network.

209
00:10:22.620 --> 00:10:27.510
Furthermore, 802.1X ensures that only authorized users

210
00:10:27.510 --> 00:10:28.890
gain network access

211
00:10:28.890 --> 00:10:31.560
by enabling the process of authentication.

212
00:10:31.560 --> 00:10:33.590
The Extensible Authentication Protocol

213
00:10:33.590 --> 00:10:37.200
is a flexible authentication framework used

214
00:10:37.200 --> 00:10:40.500
within the 802.1X framework,

215
00:10:40.500 --> 00:10:43.440
this supports multiple authentication methods

216
00:10:43.440 --> 00:10:46.140
between a client, known as a supplicant,

217
00:10:46.140 --> 00:10:48.930
and the wireless enterprise network.

218
00:10:48.930 --> 00:10:51.510
Simultaneous Authentication of Equals

219
00:10:51.510 --> 00:10:55.080
is a secure password based key exchange protocol

220
00:10:55.080 --> 00:11:00.080
used in WPA3 to provide a secure handshake process,

221
00:11:00.150 --> 00:11:03.030
resistant to offline dictionary attacks.

222
00:11:03.030 --> 00:11:06.390
Then we will explore access control.

223
00:11:06.390 --> 00:11:09.210
Access control manages and enforces

224
00:11:09.210 --> 00:11:12.450
who can access specific resources within a system,

225
00:11:12.450 --> 00:11:16.020
based on predefined policies and user roles.

226
00:11:16.020 --> 00:11:20.640
Access control concepts include single sign-on, Kerberos,

227
00:11:20.640 --> 00:11:22.770
and privileged access management.

228
00:11:22.770 --> 00:11:26.850
Single sign-on, or SSO, is an authentication process

229
00:11:26.850 --> 00:11:28.620
that allows users to access

230
00:11:28.620 --> 00:11:31.260
multiple applications or services

231
00:11:31.260 --> 00:11:33.660
with one set of login credentials.

232
00:11:33.660 --> 00:11:36.780
Single sign-on streamlines a user's access

233
00:11:36.780 --> 00:11:39.240
within an organization's domain

234
00:11:39.240 --> 00:11:41.307
because the user only has to remember

235
00:11:41.307 --> 00:11:43.680
one set of credentials.

236
00:11:43.680 --> 00:11:47.010
Kerberos is a network authentication protocol

237
00:11:47.010 --> 00:11:50.820
that uses tickets to allow entities to securely prove

238
00:11:50.820 --> 00:11:54.750
their identity to one another over a non-secure network.

239
00:11:54.750 --> 00:11:58.770
Kerberos is commonly used in single sign-on implementations

240
00:11:58.770 --> 00:12:02.310
for secure authenticated access to services.

241
00:12:02.310 --> 00:12:05.040
Privileged Access Management, or PAM,

242
00:12:05.040 --> 00:12:07.110
controls and monitors access

243
00:12:07.110 --> 00:12:09.870
to critical systems and sensitive information

244
00:12:09.870 --> 00:12:13.110
by granting elevated privileges only when needed.

245
00:12:13.110 --> 00:12:17.100
This just-in-time method of elevating privileges

246
00:12:17.100 --> 00:12:19.530
ensures that only authorized users

247
00:12:19.530 --> 00:12:21.900
can perform high risk tasks

248
00:12:21.900 --> 00:12:24.150
while minimizing security risks.

249
00:12:24.150 --> 00:12:27.347
Following that, we will look at conditional access.

250
00:12:27.347 --> 00:12:31.110
Conditional access policies grant or deny access

251
00:12:31.110 --> 00:12:34.500
to resources based on specific conditions,

252
00:12:34.500 --> 00:12:38.070
such as user identity, device status,

253
00:12:38.070 --> 00:12:40.440
or other contextual factors.

254
00:12:40.440 --> 00:12:43.860
Conditional access concepts include configuration,

255
00:12:43.860 --> 00:12:47.610
user-to-device binding, time-based conditions,

256
00:12:47.610 --> 00:12:49.860
and geographic location.

257
00:12:49.860 --> 00:12:52.817
Configuration requires the setup and customization

258
00:12:52.817 --> 00:12:56.550
of conditional access policies to ensure they align

259
00:12:56.550 --> 00:12:59.220
with organization security requirements.

260
00:12:59.220 --> 00:13:01.829
Conditional access policies may specify

261
00:13:01.829 --> 00:13:05.618
which users or devices can access certain resources.

262
00:13:05.618 --> 00:13:09.120
User-to-device binding is a security measure

263
00:13:09.120 --> 00:13:12.578
that links a user's identity to a specific device.

264
00:13:12.578 --> 00:13:15.610
This binding ensures that access is granted

265
00:13:15.610 --> 00:13:19.260
only when the user is using an approved device.

266
00:13:19.260 --> 00:13:22.013
Time-based and geographic location conditions

267
00:13:22.013 --> 00:13:24.840
add additional layers of security

268
00:13:24.840 --> 00:13:28.260
by restricting access to certain times of the day

269
00:13:28.260 --> 00:13:31.200
or specific geographical areas.

270
00:13:31.200 --> 00:13:34.110
For example, an organization might configure

271
00:13:34.110 --> 00:13:38.340
conditional access to allow a user to access sensitive data

272
00:13:38.340 --> 00:13:40.770
only from a company issued device,

273
00:13:40.770 --> 00:13:44.760
using user-to-device binding during business hours,

274
00:13:44.760 --> 00:13:47.010
which is a time-based condition,

275
00:13:47.010 --> 00:13:51.660
and within a specific geographical location, such as the US.

276
00:13:51.660 --> 00:13:54.622
Finally, we will look at logging and monitoring.

277
00:13:54.622 --> 00:13:57.467
Logging and monitoring is the recording and analyzing

278
00:13:57.467 --> 00:14:00.480
of access events and user activities

279
00:14:00.480 --> 00:14:03.900
to detect, investigate, and respond to

280
00:14:03.900 --> 00:14:06.090
potential security incidents.

281
00:14:06.090 --> 00:14:10.230
Logging is the collection of data related to user actions,

282
00:14:10.230 --> 00:14:13.080
system changes, and access attempts.

283
00:14:13.080 --> 00:14:15.840
Logging provides a detailed record

284
00:14:15.840 --> 00:14:18.900
of who accessed what resources and when.

285
00:14:18.900 --> 00:14:22.260
Monitoring, on the other hand, involves the real-time

286
00:14:22.260 --> 00:14:24.840
or periodic review of logs

287
00:14:24.840 --> 00:14:28.710
to identify unusual or unauthorized activities.

288
00:14:28.710 --> 00:14:31.200
Unusual or unauthorized activities

289
00:14:31.200 --> 00:14:33.570
include failed login attempts

290
00:14:33.570 --> 00:14:36.270
or access from unfamiliar locations

291
00:14:36.270 --> 00:14:38.760
and may indicate a security event.

292
00:14:38.760 --> 00:14:41.970
For example, an identity and access management system

293
00:14:41.970 --> 00:14:45.147
might log every access attempt to a sensitive database

294
00:14:45.147 --> 00:14:48.540
and monitor these logs to detect patterns

295
00:14:48.540 --> 00:14:50.967
of failed attempts, triggering an alert

296
00:14:50.967 --> 00:14:54.180
if an unusual number of failures occur

297
00:14:54.180 --> 00:14:56.820
and allowing security teams to respond quickly

298
00:14:56.820 --> 00:14:58.860
to potential data breaches.

299
00:14:58.860 --> 00:15:01.770
To finish things off, we'll take a short quiz

300
00:15:01.770 --> 00:15:04.890
to see what you learned during this section of the course

301
00:15:04.890 --> 00:15:08.610
and we'll review each of those quiz questions fully

302
00:15:08.610 --> 00:15:12.210
to ensure you can explain why the right answers were right

303
00:15:12.210 --> 00:15:13.947
and the wrong answers were wrong.

304
00:15:13.947 --> 00:15:16.905
So let's get ready to dive into troubleshooting

305
00:15:16.905 --> 00:15:19.200
identity and access management

306
00:15:19.200 --> 00:15:21.303
in this section of the course!

