Governance in IAM

We have seen the importance of Identity and Access Management in the present times in a previous blog. Now, going a step further, how does one verify or ensure that the IDs are functioning properly and that no user has access beyond what they need? With the Covid pandemic triggering a new set of challenges and organizations choosing to allow employees to work from the safety of their homes, beefing up organizational security has taken more precedence than ever before.

With most organizations operating globally across geographies, involving a plethora of distributed technologies, applications residing in the cloud and private and public networks, compliance and data security measures become even more important. Any such breach can have far-reaching ramifications from financial, brand and even legal perspectives.

Once an identity is established for an individual, it is modified on an ongoing basis depending on the roles the person undertakes in the organization. Periodic audits are mandatory to ensure that the IDs are functioning properly. This is where Governance comes into the picture.

Identity and Access Governance products are typically deployed on top of IAM systems to enable organizations to define, enforce, review and audit IAM policies, map IAM functions to compliance requirements and audit user access, all in support of compliance reporting.

Governance solutions are designed to link people, applications, data and devices so that organizations can determine who has access to what, what kind of risk that represents, and take action where policy violations are identified. They give organizations better visibility into identities and access privileges, and better controls to detect and prevent inappropriate access.

In addition to providing the guidelines, Governance solutions also impose the monitoring mechanisms required to evaluate the access and usage rights of individual users on an ongoing basis and flag anomalies. The main capabilities of a governance solution are:

Segregation/Separation of Duties (SoD)

Rules that prevent risky combinations of access from being granted to one person. For example, a user should not be granted both the Purchase Order role and the Approval role for the same order.

Access Review (Recertification)

Streamlines the review and verification of users' access to different apps and resources. The reviewer(s) may revoke any access the user no longer needs.

Analytics and Reporting Tools

Log activities, generate reports and provide analytics to identify issues and, where required, optimize roles using role mining.
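To make the three capabilities concrete, here is a small added example in Python (written for this post, not code from any governance product). It evaluates constructed SoD rules against constructed role assignments, flags assignments that are stale or never used for recertification, and applies a reviewer's revocation. All user, role and date values are made up for the example.

```python
"""Added example (not from the original post): a minimal identity-governance
check. Users, roles, SoD rules and usage dates below are constructed data."""
from datetime import date

# Constructed sample: who currently holds which roles (hypothetical names).
USER_ROLES = {
    "alice": {"PurchaseOrder.Create", "PurchaseOrder.Approve"},
    "bob":   {"PurchaseOrder.Create"},
    "carol": {"Payroll.View", "HR.Admin"},
    "dave":  set(),
}

# Constructed SoD rules: pairs of roles that must never sit on one identity.
SOD_RULES = [
    ("PurchaseOrder.Create", "PurchaseOrder.Approve"),
    ("Payroll.Edit", "Payroll.Approve"),
]

# Constructed last-used dates per (user, role); this is the input role mining
# and access reviews work from. A missing entry means the role was never used.
LAST_USED = {
    ("alice", "PurchaseOrder.Approve"): date(2023, 1, 10),
    ("alice", "PurchaseOrder.Create"): date(2024, 5, 1),
    ("bob", "PurchaseOrder.Create"): date(2024, 4, 20),
    ("carol", "Payroll.View"): date(2024, 5, 2),
}


def sod_violations(user_roles, rules):
    """Return {user: [(role_a, role_b), ...]} for every toxic combination held."""
    violations = {}
    for user, roles in user_roles.items():
        hits = [(a, b) for a, b in rules if a in roles and b in roles]
        if hits:
            violations[user] = hits
    return violations


def recertification_candidates(user_roles, last_used, today, stale_days=90):
    """Flag (user, role) pairs unused for more than stale_days, or never used."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    flagged = []
    for user, roles in user_roles.items():
        for role in sorted(roles):
            used = last_used.get((user, role))
            if used is None or (today - used).days > stale_days:
                flagged.append((user, role))
    return flagged


def revoke(user_roles, user, role):
    """Reviewer action: return a copy of the assignments with one role removed."""
    updated = {u: set(r) for u, r in user_roles.items()}
    updated[user].discard(role)
    return updated


if __name__ == "__main__":
    print("SoD violations:", sod_violations(USER_ROLES, SOD_RULES))
    print("Recertify:", recertification_candidates(USER_ROLES, LAST_USED, "2024-05-15"))
```

A real product runs the same two checks continuously against the IAM system's entitlement data rather than a dictionary, but the logic a reviewer sees in the recertification campaign is exactly this: a violated rule, or an assignment nobody has exercised in the review window.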

IBM’s Identity Governance and Intelligence (IGI), RSA, Sailpoint and Saviynt are a few of the leading Governance tools in the market.

Stay tuned for more. Please do leave comments/suggestions if any.

Database Vs Schema Vs Instance

A common confusion I usually see among beginners is differentiating between a Database, a Database instance and Database schema. Let’s get that cleared, shall we?

What is a Database?

Databases are computer structures that save, organize, protect, and deliver data. Any system that manages databases is called a database management system, or DBMS. The database table is where all the data in a database is stored, using a model of vertical columns (identifiable by name) and horizontal rows, the cell being the unit where a row and column intersect. A table has a specified number of columns but can have any number of rows.

What is a DB Schema?

The design of a database is called its schema. There are three types of schema: physical schema, logical schema and view schema.

Physical Schema: The design of the database at the physical level; it describes how the data is stored in blocks of storage.

Logical Schema: The design of the database at the logical level. Programmers and database administrators work at this level. It is a model that exists on a whiteboard or in a diagramming tool, like the architect’s drawings of your database.

View Schema: The design of the database at the view level. It generally describes how end users interact with the database system.

What is a DB instance?

While the database itself includes all the application data and metadata stored in physical files on a server, an instance is a combination of the software and memory used to access that data. An instance can have multiple databases.

A Tasty Analogy

Consider a multi-layer tiffin box as an analogy.

The individual boxes are the tables storing the data, which is the food. The stack of tiffin boxes, i.e. a collection of tables, forms the database. The tiffin stack, the lids and the supporting rack combined are stored in the tiffin bag, which is the database instance in this analogy. Since the stack of tiffin boxes in the picture represents the DB, the picture itself would be the schema, as it tells us the number of tables, the design etc.
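The same three ideas can be seen in code. The following is an added example (not from the original post) using Python's built-in sqlite3 module: one connection plays the role of the instance, two attached in-memory databases are the databases it serves, and the catalogue table sqlite_master is where the schema lives. The database and table names are constructed for the example.

```python
"""Added example (not from the original post): one sqlite3 connection (the
instance) serving two databases, each with its own schema. Names are constructed."""
import sqlite3


def open_instance():
    """One connection = the running software plus memory: the 'instance'."""
    conn = sqlite3.connect(":memory:")                    # database "main"
    conn.execute("ATTACH DATABASE ':memory:' AS audit")   # a second, separate database
    return conn


def define_schema(conn):
    """The schema is the design: table names, columns and constraints."""
    conn.executescript("""
        CREATE TABLE main.items (
            id   INTEGER PRIMARY KEY,
            name TEXT    NOT NULL,
            qty  INTEGER NOT NULL CHECK (qty >= 0)
        );
        CREATE TABLE audit.events (
            id      INTEGER PRIMARY KEY,
            item_id INTEGER NOT NULL,
            action  TEXT    NOT NULL
        );
    """)


def databases(conn):
    """Which databases this instance currently serves."""
    return [row[1] for row in conn.execute("PRAGMA database_list")]


def tables_in(conn, db):
    """Read the schema from the catalogue, not from the data.
    db comes from this module's own constants, never from user input."""
    rows = conn.execute(f"SELECT name FROM {db}.sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def columns_of(conn, db, table):
    return [r[1] for r in conn.execute(f"PRAGMA {db}.table_info({table})")]


def insert_item(conn, name, qty):
    """Write to one database and record the action in the other."""
    cur = conn.execute("INSERT INTO main.items (name, qty) VALUES (?, ?)", (name, qty))
    conn.execute("INSERT INTO audit.events (item_id, action) VALUES (?, ?)",
                 (cur.lastrowid, "create"))
    return cur.lastrowid


def row_count(conn, db, table):
    return conn.execute(f"SELECT COUNT(*) FROM {db}.{table}").fetchone()[0]


def rejects_negative_qty(conn):
    """The CHECK constraint in the schema is enforced by the DBMS itself."""
    try:
        conn.execute("INSERT INTO main.items (name, qty) VALUES ('bad', -1)")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    conn = open_instance()
    define_schema(conn)
    insert_item(conn, "notebook", 12)
    print(databases(conn), tables_in(conn, "main"), columns_of(conn, "main", "items"))
```

Note that the data (`row_count`) and the schema (`tables_in`, `columns_of`) are read from different places: the rows live in the tables, while the design is recorded in the catalogue. The CHECK constraint also shows why the schema matters for security: a rule written into the design is enforced for every client of the instance, not only for the one application that remembered to validate its input.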

Load Balancing

Load balancing refers to efficiently distributing incoming network traffic across a group of servers or services. It improves responsiveness and increases availability of applications.

A load balancer is a device that sits between the client and the server cluster. It accepts incoming network and application traffic and distributes it across multiple backend servers using various methods. By balancing application requests across multiple servers, a load balancer reduces individual server load and prevents any one application server from becoming a single point of failure, thus improving overall application availability and responsiveness.

At a high level, there are three types of load balancers:

  1. Hardware-based
  2. Cloud-based
  3. Software-based

Hardware-based

A dedicated appliance that provides load distribution and related features. They are expensive but give you full control. Barracuda and TP-Link are two of the most used hardware-based load balancers.

Cloud-based

Cloud load balancing is the process of distributing workloads across multiple computing resources. Cloud load balancing reduces costs associated with document management systems and maximizes availability of resources. It can transfer loads to servers globally as opposed to distributing them across local servers. In the event of a local server outage, cloud load balancing directs users to the closest regional server without interruption for the user.

Cloud load balancing uses services offered by various computer network companies. AWS, Google Cloud and Azure are a few of the most used cloud-based load balancers in the industry today.

Software-based

Load-balancing software that one installs, manages and configures oneself; it is mostly used to distribute load across local servers.

HAProxy, Varnish, Balance, Kemp and Nexus are some of the most notable software load balancers.

Load Balancing in OSI model

Load balancing can be performed at various layers in the Open Systems Interconnection (OSI) Reference Model for networking.

Layer 4 (Transport Layer) load balancing

It operates at the intermediate transport layer, which deals with delivery of messages with no regard to the content of the messages. A layer 4 load balancer makes routing decisions based on IP addresses and TCP or UDP ports. It has a packet view of the traffic exchanged between the client and a server, which means it makes decisions packet by packet. Layer 4 load balancers simply forward network packets to and from the upstream server without inspecting the content of the packets. They can make limited routing decisions by inspecting the first few packets in the TCP stream.

Layer 7 (Application Layer) load balancing

It operates at the high‑level application layer, which deals with the actual content of each message. HTTP is the predominant Layer 7 protocol for website traffic on the Internet. Layer 7 load balancers route network traffic in a much more sophisticated way than Layer 4 load balancers, particularly applicable to TCP‑based traffic such as HTTP. A Layer 7 load balancer terminates the network traffic and reads the message within. It can make a load‑balancing decision based on the content of the message (Example: URL or cookie). It then makes a new TCP connection to the selected upstream server and writes the request to the server. Let’s take an example-

A user visits a high‑traffic website. Over the course of the user’s session, he or she might request static content such as images or video, dynamic content such as a news feed, and even transactional information such as order status. Layer 7 load balancing allows the load balancer to route a request based on information in the request itself, such as what kind of content is being requested. So now a request for a video can be routed to the servers that store it and are highly optimized to serve up multimedia content. Requests for transactional information such as a discounted price can be routed to the application server responsible for managing pricing and so on.

Load balancing Algorithms and methods

Load balancing uses various algorithms/methods to select the service to which each client request is redirected. Some of the load balancing algorithms are:

  • The Least Connection Method
    When a virtual server is configured to use the least connection, it selects the service with the fewest active connections.
  • The Round Robin Method
    This method continuously rotates a list of services that are attached to it. When the virtual server receives a request, it assigns the connection to the first service in the list, and then moves that service to the bottom of the list.
  • The Least Response Time Method
    This method selects the service with the fewest active connections and the lowest average response time.
  • The Least Bandwidth Method
    This method selects the service that is currently serving the least amount of traffic, measured in megabits per second (Mbps).
  • The Least Packets Method
    This method selects the service that has received the fewest packets over a specified period of time.
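The following is an added example in Python (written for this post; it is not code from HAProxy, Kemp or any other product) that puts the methods listed above next to the Layer 7 scenario from the earlier section: the balancer reads the request path, picks the pool of servers that holds that kind of content (video servers, the pricing tier, general web servers), then applies one of the selection methods within that pool. A short Layer 4 pick is included for contrast, since at that layer only addresses and ports are available to decide with. Backend names, their metrics and the request paths are constructed.

```python
"""Added example (not from the original post): the selection methods listed
above plus Layer 7 (path-based) pool selection and a Layer 4 pick for
contrast. Backend names, metrics and request paths are constructed."""
import zlib
from collections import deque
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    active_connections: int = 0   # least connection / least response time
    avg_response_ms: float = 0.0  # tie-breaker for least response time
    mbps: float = 0.0             # current traffic, for least bandwidth
    packets: int = 0              # packets received in the window, for least packets


class Pool:
    """A set of equivalent services and the methods for picking one of them."""

    def __init__(self, backends):
        self.backends = list(backends)
        self._rotation = deque(self.backends)

    def round_robin(self):
        # Take the first service, then move it to the bottom of the list.
        chosen = self._rotation[0]
        self._rotation.rotate(-1)
        return chosen

    def least_connection(self):
        return min(self.backends, key=lambda b: b.active_connections)

    def least_response_time(self):
        # Fewest active connections first, lowest average response time second.
        return min(self.backends, key=lambda b: (b.active_connections, b.avg_response_ms))

    def least_bandwidth(self):
        return min(self.backends, key=lambda b: b.mbps)

    def least_packets(self):
        return min(self.backends, key=lambda b: b.packets)


class Layer7Balancer:
    """Terminates the request, reads the path, picks a pool, then a backend."""

    def __init__(self, pools_by_prefix, method="least_connection"):
        self.pools = pools_by_prefix
        self.method = method

    def choose_pool(self, path):
        # Longest matching prefix wins, so "/video" beats the catch-all "/".
        for prefix in sorted(self.pools, key=len, reverse=True):
            if path.startswith(prefix):
                return self.pools[prefix]
        raise LookupError(f"no pool for {path}")

    def route(self, path):
        backend = getattr(self.choose_pool(path), self.method)()
        backend.active_connections += 1   # the new connection to the upstream server
        return backend.name


def layer4_pick(pool, client_ip, client_port):
    """Layer 4 sees only addresses and ports, so it can hash those and nothing else."""
    idx = zlib.crc32(f"{client_ip}:{client_port}".encode()) % len(pool.backends)
    return pool.backends[idx].name


def sample_balancer():
    """Constructed pools: video servers, a pricing app tier and general web servers."""
    video = Pool([Backend("video-1", 3, 40.0, 900.0, 50000),
                  Backend("video-2", 1, 55.0, 300.0, 20000)])
    pricing = Pool([Backend("app-1", 2, 120.0, 10.0, 800),
                    Backend("app-2", 2, 80.0, 12.0, 900)])
    web = Pool([Backend("web-1"), Backend("web-2"), Backend("web-3")])
    return Layer7Balancer({"/video": video, "/pricing": pricing, "/": web})


if __name__ == "__main__":
    lb = sample_balancer()
    for path in ("/video/cat.mp4", "/pricing/item/7", "/index.html"):
        print(path, "->", lb.route(path))
```

Two details are worth noticing. The least response time method only looks at response time to break ties between servers with the same connection count, which is how the method is described above. And the Layer 4 function has no `path` parameter at all: whatever content the request carries, the only inputs it can hash are the client address and port.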

If you would like to install and explore load balancers, there are a few open-source ones available, such as LoadMaster by Kemp, Zevenet, GoBetween and many more. A quick Google search should turn up a few more. Happy Balancing!

Single Sign-On (SSO)

Ever wondered how by logging in to Gmail, you are also able to navigate to Google’s other children like YouTube, Google Drive, G+ etc without being prompted for an ID or password?

Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. With SSO, a user logs in once and gains access to different applications without the need to re-enter log-in credentials at each application.

SSO is a common procedure in enterprises, where a client accesses multiple resources/applications. The service authenticates the end user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session. On the back end, SSO is helpful for logging user activities as well as monitoring user accounts. SSO mechanisms vary, depending on application type.

However, SSO is not suited for systems requiring guaranteed access, as the loss of log-in credentials results in denial of access to all systems. Ideally, SSO is used with other authentication techniques, such as smart cards and one-time password (OTP) tokens.

Common SSO Mechanisms:

Following are the most common mechanisms used for SSO. We will not delve deep into them for now; that is for future blogs.

Kerberos-based – The initial sign-on prompts the user for credentials and obtains a Kerberos ticket-granting ticket (TGT). Additional applications that the user navigates to use this TGT to prove the user’s identity without prompting the user to re-enter credentials.

Smart-card-based – The initial sign-on prompts the user for the smart card. Additional software applications also use the smart card, without prompting the user to re-enter credentials. This method uses either certificates or passwords stored on the smart card.

Security Assertion Markup Language (SAML) – SAML is an XML-based solution for exchanging user security information between a SAML identity provider and a SAML service provider.
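What all three mechanisms have in common is that one interactive login produces a proof (a TGT, a smart-card certificate, a SAML assertion) that each application verifies instead of asking for a password again. The following added example (written for this post, not code from Kerberos, any smart-card stack or a SAML library) models that flow with an HMAC-signed token standing in for the real proof; a production SAML identity provider signs assertions with a private key and service providers verify with the matching certificate, and real user stores hold salted, slow hashes rather than the constructed plaintext table here. The user, password, key, application names and timestamps are all made up.

```python
"""Added example (not from the original post): a toy SSO flow. An HMAC-signed
token stands in for a Kerberos TGT or SAML assertion. All values constructed."""
import base64
import hashlib
import hmac
import json
import secrets

IDP_KEY = b"constructed-idp-signing-key"     # shared with the apps in this toy only
USER_DB = {"alice": "correct horse"}          # constructed; a real IdP stores a salted KDF hash
REVOKED = set()                               # token ids killed after a reported credential loss


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_on(user, password, apps, now, ttl=3600):
    """The one interactive login. Returns a token good for every listed app."""
    stored = USER_DB.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    claims = {"sub": user, "aud": sorted(apps), "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify(token, app, now):
    """What each application does instead of prompting for a password again."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                            # tampered with or forged
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now or app not in claims["aud"] or claims["jti"] in REVOKED:
        return None                            # expired, wrong audience, or revoked
    return claims["sub"]


def revoke(token):
    """Central kill switch: one revocation removes access to every app at once."""
    body = token.split(".")[0]
    REVOKED.add(json.loads(_unb64(body))["jti"])


if __name__ == "__main__":
    now = 1_700_000_000
    token = sign_on("alice", "correct horse", ["mail", "drive"], now)
    print("mail:", verify(token, "mail", now + 10), " payroll:", verify(token, "payroll", now + 10))
```

The `verify` function is also where the two cons below show up in code: a stolen token opens every application in its audience until it expires, and revoking it (or the identity provider going down) closes all of them at once. Audience and expiry limits keep the blast radius of a lost token as small as the design allows.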

Pros of SSO:

· Reduces password fatigue from different username and password combinations.

· Reduces time spent re-entering passwords for the same identity.

· Reduces IT costs due to a lower number of IT help desk calls about passwords.

· Mitigates risk for access to third-party sites (user passwords are not stored or managed externally).

· Minimizes phishing.

· Improves compliance through a centralized database.

· Provides detailed user access reporting.

Cons of SSO:

· It increases the negative impact if the credentials become available to other people and are misused, or if they are hacked. This can be prevented with high security, governance and two-factor or multi-factor authentication.

· A loss of SSO can result in denial of access to all systems unified under the SSO. A workaround is to keep highly critical applications out of SSO.

IBM ISAM, Okta, RSA etc. are among the leading SSO solutions in the industry.

Stay tuned for future blogs. Please leave a comment or suggestions if any.

Identity and Access Management – Let’s get started

Information security and identity management are both major current concerns for enterprises, especially with the growing use of mobile applications and the sensitive data they handle.

Information Security?

InfoSec is the state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this without hampering organizational productivity. This is largely achieved through a multi-step risk management process that identifies assets, threat sources, vulnerabilities, potential impacts, and possible controls (like industry standards on passwords, antivirus software, firewalls, encryption software etc.), followed by an assessment of the effectiveness of the risk management plan.

Identity and Access Management?

IAM, IDM and IDAM are all acronyms for Identity and Access Management, which is intended to be the primary focus of this blog. It is the branch of InfoSec that enables the right individuals to access the right resources (an application, data or even hardware) at the right times and for the right reasons. An identity is the consumer that needs to access a resource. This consumer is most often best viewed as a person or a digital persona, but it could also be another resource such as a database or another application.

Identity management is a process applied to ensure the integrity and privacy of an identity: how it is created and managed, and how it translates to access. This brings us to another important question: what is access? Access is essentially a Yes/No decision. Access Management is a deployment tasked with making that Yes/No decision for an identity.

Identity Management creates an identity and manages the attributes related to the user whereas Access Management evaluates these attribute values and authorizes the user. Note that Authorization is not the same as authentication. In simple terms, authentication is the process of verifying who you are, while authorization is the process of verifying what you have access to.


Since examples are the best way to remember concepts, let’s consider a couple of them. A certain media sharing platform requires any user that uses it to create an account by registering. During registration, some data is collected and stored in the platform’s database. This is a part of identity management. Now, once the account is successfully created, the user has to enter his unique ID and password to log in to his account. This is authentication.

This platform allows everybody to view each other’s shared photographs, while browsing through other people’s videos is a paid feature. Whether a user has activated this paid feature or not is stored in an attribute (a DB column) in the platform’s database. Storing and managing this attribute is a part of identity management, whereas checking the attribute value once the user has logged in and tries to browse through other users’ profiles is authentication. This decision of whether a user is a “paid user = Yes/No?” is authorization and is handled by access management. If the user is authorized (paid = yes), the access management module allows the user to browse through and play the videos; if not authorized (paid = no), the user is stopped from doing so.

As another example, consider a Windows desktop. Creating an account on the desktop is identity management. Logging in to the desktop authenticates against the Windows local registry, and the permissions you have on data in a specific location (read only, read/write, delete etc.) are based on the authorization level of your identity. The administrator account has all access, whereas a guest account may have read-only access to the Windows C drive.

A few well-known IDAM tools are IBM’s ISIM for identity management and ISAM for access management, Sailpoint, Microsoft’s Azure Active Directory etc.

Stay tuned for more blogs on IAM and its tools. Leave comments/suggestions if any.