Talk Given at null community Bangalore Chapter about Identity and Access Management in Modern Web Applications

Riddhi Shree
Appsecco
Jul 17, 2018

Identity & Access Management in Modern Web Applications

According to Wikipedia, Identity and access management (IAM) is, in computer security, the security and business discipline that

enables the right individuals to access the right resources at the right times and for the right reasons

We, the individuals, are accessing resources all over the Internet and Intranet, day-in and day-out, for a variety of reasons. Such was not the case a few years ago when we still used to depend heavily on pen and paper. Gone are the days when you had to be physically available at the offices of Electricity Board, Water Supply Board, Individual Mobile Operators, Banks, and you name it. We have entered an era where everything is just a click or two away. How did this happen? What has changed over the past years that allows us today to maintain our identities in a virtual manner? I may be sitting in one country, and buying products from a different country, and rest assured that the product would reach my address within days.

What is the basis of this trust that the buyer and the seller hold for one another?

Digital Identity

Every individual has an identity. Physical identity includes our physical attributes like the way we walk and talk, our fingerprints, date of birth, gender, signature, etc. We recognize people and distinguish between individuals by their look and feel, and by the things we manage to remember about them.

The moment we register ourselves on an online portal, we create a digital identity for ourselves. A digital identity is nothing but a “finite set of properties” that relates directly to who we are in the physical world. Every person could have multiple digital identities, i.e., multiple online accounts. However, every online account belongs to exactly one individual.

Image Source: https://en.wikipedia.org/wiki/Identity_management

Access Management

As a user of an application, I might be allowed to create a new account for myself, but who would decide if I am allowed to access the admin panel of the application or not? Should I be allowed to view contents posted by other application users? Would I be able to edit the pages I have access to?

“Appropriate access rights are assigned to entities via their identities.” [Click here for source.]

Access management is a process that allows a system to identify its users and to control each user’s access to the online resources that are offered by the server.

Image Source: https://www.it-ally.co.nz/dentity-and-access-management-solutions/

The most well known systems that rely heavily on Identity management and access control mechanisms are web applications hosted on the Internet and the Intranet networks.

A Web Application

The term ‘web application’ could refer to anything ranging from web-mails (like gmail.com, yahoomail.com, outlook.office.com), online retail stores (like amazon.com, ebay.com, flipkart.com), online banks (like hdfcbank.com, icicibank.com, online.citi.com), social networking sites (like facebook.com, twitter.com, instagram.com), wikis, blogs, etc.

The Web Stack

According to whatis.techtarget.com:

“A Web stack is the collection of software required for Web development. At a minimum, a Web stack contains an operating system (OS), a programming language, database software and a Web server.” [Click here for source.]

XAMPP, LAMP, WAMP, WIMP, MEAN, and MERN are names of some of the common web stacks in use across web applications. Each of these provides an end-to-end framework for building dynamic web applications.

  • XAMPP → Cross-Platform (X), Apache (A), MariaDB (M), PHP (P) and Perl (P)
  • LAMP → Linux (L), Apache (A), MySQL (M), and PHP (P)
  • WAMP → Microsoft Windows (W), Apache (A), MySQL (M), and PHP (P)
  • WIMP → Microsoft Windows (W), IIS (I), MySQL (M), and PHP (P)
  • MEAN → MongoDB (M), Express.js (E), AngularJS (A), and Node.js (N)

MEAN stack is the newest out of all the web stacks listed above.

Image Source: https://dzone.com/articles/the-modern-application-stack-part-1-introducing-th

Most of the applications today (read as ‘modern web applications’) follow the API-first architecture. Our applications use Web APIs to communicate with the servers and applications. Think about any of the single page applications (SPAs) that you might have come across.

“Single-Page Applications are Web apps that load a single HTML page and dynamically update that page as the user interacts with the app.” [Click here for source.]

Image Source: https://www.codementor.io/savinda/modern-web-development-approaches-fbkbf7xnm

What is IAM?

Identity and Access Management (IAM) is a framework that facilitates the management of digital identities. It is made up of the following 4 components:

  1. Identity Management
  2. Identity Repository
  3. Authentication
  4. Authorization

Image Source: http://image.slidesharecdn.com/identity-management-with-midpoint-160130203622/95/identity-management-with-midpoint-3-638.jpg?cb=1454186476
Image Source: https://www.polyu.edu.hk/ags/Newsletter/news0911/IAM_details.html

Why IAM?

IAM is required to ensure that appropriate access to resources is granted across increasingly heterogeneous technology environments.

Moreover, it is impossible for organizations to individually take care of all the compliance requirements while building web applications. Thus, an IAM framework becomes helpful in providing a standardized approach to building applications while adhering to the rules of the land.

Image Source: https://yourstory.com/2016/04/business-india-compliance-requirements/

An IAM system can bolster regulatory compliance by providing the tools to implement comprehensive security, audit and access policies. Many systems now provide features designed to ensure that an organization is in compliance. [Click here for source.]

Identity Management

Just like most other things, every digital identity has its own life cycle. Digital identities come into existence when they are provisioned to an entity. As long as required, organizations maintain the access and permission levels for their stored identities. When physical world entities are no longer associated with an organization, their corresponding digital identities are de-provisioned.

Image Source: https://www.researchgate.net/figure/2-Identity-life-cycle_fig1_252064261

a. Isolated Identity Management

Have you ever filled up a user registration form to get access to the ‘protected resources’ of a website? If you have, you would agree that the process of filling up the same personal details over and over again for different web portals has never been a pleasant task.

Imagine accessing a job portal that allows you to view all job openings, but does not allow you to apply for a job directly. Every time you click on the “Apply Now” button, you are redirected to the login page of the respective company’s website. In the redirected path you are asked to enter the same common details like: First Name, Last Name, Date of Birth, Gender, Address, Email, Phone, Updated Resume, etc. Because the websites are distinct and operate in isolation from each other, they each maintain their own identity database and access control mechanisms. This is known as the isolated identity management model, where each user is required to possess a separate identifier for accessing each isolated service.

A user account must be created separately for each isolated service.
Image Source: http://docplayer.org/839028-References-wikipedia-http-en-wikipedia-org-wiki-single_sign-on-authentication-world-http-www-authenticationworld-com-audun-josang-and-simon.html

b. Federated Identity Management

In the case of federated identity management, user authentication is separated out from the application code, and the authentication process is delegated entirely to a trusted identity provider. This model aims to simplify the account management problem for its users.

Image Source: https://clean-clouds.com/2012/04/25/federated-identity-management-in-cloud-computing-2/

A set of agreements and standards are defined among a group of service providers who recognize user identifiers from one another. A customer of one particular service provider could access all services provided by another service provider in the group with only a single identifier. [Click here for source.]

“On-Premise”:

Applications are deployed inside the organization’s perimeter, and the “trust boundary” is more often than not static, monitored and controlled by the organization itself. [Click here for source]

Authentication prompt for Active Directory Services

“On-Cloud”:

With Cloud adoption, the organization’s trust boundary has become dynamic and has moved beyond the control of an organization. The network, system, and application boundary of an organization has extended into the Cloud Service Provider domain. Federated Identity allows companies to keep their own directories and securely exchange information from them. [Click here for source]

  • Use the same credentials that are used to sign in to on-premise applications
  • Credentials are validated against the on-premise Active Directory in real time
  • Passwords need to be synchronized to the cloud

Microsoft Office On Cloud
Single-login access to all the multiple online services offered by Microsoft Office

c. Centralized Identity Management

Centralized Identity Management is useful for customer and partner-facing applications. In a centralized system, rather than having multiple accounts to use various work resources, each employee, partner, or customer can reach all the applications, services, and resources they need through a single profile.

Image Source: https://cloudtidings.com/2015/11/13/identity-management-and-people-ready-business/
This application gives an option to create an isolated user account, specific to target domain, or to login with either their Facebook, Google or Linkedin account.
In order to access all applications that belong to the same trusted group, you need to login only once in any one of the applications that belong to that trusted group.
Log-off from any one of the applications, belonging to a common trust group, and you would be logged-off from all the applications automatically.
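The federated and centralized models above both rest on the same mechanism: the application never checks a password itself, it accepts a signed assertion from a trusted identity provider and only verifies that assertion. The following is an added example (not code from the original post, nor any real SSO product) that models that exchange with a single IdP and two hypothetical service providers, `hr.example` and `payroll.example`, sharing a constructed HMAC key; real SAML or OpenID Connect deployments use the IdP's asymmetric signing key instead, but the checks a service provider must perform (signature, issuer, audience, expiry) are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: a symmetric key shared by the identity provider
# (IdP) and every service provider (SP) in the trust group. A real deployment
# would use the IdP's asymmetric signing key (as SAML and OpenID Connect do).
IDP_SIGNING_KEY = b"example-idp-signing-key-not-for-production"
IDP_NAME = "idp.example"  # hypothetical issuer name


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used in JWT-style tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(subject: str, audience: str, ttl: int = 300,
                        now: Optional[int] = None) -> str:
    """The IdP, having authenticated `subject` once, issues a short-lived signed
    assertion scoped to exactly one service provider (`audience`)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": IDP_NAME, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
    signature = hmac.new(IDP_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64(signature)


def sp_verify_assertion(token: str, expected_audience: str,
                        now: Optional[int] = None) -> str:
    """A service provider accepts the assertion instead of running its own login.
    Returns the authenticated subject, or raises ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed assertion")
    body, signature = parts
    expected_sig = hmac.new(IDP_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    # Verify the signature first, in constant time, before trusting any claim.
    if not hmac.compare_digest(expected_sig, _unb64(signature)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_NAME:
        raise ValueError("unknown issuer")
    # An assertion minted for one SP must not be accepted by another SP in the group.
    if claims.get("aud") != expected_audience:
        raise ValueError("assertion not intended for this service")
    if now >= claims.get("exp", 0):
        raise ValueError("assertion expired")
    return claims["sub"]


if __name__ == "__main__":
    t0 = 1_000_000  # constructed clock value so the run is reproducible
    token = idp_issue_assertion("alice", "hr.example", now=t0)
    print("hr.example accepts:", sp_verify_assertion(token, "hr.example", now=t0 + 60))
    for sp, at in (("payroll.example", t0 + 60), ("hr.example", t0 + 600)):
        try:
            sp_verify_assertion(token, sp, now=at)
        except ValueError as err:
            print(f"{sp} rejects: {err}")
```

The audience check is the detail most often skipped in home-grown SSO: without it, an assertion obtained for one low-value application in the trust group is valid at every other application that trusts the same IdP.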

Identity Repository

Active Directory:

Active Directory (AD) is software that provides directory-based identity-related services. All physical entities of a network (i.e., users, computers, printers, shared folders, etc.) are arranged in a logical hierarchical structure, and access rules are then applied to the individual accounts or groups.

Image Source: https://roshanznet.blogspot.com/2017/06/active-directory-directory-services.html

Flat Files Repository:

A flat file is a data file with no internal structure beyond its records; it may be a plain text file (such as a CSV) or a binary file. Flat files do not have any structure for indexing, nor do they have any structural relationship between the records.

https://en.wikipedia.org/wiki/Flat_file_database

Authentication

When you claim to be someone, you need to provide further information to prove that you are who you say you are. For instance, suppose that you go to an ATM and use your credit card. After the card is inserted into the machine, it will be used to claim an identity. Now, how does the ATM know that whoever is in possession of the card is the owner of the card? It knows it by asking something that only the owner would be able to provide! That could be a password, a fingerprint or a 6–8 digit code which expires after a certain number of seconds. These are all different types of information which are used for authentication purposes — they are factors of authentication. [Click here for source.]

5 Factors of Authentication are:

  • Something you know (e.g. password)
  • Something you have (e.g. a smart card)
  • Something you are (e.g. fingerprint)
  • Somewhere you are (Location based)
  • Something you do (Observing actions)

Out-of-Band Authentication:

Out-of-Band (OOB) means that authentication factors are transmitted via different channels or networks. This means that the device you use to enter a factor (e.g. something you know) is different from the device you use to receive or generate another factor (e.g. something you have). For instance, if you are on a website on your computer and you enter your username and password and a token is required next, the token needs to be generated by a different channel — an application on a cell phone or a device such as the RSA SecurID. [Click here for source.]
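The “6–8 digit code which expires after a certain number of seconds” from the authentication section, and the phone-app token in the out-of-band example, are both time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The block below is an added example, not code from the original post: the phone side (`totp`) and the server side (`verify_totp`) share only a seed exchanged at enrolment, so the code is generated out of band and never travels over the web login channel until the user types it. The drift window and the replay set are my own additions to show the two checks a server must make beyond recomputing the code.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Set, Tuple


def provision_secret() -> Tuple[bytes, str]:
    """Enrolment step: generate a random 160-bit seed and the base32 form that an
    authenticator app imports (usually via a QR code). The seed is the only thing
    the two channels ever share."""
    seed = secrets.token_bytes(20)
    return seed, base64.b32encode(seed).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    This is what the phone app computes; it never contacts the web server."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1,
                used_counters: Optional[Set[int]] = None) -> bool:
    """Server-side check. Accepts the current step and +/- `window` neighbours to
    tolerate clock drift, compares in constant time, and (when `used_counters` is
    supplied) refuses a counter that has already been consumed, so a code that was
    observed in transit cannot be replayed inside its validity period."""
    if len(code) != digits or not code.isdigit():
        return False
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if used_counters is not None and counter in used_counters:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if used_counters is not None:
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference seed, so the printed codes can be checked against the RFC.
    rfc_seed = b"12345678901234567890"
    print("phone shows:", totp(rfc_seed, 59))          # 287082
    seen: Set[int] = set()
    print("server accepts:", verify_totp(rfc_seed, totp(rfc_seed, 59), 59, used_counters=seen))
    print("replay accepted:", verify_totp(rfc_seed, totp(rfc_seed, 59), 59, used_counters=seen))
```

Two practical notes: the `used_counters` set must live in server-side storage shared by all login front ends, or a replay can simply be sent to a different instance; and `window` should stay small, because every extra step multiplies the number of codes an online guess can match.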

Authorization

Discretionary Access Control (DAC):

Users own the objects under their control, and the granting and revoking of access control privileges are left to the discretion of individual users.

Image Source: https://www.youtube.com/watch?v=ESz4ts7g_zw

Mandatory Access Control (MAC):

It is a means of restricting access to objects based on the sensitivity of the information contained in the objects, along with formal authorization of subjects to access information of such sensitivity. Sharing of information has to be mandated by someone other than the user who is creating it. Data could be created by anyone, but “who can read” the data depends on the access control rules, which are defined by the organization.

Image Source: https://www.youtube.com/watch?v=UNRnSaXajC4

Role-based access control (RBAC):

It is an authorization mechanism in which access decisions are based on the roles that individual users have as part of an organisation.

Role-based access control (RBAC) should be used whenever:

  1. You need centralized access to resources in a network
  2. You don’t need Mandatory Access Control (MAC), i.e., when data is not very sensitive and a formal authorization is not required for accessing the data.
  3. You have high turnover, i.e., when the rate at which employees leave a workforce and are replaced is high.
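To make the three authorization models concrete, the block below is an added example (not from the original post or any product) implementing each as a small policy check: in DAC the owner alone edits the object's ACL; in MAC a fixed label lattice set by the organization decides, and the document's creator has no say; in RBAC permissions attach to roles and users only ever receive roles. The `deprovision` method ties RBAC back to the identity life cycle described earlier: removing the user removes all of their access in one step, which is why the post recommends RBAC for high-turnover environments. The level names, roles and permissions are constructed for the example; the no-write-down rule under MAC is the Bell-LaPadula *-property, which goes a step beyond the read restriction the post describes.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


# ---- DAC: the object's owner decides, at their own discretion, who else gets in ----
@dataclass
class DacObject:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> permissions


def dac_grant(obj: DacObject, actor: str, grantee: str, permission: str) -> None:
    """Only the owner may change the ACL; any other actor is refused."""
    if actor != obj.owner:
        raise PermissionError(f"{actor} does not own this object")
    obj.acl.setdefault(grantee, set()).add(permission)


def dac_check(obj: DacObject, user: str, permission: str) -> bool:
    return user == obj.owner or permission in obj.acl.get(user, set())


# ---- MAC: sensitivity labels and clearances are fixed by the organization ----
# Constructed label lattice; the creator of a document cannot change these rules.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_can_read(clearance: str, label: str) -> bool:
    """No read up: a subject may only read objects at or below its clearance."""
    return LEVELS[clearance] >= LEVELS[label]


def mac_can_write(clearance: str, label: str) -> bool:
    """No write down (Bell-LaPadula *-property): a subject may not copy data into an
    object labelled lower than its own clearance, which would declassify it."""
    return LEVELS[clearance] <= LEVELS[label]


# ---- RBAC: permissions hang off roles; users are given roles, never raw permissions ----
ROLE_PERMISSIONS: Dict[str, Set[str]] = {  # constructed for the example
    "engineer": {"read_code", "deploy"},
    "reader": {"read_code"},
    "hr": {"view_employees", "approve_payroll"},
}


class Rbac:
    def __init__(self, role_permissions: Dict[str, Set[str]]):
        self.role_permissions = role_permissions
        self.user_roles: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def deprovision(self, user: str) -> None:
        """End of the identity life cycle: dropping the user drops every role at once,
        so no per-object clean-up is needed when someone leaves."""
        self.user_roles.pop(user, None)

    def check(self, user: str, permission: str) -> bool:
        return any(permission in self.role_permissions[role]
                   for role in self.user_roles.get(user, ()))


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    dac_grant(doc, "alice", "bob", "read")
    print("DAC bob read:", dac_check(doc, "bob", "read"), "write:", dac_check(doc, "bob", "write"))
    print("MAC internal reads secret:", mac_can_read("internal", "secret"))
    rbac = Rbac(ROLE_PERMISSIONS)
    rbac.assign("dave", "engineer")
    print("RBAC dave deploy:", rbac.check("dave", "deploy"))
    rbac.deprovision("dave")
    print("RBAC dave deploy after leaving:", rbac.check("dave", "deploy"))
```

The contrast worth noticing is where the decision lives: in `dac_grant` it is the data owner, in `LEVELS` it is a table the organization controls, and in `Rbac` it is the role definitions, which is what makes RBAC the model that survives staff churn with the least administrative effort.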

Conclusion

About a month ago, I was clueless about the term ‘Identity and Access Management’ itself. Preparing for this talk at the null community has been an opportunity for me to learn about Digital Identities, Identity Repositories, Authentication and Authorization mechanisms. These are the concepts that play a very important role in almost every organization. Identity and Access Management is the reason why companies are able to scale up across geographical boundaries.

Through this blog I have tried to explain the common terms associated with Identity and Access Management systems. This post attempts to explain the various components of an IAM system. The next steps could involve becoming aware of the online systems and processes that deal with our identities. From an offensive security point of view, you must understand how identities are managed in order to find ways to bypass authentication and authorization systems that could compromise a user’s identity. Only when we understand the process as is, would we be able to think of ways in which identities could be attacked or handled better. After all, what are we without an identity!?
