- By Darril Gibson
- Objective 1.1: Control access by applying the following concepts/methodologies/techniques
- Objective 1.2: Understand access control attacks
- Objective 1.3: Assess effectiveness of access controls
- Objective 1.4: Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)
Objective 1.4: Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)
The identity and access provisioning life cycle directly addresses the management of accounts from creation to deletion. When an account is first created, it is provisioned with appropriate privileges. During the useful lifetime of an account, these privileges are often modified and the account needs to be periodically reviewed to ensure that it has not been granted excessive privileges. When the account is no longer being used, such as when an employee leaves the company, it should be disabled as soon as possible and deleted when it has been determined that it is not needed.
Exam need to know…
Understand issues related to provisioning of an account
For example: What is permission creep?
For example: Which accounts are the most important to review during the identity and access provisioning life cycle?
Understand the importance of revocation
For example: What should be done to a user account when an employee leaves the company?
Provisioning refers to creating accounts and granting them access to resources. Role-based access control (or group-based) is often used to simplify management. Accounts are placed into groups that have defined privileges. As a best practice, all privileges are assigned via the role or group, and individual accounts are not granted privileges directly.
Some organizations use software to automate the provisioning process. For example, when an employee is hired, someone from the human resources department might enter the employee’s information into an internal website application. This application is tied to a database and can automatically create the account and add it to the appropriate groups based on where the new employee will work.
Provisioning also occurs during the lifetime of an account when additional privileges are needed. For example, a salesperson assigned to the sales department needs privileges assigned to salespeople. If this person transfers to the IT department, the account is modified, adding privileges needed in the IT department.
Permission creep is a common problem that occurs when previously needed privileges are never removed. For example, someone who transferred from the sales department to the IT department no longer needs privileges assigned to salespeople. Without a procedure in place to remove unneeded privileges, many users progressively collect more and more privileges.
The use of roles or groups helps prevent permission creep. Users can be added and removed from the roles based on their current jobs, and they will automatically have the correct privileges.
Password policies and account lockout policies are often considered to be part of provisioning. Passwords are the weakest form of authentication, but strong password policies help ensure that users create strong passwords and regularly change them. They commonly include the following elements:
- Password length As tools to crack passwords become better and processor strength increases, the recommended length has also increased. An older recommendation is a password length of eight characters, but many security professionals now suggest a password length of 12 or more characters. Privileged accounts should be 15 or more characters.
- Complexity Passwords should have at least three of the four character types (uppercase, lowercase, numbers, and symbols). For the greatest complexity, passwords should include all four character types.
- History Users should be prevented from reusing the same password. A password history will often remember the last 12 or 24 passwords used by an account.
- Maximum age Users should be required to regularly change their passwords. Privileged accounts might be required to change their passwords every 30 days, and regular users might be required to change their passwords every 45, 60, or 90 days.
- Minimum age This setting requires users to wait before they can reset their password again, and it is often set to one day. It prevents users from repeatedly resetting their password to bypass the history requirement and reuse the same password.
Account lockout policies lock out accounts when incorrect passwords are entered too many times. For example, they can be set to lock out an account after the user enters the wrong password five times in a 30-minute period. The account can be set to remain locked until an administrator unlocks it or for a set time such as 15 minutes. Some policies implement a delay after two or more failed login attacks and are very effective at preventing brute force attacks.
Password reset systems reduce costs by allowing users to reset their passwords without administrative intervention. Many require users to answer secret questions during a registration process, and these questions are later used to validate the user’s identity before resetting the password. Attackers have used social engineering methods to learn these secrets and impersonate the user during the reset process. Password reset systems that communicate via email are less susceptible to these types of attacks.
True or false? Account de-provisioning is an important process that helps ensure that the principle of least privilege is enforced.
Answer: True. Account de-provisioning is the practice of removing privileges that are no longer needed and prevents permission creep.
Accounts should be reviewed periodically to ensure that company policies are being followed. Privileged accounts are the most important to monitor so that misuse is quickly detected. It’s often possible to detect suspicious activity by reviewing the logged activity of these accounts.
Groups are commonly used to grant privileges, and monitoring membership in these groups is also effective during a review. As a best practice, privileges should be granted only to a group or role rather than to an individual.
Monitoring group membership isn’t the only review, though. The privileges assigned to the groups should also be periodically reviewed. Groups are assigned privileges based on job tasks. As additional job responsibilities are added, additional privileges can be added without removing unneeded privileges. Also, it’s easy to focus only on permissions during a review, but the rights assigned to subjects should also be reviewed.
True or false? System logging is an effective measure used to identify misuse of privileged accounts.
Answer: True. System logs provide accountability as long as effective identification and authentication methods are used.
Revocation of account access is a concept that most people understand, yet it is often not followed in practice. When an employee leaves the company, the account should be disabled as soon as possible. When the account is no longer needed, it should be deleted.
This is especially important for employees who have administrative privileges. There are more than a few stories where administrators were fired but retained access long enough to create unauthorized accounts with full administrative privileges that they later used to launch attacks.
Human resources (HR) departments can be valuable in keeping access control current. They know when employees are changing jobs and permissions should be changed, and they know when employees are being terminated and accounts should be revoked.
True or false? It is not necessary to immediately disable an account when an employee leaves after giving a notice.
Answer: False. It is just as important to disable accounts for employees who leave on good terms as it is to disable accounts for employees who have been fired.
Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
- When is an account provisioned?
- What can be used to review the provisioning process to determine whether the security policy is being followed?
- When should an account be disabled?