Entitlement and Access Management
Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
>> For our tour of entitlement and access management, we're going to go through terminology, RBAC versus ABAC, revisiting the entitlement matrix, and then examine access management, the Cloud provider versus Cloud customer responsibilities.

Authorization is the permission to do something; it's different from authentication. Access control is what allows or denies the expression of the authorization. Hopefully this makes sense. It starts with the authorization. This is the permission to do something, and then you get entitled to have that authorization based on who you are, your identity, as well as other attributes associated with that identity. Access control is the final call: by evaluating the entitlement and authorization rules that are in place, the access control gives you that final go/no-go decision that allows or denies the action that you're trying to perform.

Role-based access control has been around for a long time. It's a very traditional method of structuring things, and in RBAC, your entitlements are defined based on pre-assigned roles, in other words, static attributes. Maybe you need to belong to a certain group, and if you do, then you are allowed to perform certain actions.

ABAC is attribute-based access control. It's a much newer approach, and in this paradigm, entitlements are evaluated more dynamically, at runtime, and they can look at attributes that are dynamic to your particular session as well. This gives you a lot more granularity and flexibility in what you can build out. As a result of this flexibility, it is the preferred approach for Cloud. For example, you can create ABAC rules that not only require you to have certain static attributes (you belong to a group, for example, or you have a certain role assigned to you), but they can also evaluate more dynamic attributes such as: what is the device that you are connecting from? What is the network that you are using? Have you provided multi-factor authentication for this particular session?

We covered the entitlement matrix previously, but I wanted to modify that matrix that we looked at in the earlier module to include an example of where we're employing the ABAC approach as well as RBAC, because the two can work together; it's just that the more you use ABAC, the finer-grained control you have and the greater security you can have. In this example, I added a row at the very bottom for deleting backups. We give anybody who has the backup operator role the ability to perform this action, but we're also going to have some attribute-based access controls to get the appropriate entitlements to perform the delete backup activities. Their particular session needs to have completed multi-factor authentication. We're also going to restrict them to a theoretical IP address range, which would indicate they're working within a trusted network. By adding these additional constraints, we're really locking down how much damage somebody who may have compromised one of these backup operator accounts could cause, because even if they do have the ability to get into one of these accounts, if they want to start deleting the backups, we're really putting the screws on them to make sure that the MFA is taking place and they're only in certain trusted IP ranges. That's going to make it much more difficult for an attacker to create this damage if they're using broad, general Internet access. If they only have a username and password of somebody who does have the backup operator role, they still won't be effective, because there are additional hurdles that they need to go through.

Let's look at access management: Cloud provider versus Cloud customer roles and responsibilities. Starting with the provider side, the different authorization capabilities have to be configured in the Cloud platform. SAML, OpenID, do I support FIDO U2F, all these types of things; it's the responsibility of the Cloud provider to do that. More importantly, once they've configured the different technologies and capabilities, the enforcement of those authorizations and access controls is their responsibility. They need to make sure that whatever engine they're using that gives the access control, that's evaluating the entitlements, that it works and does its job, and that there are no loopholes that could be easily worked around through some odd combination of events or belonging to multiple roles, where all of a sudden you find this little back door that allows you to enter into a superuser mode. This is the responsibility of the Cloud provider, and they should really support ABAC. We talked about that; more and more of them do. They may not call it attribute-based access control. It's always preferred over role-based access control because of the additional level of flexibility that you can have in securing your environment. As we know, the Cloud environment is innately more insecure than the traditional corporate network working within a defined perimeter.

However, the customer does have certain obligations as well. They need to define and configure the entitlements. All those dials and knobs that the Cloud provider gave to them mean nothing if the Cloud customer themselves isn't setting up, isn't integrating with a federated identity system, isn't creating entitlement matrices themselves, and establishing certain groups, creating rules, defining those attribute-based access control rules that allow somebody to perform certain operations or access specific data, or deny them from performing those things. Just like we've talked about with many other things, such as Cloud storage: if, as a Cloud customer, your provider provides the best, most secure Cloud storage option in the world, but then you toggle the setting to say "make this data public to the world," well, the whole world can see it. Now you've opened up the door for a massive data leakage. The same situation and thinking applies here, in that if you've configured things so that any user has broad, very strong permissions, you've really left the door open for a lot of other problems.

Then additionally, the customer needs to map their federated identity attributes to those provider access controls. When you get into the details of putting up federated identity, what defines a username, or what defines the identity, may have a different name for an attribute that the Cloud provider is expecting than your identity system is providing, and so you have to do a little work on the mapping there. Of course, this is very important, because if you do this wrong, you can also open up things very broadly. You want to make sure, for example, that admins belong to a group called Admins. But if you mess up the mapping and say anybody should have admin if they belong to a group Star (*), which is a wildcard, any group, all of a sudden there's a real problem there and a discrepancy in the way you as a Cloud customer have configured things, and it's really not the Cloud provider's fault.

Let's do a little quiz on some of this information. Which of the following is an example of an ABAC attribute, something that you could use and set up for your rules? A: whether a user is logged on with MFA. B: biometric data. C: biometric authentication status. D: A and C. Think about it for a second. The answer is D. B, biometric data, is not something you would use for attribute-based access control. Biometric data is just information, just data. What you really want to know is: has this current session been authenticated using biometric means or not? Now, the biometric data is what's going to be used to enforce and evaluate the accurate authentication of the biometrics, but the status for that particular session, whether they have gone through the biometric authentication process or not, that's the attribute that you're going to be looking at. The same rings true for MFA. For this particular scenario, let's say you want to know: has this user's session authenticated using MFA, or did they just provide the username and password?

That wraps up this short video. We went over the terminology, talked about role-based access control versus attribute-based access control and the subtle but very significant and powerful differences between the two. The entitlement matrix revisited: we looked at that one, pulling from the past, and saw an example of how attribute-based access control can be added into an entitlement matrix. Then we covered access management roles and responsibilities between the Cloud provider and the Cloud customer.
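The following is an added worked example, not part of the course video or its materials, showing in Python the two customer-side pieces the transcript describes: an entitlement matrix whose "delete backup" row combines the backup operator role (RBAC) with session MFA status and a trusted source network (ABAC), and the federated group-to-role mapping with a check that refuses the wildcard-group mistake. The role names, IdP group names, action names, and the 10.20.0.0/16 trusted range are assumptions made up for illustration.

```python
"""Entitlement matrix with RBAC and ABAC rules, evaluated at access-control time.

Assumed example: role names, IdP group names, the actions and the trusted
range 10.20.0.0/16 are all made up for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Customer-side mapping from federated IdP groups to cloud roles.
# A wildcard key such as "*" would hand the role to every authenticated user.
GROUP_TO_ROLE = {
    "Admins": "admin",
    "BackupOps": "backup_operator",
    "Devs": "developer",
}

# Assumed trusted corporate egress range for the network constraint.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class Session:
    """Attributes of one authenticated session."""
    user: str
    groups: frozenset          # static attributes asserted by the IdP
    mfa_completed: bool        # dynamic: was MFA done for this session?
    source_ip: str             # dynamic: where the request came from


@dataclass(frozen=True)
class Rule:
    """One row of the entitlement matrix: RBAC roles plus ABAC constraints."""
    action: str
    roles: frozenset
    require_mfa: bool = False
    trusted_network_only: bool = False


ENTITLEMENT_MATRIX = (
    Rule("read_backup", frozenset({"backup_operator", "admin"})),
    Rule("create_backup", frozenset({"backup_operator", "admin"})),
    # The row the video adds: holding the role alone is not enough to delete.
    Rule("delete_backup", frozenset({"backup_operator", "admin"}),
         require_mfa=True, trusted_network_only=True),
)


def validate_mapping(mapping):
    """Reject the wildcard-group misconfiguration before any role is granted."""
    for group in mapping:
        if group.strip() in ("", "*") or "*" in group:
            raise ValueError(f"wildcard group mapping is not allowed: {group!r}")
    return True


def roles_for(session, mapping=GROUP_TO_ROLE):
    """Translate IdP groups into cloud roles; unmapped groups grant nothing."""
    validate_mapping(mapping)
    return frozenset(mapping[g] for g in session.groups if g in mapping)


def in_trusted_network(ip, networks=TRUSTED_NETWORKS):
    """ABAC network attribute: is the source address inside a trusted range?"""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address is never trusted
    return any(addr in net for net in networks)


def authorize(session, action, matrix=ENTITLEMENT_MATRIX, mapping=GROUP_TO_ROLE):
    """Access-control decision: returns (allowed, reason). Default deny."""
    rule = next((r for r in matrix if r.action == action), None)
    if rule is None:
        return False, f"deny: no entitlement defined for {action!r}"
    held = roles_for(session, mapping)
    if not held & rule.roles:
        return False, f"deny: requires one of {sorted(rule.roles)}, user has {sorted(held)}"
    if rule.require_mfa and not session.mfa_completed:
        return False, "deny: MFA not completed for this session"
    if rule.trusted_network_only and not in_trusted_network(session.source_ip):
        return False, f"deny: {session.source_ip} is outside the trusted network"
    return True, f"allow: {action} for {session.user}"


if __name__ == "__main__":
    # Constructed sessions: a backup operator on the corporate network with MFA,
    # and the same account's credentials replayed from the Internet without MFA.
    inside = Session("alice", frozenset({"BackupOps"}), True, "10.20.5.7")
    stolen = Session("alice", frozenset({"BackupOps"}), False, "203.0.113.9")
    for s in (inside, stolen):
        for act in ("read_backup", "delete_backup"):
            print(s.source_ip, act, authorize(s, act))
```

The point to notice when running it is that the stolen-credential session still passes the RBAC-only rows (read_backup), because role membership is a static attribute the attacker inherits with the password; only the ABAC constraints on delete_backup turn the same role into a deny. The mapping check runs on every decision so that a wildcard slipped into the IdP-to-role configuration fails closed instead of silently granting the role to every group.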