3.7 Identity and Account Management Controls

Identity Controls

Identity provider (IdP) = service that vouches for you - holds a list of entities such as users and devices - commonly used for SSO applications - OAuth, SAML, and OpenID Connect are some of the standard authentication methods


Account Types

User account - account that is associated with a specific person, usually has a name

Shared account - used by more than one person, guest login, anonymous login

Service account - used by services running on a computer, web server, database server

Privileged account - Windows = Administrator, Linux = root - complete access to the system, manages hardware drivers and software installation


Account Policies

Auditing - systematic process of collecting and evaluating evidence - determines whether a computer system safeguards assets, maintains data integrity, achieves organizational goals effectively, and uses resources efficiently - key aspects: accountability = tracking user activities and changes to the system or data; evidence = compliance with regulations, standards, and policies; effectiveness = the organization can evaluate the effectiveness and efficiency of its security controls and processes

Permission auditing - does everyone have the correct permissions?

Usage auditing - how are your resources being used?

Account lockout policy - the account will be locked if you try your password more than ... times - administrators sometimes disable the account lockout policy for service accounts, because a locked-out (inaccessible) service account could prevent the business from operating properly
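As an added illustration (not part of these notes), a small Python model of the lockout caveat above: user accounts are locked once the threshold is reached, while the hypothetical service-account exemption records audit alerts instead of locking, so the failed attempts stay visible rather than disappearing when lockout is simply switched off. The account names, threshold and policy class are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Account:
    name: str
    kind: str            # "user" or "service" (account types from the notes)
    failures: int = 0
    locked: bool = False


@dataclass
class LockoutPolicy:
    """Hypothetical lockout policy, not a real product's API.

    User accounts are locked after `threshold` failed attempts. Service
    accounts are exempt from locking (a locked service account would stop
    the services that depend on it), but each failure at or above the
    threshold is written to an alert list for auditing.
    """
    threshold: int = 5
    alerts: List[str] = field(default_factory=list)

    def record_failure(self, acct: Account) -> bool:
        """Register one failed logon; return True if the account is now locked."""
        acct.failures += 1
        if acct.failures < self.threshold:
            return False
        if acct.kind == "service":
            # Exempting the account must not mean losing the evidence.
            self.alerts.append(
                f"ALERT service account {acct.name}: {acct.failures} failed logons")
            return False
        acct.locked = True
        return True

    def record_success(self, acct: Account) -> bool:
        """Register a correct password; a locked account is still refused."""
        if acct.locked:
            return False
        acct.failures = 0
        return True


def demo() -> dict:
    """Constructed scenario: three wrong passwords against a user and a service account."""
    policy = LockoutPolicy(threshold=3)
    alice = Account("alice", "user")
    svc = Account("svc_backup", "service")
    for _ in range(3):
        policy.record_failure(alice)
        policy.record_failure(svc)
    return {"alice_locked": alice.locked, "svc_locked": svc.locked,
            "alerts": len(policy.alerts),
            "alice_login_ok": policy.record_success(alice),
            "svc_login_ok": policy.record_success(svc)}
```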

Location-based policy - geolocation: identifying the location of a user - geotagging: addition of location metadata to a file - geofencing: allow or restrict access based on a particular location
