Identity Lifecycle Process and You (Part 1)

What makes up your Identity, and how is that used to provide access within the network?

If you would like to be notified when Al Mulnick releases Identity Lifecycle Process and You (Part 2) please sign up to our Real time article update newsletters.

If somebody asked you for your identity, could you produce it? What is your Identity? Is it something that describes what you’re allowed to do, such as a driver’s license? Is it a string of numbers that your government refers to as you for tax transactions? Are these “things” just parts of a bigger whole? To be sure, identity is a hotly debated topic.

But what does identity have to do with security? What is identity really, and how does it fit into the world of network access? Why is it important to you?

Your identity within the context of a corporate network is a thing. This thing represents you to the networked systems. It’s used to make decisions about whether to grant or deny you access to resources, data and information. Systems administrators can have access to just about everything while the boss’ secretary may not have access to more than the boss’ email and his calendar. In this sense, an identity is like a key because it allows you to gain access to something in much the same way a key allows you to gain access to a room or a structure.

Leaving old identities in place is like leaving old keys lying around. For the keys to be in that “old pile” they should be useless, but mistakes happen and you may have left a master key unprotected and unsupervised. Worse, you may have left a usable key in that pile that allows normal user access to rooms; now you have a malicious user who is allowed to roam freely among your general user population!

That would be a bad idea in any security-conscious area. For this reason, developing a process that manages your identities from creation through expiration and removal, whether you call it Identity and Access Management, Identity Lifecycle Management or something else, is a cornerstone of a healthy security posture in any organization.

Anatomy of Network Access: Identification

In order to gain access to any network resource such as a file share, printer, email data, databases and in some cases to access the network itself, you’ll have to provide assertions of your identity. Identity is the piece of information used to answer the questions, “Who are you, can you prove it, what do you want, and do you have access to that?” Simply put, you must identify yourself, authenticate your assertion of identity, and be authorized to access the resource. 

Real-World Example

Think of the networked resource as that trendy club uptown you’ve overheard everyone else raving about. You want to go inside the club and see for yourself. When you get there, the large man at the door with the reflective sunglasses asks you who you are (identification, please). You hand him your license (that’s not necessarily your identification, but it is often used to assert one; more on that in another article). He checks the piece of information you gave him to see if he thinks it is real, a rudimentary semblance of authentication (prove it). He already knows you want into the club (what do you want?). Then he checks his list to see whether you have access to the club (authorization); you’re not on it, so you’re unceremoniously escorted to the outside of the line.

The same thing happens when you try to access a resource on the network. However, one thing that’s different in many networks, especially in an Active Directory network, is that you have something the security guard did not: a trusted identification source. Think about it: there was nothing that could have prevented you from presenting a false identity to the security guard (other than your integrity and, in most countries, the law). For most tasks, that’s considered weak authentication. Another example of weak authentication would be using your network address to identify you as a valid and authorized user.

That’s where strong authentication comes in. In the case of Active Directory, Kerberos is the authentication protocol and the KDC or Domain Controller is the trusted entity that each component of the security domain trusts for authenticating credentials. If the Domain Controller says that identity is authentic, it’s authentic! 

What Is the Difference Between Identity and Authentication?

Sound confusing? Wondering what it has to do with identity processes yet?

Identity is who you are. By itself, an identity is not much good and that’s where authentication comes in.

Authentication is the act of verifying that an identity is who it says it is; it’s authentic. You have to have a way to prove, or authenticate, that you are who you say you are. Otherwise, there’s no real point in having any type of security effort in place, is there?

In Active Directory there are several layers of authentication that help with the entire lifecycle of network access processes. From the initial logon process to Kerberos tickets, your identity and assertions of your identity are constantly being proven to be authentic.

Authorization occurs after you’ve authenticated. In fact, there’s no need to even consider authorizing some security principal to access a resource unless we know that principal is authentic. If your identity has been authorized to access a resource, that authorization is represented as an entry in the resource’s Access Control List (ACL), called an Access Control Entry (ACE).

Remember that the identity asserted can be authentic, meaning it was neither spoofed nor faked when presented to the resource, but that doesn’t mean the person controlling it is the person you think it is! What you are saying is that an entity presented the correct sequence of information to be allowed to use that network identity. That’s not the same as saying it’s the person you intended to give access to. That’s where the process of allocating and revoking network identities becomes critical.
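As an added example (not from the article), the following PowerShell turns the “old keys lying around” idea into a check: it lists user identities that are inactive or expired and shows whether each still holds a direct ACE on a resource. It assumes the RSAT ActiveDirectory module, a 90-day inactivity threshold of your own choosing, and a placeholder share path.

```powershell
# Added example, not code from the article. Reports stale AD identities ("old keys")
# and whether each one still appears as an ACE on a share; -Disable revokes them.
param([switch]$Disable)
Import-Module ActiveDirectory

$InactiveDays = 90                       # assumption: your inactivity policy threshold
$SharePath    = '\\fileserver\finance'   # placeholder path, replace with a real resource

# Enabled user accounts with no logon inside the threshold window
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
            Where-Object { $_.Enabled }
# Accounts whose expiration date has already passed but that were never removed
$expired  = Search-ADAccount -AccountExpired -UsersOnly

$stale = @($inactive) + @($expired) | Sort-Object SamAccountName -Unique

# The ACL of the resource: each ACE names an identity and the rights it was authorized for
$acl = Get-Acl -Path $SharePath

$report = foreach ($acct in $stale) {
    $reason = if ($acct.AccountExpirationDate -and $acct.AccountExpirationDate -lt (Get-Date)) {
        'expired'
    } else {
        "no logon in $InactiveDays days"
    }
    # Only ACEs granted directly to the account are matched here; access inherited
    # through group membership needs a separate group-membership review.
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$($acct.SamAccountName)"
    }
    [pscustomobject]@{
        SamAccountName = $acct.SamAccountName
        LastLogonDate  = $acct.LastLogonDate
        Reason         = $reason
        DirectACEs     = ($aces | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join ';'
    }
}
$report | Format-Table -AutoSize

# Revocation step: disable the stale identities and record why, so the "key" stops working
if ($Disable) {
    foreach ($row in $report) {
        Disable-ADAccount -Identity $row.SamAccountName
        Set-ADUser -Identity $row.SamAccountName -Description "Disabled $(Get-Date -Format s): $($row.Reason)"
    }
}
```

Run without -Disable to review the report first; accounts reached only through group membership will show an empty DirectACEs column even if a group grants them access.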
