WEBVTT

00:07.280 --> 00:12.530
Identity and Access Management, or IAM, is probably a term you're familiar with by now.

00:12.560 --> 00:17.180
Even if you haven't had experience with it in your cybersecurity career, you've probably set up multi-factor

00:17.180 --> 00:19.100
authentication for various accounts.

00:19.100 --> 00:25.220
Or you simply use single sign-on to simplify your account access, or use biometrics instead of a

00:25.220 --> 00:27.050
password to log into a device.

00:27.080 --> 00:32.330
Beyond these simple IAM topics, there are a lot more complex enterprise considerations like privileged

00:32.360 --> 00:38.930
access management, or PAM, and Cloud Access Security Brokers, or CASBs, in the realm of cybersecurity.

00:38.960 --> 00:43.400
You'll need to know these systems inside and out in order to securely set up your accounts for users

00:43.400 --> 00:46.160
to ensure no one has access to something they're not supposed to.

00:46.190 --> 00:52.970
Identity and Access Management, or IAM, is the set of different access controls designed to secure your enterprise

00:52.970 --> 00:53.750
environment.

00:53.780 --> 00:58.280
You have to remember that we need to identify every user that comes in contact with our environment.

00:58.310 --> 01:02.440
This means identification of the specific user or group of users.

01:02.440 --> 01:07.960
We want to know and annotate the person that is accessing our environment: first name, last name, and

01:07.960 --> 01:09.700
maybe an employee identification.

01:09.730 --> 01:13.540
This all slides into the identification model of access control.

01:13.540 --> 01:18.970
We also want to authenticate, since just because someone says they are someone doesn't necessarily

01:18.970 --> 01:21.040
mean that they are who they say they are.

01:21.070 --> 01:27.040
What I mean by this is that by authenticating the identification, we're going through and verifying they are

01:27.040 --> 01:32.470
exactly who they say they are, and that they have the privileges associated with that specific user.

01:32.500 --> 01:34.780
This comes into play with authorization.

01:34.780 --> 01:38.380
Once we've identified them, we've authenticated or validated them.

01:38.380 --> 01:42.370
We are now authorizing them to use different aspects of our enterprise environment.

01:42.400 --> 01:47.680
Maybe that's just accessing Microsoft Word for a Word document or the browser to scour the internet,

01:47.680 --> 01:52.660
but it could also be authorization to gain certain permissions within our enterprise environment, like

01:52.690 --> 01:57.850
accessing the firewall to reconfigure it, or touching on a server and redoing a web page.

01:57.880 --> 02:04.030
All this comes into the confines of access security management, or identity and access management.

02:04.030 --> 02:05.290
Within IAM,

02:05.380 --> 02:11.800
Multi-factor authentication is designed around the idea that having a simple username and password

02:11.800 --> 02:17.440
is just not enough to gain access into our system. By using MFA, or two-factor authentication

02:17.440 --> 02:23.200
(2FA), we combine the simple knowledge portion with other aspects of your identity.

02:23.230 --> 02:28.300
We know that there are password lists out there that literally have thousands of different passwords well

02:28.330 --> 02:33.220
known to attackers, and we need to identify those passwords and make sure that they're not part of

02:33.220 --> 02:36.910
our normal password list that we allow users to utilize.

02:36.910 --> 02:40.060
However, there's no way we can grab every single one of them.

02:40.240 --> 02:46.000
First off, we understand that users will often use something that they know or reuse a password.

02:46.000 --> 02:51.460
In general, this often comes into play with simple words like dog, one, two, three, or even password.

02:51.460 --> 02:56.140
We know that the most commonly used password out there right now is 123456.

02:56.140 --> 03:00.200
So we need to not only stop that type of password, but we need to add on to that.

03:00.200 --> 03:06.950
So even if a user's password has been taken advantage of or known by a malicious actor, the password

03:06.980 --> 03:09.770
by itself is not going to gain an entry into our systems.

03:09.800 --> 03:13.790
This is where multi-factor authentication comes into play.

03:13.790 --> 03:18.860
Something you know: you know, this is a password or a PIN that you've identified, and usually

03:18.860 --> 03:20.900
pretty common. Something you have.

03:20.900 --> 03:26.420
This could be a telephone or a PIN code that's transmitted to you via SMS text.

03:26.450 --> 03:29.150
This could be a token that you utilize.

03:29.150 --> 03:34.370
It can be any number of things, but it's usually where we're providing data out-of-band to the

03:34.370 --> 03:37.910
user themselves, usually via a mobile device or a token.

03:37.940 --> 03:39.200
There's something you are.

03:39.230 --> 03:45.080
This is biometrics: a fingerprint, iris scan, maybe facial recognition. Then somewhere you are.

03:45.110 --> 03:50.810
Maybe we only identify that your user is authorized to access the systems from a specific city, or

03:50.840 --> 03:53.570
an IP address associated with that user.

03:53.570 --> 03:59.670
For instance, when I was in Phoenix, Arizona, I would have to log in from Phoenix. Anytime I went

03:59.670 --> 04:01.590
out of the Phoenix metropolitan area,

04:01.620 --> 04:05.880
The system would pick it up and go, no, you're not allowed to access into our system because you are

04:05.880 --> 04:07.500
not where we expect you to be.

04:07.530 --> 04:09.240
And then there's something you do.

04:09.270 --> 04:12.300
Well, this is very limited in scope with technology nowadays.

04:12.300 --> 04:17.100
This is usually attributed to something like typing out your password and the key functions that you

04:17.100 --> 04:19.830
actually type it in, or how you sign your name.

04:19.830 --> 04:25.320
It's the action of doing something on the keyboard, or with a Pin code that allows the system to go

04:25.350 --> 04:30.060
yes, you normally type your password in this function or at this speed with this pause.

04:30.090 --> 04:36.060
This is something that you do that stipulates or articulates multifactor authentication.

04:36.090 --> 04:41.340
Single sign-on is the idea that I have an enterprise environment, and I only want you to have one

04:41.340 --> 04:43.620
complex password that you have to memorize.

04:43.620 --> 04:49.740
Usually this password is very vast and usually encompasses anywhere from 18 to 24 characters with special

04:49.740 --> 04:55.370
characters, capital letters, lowercase letters, and you get the gamut, numbers included. With a single

04:55.370 --> 04:55.850
sign-on,

04:55.850 --> 05:00.050
in my enterprise environment, you sign on once, meaning that your password doesn't have to be changed

05:00.050 --> 05:06.500
very often, but you gain a plethora of tools to utilize within my enterprise environment, meaning

05:06.500 --> 05:11.390
you have access to your email, you have access to different systems or capabilities within the enterprise

05:11.390 --> 05:11.990
environment.

05:11.990 --> 05:13.850
You can access SharePoint.

05:13.910 --> 05:18.650
You have access to different operations or departments that you would normally come into contact with.

05:18.680 --> 05:23.960
This single sign-on aspect really provides us a secure password because it can make it very complex

05:23.960 --> 05:28.400
and very lengthy, but you don't have to re-memorize it every single time, nor do you have to come

05:28.400 --> 05:30.980
up with 12 different passwords for 12 different systems.

05:31.010 --> 05:36.530
Now single sign-on is really used within an enterprise environment or an employee aspect, meaning we're

05:36.530 --> 05:41.660
not going to do what most people call single sign-on, which is a federated sign-on. Within a federated

05:41.660 --> 05:42.110
sign-on,

05:42.110 --> 05:48.170
I can use, like, my Google password or Facebook to access different websites or applications across

05:48.170 --> 05:49.520
different organizations.

05:49.550 --> 05:55.250
Single sign-on is specific to the organization in which you work. Federated sign-on would be utilizing,

05:55.280 --> 06:01.700
like Google to access different websites or something like Amazon passwords to access maybe your Facebook

06:01.700 --> 06:05.240
account along with your LinkedIn account versus your email.

06:05.270 --> 06:09.440
All of this is cross-organizational within a federated sign-on atmosphere.

06:09.470 --> 06:15.380
Privileged Access Management, or PAM, is the idea of having the framework involved in minimal accounts.

06:15.410 --> 06:20.750
Meaning I have privileged accounts or administrative accounts across my functional areas, and I want

06:20.780 --> 06:24.830
to minimize the number of people that actually have access to those permissions.

06:24.860 --> 06:29.150
This would be something like if I have an administrator that usually does a lot of my server work,

06:29.150 --> 06:34.670
I don't want to have every IT person in my staff being able to access all the server infrastructure

06:34.670 --> 06:40.310
and be able to change the configurations. By providing minimal accounts to minimal unique users,

06:40.310 --> 06:44.960
then I can understand and track exactly what's going on within those different aspects.

06:44.960 --> 06:50.860
Meaning if Joe over there is accessing a server with a privileged account to change the configuration

06:50.860 --> 06:56.800
files, I can quickly identify that Joe is the one doing it, which is going to limit the number of available

06:56.800 --> 07:01.120
accounts that malicious users could use to hack or gain access.

07:01.120 --> 07:02.710
By having minimal accounts,

07:02.710 --> 07:07.690
I'm limiting or preventing access by malicious users.

07:07.690 --> 07:10.450
I want to make sure that my accounts are unique in nature.

07:10.450 --> 07:13.540
I don't want Joe, Bob, and Steve to all use the same account.

07:13.540 --> 07:18.970
I want each one to have a unique account to access the different features on the same server, regardless

07:18.970 --> 07:20.440
of whether they have the same permissions.

07:20.440 --> 07:25.210
They need to have different unique accounts so that I can properly track and monitor what they're doing.

07:25.210 --> 07:28.300
We want to elevate those accounts on a case by case basis.

07:28.300 --> 07:33.370
Meaning let's say that Joe over there normally has access to change configuration files inside of a

07:33.370 --> 07:35.710
server, but only a subset of servers.

07:35.740 --> 07:39.820
However, he wants to access and change the configuration for a top-level server.

07:39.820 --> 07:45.760
If I want to give access to those privileges for that specific top-level server, I'm going to elevate

07:45.760 --> 07:51.440
his permissions on a short-term basis because he needs to configure that specific server. Once he's

07:51.440 --> 07:51.890
done,

07:51.920 --> 07:55.250
We're going to lower those permissions so he can't access it again.

07:55.280 --> 07:59.510
This is done by a case by case basis depending on what the user is trying to accomplish.

07:59.540 --> 08:02.630
We want to make sure that we can log and monitor all those users.

08:02.630 --> 08:05.210
And we want to enforce multi-factor authentication.

08:05.240 --> 08:10.250
Imagine, if you will, a user that has privileged access and only has to log in remotely with the username

08:10.250 --> 08:11.090
and password.

08:11.120 --> 08:15.530
They can make their password even very complex, but as soon as the malicious actor gets a hold of it,

08:15.530 --> 08:20.750
they can really cause some havoc within our internal system. By implementing multi-factor authentication

08:20.780 --> 08:23.930
on top of that, we've better secured our systems all the way around.

08:23.990 --> 08:29.090
Understanding that usernames and passwords are probably the weakest form of authentication in our enterprise

08:29.090 --> 08:32.600
environment leads us to something called passwordless authentication.

08:32.630 --> 08:37.160
This is the idea that we're not going to have something you know as a major point of authentication

08:37.160 --> 08:39.560
for the identity management of IAM.

08:39.590 --> 08:45.560
We're going to authenticate utilizing different aspects like biometric authentication or security token.

08:45.560 --> 08:51.210
So we're mixing something you are with something you have and making that our two-factor authentication

08:51.210 --> 08:54.900
or multi-factor authentication. We're getting rid of something

08:54.900 --> 08:59.790
you know completely when it comes to authenticating the different users on our systems. We want to provide

08:59.790 --> 09:01.260
unique links as well.

09:01.290 --> 09:05.520
What I mean by that is, let's say that you log into a system for the first time using a username and

09:05.520 --> 09:06.090
password.

09:06.120 --> 09:08.670
Now, I just said we're not going to use the username and password.

09:08.700 --> 09:14.070
However, if you log in with the username and password, it SMSes you a link, which you then click

09:14.070 --> 09:14.550
on.

09:14.550 --> 09:18.000
That link that you clicked on is now something you have.

09:18.030 --> 09:19.740
It at least sent you the link via phone.

09:19.770 --> 09:24.750
You then log in via a second authentication methodology like biometrics.

09:24.750 --> 09:29.220
So in complexity, what we've really done is we've said you have to know your username and password,

09:29.250 --> 09:34.020
you have to have the device which is something you have, and then you have to provide a biometric authentication,

09:34.020 --> 09:38.340
meaning that you've done three forms of authentication, something you know, something you have and

09:38.340 --> 09:39.180
something you are.

09:39.210 --> 09:43.710
We want to make sure that regardless of the passwordless authentication that we're utilizing, we're

09:43.710 --> 09:49.390
using out-of-band authentication, meaning that when you enter that username and password, you're not

09:49.390 --> 09:51.880
providing authentication on the same web page.

09:51.880 --> 09:56.620
If I log into a system and then it says, oh, you've logged in, let's send you directly to that website,

09:56.620 --> 09:58.180
that's in-band authentication.

09:58.180 --> 10:00.430
We're providing you the link just by logging in.

10:00.460 --> 10:03.670
By using an SMS text message to your mobile device,

10:03.700 --> 10:08.140
We've provided an out-of-band authentication, meaning it's gone a different route than your initial

10:08.140 --> 10:08.890
input.

10:09.190 --> 10:14.590
Cloud Access Security Broker, or CASB, allows us to detect visibility of our users.

10:14.590 --> 10:19.270
I need to be able to see who, what, and when they are doing the actions that they're doing within

10:19.270 --> 10:20.380
a virtual environment.

10:20.380 --> 10:26.530
I need to be able to see and then potentially block or constrain those authorizations on a case by case

10:26.530 --> 10:31.810
basis, which means if I have a user that's trying to log in during the weekend and that user isn't permitted

10:31.810 --> 10:34.990
to access during the weekend, I can constrain those services.

10:34.990 --> 10:39.970
I can also stop them. Say if they're normally working from 8 to 5, I can make sure that we not only

10:39.970 --> 10:45.350
monitor them, but that we can constrain their usage after 5:00 p.m. and, say, until 7:30 a.m.

10:45.380 --> 10:50.270
I can go through that process of visibility by monitoring the users and what they have access to.

10:50.300 --> 10:52.160
I can also do threat protection.

10:52.160 --> 10:58.580
This allows us to detect and potentially block malware or insider threats from compromised accounts.

10:58.580 --> 11:03.950
We want to use this feature for intrusion detection and protection of the system of your cloud services.

11:03.950 --> 11:05.720
We want to use data security.

11:05.750 --> 11:11.480
Data security identifies whether the environment is regulated or not regulated, and it identifies

11:11.480 --> 11:17.240
different protection mechanisms within our cloud environment to ensure that customer information or

11:17.240 --> 11:22.910
future product releases are constrained and that intellectual property is actually secure going through

11:22.910 --> 11:24.380
that data security prospect.

11:24.410 --> 11:27.200
Think of it the same way you would secure data on a regular server.

11:27.230 --> 11:31.970
We want to encrypt it, and we want to make sure that users are only authorized to access that information

11:31.970 --> 11:35.660
if they're actually truly authorized within compliance.

11:35.660 --> 11:41.210
We want to make sure that our cloud infrastructure is regulated to conform to our regulated requirements,

11:41.210 --> 11:45.810
whether it's PCI DSS or HIPAA or FERPA or even GDPR.

11:45.840 --> 11:50.940
We want to make sure that we're maintaining that aspect of security and compliance infrastructure within

11:50.940 --> 11:51.900
our cloud environment.

11:51.930 --> 11:57.270
We often remember to do it on our on-premises environment, but we often forget it in our cloud environment.

11:57.300 --> 12:01.560
You have to remember that both are on the same side of the same coin, and that we have to provide that

12:01.710 --> 12:05.820
compliant infrastructure regardless of where the data is being stored, regardless of whether it's in

12:05.820 --> 12:08.220
a virtual environment or an on-prem environment.

12:08.640 --> 12:12.150
Throughout this episode, we've identified identity and access management.

12:12.360 --> 12:13.050
IAM.

12:13.050 --> 12:18.810
We've talked about multi-factor authentication in detail, some SSO and federation when it comes to sign

12:18.840 --> 12:19.800
on processes.

12:19.800 --> 12:26.010
We've also identified privileged access management, passwordless authentication, and of course, cloud

12:26.010 --> 12:27.360
access security broker.

12:27.390 --> 12:32.820
We defined how these different tools and different technologies allow us to secure our different environments,

12:32.820 --> 12:37.920
whether it's an on-prem environment or in a cloud environment, and ensure that security curtails right

12:37.920 --> 12:42.660
at the beginning or the forefront of what we're trying to establish within our enterprise environment.
