Learning Library


Identity and Access Management Overview

Key Points

  • The series shifts focus to the seven domains of cybersecurity architecture, beginning with identity and access management (IAM) as the “new perimeter” that must verify who users are early in the process.
  • IAM revolves around four core functions—Administration (defining access rights), Authentication (confirming identity), Authorization (granting permissions), and Audit (reviewing the previous steps).
  • A foundational IAM architecture includes “store and sync” capabilities that manage user identities and ensure consistent data across systems, much like plumbing beneath a building’s structure.
  • Defining major user groups (e.g., employees, suppliers, customers) and sub‑groups is essential for establishing roles and assigning appropriate IDs and access rights such as HR, email, or CRM systems.

**Source:** [https://www.youtube.com/watch?v=5uNifnVlBy4](https://www.youtube.com/watch?v=5uNifnVlBy4)
**Duration:** 00:31:12

## Sections

- [00:00:00](https://www.youtube.com/watch?v=5uNifnVlBy4&t=0s) **Untitled Section**
- [00:03:08](https://www.youtube.com/watch?v=5uNifnVlBy4&t=188s) **Understanding Directories and LDAP** - The speaker explains that a directory is any system that stores user identity information—requiring a database, a schema for organizing attributes, and a protocol such as LDAP—to enable authentication, authorization, and account management.
- [00:06:14](https://www.youtube.com/watch?v=5uNifnVlBy4&t=374s) **Virtual vs Meta Directory Overview** - The speaker contrasts virtual directories, which serve as indexed pointers to external data, with meta directories that pre‑fetch and store relevant user information, highlighting their role in creating a synchronized, integrated IAM foundation before discussing administrative capabilities.
- [00:09:23](https://www.youtube.com/watch?v=5uNifnVlBy4&t=563s) **Role‑Based Access Mapping Workflow** - The speaker outlines a system that pre‑defines access rights for each job role (e.g., teller, branch manager), automatically verifies eligibility through an approval check against employee records, and provisions the necessary accounts via an identity management connector.
- [00:12:26](https://www.youtube.com/watch?v=5uNifnVlBy4&t=746s) **Automated Access De‑provisioning Process** - The speaker outlines how approved role‑based requests grant access, then stresses the need for an efficient de‑provisioning workflow that automatically revokes all accounts for departed employees through an identity governance system.
- [00:15:33](https://www.youtube.com/watch?v=5uNifnVlBy4&t=933s) **Understanding Multi-Factor Authentication** - The speaker outlines the shortcomings of knowledge‑based authentication and explains how combining a device you have (e.g., a mobile phone) with a biometric factor (something you are) creates a stronger, multi‑factor authentication system.
- [00:18:41](https://www.youtube.com/watch?v=5uNifnVlBy4&t=1121s) **Single Sign-On with MFA** - The speaker advocates using single sign‑on paired with multifactor authentication to simplify user credentials while simultaneously strengthening security.
- [00:21:52](https://www.youtube.com/watch?v=5uNifnVlBy4&t=1312s) **Privileged Access Management and Password Pitfalls** - The speaker explains PAM, the high‑risk nature of privileged accounts, the need for extra verification, and how many organizations mistakenly reuse passwords for these critical users.
- [00:24:57](https://www.youtube.com/watch?v=5uNifnVlBy4&t=1497s) **Dynamic Password Rotation via PAM** - The speaker explains how a PAM system assigns each privileged account a unique password, grants users temporary access through authorization, and automatically changes the password after the session to ensure continual security.
- [00:28:08](https://www.youtube.com/watch?v=5uNifnVlBy4&t=1688s) **Enterprise Identity Management with UBA and Federation** - The speaker describes how a comprehensive enterprise identity and access management architecture incorporates user behavior analytics to detect anomalies and uses standard federation protocols to extend authentication across external cloud and partner domains.

## Full Transcript

0:00 Welcome back to the Cybersecurity Architecture Series.
0:03 In the previous three videos, I talked about some of the fundamental concepts of cybersecurity architecture.
0:09 In the next seven videos, we're going to talk about the seven domains of cybersecurity architecture.
0:15 And today we're going to focus specifically on identity, or identity and access management.
0:20 IAM is another way that it's thought.
0:23 It's said that identity is the new perimeter.
0:25 And the reason people say that is because we really can't rely on all of these other things alone to do the job.
0:31 We need to start figuring out who the user is as soon as we possibly can.
0:36 And what we do in identity and access management are the four As.
0:40 The first one is Administration.
0:42 That's where we try to figure out what access rights you have and create those.
0:47 Authentication, where we determine who you are.
0:50 Authorization, where we determine if you're allowed to do this or not.
0:53 And then Audit, where we go back and see if we did the previous three As correctly.
0:57 We're going to talk about an architecture that you see here.
1:00 This is a high-level conceptual architecture where we're going to talk about the capabilities that will implement that.
1:08 Starting with this base level.
1:11 Think about if we were doing a building, this is the foundation, or this is the plumbing.
1:15 This is the stuff that we're going to build on top of.
1:19 And the first two concepts we're going to talk about here are store and sync.
1:23 Why?
1:24 Well, it turns out we've got users, of course, and those users will be of different types.
1:30 When I'm doing an engagement with a client and I'm trying to figure out what their identity and access management architecture
1:35 should look like, this is where I usually start the discussion.
1:39 I say, "What kind of user groups do you have?"
Now we're going to have a very simplified example here, but what it would be looking for is--
1:45 so you've got a bunch of users up here, what are the large general groups and types?
1:50 Well, they might say, "Well, we've got employees, we've got suppliers, we've got customers."
1:55 That's three major groupings of clients or of users.
1:59 And then among the employee group, we could break that down and say, we've got people that do administrative staff jobs,
2:04 we've got people in manufacturing, we've got people in sales.
2:08 So those are different groups of large groups of users as well. Suppliers, I'll leave that all just as one.
2:14 And then customers, well, we've got commercial and we've got retail.
2:18 So again, very simple example here.
2:20 But you can see with these types of user groups what we're going to do.
2:24 We're going to use this later in defining roles, so just bear that in mind.
2:29 I take these users and users then have certain capabilities.
2:34 What they have are IDs and access rights.
2:37 For instance, everyone who's an employee is probably going to be in the HR system--that's what we would assume.
2:43 They're also going to probably need email access
2:46 and some of those users might need access to our customer relationship management system.
2:51 Some of them may need also access to the finance system.
2:54 So I could pick one of these particular users
2:56 and say those are the access rights that they're going to need across all of these different systems.
3:03 Now, that's what the user wants, but these all have to have identities.
3:09 Wherever I store identity information--so that is names, that is accounts, that is the department you're in.
3:17 Any information about a user is essentially an identity.
3:22 And wherever I store that, I'm going to tell you is what we call a directory.
3:28 Now there are some people that have more narrow definitions of directories.
3:32 But I'm going to tell you a directory is wherever we store user information.
3:35 And what I need to do is for each of these systems that are up here, I need to be able to store their information in a directory
3:43 so that I can then look up and do the authentication and authorization, so I can store their accounts in the administration step, and so forth.
3:53 With this, what goes into a directory?
3:56 Well, typically what I need is some sort of database because I'm going to store those accounts in the directory itself.
4:03 I also need a schema.
4:05 That's how I organize the information about that particular user.
4:09 And I could use a different schema in different cases.
4:11 Different applications may have different ways that they're expecting the information to be represented.
4:17 And then ultimately, I need a protocol, a way that I can talk to this directory.
4:21 A thing that will let me send messages in and get information back out.
4:26 I can store information in it, I can pull information back out.
4:30 The most common of these protocols is known as LDAP--the Lightweight Directory Access Protocol.
4:36 So this is a way of talking to [it].
4:39 Although what you'll hear many times people...
4:40 they'll say "I put it in an LDAP directory." What they really mean is it's a directory that has these elements.
4:48 And I'm using LDAP as the protocol to talk to it.
4:51 But at the end of the day, it's some form of data store that I've got here.
4:55 And you may also hear the term Active Directory.
4:57 So that's Microsoft's version of this kind of thing, but it will also speak through the LDAP protocol.
5:04 That's the industry standard protocol for this.
5:06 Okay, so in a perfect world, what I would do is take all of these user accounts, all of the information about all these users,
5:12 put them in one directory, we would call that an enterprise directory and it would be job done for this foundation layer.
5:20 In the real world, what happens is this system right here, you know, maybe it requires its information in a very specific directory.
5:29 And this information has to be stored in this particular [one], that is, the application has hooks into a very specific data store and so forth.
5:38 You see what's happening here.
5:41 That is, these applications are requiring specific directories.
5:45 In a perfect world, it would all use one.
5:47 In the real world, we have multiple directories.
5:50 Any organization of any substantial size will have multiple directories in their environment.
5:56 They might not think about all of them all the time, but they are there.
5:59 So what would be the next best thing if I can't get everything into one single directory?
6:05 The next best thing, if I can't store them all in one place, is to have an ability to synchronize them.
6:11 And there are a couple of different ways that we can approach synchronization.
6:14 One is a virtual directory.
6:17 That is, where this thing here is basically an index.
6:21 If someone sends a request into this directory and says, "Look up this user information,"
6:25 it knows where the information is and goes out and retrieves it for me.
6:30 The information then might be cached here for performance reasons.
6:34 But in general, it's an index that points in to someplace else.
6:37 Another approach is a meta directory.
6:39 With this, I might actually take the information and pre-fetch it and store it up into an enterprise directory.
6:46 I might not copy everything from all of these lower level directories into the enterprise directory,
6:51 but I'm going to copy the relevant pieces so that way they are already in existence, already there, when I need to look them up.
6:59 So the first thing we have to do in our IAM architecture--have a place to store users
7:04 and a way to synchronize their information so that we have an ecosystem of integrated directories.
7:12 Okay, now we've covered the base, the foundation, the plumbing of an identity and access management architecture.
7:19 Now let's get into the real capabilities.
7:22 First of all, we're going to talk about administration.
7:25 That's where we create accounts, we delete accounts, we update accounts, we change privilege levels, all of this kind of stuff.
7:33 It's an administrative task.
7:35 And the term that's often used is identity management, or identity governance has now become a more popular term for this.
7:43 But these all kind of mean the same thing.
7:45 And what we're going to do is take an example here.
7:48 We're going to add into our architecture this administrative application, which again, is the identity management or identity governance.
7:55 And I'm going to include in that our role management capability.
7:59 In the previous section, I talked about the different types of users that we have.
8:04 In a good architecture, in a good implementation, I would take those different user groups and map them into roles.
8:11 These are IT roles that will have some mapping into their business role within the organization.
8:17 And I'm going to use those things to then tell me what are the IDs that a person should have.
8:23 In a perfect world, everything would map into a role, and then I know exactly what they need.
8:28 In the real world,
8:30 maybe it's 80/20, maybe that 80% of your access rights I can determine based upon the role that you perform.
8:36 And then the other 20% we'll handle as one-offs.
8:39 And that would still be a massive improvement.
8:42 Let's take a look at how this works.
8:44 Let's say we have a user here.
8:46 This guy just got hired into the company.
8:48 So what are we going to do?
8:49 We're going to add him into the HR database.
8:52 So this HR database is going to identify all kinds of information about who this user is,
8:58 who they work for, that sort of thing, and the job role that they perform--so the business role.
9:03 What I can do then is generate from that a request into our identity management/identity governance system.
9:13 That then will go into a role management system which will take the information
9:18 that we got passed to us from HR and convert this into an IT role or roles.
9:24 Because there could be multiples that this person needs in order to do their job.
9:27 Within those role definitions.
9:30 For instance, if it's a bank, I might say if you're a teller, then you need the following access rights, because all tellers need that.
9:36 If you're a branch manager, you need the following access rights, and so on and so forth.
9:41 So that's an example of what those kind of role mappings would look like.
9:44 I based this upon what role that the user is performing, and I say we have already determined in advance
9:52 that if you're performing this role, you need this account and you need this account.
9:57 Great, I don't have to go figure out on a one-off basis what they need, I kind of already know.
10:03 Then for each of these accounts, I need to go through some sort of approval process.
10:08 Some way that I'm going to go through and make sure that you should have these access rights.
10:15 In some cases, it'll be very straightforward.
10:17 For instance, if you're an employee, then we map you into the role, and that account might be, say, an email account.
10:25 Let's say all employees are entitled to an email account.
10:28 So we're going to run that through the approval process, which is actually going to be very straightforward,
10:31 it's just going to do maybe a lookup to see if you are still in the database,
10:36 if you're still an active employee, and if so, then you are considered to be approved.
10:41 And if you're approved, then I'm going to have a connector from my identity management system that goes out into the directory.
10:49 Remember I talked about where we store in directories in the previous section?
10:53 This is where we're going to do that.
10:55 We're going to store your information into that directory, and that will then give you those access rights.
11:01 And in some cases there might be an API call that happens here, but this is one way that it happens.
11:07 So this user now has gotten their email account.
11:11 Another thing that happens, let's say for this other account, maybe it's more sensitive information.
11:15 So the approval process is more complex.
11:18 We're going to start here and we're going to say you need to get an approval by this person and simultaneously by this person.
11:25 Or we could make them so that it's one or the other.
11:29 You could build this into the workflow approval process.
11:32 And then once I've received all of those, then we're ready to go ahead and provision the account for you.
11:38 So this provisioning, this creation of the account, flows all the way through the system.
11:43 And you notice it's based upon the role, it's based upon the account, it's based upon the approval workflow process.
11:49 And then we store it in the directory, and now the user has access.
11:54 Okay, so that's one use case.
11:55 Let's go through a different use case, different scenario.
11:58 Here's an existing employee who says, "I've already got access, but I need more access.
12:03 I need access to another system over here that I don't."
12:07 So we're not going to get them through the HR system, but we're going to put a GUI,
12:11 some type of web interface where this user can go and request new access rights.
12:16 And when they make their request, it's going to map into the same process we have here.
12:20 That's the nice thing.
12:22 We want to reuse the same infrastructure to do all of this.
12:25 So the request comes in.
12:26 It may map to a role or not, since it's a single one-off request,
12:30 probably it's going to skip the role part and it's going to map to a particular account.
12:35 And that account still must be approved, still has to go through the regular approval process.
12:41 And once it's been approved, then we're going to give him the access rights that he's asked for.
12:46 Or if not, then we're going to say why.
12:48 So that's the second use case.
12:51 Now, the third use case, let's say we have an employee who now has left the organization.
12:56 Could be on good terms, could be they retired, could be on bad terms, that they got terminated.
13:02 But this person is no longer an employee.
13:04 Now, what I need--I've created a system that efficiently creates access rights.
13:09 I need a system that is even more efficient at removing those access rights, because that's where the security exposure exists.
13:16 So this provisioning process; now, I need a de-provisioning process to untangle, unwrap everything that I've done.
13:23 So that will indicate in the HR system this person is no longer employed here.
13:27 And that will send a request into our identity governance system, which will know all of the accounts that this user has.
13:38 It will know that we created an account for this guy here and here because this was the system that created it.
13:45 It's the one system of record that knows all of that.
13:47 By the way, if I don't have this kind of infrastructure in place,
13:50 if I've just gone and created each of these accounts separately, I don't have any one single source of truth.
13:56 It means I have to go audit every single one of these systems out here to figure out
13:58 where does this guy have access rights and how can I remove all of those.
14:03 With this type of system, I can efficiently provision, and now I'm going to send the de-provision request in to here.
14:10 I don't need to approve a de-provisioning request in most cases, so it's just going to go and delete all of the access rights that this guy had.
14:19 So there's three different use cases that you can see where the ability to provision and then, from a security standpoint,
14:24 even more importantly, the ability to de-provision has become very important.
14:31 Okay, now we've covered the identity management, the provisioning and de-provisioning part of the process.
14:37 That's the administration, the first of the As.
14:40 Now we're going to take a look at the next two, the authentication and authorization portions of the four As.
14:47 So I've added to our architecture diagram an access management component.
14:52 So identity management is kind of this first one.
14:55 Access Management, if we're talking about identity and access.
14:58 This is the access part.
15:00 All right, let's take a look.
15:02 Authentication.
15:03 What we're trying to do with authentication is answer the question, "Who are you?"
15:09 So I'm going to determine who you are based upon something you know, something you have, or something you are.
15:16 That's traditionally how we do this.
15:18 Something you know might be a password, for instance, or a PIN.
15:23 This is going to be something that stays in your head.
15:26 And you don't tell anybody else.
15:27 Because, by the way, if it leaks out of your brain into another brain, then it's no longer authenticating you.
15:34 That's the problem with knowledge-based authentication,
15:37 is that we don't necessarily know if information exists in only one brain because it can replicate.
15:44 The next possibility is something you have.
15:47 And the most common version of this that we see today is using a mobile phone, because pretty much everyone has one all the time.
15:55 And your mobile phone is unique.
15:57 So if part of our authentication is requiring that you have that device and prove that you have the device
16:02 because I send a message to that device, either an SMS or a push notification--something along those lines
16:09 that lets me know that you are in possession of the device, or whoever is in possession of that device, will pass for a proof of you.
16:18 And then something you are.
16:20 This is a biometric.
16:22 This is a reading of some physical characteristic of you, for instance, a facial recognition or a fingerprint scan.
16:30 Sometimes we use voice prints, but those are becoming more and more unreliable now with deepfakes and things like that.
16:36 But the idea is--something you know, something you have, and something you are.
16:41 The best authentication systems don't rely on any single one of these factors.
16:46 They do what we refer to as multi-factor authentication.
16:50 Multi-factor authentication says, for instance, I'm going to use something you have and something you are.
16:56 I'm going to send a push notification to your phone.
16:59 It's only going to go to your phone.
17:00 So if you have your phone, you can answer this.
17:03 And by the way, if you lose your phone, you tend to notice that.
17:06 If you lose your password, you tend not to necessarily be aware of that--if someone else has copied your password.
17:13 So the fact that this is a physical device makes it a little more secure in that regard.
17:17 And then I'm going to measure the physical characteristic.
17:20 You're going to unlock it with your face print, for instance.
17:24 Then something you have and something you are--that's two-factor authentication.
17:27 And notice the user didn't even have to remember a password.
17:31 That's even better.
17:32 Still, if you're really security conscious, maybe you do all three.
17:36 So something you know, something you have, and something you are.
17:39 But the trend is moving more and more towards this idea of "passwordless authentication"
17:45 where we don't require the user to have this knowledge.
17:50 Because the thing is, that knowledge, like I said, can move around from one person to the other.
17:54 Also, people tend to forget, and then they have to call the helpdesk, and that's expensive to get it reset.
17:59 So passwordless is really the way of the future, I think.
18:02 And using multiple factors is a way to mitigate the risk of not having any password at all.
18:09 And then another thing that's big in this space is this notion of single sign-on.
18:13 Let's take an example of what that looks like.
18:15 Here's a typical use case.
18:16 Here's a user, and they've got three different systems down here that they want to log into.
18:21 So they have to have credentials on each one of those three systems.
18:25 And the IT organization is telling them you need to have complex passwords and they need to be different on each one of these systems.
18:31 So this guy has a problem.
18:34 He's got to remember all of these passwords in order to log in, but he's going to log in to each one of them with his unique credentials.
18:42 Now, a better solution to this is to say, let's go ahead and, in fact, have different passwords on these systems, if that's all they support.
18:52 But I'm not going to require the user to keep up with all of that.
18:54 Maybe I'm going to require the user to keep up with one password,
18:57 or maybe I'm going to use multifactor and maybe the password is or is not one of those factors.
19:02 They're going to log into a single sign-on system, so prove who they are once.
19:07 Then the single sign-on system, whenever they go to log into one of these things,
19:11 it will provide the credentials for that user, the password or whatever is necessary, in that case.
19:17 The user is much happier in this case--they only have one thing they have to keep up with.
19:22 Therefore it's easier for them.
19:24 And we get this rare situation where we're actually able to make security better and the user is happier at the same time.
19:33 And for those of you that are about to object and say,
19:35 "Yeah, but now someone logs into this system and then they can get into all the others."
19:39 Yes, but my answer again, multifactor authentication.
19:43 It's not just stealing this guy's password.
19:46 I've also got to steal his phone and his face, so that makes it harder still.
19:51 And the other thing is, if by doing it this way--by the way, this user is probably setting all these passwords to the same thing anyway,
19:58 if you give them half a chance, they will.
20:01 So the idea that one password gets you into everything, as it does with a single sign-on system, again, multifactor mitigates that.
20:07 If you don't do multifactor, the user has already done one password.
20:12 They just did it in a very inefficient way.
20:14 So I don't think it's compromising security at all.
20:17 In most cases it's improving security.
20:19 So that's answering the question, "Who are you?" That's the authentication question.
20:23 The authorization question: This is answering the question, "What are you allowed to do?"
20:29 Can you do what it is you're trying to do?
20:32 Are you permitted to do that?
20:33 So the authorization system might use a technology we call risk-based authorization, adaptive access.
20:41 These kinds of things are the newer kinds of technologies where it's not just a simple you're in or you're out.
20:48 You can do this, but maybe only under certain circumstances.
20:52 So I'm going to look at other aspects, other characteristics, like the location that you're coming from.
20:58 Maybe you can do this transaction, but not from an unknown location because it's too risky.
21:06 So that's the risk-based part of this.
21:08 I look at the request type, certain types of requests.
21:11 So yeah, it's low risk.
21:12 You're looking up your bank balance, not a big deal.
21:15 You want to transfer funds, bigger deal.
21:17 So I might put more restrictions in that case.
21:21 I might restrict on amount.
21:22 You can transfer funds up to $1,000, but if you want to do more than that, then we're going to put extra kinds of controls in place.
21:29 You also might look at frequency.
21:31 If you try to do 30 of these transactions in a day and normally you do one a month, then I might trigger with something like that.
21:39 So the idea that authorization then is looking at now a complex algorithm
21:45 that goes into all of this, and that's how we consider, based upon who you are, what you're allowed to do.
21:52 Are you allowed to do this or not?
21:54 Okay, now we've talked about access management.
21:57 There's a special case of access management, we call privileged access management,
22:01 or privileged account management, or privileged user management or privileged identity management.
22:06 PIM, PAM, POM... it goes by a lot of different acronyms.
22:09 I'm going to stick with PAM.
22:11 But what we're referring to in this particular case are these types of users.
22:16 These types of users are the ones who have very highly privileged access,
22:21 the root level access to a server, the system administrator, the database administrator, the network administrator.
22:28 These are the people that have the keys to the kingdom.
22:30 They can control everything.
22:32 They can steal all of the data or they can keep all the data safe.
22:35 They can make the network secure, or they could open it wide open.
22:39 We're putting a lot of trust in these people.
22:41 So we need, if we're going to trust them, to have additional verification to prove that they're doing their jobs the appropriate way.
22:48 Now, I'm going to let you in on a dirty little secret of IT.
22:51 That is, we tell all of our end users that they should all have separate unique passwords and change them all the time.
22:58 What happens in a lot of organizations with these super sensitive accounts?
23:02 We do the exact opposite, even though that's where the greater risk is.
23:07 This is what we end up doing in so many of these cases.
23:10 So let's say we have three of these super users, these privileged users, and they need to log in to these three different servers.
23:17 Well, if it was only three, you probably wouldn't do this.
23:19 But imagine it's 300 or in some cases it could be 3000.
23:24 So imagine multiplying this out.
23:26 And so what we do is say, you know, these three folks have to keep up with the account name and password for all of these different systems.
23:35 Let's make it simple.
23:37 We're going to set them all to the same thing.
23:39 All of the IDs are root and all the passwords are exactly the same thing.
23:44 Well, that's going to present some problems for us.
23:46 Because now what happens, it's easy for these guys, because they just have one password that each one of them has to remember.
23:53 And then he can log on to each one of these as he needs, and on and on like this.
23:58 So you can see how that works well for those folks.
24:02 But then, let's say this guy leaves the organization.
24:05 Are we now going to change all of this stuff and retrain these guys and retrain the new guy that comes in?
24:10 How often do we change that?
24:12 The reality is, we tend not to change it at all.
24:14 We set it and forget it.
24:16 These guys hang on to it and that's it.
24:18 Also, there's another big problem here.
24:21 That is, if something goes wrong on one of these systems, how do we know which one of these three guys did it?
24:26 We don't.
24:27 It doesn't identify.
24:28 They all three knew what that password was.
24:31 So they can all point to the other guy and say, "He's the one that did it." Okay, this is not the way to do it.
24:37 It's a typical practice.
24:38 It's not the best practice.
24:40 Best practice would be to put in a PAM system.
24:44 A PAM system will require that these users not log directly into the system; they log into the PAM system.
24:52 And we're going to require things that I talked about in the previous section, like multifactor authentication.
24:57 So I really have them locked down.
25:00 They again only have to keep up with one password,
25:02 if that, in order... each one of them has one password and it's unique to them, not a shared password.
25:08 Here's shared accounts with shared passwords.
25:11Here we're going to have shared accounts without shared passwords. 25:15Now, each one of these systems, you'll notice down here, I've put in different passwords for each one of them. 25:20So these users do not have to know what those passwords are, they just have to know how to log into the PAM system as themself. 25:27Once they do, this guy logs in and says, "Okay, I need access to this system." 25:31It says, fine, I'll grant you access because you're a privilege user and you've proven that you deserve that level of access. 25:38He logs in, he's given the credential to log into this system. 25:42Actually, it's probably put into special software so he doesn't even have to keep up with it. 25:46But he's given a password to log in. 25:48He does his stuff, and then when he's done, he checks that account back in. 25:54So he's checked it out, now he checks it back in, says I'm done. 25:58What does the PAM system do next? 26:00It goes and changes this password to something else. 26:03So he now no longer has access. 26:05He could log in before, now he can't. 26:10If he wants to log in again, he goes back into the PAM system and again gets authorization 26:15and we're able to to give him that same thing for all of these guys. 26:19So now we have multiple passwords that are constantly changing on every use or every time someone checks out that particular account. 26:27That way, I also know at any point in time who did what. 26:31So if something strange goes on here, I'll know who did it, who had that thing checked out at that point in time. 26:37And then I might add a capability like this--that is, session recording, 26:41so that I can literally see every keystroke that they type when they're on that system and I can replay it. 26:48And there's no question these guys know that they are being monitored and the systems they're on are being monitored. 
26:54And therefore that level of verification causes them to be less likely to do things they shouldn't, 27:00and also gives us an audit trail so we can prove if something does go wrong, who did it. 27:05Okay, now, we've covered the first three days: administration, authentication, authorization. And the fourth A is audit. 27:14That's where we go back and make sure we did the previous three As correctly. 27:18Now, how do we do that? 27:20What we're going to look at an example here. 27:22Here's a user doing normal stuff. 27:25Logged into the system, does something, and for everything they do, we're logging that access. 27:31We're logging the activity so that we can go back and see later. 27:35So that's normal. 27:37Now, here comes along another user with mal[icious] intent. 27:40They go and create a new account. 27:43Let's say they have stolen the privileged account user's password, they create a new account. 27:49Then they go dump a copy of the database instantly. 27:52Then they instantly delete the account. 27:56Now, creating an account, deleting an account, even copying a database is not necessarily a bad thing in and of itself. 28:03But doing those three things in rapid succession could indicate a problem. 28:09So we're going to have a system that audits that, that looks at all these log records and looks at different activities 28:15and has policies and uses things like machine learning to spot some of these patterns. 28:20And we call this UBA- user behavior analytics or user entity behavior analytics capability. 28:29This kind of tool will help spot those kind of anomalies. 28:34So that's it for the four As. 28:35If we're talking about what is known as Enterprise Identity and Access Management, we now have a fairly complete architecture. 28:43All of these things working together. 28:47There's one other thing that I might like to add, though, to this. 
28:50What if this is my organization and my employees might need to log on to a cloud provider, 28:55a SaaS system somewhere, or some other business partner system? 29:00Well, I need to extend what is this into other identity domains. 29:05So what I need is a federation capability. 29:08A federation capability would let me log in to my system 29:13as my identity provider and then be able to access other systems as service providers, as an example. 29:21And I want to be able to do all of that in an industry-standard way. 29:24And in fact, we have protocols, industry standard protocols that will allow for that. 29:28So that becomes the thing that allows us to get outside of our own unique domain 29:32and integrate with other security domains that might be out there, other identity domains. 29:38And all of this is what we then refer to as enterprise identity and access management. 29:43or enterprise identity management. 29:45Another term that's coming into play here is workforce identity management. 29:50So "workforce" meaning I'm looking at my particular employees within my organization and then maybe extending out. 29:58Another aspect to consider these days is CIAM: Consumer Identity and Access Management. 30:04And CIAM is basically looking at some of these similar capabilities. 30:08But some areas we need more and some areas we need less. 30:11For instance, for our customers, we need to make it as frictionless as possible. 30:15So we're not going to do a lot of of proofing and things like that, if the account is not particularly sensitive. 30:21We're not going to do a lot of approval processing, maybe none, because I want to drop those barriers to entry. 30:28What I need to be able to do is preserve privacy and other things of that sort. 30:33So slightly different concerns in each one of these use cases, but underneath it all, is the same IAM architecture. 30:40Now we have a kind of high-level reference architecture that we can apply to all of these cases. 
30:46So in this series, we've taken a look at some fundamental principles in the first three videos. 30:53In this video, we took a look at the identity and access management domain, and in the next video we'll look at endpoint security. 31:03Thanks for watching. 31:04Before you leave, don't forget to hit subscribe. 31:07That way you won't miss the next installment of the Cybersecurity Architecture Series.
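The audit example from the transcript (create an account, dump the database, delete the account, all in rapid succession) as a minimal detection rule; this is an added illustration, not code from the video or from any UBA product, and the log format, action names and the five-minute window are assumptions.

```python
"""Added example: flag the create-account -> dump-database -> delete-account
sequence when one actor performs all three inside a short time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (timestamp, actor, action); not real data.
# alice: normal activity. bob: the three actions within 30 seconds.
# carol: the same three actions spread over hours (routine admin work).
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice login
2024-05-01T09:00:40 alice read_record
2024-05-01T09:02:10 bob login
2024-05-01T09:02:15 bob create_account
2024-05-01T09:02:30 bob dump_database
2024-05-01T09:02:42 bob delete_account
2024-05-01T10:15:00 carol create_account
2024-05-01T14:30:00 carol dump_database
2024-05-01T17:00:00 carol delete_account
"""

# Assumed action names; each step is benign alone, the ordered triple is not.
SUSPICIOUS_SEQUENCE = ("create_account", "dump_database", "delete_account")


def parse_log(text):
    """Parse 'ISO-timestamp actor action' lines into (datetime, actor, action)."""
    events = []
    for line in text.splitlines():
        ts, actor, action = line.split()
        events.append((datetime.fromisoformat(ts), actor, action))
    return events


def find_rapid_sequences(events, window=timedelta(minutes=5)):
    """Return (actor, start, end) for every in-order match of SUSPICIOUS_SEQUENCE
    by a single actor whose last step falls within `window` of the first."""
    by_actor = defaultdict(list)
    for ts, actor, action in sorted(events):
        by_actor[actor].append((ts, action))
    hits = []
    for actor, acts in by_actor.items():
        for i, (start_ts, action) in enumerate(acts):
            if action != SUSPICIOUS_SEQUENCE[0]:
                continue
            stage = 1  # next step of the sequence we are waiting for
            for ts, later in acts[i + 1:]:
                if ts - start_ts > window:
                    break  # too slow to count as "rapid succession"
                if later == SUSPICIOUS_SEQUENCE[stage]:
                    stage += 1
                    if stage == len(SUSPICIOUS_SEQUENCE):
                        hits.append((actor, start_ts, ts))
                        break
    return hits
```

Widening `window` shows the trade-off the speaker hints at: with a twelve-hour window carol's routine work is flagged too, so the threshold is a tuning decision, not a fixed rule.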