CCT 128: CISSP Mastery - Deprovisioning and Role Definitions (D5.5.2-3)

Apr 01, 2024

Could your company's board benefit from cybersecurity expertise? Discover the untold impact security professionals can make in risk mitigation and financial stability. This week on the CISSP Cyber Training Podcast, I, Sean Gerber, navigate the critical intersection of cybersecurity and corporate governance, underscoring a need for expertise that's often overlooked. We dissect the lifecycle of role management, from the precise art of onboarding to the essential processes of deprovisioning and offboarding. Ensuring your organization's digital fortress is impenetrable requires immediate action and smart tools, which we'll cover in detail.

Struggle with managing permissions in your organization? You're not alone. We'll break down Role-Based Access Control, a system that not only fortifies your security but streamlines your access management too. By understanding the risks of credential creep and the benefits of roles defined by job functions, you'll see how a robust RBAC system can prevent conflicts of interest and align with evolving business processes. And for those in the trenches of cybersecurity, I'll outline how the synergy between compliance and security teams forms the backbone of a solid role management plan.

Finally, we turn our focus to the CISSP exam, providing a beacon for those charting a course through the vast sea of cybersecurity knowledge. With strategic guidance and essential resources, I'll steer you towards not just passing the exam, but mastering it. Ensure you're equipped with the right identity and access management tools like single sign-on, multi-factor authentication, and Identity Governance and Administration. Remember, your journey doesn't end with certification. Stay connected for continued support as we build your cybersecurity expertise into a powerhouse skill set for any organization.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign up to join the team for free.

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go. Cybersecurity knowledge.

Speaker 2:  

All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training. Hope you all are having a beautiful day today. Today we're going to be getting into chapter or, I should say, domain 5.5 of the CISSP, and so we're going to get into various aspects around deprovisioning and role definitions. So it's going to be, whereas every week we transition, we go from domain to domain to domain and we then take a small subset of each domain and we kind of drill down into it, and this 5.5 is what we're going to roll into. Now, before we get started, one thing I wanted to bring up was an article that I read in Infosecurity Magazine, and it talks about how only 5% of the boards, and this is a board of your individuals that are part of your company that sit on the board, like you have your CEO.

Speaker 2:  

Your CEO usually reports to the board, and the board is a group of people that will then help guide and direct and give strategic guidance for your company, and only 5% of the boards have cybersecurity expertise, despite the financial benefits they are able to discover and demonstrate. Now, this report that came out by Diligent and BitSight talks about this in the fact that the cyber experts on the board will range from as many as 10% in France down to just 1% in Canada. Now, if you're in the United States and you realize this, well, the United States hasn't even made that list. And I would say from my perspective, when I was a cybersecurity professional with a private company, I wasn't on the board and it was an interesting factor that, no matter how much I tried to get on and get in front of those leaders, that would not happen, and a lot of it comes down to is they just didn't understand the overall need for something like that within their organization. Now the study observed the significant improvements in the cybersecurity performance when these experts were integrated into the specialized risk committees. So they're basically giving some guidance into these various risk aspects.

Speaker 2:  

Now part of a major company. It is all about risk. It truly is, and the risk in the past has been what kind of compliance risk do I have? What kind of legal risk do I have? Well, the cybersecurity risk. As time has gone on, they're realizing it's more and more it's playing a bigger factor in overall company performance. And how should a company do it? Or do their daily activities?

Speaker 2:  

And one of the things in here they said that they had cyber experts on an audit or a specialized risk committee, they achieved an average security performance score of 700 out of a maximum of 900, compared to the score of 580 out of those businesses that didn't have an expert on these committees. And it makes sense. I mean honestly, if your board is connected with the security risks of your company and of your domain, they're more apt to understand how should they then transmit that into adding protections to avoid these risks for their company? Now, they said that countries where companies are most likely to have a specialized risk committee were Australia, the UK, Canada and France, and so, as you can see, there's a little bit stronger correlation. Now, if you also can kind of see in the fact that the UK and France obviously are part of the GDPR piece of this, they've been more compliance-driven, and so it's understandably so that there's probably a little bit more push for the cybersecurity professionals in that space. But all it's really coming down to is the fact that everybody's going to have to deal with this at some point in time. So what they're saying is, over a three-year period, the average total shareholder return, which I call TSR, for a company with advanced security performance ratings was 67%, compared to 14% for companies with basic ratings.

Speaker 2:  

So what are they really saying here? All they're saying is that if you have your security people embedded within your board, then the odds are high that you are going to put the proper protections in place to mitigate and reduce the risk, or, in some cases, you may enhance your security protection posture to actually buy down some of the risks that may be occurring within your organization, and that's basically it. It really comes down to this: there are ways for you, as a security professional, to then impart that onto your senior leaders in a way that will then reduce their risk, which, in turn, has a financial gain to it by reducing the exposure to your company, and then thus, by reducing that exposure, you limit yourself to fines, you limit yourself to ransomware attacks, you limit yourself to many other aspects. So the ultimate goal of this article is just to say, if you can get your security people in where they need to go as far as the company goes, there's a high likelihood that you'll be in a position to protect your company long-term and you'll be able to increase the financial posture of your organization by reducing the risk that they have.

Speaker 2:  

Okay, so let's get to domain 5.5, and the aspect is deprovisioning and role definitions. So one of the main factors that you're going to deal with as a security professional within your company is you're going to have to deal with roles and you're going to deal with how do you manage those roles, and so we're going to get into provisioning and onboarding. How would you deal with something like that? We're also going to roll into account maintenance and access reviews, obviously, deprovisioning and offboarding of those accounts as well, and tools for identity and access management. So those are some of the big factors that we're just going to cover in today's podcast. So, first off, enrollment of users, right? So one of the aspects you're going to understand as a security professional is when you have to bring in new people to your company. You have to enroll a person in your organization and by doing so, you're going to need to establish their digital identity. Now I've just started on with the company as a contractor.

Speaker 2:  

The company then had a way to ingest me into their system. As they ingested me into the system, they had to have a way to provide who is my identity, who am I, what access do I have? And then they allowed me in, but I had to go through various identity proofing steps to ensure that, hey, Sean Gerber is who he says he is. And these steps are important because obviously we want to make sure that we get the right people, the correct people within your organization and therefore you can limit the fact of somebody that could then walk in and be part of your company. Now, in a previous life I've done that. I've actually been able to get myself established within a company by using just impersonated credentials and the ability for them just to create accounts and for them to provision me access and equipment as needed to be able to gain access to this information. It can be done, and having a good enrollment process in place, especially if it's automated with some level of tools. But I come back to this: your tools are important and the technology is important, but it's people, processes and technology. You have to have all three, and this is important, that you have all three, especially when you're dealing with enrollment of various users within your company and within your organization.

Speaker 2:  

So how does this begin? Well, it often begins with identity proofing, the creation of an identity record, or something similar to what they would call that within your company, an identity in what they call an identity management system, or IDMS. Now, you may have different types of IDMSs that are in place. They could be from as simple as you have just an account with an Active Directory, or they could be a very complicated system in and of themselves. Now, when you're dealing with the term identity proofing, this is a process by which you verify the identity of the user who requests access to your organization. Now, this involves collecting and validating identity information, such as passports, driver's license, national ID card, as well as biometrics or behavior factors.

Speaker 2:  

Now, like I mentioned earlier, I had to actually be part of, as I'm adding into LinkedIn, let's go for an example. I had to add to verify who I am, there was a specific identity proofing process that I had to go through to include identity of my driver's license address, so on and so forth. They wanted to verify who I am to the LinkedIn ecosystem. Now, this can be done in person, obviously, or remotely, and in today's world, remotely is probably a big chunk of it, but it depends on the level of assurance that may be required. Now, depending upon the access that you may need to have, they may want you in person so that they see you eyeball to eyeball. I did an interview for a friend of mine that was getting a security clearance, and so, therefore, an individual met with me one-on-one to discuss this individual's personality and their background, because they wanted to get into a role where they would have access to classified type information. So the purpose of this identity proofing is to ensure that the user, who they claim to be, is who they are, and it helps prevent the fraud and, obviously, impersonations that may occur.

Speaker 2:  

Now, how do you determine the roles and the various access requirements of this? So it's based on the user's job function and the appropriate roles are then assigned based on that function. Now, one thing that really kind of comes into it is, as you get within an organization, you're going to find out that many people have various roles within their company, and leaders may say, well, I need someone who manages the tools, I need someone who can manage our compliance data, I need someone who can do X, Y, Z, doesn't matter. Right, the ultimate goal is they need somebody that can do each of these processes, and so, therefore, what they do is they will set a role for that person. Well, that role then has specific access that is needed to do their day-to-day jobs. This is what they call role-based access controls or RBAC, and we've talked about this, obviously, at the CISSP and our podcast, but it's used to help streamline the overall process. Now, what are RBAC controls?

Speaker 2:  

Well, RBAC is a method of restricting access based on the roles of the individual users within the company or the organization, so it assigns permissions and privileges to the roles rather than directly to the user. So what does that mean? That Sean has a role of, let's say, being a contractor and as Sean is a contractor, I have specific access based on my contractor title and that is given to me like, basically, a cookie cutter. Pick it up, give it to Sean. That then limits what Sean can and cannot do within an organization. Now, there might be times when Sean needs additional access, but then there needs to be a process in place by which Sean gains that access to be able to have the needs that he needs, right? So the ultimate point is just that you have a specific set of permissions and privileges directly to that role, versus specifically assigned to the user. Now, this does simplify the management of access rights and ensures that users only have the minimum level of access needed. It's all about least privilege. You want to have the least amount of privileges.

Speaker 2:  

They need to do their day-to-day job, and this is an important factor whereas, you'll see from a hacker standpoint, they are looking for roles that tend to grow. They have credential creep, we talk about it, where they go from "I had basic contractor access" to, now, because Sean is embedded within the organization for so long, he has picked up all kinds of credentials that now make him extremely targetable. This will happen, especially when you're dealing with contractors that are maybe within an organization. Well, it doesn't really matter. It could be contractors or employees, but anybody that has been within an organization for a long period of time will tend to have more credentials than someone who's been there for a short period of time, especially if they don't have a good access control solution in place that manages both the accounts, the people and their overall role.

Speaker 2:  

Now, RBAC can also be used to improve security compliance and it is auditable. But that's an important factor in what you're doing is that, even though you have these security tools and compliance tools in place, you want to make it auditable, which basically means you have the ability to go in and look at it, ensure that the person has the rights that they're supposed to have. Now, when you understand RBAC, it's a method of restricting access to authorized users, right? We talked about that just a little bit ago, and it simplifies the management of these user permissions and can be scaled and set specifically to the size and complexity of your company and the systems that you're using. So it's an important factor of using RBAC with any company that you're in.

Speaker 2:  

Now, defining your roles. One of the things that deals with RBAC is you want to define the roles that you're dealing with. The identification of the function: the roles are created based on the job function and the responsibility. So keep that in mind. The roles are created based on job functions and responsibilities. So Sean's job is to pick up this box and move it over here. His responsibility is to ensure that it's on time. So if Sean's job is to pick up this box and move it over here, well then, from an IT perspective, Sean should only have access to maybe check his email and maybe go to the internal website, anything else of that, or maybe in pay, right. So that's about it. Outside of that, Sean shouldn't have to do a whole lot.

Speaker 2:  

You then assign: each role is assigned specific privileges that align with the functions of the role. So you assign those privileges, they align to that function and then from there you have what we call the separation of duties or SOD. This ensures that roles are designed to prevent conflicts of interest or fraud. So as an example, in my previous job I dealt with my SAP folks. So it was their enterprise resource planning, ERP, and I had a separation of duties in the fact that if my folks were to go and do one aspect, then for them to make changes within their environment, it had to come to me, for me to do the approvals, and once those approvals happened I was the person out of band. I was the separation of duties, so that people that were in SAP couldn't approve their own aspects. They could approve parts of it, but if they truly wanted to make it secure, you then have a second person on the outside of that team that would then approve those changes that would go into the environment. That is what they call a separation of duties. So kind of look at it as a way also that if you are on a nuclear submarine, not one person can launch the nukes. It would require two people to do so. So there has to be some level of separation between the ability to do those functions.

Speaker 2:  

Role hierarchy: now establishing a hierarchy of roles for the inheritance of permissions and effective management of multiple roles is really important. So what does that mean? It means that you have role A, role B, role C. Well, each of those has the ability to inherit permissions based on what the role is supposed to do. Now you may want to always audit that to ensure that they don't inherit too many permissions, but you need to have the ability for those roles to inherit those permissions to allow it to be accessible and useful within your organization.

Speaker 2:  

There's another topic called role engineering. This is the process of defining, deploying and maintaining roles that need a specific business process and then they work into actually translating those into some sort of security role. But you have role hierarchy, role engineering, and then you have role management. Now role management is where you provision these accounts, right, and this is part of the overall onboarding process. You then have a review and adjustment. They regularly review the roles to ensure that they align with the business needs, making adjustments as needed to ensure that the role meets what the business is asking for. So role hierarchy, role engineering, role management, and in each of those the hierarchy basically takes, inherits roles or the capability of the role. Engineering is maintaining, deploying and defining what the role is. Role management is providing or provisioning the roles and the new users as they go through the onboarding process. And then role management also deals with reviewing, basically auditing, and then making adjustments as needed as it fits your business needs.

Speaker 2:  

And then role lifecycle: this comes into where you create, maintain and deactivate. You want to have a lifecycle in place, established, so that when you create a role, there is a plan and process by which you maintain that specific role and then there's a process by which you deactivate that role. So often you will see the creation of accounts that are based on a role and they never go away. And they've established them, but they didn't go back and do any sort of maintenance on these and then, therefore, they didn't even deactivate them in the future. So the goal is that, from a hacker standpoint, they are looking for all of these accounts that have been created, that have never been cleaned up and that are still active, and then they're looking for accounts that actually have the ability to expand their influence beyond what their current place is. So again, role lifecycle, with the creation, the maintenance and the deactivation of these roles, is extremely important.

Speaker 2:  

Tools and technology you need. Like I talked about earlier, I use an identity management system, IDMS, or other type of technology to help support your overall role management plan. So you want to have tools. Tools are very important, but I stress that if you don't have a good process in place to manage your tools or to manage your overall plan, no matter how many tools you throw at this, you're still going to have the same problem. Now the tools may help, in some cases, reduce, may create a bit of a process for you where you've just bought the tool and in the tool there is a process that goes from A to B to C to D, and that may be great, but that's very stovepipe, it's very narrow. You need to have something where you actually are going out there talking to people and building a process from A to Z. It's that important. I see it time and time again of why you need to do that.

Speaker 2:  

And then the last thing is compliance and auditing. You need to ensure that the role definition and management practices comply with the relevant laws, regulations and standards. You have to do this as a security professional. It is upon you to make sure that you are in compliance with the various laws and regulations within your organization, and I mean, obviously, you have a compliance team, but, like I've mentioned before, compliance is highly dependent upon security in many cases, not all, but in many, because the security is technical. It's not like the compliance people aren't smart enough to figure this out. They are very, very intelligent. The challenge is, though, is their language is compliance. My language is cybersecurity. I understand security, but I don't always understand the terms of compliance the way they should be. Therefore, it's a good partnership between the compliance people and the security people to really have that great relationship so they can communicate well between the two. That's the only difference. It's really important as a security professional that you build relationships with not just your IT brethren and sisters, but that you build them with your compliance, your legal teams, your ethics teams and so forth. It's an important factor in what you're doing.

Speaker 2:  

Okay, so provisioning accounts. So, once the roles are determined, user accounts are created across various systems and applications. This step includes setting up the authentication credentials and assigning specific rights based on those defined roles. So you have to set this up. Now, in many cases, this is an automated process for the authentication piece of this, but you have to define it. Then you have to set up the process by which Sean comes into the organization and then Sean will need to have multi-factor. Sean has to have a username and password. Different access rights will basically be defined for what Sean has to have and then, once Sean comes into the organization, a specific set of access rights will be assigned and given to Sean when he enters into the organization itself.

Speaker 2:  

Now, these predefined roles are a way of grouping access rights based on common function and responsibilities. Many times you'll see people that go, well, I'm special because I do it this way and Joe is special because they do it that way. There's nothing against that. That's probably the case. But getting a predefined set of rules is a very good place to begin and then, for their specialty, for their specialness that they have, you can add that specialness to them, and these are a way, though, of grouping them into different functions that are easily understood and can be easily audited. It's an important part is that you really want to have a standard set of groups so that you can audit your engineers, you can audit your accountants. It makes it so much easier to have these predefined roles.

Speaker 2:  

Now, some of these roles would be administrators, your managers, accountants, engineers, salespeople and so forth. Each of those would have, potentially, their own specific role, and so, therefore, your salespeople may need access to certain parts of your financial systems, whereas the IT person doesn't necessarily need that. Your engineers probably don't need that at all, but your engineers need to be part of your overall engineering suite, so they need to have specific, predefined roles that you want your folks to have access to. Now, each of these roles would have a set of permissions that allows them to perform certain tasks and access certain resources. They do simplify the process a lot by assigning a manager or by assigning managing accounts. So, as an example, if you have an account and Sean, well, I'll just give you an example of me: I left an organization, left my company, to become a consultant.

Speaker 2:  

Well, in the process of leaving my company, my role then had a managing individual. This managing individual then got access to all of my accounts and they were able to see into my accounts to ensure that I was doing what I was supposed to be doing, but you have an assigning manager that then can assign that Sean needed to have access to this account, this account and this account, and so he was setting those rights of what I needed. But then also, when I left the organization, he had access to my data. And that's an important part too that is sometimes forgotten, that by having a managing person who can control the accounts of all the people under him or her, his or her underlings, it does allow you to have access into the data that they may have within your company. So it's really important to have that piece, and sometimes we don't talk about that, but having a manager that will control those accounts is an important piece going forward.

Speaker 2:  

Now, you want to enforce that these roles have the principle of least privilege, which basically means they can only have access to the things they need to have access to, and you hear this a lot with the CISSP: you need to have least privilege. Now, least privilege at the beginning in many cases is relatively easy. Least privilege over time, that gets really squishy very quickly. So you need to understand that least privilege is an important factor in minimizing the risk to your organization. Now, predefined roles are defined by the security policy and the business requirements for the organization. They should be reviewed and updated regularly, ensuring that they reflect the current needs and the goals of your company. I've seen this, done it myself, had the policies in place. Life gets busy, you get moving, you forget to go back and update your policies. So your policies need to be an annual update that you go through and you look at and you're managing those updates to ensure that you're looking at them and keeping them forefront in your mind.

Speaker 2:  

Now again, predefined roles are not static or rigid. When you set the role up, it's not a set it and forget it mindset. You have to set the role, you have to make sure it meets your needs and then you should go back and redefine and re-look at those roles on a periodic basis. What is that period? That really comes down to you. How big is your organization? How much movement do you have within your company? And then, when the changes that are occurring, you get a ticket that comes in and says, hey, Sean needs access to this, and then Bill needs access to this, and you see over time that Sean and Bill really needed access to these things. Why don't I add that to my predefined role? But that takes time and it takes time for you to go through and walk through each of those individual aspects. Now they can be customized, modified or, in various cases, they can actually be for people who have temporary assignments, cross-functional teams or any type of emergency situations.

Speaker 2:  

You can have these predefined roles customized to accommodate these special needs and you need to have a process again by which you do this, because what can happen is, if Sean is the one individual that can approve or disapprove an account's access, well, now Sean can start adding all kinds of people, but nobody else is available. Nobody else knows what's going on. So when Sean leaves, you have all kinds of access of individuals that really shouldn't have this access. As an example, administrative accounts. If you wanted an admin account within an organization that I was with, you had to have an approval from compliance and you had to have approval from me to get it. So it went all the way up to me to approve, if you got an admin account, why? Because I didn't want individuals within our organization to just have administrative rights without having some level of oversight and questioning why do they need it? And in many cases, 90 plus percent of the time when I challenged them of going, why do you need this, they didn't have a good reason for it, and so because of that, then we really limited the amount of exposure our company had, because we were not just granting administrative rights to everybody under the sun. So again, that's an important part of your predefined roles.

Speaker 2:  

Now, predefined roles are not the same as user groups. User groups are a way of organizing users based on a common attribute or characteristic, such as location, department or project. That is not how predefined roles are set up. Now, the role may be that you have people in it that are just all your accountants in one location, but that wouldn't be because of the role. That would be because of the fact that they're a specific group. So, again, the point I'm trying to make here is the fact that you need to ensure that your predefined roles are established and they are outside and different than the actual overall user group of your organizations, and then your groups can be used to facilitate communications, collaboration or resource sharing among each and all of the users, but they don't necessarily imply the rights or the permissions that the group has.

Speaker 2:  

Okay, so now we're going to roll into account maintenance and access reviews. Now, when you're dealing with account maintenance, the organization needs to change right. So if you have an organization that needs to change, new roles need to be created. They have new services that are being supported. Then you need to define what each of these new roles are and each of these would have a specific aspect within your company and how it would meet your current organizational structure and the overall responsibilities of the user. So you need to define what those are and ensure that they have what you need for your organization to be successful.

Speaker 2:  

Then there's account maintenance, and this involves updating the user's accounts to reflect changes such as promotions, transfers, job changes, responsibilities. All of that stuff is there, and it's crucial that you have this to ensure the users have access to all the resources they need, while preventing what we talked about earlier, privilege creep. You want to avoid the ability for an individual to continue increasing their privileges over time because they move to new, specific roles. You want to try to automate this as much as possible, but at the end of it, you have to have, potentially, somebody look at this. So, as an example, if you move from one job to another job or a new role is created and then you get added permissions, maybe the supervisor has to approve your permissions to be added to this role. So it's something that you have to consider, and this can be automated in a way of a tool that does it, or it could just be a process that, depending upon the size of your organization, will go through this process as well.

Speaker 2:  

Now, account access reviews. There should be regular reviews, obviously, conducted to verify the users have the appropriate access. I have been on numerous calls where we have stopped access of individuals, and then managers and senior leaders have come down and said they need access, and we grant them the access. But after the process of getting the access for them, there then is a process by which we walk through and find out: okay, why did you come and talk to me about this? I mean, even though it's in your responsibility, you own the business and you wanted these changes, but why did you talk to me about this one specific role? Do I need to make changes to other roles to ensure that we don't have to have this conversation again? And it's not a bad conversation, it's a good conversation. You want to have these discussions with individuals within the company to ensure that you're giving them the right access, but, at the same time, you don't want to just blanket it where the boss comes down and says give them access. Okay, they have access. Somebody else comes in and says they need access, okay, give them access. If you do that, you're going to very quickly be in a situation where everybody has all kinds of access, and then you're going to have to pull that back in at some point in the future. And what I've seen before is, even though you had an individual that allows this kind of proliferation of accounts, when that person leaves, the next person comes in and they have a monster of a mess to clean up. So it's important that you, as a security professional, are helping your leaders make the right call as it relates to these various accounts. Now, deprovisioning and offboarding.

Speaker 2:  

So, again, you brought them on. They've got the access they need. Well, now they're leaving the company or they're moving on to a new role. What do you do then? Well, that's deprovisioning and offboarding. Deprovisioning is when a user's access is no longer required and their account is deactivated. Right, it's being turned down, just like when Sean left my company: they turned it all off. I lost access, I didn't have remote access, all of those things were gone. And this should be immediate upon termination of employment to prevent unauthorized access. And I've seen this time and again where this didn't happen, and bad guys and gals have gotten into the network and done bad things because they still had the access that should have been revoked and turned off.

Speaker 2:  

So you need to have a process in place by which you're doing this. So, if you haven't heard this conversation yet: technology, people, processes, you've got to have all three. If you have all three, you're in a much better position. Same with deprovisioning: you need to have a process by which, when the person leaves a company, they have their rights removed. Now, offboarding, this is the full process by which you manage the exit of an employee from an organization. So, if you deprovision an account, that's one thing, but you offboard them completely. This includes not only the accounts, but also the return of company assets, and ensuring the data associated with the user is handled according to data retention. All of those pieces are part of the overall offboarding process. So you deprovision Sean Gerber's account, and it's gone, but you offboard Sean. When Sean turned in his laptop, his badge, his key fob, all of those things got turned back in during the overall offboarding process.

Speaker 2:  

Now what are some tools that you can use for identity and access management that are tied into this overall account provisioning piece of this? Well, obviously, single sign-on tools. We talk about those in CISSP Cyber Training. We talk about it on the podcast. There are various tools that can allow access to multiple applications with one set of credentials. Again, it simplifies the login process and improves the user experience. The good part about that, though, is that when you do the deprovisioning of these accounts, they immediately will lose access because of the single sign-on tools. It cascades through, and you now limit the access of the individual once they have left the organization. It also allows you to provision them very quickly as well. With the ability to have the single sign-on, you now don't have multiple sets of credentials that an individual has, so it's a great tool to help with provisioning and deprovisioning employees in the various roles they have within their company, and so it's an important factor.

Speaker 2:  

Now you're going to integrate this single sign-on with various pieces of this, such as SAML and OAuth. These are the protocols we've talked about on the podcast numerous times, and the purpose of this, obviously, is to increase the seamless login process across these different systems, and it does reduce the risk of password fatigue and potential breaches. And, I will say, the fact is that many people use the same password for everything, everything. Well, okay, so if they're going to use the same password, then at least, at a minimum, I can validate them through a single sign-on process. Now the goal, though, is to educate your employees, so that they are doing more than just using that same login. They're using, maybe, a password keeper, a password vault of some kind, and then validating and rotating their passwords. If we teach the employees, it doesn't mean they're not going to still make mistakes, but you have a much better chance of being successful within your organization by teaching and training your folks.

Speaker 2:  

Another one is multi-factor authentication. So multi-factor is an additional layer of security requiring two or more verification methods. Obviously your phone. They could have a specific hardware token, it could be biometrics or something like that. That includes something that the person knows, obviously the password, something that the person has, or something the person is, right? I was talking to my father, who's in insurance, and he was just explaining to me how he just can't stand how much has changed, and now he has to have all this multi-factor stuff in his insurance stuff.

Speaker 2:  

And I'm like, yeah, Dad, you have to do that because if you don't, the stuff that you've worked so hard for for 50 years could go away as quickly as a fire burning down a house. So you just definitely want that to protect yourself. Now the purpose again, obviously, is requiring multiple forms of user verification to limit the ability of someone to get in the middle and have access to your accounts, because maybe your passwords were compromised and/or you use the same password. The ultimate goal is to help limit that exposure to the company and to you. Now there are various verification methods, like I talked about. We have passwords, we have tokens, we have biometrics, and then we also have adaptive authentication, which can then adjust the requirements based on the risk assessment that's done of that specific account. So if you have an admin account, maybe there is adaptive authentication: I'm going to then require you to have multi-factor every time you log in, based on what you're capable of doing within your organization. Or it may be, you know what, single sign-on, and you do multi-factor once in your lifetime and you're good. These are all based on various aspects within your company. It just depends on what the risk is for your company. And then it helps with compliance with regulatory standards by adding an extra layer of security as well, because compliance is involved in what you're doing.

Speaker 2:  

Two more tools we're going to quickly go into. One is Identity Governance and Administration, or IGA, and this helps manage digital identities and access rights. How this works is it enforces the identity and access policies across on-premises and cloud environments. It defines administrator and user roles and access privileges. So it's an important factor within your company, as you're dealing with digital assets across many parts of your organization, to include within your on-premises environment as well as cloud environments. And then the last one is what they call a PAM. A PAM is a Privileged Access Management tool.

Speaker 2:  

Now, PAMs can be done in different ways. In many cases, what they are is they're designed to store passwords within your company. They are typically a high-risk type of product. What I mean by that is, if some of the bad guys or girls got access to a PAM, it could be extremely detrimental to the organization, because they would have access to all of the tools and the passwords to gain access to your organization. So therefore, PAMs are basically designed to manage and monitor privileged accounts which have elevated rights within your company.

Speaker 2:  

If you don't have a PAM, I would highly recommend that you get one within your company. Look at it, figure that out. Do not allow your high-risk folks with elevated credentials to keep their own passwords in a way that is being stored on their local devices. Do not do that, get out of that business. So even if your PAM is a simple solution, say, for instance, you have a keeper, which is a good example: you can share passwords amongst a group, but they're stored in one location. At least then you can add some level of rights or some level of requirements around those passwords to ensure the length, the complexity and so forth. And then also, if you can get into a PAM that will then track users checking in and checking out of these tools, it could be extremely valuable to you, in a way that you now know that Sean logged into the system, checked out a password and then used it. You now have auditability and traceability for Sean. So again, it does limit the access to the systems and data, so it's got some level of access control. It does session monitoring, which can track and record privileged sessions. You can even record it where a person goes in, it records what occurs, and then you can go back and replay that if you want to for auditing purposes. And then it does identify potentially high-risk locations where you want to ensure that you have additional levels of protection to overall buy down or reduce the risk associated with potential privileged account misuse. I've seen it time and again. It's one of those that's a big, huge factor within companies that is often overlooked.

Speaker 2:  

Okay, that's all I've got for you today at CISSP Cyber Training Podcast. That's all we have for today's podcast. And again, I want to go back and just reiterate: go to cisspcybertraining.com, go check it out. I've got a lot of stuff that's free for you. These videos are there. The audio is there. I have an entire system.

Speaker 2:  

My blueprint is set up specifically to help walk you through your CISSP journey. If you follow the blueprint, you will pass, and the purpose is that it walks you through the books, it walks you through what you should listen to, and it defines how you should be able to get ready for the test, so that when you sit for the test, you are much better prepared to pass the exam. I highly recommend you go and check it out. Again, cisspcybertraining.com. Go for the free stuff, but you can also get the stuff you need to pass the CISSP the first time. It's that good. I mean it. Seriously.

Speaker 2:  

If you go through it and you follow the program, you will pass. But you've got to follow the program. You can't do it a little, you've got to do it all, and so that's why it's important that you just go through and do this entire program. Again, go to CISSP Cyber Training. Excited for you. Go check me out on LinkedIn, check me out on YouTube, and I'd be happy to connect with you. Just reach on out and we'll be happy to chat that way. Have a wonderful day and we will catch you guys on the flip.

OUTLINE

Provisioning and Onboarding

  • Enrollment of User:
    • This involves collecting and verifying user information to establish a digital identity within the organization.
    • It often includes identity proofing and the creation of an identity record in the Identity Management System (IDMS).
      • Identity Proofing
        • Identity proofing is the process of verifying the identity of a user who requests access to an organization's systems or data.
        • It usually involves collecting and validating identity documents, such as passports, driver's licenses, or national ID cards, as well as biometric or behavioral factors, such as fingerprints, face recognition, or keystroke dynamics.
        • Identity proofing can be done in person or remotely, depending on the level of assurance required.
        • The purpose of identity proofing is to ensure that the user is who they claim to be and to prevent identity fraud or impersonation.
  • Determining Roles and Access Requirements:
    • Based on the user's job function, appropriate roles are assigned.
    • These roles determine the level of access to systems and data the user will have.
    • Role-based access control (RBAC) is commonly used to streamline this process.
      • Role-Based Access Controls
        • RBAC is a method of restricting access to resources based on the roles of individual users within an organization.
        • RBAC assigns permissions and privileges to roles, rather than directly to users, and then assigns users to those roles.
        • This simplifies the management of access rights and ensures that users only have the minimum level of access they need to perform their duties.
        • RBAC can also improve security, compliance, and auditability by reducing the risk of unauthorized access or misuse of data.
  • Understanding Role-Based Access Control (RBAC)
    • RBAC is a method of restricting system access to authorized users based on their roles within an organization.
    • It simplifies the management of user permissions and can be scaled according to the size and complexity of an organization's systems.
  • Defining Roles
    • Identification of Functions: Roles are created based on job functions and responsibilities.
    • Assignment of Privileges: Each role is assigned specific privileges that align with the functions of the role.
    • Separation of Duties: Ensuring that roles are designed to prevent conflicts of interest and fraud.
  • Role Hierarchy
    • Establishing a hierarchy of roles allows for inheritance of permissions and efficient management of multiple roles.
  • Role Engineering
    • The process of defining, deploying, and maintaining roles involves analyzing business processes and translating them into security roles.
  • Role Management
    • Provisioning: Assigning roles to new users during the onboarding process.
    • Review and Adjustment: Regularly reviewing roles to ensure they align with current business needs and making necessary adjustments.
  • Role Lifecycle
    • Creation: Establishing new roles as needed.
    • Maintenance: Updating roles to reflect changes in the organization.
    • Deactivation: Removing roles that are no longer required.
  • Tools and Technologies
    • Utilizing Identity Management Systems (IDMS) and other technologies to support role definition and management.
  • Compliance and Auditing
    • Ensuring that role definition and management practices comply with relevant laws, regulations, and standards.
    • Regular audits to verify the integrity and effectiveness of role-based access controls.
  • Provisioning User Accounts:
    • Once roles are determined, user accounts are created across various systems and applications.
    • This step includes setting up authentication credentials and assigning specific access rights based on the predefined roles.
    • Predefined Roles
      • Predefined roles are a way of grouping access rights based on common functions or responsibilities within an organization.
      • For example, predefined roles may include administrators, managers, accountants, engineers, salespeople, etc.
      • Each role has a set of permissions that allow users to perform certain tasks or access certain resources.
      • Predefined roles simplify the process of assigning and managing user accounts, as well as enforcing the principle of least privilege.
      • Predefined roles are defined by the security policy and the business requirements of the organization.
      • They should be reviewed and updated regularly to ensure that they reflect the current needs and goals of the organization.
      • Predefined roles are not static or rigid.
      • They can be customized or modified to accommodate special cases or exceptions, such as temporary assignments, cross-functional teams, or emergency situations.
      • However, any deviations from the predefined roles should be documented and approved by the appropriate authority.
      • Predefined roles are not the same as user groups. User groups are a way of organizing users based on common attributes or characteristics, such as location, department, project, etc.
      • User groups can be used to facilitate communication, collaboration, or resource sharing among users, but they do not necessarily imply any access rights or permissions.
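As an added illustration (not from the podcast or its outline), a small Python model of the RBAC ideas listed above: permissions attach to roles rather than users, a role hierarchy inherits permissions, a separation-of-duties rule rejects conflicting role assignments, user groups carry no permissions, and deprovisioning strips every role and group membership in one step. All role, user, group and permission names are constructed.

```python
"""Toy RBAC model: roles -> permissions, users -> roles, role inheritance,
separation of duties (SoD), permission-free user groups, and deprovisioning.
Illustrative code only; every identifier below is constructed for the demo."""
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """Raised when a user would hold two roles the SoD policy forbids together."""


@dataclass
class Rbac:
    role_perms: dict = field(default_factory=dict)   # role -> set of permissions
    parents: dict = field(default_factory=dict)      # role -> roles it inherits from
    user_roles: dict = field(default_factory=dict)   # user -> assigned roles
    groups: dict = field(default_factory=dict)       # group -> members (no rights)
    sod: set = field(default_factory=set)            # frozenset({role_a, role_b}) pairs

    def define_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.parents[role] = set(inherits)

    def effective_perms(self, role):
        # Walk the hierarchy: a role's permissions plus all of its ancestors'.
        seen, todo, out = set(), [role], set()
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            out |= self.role_perms.get(r, set())
            todo.extend(self.parents.get(r, ()))
        return out

    def assign(self, user, role):
        # Enforce SoD before the role is added (supervisor approval would sit here).
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset((other, role)) in self.sod:
                raise SeparationOfDutiesError(f"{user}: {other} conflicts with {role}")
        held.add(role)

    def user_perms(self, user):
        # Permissions come only from roles; group membership contributes nothing.
        perms = set()
        for r in self.user_roles.get(user, ()):
            perms |= self.effective_perms(r)
        return perms

    def deprovision(self, user):
        # Offboarding: remove every role and every group membership at once.
        self.user_roles.pop(user, None)
        for members in self.groups.values():
            members.discard(user)


def build_demo():
    # Constructed sample organisation: the accountant who posts journals must
    # never also be the approver who releases payments (SoD pair).
    rbac = Rbac(sod={frozenset(("accountant", "ap_approver"))})
    rbac.define_role("employee", {"read_intranet"})
    rbac.define_role("accountant", {"post_journal"}, inherits={"employee"})
    rbac.define_role("senior_accountant", {"close_period"}, inherits={"accountant"})
    rbac.define_role("ap_approver", {"approve_payment"}, inherits={"employee"})
    rbac.groups["chicago_office"] = {"alice", "bob"}   # location group, no rights
    rbac.assign("alice", "accountant")
    rbac.assign("bob", "ap_approver")
    return rbac
```

Calling `build_demo()` and then `deprovision("alice")` shows the full lifecycle: alice's permissions drop to an empty set and she disappears from the office group, while the roles themselves remain defined for the next hire.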

Account Maintenance and Access Review

Deprovisioning and Offboarding

Tools for Identity and Access Management
