Federated Security Scenario

Identity and Access Management
Activity 11.1: Federated Security Scenario
In this exercise, you will be provided with two different federated identity scenarios.
Instructions:
For each, you should research the technology or situation described and then write a recommendation for handling the issue described. Include answers to any questions in your response.

  1. Part 1: Google OAuth Integration
    Example Corp.’s development team has implemented an OAuth integration with Google. The internal development team has written its own libraries for the company’s OAuth endpoint, and the OAuth server communicates over HTTP between Example Corp.’s servers.
    Answer the following question:
    What security issues would you identify with this design, and what fixes would you recommend? The security issues will always be a threat. You can always try to fix them, but someone new will come along and get past those.
  2. Part 2: High Security Federation Incident Response
    Example Corp. is considering using Facebook Login to allow users to bring their own identity for its customer support website. This would remove the need for Example Corp. to handle its own identity management in most cases and is seen as an attractive option to remove the expensive user support for this type of account.
    Answer the following questions:
    • What recommendations and advice would you provide to the implementation team? Let them know the how and why of the security breach.
    • What should Example Corp.’s incident response plan include to handle issues involving Facebook Login?
    • Does using Facebook Login create more or less risk for Example Corp.? Why? Both
  3. Part 3: Analyze Your Responses
    To analyze your response to Part 1, use the OWASP Authentication cheat sheet found at URL?. You will find tips on OAuth and application communications.
    To analyze your response to Part 2, review federation-aware incident response policies like https://spaces.internet2.edu/display/InCFederation/Federated+Security+Incident+Response and https://www.btaa.org/docs/default-source/technology/federated_security_incident_response.pdf.
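As an added example for Part 1 (not part of the exercise text), the following shows two checks an OAuth 2.0 client should make before trusting its configured endpoints and the authorization callback it receives: every endpoint must be HTTPS, and the callback must match the registered redirect URI exactly and carry the expected anti-CSRF state. Hostnames, dictionary names and function names are assumptions chosen for the illustration.

```python
# Added example (not from the exercise text): checks an OAuth 2.0 client should
# make before trusting its configured endpoints and an authorization callback.
# Hostnames and function names below are assumptions chosen for illustration.
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed configuration: the scenario's plain-HTTP design next to the
# corrected HTTPS-only one.
INSECURE_ENDPOINTS = {
    "authorization": "http://oauth.example-corp.test/authorize",
    "token": "http://oauth.example-corp.test/token",
    "redirect_uri": "http://app.example-corp.test/callback",
}
SECURE_ENDPOINTS = {
    name: url.replace("http://", "https://", 1)
    for name, url in INSECURE_ENDPOINTS.items()
}


def validate_endpoints(endpoints):
    """Return the names of endpoints that would carry codes or tokens in
    the clear; an empty list means every endpoint is HTTPS with a host."""
    return [
        name
        for name, url in endpoints.items()
        if urlparse(url).scheme != "https" or not urlparse(url).netloc
    ]


def new_state():
    """Unpredictable per-request state value, stored in the user's session."""
    return secrets.token_urlsafe(32)


def validate_callback(callback_url, expected_state, registered_redirect):
    """Validate the redirect back from the authorization server before the
    code is exchanged. Returns the code, or None if any check fails."""
    got, reg = urlparse(callback_url), urlparse(registered_redirect)
    # Exact match on scheme, host and path: no prefix or wildcard matching.
    if (got.scheme, got.netloc, got.path) != (reg.scheme, reg.netloc, reg.path):
        return None
    query = parse_qs(got.query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    # Constant-time comparison of the anti-CSRF state value.
    if not state or not hmac.compare_digest(state, expected_state):
        return None
    return code or None
```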

Activity 11.2: Onsite Identity Issues Scenario
In this exercise, you will be provided with two different local identity scenarios.
Instructions:
For each, you should research the technology or situation described, and then write a recommendation for handling the issue described. Include answers to any questions in your response.
In Part 3, you will review your answers and look for potential flaws that remain.

  1. Part 1: Emergency Privilege Escalation
    At Example Corp., administrative accounts are created and managed using a central identity and access management suite. This suite, as well as the company’s central AAA servers, is hosted in redundant datacenters, and site-to-site VPNs normally connect those datacenters to multiple locations around the country.
    Example Corp.’s systems engineering department recently dealt with a major Internet connectivity outage, which also resulted in engineers being unable to log into the systems at the sites where they worked. This meant that they were unable to work to fix the issues.
    The engineers have requested that you identify a secure way to provide emergency, on-demand privileged access to local servers when the central AAA services are unavailable. You have been asked to provide a solution to central IT management that is both secure and flexible enough to allow authentication for network devices, servers, and workstations.
  2. Part 2: Managing Privilege Creep
    A recent audit of Example Corp.’s file shares shows that many long-term employees have significantly broader rights to files and folders than their current roles should allow. In fact, in some cases employees could see sensitive data that could result in negative audit findings in a pending external audit.
    How would you recommend that Example Corp. handle both the current issue of privilege creep and the ongoing problem of ensuring that it does not occur in the future without seriously disrupting the company’s operations?
  3. Part 3: Review
    Review your recommendations to ensure that confidentiality, integrity, and availability are maintained. Did you provide a solution that covers each of these three areas?
    Does your solution cover each of these areas (if appropriate)?
    • Personnel
    • Endpoint devices
    • Servers
    • Services and applications
    • Roles and groups
    If you were asked to conduct a penetration test of an organization that had implemented your recommendations, how would you approach attacking your solution?

Activity 11.3: Identity and Access Management Terminology

  1. Match each of the following terms to the correct description from the list below the chart.

Term               Description
TACACS+            A Cisco-designed authentication protocol
Identity           Microsoft’s identity federation service
ADFS               LDAP is deployed in this role
Privilege creep    The set of claims made about an account holder
Directory service  A common AAA system for network devices
OAuth 2.0          An XML-based protocol used to exchange authentication and authorization data
SAML               An open standard for authorization used for websites and applications
RADIUS             This issue occurs when accounts gain more rights over time due to role changes
Descriptions:
LDAP is deployed in this role.
An XML-based protocol used to exchange authentication and authorization data.
An open standard for authorization used for websites and applications.
A common AAA system for network devices.
This issue occurs when accounts gain more rights over time due to role changes.
The set of claims made about an account holder.
Microsoft’s identity federation service.
A Cisco-designed authentication protocol.
