1
00:00:08,700 --> 00:00:13,630
Welcome to the lecture on IAM, which stands for Identity and Access Management.
2
00:00:14,040 --> 00:00:16,390
So we have divided IAM into two parts.
3
00:00:16,440 --> 00:00:18,210
We are going to start with the first part.
4
00:00:20,060 --> 00:00:24,280
Now, cybersecurity contains a lot of acronyms, and IAAA is one of them.
5
00:00:25,790 --> 00:00:33,560
So I stands for identification. Now, this basically refers to just identifying an entity, so, for example,
6
00:00:33,560 --> 00:00:39,380
if you enter a bank and the cashier asks you for your identity and you say, I'm John, this just means
7
00:00:39,380 --> 00:00:45,260
that you have identified yourself, you have just provided your name, or if you're working on a system
8
00:00:45,510 --> 00:00:52,130
you have just provided your username. It is important to understand that identification is different
9
00:00:52,130 --> 00:00:57,440
from authentication. Now authentication is when you actually verify your identity.
10
00:00:57,890 --> 00:01:01,610
But identification can be done independent of authentication.
11
00:01:01,610 --> 00:01:06,530
You could claim any identity you want, it doesn't mean that you can actually, you know, validate it later
12
00:01:06,530 --> 00:01:06,740
on.
13
00:01:07,280 --> 00:01:10,130
But identification just means claiming an identity.
14
00:01:10,970 --> 00:01:17,360
So after identification we have authentication, which basically means that you prove who you claim
15
00:01:17,360 --> 00:01:17,720
to be.
16
00:01:18,230 --> 00:01:20,630
And this can be done through several mechanisms.
17
00:01:20,630 --> 00:01:26,540
For example, you can provide a secret password, your secret PIN, or it could be some sort of biometric
18
00:01:26,540 --> 00:01:29,630
data, for example, your fingerprints or retina scans.
19
00:01:30,740 --> 00:01:37,370
Please keep in mind that authentication can only be done once you have identified yourself because authentication
20
00:01:37,370 --> 00:01:40,490
is done against an identity, i.e., your claimed identity.
21
00:01:40,910 --> 00:01:44,240
So only after you have provided your identity can you authenticate.
22
00:01:44,930 --> 00:01:49,390
Authentication is important because it provides non-repudiation.
23
00:01:49,910 --> 00:01:52,070
It is an important term in cybersecurity.
24
00:01:52,460 --> 00:01:58,610
What it means is that you cannot claim that it was not you who performed some actions on a system, so
25
00:01:58,610 --> 00:01:58,820
non-
26
00:01:58,820 --> 00:02:03,120
repudiation basically means that you are bound by what you do.
27
00:02:03,650 --> 00:02:08,900
So, for example, if you provide your identity and you authenticate it by providing a password and then
28
00:02:08,900 --> 00:02:13,640
you do certain tasks on a system, then you are responsible for that.
29
00:02:13,970 --> 00:02:16,640
You cannot later on claim that it was someone else.
30
00:02:16,670 --> 00:02:19,310
So this is the concept of non-repudiation.
31
00:02:19,620 --> 00:02:21,860
We know exactly who did this task.
32
00:02:23,120 --> 00:02:28,970
After authentication, we have authorization. Now once you are authenticated, it means that you
33
00:02:28,970 --> 00:02:32,630
are a legitimate user, and you're allowed access to different parts of the system.
34
00:02:32,990 --> 00:02:35,580
But not all users have equal privileges.
35
00:02:35,840 --> 00:02:39,070
There are some users who have higher or elevated privileges.
36
00:02:39,470 --> 00:02:45,020
For example, a CEO of a company would obviously have elevated privileges compared to a normal employee.
37
00:02:45,590 --> 00:02:52,610
Similarly, a network administrator may have more extensive or more extended access on different parts
38
00:02:52,610 --> 00:02:56,570
of the systems, on databases, for instance, compared to a normal user.
39
00:02:56,850 --> 00:03:03,020
Now, this is done through authorization, which basically means that it specifies your level of clearance.
40
00:03:03,500 --> 00:03:08,790
What kind of data, what kind of systems, what kind of applications do you have access to?
41
00:03:09,470 --> 00:03:15,930
This is enforced through access control lists, which define which user has which type of access.
42
00:03:16,460 --> 00:03:19,200
Now, this can be very broad-based.
43
00:03:19,250 --> 00:03:21,170
You can have big groups.
44
00:03:21,530 --> 00:03:25,460
For example, you have a group of admins, you have a group of normal employees, you have a group of
45
00:03:25,460 --> 00:03:27,380
accountants, and they have the same privileges.
46
00:03:27,830 --> 00:03:34,100
Or you could also have a system in which you use more fine-tuned details and you drill down, and
47
00:03:34,100 --> 00:03:36,290
you can even go up to file level access.
48
00:03:36,290 --> 00:03:41,210
So you can say, for example, this user can access this file in read-only mode, and so on.
49
00:03:42,360 --> 00:03:49,020
Now always remember, authorization can only be done or consulted once a user has been authenticated
50
00:03:49,470 --> 00:03:52,830
because authorization is always against an authenticated user.
51
00:03:54,480 --> 00:04:01,050
So the last step after authorization is accountability, which basically means holding users responsible
52
00:04:01,050 --> 00:04:01,860
for their actions.
53
00:04:02,610 --> 00:04:08,460
So even though you are a legitimate user of a system and you already have predefined authorization,
54
00:04:09,390 --> 00:04:15,570
it is still nice to double-check if any user has performed an activity he was not allowed to.
55
00:04:16,029 --> 00:04:17,940
And this is not always malicious.
56
00:04:18,120 --> 00:04:23,070
Sometimes inadvertently, users are assigned privileges that they were not meant to have.
57
00:04:23,700 --> 00:04:29,100
So, for example, this often happens when, you know, you change roles within an organization or when
58
00:04:29,100 --> 00:04:31,820
you acquire, you know, more privileges over time.
59
00:04:32,130 --> 00:04:38,430
And so basically we need some sort of an audit mechanism to ensure that privileges are appropriately
60
00:04:38,430 --> 00:04:39,840
assigned and updated.
61
00:04:39,990 --> 00:04:42,000
And that tool is accountability.
62
00:04:42,450 --> 00:04:46,950
Now, accountability is done by doing account audits and log reviews.
63
00:04:48,340 --> 00:04:52,680
Let's see how it pans out in real life, so here's Jim.
64
00:04:53,530 --> 00:04:59,740
Jim goes to a bank and at the counter he says, Hi, I'm Jim.
65
00:05:00,820 --> 00:05:07,390
Now, at this point, Jim has only identified himself, so identification is complete, but we haven't
66
00:05:07,390 --> 00:05:13,580
said anything about authentication. So the officer at the counter, the bank officer,
67
00:05:14,080 --> 00:05:16,200
he says, ID please.
68
00:05:17,380 --> 00:05:23,590
Now, Jim produces his driver's license and the officer verifies it and says, thank you.
69
00:05:24,130 --> 00:05:28,510
Now, at this point, Jim has authenticated himself to the system.
70
00:05:29,620 --> 00:05:35,260
So the difference between identification and authentication is that ID just means claiming something,
71
00:05:35,590 --> 00:05:41,030
whereas authentication means verifying it, and verification can be done in a number of ways.
72
00:05:41,050 --> 00:05:42,730
It could be your driver's license.
73
00:05:43,000 --> 00:05:44,370
It could be a PIN number.
74
00:05:44,380 --> 00:05:46,360
It could be a password and so on.
75
00:05:47,950 --> 00:05:51,100
So next, Jim says, can I withdraw ten thousand dollars?
76
00:05:52,240 --> 00:05:55,870
And the bank officer says you're only allowed five thousand dollars per day.
77
00:05:57,480 --> 00:06:04,470
Now, this is what we call authorization. Now, even though Jim has identified himself and he is authenticated,
78
00:06:04,920 --> 00:06:10,200
authorization deals with what functions or what things Jim has access to.
79
00:06:11,280 --> 00:06:16,950
So this is where the authorization comes into play, it creates the checks and balances and makes sure
80
00:06:16,950 --> 00:06:20,010
that Jim can only perform operations he's authorized to.
81
00:06:21,120 --> 00:06:27,990
And finally, we may have an audit officer who periodically checks bank records to detect inconsistencies
82
00:06:28,080 --> 00:06:31,830
and to make sure that all bank operations were properly authorized.
83
00:06:33,730 --> 00:06:39,550
Now, this completes the accountability part. Let's discuss identification and authentication in more
84
00:06:39,550 --> 00:06:39,950
detail.
85
00:06:41,330 --> 00:06:45,090
So identification is when a subject claims an identity.
86
00:06:45,620 --> 00:06:53,000
So, for example, claims such as I'm John Cooper, or showing your ID badge, or facing a camera for a retina
87
00:06:53,000 --> 00:06:57,560
or face scan are all examples of identification. At this point,
88
00:06:57,560 --> 00:06:58,780
you are not authenticated.
89
00:06:58,790 --> 00:07:00,350
You are just claiming an identity.
90
00:07:00,530 --> 00:07:03,770
Authentication refers to proving the identity of the subject.
91
00:07:04,190 --> 00:07:09,830
And this proof is done by providing a password or a PIN number, for example, or biometric data.
92
00:07:11,440 --> 00:07:17,650
Let's have a look at the different phases in an identity lifecycle which helps organizations streamline
93
00:07:17,650 --> 00:07:19,740
their identity and access management process.
94
00:07:20,560 --> 00:07:22,570
So the first step is provisioning.
95
00:07:22,840 --> 00:07:27,070
In this step, we create new accounts and we assign privileges to those accounts.
96
00:07:28,850 --> 00:07:34,140
But we also have a review process which requires periodic account reviews.
97
00:07:34,490 --> 00:07:37,720
Now, this helps highlight several serious problems sometimes.
98
00:07:38,030 --> 00:07:43,160
So, for example, we may detect accounts which are no longer active, which should be disabled, but
99
00:07:43,160 --> 00:07:47,120
it also helps us identify privilege creep.
100
00:07:47,120 --> 00:07:54,440
So privilege creep happens when a person moves vertically up in an organization and over time he or she may accumulate
101
00:07:54,440 --> 00:07:55,850
excessive privileges.
102
00:07:57,060 --> 00:08:02,130
So let's say a person joins the HR department and later on they join the network department and they
103
00:08:02,130 --> 00:08:07,290
become the network administrator, but they still retain the privileges from their HR account.
104
00:08:07,980 --> 00:08:13,410
Now, this is referred to as privilege creep, and this can only be highlighted if you do periodic account
105
00:08:13,410 --> 00:08:14,450
reviews and audits.
106
00:08:15,540 --> 00:08:17,580
And the last step is revocation.
107
00:08:18,180 --> 00:08:23,400
This refers to disabling accounts of employees who leave, retire or are terminated.
108
00:08:23,940 --> 00:08:26,670
Now, this is different from disabling inactive accounts.
109
00:08:27,030 --> 00:08:32,820
And revocation is a very important step from a cybersecurity perspective, because especially if you
110
00:08:32,820 --> 00:08:38,520
have an employee who has been terminated and he still has access to his account, he may leverage
111
00:08:38,520 --> 00:08:42,900
that access to launch attacks on the company, for example, or cause any other type of damage.
112
00:08:43,169 --> 00:08:50,850
So it is always a nice idea to quickly revoke access to accounts of users who leave, retire or are terminated.
113
00:08:52,500 --> 00:08:57,420
We have different categories of authentication factors and we're going to go from the weakest to the
114
00:08:57,420 --> 00:08:58,290
strongest ones.
115
00:08:59,360 --> 00:09:04,520
So the first type is Type-I. This is something that you know, for example, your password
116
00:09:05,210 --> 00:09:08,950
or your secret PIN. It is an authentication factor,
117
00:09:08,960 --> 00:09:14,840
but it is not a great one because people sometimes do lose their passwords and PINs to other people.
118
00:09:14,930 --> 00:09:18,020
They may note it down somewhere, or it may get hacked and so on.
119
00:09:19,070 --> 00:09:24,890
So the next category, which is slightly stronger, is something that you have, for example, if
120
00:09:24,890 --> 00:09:29,580
you possess a smart card or a mobile SIM and you receive a message on that SIM, for example.
121
00:09:30,020 --> 00:09:36,080
Now, this is something that you have. The strongest type of authentication factor is Type-III, which
122
00:09:36,080 --> 00:09:37,400
is something that you are.
123
00:09:38,410 --> 00:09:43,050
So your retina pattern, your fingerprints; these are some things which cannot really be stolen.
124
00:09:43,090 --> 00:09:45,790
Nobody's going to steal your retina, for example.
125
00:09:46,920 --> 00:09:52,260
So as we move from Type-I to Type-III, we move from the weakest authentication factors to the strongest
126
00:09:52,260 --> 00:09:52,620
ones.
127
00:09:54,360 --> 00:09:59,640
Let's start with the Type-I authentication factor, which is something you know, and a typical example
128
00:09:59,640 --> 00:10:00,830
of this is the password.
129
00:10:01,860 --> 00:10:06,560
There are some safety tips which must be observed if you are using this type of an authentication factor.
130
00:10:07,050 --> 00:10:10,710
So let's have some tips on passwords. For example, your password
131
00:10:10,710 --> 00:10:12,780
should be at least eight characters long.
132
00:10:12,780 --> 00:10:15,000
If it's very short, it would be easily broken.
133
00:10:16,040 --> 00:10:19,770
It should always contain both uppercase and lowercase letters.
134
00:10:20,810 --> 00:10:23,550
It should also contain at least one numeric character.
135
00:10:23,810 --> 00:10:29,480
So the reason we are increasing the length of your password and including uppercase and lowercase letters
136
00:10:29,480 --> 00:10:35,630
and numbers is that we want to increase the number of possibilities so that it becomes exponentially difficult
137
00:10:35,630 --> 00:10:37,550
to break it through brute force, for example.
138
00:10:38,650 --> 00:10:40,910
It should contain at least one special character.
139
00:10:42,010 --> 00:10:46,880
It's always better to have passphrases which are easier to remember, but difficult to break.
140
00:10:47,470 --> 00:10:49,410
So, for example, "I like Superman".
141
00:10:49,960 --> 00:10:56,470
This is a phrase that is easier to remember and much harder to break because it has a longer length compared
142
00:10:56,470 --> 00:10:59,630
to a typical password. Even if you write a normal sentence,
143
00:10:59,650 --> 00:11:06,400
it is very hard to break that because the sheer length of that password makes it exponentially difficult
144
00:11:06,400 --> 00:11:06,970
to break it.
145
00:11:07,570 --> 00:11:12,100
You should never use common names, for example, cities, or use common patterns like 123,
146
00:11:12,100 --> 00:11:13,450
ABC, and so on.
147
00:11:15,120 --> 00:11:21,390
But always remember, you should never enforce an IT policy which forces users to select extremely
148
00:11:21,390 --> 00:11:22,550
complex passwords.
149
00:11:22,980 --> 00:11:28,470
So, for example, if you ask your users to have passwords which are at least 12 characters and which
150
00:11:28,470 --> 00:11:32,970
contain uppercase, lowercase, numeric and special characters and so on, then they are definitely
151
00:11:32,970 --> 00:11:36,020
going to have to create a password which is difficult and complex.
152
00:11:36,600 --> 00:11:42,710
And in order not to forget it, they are very likely to write it down on a Post-it and stick it under
153
00:11:42,720 --> 00:11:43,260
the desk.
154
00:11:43,800 --> 00:11:45,110
So this is just common sense.
155
00:11:45,120 --> 00:11:48,660
We always need to balance security against complexity.
156
00:11:48,670 --> 00:11:52,110
We don't want to make a solution which is so complex to implement.
157
00:11:53,370 --> 00:11:59,280
Next is Type-II. This is something that you have, so this refers to something which you physically
158
00:11:59,280 --> 00:12:04,650
possess. It could be your identity badge, a smart card, your mobile SIM on which you receive messages,
159
00:12:05,100 --> 00:12:06,810
or it could even be an application.
160
00:12:07,080 --> 00:12:09,570
So, for example, you can install Google Authenticator.
161
00:12:09,990 --> 00:12:15,270
So the contrast from Type-I is that in Type-I, it was something that you knew, something stored
162
00:12:15,270 --> 00:12:15,870
in your brain.
163
00:12:16,170 --> 00:12:18,840
Now, this is something which you have to physically possess.
164
00:12:21,170 --> 00:12:26,660
The last type is Type-III, which is something that you ARE. Now, this refers to biometrics.
165
00:12:28,650 --> 00:12:33,480
So basically, we have different types of biometrics. So the first is retinal scan, which is top of
166
00:12:33,480 --> 00:12:39,420
the list, it is the most accurate and it can even successfully differentiate between identical twins.
167
00:12:40,740 --> 00:12:45,400
Next is iris scan, which seems similar, but it's quite different from retinal scan.
168
00:12:45,810 --> 00:12:49,120
So iris scan is slightly less accurate compared to retinal scan.
169
00:12:49,500 --> 00:12:54,900
However, there is a cost associated with retina scans because in retina scans, you have to put your
170
00:12:54,900 --> 00:12:58,800
eye really close to the scanner and then a beam of light enters your eye.
171
00:12:59,400 --> 00:13:02,730
This makes the whole process quite uncomfortable for a lot of users.
172
00:13:03,120 --> 00:13:08,380
In contrast, iris scan can be done from a few feet away and it is not at all uncomfortable.
173
00:13:08,760 --> 00:13:12,940
So there's always this human tradeoff between these two. Next are fingerprints.
174
00:13:12,960 --> 00:13:17,760
So if you're scanning 4 or more fingers, then your results would be pretty accurate, around ninety-
175
00:13:17,760 --> 00:13:19,370
nine point nine percent accurate.
176
00:13:21,180 --> 00:13:27,040
Next are palm scans. Now this previously referred to the geography of your palm, but modern palm
177
00:13:27,240 --> 00:13:33,030
scanners, they basically capture millions of data points of your palm veins and they can produce amazingly
178
00:13:33,030 --> 00:13:34,020
accurate results.
179
00:13:35,280 --> 00:13:41,910
The last one is your voice pattern. It is traditionally regarded as not as accurate as other types of biometric
180
00:13:41,910 --> 00:13:43,740
scans, such as retinal scans.
181
00:13:44,280 --> 00:13:46,380
There's another factor which you need to consider.
182
00:13:46,860 --> 00:13:52,170
Some of these biometrics are constant throughout your life and some of them change with age.
183
00:13:52,620 --> 00:13:56,490
So, for example, your voice changes with age; your fingerprints,
184
00:13:56,490 --> 00:13:59,280
if you get really old, may start to fade.
185
00:13:59,670 --> 00:14:04,650
But your retina scan, for example, is something which never really changes throughout your life,
186
00:14:04,650 --> 00:14:10,140
unless you have a medical problem, which can obviously affect any of these biometrics.
187
00:14:11,490 --> 00:14:16,320
A great tool in the arsenal of cybersecurity specialists is multifactor authentication.
188
00:14:17,660 --> 00:14:22,310
So the problem stems from the fact that, you know, if you're just using a password, you know, you
189
00:14:22,310 --> 00:14:24,710
give your username and password to log into a system.
190
00:14:25,040 --> 00:14:31,070
So this is single factor authentication because you're just using the password and this provides very
191
00:14:31,070 --> 00:14:31,940
weak security.
192
00:14:32,630 --> 00:14:36,680
Only your password needs to be compromised in order for the system to be breached.
193
00:14:37,820 --> 00:14:43,250
So this can be alleviated if you use multifactor authentication, which combines more than one type
194
00:14:43,250 --> 00:14:44,120
of authentication.
195
00:14:45,290 --> 00:14:47,960
So often we combine Type-I and Type-II.
196
00:14:48,770 --> 00:14:54,080
So Type-I was something that you know, for example, your password, and Type-II is something that
197
00:14:54,080 --> 00:14:54,620
you have.
198
00:14:54,830 --> 00:14:59,200
So, for example, you have your mobile SIM card and then you can receive an SMS.
199
00:14:59,630 --> 00:15:03,440
So the way this works is that let's say you're logging into a system, you provide your username and
200
00:15:03,440 --> 00:15:09,260
password, but after providing your password, if your password is authenticated, the system is going
201
00:15:09,260 --> 00:15:12,030
to generate an SMS and send it to your mobile phone.
202
00:15:12,920 --> 00:15:17,870
Now, your SIM is something that you have and then you need to put in the confirmation code that you
203
00:15:17,870 --> 00:15:19,100
receive in your SMS.
204
00:15:19,520 --> 00:15:24,230
So this provides for two factors and hence the name multifactor authentication.
205
00:15:24,320 --> 00:15:26,770
When we combine two factors, it's called 2FA.
206
00:15:26,810 --> 00:15:29,850
And when we combine three factors, it's called 3FA.
207
00:15:31,330 --> 00:15:37,870
Let's have a quick question to see if you understand authentication factors, so in this example, is
208
00:15:37,870 --> 00:15:41,020
it a single factor authentication or multifactor authentication?
209
00:15:42,360 --> 00:15:44,630
I'll let you think about it for a few seconds.
210
00:15:46,290 --> 00:15:53,220
And secondly, which type of authentication factors are being used? Is it Type-I, Type-II, or Type-III,
211
00:15:53,730 --> 00:15:54,360
which ones?
212
00:15:55,760 --> 00:16:01,760
So the answer to the first question is that, yes, this is multifactor authentication, because two
213
00:16:01,760 --> 00:16:08,020
different factors are being used and the person is using both Type-I and Type-II factors.
214
00:16:08,690 --> 00:16:13,880
So Type-I is something you know, so the person is punching in his PIN number.
215
00:16:14,030 --> 00:16:15,460
So this is something he knows.
216
00:16:15,800 --> 00:16:17,900
And second is the card which he plugged in.
217
00:16:18,260 --> 00:16:24,080
So this is Type-II, which is something that you have. So, whenever you see any authentication system,
218
00:16:24,410 --> 00:16:30,230
you can try to dissect it and analyze it and try to determine which type of authentication
219
00:16:30,230 --> 00:16:32,030
factors the system is using.