All language subtitles for 004 Identity and Access Management I_en

Welcome to the lecture on IAM, which stands for Identity and Access Management. So we have divided IAM into two parts. We are going to start with the first part.

Now, cybersecurity contains a lot of acronyms, and IAAA is one of them.

So I stands for identification. Now, this basically refers to just identifying an entity. So, for example, if you enter a bank and the cashier asks you for identity and you say, "I'm John," this just means that you have identified yourself; you have just provided your name. Or, if you're working on a system, you have just provided your username. It is important to understand that identification is different from authentication. Now, authentication is when you actually verify your identity. But identification can be done independent of authentication. You could claim any identity you want; it doesn't mean that you can actually validate it later on. But identification just means claiming an identity.

So after identification we have authentication, which basically means that you prove who you claim to be. And this can be done through several mechanisms. For example, you can provide a secret password, your secret PIN, or it could be some sort of biometric data, for example, your fingerprints or retina scans.

Please keep in mind that authentication can only be done once you have identified yourself, because authentication is done against an identity, i.e., your claimed identity. So only after you have provided your identity can you authenticate.

Authentication is important because it provides non-repudiation. It is an important term in cybersecurity. What it means is that you cannot claim that it was not you who performed some actions on a system. So non-repudiation basically means that you are bound by what you do. So, for example, if you provide your identity and you authenticate it by providing a password and then you do certain tasks on a system, then you are responsible for that. You cannot later on claim that it was someone else. So this is the concept of non-repudiation. We know exactly who did this task.

After authentication, we have authorization. Now, once you are authenticated, it means that you are a legitimate user; you're allowed access to different parts of the system. But not all users have equal privileges. There are some users who have higher or elevated privileges. For example, a CEO of a company would obviously have elevated privileges compared to a normal employee. Similarly, a network administrator may have more extensive or more extended access on different parts of the systems, on databases, for instance, compared to a normal user. Now, this is done through authorization, which basically means that it specifies your level of clearance: what kind of data, what kind of systems, what kind of applications do you have access to? This is enforced through access control lists, which define which user has which type of access. Now, this can be very broad-based. You can have big groups. For example, you have a group of admins, you have a group of normal employees, you have a group of accountants, and they have the same privileges. Or you could also have a system in which you use more fine-tuned details and you drill down, and you can even go up to file-level access. You can say, for example, this user can access this file in read-only mode, and so on.

Now, always remember, authorization can only be done or consulted once a user has been authenticated, because authorization is always against an authenticated user.

So the last step after authorization is accountability, which basically means holding users responsible for their actions. So even though you are a legitimate user of a system and you already have predefined authorization, still it is nice to double-check if any user has performed an activity he was not allowed to. And this is not always malicious. Sometimes, inadvertently, users are assigned privileges that they were not meant to have. So, for example, this often happens when you change roles within an organization or when you acquire more privileges over time. And so basically we need some sort of an audit mechanism to ensure that privileges are appropriately assigned and updated. And that tool is accountability. Now, accountability is done by doing account audits and log reviews.

Let's see how it pans out in real life. So here's Jim. Jim goes to a bank and at the counter he says, "Hi, I'm Jim." Now, at this point, Jim has only identified himself, so identification is complete, but we haven't talked anything about authentication. So the officer at the counter, the bank officer, he says, "ID, please." Now, Jim produces his driver's license and the officer verifies it and says, "Thank you." Now, at this point, Jim has authenticated himself to the system. So the difference between identification and authentication is that ID just means claiming something, whereas authentication means verifying it, and verification can be done in a number of ways. It could be your driver's license. It could be a PIN number. It could be a password, and so on.

So next, Jim says, "Can I withdraw ten thousand dollars?" And the bank officer says, "You're only allowed five thousand dollars per day." Now, this is what we call authorization. Now, even though Jim has identified himself and he is authenticated, authorization deals with what functions or what things Jim has access to. So this is where authorization comes into play; it creates the checks and balances and makes sure that Jim can only perform operations he's authorized to.

And finally, we may have an audit officer who periodically checks bank records to detect inconsistencies and to make sure that all bank operations were properly authorized. Now, this completes the accountability part.

Let's discuss identification and authentication in more detail. So identification is when a subject claims an identity. So, for example, claims such as "I'm John Cooper," or showing your ID badge, or facing a camera for a retina or face scan are all examples of identification. At this point, you are not authenticated. You are just claiming an identity. Authentication refers to proving the identity of the subject. And this proof is done by providing a password or a PIN number, for example, or biometric data.

Let's have a look at the different phases in an identity lifecycle, which helps organizations streamline their identity and access management process. So the first step is provisioning. In this step, we create new accounts and we assign privileges to those accounts. But we also have a review process, which requires periodic account reviews. Now, this helps highlight several serious problems sometimes. So, for example, we may detect accounts which are no longer active, which should be disabled, but it also helps us identify privilege creep. So privilege creep happens when a person moves vertically up in an organization and over time he or she may accumulate excessive privileges. So let's say a person joins the HR department and later on they join the network department and they become the network administrator, but they still retain the privileges from their HR account. Now, this is referred to as privilege creep, and this can only be highlighted if you do periodic account reviews and audits. And the last step is revocation. This refers to disabling accounts of employees who leave, retire or are terminated. Now, this is different from disabling inactive accounts. And revocation is a very important step from a cybersecurity perspective, because especially if you have an employee who has been terminated and he still has access to his account, he may leverage that access to launch attacks on the company, for example, or cause any other type of damage. So it is always a nice idea to quickly revoke access to accounts of users who leave, retire or are terminated.

We have different categories of authentication factors, and we're going to go from the weakest to the strongest ones. So the first type is Type I; this is something that you know, for example, you know your password or you know your secret PIN. It is an authentication factor, but it is not a great one, because people sometimes do lose their passwords and PINs to other people. They may note it down somewhere, or it may get hacked, and so on. So the next category, which is slightly stronger, is something that you have: for example, if you possess a smart card or a mobile SIM and you receive a message on that SIM. Now, this is something that you have. The strongest type of authentication factor is Type III, which is something that you are. So your retina pattern, fingerprints: these are some things which cannot really be stolen. Nobody's going to steal your retina, for example. So as we move from Type I to Type III, we move from the weakest authentication factors to the strongest ones.

Let's start with the Type I authentication factor, which is something you know, and a typical example of this is the password. There are some safety tips which must be observed if you are using this type of an authentication factor. So let's have some tips on passwords. For example, your password should be at least eight characters long. If it's very short, it would be easily broken. It should always contain both uppercase and lowercase alphabets. It should also contain at least one numeric character. So the reason we are increasing the length of your password and including uppercase and lowercase alphabets and numerics is we want to increase the number of possibilities, so that it becomes exponentially difficult to break it through brute force, for example. It should contain at least one special character. It's always better to have passphrases, which are easier to remember but difficult to break. So, for example, "I like Superman." This is a phrase easier to remember and much harder to break, because it has a longer length compared to a typical password. Even if you write a normal sentence, it is very hard to break that, because the sheer length of that password makes it exponentially difficult to break it. You should never use common names, for example, cities, or use common patterns like 1 2 3, ABC, and so on.

But always remember, you should never enforce an IT policy which forces users to select extremely complex passwords. So, for example, if you ask your users to have passwords which are at least 12 characters and which contain uppercase, lowercase, numeric and special characters and so on, then they are definitely going to have to create a password which is difficult and complex. And in order not to forget it, they are very likely to write it down on a Post-it and stick it under the desk. So this is just common sense. We always need to balance security with complexity. We don't want to make a solution which is so complex to implement.

Next is Type II; this is something that you have. So this refers to something which you physically possess: it could be your identity badge, a smart card, your mobile SIM on which you receive messages, or it could even be an application. So, for example, you can install Google Authenticator. So the contrast from Type I is that in Type I, it was something that you knew, something stored in your brain. Now, this is something which you have to physically possess.

The last type is Type III, which is something that you ARE. Now, this refers to biometrics. So basically, we have different types of biometrics. So the first is retinal scan, which is top of the list; it is the most accurate and it can even successfully differentiate between identical twins. Next is iris scan, which seems similar, but it's quite different from retinal scan. So iris scan is slightly less accurate compared to retinal scan. However, there is a cost associated with retina scans, because in retina scans you have to put your eye really close to the scanner and then a beam of light enters your eye. This makes the whole process quite uncomfortable for a lot of users. In contrast, iris scan can be done from a few feet away and it is not at all uncomfortable. So there's always this human tradeoff between these two. Next are fingerprints. So if you're scanning 4 or more fingers, then your results would be pretty accurate, around ninety-nine point nine percent accurate. Next are palm scans. Now, this previously referred to the geography of your palm, but modern palm scanners basically capture millions of data points of your palm veins and they can produce amazingly accurate results. The last one is your voice pattern. It is traditionally regarded as not as accurate as other types of biometric scans, such as retinal scans. There's another factor which you need to consider. Some of these biometrics are constant throughout your life and some of them change over age. So, for example, your voice changes over age; your fingerprints, if you get really old, may start to fade. But your retina scan, for example, is something which never really changes throughout your life, until and unless you have any medical problem, which can obviously affect any of these biometrics.

A great tool in the arsenal of cybersecurity specialists is multifactor authentication. So the problem stems from the fact that if you're just using a password, you give your username and password to log into a system. So this is single-factor authentication, because you're just using the password, and this provides very weak security. Only your password needs to be compromised in order for the system to be breached. So this can be alleviated if you use multifactor authentication, which combines more than one type of authentication. So often we combine Type I and Type II. So Type I was something that you know, for example, your password, and Type II is something that you have. So, for example, you have your mobile SIM card and then you can receive an SMS. So the way this works is that, let's say you're logging into a system, you provide your username and password, but after providing your password, if your password is authenticated, the system is going to generate an SMS and send it to your mobile phone. Now, your SIM is something that you have, and then you need to put in the confirmation code that you receive in your SMS. So this provides for two factors, and hence the name multifactor authentication. When we combine two factors, it's called 2FA. And when we combine three factors, it's called 3FA.

Let's have a quick question to see if you understand authentication factors. So in this example, is it single-factor authentication or multifactor authentication? I'll let you think about it for a few seconds. And secondly, which type of authentication factors are being used? Is it Type I, Type II, Type III, which ones? So the answer to the first question is that, yes, this is multifactor authentication, because two different factors are being used, and the person is using both Type I and Type II factors. So Type I is something you know, so the person is punching in his PIN number. So this is something he knows. And second is the card which he plugged in. So this is Type II, which is something that you have. So, whenever you see any authentication system, you can try to dissect it and analyze it and try to determine which type of authentication factors the system is using.
