WEBVTT

00:00.199 --> 00:05.490
>> Welcome back. We have
made it to the last chapter.

00:05.490 --> 00:07.170
Here, we'll be talking about

00:07.170 --> 00:09.195
identity and access management,

00:09.195 --> 00:11.730
which is a field that
is exploding and

00:11.730 --> 00:14.625
evolving today. It's exciting.

00:14.625 --> 00:16.410
We'll start out by covering what

00:16.410 --> 00:20.925
Identity and Access
Management, or IAM is.

00:20.925 --> 00:25.515
The four main areas of
IAM are Identification,

00:25.515 --> 00:29.940
Authentication,
Authorization, and Auditing.

00:29.940 --> 00:32.750
These all relate to how
we manage the users or

00:32.750 --> 00:36.360
entities who are going
to access our network.

00:36.820 --> 00:41.150
Let's define what Identity
and Access Management is.

00:41.150 --> 00:44.215
Like I said, you'll
hear it called IAM.

00:44.215 --> 00:48.109
It specifies the processes
for giving access to users.

00:48.109 --> 00:50.840
These processes fall
into the four I

00:50.840 --> 00:53.855
triple A categories
of Identification,

00:53.855 --> 00:57.610
Authentication,
Authorization, and Auditing.

00:57.610 --> 00:59.445
Anytime a subject,

00:59.445 --> 01:00.660
such as a person,

01:00.660 --> 01:02.555
wants access to an object

01:02.555 --> 01:04.490
such as a folder
and a directory,

01:04.490 --> 01:05.765
the subject needs to

01:05.765 --> 01:08.530
identify and make a
claim of who they are,

01:08.530 --> 01:10.130
then they should have to

01:10.130 --> 01:12.320
authenticate to prove
their identity.

01:12.320 --> 01:14.720
Then we should check
their authorization

01:14.720 --> 01:15.950
and see if their account is

01:15.950 --> 01:18.215
authorized to access that folder

01:18.215 --> 01:20.480
before allowing
them to access it.

01:20.480 --> 01:23.780
Finally, auditing means
having a record and

01:23.780 --> 01:25.325
accountability of the actions

01:25.325 --> 01:27.790
a user has taken on the network.

01:27.790 --> 01:32.010
That's the whole access
management set of processes.

01:32.080 --> 01:35.545
Now, we start off
with identification.

01:35.545 --> 01:38.705
But even before the
identification process happens,

01:38.705 --> 01:40.430
typically a company
will have done

01:40.430 --> 01:42.230
some identity
proofing to confirm

01:42.230 --> 01:44.075
a person is who
they say they are

01:44.075 --> 01:47.180
before they are hired and
given access to the system.

01:47.180 --> 01:49.310
For example, you provide

01:49.310 --> 01:51.830
human resources with a
social security card,

01:51.830 --> 01:55.590
a passport, and so forth
to prove who you are.

01:55.690 --> 01:58.505
Then after the person is hired,

01:58.505 --> 02:01.525
a new user account will be
provisioned for that person.

02:01.525 --> 02:03.440
That provisioning process also

02:03.440 --> 02:05.300
includes giving
the user access to

02:05.300 --> 02:07.580
particular systems or parts of

02:07.580 --> 02:10.970
the system with specific
permissions and so forth.

02:10.970 --> 02:14.180
The account will include an
identifier for the user,

02:14.180 --> 02:16.735
typically in the
form of a username.

02:16.735 --> 02:18.710
The organization should use

02:18.710 --> 02:20.240
a standardized naming convention

02:20.240 --> 02:21.740
for each person's identifier.

02:21.740 --> 02:25.055
A lot of times it's last
name first initial,

02:25.055 --> 02:28.390
or first initial last
name, that type of thing.

02:28.390 --> 02:31.805
The identifier for each
person should be unique.

02:31.805 --> 02:33.800
You don't want to
have any cases where

02:33.800 --> 02:36.260
a single account is
shared by multiple people

02:36.260 --> 02:37.640
because then you don't have

02:37.640 --> 02:39.260
the auditing capability to keep

02:39.260 --> 02:42.055
track of what each
individual does.

02:42.055 --> 02:44.720
There are also other scenarios

02:44.720 --> 02:46.985
where identification
takes place.

02:46.985 --> 02:49.670
What I've been talking
about so far is a person

02:49.670 --> 02:52.355
logging in and gaining
access to a network.

02:52.355 --> 02:54.140
But it can also apply when

02:54.140 --> 02:55.370
my computer system makes

02:55.370 --> 02:57.770
a connection to a
port on a switch.

02:57.770 --> 03:00.710
Maybe that switch has
MAC filtering enabled

03:00.710 --> 03:03.635
and my system has to
provide its MAC address,

03:03.635 --> 03:05.710
and that's how it identifies,

03:05.710 --> 03:09.740
or some policies are set
up based on IP address.

03:09.740 --> 03:12.380
Sometimes this
identification process is

03:12.380 --> 03:15.020
happening underneath the
surface and you and I,

03:15.020 --> 03:17.350
as users, don't even see it.

03:17.350 --> 03:20.195
But when a subject
accesses an object,

03:20.195 --> 03:21.860
that first step is still going

03:21.860 --> 03:23.989
to involve identification.

03:23.989 --> 03:26.060
>> Now, the problem is,

03:26.060 --> 03:28.090
unless the person
provides some proof,

03:28.090 --> 03:30.740
then identification
is easily spoofed.

03:30.740 --> 03:33.185
I can claim to be a
network administrator,

03:33.185 --> 03:34.990
but that doesn't make it true.

03:34.990 --> 03:37.580
What we'll follow up
identification with is

03:37.580 --> 03:41.250
authentication and that's
what we'll cover next.

