1. Provisioning User Accouts

Provisioning 是根據使用者的工作角色建立、管理佮設定使用者提取組織資源的權限。這个過程包括建立使用者的 identities、分配 privileges 佮分配資源。

Active Directory(Directory Services)
在公司的環境下 Identity management 會使用一个 directory database。
Microsoft 的 Active Directory 使用 "Lightweight Directory Access Protocol(LDAP) 管理伊的 objects

New User Accounts

Kerberos
提供 single sign-on(SSO) authentication，使用者毋免 koh 在 log in 一遍 chiah 會用得使用其他資源。

Linux

useradd alicedoe

使用者口座資訊囥佇兩个所在：/etc/passed 佮 /etc/shadow

2. Deprovisioning User Accounts

3. Permission Assignments and Implications

• Group-based authentication
• context-aware authentication
  考慮傳統 authentication 以外因素：
  • Location
  • Time
  • Device
  • Network
  • Biometrics

4. Identity Proofing

5. Federation

6. Single Sign-On(SSO)

三種使用 SSO 的 authentication types：

• Kerberos authentication
• Open Authorization(OAuth)
• Security Assertions Markup Language(SAML)

7. Interoperability

8. Attestation

• Certificates
• Tokens
• Federation
• Microsoft's Active Directory

9. Access Controls

• Mandatory Access Control(MAC)
• Role-Based Access Controls(RBAC)
• Attribute-Based Access Control(ABAC)
• Discretionary-Based Access Control(DAC)
• Time-of-Day Restrictions
• Least Privilege

10. Multi-Factor Authentication(MFA)

• Biometric Authentication

  • Fingerprint scanner
  • Retina scanner
  • Iris scanner
  • Voice recognition
  • Facial recognition
  • Vein pattern recognition
  • Gait analysis

  Biometric 系統會柱著的錯誤：

  • False Acceptance Rate(FAR)
  • False Rejection Rate(FRR)
  • Crossover Error Rate(CER)

• Hard Authentication
  各種形式的 Hard Authentication 技術：

  • Smart cards
  • Fobs
  • Security keys
  • Secure Shell(SSH) keys

• Soft Authentication

  • One-Time Password(OTP)
  • Biometric authentication
  • Knowledge-Based Authenticaton(KBA)

• Factors of Authentication

  • Something you know
  • Something you have
  • Something you are
  • Something you do
  • Somewhere you are

• Tokens

  • RSA SecureID
  • Google Authenticator

11. Password Concepts

• Password length
• Password complexity
• Password reuse
• Password expiry
• Password age
  • Minimum password age
  • Maxmum password age
• Account lockout

12. Password Managers

13. Passwordless

14. privileged Access Management(PAM)

PAM Tools

• JIT permissions
• Password vaulting
• Ephemeral credentials