Chapter 33: Identity and Access Security

Overview

Identity is the new perimeter. With cloud adoption eliminating traditional network boundaries, a user's identity and the access it grants have become the primary target for attackers. This chapter covers Identity and Access Management (IAM) architecture, Active Directory hardening, Privileged Access Management (PAM), federation and SSO, multi-factor authentication, Identity Governance and Administration (IGA), and Zero Trust identity principles. Understanding how identities are compromised and how to protect them is essential for every security practitioner.

Learning Objectives

By the end of this chapter, students SHALL be able to:

  1. Design a comprehensive IAM architecture using zero trust principles
  2. Harden Active Directory against the most common attack techniques
  3. Implement and operate a Privileged Access Management (PAM) solution
  4. Configure federation, SSO, and OAuth/OIDC securely
  5. Deploy phishing-resistant MFA and respond to MFA bypass attempts
  6. Build an Identity Governance program with automated access certification

Prerequisites

  • Chapter 17 (Red Team Operations) — AD attack techniques
  • Basic understanding of Active Directory, LDAP, and Kerberos
  • Familiarity with OAuth 2.0 / OIDC concepts

Why This Matters

Okta was breached in 2023 through a support system compromise — attackers accessed customer IAM configurations for hundreds of organizations. The MGM Resorts breach started with a vishing call that bypassed MFA. The Colonial Pipeline breach exploited a single VPN account without MFA. Microsoft's senior leadership emails were compromised by Midnight Blizzard (APT29) through password spray against legacy accounts. Identity is attacked more than any other vector because it grants access to everything. Securing identity is not optional — it is the foundation of modern security.


33.1 IAM Architecture

33.1.1 Modern IAM Stack

graph TB
    subgraph "Identity Providers"
        AD[Active Directory\nOn-Premises]
        ENTRA["Microsoft Entra ID\n(Azure AD)"]
        OKTA[Okta Identity Cloud]
    end

    subgraph "Access Management"
        SSO[Single Sign-On\nSAML / OIDC]
        MFA[Multi-Factor Authentication\nFIDO2 / TOTP / Push]
        PAM[Privileged Access Management\nCyberArk / Delinea]
        ZTNA[Zero Trust Network Access]
    end

    subgraph "Identity Governance"
        IGA[Identity Governance\nSailPoint / Saviynt]
        CERT[Access Certification]
        PROV[Automated Provisioning\nSCIM]
        SOD[Segregation of Duties]
    end

    subgraph "Applications"
        SAAS[SaaS Apps\nO365, Salesforce, GitHub]
        ONPREM[On-Prem Apps]
        API[APIs / Services]
    end

    AD -->|Sync| ENTRA
    ENTRA --> SSO
    OKTA --> SSO
    SSO --> SAAS
    SSO --> ONPREM
    MFA --> SSO
    PAM --> API
    IGA --> PROV
    PROV --> SAAS
    CERT --> IGA

    style MFA fill:#e63946,color:#fff
    style PAM fill:#780000,color:#fff

33.2 Active Directory Hardening

33.2.1 AD Attack Mitigations

| Attack | Mitigation |
|---|---|
| Kerberoasting | Use Group Managed Service Accounts (gMSA) — 240-character auto-rotating passwords |
| AS-REP Roasting | Require Kerberos pre-authentication on all accounts (default) |
| Pass-the-Hash | Enable Protected Users security group; disable NTLM where possible |
| Pass-the-Ticket | Disable unconstrained delegation; use constrained/resource-based delegation only |
| DCSync | Audit DS-Replication rights; alert on AD replication outside DCs |
| Golden Ticket | Regular krbtgt rotation (2x with 10-day gap); Protected Users group |
| ADCS ESC1 | Audit certificate templates; require manager approval; disable "Enroll All" |
| BloodHound attack paths | Remove unnecessary admin rights; tier your admin model |
| LDAP anonymous bind | Disable anonymous LDAP bind on all DCs |
| NTLMv1 | Disable via GPO: Network security: LAN Manager authentication level → NTLMv2 only |

33.2.2 AD Tiering Model

graph TB
    T0[Tier 0 — Control Plane\nDomain Controllers\nCA Servers\nPrivileged Access Workstations] --> T1[Tier 1 — Server Infrastructure\nApplication Servers\nSQL Databases\nVirtualization Hosts]
    T1 --> T2[Tier 2 — User Workstations\nDesktops\nLaptops\nDevices]

    style T0 fill:#e63946,color:#fff
    style T1 fill:#f4a261,color:#000
    style T2 fill:#2d6a4f,color:#fff

Core Rules:

  • Tier 0 admins (Domain Admins) MUST ONLY log on to Tier 0 systems
  • A Tier 0 admin logging on to a Tier 2 workstation exposes DA credentials to any malware on that workstation
  • Each tier uses separate admin accounts — t0-admin, t1-admin, t2-admin
  • Privileged Access Workstations (PAWs) for Tier 0 — dedicated, hardened, internet-disconnected
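
The Core Rules above turn into a detection rule for the SOC: any Tier 0 or Tier 1 account appearing in an interactive logon on a lower-tier host is a tiering breach. The following is an added example (not the chapter's code) that applies that rule to Windows Security event 4624 records; the host-to-tier map, the t0-/t1-/t2- naming convention and the sample events are constructed.

```python
# Added example (not from the chapter): detect cross-tier logons from
# Windows Security event 4624 records.  The host-to-tier map, the
# t0-/t1-/t2- account prefixes and the sample events are constructed.
import re
from typing import List, Optional, Tuple

HOST_TIER = {"DC01": 0, "PAW01": 0, "SQL01": 1, "APP01": 1, "WS-042": 2}
ACCOUNT_PREFIX = re.compile(r"^t([0-2])-", re.IGNORECASE)

# Logon types that leave reusable credentials on the target host:
# 2 interactive, 10 RemoteInteractive (RDP), 11 cached interactive.
# Type 3 (network) is excluded: no credential material is cached there.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 10, 11}

def account_tier(sam_account_name: str) -> Optional[int]:
    """Tier implied by the tiered-admin naming convention; None if not a tiered admin."""
    m = ACCOUNT_PREFIX.match(sam_account_name)
    return int(m.group(1)) if m else None

def tier_violations(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (account, host, severity) for every cross-tier credential-exposing logon."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        acct = account_tier(ev["TargetUserName"])
        host = HOST_TIER.get(ev["Computer"])
        if acct is None or host is None or acct == host:
            continue
        # Lower tier number = more privileged.  A Tier 0 account on a Tier 2
        # workstation is the DA-credential-exposure case in the Core Rules;
        # a Tier 2 account on a Tier 1 server signals over-broad rights instead.
        severity = "critical" if acct < host else "medium"
        findings.append((ev["TargetUserName"], ev["Computer"], severity))
    return findings

CONSTRUCTED_EVENTS = [
    {"EventID": 4624, "Computer": "DC01",   "TargetUserName": "t0-alice", "LogonType": 2},
    {"EventID": 4624, "Computer": "WS-042", "TargetUserName": "t0-alice", "LogonType": 10},
    {"EventID": 4624, "Computer": "APP01",  "TargetUserName": "t1-bob",   "LogonType": 10},
    {"EventID": 4624, "Computer": "WS-042", "TargetUserName": "t1-bob",   "LogonType": 3},
    {"EventID": 4624, "Computer": "SQL01",  "TargetUserName": "t2-carol", "LogonType": 2},
    {"EventID": 4624, "Computer": "WS-042", "TargetUserName": "dave",     "LogonType": 2},
]

if __name__ == "__main__":
    for account, host, severity in tier_violations(CONSTRUCTED_EVENTS):
        print(f"{severity.upper()}: {account} logged on to {host}")
```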

33.2.3 Key AD Security Settings

# Enable Audit Policies (GPO → Computer Configuration → Windows Settings → Security Settings)
# Audit Account Logon Events: Success + Failure
# Audit Logon Events: Success + Failure
# Audit Directory Service Access: Success + Failure
# Audit Privilege Use: Success + Failure
# Audit Process Tracking (Creation): Success (for EDR correlation)

# Protected Users Security Group
# Members cannot use: NTLM, DES, RC4 encryption, unconstrained delegation
# Members can only use: Kerberos with AES, no credential caching
Add-ADGroupMember -Identity "Protected Users" -Members "JohnSmith", "JaneDoe"
# Apply to ALL privileged accounts (admins, service accounts where compatible)

# Disable NTLM (phased approach)
# Step 1: Raise the floor — require NTLMv2 session security with 128-bit encryption
# (NTLMMinClientSec is a REG_DWORD under the MSV1_0 authentication package key)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
  -Name "NTLMMinClientSec" -Value 537395200  # 0x20080000 = NTLMv2 session security + 128-bit

# Step 2: Log all NTLM before blocking it (identify dependencies)
# GPO → Computer Configuration → Policies → Windows Settings → Security Settings →
# Local Policies → Security Options:
# "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" = Enable auditing for all accounts
# "Network security: Restrict NTLM: Audit NTLM authentication in this domain" = Enable all

# Fine-grained password policy for service accounts
New-ADFineGrainedPasswordPolicy -Name "ServiceAccountPolicy" `
  -PasswordHistoryCount 24 `
  -MaxPasswordAge "90.00:00:00" `
  -MinPasswordAge "1.00:00:00" `
  -MinPasswordLength 25 `
  -ComplexityEnabled $true `
  -Precedence 10

Add-ADFineGrainedPasswordPolicySubject -Identity "ServiceAccountPolicy" `
  -Subjects "ServiceAccounts"

33.3 Multi-Factor Authentication

33.3.1 MFA Methods — Phishing Resistance Spectrum

graph LR
    WEAK[WEAK\nSMS OTP] --> MEDIUM[MEDIUM\nTOTP App\nGoogle Auth]
    MEDIUM --> BETTER[BETTER\nPush Notification\nDuo Mobile]
    BETTER --> STRONG[STRONG\nHardware TOTP Token\nYubiKey OTP]
    STRONG --> BEST[PHISHING-RESISTANT\nFIDO2 / WebAuthn\nPasskeys\nHardware Security Keys]

    style WEAK fill:#e63946,color:#fff
    style BEST fill:#2d6a4f,color:#fff

| Method | Phishing Resistant | SIM Swap Resistant | Offline Capable |
|---|---|---|---|
| SMS OTP | NO | NO | NO |
| TOTP (Authenticator app) | NO (can be proxied) | YES | YES |
| Push notification | NO (MFA fatigue attacks) | YES | NO |
| Hardware OTP token | Partially | YES | YES |
| FIDO2/WebAuthn | YES | YES | Depends |
| PIV Smartcard | YES | YES | YES |
| Passkeys | YES | YES | YES (on-device) |

33.3.2 FIDO2 / WebAuthn Implementation

// Passkey / FIDO2 registration (browser)
// serverChallenge and userId come from the server's registration-options response
const credential = await navigator.credentials.create({
  publicKey: {
    challenge: serverChallenge,  // Random bytes from server
    rp: {
      name: "Example Corp",
      id: "example.com"
    },
    user: {
      id: Uint8Array.from(userId),
      name: "user@example.com",
      displayName: "John Smith"
    },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256 (ECDSA with P-256)
      { type: "public-key", alg: -257 }  // RS256 (fallback)
    ],
    authenticatorSelection: {
      authenticatorAttachment: "platform",  // Device-bound passkey
      residentKey: "required",
      userVerification: "required"  // PIN or biometric required
    },
    timeout: 60000,
    attestation: "direct"
  }
});

// Send credential.response to server for verification
// Server verifies: clientDataJSON, attestationObject, signature chain
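
What the server does with that response, as an added example that is not part of the chapter: the clientDataJSON and authenticatorData checks of the registration ceremony, written in Python. Parsing the CBOR attestationObject and verifying the attestation signature are left to a WebAuthn library, so authenticatorData is passed in as raw bytes; RP_ID, EXPECTED_ORIGIN and the test vectors are constructed.

```python
# Added example: relying-party checks on a registration response (constructed
# test vectors; real flows take authenticatorData out of the CBOR attestationObject).
import base64
import hashlib
import json
from typing import Tuple

RP_ID = "example.com"                    # rp.id used in the browser call
EXPECTED_ORIGIN = "https://example.com"  # the only origin we registered
FLAG_UP, FLAG_UV = 0x01, 0x04            # authenticatorData flag bits

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def verify_registration(client_data_json: bytes, authenticator_data: bytes,
                        issued_challenge: bytes) -> Tuple[bool, str]:
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.create":
        return False, "wrong ceremony type"
    # Must equal the challenge this server issued for this session (no replay).
    if b64url_decode(cd.get("challenge", "")) != issued_challenge:
        return False, "challenge mismatch"
    # The browser fills in origin itself, so a proxy on a look-alike domain
    # cannot obtain a response that passes this check: the phishing resistance.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if not flags & FLAG_UV:  # userVerification: "required" in the options
        return False, "user verification not performed"
    return True, "ok"

# Constructed stand-ins for what a browser would send back.
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.create", "origin": origin,
                       "challenge": b64url_encode(challenge), "crossOrigin": False}).encode()

def make_authenticator_data(rp_id: str, flags: int) -> bytes:
    # rpIdHash (32) || flags (1) || signCount (4); attested credential data omitted
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + b"\x00" * 4
```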

33.3.3 MFA Bypass Attacks and Defenses

| Attack | Method | Defense |
|---|---|---|
| MFA Fatigue | Flood user with push notifications until they approve | Number matching; context-based approval; rate limiting |
| AiTM Phishing | Reverse proxy captures session cookie after MFA | FIDO2 passkeys (bound to origin — phishing-proof) |
| SIM Swapping | Social engineer carrier to redirect SMS | Eliminate SMS MFA; use TOTP or FIDO2 |
| SS7 Attack | Intercept SMS at network level | Same as SIM swap — eliminate SMS |
| Social Engineering | "I need MFA reset" to helpdesk | Strict verification protocol for MFA resets |
| Recovery Code Theft | Steal stored backup codes | Recovery codes in password manager; require manager approval |
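
The MFA Fatigue row is the one defenders can catch in telemetry: a burst of denied or unanswered push prompts, followed by an approval, is the attack succeeding. Below is an added example (not the chapter's code) of that detection as a sliding-window rule over a constructed push-authentication log; field names, the threshold and the window are assumptions.

```python
# Added example: sliding-window detection of MFA fatigue (push bombing) over a
# constructed push-authentication log; field names and thresholds are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# (timestamp, user, result) as an IdP might export it; constructed sample.
PUSH_LOG = [
    ("2026-03-02T02:10:05Z", "dave", "denied"),
    ("2026-03-02T02:10:40Z", "dave", "denied"),
    ("2026-03-02T02:11:15Z", "dave", "timeout"),
    ("2026-03-02T02:11:50Z", "dave", "denied"),
    ("2026-03-02T02:12:30Z", "dave", "approved"),   # gave in: the attacker is now in
    ("2026-03-02T09:00:00Z", "erin", "approved"),   # normal single prompt
    ("2026-03-02T09:30:00Z", "erin", "denied"),     # one stray denial: no alert
]
BURST_THRESHOLD = 3             # unapproved pushes ...
WINDOW = timedelta(minutes=10)  # ... within this window

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_mfa_fatigue(log, threshold=BURST_THRESHOLD, window=WINDOW) -> List[Tuple[str, str, str]]:
    """Return (user, timestamp, severity).  'medium' when a user reaches the
    threshold of denied/timed-out pushes inside the window (someone holds the
    password and keeps prompting); 'high' when an approval lands during such a
    burst, which is the fatigue attack succeeding: revoke the session."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes in window
    alerts = []
    for ts_str, user, result in sorted(log):
        ts, pending = parse_ts(ts_str), recent[user]
        while pending and ts - pending[0] > window:
            pending.popleft()
        if result == "approved":
            if len(pending) >= threshold:
                alerts.append((user, ts_str, "high"))
            pending.clear()
            continue
        pending.append(ts)
        if len(pending) == threshold:  # fire once per burst
            alerts.append((user, ts_str, "medium"))
    return alerts
```

The "medium" point is also where the IdP itself should stop issuing prompts for that user (the rate limiting in the table) and where number matching makes a blind tap ineffective.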

33.4 Privileged Access Management (PAM)

33.4.1 PAM Core Capabilities

CORE PAM CAPABILITIES:

1. Privileged Account Vault
   - Encrypted storage for privileged credentials
   - No admin knows the password — PAM checks it out and checks it back in
   - Auto-rotation after use (or on schedule)

2. Just-In-Time (JIT) Access
   - No standing privileges — request access when needed
   - Workflow-based approval for sensitive systems
   - Time-limited (1-8 hour windows)
   - Reduced attack surface: no always-on admin accounts

3. Session Management
   - All privileged sessions proxied through PAM
   - Full video/keystroke recording
   - Real-time monitoring — security team can watch or terminate
   - Forensic audit trail

4. Credential Injection
   - Passwords injected at session initiation — user never sees credential
   - Eliminates password sharing and hardcoded creds in scripts

5. Service Account Management
   - Auto-discovery of service accounts
   - Automatic password rotation with application restart
   - Prevent service accounts from interactive login

33.4.2 HashiCorp Vault JIT Access

# HashiCorp Vault — dynamic credential generation
# No standing database credentials — Vault generates on demand

# Configure database secrets engine
vault secrets enable database
vault write database/config/prod-postgres \
  plugin_name=postgresql-database-plugin \
  connection_url="postgresql://{{username}}:{{password}}@db.prod.internal:5432/appdb" \
  allowed_roles="app-readonly" \
  username="vault-admin" \
  password="vault-password"
# The bootstrap password above is a placeholder; have Vault rotate it so no human knows it:
# vault write -force database/rotate-root/prod-postgres

# Define a role with time-limited credentials
vault write database/roles/app-readonly \
  db_name=prod-postgres \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

# Application requests credentials (no stored password)
vault read database/creds/app-readonly
# Key     Value
# lease_duration  1h
# username  v-appservice-app-read-xxxx
# password  A1a-RandomSecurePassword

# Credentials auto-expire after 1 hour; auto-revoked if lease not renewed

33.5 Federation and SSO

33.5.1 SAML 2.0 Flow

sequenceDiagram
    participant U as User
    participant SP as Service Provider (App)
    participant IdP as Identity Provider (Okta/Azure AD)

    U->>SP: Access protected resource
    SP-->>U: Redirect to IdP with SAML AuthnRequest
    U->>IdP: Follow redirect
    IdP->>IdP: Authenticate user (password + MFA)
    IdP-->>U: SAML Response (signed assertion)
    U->>SP: POST SAML Response
    SP->>SP: Verify signature, extract attributes
    SP-->>U: Grant access to resource

33.5.2 OAuth 2.0 / OIDC Security

# OAuth 2.0 / OIDC security implementation checklist

class OAuthConfig:

    # PKCE — required for all public clients (mobile, SPA)
    # Prevents authorization code interception attacks
    USE_PKCE = True
    CODE_CHALLENGE_METHOD = "S256"  # SHA-256, not plain

    # State parameter — CSRF protection
    STATE_ENTROPY_BITS = 128  # os.urandom(16) → base64url

    # Nonce — replay protection for OIDC
    NONCE_ENTROPY_BITS = 128

    # Token configuration
    ACCESS_TOKEN_LIFETIME = 3600     # 1 hour
    REFRESH_TOKEN_LIFETIME = 604800  # 7 days
    ID_TOKEN_LIFETIME = 3600         # 1 hour

    # Audience validation — verify token is for YOUR app
    VALIDATE_AUDIENCE = True
    EXPECTED_AUDIENCE = "https://api.example.com"

    # Issuer validation
    VALIDATE_ISSUER = True
    EXPECTED_ISSUER = "https://accounts.example.com"

    # Redirect URI — exact match required (no wildcards!)
    ALLOWED_REDIRECT_URIS = [
        "https://app.example.com/callback",
        "https://app.example.com/silent-renew"
    ]
    # Never allow: localhost, wildcard domains, fragment redirects
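
The settings in OAuthConfig are only useful if the code that enforces them is right. The following is an added example (not the chapter's code) of those checks as runnable functions: PKCE with S256, exact redirect-URI matching, and issuer/audience/expiry/nonce validation of token claims. Signature verification of the JWT is left to a JOSE library, and CLOCK_SKEW_S is an assumption.

```python
# Added example: the checks behind OAuthConfig as runnable functions.  Signature
# verification of the JWT is left to a JOSE library; CLOCK_SKEW_S is an assumption.
import base64
import hashlib
import secrets
import time
from typing import Optional, Tuple

ALLOWED_REDIRECT_URIS = {"https://app.example.com/callback",
                         "https://app.example.com/silent-renew"}
EXPECTED_ISSUER = "https://accounts.example.com"
CLOCK_SKEW_S = 60

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_pkce_pair() -> Tuple[str, str]:
    """Client side: random code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def pkce_verifier_matches(code_verifier: str, stored_challenge: str,
                          method: str = "S256") -> bool:
    """Authorization server side at /token.  An intercepted code is useless
    without the verifier; 'plain' is refused (CODE_CHALLENGE_METHOD = "S256")."""
    if method != "S256":
        return False
    computed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(computed, stored_challenge)

def redirect_uri_allowed(uri: str) -> bool:
    """Exact string match: no prefix, wildcard, or path normalisation."""
    return uri in ALLOWED_REDIRECT_URIS

def validate_token_claims(claims: dict, expected_aud: str,
                          expected_nonce: Optional[str] = None,
                          now: Optional[int] = None) -> Tuple[bool, str]:
    """iss / aud / exp / nonce checks shared by ID tokens (aud = client_id)
    and JWT access tokens (aud = API identifier such as EXPECTED_AUDIENCE)."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp < now - CLOCK_SKEW_S:
        return False, "token expired"
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    return True, "ok"
```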

33.6 Identity Governance

33.6.1 IGA Core Processes

Identity Lifecycle Management:
├── Joiner: New hire → auto-provision accounts based on role
├── Mover: Role change → modify access to reflect new duties
│   └── CRITICAL: Remove old access when moving departments
└── Leaver: Termination → immediate, complete access revocation

Access Certification (Reviews):
├── Quarterly: All privileged access (Domain Admins, Cloud Admins)
├── Semi-annual: Application administrators
├── Annual: All user access
├── Event-based: After role change, after incident
└── Process: Manager certifies "user still needs this access" or revokes

Segregation of Duties (SoD):
├── Cannot be approver AND requester for same workflow
├── Finance: Cannot both create AND approve payments
├── IT: Cannot both create AND approve privileged access requests
└── Procurement: Cannot both order AND approve purchases
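
The Mover rule and the SoD list are related: access that is not removed at a role change is the usual way an identity ends up holding both sides of a workflow. Below is an added example (not the chapter's code) of both checks as an IGA pipeline might run them on one identity's entitlements; role, entitlement and user names are constructed.

```python
# Added example: the Mover rule and the SoD pairs from 33.6.1 as checks an
# IGA pipeline can run on one identity's entitlements.  Role, entitlement
# and user names are constructed.
from typing import Dict, Iterable, List, Tuple

ROLE_ENTITLEMENTS: Dict[str, set] = {
    "ap-clerk":    {"fin.payments.create"},
    "ap-manager":  {"fin.payments.approve", "fin.reports.read"},
    "it-helpdesk": {"it.privaccess.request", "ad.password.reset"},
    "it-approver": {"it.privaccess.approve"},
}

# Toxic combinations from the chapter's SoD list: one identity holding both
# sides of a workflow can complete it alone.
SOD_RULES: List[Tuple[str, str]] = [
    ("fin.payments.create", "fin.payments.approve"),
    ("it.privaccess.request", "it.privaccess.approve"),
    ("proc.orders.create", "proc.orders.approve"),
]

def sod_violations(entitlements: Iterable[str]) -> List[Tuple[str, str]]:
    held = set(entitlements)
    return [pair for pair in SOD_RULES if held.issuperset(pair)]

def mover_review(current: Iterable[str], old_role: str, new_role: str) -> Dict[str, List[str]]:
    """Plan for a role change: revoke what only the old role granted, grant the
    new role, and send anything outside both roles to the manager to certify."""
    old, new, held = ROLE_ENTITLEMENTS[old_role], ROLE_ENTITLEMENTS[new_role], set(current)
    return {
        "remove": sorted(held & (old - new)),
        "add": sorted(new - held),
        "certify": sorted(held - old - new),
    }

if __name__ == "__main__":
    pat = {"fin.payments.create", "vpn.access"}
    plan = mover_review(pat, "ap-clerk", "ap-manager")
    after_add = pat | set(plan["add"])
    # Skipping the "remove" step is exactly what produces an SoD violation:
    print(sod_violations(after_add))                        # [('fin.payments.create', 'fin.payments.approve')]
    print(sod_violations(after_add - set(plan["remove"])))  # []
```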

33.6.2 Access Review Automation

# SailPoint IdentityNow API — trigger access certification
import os
import requests

# Bearer token (personal access token or OAuth client credentials) read from the environment
token = os.environ["IDENTITYNOW_TOKEN"]
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

# Create access certification campaign
campaign = {
    "name": "Q1 2026 Privileged Access Review",
    "description": "Quarterly certification of all privileged accounts",
    "type": "MANAGER",
    "deadline": "2026-04-15T23:59:59Z",
    "emailNotificationEnabled": True,
    "certifiers": [
        {"type": "MANAGER"}  # Each user's manager certifies their access
    ],
    "filter": {
        "entitlementCriteria": {
            "entitlementMatchType": "ANY",
            "entitlements": [
                {"id": "DOMAIN_ADMINS_GROUP_ID"},
                {"id": "CLOUD_ADMIN_GROUP_ID"}
            ]
        }
    }
}

response = requests.post(
    "https://tenant.api.identitynow.com/v3/campaigns",
    json=campaign, headers=headers, timeout=30
)
response.raise_for_status()  # fail loudly on 4xx/5xx rather than assuming the campaign exists

33.7 Benchmark Controls

| Control ID | Title | Requirement |
|---|---|---|
| Nexus SecOps-IAM-01 | MFA Everywhere | MFA required for all user access; phishing-resistant MFA for privileged users |
| Nexus SecOps-IAM-02 | AD Tiering | Administrative tiering implemented; no cross-tier logon |
| Nexus SecOps-IAM-03 | PAM Deployment | All privileged accounts managed in PAM; JIT access for admin |
| Nexus SecOps-IAM-04 | Access Certification | Quarterly review of privileged access; annual review of all access |
| Nexus SecOps-IAM-05 | Account Deprovisioning | Access revoked within 1 hour of termination; verified by quarterly audit |
| Nexus SecOps-IAM-06 | SSO with Strong MFA | All applications integrated with IdP; direct login disabled |

Exam Prep & Certifications

Relevant Certifications

The topics in this chapter align with the following certifications:

  • CISSP — Domains: Identity and Access Management, Security Architecture
  • SC-300 — Domains: Microsoft Identity and Access, Azure AD, Conditional Access


Key Terms

Federation — A trust relationship between two organizations that allows users from one to authenticate to systems in the other using their home credentials.

FIDO2 — Fast Identity Online 2 — a phishing-resistant authentication standard using public key cryptography, binding credentials to the authenticating origin.

IGA (Identity Governance and Administration) — Processes and technology for managing the identity lifecycle, access rights, and compliance throughout an organization.

Just-In-Time (JIT) Access — A privileged access model where elevated permissions are granted only for the specific time period needed, with no standing privileges.

PAM (Privileged Access Management) — Technology and processes for controlling, monitoring, and auditing all access and activity associated with privileged accounts.

Passkey — A FIDO2 credential stored on a device (phone, laptop) that enables phishing-resistant authentication using biometrics or PIN, without passwords.