1 Cloud Authorization IAM Technologies
Welcome to ITProTV, I'm your host Don Pezet. Coming at you live from San Francisco. >> [CROSSTALK] [MUSIC] >> You're watching ITProTV. >> Hello and thank you for watching ITProTV, helping you level up with IT
learning everywhere you go. I'm your host Zach Memos with this episode of CompTIA+, Cloud Authorization IAM Technologies is the title of this episode. What's it all about? Well, we're gonna ask Ronnie Wong because he knows. Ronnie, good to see you as usual, thanks for being here. >> Well Zach, thank you again for joining me as we continue on to learn more about the realm of, well, cloud, right? So the idea of our cloud platform, cloud computing, whatever it is is all covered in CompTIA's Cloud+ series which we are in the middle of. And Zach, we talked about security almost ad nauseum at this point, multiple episodes, but we're exactly quite done yet, okay? So even though we talked about some of the different components of cloud security, part of that component is also gonna be kind of an off shoot of that but much more in line with what the users are gonna deal with. It's not so much the security stuff but more in line with
what we call authorization, okay? So Zach, that is what we're gonna be taking a look at today is the goal and the ways that we accomplish some of the authorizations that we need to to allow for access into the cloud. >> Well Ronnie and we're looking forward to it. But how do we do authorization in the cloud, and further what is IAM technologies, what's that all about? >> All right, so when we start talking about the idea here of authorization okay, and the way that we do things. What we're actually talking about it and trying to make sure that we understand, right, is what it does for us, okay? So when we start to mention that idea of authorization, most people that are not as familiar with security concepts might think that it has to do with just identity, okay? That I present my own identity and that gives me authorization. But that's not exactly correct, okay? That is a realm that we call authentication if only you presenting something you like your identity. Authorization really kinda helps you to understand what it is that you do, okay, or what you're allowed to do, okay? Now Zach also asked about the idea here of IAM technologies. And in the cloud realm, when we start dealing with authorization, what we're normally going to end up talking about the majority of times is the idea of identity. And access management, or
authorization management, is what you actually end up talking about. So Zach, in terms of the cloud, when we talk about authorization, it normally turns in to IAM technologies. I wanna make sure I'm telling you, access management, okay, so identity and access management. I don't know why I keep forgetting those two terms here, okay? >> Because it's Friday. >> Yeah, it could be that,
there's no doubt. Now, as we get started though, let's go back to the basics and make sure that we understand that when we start in the realm of authorization of where it really begins. So let's take a look at my screen. I'm gonna type out some of the different terminology that you have
to know. And I didn't go ahead and flash this up here on the screen because I wanted you to actually kind of work through it in your brain and actually kind of to take notes out on this stuff, okay? So Zach, when we start talking about the realm of how we do authorization, okay, at the most basic realm of authorization. What we're normally actually talking about then is making sure that we understand the ideas here of authentication, authorization, and accounting. >> Hey, hey, hey. >> Yep, so sometimes you actually hear it called AAA security. In the realm of Cisco that's what we call it, AAA security. Also you might hear the term new model security, AAA new model as the way that is actually implemented in terms of Cisco products. And the reason why that is called new model, you have to go back 30 years or so,
okay? Is that at one point we had just basic authentication, okay? And then if you knew the password something, you were able to get access and do whatever the heck you wanted to, okay? The new model essentially says, look, you have to first present me some type of credential, okay? Then I can link that to a particular level of access that I can give you, okay? But before you get access in I also want to make sure I know when you did something, so I'm going to log in as well, okay? So when we start talking about this idea of authentication, we want to make sure we link that to, well this is normally when we actually say this is who I claim to be. And this is important because remember, even though a lot of people identify or explain, Zach, the idea of authentication as being, well, it's your identity. It's who you are. It's not technically correct. And the reason why is that, Zach, there is no doubt that over the phone because Zach is a brilliant actor and he can mimic a lot of things, that if on the phone, if Zach called me and said, hey, I'm Ronnie Wong, you might not actually know if he's really Ronnie Wang on the other end of the phone, okay? Why, well, cuz you can't see that he's six feet taller than I am at this point in time. >> [LAUGH] >> But the very fact is If he says that, right, Zach, say I'm Ronnie Wong. >> I'm Ronnie Wong. >> See, so if Zach says something like that over the phone, you can't at that point really validate that he's Ronnie Wong.
He's telling you what? He's saying I am Ronnie Wong and that is, what he's presenting there is authentication. He's saying this is who I claim to be. >> Who I claim to be, right. >> So it doesn't go in and it doesn't do a DNA stick over the phone, and- >> They're working on that. >> Yeah, they are working on that. >> [LAUGH] >> Yeah, that would be harsh. Wouldn't it, right in the ear? Ow, yeah, that's pretty bad. But that's authentication, right, it's who someone claims
to be. Now what we're actually talking about then is that this needs to somehow at some point, in all reality we want it linked to an identity. But for us at the most basic level we begin with, who are you claiming to be? So the way that we do that, right Zach, is we start talking about the idea of authentication. >> Right. >> Is pretty basic here. One, it can be actually something we
literally are. So we can authenticate in several ways. So Zach, when we start thinking about it, you might be able to actually do this. Where I have a fingerprint scanner and if Zach says, all right, I'm gonna actually type that I'm Ronnie Wong as an account name. It says, all right, present your fingerprint. Well then Zach puts his fingerprint down on it, now it doesn't match. Well, that proves then at that point that whatever he presented was not matching what they
had on file, okay? But that's something that we can do there that can do something like that. Now, the other way is him just actually saying I'm Ronnie, and you accept it. Because that's who he says he is and you just go ahead and accept it. That's perfectly fine that you can do that.
The other thing that you can do is something that he has. So, in that sense, it can be some type of security badge. So let me give you a, so you can see I have something like that, right? So in here when I try to walk in in the mornings, have to kind of just swipe this across the the pad this on the outside of the door. And when I do that, that actually does present my ticker ID.
And that actually is mine, it doesn't say Zach Memos, I didn't steal Zach's. So at this point here you actually do have something like that that is an access now. Now, this is not me, okay? It's not son that I'm actually saying who I am. >> It's something you have. >> It's something that I have,
okay? So something like that's actually good. You might, for those you that have actually worked on military bases, well, you might hear the term CAC, C-A-C, for common access card too. So all that's actually possible when you start talking about authentication, different means when we start doing it. Something that we are, something like my fingerprint or retinal scan, something I have, some type of access token. It might be an actual key for those that might use some like the YubiKey or the Google Titan Key or there's so many different products out there today, you name it. There's plenty of them out there, that's something else too. Now, Zach,
the most common one that most people will end up using is something that you know, okay. Now, in that sense, Zach, what's my password to my luggage? >> Ronnie123. >> You're close, it should be 1234, is what it should be. So Zach was almost correct in guessing the password to my luggage there. So in that sense, it's something that you actually know, okay? So if I can validate it that way, Zach says he's Ronnie Wong and he can actually type in my password, yeah. I go,
all right, that's enough, that's sufficient to link that to an identity in that sense, okay? Now, there's a few other ones that are relatively newer when we start thinking about this as well. And the reason why is in the last few years, of course, the old ways that we used to do things, right? You present something that you are, okay, you present something that you might have, okay, and you present something that you know. But today you can even actually kind of get verified in terms of your authentication. >> Somewhere you are. >> By somewhere that you are, okay, and that can actually include something like a particular GPS location. In other words, having some type of geo-fencing to say, yes, not only is this Ronnie, but he's actually within this area. So if Zach goes across town to someplace else and says, watch this, I'm gonna present myself as Ronnie. Yeah, but you're not in that geolocated area, then it might say, yeah, it's not gonna
actually work for him. So it is possible to do that, or it might be just that idea of a validated IP address, okay, that you might actually have a list that actually presents something like that. And then Zach tries to log in from a different location that's a different IP address, it doesn't give him access, okay? So somewhere that you are as well, okay? And lastly, Zach, it could also be something that we do. Now, whenever I say something like that, it's a little bit unusual,
but today, I don't wanna say it's today. It's actually been since, I'm trying to think, Windows 8 is kind of the first time I remember this. But it might be where your challenge is no longer just a password, or even a PIN number. >> How many stoplights are in this picture, that kinda
thing? >> Yeah, something like that, but the other one is the Windows password picture, right? You actually have a photograph, and then you actually make a drawing on it. You actually have to do two points and a slash or something like that, where it actually says to do that. So you might have a smiley face, or you might have a circle, and then you draw in the smiley face, or a sad face, or something like that. And then that says, yes, that's the pattern that I'm expecting to see. So all that's possible in terms of authentication, okay? So we've added in a couple of them since. For those that have actually been around for a long, long time, you're like, are you joking? No, I'm not joking. They've continue to expand the realm of authentication in that sense. But Zach, that's not the only way to do this, of course, okay? The more popular way today, and probably the more secure way to do authentication is what we call MFA. Okay, Zach, have you heard that
acronym before in terms of security, MFA? >> Multi-factor authentication. >> That's right, so Zach is perfectly right here in this sense, multi-factor authentication. This is when we take, well, two, right, usually, what we call one or more, but usually it's two or more of these particular factors, and we put them together. So it might be where Zach types in a PIN number, but then he still also has to present something else to actually make that work, okay? Now, for me, Zach, this is what I try and use just about on everything, okay, and when I mean everything, I mean this. So Zach, I use a product called LastPass to help me manage passwords. >> Sure, so do I. >> Now, on LastPass, I have it where I actually have to present my thumbprint to be able to get access into my password manager on my phone. >> I don't do that,
but I do use LastPass [LAUGH]. >> But I mean, I have to do that, okay? But at that point, though, once I present that, it also says, hey, you've actually asked for multi-factor authentication. So it's actually asking me for a second authentication method, and what it means by that is, hey, here's what I'm gonna do. I'm gonna send this code to your phone, okay, and on there, you have what they call the authenticator, okay, which is software that actually generates that code. And what I have to actually be able
to do at that point is actually accept that that's actually who contacted it, and it sends back the message. So Zach, I had to present a token, essentially my phone and my fingerprint at that point, to get access to my passwords. >> Yeah, I do something similar with one of my email addresses. >> Mm-hm, yeah, and that's the same. So when we see that, that's probably more effective
because it now doesn't depend on one of those things actually kind of falling out of my hands. It actually says, look, if you don't have the other part, you're not gonna still be able to get in. So multi-factor authentication, sometimes also called 2FA if it's two-factor authentication, these are actually fairly good for the idea of a little bit more security. I'm not gonna tell you it's the strongest security in the world. But it at least brings a little bit more of a challenge to anybody that just says, I'm gonna do some type of social engineering, such as shoulder surfing, to help us out. Okay, so that's kind of at least some of the basics in authentication
when you start doing something like that, okay? Now, Zach, there's also something else that we have to talk about as well in terms of authentication, too, okay? When we start thinking about that in terms of the authentication methods, there are other things that have to come in play in authentication. And that includes authentication protocols, okay? Now, Zach, when we start talking about authentication protocols, so let me go back here. I didn't fill in all this here. So I just said who I claim to be, okay? Something I have, sorry. So here's who I claim to be. Let me go back to, what was I gonna do? Authentication protocol.
Let's talk about some protocols here for just a moment, okay? Now, authentication protocols, that point, this is something that has actually changed over time as well. So probably, the earliest authentication protocol is something that we call PAP, which is Password Authentication, Protocol, okay, and this is fairly simple. I actually try and connect with a username and a password, and on the other side, that's set up with the same username and password, it says, all right, that matches. And we're off and we're good to go, okay? So this one is probably, by far, the most basic way that we can do this. Now, this does it without any encryption at all. Okay, and so that means if you have a chance here, it can possibly be intercepted if you're over an open type of network. Okay, so not exactly super secure, but it does provide authentication. The other one that's also fairly popular is what they call CHAP, which is Challenge Handshake, I can't spell hand, Handshake Authentication Protocol. >> So you can spell authentication, but
handshake was a bit of a stretch. >> I know, tell me about it, yeah. There's times when the word and is actually a stretch here. >> He's multitasking, all right [LAUGH]. >> So Challenge Handshake Authentication Protocol, this is a bit different, right? So this one is a challenge. If you actually think about it, it's kind of asking an unusual question, right? So both sides, they have to come up with the right answer to the question. >> Sure. >> So on one side, I try to do this to not make it cryptographically understood in that way, and talk about hash values and stuff. That's exactly how it works, but just think about it this way. So Zach, I ask you, figure out this problem for me. Okay,
and so Zach actually figures out the problem, and he does this, okay? But then, once he actually gets that in hand, he now presents to me the answer that he got. Okay, and then what I can do is I can run that same exact mathematical problem, okay, and that should give me the exact same value. So if all of a sudden, that didn't give me the exact same value, and I know what it's supposed to be, then I know that Zach is not who he's claiming to be. So it is that way,
and most of us have actually done this before. So Zach, let's say I hand you, which I'm never gonna do, Zach, so I say I'm gonna hand Zach $1,000. I'll never hand Zach $1,000 because he's gonna buy one knife with it, and I'll cry if he does something like that. Okay, but I say, Zach,
I'm gonna hand you $1,000, can you verify that this is $1,000? Well, if Zach counts $900, then I know Zach's pocketed the other, no, I'm joking. I know one of two things, right, either Zach doesn't know how to count, or I did give him $900 and I told him it's supposed to be 1,000. Okay, so Zach should come back and actually be able to tell me, either it is 1,000 or it's not 1,000. Okay,
if Zach says, it's supposed to be $1,000, I go, ooh, well, no, I gave you 1,000, then Zach knows I'm lying, okay? So that's the same idea in terms of the challenge-handshake authentication protocol in the most basic terms. Without getting into hashing and stuff like that, which we're not trying to get into at this point. So just kind of realize that that is one of the analogies that we can also use as well. Now, another one here is called EAP, which is extensible, kinda weird, extensible authentication protocol. Okay, now, extensible authentication protocol, this says it
can use anything. But what we're really talking about the majority of the time is the use of digital certificates to authenticate. And that means, again, the third party that you trust, they give you an identity. And then you present that to whoever you're supposed to, and they go, all right, let me check, verify that this is working, and it actually works or doesn't. Okay, so that's all it is, and it's also hardware-based at times too. So just kind of realize, on-premises, you're normally talking about hardware-based types of authentication that you can do. And in the cloud, we're actually normally talking about use of digital certificates as well.
All right, so that's another one, and then there is, of course, some unusual ones, like TACACS. Now this one I'm not gonna try and actually spell out because it's weird. TACACS stands for terminal access controller access control services. Yeah, insanely redundant, right, terminal access controller access control services. Yeah, you can't get any more redundant
than that. >> There's redundancy there, it's from the Office of Redundancy Office. >> Yeah, that is it, okay, so this one, it takes the realm of AAA, okay, the accounting, the authorization, and the authentication, and says, here's how we're gonna do this. And actually sets out how it actually ends up working out for us. And it works fairly well, it's actually a fairly good system. But it's a really old system at this particular point in time, as well. So this one, at one point, it used to be called TACACS+, which was proprietary to Cisco. Now, of course, it's actually more open source or open standard at this point as well. RADIUS is probably the one
that you see most often, RADIUS stands for remote authentication dial up, Dial-in, sorry, dial-in user service, I know, it's kinda weird. Okay, so remote authentication dial-in user service, now this one is probably used today. And once again, because it can also be implemented together with EAP, so you can do digital certificates with it. And this offloads the authentication
to a different device. So instead of you actually authenticating against the device that you're trying to get access to, it points and goes, no. If you're gonna do authentication, you have to come through me, and then I will talk to whoever the authentication service is. And then I'll let you in if it's actually okay with them. If not, you won't be able to get access. Now this one right here, along with EAP at this point, let me go ahead and mark these here, Zach. These two are used in the cloud, when we start to take a look at it. Okay, so EAP and RADIUS, they're actually used in the cloud. Another one that's fairly similar, but is called
DIAMETER, is another one. I don't even wanna try and tell you what this actually stands for. Zach, the weird thing about it, it's not an acronym. So yeah, DIAMETER for us is essentially RADIUS. But they say, look, there's some weaknesses behind RADIUS. We called it DIAMETER because it's twice as good as RADIUS, go figure. >> Why didn't they call it RADIUS++? >> Yeah,
who knows, but they called it DIAMETER instead. DIAMETER is also able to be used in the cloud as well, if you have that set up. And then one of the kind of neat ones here is Kereberos. Kerberos, okay, now Zach- >> That's Greek. >> That is Greek. >> That's Greek and- [CROSSTALK] >> It is Greek, it is as Greek as it can be. So Zach, do you know where it actually comes from, the mythology? >> It comes from Greece >> [LAUGH] >> It's about time, no, Kronos is time. >> Yeah Kronos is time, this is about the the legend of the three-headed dog that guards the gate. >> Yeah, yeah,
that's right, he's got bad breath. >> Yeah, so this is an authentication process that requires, well, multiple elements to it. Right, the very fact that you get issued a token, and then you present the token back. And if the guy that's actually taking the token can say, yep, you got it from the guy that I trust and know, the authentication server, and it's time stamped correctly, usually within five minutes, then I'll let you in. But Zach, if you picked up that toekn
three or four days ago from somebody else, and then you try to present it, the guy's gonna say, nah, I'm not letting you access in. Okay, so Kerberos is all those together, a lot of things, a lot of authentication servers end up using Kerberos today. You can think about Active Directory, they're probably the biggest ones that you also hear about. So in terms of authentication, Zach, this can be fairly hefty. >> Yeah, there's quite a lot there. >> When we start thinking about basic authentication, okay, so that is some of that stuff. Now, like I told you, you
need to know this because, well, you just gotta know it, I don't know how else to say this. Okay, all right, Zach, so once we start to think about that idea of the authentication protocols and, of course, the way that the authentication works. Well, that means that we need to also talk about authorization as well. But Zach, I looked over at the clock and I'm realizing something. I do not
have enough time to complete what has to happen. So Zach, let's save this for a part two, and then we'll actually be able to continue on. >> Okay, cloud authorization, IAM technologies, another great episode inside of CompTIA Cloud+. Brought to you by ITProTV and Ronnie Wong, and this is part one. Join us for part two, and make sure you watch every single episode of CompTIA Cloud+. Ronnie's
done a great job with this entire series of great videos. You wanna pay attention and keep learning, keep taking notes, keep studying, never stop learning. Inside of our course library, there's kinds of supplementary information. It is there to do one thing, help you go even further,
so check it out. And tell everybody you know about ITProTV, ITProTV is binge-worthy. Thanks for watching, I'm Zach Memos. >> And I'm Ronnie Wong. >> We'll see you again soon. [MUSIC] >> Thank you for watching ITProTV.
2021-04-13 02:03