1 Cloud Authorization IAM Technologies


Welcome to ITProTV, I'm your host Don Pezet. Coming at you live from San Francisco.
>> [CROSSTALK] [MUSIC]
>> You're watching ITProTV.
>> Hello and thank you for watching ITProTV, helping you level up with IT learning everywhere you go. I'm your host Zach Memos with this episode of CompTIA+, Cloud Authorization IAM Technologies is the title of this episode. What's it all about? Well, we're gonna ask Ronnie Wong because he knows. Ronnie, good to see you as usual, thanks for being here.
>> Well Zach, thank you again for joining me as we continue on to learn more about the realm of, well, cloud, right? So the idea of our cloud platform, cloud computing, whatever it is, is all covered in CompTIA's Cloud+ series which we are in the middle of. And Zach, we talked about security almost ad nauseam at this point, multiple episodes, but we're not quite done yet, okay? So even though we talked about some of the different components of cloud security, part of that component is also gonna be kind of an offshoot of that but much more in line with what the users are gonna deal with. It's not so much the security stuff but more in line with what we call authorization, okay? So Zach, that is what we're gonna be taking a look at today is the goal and the ways that we accomplish some of the authorizations that we need to to allow for access into the cloud.
>> Well Ronnie, and we're looking forward to it. But how do we do authorization in the cloud, and further, what is IAM technologies, what's that all about?
>> All right, so when we start talking about the idea here of authorization, okay, and the way that we do things. What we're actually talking about it and trying to make sure that we understand, right, is what it does for us, okay? So when we start to mention that idea of authorization, most people that are not as familiar with security concepts might think that it has to do with just identity, okay? That I present my own identity and that gives me authorization. But that's not exactly correct, okay? That is a realm that we call authentication if you're only presenting something like your identity. Authorization really kinda helps you to understand what it is that you do, okay, or what you're allowed to do, okay? Now Zach also asked about the idea here of IAM technologies. And in the cloud realm, when we start dealing with authorization, what we're normally going to end up talking about the majority of times is the idea of identity. And access management, or authorization management, is what you actually end up talking about. So Zach, in terms of the cloud, when we talk about authorization, it normally turns into IAM technologies. I wanna make sure I'm telling you, access management, okay, so identity and access management. I don't know why I keep forgetting those two terms here, okay?
>> Because it's Friday.
>> Yeah, it could be that, there's no doubt. Now, as we get started though, let's go back to the basics and make sure that we understand that when we start in the realm of authorization of where it really begins. So let's take a look at my screen. I'm gonna type out some of the different terminology that you have to know. And I didn't go ahead and flash this up here on the screen because I wanted you to actually kind of work through it in your brain and actually kind of to take notes out on this stuff, okay? So Zach, when we start talking about the realm of how we do authorization, okay, at the most basic realm of authorization. What we're normally actually talking about then is making sure that we understand the ideas here of authentication, authorization, and accounting.
>> Hey, hey, hey.
>> Yep, so sometimes you actually hear it called AAA security. In the realm of Cisco that's what we call it, AAA security. Also you might hear the term new model security, AAA new model as the way that is actually implemented in terms of Cisco products. And the reason why that is called new model, you have to go back 30 years or so, okay? Is that at one point we had just basic authentication, okay? And then if you knew the password or something, you were able to get access and do whatever the heck you wanted to, okay? The new model essentially says, look, you have to first present me some type of credential, okay? Then I can link that to a particular level of access that I can give you, okay? But before you get access in I also want to make sure I know when you did something, so I'm going to log in as well, okay? So when we start talking about this idea of authentication, we want to make sure we link that to, well this is normally when we actually say this is who I claim to be. And this is important because remember, even though a lot of people identify or explain, Zach, the idea of authentication as being, well, it's your identity. It's who you are. It's not technically correct. And the reason why is that, Zach, there is no doubt that over the phone because Zach is a brilliant actor and he can mimic a lot of things, that if on the phone, if Zach called me and said, hey, I'm Ronnie Wong, you might not actually know if he's really Ronnie Wong on the other end of the phone, okay? Why, well, cuz you can't see that he's six feet taller than I am at this point in time.
>> [LAUGH]
>> But the very fact is if he says that, right, Zach, say I'm Ronnie Wong.
>> I'm Ronnie Wong.
>> See, so if Zach says something like that over the phone, you can't at that point really validate that he's Ronnie Wong.

>> He's telling you what? He's saying I am Ronnie Wong and that is, what he's presenting there is authentication. He's saying this is who I claim to be.
>> Who I claim to be, right.
>> So it doesn't go in and it doesn't do a DNA stick over the phone, and-
>> They're working on that.
>> Yeah, they are working on that.
>> [LAUGH]
>> Yeah, that would be harsh. Wouldn't it, right in the ear? Ow, yeah, that's pretty bad. But that's authentication, right, it's who someone claims to be. Now what we're actually talking about then is that this needs to somehow at some point, in all reality we want it linked to an identity. But for us at the most basic level we begin with, who are you claiming to be? So the way that we do that, right Zach, is we start talking about the idea of authentication.
>> Right.
>> Is pretty basic here. One, it can be actually something we literally are. So we can authenticate in several ways. So Zach, when we start thinking about it, you might be able to actually do this. Where I have a fingerprint scanner and if Zach says, all right, I'm gonna actually type that I'm Ronnie Wong as an account name. It says, all right, present your fingerprint. Well then Zach puts his fingerprint down on it, now it doesn't match. Well, that proves then at that point that whatever he presented was not matching what they had on file, okay? But that's something that we can do there that can do something like that. Now, the other way is him just actually saying I'm Ronnie, and you accept it. Because that's who he says he is and you just go ahead and accept it. That's perfectly fine that you can do that.

>> The other thing that you can do is something that he has. So, in that sense, it can be some type of security badge. So let me give you a, so you can see I have something like that, right? So in here when I try to walk in in the mornings, I have to kind of just swipe this across the pad on the outside of the door. And when I do that, that actually does present my ticker ID. And that actually is mine, it doesn't say Zach Memos, I didn't steal Zach's. So at this point here you actually do have something like that that is an access now. Now, this is not me, okay? It's not something that I'm actually saying who I am.
>> It's something you have.
>> It's something that I have, okay? So something like that's actually good. You might, for those of you that have actually worked on military bases, well, you might hear the term CAC, C-A-C, for common access card too. So all that's actually possible when you start talking about authentication, different means when we start doing it. Something that we are, something like my fingerprint or retinal scan, something I have, some type of access token. It might be an actual key for those that might use something like the YubiKey or the Google Titan Key or there's so many different products out there today, you name it. There's plenty of them out there, that's something else too. Now, Zach, the most common one that most people will end up using is something that you know, okay. Now, in that sense, Zach, what's my password to my luggage?
>> Ronnie123.
>> You're close, it should be 1234, is what it should be. So Zach was almost correct in guessing the password to my luggage there. So in that sense, it's something that you actually know, okay? So if I can validate it that way, Zach says he's Ronnie Wong and he can actually type in my password, yeah. I go, all right, that's enough, that's sufficient to link that to an identity in that sense, okay? Now, there's a few other ones that are relatively newer when we start thinking about this as well. And the reason why is in the last few years, of course, the old ways that we used to do things, right? You present something that you are, okay, you present something that you might have, okay, and you present something that you know. But today you can even actually kind of get verified in terms of your authentication.
>> Somewhere you are.
>> By somewhere that you are, okay, and that can actually include something like a particular GPS location. In other words, having some type of geo-fencing to say, yes, not only is this Ronnie, but he's actually within this area. So if Zach goes across town to someplace else and says, watch this, I'm gonna present myself as Ronnie. Yeah, but you're not in that geolocated area, then it might say, yeah, it's not gonna actually work for him. So it is possible to do that, or it might be just that idea of a validated IP address, okay, that you might actually have a list that actually presents something like that. And then Zach tries to log in from a different location that's a different IP address, it doesn't give him access, okay? So somewhere that you are as well, okay? And lastly, Zach, it could also be something that we do. Now, whenever I say something like that, it's a little bit unusual, but today, I don't wanna say it's today. It's actually been since, I'm trying to think, Windows 8 is kind of the first time I remember this. But it might be where your challenge is no longer just a password, or even a PIN number.
>> How many stoplights are in this picture, that kinda thing?
>> Yeah, something like that, but the other one is the Windows password picture, right? You actually have a photograph, and then you actually make a drawing on it. You actually have to do two points and a slash or something like that, where it actually says to do that. So you might have a smiley face, or you might have a circle, and then you draw in the smiley face, or a sad face, or something like that. And then that says, yes, that's the pattern that I'm expecting to see. So all that's possible in terms of authentication, okay? So we've added in a couple of them since. For those that have actually been around for a long, long time, you're like, are you joking? No, I'm not joking. They've continued to expand the realm of authentication in that sense. But Zach, that's not the only way to do this, of course, okay? The more popular way today, and probably the more secure way to do authentication is what we call MFA. Okay, Zach, have you heard that acronym before in terms of security, MFA?
>> Multi-factor authentication.
>> That's right, so Zach is perfectly right here in this sense, multi-factor authentication. This is when we take, well, two, right, usually, what we call one or more, but usually it's two or more of these particular factors, and we put them together. So it might be where Zach types in a PIN number, but then he still also has to present something else to actually make that work, okay? Now, for me, Zach, this is what I try and use just about on everything, okay, and when I mean everything, I mean this. So Zach, I use a product called LastPass to help me manage passwords.
>> Sure, so do I.
>> Now, on LastPass, I have it where I actually have to present my thumbprint to be able to get access into my password manager on my phone.
>> I don't do that, but I do use LastPass [LAUGH].
>> But I mean, I have to do that, okay? But at that point, though, once I present that, it also says, hey, you've actually asked for multi-factor authentication. So it's actually asking me for a second authentication method, and what it means by that is, hey, here's what I'm gonna do. I'm gonna send this code to your phone, okay, and on there, you have what they call the authenticator, okay, which is software that actually generates that code. And what I have to actually be able to do at that point is actually accept that that's actually who contacted it, and it sends back the message. So Zach, I had to present a token, essentially my phone and my fingerprint at that point, to get access to my passwords.
>> Yeah, I do something similar with one of my email addresses.
>> Mm-hm, yeah, and that's the same. So when we see that, that's probably more effective because it now doesn't depend on one of those things actually kind of falling out of my hands. It actually says, look, if you don't have the other part, you're not gonna still be able to get in. So multi-factor authentication, sometimes also called 2FA if it's two-factor authentication, these are actually fairly good for the idea of a little bit more security. I'm not gonna tell you it's the strongest security in the world. But it at least brings a little bit more of a challenge to anybody that just says, I'm gonna do some type of social engineering, such as shoulder surfing, to help us out. Okay, so that's kind of at least some of the basics in authentication when you start doing something like that, okay? Now, Zach, there's also something else that we have to talk about as well in terms of authentication, too, okay? When we start thinking about that in terms of the authentication methods, there are other things that have to come into play in authentication. And that includes authentication protocols, okay? Now, Zach, when we start talking about authentication protocols, so let me go back here. I didn't fill in all this here. So I just said who I claim to be, okay? Something I have, sorry. So here's who I claim to be. Let me go back to, what was I gonna do? Authentication protocol.

>> Let's talk about some protocols here for just a moment, okay? Now, authentication protocols, at that point, this is something that has actually changed over time as well. So probably, the earliest authentication protocol is something that we call PAP, which is Password Authentication Protocol, okay, and this is fairly simple. I actually try and connect with a username and a password, and on the other side, that's set up with the same username and password, it says, all right, that matches. And we're off and we're good to go, okay? So this one is probably, by far, the most basic way that we can do this. Now, this does it without any encryption at all. Okay, and so that means if you have a chance here, it can possibly be intercepted if you're over an open type of network. Okay, so not exactly super secure, but it does provide authentication. The other one that's also fairly popular is what they call CHAP, which is Challenge Handshake, I can't spell hand, Handshake Authentication Protocol.
>> So you can spell authentication, but handshake was a bit of a stretch.
>> I know, tell me about it, yeah. There's times when the word and is actually a stretch here.
>> He's multitasking, all right [LAUGH].
>> So Challenge Handshake Authentication Protocol, this is a bit different, right? So this one is a challenge. If you actually think about it, it's kind of asking an unusual question, right? So both sides, they have to come up with the right answer to the question.
>> Sure.
>> So on one side, I try to do this to not make it cryptographically understood in that way, and talk about hash values and stuff. That's exactly how it works, but just think about it this way. So Zach, I ask you, figure out this problem for me. Okay, and so Zach actually figures out the problem, and he does this, okay? But then, once he actually gets that in hand, he now presents to me the answer that he got. Okay, and then what I can do is I can run that same exact mathematical problem, okay, and that should give me the exact same value. So if all of a sudden, that didn't give me the exact same value, and I know what it's supposed to be, then I know that Zach is not who he's claiming to be. So it is that way, and most of us have actually done this before. So Zach, let's say I hand you, which I'm never gonna do, Zach, so I say I'm gonna hand Zach $1,000. I'll never hand Zach $1,000 because he's gonna buy one knife with it, and I'll cry if he does something like that. Okay, but I say, Zach, I'm gonna hand you $1,000, can you verify that this is $1,000? Well, if Zach counts $900, then I know Zach's pocketed the other, no, I'm joking. I know one of two things, right, either Zach doesn't know how to count, or I did give him $900 and I told him it's supposed to be 1,000. Okay, so Zach should come back and actually be able to tell me, either it is 1,000 or it's not 1,000. Okay, if Zach says, it's supposed to be $1,000, I go, ooh, well, no, I gave you 1,000, then Zach knows I'm lying, okay? So that's the same idea in terms of the challenge-handshake authentication protocol in the most basic terms. Without getting into hashing and stuff like that, which we're not trying to get into at this point. So just kind of realize that that is one of the analogies that we can also use as well. Now, another one here is called EAP, which is extensible, kinda weird, extensible authentication protocol. Okay, now, extensible authentication protocol, this says it can use anything. But what we're really talking about the majority of the time is the use of digital certificates to authenticate. And that means, again, the third party that you trust, they give you an identity. And then you present that to whoever you're supposed to, and they go, all right, let me check, verify that this is working, and it actually works or doesn't. Okay, so that's all it is, and it's also hardware-based at times too. So just kind of realize, on-premises, you're normally talking about hardware-based types of authentication that you can do. And in the cloud, we're actually normally talking about use of digital certificates as well.

>> All right, so that's another one, and then there is, of course, some unusual ones, like TACACS. Now this one I'm not gonna try and actually spell out because it's weird. TACACS stands for terminal access controller access control services. Yeah, insanely redundant, right, terminal access controller access control services. Yeah, you can't get any more redundant than that.
>> There's redundancy there, it's from the Office of Redundancy Office.
>> Yeah, that is it, okay, so this one, it takes the realm of AAA, okay, the accounting, the authorization, and the authentication, and says, here's how we're gonna do this. And actually sets out how it actually ends up working out for us. And it works fairly well, it's actually a fairly good system. But it's a really old system at this particular point in time, as well. So this one, at one point, it used to be called TACACS+, which was proprietary to Cisco. Now, of course, it's actually more open source or open standard at this point as well. RADIUS is probably the one that you see most often, RADIUS stands for remote authentication dial up, Dial-in, sorry, dial-in user service, I know, it's kinda weird. Okay, so remote authentication dial-in user service, now this one is probably used today. And once again, because it can also be implemented together with EAP, so you can do digital certificates with it. And this offloads the authentication to a different device. So instead of you actually authenticating against the device that you're trying to get access to, it points and goes, no. If you're gonna do authentication, you have to come through me, and then I will talk to whoever the authentication service is. And then I'll let you in if it's actually okay with them. If not, you won't be able to get access. Now this one right here, along with EAP at this point, let me go ahead and mark these here, Zach. These two are used in the cloud, when we start to take a look at it. Okay, so EAP and RADIUS, they're actually used in the cloud. Another one that's fairly similar, but is called DIAMETER, is another one. I don't even wanna try and tell you what this actually stands for. Zach, the weird thing about it, it's not an acronym. So yeah, DIAMETER for us is essentially RADIUS. But they say, look, there's some weaknesses behind RADIUS. We called it DIAMETER because it's twice as good as RADIUS, go figure.
>> Why didn't they call it RADIUS++?
>> Yeah, who knows, but they called it DIAMETER instead. DIAMETER is also able to be used in the cloud as well, if you have that set up. And then one of the kind of neat ones here is Kerberos. Kerberos, okay, now Zach-
>> That's Greek.
>> That is Greek.
>> That's Greek and- [CROSSTALK]
>> It is Greek, it is as Greek as it can be. So Zach, do you know where it actually comes from, the mythology?
>> It comes from Greece.
>> [LAUGH]
>> It's about time, no, Kronos is time.
>> Yeah, Kronos is time, this is about the legend of the three-headed dog that guards the gate.
>> Yeah, yeah, that's right, he's got bad breath.
>> Yeah, so this is an authentication process that requires, well, multiple elements to it. Right, the very fact that you get issued a token, and then you present the token back. And if the guy that's actually taking the token can say, yep, you got it from the guy that I trust and know, the authentication server, and it's time stamped correctly, usually within five minutes, then I'll let you in. But Zach, if you picked up that token three or four days ago from somebody else, and then you try to present it, the guy's gonna say, nah, I'm not letting you access in. Okay, so Kerberos is all those together, a lot of things, a lot of authentication servers end up using Kerberos today. You can think about Active Directory, they're probably the biggest ones that you also hear about. So in terms of authentication, Zach, this can be fairly hefty.
>> Yeah, there's quite a lot there.
>> When we start thinking about basic authentication, okay, so that is some of that stuff. Now, like I told you, you need to know this because, well, you just gotta know it, I don't know how else to say this. Okay, all right, Zach, so once we start to think about that idea of the authentication protocols and, of course, the way that the authentication works. Well, that means that we need to also talk about authorization as well. But Zach, I looked over at the clock and I'm realizing something. I do not have enough time to complete what has to happen. So Zach, let's save this for a part two, and then we'll actually be able to continue on.
>> Okay, cloud authorization, IAM technologies, another great episode inside of CompTIA Cloud+. Brought to you by ITProTV and Ronnie Wong, and this is part one. Join us for part two, and make sure you watch every single episode of CompTIA Cloud+. Ronnie's done a great job with this entire series of great videos. You wanna pay attention and keep learning, keep taking notes, keep studying, never stop learning. Inside of our course library, there's kinds of supplementary information. It is there to do one thing, help you go even further, so check it out. And tell everybody you know about ITProTV, ITProTV is binge-worthy. Thanks for watching, I'm Zach Memos.
>> And I'm Ronnie Wong.
>> We'll see you again soon. [MUSIC]
>> Thank you for watching ITProTV.

2021-04-13
