Chapter 15. Authentication
Authentication is a cornerstone of information security and one of the few subjects that will impact almost everyone. From protecting access to email to state secrets and now even being able to start and drive cars, authentication is ingrained in almost everything we do. In this chapter, we’ll look at some high-level concepts around access and authentication and dig into how some of them work.
Identity and Access Management
Identity and access management (IAM) is a term that collectively describes the processes, policies, and products used to manage access for user identities/entities in an environment. The rest of this chapter is divided into three main sections, covering passwords, authentication protocols, and MFA; however, you can think of both passwords and MFA as subcategories of the broader IAM category. We’ll also cover encryption, hashing, and salting, as those usually come up in relation to protecting passwords.
There are a handful of common best practices when it comes to IAM. While the individual cloud providers all provide their own specific technical guidance, the following concepts are universal regardless of whether you’re operating systems on premises, in the cloud, or as SaaS:
- Least privilege
We’ve talked about the principle of least privilege a few times already. As a reminder, this is the concept of granting users and endpoints (collectively called an identity or entity) access to only the applications, endpoints, files, etc., ...