which is validated by the Authorization Server.
6. In the case the authorization grant was valid, the Client receives the access token and connects to the Resource Server.
7. The Client authenticates at the Resource Server and presents the access token, which is validated before the access to the requested resource is granted [30].
OAuth itself does not define a policy language: an access token conveys the scopes granted to a client, not a policy that combines subjects, resources, and actions. For web-based scenarios the OAuth approach usually suffices, but in network infrastructures with privileged user accounts the XACML standard offers more flexibility and functionality.
2.6 Shibboleth
Shibboleth is an implementation of a federated, identity-based authentication and authorization infrastructure. It uses the Security Assertion Markup Language (SAML) standard for the exchange of messages between the Service Provider (SP) and the Identity Provider (IP). In contrast to OpenID, in a Shibboleth architecture the service provider can trust the information it receives from the identity provider, because the identity provider asserts, in a signed SAML assertion, that the user is who he claims to be.
The main components of the Shibboleth architecture are:
• the user who wants to access a resource,
• the resource that is protected,
• the Identity Provider (IP), which authenticates the user,
• the Service Provider (SP), which performs the single sign-on process [13].
Although Shibboleth supports Attribute Release Policies (ARPs), the format has some downsides. For example, it does not allow attributes to be grouped, and it only supports simple conditions. Moreover, it has no obligations, which are an important functionality in the area of access rights of privileged user accounts. Thus, replacing the ARPs of Shibboleth with a more flexible access control policy language like XACML is suitable for some organizations [33].
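To make the difference concrete, the following Python model is an added example (it is not code from the thesis, nor a XACML or Shibboleth implementation): a minimal attribute-based policy decision point in the style of XACML, in which subjects, resources and actions are attribute bags, rules carry arbitrary conditions, and a decision can carry obligations. It serves both the OAuth comparison earlier (a scope-only check is included for contrast) and the ARP limitations just described. The host groups, the maintenance window, the obligation names and the scope string are constructed assumptions for illustration.

```python
"""
Miniature attribute-based policy decision point (PDP) in the style of XACML.
Added illustration only: not the thesis's code and not a XACML or Shibboleth
implementation.  Host groups, the maintenance window and the obligation names
are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Attrs = Dict[str, object]


@dataclass
class Request:
    """A decision request: attribute bags for subject, resource, action, environment."""
    subject: Attrs
    resource: Attrs
    action: Attrs
    environment: Attrs = field(default_factory=dict)


@dataclass
class Rule:
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[Request], bool]  # predicate over all four attribute bags
    obligations: List[str] = field(default_factory=list)  # what the PEP must carry out


@dataclass
class Policy:
    target: Callable[[Request], bool]     # which requests this policy applies to
    rules: List[Rule]


def evaluate(policy: Policy, req: Request) -> Tuple[str, List[str]]:
    """Deny-overrides rule combining: the first applicable Deny wins outright;
    otherwise Permit if any rule permits (obligations accumulate); otherwise
    NotApplicable, which a policy enforcement point must treat as a denial."""
    if not policy.target(req):
        return "NotApplicable", []
    decision, obligations = "NotApplicable", []
    for rule in policy.rules:
        if not rule.condition(req):
            continue
        if rule.effect == "Deny":
            return "Deny", list(rule.obligations)
        decision, obligations = "Permit", obligations + rule.obligations
    return decision, obligations


def in_maintenance_window(req: Request) -> bool:
    # Constructed assumption: privileged service stops only between 02:00 and 05:00.
    hour = req.environment.get("hour", -1)
    return 2 <= hour < 5


# Policy for privileged actions on hosts.  The grouped "groups" attribute and the
# obligations are exactly what the ARP format discussed above cannot express.
HOST_POLICY = Policy(
    target=lambda r: r.resource.get("type") == "host",
    rules=[
        # Administrators may only touch hosts in a group they belong to.
        Rule("Deny", lambda r: r.resource.get("group") not in r.subject.get("groups", [])),
        # Stopping a service is allowed in the maintenance window, but the session
        # must be recorded and the privileged access logged.
        Rule("Permit",
             lambda r: r.action.get("id") == "stop-service" and in_maintenance_window(r),
             ["record-session", "log-privileged-access"]),
        # Reading logs is allowed at any time, but is still logged.
        Rule("Permit", lambda r: r.action.get("id") == "read-logs", ["log-privileged-access"]),
    ],
)


def decide(subject: Attrs, resource: Attrs, action: Attrs,
           environment: Optional[Attrs] = None) -> Tuple[str, List[str]]:
    return evaluate(HOST_POLICY, Request(subject, resource, action, environment or {}))


def scope_permits(token_scopes: Set[str], required_scope: str) -> bool:
    """OAuth-style check for contrast: an access token carries scopes, so the
    resource server can only ask whether the token has a scope; it cannot tie
    the decision to the host's group, the caller's groups or the time of day."""
    return required_scope in token_scopes


if __name__ == "__main__":
    alice = {"id": "alice", "groups": ["db"]}
    print(decide(alice, {"type": "host", "group": "db"}, {"id": "stop-service"}, {"hour": 3}))
    print(decide(alice, {"type": "host", "group": "web"}, {"id": "stop-service"}, {"hour": 3}))
    print(scope_permits({"host:stop-service"}, "host:stop-service"))
```

A request outside the maintenance window yields NotApplicable rather than Deny, so the enforcement point has to treat every result other than Permit as a denial; the same token passed to scope_permits would succeed for any host at any hour, which is the limitation the OAuth comparison refers to.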
3 Threat Model
In the last couple of years the infrastructures of many organizations have changed significantly. Not only do heterogeneous networks with different systems and the increasing number of users with different access rights create a challenge; distributed and dynamic environments, comprised of systems that come and go, also need to be taken into account. Furthermore, the accompanying connection of systems over the Internet increases the security risks and attack vectors. In addition, the growing market of cloud computing, the outsourcing of departments and remote administration bring up further challenging aspects.
For that reason, it is important to isolate the most critical data of the system and protect it from insiders and external attackers with contemporary security mechanisms [51]. Most notably, this applies to systems that are managed by many people who have privileged access rights and use shared accounts to maintain the infrastructure, because the abuse of privileged user accounts is a growing threat.
In a recent study, Ponemon Institute and IBM surveyed 265 C-level executives. One result of the survey was that “ninety percent of senior executives surveyed say their company has had a data breach and almost half (forty-eight percent) expect more data breaches to occur” [36]. The chart in Figure 3.1 shows that they identify negligent insiders as the greatest threat to sensitive data, followed by lost or stolen devices. Twelve percent identified malicious insider attacks as a risk to sensitive data.
3.1 Basic Terms
In information security, there are three core goals: the confidentiality, integrity and availability of information and information systems. These terms are also referred to as the CIA triad or information security triad [12].
Confidentiality “[...] means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information” [44 U.S.C., Sec. 3542].
In the area of privileged user password management a breach of confidentiality is, for example, that an unauthorized person gains access to a password (e.g., by stealing a device that contains a list of passwords or by handing a password to someone who is not authorized to know it). The consideration of confidentiality of privileged user passwords can be extended to the data that are only accessible with elevated access rights: if the confidentiality of privileged user credentials is not given, the confidentiality of the data cannot be guaranteed either.
Figure 3.1: The Source of Greatest Risk to Sensitive Data
Source: Ponemon Institute and IBM survey of 265 C-level executives, February 2012
Integrity “[...] means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity” [44 U.S.C., Sec. 3542].
If integrity is not guaranteed, unauthorized modifications and destruction can happen without being noticed, which leads to untrustworthy information and systems. This especially applies to privileged accounts, since administrators can perform malicious or accidental actions that cause a breach of integrity. Moreover, if the access control does not enforce a separation of duties, a violation of integrity may go undetected because the privileged user can cover their tracks by manipulating the audit logs.
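The paragraph above names the failure mode: an administrator who can edit the audit log can make an integrity violation invisible. One control that turns such manipulation into something detectable is a keyed hash chain over the log, where the key and the latest head hash are held by a separate party (for instance the log collector) rather than on the administered host, which is the separation of duties the paragraph asks for. The following Python is an added example, not code from the thesis; the log entries, the key, the record format and the collector role are constructed assumptions for illustration.

```python
"""
Tamper-evident audit trail: every record's HMAC covers the previous record's
HMAC, so editing a record breaks every later link, and anchoring the head hash
externally also exposes truncation.  Added illustration for the integrity
discussion above, not code from the thesis.  Entries and key are constructed.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain start: no previous record


def _link(prev_hash: str, entry: Dict, key: bytes) -> str:
    """HMAC over (previous hash || canonical JSON of the entry).  The key is
    assumed to live with the collector, not with the administrators whose
    actions are being logged; without a key a plain hash chain could simply be
    recomputed by whoever edits the file."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_hash.encode() + body, hashlib.sha256).hexdigest()


def append(log: List[Dict], entry: Dict, key: bytes) -> str:
    """Append an entry and return the new head hash (to be stored off-host)."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"entry": entry, "prev": prev, "hash": _link(prev, entry, key)}
    log.append(record)
    return record["hash"]


def verify(log: List[Dict], key: bytes, expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first broken record, len(log) if the chain is
    intact but does not end at expected_head (truncation), or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        recomputed = _link(prev, rec["entry"], key)
        if rec["prev"] != prev or not hmac.compare_digest(rec["hash"], recomputed):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def demo() -> Dict[str, Optional[int]]:
    """Build a constructed three-record log and check it intact, modified and truncated."""
    key = b"collector-only-key"  # constructed; held by the collector, not the admins
    entries = [  # constructed sample entries
        {"user": "root", "action": "stop-service", "host": "db01"},
        {"user": "alice", "action": "edit", "path": "/etc/sudoers"},
        {"user": "alice", "action": "rm", "path": "/var/log/auth.log"},
    ]
    log: List[Dict] = []
    head = GENESIS
    for entry in entries:
        head = append(log, entry, key)

    results = {"intact": verify(log, key, head)}

    # An administrator rewrites who performed the sudoers change.
    modified = copy.deepcopy(log)
    modified[1]["entry"]["user"] = "bob"
    results["modified"] = verify(modified, key, head)

    # The last record is deleted: the chain alone cannot tell, the anchored head can.
    truncated = copy.deepcopy(log[:-1])
    results["truncated_unanchored"] = verify(truncated, key)
    results["truncated_anchored"] = verify(truncated, key, head)
    return results


if __name__ == "__main__":
    print(demo())
```

The unanchored truncation check returning None is the point to remember: a hash chain proves that nothing inside it was altered, not that nothing was removed from its end, so the current head hash has to be copied to a place the privileged user cannot write (the collector, a write-once store, or a periodic signed checkpoint).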
Availability “[...] means ensuring timely and reliable access to and use of information” [44 U.S.C., Sec. 3542].
If the availability goal is not met, the result is a disruption of service or information becoming inaccessible. Thus, the security mechanisms that protect and monitor the availability of systems need to be accessible only to authorized administrators. If a privileged user can lock down important network components, this can cause serious damage to the business of an organization.
Beyond the CIA triad, the following information security terms are used in this thesis:
Threat. “A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm” [28].