12. Identity, Entitlement and Access Management Flashcards
The most important concept you need to be familiar with regarding IAM in a cloud environment is federated identity.
What is the purpose of federated identity?
Federation enables you to maintain control of authentication while delegating authorization to your CSPs based on your requirements. Cloud adoption of any significant size requires federation. Without federation, every user will require a separate user account in every service your organization uses.
It is the interconnection of disparate directory services
What doesn't change with IAM in the cloud?
You still have to map an entity (anything interacting with a system, such as a person, a system, or an agent) to an identity that has attributes (such as a group) and then make an access decision based on the resulting permissions. You may know this process as role-based access control (RBAC).
What is role-based access control (RBAC)?
A user is a member of a group (the role) and therefore gets permission to use a resource. Permissions are attached to the role rather than to the individual, so adding or removing a user from the group changes their access without editing the resource.
Without federation, working with many providers brings complications with regard to IAM.
How so?
Without something like federated IAM, you will ultimately have to manage dozens or hundreds of different IAM systems. You may be able to manage the settings in all these locations to enforce IAM, but you will be doing so in environments that are owned and operated by a cloud provider, and what the provider exposes to you may be limited.
From an operational perspective, you will have to create every user account not just once in your on-premises directory service (such as Active Directory), but dozens or hundreds of times. Who in your company is going to provision all these accounts? Worse yet, who is responsible for deprovisioning all these accounts when someone leaves?
define these terms:
entity
identity
identifier
*Entity - Someone or something that has an identity.
*Identity - A unique expression of an entity within a given environment. When you log into a work system, your username is your identity.
*Identifier - The means by which an identity is asserted. In a digital environment this is often a token that identifies an identity (such as a user) to an application or service; Windows systems, for example, use a security identifier (SID) to identify users. In real life, an identifier could be a passport.
define these terms:
attribute
Persona
role
*Attribute - A facet (aspect) of an identity; anything about the identity and the connection itself. An attribute could be static (group membership, organizational unit) or highly dynamic (the IP address used for your connection, your physical location). For example, whether you logged on with multifactor authentication is an attribute that can be used to determine the permissions granted to your session (attribute-based access control, ABAC).
*Persona - Your identity and attributes in a specific situation. You are you, but your persona will change based on context. For example, at work you may be an IT administrator; that's your work persona. At home, your persona may be the parent of two children. In your hockey league, your persona may be the left winger and captain of your team. Your identity is who you are. Your persona takes context and attributes into account.
*Role - 1. In an IaaS provider, a bundle of permissions that a system or user temporarily assumes, receiving short-lived credentials instead of holding a long-lived key. 2. A part of federation: how your group membership within your company is granted entitlements in your Infrastructure as a Service (IaaS) provider. 3. The job you perform at work.
define these terms:
authentication
Multifactor authentication (MFA)
Access control
*Authentication (Authn) - The process of confirming your identity. Want to check into a hotel on a business trip? The first thing the front desk will ask for is your ID so they can authenticate that you are who you say you are. In a digital world, we generally present a username and password to authenticate ourselves.
*Multifactor authentication (MFA) - Authentication that requires two or more of the three factors: something you know, something you have, and something you are. For example, you may authenticate with your username and password (something you know) and then be prompted for a time-based one-time password (TOTP) generated on your cell phone with Google Authenticator (something you have). Two checks of the same factor (two passwords) are not MFA.
*Access control - A control that restricts access to a resource. This is the "access management" portion of IAM.
define these terms:
accounting
authorization
entitlement
single sign-on (SSO)
*Accounting - Logging and monitoring capabilities; the record of who did what, used for audit and incident response.
*Authorization (Authz) - The ability to allow an identity to do something; permission to do something. The hotel key you get after being authenticated at the front desk allows you to access your room, the gym, the laundry, and so on. In an IT analogy, you are authorized to access a file or system.
*Entitlement - The permissions you have to something. The CSA uses the term "entitlements" rather than "permissions," but the meaning is the same. Entitlements determine what an identity is allowed to do by mapping an identity to an authorization. These can (and should) be documented as an entitlement matrix, which is also what you review when checking for excessive or stale access.
*Single sign-on (SSO) - A token or ticket system that lets a user authenticate once and then access multiple systems, rather than signing on to each system individually. Kerberos is an example of SSO in a Windows domain.
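As an added example (not from the CSA Guidance or the flashcards), the RBAC, ABAC and entitlement-matrix ideas from the cards above combined in one small policy decision point: a user is granted access through a group in the entitlement matrix, and some actions additionally require session attributes such as MFA. The resources, groups and session attributes are invented for illustration.

```python
# Added example (not from the CSA Guidance or the flashcards): a small
# policy decision point (PDP) that walks entity -> identity -> attributes ->
# entitlements, combining an RBAC entitlement matrix with ABAC conditions.
# Resource names, groups and session attributes below are invented.
from dataclasses import dataclass, field

# Entitlement matrix: resource -> action -> roles (groups) that grant it.
# Constructed sample; a real one is exported from the IdP/CSP for review.
ENTITLEMENT_MATRIX = {
    "payroll-db": {"read": {"finance", "payroll-admin"},
                   "write": {"payroll-admin"}},
    "prod-k8s":   {"read": {"dev", "sre"},
                   "deploy": {"sre"}},
}

# ABAC layer: (resource, action) -> predicates over dynamic session
# attributes that must ALL hold in addition to role membership.
ABAC_CONDITIONS = {
    ("payroll-db", "write"): [lambda s: s.get("mfa") is True,
                              lambda s: s.get("network") == "corp"],
    ("prod-k8s", "deploy"):  [lambda s: s.get("mfa") is True],
}


@dataclass
class Identity:
    """Unique expression of an entity in this environment (the username),
    with static attributes (groups) and dynamic ones (this session)."""
    name: str
    groups: set = field(default_factory=set)
    session: dict = field(default_factory=dict)


def decide(identity, resource, action):
    """PDP: return (allowed, reason). Anything not in the matrix is denied."""
    allowed_roles = ENTITLEMENT_MATRIX.get(resource, {}).get(action)
    if allowed_roles is None:
        return False, "no entitlement defined for %s:%s (default deny)" % (resource, action)
    matching = identity.groups & allowed_roles
    if not matching:
        return False, "no role of %s grants %s on %s" % (identity.name, action, resource)
    for check in ABAC_CONDITIONS.get((resource, action), []):
        if not check(identity.session):
            return False, "role ok but a session attribute condition failed"
    return True, "granted via role %s" % sorted(matching)[0]


def enforce(identity, resource, action):
    """PEP: the resource calls this and refuses to proceed on a deny."""
    allowed, reason = decide(identity, resource, action)
    if not allowed:
        raise PermissionError(reason)
    return reason


def entitlement_report(identity):
    """Everything the identity's roles could grant, ignoring session
    attributes: the view an access review of the entitlement matrix needs."""
    return sorted((res, act)
                  for res, actions in ENTITLEMENT_MATRIX.items()
                  for act, roles in actions.items()
                  if identity.groups & roles)


if __name__ == "__main__":
    alice = Identity("alice", {"finance"}, {"mfa": True, "network": "corp"})
    bob = Identity("bob", {"payroll-admin", "sre"}, {"mfa": False, "network": "home"})
    print(decide(alice, "payroll-db", "read"))   # role grants read
    print(decide(bob, "payroll-db", "write"))    # role ok, MFA missing -> deny
    print(entitlement_report(bob))
```

The report function is the piece most teams forget: the matrix is only useful if someone periodically diffs what each identity could do against what the job requires.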
define these terms:
federated identity management
Authoritative source
Identity provider
relying party
*Federated identity management - A key enabler of SSO across different systems; it allows authenticating locally and authorizing remotely.
*Authoritative source - The "root" source of an identity. A common example is a directory server (such as Active Directory). Alternatively, the payroll or HR system could be the true authoritative source.
*Identity provider - The party that manages the identities and creates the identity assertions used in federation.
*Relying party - The system that consumes identity assertions from the identity provider. This is sometimes referred to as a "service provider."
There are numerous standards in the IAM world that you need to know about.
Describe
Security Assertion Markup Language (SAML)
*Security Assertion Markup Language (SAML)
This OASIS standard for federated identity management supports both authentication and authorization. Assertions are XML documents exchanged between an identity provider and a relying party, and can contain authentication, attribute, and authorization statements. SAML is widely supported by many cloud providers and many enterprise tools as a result. SAML is initially complex to configure; in particular, the relying party must verify the assertion's signature, issuer, audience and validity window before acting on it.
There are numerous standards in the IAM world that you need to know about.
Describe
OAuth
*OAuth
This IETF authorization standard is widely used for web and consumer services. OAuth works over HTTP and is currently at version 2.0. There is no backwards compatibility between version 2.0 and its predecessor, OAuth 1.0. In fact, OAuth 2.0 is considered more of a framework and is less rigid than version 1.0. OAuth is most often used for delegating access control and authorization (delegated authorization) between services. It does not by itself tell the relying party who the user is; treating an access token as proof of identity is a common misuse, which is what OpenID Connect was created to address.
There are numerous standards in the IAM world that you need to know about.
Describe
OpenID
*OpenID
This standard for federated authentication is well supported for web services. Like OAuth, it runs over HTTP with URLs to identify identity providers. The current version, OpenID Connect 1.0, is an identity layer on top of OAuth 2.0: it adds a signed ID token carrying the authenticated user's identity, and is commonly seen in consumer services such as logging in to web sites with a social account.
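An added example (not from the CSA Guidance or the flashcards) showing how OAuth 2.0 and OpenID Connect fit together from the relying party's side: the authorization request with state, nonce and PKCE, the callback check, and the ID-token validation that turns delegated authorization into authentication. The issuer, client id, redirect URI and the HS256 shared secret are assumptions so the code runs offline; public providers sign ID tokens with RS256 and publish their keys at a JWKS URL, so that one check would be swapped in practice.

```python
# Added example, not from the CSA Guidance or the flashcards: the relying
# party (client) side of an OpenID Connect login, which is an OAuth 2.0
# authorization-code flow plus an ID token. Endpoint URLs, the client id and
# the HS256 shared secret are invented; public IdPs normally sign ID tokens
# with RS256 and publish keys at a JWKS URL, so swap the signature check.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example"          # assumed identity provider
AUTHZ_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "flashcards-rp"             # assumed relying-party client id
REDIRECT_URI = "https://rp.example/cb"  # assumed callback URL


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request():
    """Step 1: the RP redirects the browser to the IdP. state ties the callback
    to this browser session (CSRF), nonce ties the ID token to it (replay),
    and the PKCE challenge ties the later code exchange to this client."""
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid profile",
              "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    session = {"state": state, "nonce": nonce, "code_verifier": verifier}
    return AUTHZ_ENDPOINT + "?" + urlencode(params), session


def parse_callback(url, session):
    """Step 2: the IdP redirects back with code and state. A state mismatch
    means the callback was not started by this session: reject it."""
    query = parse_qs(urlparse(url).query)
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    return query["code"][0]


def validate_id_token(token, secret, session, now=None):
    """Step 3, after the RP has exchanged code + code_verifier at the token
    endpoint: check signature, alg, issuer, audience, expiry and nonce
    before trusting the 'sub' claim as the authenticated user."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":      # never accept 'none' or a surprise alg
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: replayed token")
    return claims


def mint_id_token(claims, secret):
    """Stand-in for the IdP's token endpoint so the example runs offline."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = b64url(hmac.new(secret, (head + "." + body).encode(), hashlib.sha256).digest())
    return head + "." + body + "." + sig


if __name__ == "__main__":
    url, session = build_authorization_request()
    print(url)
    code = parse_callback(REDIRECT_URI + "?code=c0de&state=" + session["state"], session)
    secret = b"shared-secret-for-demo-only"
    token = mint_id_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                           "exp": int(time.time()) + 300, "nonce": session["nonce"]}, secret)
    print(validate_id_token(token, secret, session)["sub"])
```

Every one of the rejections in validate_id_token corresponds to a real-world failure: accepting alg "none", ignoring aud (a token minted for another client), or skipping the nonce (replaying a captured token).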
The CSA Guidance mentions two other standards that aren't as widely adopted.
Describe
eXtensible Access Control Markup Language (XACML)
*eXtensible Access Control Markup Language (XACML)
This is the standard for defining attribute-based access controls and authorizations. XACML is a policy language for defining access controls at a policy decision point (PDP) and passing them to a policy enforcement point (PEP). XACML can work with both SAML and OAuth, as it decides what an entity is allowed to do with a set of attributes as opposed to handling logins or delegation of authority.
The CSA Guidance mentions two other standards that aren't as widely adopted.
Describe
System for Cross-domain Identity Management (SCIM)
*System for Cross-domain Identity Management (SCIM)
This IETF standard deals with exchanging identity information between domains. It is used for provisioning and deprovisioning accounts in external systems and exchanging attribute information, over a REST/JSON API between the identity provider and the service rather than through the user's browser.
All of these standards can be used in federated identity systems. SAML, OAuth and OpenID Connect rely on a series of redirects that involve the web browser, the identity provider, and the relying party; XACML and SCIM are exchanged directly between systems.
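An added example (not from the CSA Guidance or the flashcards) of the provisioning and deprovisioning traffic the SCIM card describes: the JSON bodies an identity provider sends to a SaaS provider's /Users endpoint when someone joins and when they leave, applied by a toy in-memory provider so the lifecycle can be exercised offline. The user data is constructed; the schema URNs and the PatchOp shape are those of SCIM 2.0 (RFC 7643/7644), while the class is a stand-in, not any vendor's implementation.

```python
# Added example, not from the CSA Guidance or the flashcards: the SCIM 2.0
# messages (RFC 7643 schema, RFC 7644 protocol) an identity provider sends
# to a SaaS relying party to provision a user and later deprovision them,
# plus a toy in-memory provider that applies them. The user data is
# constructed; real deployments send these bodies over HTTPS with a bearer
# token to the provider's /Users endpoint.
import copy

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def provision_request(external_id, user_name, given, family, email):
    """Body of POST /Users when the authoritative source (HR, AD) adds a user.
    externalId carries the authoritative source's own identifier so later
    sync runs can correlate the two records."""
    return {
        "schemas": [USER_SCHEMA],
        "externalId": external_id,
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def deprovision_request():
    """Body of PATCH /Users/{id} when the user leaves. Flipping active to
    false rather than DELETE keeps audit history and object ownership."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


class ToyScimProvider:
    """Service-provider side: enough of /Users to show the lifecycle."""

    def __init__(self):
        self.users = {}
        self._next_id = 1

    def post_users(self, body):
        if USER_SCHEMA not in body.get("schemas", []):
            raise ValueError("400 invalidSyntax: unsupported schema")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            raise ValueError("409 uniqueness: userName already exists")
        user = copy.deepcopy(body)
        user["id"] = "u%d" % self._next_id      # provider-assigned identifier
        self._next_id += 1
        self.users[user["id"]] = user
        return user

    def patch_user(self, user_id, body):
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ValueError("400 invalidSyntax: not a PatchOp")
        user = self.users[user_id]              # KeyError -> 404 in a real server
        for op in body["Operations"]:
            if op["op"] == "replace":
                user[op["path"]] = op["value"]
            elif op["op"] == "remove":
                user.pop(op["path"], None)
            else:
                raise ValueError("unsupported op %r" % op["op"])
        return user

    def can_log_in(self, user_name):
        """What the SaaS app checks at login: account exists and is active."""
        return any(u["userName"] == user_name and u.get("active", False)
                   for u in self.users.values())

    def find_by_external_id(self, external_id):
        return next((u for u in self.users.values()
                     if u.get("externalId") == external_id), None)


if __name__ == "__main__":
    saas = ToyScimProvider()
    created = saas.post_users(provision_request("hr-1001", "alice@example.com",
                                                "Alice", "Doe", "alice@example.com"))
    print(created["id"], saas.can_log_in("alice@example.com"))   # u1 True
    saas.patch_user(created["id"], deprovision_request())
    print(saas.can_log_in("alice@example.com"))                  # False
```

The deprovisioning PATCH is the part that answers the card's "who is responsible for deprovisioning" question: once the authoritative source drives SCIM, a leaver is disabled everywhere by the same job that created them.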
Federation involves both an identity provider and a relying party. A trust relationship must be established between the two so that assertions from the identity provider can be consumed by the relying party. These assertions carry authentication and attribute statements about the user (and, in SAML, authorization statements); the user's credentials themselves never leave the identity provider.
For an example of federation in operation, consider a scenario of a user logging into a workstation and then accessing an internal web server that has a list of SaaS applications the user can log into. The user selects the desired SaaS application and is automatically logged on without having to provide a username and password.
This is possible because the user’s identity provider will create an assertion and send that assertion to the relying party. The relying party will determine and implement the authorizations for the user based on the assertion that is created only after the trusted identity provider has authenticated the user.
In other words, the local directory server authenticates the user and tells the relying party what authorization the user should have in the remote system.