12. Identity, Entitlement and Access Management - DONE Flashcards
The most important concept you need to be familiar with regarding IAM in a cloud environment is federated identity.
What is the purpose of federated identity?
“Federation enables you to maintain control of authentication while delegating authorization to your CSPs based on your requirements. Cloud adoption of any significant size requires federation. Without federation, every user will require a user account in all services your organization uses.”
It is the interconnection of disparate directory services.
What doesn't change with IAM in the cloud?
You still have to map an entity (anything interacting with a system, such as a person, a system, or an agent) to an identity that has attributes (such as a group) and then make an access decision based on the resulting permissions. You may know this process as role-based access control (RBAC).
What is role-based access control (RBAC)?
A user is a member of a group and therefore gets permission to use a resource.
Without federation, working with many providers brings complications with regard to IAM.
How so?
Without something like federated IAM, you will ultimately have to manage hundreds of different IAM systems. You may manage the settings in all these different locations to enforce IAM, but you will have to control this in environments that are owned and operated by a cloud provider, and what they expose to you may be limited.
From an operational perspective, you will have to create every user account not just once in your on-premises directory service (such as Active Directory), but dozens or hundreds of times. Who in your company is going to provision all these accounts? Worse yet, who is responsible for deprovisioning all these accounts?
define these terms:
entity
identity
identifier
*Entity - Someone or something that has an identity.
*Identity - A unique expression of an entity within a given environment. When you log into a work system, your username would be your identity.
*Identifier - A cryptographic token in a digital environment that identifies an identity (such as a user) to an application or service. Windows systems, for example, use a security identifier (SID) to identify users. In real life, an identifier could be a passport.
define these terms:
attribute
Persona
role
*Attribute - A facet (aspect) of an identity; anything about the identity and the connection itself. An attribute could be static (group membership, organizational unit) or highly dynamic (IP address used for your connection, your physical location). For example, if you log on with multifactor authentication, an attribute could be used to determine the permissions granted to your access (attribute-based access control).
*Persona - Your identity and attributes in a specific situation. You are you, but your persona will change based on context. For example, at work you may be an IT administrator; that's your work persona. At home, your persona may be the parent of two children. In your hockey league, your persona may be the left winger and captain of your team. Your identity is who you are. Your persona takes context and attributes into account.
*Role - 1. A temporary credential that is inherited by a system within a cloud environment. 2. A part of federation; how your group membership within your company is granted entitlements in your Infrastructure as a Service (IaaS) provider. 3. The job you perform at work.
define these terms:
authentication
Multifactor authentication (MFA)
Access control
*Authentication (Authn) - The process of confirming your identity. Want to check into a hotel on a business trip? The first thing the front desk will ask for is your ID so they can authenticate that you are who you say you are. Of course, in a digital world we generally present a username and password to authenticate ourselves.
*Multifactor authentication (MFA) - Authentication that combines more than one of the three factors: something you know, something you have, and something you are. For example, you may be authenticating with your username and password (something you know) and then be prompted for a time-based one-time password (TOTP) generated on your cell phone with Google Authenticator (something you have).
*Access control - A control that restricts access to a resource. This is the “access management” portion of IAM.
define these terms:
accounting
authorization
entitlement
single sign-on (SSO)
*Accounting - Logging and monitoring capabilities.
*Authorization (Authz) - The ability to allow an identity to do something; permission to do something. The hotel key you get after authorization allows you to access your room, the gym, laundry, and so on. In an IT analogy, you are authorized to access a file or system.
*Entitlement - The permissions you have to something. The CSA uses the term “entitlements” rather than “permissions,” but the meaning is the same. Entitlements determine what an identity is allowed to do by mapping an identity to an authorization. These can (and should) be documented as an entitlement matrix.
*Single sign-on (SSO) - A token or ticket system used to authorize a user rather than having the user sign on to individual systems in a domain. Kerberos is an example of SSO in a Windows environment.
define these terms:
federated identity management
Authoritative source
Identity provider
relying party
*Federated identity management - A key enabler of SSO across different systems that enables the action of authenticating locally and authorizing remotely.
*Authoritative source - The "root" source of an identity. A common example of this is a directory server (such as Active Directory). Alternatively, the payroll system could be the true authoritative source.
*Identity provider - The party that manages the identities and creates the identity assertions used in federation.
*Relying party - The system that consumes identity assertions from the identity provider. This is sometimes referred to as a "service provider."
There are numerous standards in the IAM world that you need to know about.
Describe
Security Assertion Markup Language (SAML)
*Security Assertion Markup Language (SAML) - This OASIS standard for federated identity management supports both authentication and authorization. Assertions are based on XML and are used between an identity provider and a relying party. These assertions can contain authentication, attribute, and authorization statements. SAML is widely supported by many cloud providers and many enterprise tools as a result. SAML is initially complex to configure.
There are numerous standards in the IAM world that you need to know about.
Describe
OAuth
*OAuth - This IETF authorization standard is widely used for web and consumer services. OAuth works over HTTP and is currently at version 2.0. There is no backwards compatibility between version 2.0 and its predecessor, OAuth 1.0. In fact, OAuth 2.0 is considered more of a framework and is less rigid than version 1.0. OAuth is most often used for delegating access control and authorization (delegated authorization) between services.
There are numerous standards in the IAM world that you need to know about.
Describe
OpenID
*OpenID - This standard for federated authentication is well supported for web services. Like OAuth, it runs over HTTP, with URLs used to identify identity providers. The current version is OpenID Connect 1.0, and it is commonly seen in consumer services such as logging in to web sites.
The CSA Guidance mentions two other standards that aren't as widely adopted.
Describe
eXtensible Access Control Markup Language (XACML)
*eXtensible Access Control Markup Language (XACML) - This is the standard for defining attribute-based access controls and authorizations. XACML is a policy language for defining access controls at a policy decision point (PDP) and passing them to a policy enforcement point (PEP). XACML can work with both SAML and OAuth, as it decides what an entity is allowed to do with a given set of attributes, as opposed to handling logins or delegation of authority.
The CSA Guidance mentions two other standards that aren't as widely adopted.
Describe
System for Cross-domain Identity Management (SCIM)
*System for Cross-domain Identity Management (SCIM) - This standard deals with exchanging identity information between domains. It is used for provisioning and deprovisioning accounts in external systems and exchanging attribute information.
All of these standards can be used in federated identity systems. For the most part, all of them rely on a series of redirects that involve the web browser, the identity provider, and the relying party.
Federation involves both an identity provider and a relying party. Both of these components must have a trust relationship established to enable assertions from the identity provider to be consumed by the relying party. These assertions are used to exchange credentials.
For an example of federation in operation, consider a scenario of a user logging into a workstation and then accessing an internal web server that has a list of SaaS applications the user can log into. The user selects the desired SaaS application and is automatically logged on without having to provide a username and password.
This is possible because the user’s identity provider will create an assertion and send that assertion to the relying party. The relying party will determine and implement the authorizations for the user based on the assertion that is created only after the trusted identity provider has authenticated the user.
In other words, the local directory server authenticates the user and tells the relying party what authorization the user should have in the remote system.
Most, if not all, cloud providers will have their own IAM system.
The identities in a provider's own IAM system are referred to as?
Internal identities
Providers may expose access to their IAM functionality using HTTP request signing.
How does this work?
HTTP request signing can use an access key as an identifier and a secret access key used to sign the request cryptographically.
In the backend, the cloud provider will use their IAM system to determine the appropriate access controls that apply to the entity requesting to perform an action. This request signing may leverage standards such as SAML and/or OAuth or use its own token mechanism.
As you consider which identity protocols to use, also consider the following from the CSA Guidance:
*There is no “one-size-fits-all” standard when it comes to federation protocols. You have to consider the use case you’re trying to solve. Are you looking at users logging in via a web browser? You might want to look at SAML. Are you looking at delegated authorization? Then you might want to consider OAuth instead.
*The key operating assumption should be that your identity is a perimeter in and of itself, and as such, any protocol used must be adequately secured to traverse the hostile network known as the public Internet.
You probably shouldn't be surprised to learn that identity management itself may actually be done outside of a directory service (such as Active Directory).
How so?
The authoritative source of identities in your network may actually be the payroll system, for example: users are added to the payroll system, and their identities are then propagated to the directory server.
Thanks to these centralized directory services, it is no longer required to add accounts to every individual server and application in a traditional environment. Of course, users still have multiple accounts to support applications that are not integrated with these centralized directory services, so the dream of true SSO remains elusive, but there are, thankfully, fewer of these accounts than there used to be.
In a cloud environment, both providers and consumers need to plan on how they will manage identities:
*Cloud providers need to offer an identity service that supports customers to use their own identities, identifiers, and attributes. They should also offer federation services based on standards to enable customers to minimize the overhead associated with identity management when using their cloud offerings.
EXAM TIP: The identity service offered by the provider may be referred to as the "internal" identity system on the exam.
*Cloud customers need to determine how they want to manage identities moving forward. This will require that customers determine the architecture models to use for identity management and the technologies that should be implemented to support integration with their current and future cloud providers.
Federation will be required as an enabling technology for cloud implementations of any substantial size. Without federation, you will lose control of IAM. This isn’t to say there won’t be any accounts created and managed in a provider’s internal IAM system. You will likely still have a limited amount of administrator accounts within the provider’s IAM system to support troubleshooting in the event of failure of the federated link.
To establish a federated link, the customer needs to determine what system will be the "authoritative source" to serve as the identity provider. This is usually a directory server. This identity provider then needs to perform the federation. There are two main approaches to creating this connectivity: use a free-form model that creates a separate connection between the identity provider and the various cloud services (as shown in Figure 12-6), or use the hybrid (hub-and-spoke) model that uses a central identity broker to connect to all the cloud providers (as shown in Figure 12-7).
What are the disadvantages of a free-form model?
First off, your authoritative source needs to be connected to the Internet to connect with all of the cloud providers.
Second, in order to support users outside of your network, these users will need to VPN into the corporate network to access any cloud solution that has a federated link established.
Finally, in an environment that may have multiple authoritative servers (such as multiple domains that are not joined for corporate purposes), each of these authoritative servers will need to connect to the providers, which multiplies the number of connections required.
What are the advantages of the hybrid (hub-and-spoke) model?
An identity broker can be cloud-based. Implementation of a cloud-based identity broker can facilitate the establishment of federation with numerous cloud providers, and external users need not VPN into the corporate network to use federated links to your various providers.
Another option exists in running your directory server in a cloud environment itself (or by consuming a directory service from the provider).
In this scenario, you could synchronize your internal directory server with the cloud-based directory server (or service). In turn, this cloud-based directory could serve the operating systems and applications (applistructure) in the cloud environment and act as an authoritative server for any federated links with other parties that rely on the cloud provider.