Describe identity concepts Flashcards

1
Q

Authentication

A
  • Proves a person’s identity.
  • Similar to showing identification when making a credit card purchase.
  • Involves verifying credentials like a username and password.
  • Username alone is not sufficient for access. Combined with a password, it grants access to systems.
  • Often referred to as AuthN in cybersecurity.
2
Q

Authorization

A
  • Determines access rights and permissions after authentication.
  • Like a hotel key card, it allows access to specific areas based on permissions.
  • Controls what a user can see, touch, and do within a system.
  • Ensures users have appropriate privileges and restrictions.
  • Crucial for maintaining data security and preventing unauthorized access.
  • Often referred to as AuthZ in cybersecurity.
3
Q

Digital collaboration and remote work have changed the security landscape.

A
  • Employees and partners need to collaborate from anywhere, on any device.
  • Security perimeter extends beyond the on-premises network:
    Includes SaaS applications, personal devices (BYOD), unmanaged devices, and IoT devices.
  • Identity is the new security perimeter.
  • An identity includes authentication information (username, password) and authorization level.
  • Identity can be associated with users, applications, devices, etc.
4
Q

Four pillars of an identity infrastructure

A
  1. Administration: Creation and management of identities for users, devices, and services. Governing changes to identity characteristics.
  2. Authentication: Verifying the identity of individuals or entities accessing IT systems. Involves challenging the party for legitimate credentials.
  3. Authorization: Processing identity data to determine the level of access for authenticated users or services within applications or services.
  4. Auditing: Tracking and monitoring identity-related activities. In-depth reporting, alerts, and governance of identities.
5
Q

Modern authentication

A
  • Modern authentication encompasses authentication and authorization methods between a client and a server.
  • The identity provider plays a central role in modern authentication by creating, maintaining, and managing identity information.
  • The identity provider offers authentication, authorization, and auditing services.
  • Centralizing authentication services through an identity provider allows for consistent policies, user behaviour monitoring, and improved security against malicious attacks.
6
Q

Modern authentication and central identity provider

A
  • In modern authentication, the client communicates with the identity provider to authenticate an identity.
  • The identity provider verifies the identity and issues a security token.
  • The client sends the security token to the server for resource access.
  • The server validates the security token through its trust relationship with the identity provider.
  • The centralized identity provider stores and manages the security token and associated information.
  • Examples of cloud-based identity providers include Microsoft Azure Active Directory, Twitter, Google, Amazon, LinkedIn, and GitHub.
7
Q

Single Sign-On (SSO) and Federation:

A
  • Single Sign-On (SSO) allows users to log in once and access multiple applications or resources without the need for repeated authentication.
  • SSO improves user experience by reducing the need to remember and enter multiple credentials.
  • An identity provider that supports SSO acts as a central authentication authority for multiple applications.
  • Federation is the process of setting up SSO between multiple identity providers.
  • Federation enables seamless authentication and access across different domains or organizations.
  • SSO and federation enhance security by reducing the proliferation of passwords and simplifying access management.
8
Q

Active Directory (AD) and Azure Active Directory (Azure AD):

A
  • A directory is a hierarchical structure that stores information about objects on a computer network.
  • Active Directory (AD) is a set of directory services developed by Microsoft for on-premises domain-based networks.
  • Active Directory Domain Services (AD DS) is the best-known service of AD, storing information about domain members, verifying credentials, and defining access rights.
  • AD DS is a central component for managing on-premises infrastructure in organizations.
  • AD DS doesn’t natively support mobile devices, SaaS applications, or modern authentication methods.
  • Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity provider, providing an Identity as a Service (IDaaS) solution.
  • Azure AD enables organizations to manage identities across cloud and on-premises applications.
  • Azure AD is designed to support modern authentication methods and integrates with cloud services, SaaS applications, and personal devices.
  • Azure AD is an evolution of Active Directory-based identity solutions, addressing the needs of the modern IT landscape.
  • Azure AD is covered in detail in the course and is Microsoft’s recommended solution for identity and access management in the cloud.
9
Q

Federation

A
  • Federation enables access to services across organizational or domain boundaries by establishing trust relationships between identity providers.
  • With federation, users don’t need to maintain separate usernames and passwords for accessing resources in different domains.
  • In a simplified view, federation works by allowing a website in one domain (A) to use the authentication services of Identity Provider A (IdP-A) while the user in another domain (B) authenticates with Identity Provider B (IdP-B).
  • IdP-A and IdP-B have a trust relationship configured, allowing the website to trust the user’s authentication from IdP-B.
  • Federation doesn’t require bidirectional trust. IdP-A may trust IdP-B and allow access, but the opposite may not be true unless explicitly configured.
  • An example of federation is when users log in to third-party sites using their social media accounts. The social media platform acts as the identity provider, and the third-party site may use a different identity provider with a trust relationship established.
  • Azure AD is an identity provider that supports federation and can establish trust relationships with other identity providers for seamless access to resources.
10
Q

What is a benefit of single sign-on?

A. A central identity provider can be used.

B. The user signs in once and can then access many applications or resources.

C. Passwords always expire after 72 days.

A

B. The user signs in once and can then access many applications or resources.

With single sign-on, a user signs in once and can then access a number of applications or resources.

11
Q

Which relationship allows federated services to access resources?

A. Claim relationship.

B. Shared access relationship.

C. Trust relationship.

A

C. Trust relationship.

Federated services use a trust relationship to allow access to resources.

12
Q

Authentication is the process of doing what?

A. Verifying that a user or device is who they say they are.

B. The process of tracking user behaviour.

C. Enabling federated services.

A

A. Verifying that a user or device is who they say they are.

Authentication is the process of verifying that a user or device is who they say they are.
