DOMAIN 12 Identity, Entitlement, and Access Management Flashcards
In cloud computing, the fundamental problem is that multiple organizations are now managing the identity and access management to resources, which can greatly complicate the process. For example, imagine having to provision the same user on dozens—or hundreds—of different cloud services. ___________ is the primary tool used to manage this problem, by building trust relationships between organizations and enforcing them through standards-based technologies.
Federation
________ is the expression of an identity with attributes that indicates context.
Persona
_______ is the person or “thing” that will have an identity. It could be an individual, a system, a device, or application code.
Entity
_______ is the process of asserting an identity across different systems or organizations. This is the key enabler of Single Sign On and also core to managing IAM in cloud computing.
Federated Identity Management
_______ is the “root” source of an identity, such as the directory server that manages employee identities.
Authoritative source
_______ is the source of the identity in federation. The _______ isn’t always the authoritative source, but can sometimes rely on the authoritative source, especially if it is a broker for the process.
Identity Provider
_______ is the system that relies on an identity assertion from an identity provider.
Relying Party
IAM Standards for Cloud Computing
Security Assertion Markup Language (SAML) 2.0,
OAuth,
OpenID,
eXtensible Access Control Markup Language (XACML),
System for Cross-domain Identity Management (SCIM)
True/False: Identity protocols and standards do not represent a complete solution by themselves, but they are a means to an end.
True
How do both cloud provider and cloud user manage identities?
- Cloud providers need to nearly always support internal identities, identifiers, and attributes for users who directly access the service, while also supporting federation so that organizations don’t have to manually provision and manage every user in the provider’s system and issue everyone separate credentials.
- Cloud users need to decide where they want to manage their identities and which architectural models and technologies they want to support to integrate with cloud providers.
What are the two possible architectures to provision identities and determine the “authoritative source”?
“Hub & Spoke” Model,
“Free Form” Model
What are the issues that directly federating internal directory servers in the free-form model raise?
- The directory needs Internet access. This can be a problem, depending on existing topography, or it may violate security policies.
- It may require users to VPN back to the corporate network before accessing cloud services.
- Depending on the existing directory server, and especially if you have multiple directory servers in different organizational silos, federating to an external provider may be complex and technically difficult.
_________ is the process of proving or confirming an identity. In information security, authentication most commonly refers to the act of a user logging in, but it also refers to essentially any time an entity proves who they are and assumes an identity. _________ is the responsibility of the identity provider.
Authentication
The biggest impact of cloud computing on authentication is a greater need for strong authentication using multiple factors. This is for two reasons:
- Broad network access means cloud services are always accessed over the network, and often over the Internet. Loss of credentials could more easily lead to an account takeover by an attacker, since attacks aren’t restricted to the local network.
- Greater use of federation for Single Sign On means one set of credentials can potentially compromise a greater number of cloud services.
There are multiple options for MFA, including:
Hard tokens,
Soft tokens,
Out-of-band Passwords,
Biometrics