DOMAIN 12 Identity, Entitlement, and Access Management

Question 1

In cloud computing, the fundamental problem is that multiple organizations are now managing
the identity and access management to resources, which can greatly complicate the process. For example, imagine having to provision the same user on dozens—or hundreds—of different cloud services. ___________ is the primary tool used to manage this problem, by building trust relationships
between organizations and enforcing them through standards-based technologies.

Answer 1

Federation

Question 2

________ is the expression of an identity with attributes that indicates context.

Answer 2

Persona

Question 3

_______ is the person or “thing” that will have an identity. It could be an individual, a system, a device, or application code.

Answer 3

Entity

Question 4

_______ is the process of asserting an identity across different systems or organizations. This is the key enabler of Single Sign On and also core to managing IAM in cloud computing..

Answer 4

Federated Identity Management

Question 5

_______ is the “root” source of an identity, such as the directory server that manages employee identities.

Answer 5

Authoritative source

Question 6

_______ is the source of the identity in federation. The _______ isn’t always the authoritative source, but can sometimes rely on the authoritative source, especially if it is a broker for the process.

Answer 6

Identity Provider

Question 7

_______ is the system that relies on an identity assertion from an identity provider.

Answer 7

Relying Party

Question 8

IAM Standards for Cloud Computing

Answer 8

Security Assertion Markup Language (SAML) 2.0,
OAuth,
OpenID,
eXtensible Access Control Markup Language (XACML),
System for Cross-domain Identity Management (SCIM)

Question 9

True/False: Identity protocols and standards do not represent a complete solution by themselves, but they are a means to an end.

Answer 9

True

Question 10

How do both cloud provider and cloud user manage identities?

Answer 10

•• Cloud providers need to nearly always support internal identities, identifiers, and attributes for
users who directly access the service, while also supporting federation so that organizations don’t have to manually provision and manage every user in the provider’s system and issue everyone separate credentials.
•• Cloud users need to decide where they want to manage their identities and which architectural models and technologies they want to support to integrate with cloud providers.

Question 11

What are the two possible architectures to provision identities and determine the “authoritative source”?

Answer 11

“Hub & Spoke” Model,

“Free Form” Model

Question 12

What are the issues that directly federating internal directory servers in the free-form model raise?

Answer 12

• • The directory needs Internet access. This can be a problem, depending on existing topography, or it may violate security policies.
• • It may require users to VPN back to the corporate network before accessing cloud services.
• • Depending on the existing directory server, and especially if you have multiple directory servers in different organizational silos, federating to an external provider may be complex and technically difficult.

Question 13

_________ is the process of proving or confirming an identity. In information security authentication most commonly refers to the act of a user logging in, but it also refers to essentially any time an entity proves who they are and assumes an identity. _________ is the responsibility of the identity provider.

Answer 13

Authentication

Question 14

The biggest impact of cloud computing on authentication is a greater need for strong authentication using multiple factors. This is for two reasons:

Answer 14

• • Broad network access means cloud services are always accessed over the network, and often over the Internet. Loss of credentials could more easily lead to an account takeover by an attacker, since attacks aren’t restricted to the local network.
• • Greater use of federation for Single Sign On means one set of credentials can potentially compromise a greater number of cloud services.

Question 15

There are multiple options for MFA, including:

Answer 15

Hard tokens,
Soft tokens,
Out-of-band Passwords,
Bio-metrics

Question 16

Authorization, access control, entitlement

Answer 16

** An authorization is permission to do something—access a file or network, or perform a certain
function like an API call on a particular resource.

** An access control allows or denies the expression of that authorization, so it includes aspects like
assuring that the user is authenticated before allowing access.

** An entitlement maps identities to authorizations and any required attributes (e.g. user x is allowed
access to resource y when z attributes have designated values). We commonly refer to a map of
these entitlements as an entitlement matrix. Entitlements are often encoded as technical policies for
distribution and enforcement.

Question 17

True/False: The cloud provider is responsible for enforcing authorizations and access controls.

Answer 17

True

Question 18

True/False: The cloud user is responsible for defining entitlements and properly configuring them within
the cloud platform.

Answer 18

True

Question 19

True/False: ABAC (Attribute-based Access Control) is the preferred model for cloud-based access management.

Answer 19

True

Question 20

True/False: When using federation, the cloud user is responsible for mapping attributes, including roles
and groups, to the cloud provider and ensuring that these are properly communicated during
authentication.

Answer 20

True

Question 21

True/False: Cloud providers are responsible for supporting granular attributes and authorizations to
enable ABAC and effective security for cloud users.

Answer 21

True