Identity and Access Management Flashcards
What is the meaning of entity / identity / identifier / digital identity?
• Entity
– A person, organisation, agent, system, session, process, etc.
• Identity
– A set of names / attributes of an entity in a specific domain
– An entity may have identities in multiple domains
– An entity may have multiple identities in one domain
• Digital identity
– Digital representation of names / attributes in a way that is suitable for processing by computers
• Names and attributes of an entity
– Can be unique or ambiguous within a domain
– Transient or permanent, self-defined or defined by an authority, interpreted by humans and/or by computers, etc.
What are the IAM phases with steps?
There are two phases. The first is the Configuration phase, with the following steps: 1) Registration of User Identity 2) Provisioning of Credential(s)
Both of these belong to identity management.
3) Access Authorization (belongs to access authorization)
The second phase is the Operation phase, with the following steps: 1) Present User Identity 2) Authentication by Credential(s)
Both of these belong to identity management.
3) Access Control (belongs to access authorization)
What are the meaning and principle of:
- MAC
- DAC
- RBAC
- ABAC
MAC:
Mandatory Access Control
• Access authorization is specified and enforced with security labels
– Security clearance for subjects
– Classification levels for objects
• MAC compares subject and object labels
• MAC is mandatory in the sense that users do not control access to the resources they create.
• A system-wide set of AC policy rules for subjects and objects determines the modes of access
• OS with MAC:
– SELinux supports MAC
DAC:
Discretionary Access Control
• Access authorization is specified and enforced based on the name/identity of subjects/objects.
• Typically implemented as ACLs (Access Control Lists)
• DAC is discretionary in the sense that the owner of the resource can decide at his/her discretion who is authorized for access
• Operating systems using DAC:
– Windows and Linux
RBAC:
Role Based Access Control
• A user has access to an object based on the assigned role.
• Roles are defined based on job functions.
• Permissions are defined based on job authority and responsibilities within a job function.
• Operations on an object are invoked based on the permissions.
• The object is concerned with the user's role and not with the user
ABAC:
Attribute Based Access Control
• ABAC makes AC decisions based on Boolean conditions on attribute values.
• Subject, Object, Context, and Action consist of attributes
– Subject attributes could be: Name, Sex, DOB, Role, etc.
– Each attribute has a value, e.g.:
(Name(subject) = Alice), (Sex(subject) = F), (Role(subject) = HR-staff),
(AccessType(action) = {read, write}),
(Owner(object) = HR), (Type(object) = salary)
• The AC logic evaluates all (attribute = value) tuples that are required by the relevant policy.
– E.g. permit if:
[ (Role(subject) = HR-staff) and (AccessType(action) = read) and (Owner(object) = HR) ] and (Time(query) = office-hours)
Define IAM.
Identity and access management (IAM) is the security
discipline that enables the right individuals to access the
right resources at the right times for the right reasons.
IAM addresses the mission-critical need to ensure
appropriate access to resources across increasingly
heterogeneous technology environments, and to meet
increasingly rigorous compliance requirements.
Identity Federation
A set of agreements, standards and technologies that enable a group of Service Providers to recognise and trust user identities and credentials from different Identity Providers, Credential Providers and Service Providers
Four main types:
- Centralized Federation
- Distributed Identity with Centralised Authentication
- Centralised Identity with Distributed Authentication
- Distributed Federation