Week 8 - IdM-Access-Cloud Flashcards

1
Q

API

A

Application programming interfaces

Resources in the cloud are offered and accessed through specific services and APIs

2
Q

CSC

A

Cloud service customer

3
Q

CSP

A

Cloud service provider

4
Q

Identity Federation in the Cloud

A

The identity management infrastructure that lets a CSC user access the cloud services their company has subscribed to with a CSP is based on identity federation: the CSC's own identity system authenticates the user and asserts who they are, and the CSP trusts those assertions instead of holding its own copy of the user's credentials.

5
Q

Identity Provider (IdP)

A

Creates, maintains and manages identity information and credentials for users, and issues them to users

6
Q

Relying Party (RP) / Service Provider (SP)

A

Receives and consumes identity data, authentication events and attributes from identity providers, delivered in the form of assertions

7
Q

CSC vs CSP in identity federation in a cloud environment

A

The CSC plays the role of identity provider (IdP) while the CSP plays the role of service provider (SP)

8
Q

Private Cloud

A

A private cloud can be accessed by a single CSC only and is thus accessible only to users from that CSC

9
Q

Public Cloud

A

A public cloud is accessed by many CSCs, each with many users. Sometimes a subscribing CSC provides access to a cloud service not only for its own employees and contractors but also for certain affiliates such as partners.

10
Q

For cloud-based identity federation trust must be established between…

A

CSC and CSP

11
Q

STS

A

Security Token Service

Issues identity tokens in a private cloud infrastructure

12
Q

Authentication in a private cloud

A

The user, a member of the CSC, requests a service from the private cloud

The cloud requests an identity token from the Security Token Service (STS)

The identity token, generated from the user's attributes, is transmitted to the private cloud

The cloud checks the token's validity (signature, issuer, expiry) and, if the check succeeds, allows the user access to the service

13
Q

Authentication in a public cloud

A
  1. A CSC user attempts to connect to the public cloud provider in order to access a service.
  2. The cloud redirects the user to the identity provider, which may be the CSC itself (or a third party or IDaaS provider), for authentication.
  3. The user authenticates to the IdP they were redirected to.
  4. The IdP generates the identity token containing all required information regarding the identity of the CSC user and sends it to the CSP.
  5. The CSP validates the token and permits the user to access the cloud service.
14
Q

The cloud provider who provides the identity management as a service is called

A

Identity as a Service (IDaaS) provider

15
Q

IDaaS Advantages

A

Reduces the cost and complexity of identity management for cloud service access, at least for some CSCs

16
Q

IDaaS Disadvantages

A

The IDaaS provider must be trusted to keep CSC users' identity data safe against breach and misuse. This is especially critical because the IDaaS provider may also hold sensitive authentication data such as CSC users' passwords (or password hashes), so a breach at the IDaaS provider exposes every subscribing CSC at once.

17
Q

First model of IDaaS

A

The identity information of all CSC users (who need access to cloud services) is stored in the IDaaS provider's directories.

This information is not integrated with the contents of the CSC's on-premises directories.

This approach may work for new organizations (especially small ones that have not yet invested heavily in an identity infrastructure), but it is unlikely to work for most medium and large businesses (CSCs in our context), which already hold their authoritative identity data on-premises.

18
Q

Second Model of IDaaS

A

The business (CSC) also maintains on-premises directories for storing identity information.

All identity information, including passwords, is synchronized between the on-premises directories and the IDaaS provider's cloud-based directories. This process is called replication.

The replication is carried out using special tools and scripting (e.g., PowerShell).

The synchronization (or replication) architecture has several security implications:

(a) When user IDs and authenticators (e.g., passwords) are copied between the on-premises directories and the IDaaS provider's cloud-based directories, there is potential for an attacker to capture them in transit or at rest.

(b) The on-premises and cloud-based directories could fall out of sync, because changes made in the on-premises directory (e.g., Active Directory) may not be replicated immediately to the IDaaS provider's cloud-based directory. This is because the replication scripts may be programmed to run only at certain intervals, so, for example, an account disabled on-premises can still authenticate to cloud services until the next replication run.
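The replication-lag implication in (b) is easiest to see with a small simulation. The following is an added example, not code from the flashcards: an interval-driven sync job copies account state (the enabled flag and a password hash, never the cleartext password) from an on-premises directory to the IDaaS directory, and a user disabled on-premises keeps authenticating to the cloud until the next run. The user name, password, 30-minute interval and the `push_disables` mitigation (writing a disable to the cloud directory immediately instead of waiting for the job) are all assumptions made for the example.

```python
"""Replication lag between an on-premises directory and an IDaaS directory.

Added example, not part of the flashcards. Simulates the second IDaaS model
with an interval-driven sync job; names, interval and the push_disables
mitigation are assumptions for illustration.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass
class Account:
    enabled: bool
    pw_hash: str


def pw_hash(password: str) -> str:
    # Stand-in for the hash the sync tool copies; a real deployment replicates
    # the directory's own password hash format, not a plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and acct.enabled and acct.pw_hash == pw_hash(password)


def sync_job(on_prem: Directory, cloud: Directory) -> None:
    # Full replication: the cloud directory becomes a copy of on-prem state
    cloud.accounts = {u: Account(a.enabled, a.pw_hash) for u, a in on_prem.accounts.items()}


def simulate(disable_at_min: int, interval_min: int = 30, push_disables: bool = False) -> dict:
    """Return, minute by minute, whether the disabled user can still log in to the cloud.

    push_disables=True models an added mitigation (not from the flashcards): a
    disable on-premises is written to the cloud directory at once instead of
    waiting for the scheduled job.
    """
    on_prem = Directory({"bob": Account(True, pw_hash("Winter2024!"))})  # constructed account
    cloud = Directory()
    sync_job(on_prem, cloud)  # initial replication at minute 0
    cloud_login_ok = {}
    for minute in range(0, 2 * interval_min + 1):
        if minute == disable_at_min:
            on_prem.accounts["bob"].enabled = False  # offboarding happens on-prem
            if push_disables:
                cloud.accounts["bob"].enabled = False
        if minute > 0 and minute % interval_min == 0:
            sync_job(on_prem, cloud)  # scheduled replication run
        cloud_login_ok[minute] = cloud.authenticate("bob", "Winter2024!")
    return cloud_login_ok


def exposure_window(disable_at_min: int, interval_min: int = 30, push_disables: bool = False) -> int:
    """Minutes after the on-prem disable during which the cloud still accepts the login."""
    result = simulate(disable_at_min, interval_min, push_disables)
    return sum(1 for m, ok in result.items() if m >= disable_at_min and ok)


if __name__ == "__main__":
    print("exposure with 30-min sync:", exposure_window(5), "minutes")
    print("exposure with pushed disables:", exposure_window(5, push_disables=True), "minutes")
```

With a 30-minute job and a disable at minute 5, the account still authenticates to the cloud for 25 minutes; the same experiment with the disable pushed immediately gives a window of zero, which is why offboarding events are the first thing to take off the scheduled path.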

19
Q

Third model of IDaaS

A

This method is to federate identity between the on-premises directory and the cloud-based directories (of the IDaaS provider).

This is done through directory federation software (e.g., Active Directory Federation Services (ADFS)).

The advantage here is that you can have multiple cloud-based directories for different services, without replicating credentials to any of them: authentication still happens against the on-premises directory.

A directory federation links a person's electronic identity and attributes that are stored across multiple directories.

Federation enables single sign-on (SSO) for CSC users across multiple cloud services.

That is, a CSC may have subscribed to many Software-as-a-Service (SaaS) cloud applications. A CSC user can access these applications as well as on-premises applications by signing in once and being authenticated to any of them (on-premises or cloud service).

Examples of SaaS cloud services include Office 365, Salesforce, ServiceNow, Workday and Zendesk.

20
Q

OAuth 2.0 in the cloud

A

OAuth 2.0 is the protocol used for secure calls from the CSC to the CSP's REST APIs: the caller presents an access token issued by the CSP's authorization server rather than the user's credentials.

21
Q

OAuth 2.0 Protocol for Secure Access to CSP APIs

A
  1. It is assumed that the CSC user (called the OAuth client in this context) is able to obtain a SAML assertion (identity token) through a local security token service (when the CSC itself plays the role of IdP).
  2. The SAML assertion is digitally signed by the enterprise IdP (i.e., the local STS). This signature demonstrates that the CSC user (the OAuth client in our context) belongs to the enterprise and is implicitly authorized by the enterprise to request access tokens from the OAuth 2.0 Authorization Server (AS).
  3. The OAuth client, instead of sending the signed SAML assertion directly to the CSP (the SaaS provider in our discussion) through the browser, sends it to the SaaS provider's Authorization Server (AS) in exchange for the desired access token.
  4. After obtaining the access token from the AS, the OAuth client includes it on subsequent API calls to the SaaS provider's Resource Server (RS), which is the entry point for the SaaS provider's application.
  5. As the access token was issued for the named user in the SAML assertion, the SaaS provider allows the API call to execute and returns the requested resource.
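The five steps above are the SAML bearer assertion grant standardized in RFC 7522 (grant type `urn:ietf:params:oauth:grant-type:saml2-bearer`), and the validation the AS performs is the same token check the STS flows in cards 12 and 13 describe. The block below is an added example, not code from the flashcards, showing both sides of the exchange: the CSC's local STS issues a signed assertion, the client posts it to the AS token endpoint, the AS verifies signature, issuer, audience and expiry before minting an access token bound to the asserted subject, and the RS accepts only tokens the AS issued. To run offline, the XML-DSig on a real SAML assertion is replaced by an HMAC over a compact JSON assertion and the STS and AS share that key in the simulation (a real IdP signs with a private key and the AS verifies against the IdP's published certificate); the issuer URL, token endpoint URL, user name and mailbox data are constructed.

```python
"""SAML bearer assertion exchanged for an OAuth 2.0 access token (RFC 7522 shape).

Added example, not part of the flashcards. HMAC stands in for XML-DSig and
the IdP/AS key is shared only so the block runs stand-alone; all URLs, users
and resource data are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant type
SAAS_TOKEN_ENDPOINT = "https://saas.example/oauth2/token"  # constructed audience URL
CSC_ISSUER = "https://sts.csc.example"  # constructed enterprise STS/IdP identifier
IDP_SIGNING_KEY = b"demo-idp-signing-key"  # stands in for the IdP's private key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- CSC side: local STS issues a signed assertion for the named user (steps 1-2) ---
def sts_issue_assertion(subject: str, issuer: str, audience: str, now: float, ttl: int = 300) -> str:
    body = {"Issuer": issuer, "Subject": subject, "Audience": audience,
            "NotOnOrAfter": now + ttl, "Attributes": {"dept": "finance"}}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(sig)


def client_build_token_request(assertion: str) -> str:
    # Step 3: the OAuth client posts the assertion to the AS token endpoint, not to the RS
    return urlencode({"grant_type": SAML2_BEARER, "assertion": assertion})


# --- CSP side: Authorization Server validates the assertion and mints a token (steps 3-4) ---
class AuthorizationServer:
    def __init__(self, trusted_issuers, audience):
        self.trusted_issuers = set(trusted_issuers)  # the CSC IdPs this CSP has a trust relationship with
        self.audience = audience
        self.tokens = {}  # opaque access token -> {"sub", "exp"}

    def token_endpoint(self, form_body: str, now: float) -> dict:
        form = parse_qs(form_body)
        if form.get("grant_type") != [SAML2_BEARER]:
            return {"error": "unsupported_grant_type"}
        try:
            payload_b64, sig_b64 = form["assertion"][0].split(".")
            payload = b64url_decode(payload_b64)
            expected = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
                return {"error": "invalid_grant", "reason": "bad signature"}
            a = json.loads(payload)
        except (KeyError, ValueError):
            return {"error": "invalid_grant", "reason": "malformed assertion"}
        if a["Issuer"] not in self.trusted_issuers:
            return {"error": "invalid_grant", "reason": "untrusted issuer"}
        if a["Audience"] != self.audience:  # assertion minted for some other SP must not be accepted here
            return {"error": "invalid_grant", "reason": "audience mismatch"}
        if now >= a["NotOnOrAfter"]:
            return {"error": "invalid_grant", "reason": "assertion expired"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": a["Subject"], "exp": now + 3600}  # token bound to the asserted user
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


# --- CSP side: Resource Server accepts only tokens the AS issued (step 5) ---
class ResourceServer:
    def __init__(self, as_: AuthorizationServer):
        self.as_ = as_
        self.mailboxes = {"alice@csc.example": ["invoice-1042"]}  # constructed resource data

    def get_resource(self, authorization_header: str, now: float):
        scheme, _, token = authorization_header.partition(" ")
        info = self.as_.tokens.get(token)
        if scheme != "Bearer" or info is None or now >= info["exp"]:
            return 401, None
        return 200, self.mailboxes.get(info["sub"], [])


def run_flow(now: float, audience: str = SAAS_TOKEN_ENDPOINT, skew: float = 0.0):
    """Run the whole exchange; skew delays the client's call to the AS to test expiry."""
    as_ = AuthorizationServer(trusted_issuers={CSC_ISSUER}, audience=SAAS_TOKEN_ENDPOINT)
    rs = ResourceServer(as_)
    assertion = sts_issue_assertion("alice@csc.example", CSC_ISSUER, audience, now)
    resp = as_.token_endpoint(client_build_token_request(assertion), now + skew)
    if "access_token" not in resp:
        return resp, None
    return resp, rs.get_resource("Bearer " + resp["access_token"], now + skew)


if __name__ == "__main__":
    print(run_flow(now=1_700_000_000.0))
```

Two details are worth keeping in mind when reading the AS code: the audience check is what stops an assertion the CSC issued for one SaaS provider from being replayed at another, and the RS never sees the SAML assertion at all, only the opaque token the AS minted for the named subject.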