Thursday, July 14, 2022

Identity & Access Management (IdM or IAM)

Here is my write-up on identity and access management, based on my CISSP course.

Identity & access management is the set of tools, frameworks, and processes used to control access to privileged resources. The current framework for deploying identity and access management, inspired by ISC2, is IAAA: Identity, Authentication, Authorization, Accounting. Decoding what this framework requires:

  • Identity : the unique attributes that define you, usually validated and issued by a trusted entity
  • Authentication : proof that you are indeed the person that you claim to be, sometimes called identity proofing
  • Authorization (or Access Control) : once you prove who you are, what are you allowed to do and not do
  • Accounting : logging of everything so that there is a forensic trail to audit all activities


Let's dig deeper into IAAA.

Identification - the unique attributes that define you, validated and issued by a trusted entity

Identity of a person usually starts at birth - your name - written on an official document. In California, it is on a "Certificate of Live Birth" document. Other examples of identification include a passport issued by a sovereign national government, a driver's license issued by the state government, and a school ID issued by a university.


Authentication - prove that you are indeed the person that you claim to be

To prove that you are who you claim to be, there are five types of authentication that can be used.

  1. Type I : what you know, such as a PIN, a password, or your favorite ice cream flavor
  2. Type II : what you have, such as a physical "token fob"
  3. Type III : what you are (bio), such as fingerprints or iris color
  4. Type IV : where you are, such as the work campus
  5. Type V : what you do, such as a signature

Authorization (or Access) - once you prove who you are, what are you allowed to do

Once your identity is known and you have authenticated as that identity, the IAM/IdM system controls what you can do. Authorization can be 1) centralized or 2) decentralized. Centralized control is implemented via Single Sign On (SSO) systems. Decentralized control is trusting that the tools, processes, and framework of each system will enforce the IAAA framework.

 

Systems that implement identity and access management : authenticate + authorize

SAML 2.0 (authenticate + authorize)

Security Assertion Markup Language (SAML) is a framework for systems to exchange security information. The information is formatted as XML. It is commonly used in Single Sign On (SSO) - using one login (username and password) to access multiple web applications. Detractors say that it can be too verbose and cumbersome to use.
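To make the "authenticate + authorize" role of SAML concrete, here is an added example (not from the original post) of the checks a Service Provider makes on the XML assertion an Identity Provider sends during SSO: trusted issuer, validity window, intended audience, the authenticated subject, and the role attributes used for authorization. The assertion, issuer URL and audience URL are constructed sample values, and the code assumes the XML signature has already been verified.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample assertion: the IdP's statement that alice logged in, with her roles.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2022-07-14T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2022-07-14T09:59:00Z" NotOnOrAfter="2022-07-14T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="role">
    <saml:AttributeValue>admin</saml:AttributeValue><saml:AttributeValue>reader</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def parse_saml_time(value):
    """SAML timestamps are UTC xs:dateTime values such as 2022-07-14T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuer, my_audience, now):
    """Return (subject, roles) if the SP may trust the assertion, else raise ValueError.
    Assumes the XML signature was already verified against the IdP's certificate; real
    code should also parse with defusedxml instead of the stdlib parser used here."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    # Identification: the assertion must come from the IdP this SP federated with.
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise ValueError("untrusted issuer")
    # Conditions: reject stale/replayed assertions and ones issued for another SP.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if not parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if my_audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion issued for a different audience")
    # Authentication result: who the IdP says logged in.
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        raise ValueError("missing NameID")
    # Authorization input: role attributes the SP maps onto its own permissions.
    roles = [v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)]
    return subject, roles
```

Calling `validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com/metadata", "https://app.example.com/sp", parse_saml_time("2022-07-14T10:01:00Z"))` returns `("alice@example.com", ["admin", "reader"])`; the same assertion presented to a different audience, from an unknown issuer, or at 10:05 or later is rejected.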



OpenID Connect (authenticate) + OAuth 2 (authorize)


Conclusion

You have a protected resource - such as data or hardware. You only want to allow authorized users to use it. Identity and Access Management (IdM or IAM) is the tool, process, and framework that can do this. It follows the Identity Authentication Authorization Accounting (IAAA) framework to ensure that the user is authenticated, is authorized to use the resource, and has all actions tracked.
