2. Identity management
• In computing, identity management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.
• The terms "Identity Management" and "Identity and Access Management" are used interchangeably in the area of identity access management, while identity management itself falls under the umbrella of IT security.
3. • Technologies, services and terms related to identity management include directory services, digital cards, service providers, identity providers, web services, access control, digital identities, password managers, single sign-on, security tokens, Security Token Services (STS), workflows, OpenID, WS-Security, WS-Trust, SAML 2.0, OAuth and RBAC.
4. Definition
• Identity management (IdM) is the task of controlling information about users on computers. Such information includes information that authenticates the identity of a user, and information that describes the resources and actions they are authorized to access and/or perform. It also includes the management of descriptive information about the user and how and by whom that information can be accessed and modified. Managed entities typically include users, hardware and network resources and even applications.
• Digital identity is an entity's online presence, encompassing personal identifying information (PII) and ancillary information.
5. Identity management function
• In the real-world context of engineering online systems, identity management can involve three basic functions:
  – The pure identity function: creation, management and deletion of identities without regard to access or entitlements;
  – The user access (log-on) function: for example, a smart card and its associated data used by a customer to log on to a service or services (a traditional view);
  – The service function: a system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.
  – Identity federation: a system that relies on federated identity to authenticate a user without knowing his or her password.
• Pure identity
  – In general, an entity (real or virtual) can have multiple identities and each identity can encompass multiple attributes, some of which are unique within a given name space. The diagram below illustrates the conceptual relationship between identities and entities, as well as between identities and their attributes.
  – The most common departure from "pure identity" in practice occurs with properties intended to assure some aspect of identity, for example a digital signature or software token, which the model may use internally to verify some aspect of the identity in satisfaction of an external purpose. To the extent that the model expresses such semantics internally, it is not a pure model.
6. [Diagram: conceptual relationship between entities, identities and their attributes]
7. • User access
  – User access enables users to assume a specific digital identity across applications, which enables access controls to be assigned and evaluated against this identity. The use of a single identity for a given user across multiple systems eases tasks for administrators and users. It simplifies access monitoring and verification and allows the organization to minimize excessive privileges granted to one user. User access can be tracked from initiation to termination of user access.
  – When organizations deploy an identity management process or system, their motivation is normally not primarily to manage a set of identities, but rather to grant appropriate access rights to those entities via their identities. In other words, access management is normally the motivation for identity management and the two sets of processes are consequently closely related.
• Services
  – Organizations continue to add services for both internal users and customers. Many such services require identity management to be provided properly. Increasingly, identity management has been partitioned from application functions so that a single identity can serve many or even all of an organization's activities.
  – For internal use, identity management is evolving to control access to all digital assets, including devices, network equipment, servers, portals, content, applications and/or products.
  – Services often require access to extensive information about a user, including address books, preferences, entitlements and contact information. Since much of this information is subject to privacy and/or confidentiality requirements, controlling access to it is vital.
• Identity federation
  – As the name implies, identity federation comprises one or more systems that federate user access and allow users to log in by authenticating against one of the systems participating in the federation. This trust between several systems is often known as a "Circle of Trust". In this setup, one system acts as the Identity Provider (IdP) and the other system(s) act as Service Providers (SP). When a user needs to access some service controlled by an SP, he/she first authenticates against the IdP. Upon successful authentication, the IdP sends a secure "assertion" to the Service Provider. SAML assertions, specified using a markup language intended for describing security assertions, can be used by a verifier to make a statement to a relying party about the identity of a claimant. SAML assertions may optionally be digitally signed.
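The IdP-to-SP exchange described above, as an added example that is not part of the deck: the IdP issues a signed, audience-restricted, time-limited assertion after authenticating the user, and the SP checks signature, issuer, audience, validity window and one-time use before accepting the subject. The assertion is a constructed JSON document, and an HMAC over a key shared by both parties stands in for the XML digital signature a real SAML IdP applies; issuer and entity names are assumptions.

```python
"""Minimal IdP / SP federation exchange (added illustration, constructed data).

Real SAML assertions are XML and carry an XML-DSig signature; here a JSON
document signed with an HMAC over a shared key stands in for that, so the
checks the SP performs are the point, not the wire format.
"""
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-demo-key"  # stand-in for the IdP's signing key


def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def idp_issue_assertion(user: str, audience: str, now: float, ttl: int = 300) -> dict:
    """IdP side: after the user authenticates, mint a short-lived assertion
    bound to the requesting SP (the audience)."""
    claims = {
        "id": secrets.token_hex(8),       # unique ID so the SP can detect replay
        "issuer": "https://idp.example",  # constructed issuer name
        "subject": user,
        "audience": audience,
        "not_before": now,
        "not_on_or_after": now + ttl,
    }
    return {"claims": claims, "signature": _sign(claims)}


class ServiceProvider:
    """SP side: trusts exactly one IdP and verifies every assertion received."""

    def __init__(self, entity_id: str, trusted_issuer: str):
        self.entity_id = entity_id
        self.trusted_issuer = trusted_issuer
        self.seen_ids = set()

    def verify(self, assertion: dict, now: float) -> tuple:
        claims = assertion.get("claims", {})
        # 1. Signature first: nothing below may be decided on unauthenticated data.
        if not hmac.compare_digest(_sign(claims), assertion.get("signature", "")):
            return False, "bad signature"
        if claims.get("issuer") != self.trusted_issuer:
            return False, "untrusted issuer"
        # 2. Audience restriction: an assertion minted for another SP is not usable here.
        if claims.get("audience") != self.entity_id:
            return False, "wrong audience"
        # 3. Validity window.
        if not (claims["not_before"] <= now < claims["not_on_or_after"]):
            return False, "outside validity window"
        # 4. One-time use: the same assertion must not log the user in twice.
        if claims["id"] in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(claims["id"])
        return True, claims["subject"]
```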
8. System capabilities
• In addition to creation, deletion and modification of user identity data, either assisted or self-service, identity management is tasked with controlling ancillary entity data for use by applications, such as contact information or location.
• Authentication: verification that an entity is who/what it claims to be, using a password, biometrics such as a fingerprint, or distinctive behavior such as a gesture pattern on a touchscreen.
• Authorization: managing authorization information that defines what operations an entity can perform in the context of a specific application. For example, one user might be authorized to enter a sales order, while a different user is authorized to approve the credit request for that order.
• Roles: roles are groups of operations and/or other roles. Users are granted roles often related to a particular job or job function. For example, a user administrator role might be authorized to reset a user's password, while a system administrator role might have the ability to assign a user to a specific server.
• Delegation: delegation allows local administrators or supervisors to perform system modifications without a global administrator, or one user to allow another to perform actions on their behalf. For example, a user could delegate the right to manage office-related information.
• Interchange: the SAML protocol is a prominent means used to exchange identity information between two identity domains.
9. Standardization
• ISO (and more specifically ISO/IEC JTC1, SC27 IT Security techniques, WG5 Identity Access Management and Privacy techniques) is conducting some standardization work for identity management (ISO 2009), such as the elaboration of a framework for identity management, including the definition of identity-related terms. The published standards and current work items include the following:
  – ISO/IEC 24760-1 A framework for identity management, Part 1: Terminology and concepts
  – ISO/IEC CD 24760-2 A framework for identity management, Part 2: Reference architecture and requirements
  – ISO/IEC WD 24760-3 A framework for identity management, Part 3: Practice
  – ISO/IEC 29115 Entity authentication assurance
  – ISO/IEC WD 29146 A framework for access management
  – ISO/IEC WD 29003 Identity proofing and verification
  – ISO/IEC 29100 Privacy framework
  – ISO/IEC 29101 Privacy architecture
  – ISO/IEC 29134 Privacy impact assessment methodology
11. Federated identity
• A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
• Related to federated identity is single sign-on (SSO), in which a user's single authentication ticket, or token, is trusted across multiple IT systems or even organizations. SSO is a subset of federated identity management, as it relates only to authentication and is understood on the level of technical interoperability.
• FIdM, or the "federation" of identity, describes the technologies, standards and use cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Identity federation comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise-controlled.
• Technologies used for federated identity include SAML (Security Assertion Markup Language), OAuth, OpenID, security tokens (Simple Web Tokens, JSON Web Tokens, and SAML tokens), Web Service specifications, Microsoft Azure Cloud Services, and Windows Identity Foundation.
12. Federated identities
• "Federated identities" is
  – A hierarchical approach to decompose the problem into manageable pieces
  – Analogous to the problem that IAM addresses, and rests upon IAM infrastructure
• "Identity federation" (noun) is a set of service providers, identity providers, and other context in which the magic happens
13. Federating technologies
• SAML (Security Assertion Markup Language) implementations
  – Shibboleth
  – Bodington/Guanxi
  – AthensIM
  – SourceID
  – SAMUEL
  – MS ADFS
  – Other proprietary
• Liberty Identity Federation implementations
  – SourceID
  – Lasso
  – Proprietary
• Others
  – MS Inter-Forest Trust
14. IAM life cycle phases
• User access request and approve
  – Definition objective:
    • Gaining access to the applications, systems and data required to be productive.
  – Common challenges:
    • Processes differ by location, business unit and resource.
    • Approvers have insufficient context of user access needs: do users really need access to private or confidential data?
    • Users find it difficult to request required access.
• Reconcile
  – Definition objective:
    • Enforcing that access within the system, matching approved access levels.
  – Common challenges:
    • Actual rights on systems exceed access levels that were originally approved/provisioned.
    • There is no single authoritative identity repository for employees/non-employees.
• Review and certify
  – Definition objective:
    • Reviewing user access periodically to realign it with job function or role.
  – Common challenges:
    • Processes are manual and differ by location, business unit and resource.
    • Reviewers must complete multiple, redundant and granular access reviews.
    • Reviewers have insufficient context of user access needs.
• Provision/de-provision
  – Definition objective:
    • Granting users appropriate entitlements and access in a timely manner.
    • Revoking access in a timely manner when no longer required due to termination or transfer.
  – Common challenges:
    • Timelines to grant/remove access are excessive.
    • Inefficient and error-prone manual provisioning processes are used.
    • Access profile cloning occurs inappropriately.
    • Ad hoc job role to access profile mappings exist.
    • Inappropriate access may not be de-provisioned.
• Enforce
  – Definition objective:
    • Enforcing user access to applications and systems using authentication and authorization.
    • Enforcing compliance with access management policies and requirements.
  – Common challenges:
    • Applications do not support central access management solutions (directories, web single sign-on).
    • Access management policies do not exist.
    • Role/rule-based access is used inconsistently.
    • Segregation of duties (toxic combinations) is not enforced.
• Report and audit
  – Definition objective:
    • Defining business-relevant key performance indicators (KPIs) and metrics.
    • Auditing user access.
  – Common challenges:
    • KPIs/metrics do not exist or do not align with business-driven success criteria (e.g., reduce risk by removing terminated user access on the day of termination).
    • Audits are labor intensive.
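Slide 8's role model (roles as groups of operations and/or other roles) and slide 14's Reconcile and Enforce phases (actual rights exceeding approved ones, toxic combinations) share one worked example below. It is added here and is not the deck's own code; the role names, operations, toxic pair and entitlement snapshots are constructed, with the toxic pair mirroring slide 8's sales-order / credit-approval split.

```python
"""RBAC with nested roles, a segregation-of-duties check and an access
reconciliation (added illustration; all data constructed)."""

# Roles are groups of operations and/or other roles (slide 8).
ROLES = {
    "sales_clerk":    {"ops": {"enter_sales_order"}, "includes": set()},
    "credit_officer": {"ops": {"approve_credit"},    "includes": set()},
    "user_admin":     {"ops": {"reset_password"},    "includes": set()},
    "sys_admin":      {"ops": {"assign_server"},     "includes": {"user_admin"}},
}

# Toxic combinations a single principal must never hold together (slide 14, Enforce).
TOXIC_PAIRS = [("sales_clerk", "credit_officer")]


def effective_roles(role: str, roles=ROLES) -> set:
    """Expand a role through the roles it includes (transitive, cycle-safe)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen or r not in roles:
            continue
        seen.add(r)
        stack.extend(roles[r]["includes"])
    return seen


def permitted_ops(user_roles, roles=ROLES) -> set:
    """Union of the operations reachable from all of a user's roles."""
    ops = set()
    for role in user_roles:
        for r in effective_roles(role, roles):
            ops |= roles[r]["ops"]
    return ops


def is_authorized(user_roles, op: str) -> bool:
    return op in permitted_ops(user_roles)


def sod_violations(user_roles) -> list:
    """Toxic pairs triggered by a user's expanded role set (Enforce phase)."""
    held = set()
    for role in user_roles:
        held |= effective_roles(role)
    return [p for p in TOXIC_PAIRS if p[0] in held and p[1] in held]


def reconcile(approved: dict, actual: dict) -> dict:
    """Reconcile phase: compare the roles approved per user with the roles
    actually present on the target system. Excess rights are the finding that
    slide 14 names; missing rights are reported too, since both are drift."""
    findings = {}
    for user in set(approved) | set(actual):
        excess = actual.get(user, set()) - approved.get(user, set())
        missing = approved.get(user, set()) - actual.get(user, set())
        if excess or missing:
            findings[user] = {"excess": excess, "missing": missing}
    return findings
```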
15. Cloud computing
• Several distinct scenarios have emerged with the evolution of cloud computing and IAM: there is a need to securely access applications hosted on the cloud, and there is a need to manage identities in cloud-based applications, including protecting personally identifiable information (PII). Federation, role-based access (RBAC) and cloud application identity management solutions have emerged to address these requirements.
• The concept of identity as a service (IDaaS) is also an emerging solution to this challenge and has made it possible to accelerate the realization of benefits from IAM deployments. IDaaS aims to support federated authentication, authorization and provisioning. As an alternative to on-premise IAM solutions, IDaaS allows organizations to avoid the expense of extending their own IAM capabilities to their cloud service provider but to still support secure interaction with a cloud computing environment. When using IDaaS, instead of a traditional on-premise IAM system, these capabilities are provided by a third-party-hosted service provider.
16. Identity provisioning
• Identity provisioning practice within an organization deals with the provisioning and de-provisioning of various types of user accounts (e.g., end user, application administrator, IT administrator, supervisor, developer, billing administrator) to cloud services. It is very common for cloud services to rely on a registry of users, each representing either an individual or an organization, maintained by the cloud service provider (CSP) to support billing, authentication, authorization, federation, and auditing processes.
• With the rapid adoption of cloud services, customers must find ways to automate the provisioning and de-provisioning of users using industry standard specifications such as SPML and web APIs.
• Software as a Service / Platform as a Service
  – SPML adoption by CSPs and support for automated provisioning with workflows.
  – Customer adoption of automated provisioning using CSP-supplied connectors.
  – Support for transient provisioning using SAML.
  – PaaS provider support for delegated user administration to owners of applications hosted in the PaaS platform.
17. Authentication
• Authentication is the process of validating or confirming that access credentials provided by a user (for instance, a user ID and password) are valid. A user in this case could be a person, another application, or a service; all should be required to authenticate.
• SaaS and PaaS: credential management presents a significant challenge in any environment. In SaaS and PaaS cloud environments, various options are available based on the type of cloud service.
• SaaS and PaaS providers typically offer built-in authentication services to their applications or platforms, and alternately support delegating authentication to the enterprise.
• Customers have the following options:
  – Enterprise: consider authenticating users with the enterprise's Identity Provider (IdP) and establishing trust with the SaaS vendor by federation.
  – Individual user (acting on their own behalf): consider using user-centric authentication such as Google, Yahoo ID, OpenID, Live ID, etc., to enable use of a single set of credentials at multiple sites.
• Note: any SaaS provider that requires proprietary methods to delegate authentication (e.g., handling trust by means of a shared encrypted cookie or other means) should be carefully considered with a proper security evaluation before proceeding. The general preference should be for the use of open standards.
18. IaaS authentication
• In IaaS, two sets of users need to be authenticated. The first set of users is enterprise IT personnel, who will deploy and manage applications. The second set is application users, who might be employees, customers, or partner organizations. For IT personnel, establishing a dedicated VPN is generally a better option, as they can leverage existing systems and processes.
• A dedicated VPN tunnel will work better when the application leverages existing identity management systems, such as a single sign-on (SSO) solution or an LDAP-based authentication service that provides an authoritative source of identity data.
• In cases where a dedicated VPN tunnel is not feasible, applications should be designed to accept authentication assertions in various formats (SAML, WS-Federation, etc.), in combination with standard web encryption such as SSL. This approach enables organizations to federate SSO outside the enterprise, extending it to cloud applications.
• OpenID is another option when the application is targeted beyond enterprise users.
• OATH-compliant systems can support any similarly compliant form factor, including tokens, cell phones, and PDAs.
19. Identity as a Service (IDaaS)
• Identity as a Service (IDaaS) is an authentication infrastructure that is built, hosted and managed by a third-party service provider. IDaaS can be thought of as single sign-on (SSO) for the cloud.
• According to Gartner, IDaaS functionality includes:
  – Identity governance and administration ("IGA"): this includes the ability to provision identities held by the service to target applications.
  – Access: this includes user authentication, single sign-on (SSO), and authorization enforcement.
  – Intelligence: this includes logging events and providing reporting that can answer questions such as "who accessed what, and when?"
• It offers all of the cloud's benefits, such as reduced on-site infrastructure, easier management and a broader range of integration options.
• Gregg Kreizman, research vice president at Stamford, Conn.-based research firm Gartner Inc., divides IDaaS services into two categories: web access software for cloud-based applications such as software as a service (SaaS) and web-architected applications; and cloud-delivered legacy identity management services. With the latter, vendors deliver the traditional identity management software stack from the cloud.
20. Enterprise architecture with IDaaS
• Identity services provide identity in a consistent, reusable way to all applications/services.
• This enables them to make identity an integral part of their business logic in a coordinated and meaningful way.
21. Threats
• Regardless of the operating model used, cloud computing creates new IAM risks that must be managed. Management of virtual servers within the cloud requires elevated rights that, when compromised, may give attackers the ability to gain control of the most valuable targets in the cloud. Such rights also give attackers the ability to create sophisticated data intercept capabilities that may be difficult for cloud providers to detect in a timely manner. The risk of undetected data loss, tampering and resultant fraud can be magnified by the use of cloud computing unless equally sophisticated controls are in place. As a result, the implementation of controls over cloud computing services should account for traditional and emerging risks that are unique to the cloud.
22. Key IAM capabilities
• Job role or application access matrices using rule mining tools: this serves as the logical access foundation needed to embrace cloud-based and mobile applications, in addition to ensuring appropriateness of access, a key regulatory requirement, especially for data privacy.
• Automated workflow-based access request and approval processes, using job role or application access matrices and segregation of duties checking: this helps increase the consistency and efficiency of your IAM procedures and reduce the risk of inappropriate access.
• Entitlement warehouse solution: this accelerates the ability to address security and access management needs across a high volume of applications, host and database platforms within large organizations; it results in streamlined provisioning/access attestation and provides a centralized view of access privileges across systems.
• Access proxy solutions, central authentication (application, host and database layers): this improves the end user experience and addresses key requirements around user de-provisioning.
• Risk-based authentication solutions: this addresses exposures related to compromise of basic authentication techniques, enables secure access for sensitive transactions (e.g., access to PII) and fulfills key regulatory requirements around multifactor authentication.
• Identity analytics and behavioral analysis services to integrate with DLP and security information and event management: this helps to enable behavior-based profiling, identifies access outliers for risk-based verification and effectively reduces insider risk. Context-aware identity and access intelligence solutions are being used to identify anomalous activities/exception-based access, perform account analysis, and execute oversight and monitoring functions, helping to protect data governed by privacy regulations.
• Data and access management process governance program, which includes HR, application owners, information security and IAM stakeholders: this helps to confirm that the appropriate people (i.e., departments, roles) are supporting and sponsoring the IAM program, which is vital to the success of process and technology changes.
• Federation solutions: this improves end user experience and management of identities for cloud-based applications.
• Consider emerging solutions that combine logical and physical security: these solutions will address business risks related to critical infrastructure protection.
• Design solutions with future scalability requirements in mind: these access transformation initiatives are impacted by negative end user experience, including performance delays; therefore, it is imperative to deploy solutions after considering future adoption and scalability requirements.