Identity and Access Management
Identity management
• In computing, identity management (IdM) describes
the management of individual principals,
their authentication, authorization, and privileges
within or across system and enterprise boundaries with
the goal of increasing security and productivity while
decreasing cost, downtime and repetitive tasks.
• The terms "Identity Management" and "Identity and
Access Management" are used interchangeably in the
area of Identity access management, while identity
management itself falls under the umbrella of IT
Security
• Technologies, services and terms related to identity management include Directory
services, Digital Cards, Service Providers, Identity Providers, Web Services, Access control,
Digital Identities, Password Managers, Single Sign-on, Security Tokens, Security Token
Services (STS), Workflows, OpenID, WS-Security, WS-Trust, SAML 2.0, OAuth and RBAC.
Definition
• Identity management (IdM) is the task of controlling
information about users on computers. Such information
includes information that authenticates the identity of a
user, and information that describes information and
actions they are authorized to access and/or perform. It
also includes the management of descriptive information
about the user and how and by whom that information can
be accessed and modified. Managed entities typically
include users, hardware and network resources and even
applications.
• Digital identity is an entity's online presence, encompassing
personal identifying information (PII) and ancillary
information.
Identity management function
• In the real-world context of engineering online systems, identity management
can involve three basic functions:
– The pure identity function: Creation, management and deletion of identities
without regard to access or entitlements;
– The user access (log-on) function: For example: a smart card and its associated data
used by a customer to log on to a service or services (a traditional view);
– The service function: A system that delivers personalized, role-based, online, on-
demand, multimedia (content), presence-based services to users and their devices.
– Identity Federation: A system that relies on Federated identity to authenticate a
user without knowing his or her password.
• Pure identity
– In general, an entity (real or virtual) can have multiple identities and each identity
can encompass multiple attributes, some of which are unique within a given name
space. The diagram below illustrates the conceptual relationship between identities
and entities, as well as between identities and their attributes.
– The most common departure from "pure identity" in practice occurs with
properties intended to assure some aspect of identity, for example a digital
signature or software token, which the model may use internally to verify some
aspect of the identity in satisfaction of an external purpose. To the extent that the
model expresses such semantics internally, it is not a pure model.
• User access
– User access enables users to assume a specific digital identity across applications, which
enables access controls to be assigned and evaluated against this identity. The use of a single
identity for a given user across multiple systems eases tasks for administrators and users. It
simplifies access monitoring and verification and allows the organization to minimize excessive
privileges granted to one user. User access can be tracked from initiation to termination of
user access.
– When organizations deploy an identity management process or system, their motivation is
normally not primarily to manage a set of identities, but rather to grant appropriate access
rights to those entities via their identities. In other words, access management is normally the
motivation for identity management and the two sets of processes are consequently closely
related.
• Services
– Organizations continue to add services for both internal users and customers. Many such
services require identity management to properly provide these services. Increasingly, identity
management has been partitioned from application functions so that a single identity can
serve many or even all of an organization's activities.
– For internal use identity management is evolving to control access to all digital assets,
including devices, network equipment, servers, portals, content, applications and/or products.
– Services often require access to extensive information about a user, including address books,
preferences, entitlements and contact information. Since much of this information is subject
to privacy and/or confidentiality requirements, controlling access to it is vital.
• Identity federation
– As the name implies, identity federation comprises one or more systems that federate user
access and allow users to log in based on authenticating against one of the systems
participating in the federation. This trust between several systems is often known as a "Circle of
Trust". In this setup, one system acts as the Identity Provider (IdP) and the other system(s) act as
Service Provider (SP). When a user needs to access some service controlled by the SP, he/she first
authenticates against the IdP. Upon successful authentication, the IdP sends a secure
"assertion" to the Service Provider. "SAML assertions, specified using a markup language
intended for describing security assertions, can be used by a verifier to make a statement to a
relying party about the identity of a claimant. SAML assertions may optionally be digitally
signed."
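An added example (not from the slides) of the IdP-to-SP exchange described above, in Python: the IdP issues a time-limited, audience-restricted assertion and the SP checks integrity, issuer, audience, validity window and replay before trusting the subject. The XML layout, the HMAC-SHA256 stand-in for XML Signature, and the issuer, SP and user names are all assumptions made for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

ISO = "%Y-%m-%dT%H:%M:%SZ"  # every timestamp in this example is naive UTC


def issue_assertion(key: bytes, issuer: str, subject: str, audience: str,
                    assertion_id: str, now: datetime,
                    lifetime_s: int = 300) -> tuple[bytes, str]:
    """IdP side: build a minimal assertion and sign its serialized bytes.

    HMAC-SHA256 over the bytes stands in for XML Signature (assumption);
    the SP-side checks below do not depend on which signature scheme is used.
    """
    root = ET.Element("Assertion", ID=assertion_id, IssueInstant=now.strftime(ISO))
    ET.SubElement(root, "Issuer").text = issuer
    ET.SubElement(root, "Subject").text = subject
    cond = ET.SubElement(root, "Conditions", NotBefore=now.strftime(ISO),
                         NotOnOrAfter=(now + timedelta(seconds=lifetime_s)).strftime(ISO))
    ET.SubElement(cond, "Audience").text = audience
    body = ET.tostring(root)
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_assertion(key: bytes, body: bytes, signature: str,
                     trusted_issuers: set[str], my_audience: str,
                     now: datetime, seen_ids: set[str]) -> tuple[bool, str]:
    """SP side: returns (True, subject) on success, else (False, reason).

    Integrity is checked before the XML is parsed so that only authenticated
    input reaches the parser; every other check fails closed.
    """
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed assertion"
    if root.tag != "Assertion":
        return False, "unexpected root element"
    issuer = root.findtext("Issuer")
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}"
    cond = root.find("Conditions")
    if cond is None:
        return False, "missing validity conditions"
    try:
        not_before = datetime.strptime(cond.get("NotBefore", ""), ISO)
        not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter", ""), ISO)
    except ValueError:
        return False, "missing or unparseable validity timestamps"
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window"
    if cond.findtext("Audience") != my_audience:
        return False, "assertion not intended for this service provider"
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        return False, "missing or replayed assertion ID"
    subject = root.findtext("Subject")
    if not subject:
        return False, "no subject"
    seen_ids.add(assertion_id)  # remember the ID so this assertion cannot be presented twice
    return True, subject


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Constructed exchange: the secret, IdP, SP and user names are invented."""
    key = b"constructed-shared-secret"
    idp, sp = "https://idp.example", "https://sp.example"
    t0 = datetime(2024, 5, 1, 12, 0, 0)
    body, sig = issue_assertion(key, idp, "alice", sp, "_a1", t0)
    later = t0 + timedelta(seconds=10)
    seen: set[str] = set()
    return {
        "valid": verify_assertion(key, body, sig, {idp}, sp, later, seen),
        "replay": verify_assertion(key, body, sig, {idp}, sp, later, seen),
        "tampered": verify_assertion(key, body.replace(b"alice", b"mallory"), sig,
                                     {idp}, sp, later, set()),
        "wrong_audience": verify_assertion(key, body, sig, {idp},
                                           "https://other.example", later, set()),
        "expired": verify_assertion(key, body, sig, {idp}, sp,
                                    t0 + timedelta(seconds=600), set()),
        "untrusted_issuer": verify_assertion(key, body, sig,
                                             {"https://rogue.example"}, sp, later, set()),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:17s} -> {result}")
```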
System capabilities
• In addition to creation, deletion, modification of user identity data either assisted
or self-service, Identity Management is tasked with controlling ancillary entity data
for use by applications, such as contact information or location.
• Authentication: Verification that an entity is who/what it claims to be using a
password, biometrics such as a fingerprint, or distinctive behavior such as a
gesture pattern on a touchscreen.
• Authorization: Managing authorization information that defines what operations
an entity can perform in the context of a specific application. For example, one
user might be authorized to enter a sales order, while a different user is authorized
to approve the credit request for that order.
• Roles: Roles are groups of operations and/or other roles. Users are granted roles
often related to a particular job or job function. For example, a user administrator
role might be authorized to reset a user's password, while a system administrator
role might have the ability to assign a user to a specific server.
• Delegation: Delegation allows local administrators or supervisors to perform
system modifications without a global administrator or for one user to allow
another to perform actions on their behalf. For example, a user could delegate the
right to manage office-related information.
• Interchange: The SAML protocol is a prominent means used to exchange identity
information between two identity domains.
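An added example (not from the slides) that models the Roles and Delegation bullets above together with the segregation-of-duties ("toxic combinations") enforcement from the life cycle slide: roles nest other roles, a user can lend a role they hold to another user for a bounded time, and any grant or delegation that would give one person the toxic pair is refused. The role names, operations, users and timeline are constructed, following the slide's sales-order example.

```python
from datetime import datetime, timedelta

# Constructed role model: "includes" nests one role inside another, so a role
# is a group of operations and/or other roles, as the slide describes.
ROLES: dict[str, dict[str, set[str]]] = {
    "sales_clerk":    {"ops": {"order:enter"},         "includes": set()},
    "credit_officer": {"ops": {"credit:approve"},      "includes": set()},
    "user_admin":     {"ops": {"user:reset_password"}, "includes": set()},
    "sys_admin":      {"ops": {"server:assign_user"},  "includes": {"user_admin"}},
}
# Segregation of duties: operation pairs that one person must never hold together.
TOXIC_PAIRS = [("order:enter", "credit:approve")]


def expand_roles(role_names, roles=ROLES) -> set[str]:
    """Transitive closure over 'includes'; tolerates cycles and unknown names."""
    closed, stack = set(), list(role_names)
    while stack:
        name = stack.pop()
        if name in closed or name not in roles:
            continue
        closed.add(name)
        stack.extend(roles[name]["includes"])
    return closed


def operations_of(role_names, roles=ROLES) -> set[str]:
    """Every operation reachable from the given roles."""
    return set().union(*(roles[r]["ops"] for r in expand_roles(role_names, roles)))


def sod_violations(ops: set[str]) -> list[tuple[str, str]]:
    return [pair for pair in TOXIC_PAIRS if pair[0] in ops and pair[1] in ops]


class AccessModel:
    def __init__(self) -> None:
        self.direct: dict[str, set[str]] = {}                        # user -> roles
        self.delegations: list[tuple[str, str, str, datetime]] = []  # (from, to, role, until)

    def effective_roles(self, user: str, now: datetime) -> set[str]:
        names = set(self.direct.get(user, set()))
        names |= {role for _, to, role, until in self.delegations
                  if to == user and now < until}         # expired delegations drop out
        return expand_roles(names)

    def can(self, user: str, op: str, now: datetime) -> bool:
        return op in operations_of(self.effective_roles(user, now))

    def _sod_check(self, user: str, role: str, now: datetime) -> tuple[bool, str]:
        found = sod_violations(operations_of(self.effective_roles(user, now) | {role}))
        return (False, f"SoD violation {found[0]}") if found else (True, "ok")

    def grant(self, user: str, role: str, now: datetime) -> tuple[bool, str]:
        """Direct grant by an administrator, refused if it creates a toxic combination."""
        if role not in ROLES:
            return False, f"unknown role {role!r}"
        ok, reason = self._sod_check(user, role, now)
        if not ok:
            return False, reason
        self.direct.setdefault(user, set()).add(role)
        return True, "granted"

    def delegate(self, delegator: str, delegatee: str, role: str,
                 now: datetime, duration: timedelta) -> tuple[bool, str]:
        """A user lends a role they currently hold to another user, for a bounded time."""
        if role not in self.effective_roles(delegator, now):
            return False, "delegator does not hold that role"
        ok, reason = self._sod_check(delegatee, role, now)
        if not ok:
            return False, reason
        self.delegations.append((delegator, delegatee, role, now + duration))
        return True, "delegated"


def run_scenarios() -> dict:
    """Constructed users and timeline following the slide's sales-order example."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    m = AccessModel()
    out = {}
    out["alice_clerk"] = m.grant("alice", "sales_clerk", t0)
    out["alice_credit"] = m.grant("alice", "credit_officer", t0)      # toxic pair, refused
    out["bob_credit"] = m.grant("bob", "credit_officer", t0)
    out["carol_sysadmin"] = m.grant("carol", "sys_admin", t0)
    out["carol_resets"] = m.can("carol", "user:reset_password", t0)  # inherited via includes
    out["carol_delegates"] = m.delegate("carol", "dave", "user_admin", t0, timedelta(hours=1))
    out["dave_in_window"] = m.can("dave", "user:reset_password", t0 + timedelta(minutes=30))
    out["dave_after_window"] = m.can("dave", "user:reset_password", t0 + timedelta(hours=2))
    out["alice_to_bob"] = m.delegate("alice", "bob", "sales_clerk", t0, timedelta(hours=1))
    out["dave_redelegates"] = m.delegate("dave", "erin", "user_admin",
                                         t0 + timedelta(hours=2), timedelta(hours=1))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18s} -> {result}")
```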
Standardization
• ISO (and more specifically ISO/IEC JTC1, SC27 IT Security techniques
WG5 Identity Access Management and Privacy techniques) is
conducting some standardization work for identity management
(ISO 2009), such as the elaboration of a framework for identity
management, including the definition of identity-related terms. The
published standards and current work items include the following:
– ISO/IEC 24760-1 A framework for identity management—Part 1:
Terminology and concepts
– ISO/IEC CD 24760-2 A Framework for Identity Management—Part 2:
Reference architecture and requirements
– ISO/IEC WD 24760-3 A Framework for Identity Management—Part 3:
Practice
– ISO/IEC 29115 Entity Authentication Assurance
– ISO/IEC WD 29146 A framework for access management
– ISO/IEC WD 29003 Identity Proofing and Verification
– ISO/IEC 29100 Privacy framework
– ISO/IEC 29101 Privacy Architecture
– ISO/IEC 29134 Privacy Impact Assessment Methodology
Inter-institutional integration:
the transport function
• Federations
• Peering of federations
– Levels of assurance
– Attribute mapping
– WAYF functionality
• Virtual Organization (VOs)
Federated identity
• A federated identity in information technology is the means of linking a
person's electronic identity and attributes, stored across multiple distinct identity
management systems.
• Related to federated identity is single sign-on (SSO), in which a user's
single authentication ticket, or token, is trusted across multiple IT systems or even
organizations. SSO is a subset of federated identity management, as it relates only
to authentication and is understood on the level of technical interoperability.
• FIdM, or the "federation" of identity, describes the technologies, standards and
use-cases which serve to enable the portability of identity information across
otherwise autonomous security domains. The ultimate goal of identity federation
is to enable users of one domain to securely access data or systems of another
domain seamlessly, and without the need for completely redundant user
administration. Identity federation comes in many flavors, including "user-
controlled" or "user-centric" scenarios, as well as enterprise-controlled.
• Technologies used for federated identity include SAML (Security Assertion Markup
Language), OAuth, OpenID, Security Tokens (Simple Web Tokens, JSON Web
Tokens, and SAML Tokens), Web Service Specifications, Microsoft Azure Cloud
Services, and Windows Identity Foundation.
Federated Identities
• “Federated identities” is
– A hierarchical approach to decompose the problem into manageable
pieces
– Analogous to the problem that IAM addresses, and rests upon IAM
infrastructure
• “Identity federation” (noun) is a set of service providers,
identity providers, and other context in which the magic
happens
Federating Technologies
• SAML implementations
– Security Assertion Markup
Language
– Shibboleth
– Bodington/Guanxi
– AthensIM
– SourceID
– SAMUEL
– MS ADFS
– Other proprietary
• Liberty Identity
Federation
implementations
– SourceID
– Lasso
– Proprietary
• Others
– MS Inter-Forest Trust
IAM life cycle phases
• User access request and approve
– Definition objective:
• Gaining access to the applications, systems and data
required to be productive.
– Common challenges:
• Processes differ by location, business unit and resource.
• Approvers have insufficient context of user access needs —
do users really need access to private or confidential
data?
• Users find it difficult to request required access.
• Reconcile
– Definition objective:
• Enforcing that access within the system, matching
approved access levels.
– Common challenges:
• Actual rights on systems exceed access levels that were
originally approved/provisioned.
• There is no single authoritative identity repository for
employees/non-employees.
• Review and certify
– Definition objective:
• Reviewing user access periodically to realign it with job
function or role.
– Common challenges:
• Processes are manual and differ by location, business
unit and resource.
• Reviewers must complete multiple, redundant and
granular access reviews.
• Reviewers have insufficient context of user access needs.
• Provision/de-provision
– Definition objective:
• Granting users appropriate entitlements and access in a
timely manner
• Revoking access in a timely manner when no longer
required due to termination or transfer.
– Common challenges
• Time lines to grant/remove access are excessive.
• Inefficient and error-prone manual provisioning
processes are used.
• Access profile cloning occurs inappropriately.
• Ad hoc job role to access profile mappings exist.
• Inappropriate access may not be de-provisioned.
• Enforce
– Definition objective:
• Enforcing user access to applications and systems using
authentication and authorization.
• Enforcing compliance with access management policies
and requirements.
– Common challenges:
• Applications do not support central access
management solutions (directories, web single sign-on)
• Access management policies do not exist
• Role/rule-based access is used inconsistently.
• Segregation of duties (toxic combinations) is not
enforced
• Report and audit
– Definition objective:
• Defining business-relevant key performance indicators
(KPIs) and metrics.
• Auditing user access.
– Common challenges
• KPIs/metrics do not exist or do not align with business-
driven success criteria (e.g., reduce risk by removing
terminated user access on the day of termination).
• Audits are labor intensive.
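An added example (not from the slides) of the Reconcile and Report phases above: it compares approved entitlements against what the target systems actually hold, flags excess rights, orphan accounts, terminated users who are still active and approvals that outlived the employment, and computes the slide's example KPI. All four data sets are constructed and the reconciliation rules are assumptions.

```python
from datetime import date

# Constructed inputs. APPROVED is what the request/approval process granted,
# ACTUAL is what the target systems really hold, IDENTITIES is the authoritative
# (HR) repository, and REMOVALS is the de-provisioning log.
APPROVED = {
    ("alice", "crm"): {"read", "write"},
    ("bob", "crm"): {"read"},
    ("bob", "erp"): {"ap_clerk"},
}
ACTUAL = {
    ("alice", "crm"): {"read", "write", "admin"},  # right that was never approved
    ("bob", "crm"): {"read"},                      # terminated user still active
    ("carol", "erp"): {"ap_clerk"},                # account never approved at all
    ("svc_legacy", "crm"): {"admin"},              # no identity owns this account
}
IDENTITIES = {
    "alice": {"status": "active", "terminated_on": None},
    "bob": {"status": "terminated", "terminated_on": date(2024, 5, 1)},
    "carol": {"status": "active", "terminated_on": None},
}
REMOVALS = [("bob", "erp", date(2024, 5, 1))]  # (user, system, removed_on)


def reconcile(approved, actual, identities) -> dict:
    """Compare approved against actual access for every (user, system) account."""
    report = {"excess": {}, "missing": {}, "orphans": [],
              "terminated_active": [], "stale_approvals": []}
    for key in sorted(set(approved) | set(actual)):
        user, _system = key
        want = approved.get(key, set())
        have = actual.get(key, set())
        if user not in identities:           # nobody in the authoritative source owns it
            if have:
                report["orphans"].append(key)
            continue
        if identities[user]["status"] == "terminated":
            if have:
                report["terminated_active"].append(key)
            if want:                         # approval record outlived the employment
                report["stale_approvals"].append(key)
            continue
        if have - want:
            report["excess"][key] = sorted(have - want)
        if want - have:
            report["missing"][key] = sorted(want - have)
    return report


def same_day_removal_rate(identities, approved, removals) -> float:
    """KPI from the slide: share of terminated users' approved accounts that were
    removed on the day of termination. Approved accounts are the denominator."""
    due = [(u, s) for (u, s) in approved
           if identities.get(u, {}).get("status") == "terminated"]
    if not due:
        return 1.0
    on_day = {(u, s) for u, s, removed_on in removals
              if removed_on == identities.get(u, {}).get("terminated_on")}
    return sum(1 for account in due if account in on_day) / len(due)


if __name__ == "__main__":
    for finding, items in reconcile(APPROVED, ACTUAL, IDENTITIES).items():
        print(f"{finding:18s}: {items}")
    print(f"same-day removal rate: {same_day_removal_rate(IDENTITIES, APPROVED, REMOVALS):.0%}")
```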
Cloud computing
• Several distinct scenarios have emerged
with the evolution of cloud computing
and IAM — there is a need to securely
access applications hosted on the cloud,
and there is a need to manage identities
in cloud-based applications, including
protecting personally identifiable
information (PII). Federation, role-based
access (RBAC) and cloud application
identity management solutions have
emerged to address these requirements.
• The concept of identity as a service
(IDaaS) is also an emerging solution
to this challenge and has made it
possible to accelerate the realization
of benefits from IAM deployments.
IDaaS aims to support federated
authentication, authorization and
provisioning. As an alternative to on-
premise IAM solutions, IDaaS allows
organizations to avoid the expense of
extending their own IAM capabilities
to their cloud service provider but to
still support secure interaction with a
cloud computing environment. When
using IDaaS, instead of a traditional
on-premise IAM system, these
capabilities are provided by a
third-party-hosted service provider.
Identity Provisioning
• Identity provisioning practice within an organization deals with the
provisioning and de-provisioning of various types of user accounts (e.g., end
user, application administrator, IT administrator, supervisor, developer,
billing administrator) to cloud services. It is very common for cloud services
to rely on a registry of users, each representing either an individual or an
organization, maintained by the cloud service provider (CSP) to support
billing, authentication, authorization, federation, and auditing processes.
• With the rapid adoption of cloud services, customers must find ways to
automate the provisioning and deprovisioning of users using industry
standard specifications such as SPML and web APIs.
• Software as a Service / Platform as a Service
– SPML adoption by CSPs and support for automated provisioning with workflows.
– Customer adoption of automated provisioning using CSP supplied connectors.
– Support for transient provisioning using SAML.
– PaaS provider support for delegated user administration to owners of applications
hosted in the PaaS platform.
Authentication
• Authentication is the process of validating or confirming that access
credentials provided by a user (for instance, a user ID and password)
are valid. A user in this case could be a person, another application, or
a service; all should be required to authenticate.
• SaaS and PaaS: Credential management presents a significant challenge
in any environment. In SaaS and PaaS cloud environments, various
options are available based on the type of cloud service.
• SaaS and PaaS providers typically offer built-in authentication services
to their applications or platforms, and alternately support delegating
authentication to the enterprise.
• Customers have the following options:
– Enterprise: Consider authenticating users with the enterprise’s Identity
Provider (IdP) and establishing trust with the SaaS vendor by federation.
– Individual user (acting on their own behalf): Consider using user-centric
authentication such as Google, Yahoo ID, OpenID, Live ID, etc., to enable use
of a single set of credentials at multiple sites.
• Note: Any SaaS provider that requires proprietary methods to
delegate authentication (e.g., handling trust by means of a shared
encrypted cookie or other means) should be carefully considered with a
proper security evaluation before proceeding. The general preference
should be for the use of open standards.
IaaS Authentication
• In IaaS, two sets of users need to be authenticated. The first set of users
is enterprise IT personnel, who will deploy applications and manage
applications. The second set is application users; who might be
employees, customers, or partner organizations. For IT personnel,
establishing a dedicated VPN is generally a better option, as they can
leverage existing systems and processes.
• A dedicated VPN tunnel will work better when the application leverages
existing identity management systems, such as a single sign-on (SSO)
solution or an LDAP-based authentication service that provides an
authoritative source of identity data.
• In cases where a dedicated VPN tunnel is not feasible, applications
should be designed to accept authentication assertions in various
formats (SAML, WS-Federation, etc.), in combination with standard web
encryption such as SSL. This approach enables organizations to
federate SSO outside the enterprise, extending it to cloud applications.
• OpenID is another option when the application is targeted beyond
enterprise users.
• OATH-compliant systems can support any similarly compliant form
factor, including tokens, cell phones, and PDAs.
Identity as a Service (IDaaS)
• Identity as a Service (IDaaS) is an authentication infrastructure that is
built, hosted and managed by a third-party service provider. IDaaS can
be thought of as single sign-on (SSO) for the cloud.
• According to Gartner, IDaaS functionality includes:
– Identity governance and administration ("IGA") — this includes the ability to
provision identities held by the service to target applications.
– Access — this includes user authentication, single sign-on (SSO), and
authorization enforcement.
– Intelligence — this includes logging events and providing reporting that can
answer questions such as “who accessed what, and when?”
• It offers all of cloud's benefits, such as a reduced on-site infrastructure,
easier management and a broader range of integration options.
• Gregg Kreizman, research vice president at Stamford, Conn.-based
research firm Gartner Inc., divides IDaaS services into two categories:
Web access software for cloud-based applications such as software as
a service (SaaS) and Web-architected applications; and cloud-delivered
legacy identity management services. With the latter, vendors deliver
the traditional identity management software stack from the cloud.
Enterprise Architecture with IDaaS
• Identity Services provide
identity in a consistent,
reusable way to all
applications/services
• Enables them to make
identity an integral part of
their business logic in a
coordinated and
meaningful way.
Threats
• Regardless of the operating model used, cloud computing
creates new IAM risks that must be managed.
Management of virtual servers within the cloud requires
elevated rights that when compromised, may give
attackers the ability to gain control of the most valuable
targets in the cloud. Such rights also give attackers the
ability to create sophisticated data intercept capabilities
that may be difficult for cloud providers to detect in a
timely manner. The risk of undetected data loss,
tampering and resultant fraud can be magnified by the
use of cloud computing unless equally sophisticated
controls are in place. As a result, the implementation of
controls over cloud computing services should account for
traditional and emerging risks that are unique to the
cloud.
Key IAM capabilities
• Job role or application access matrices using rule mining tools: this serves as the logical access foundation
needed to embrace cloud-based and mobile applications in addition to ensuring appropriateness of access, a
key regulatory requirement, especially for data privacy.
• Automated workflow-based access request and approval processes, using job role or application access
matrices and segregation of duties checking: this helps increase the consistency and efficiency of your IAM
procedures and reduce the risk of inappropriate access.
• Entitlement warehouse solution: this accelerates the ability to address security and access management needs
across a high volume of applications, host and database platforms within large organizations: it results in
streamlined provisioning/ access attestation and provides a centralized view of access privileges across
systems.
• Access proxy solutions, central authentication (application, host and database layers): this improves the end
user experience and addresses key requirements around user de-provisioning.
• Risk-based authentication solutions: this addresses exposures related to compromise of basic authentication
techniques, enables secure access for sensitive transactions (e.g., access to PII) and fulfills key regulatory
requirements around multifactor authentication.
• Identity analytics and behavioral analysis services to integrate with DLP and security information and event
management: this helps to enable behavior-based profiling, identifies access outliers for risk-based verification
and effective reduction of insider risk. Context-aware identity and access intelligence solutions are being used
to identify anomalous activities/exception-based access, perform account analysis, and execute oversight and
monitoring functions, helping to protect data governed by privacy regulations.
• Data and access management process governance program, which includes HR, application owners,
information security and IAM stakeholders: this helps to confirm that the appropriate people (i.e.,
departments, roles) are supporting and sponsoring the IAM program — vital to the success of process and
technology changes.
• Federation solutions: this improves end user experience and management of identities for cloud-based
applications.
• Consider emerging solutions that combine logical and physical security: these solutions will address business
risks related to critical infrastructure protection.
• Design solution with future scalability requirements in mind: these access transformation initiatives are
impacted by negative end user experience, including performance delays; therefore, it is imperative to deploy
solutions after considering future adoption and scalability requirements.
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural  in villages of indiaGram Darshan PPT cyber rural  in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 

Recently uploaded (20)

VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SERVICECall Girls Service Dwarka @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural  in villages of indiaGram Darshan PPT cyber rural  in villages of india
Gram Darshan PPT cyber rural in villages of india
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 

unit4.pptx

5. Identity management function
• In the real-world context of engineering online systems, identity management can involve the following basic functions:
  – The pure identity function: creation, management and deletion of identities without regard to access or entitlements;
  – The user access (log-on) function: for example, a smart card and its associated data used by a customer to log on to a service or services (a traditional view);
  – The service function: a system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices;
  – Identity federation: a system that relies on federated identity to authenticate a user without knowing his or her password.
• Pure identity
  – In general, an entity (real or virtual) can have multiple identities and each identity can encompass multiple attributes, some of which are unique within a given namespace. The diagram on the next slide illustrates the conceptual relationship between identities and entities, as well as between identities and their attributes.
  – The most common departure from "pure identity" in practice occurs with properties intended to assure some aspect of identity, for example a digital signature or software token which the model may use internally to verify some aspect of the identity in satisfaction of an external purpose. To the extent that the model expresses such semantics internally, it is not a pure model.
6. (Diagram: conceptual relationship between entities, identities and their attributes)
7. Identity management function (continued)
• User access
  – User access enables users to assume a specific digital identity across applications, which enables access controls to be assigned and evaluated against this identity. The use of a single identity for a given user across multiple systems eases tasks for administrators and users. It simplifies access monitoring and verification and allows the organization to minimize excessive privileges granted to one user. User access can be tracked from initiation to termination.
  – When organizations deploy an identity management process or system, their motivation is normally not primarily to manage a set of identities, but rather to grant appropriate access rights to those entities via their identities. In other words, access management is normally the motivation for identity management, and the two sets of processes are consequently closely related.
• Services
  – Organizations continue to add services for both internal users and customers. Many such services require identity management in order to be provided properly. Increasingly, identity management has been partitioned from application functions so that a single identity can serve many or even all of an organization's activities.
  – For internal use, identity management is evolving to control access to all digital assets, including devices, network equipment, servers, portals, content, applications and/or products.
  – Services often require access to extensive information about a user, including address books, preferences, entitlements and contact information. Since much of this information is subject to privacy and/or confidentiality requirements, controlling access to it is vital.
• Identity federation
  – As the name implies, identity federation comprises one or more systems that federate user access and allow users to log in by authenticating against one of the systems participating in the federation. This trust between several systems is often known as a "Circle of Trust".
  – In this setup, one system acts as the Identity Provider (IdP) and the other system(s) act as Service Providers (SP). When a user needs to access a service controlled by an SP, he or she first authenticates against the IdP. Upon successful authentication, the IdP sends a secure "assertion" to the Service Provider. SAML assertions, specified using a markup language intended for describing security assertions, can be used by a verifier to make a statement to a relying party about the identity of a claimant. SAML assertions may optionally be digitally signed.
  – In practice the SP must treat an assertion as untrusted input until it has verified the signature against the IdP's known key and checked the issuer, the audience restriction and the validity window, and it must refuse an assertion ID it has already consumed; an unsigned or unverified assertion proves nothing about the user.
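The SP side of the exchange above, as an added example that is not part of the slides: a minimal service provider that consumes an assertion and performs the checks that matter (signature, issuer, audience, validity window, replay). The assertion format is a deliberately simplified stand-in for SAML: a small XML element signed with HMAC-SHA256 over its exact bytes instead of XMLDSig, with a shared key standing in for the IdP's signing key. The entity IDs, key, subject names and timestamps are assumptions made for the example.

```python
"""Service-provider-side validation of a signed identity assertion.

Added example, not from the slides. A SAML assertion is stood in for by a
tiny XML element signed with HMAC-SHA256 over its exact bytes (instead of
XMLDSig) so the SP's checks are visible without an XML-signature library.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumed values, constructed for the example: a shared key in place of the
# IdP's signing key, plus the entity IDs of the two federation parties.
IDP_KEY = b"idp-signing-key-for-the-example"
IDP_ID = "https://idp.example.edu"
SP_ID = "https://sp.example.com"


def issue_assertion(subject, now, assertion_id, key=IDP_KEY, issuer=IDP_ID,
                    audience=SP_ID, lifetime=300):
    """IdP side: build an assertion and sign it. Returns 'xml|hex-signature'."""
    root = ET.Element("Assertion", ID=assertion_id, Issuer=issuer)
    ET.SubElement(root, "Subject").text = subject
    ET.SubElement(root, "Conditions", NotBefore=str(now),
                  NotOnOrAfter=str(now + lifetime), Audience=audience)
    xml_text = ET.tostring(root, encoding="unicode")
    sig = hmac.new(key, xml_text.encode(), hashlib.sha256).hexdigest()
    return xml_text + "|" + sig


class RejectedAssertion(Exception):
    """Raised by the SP when an assertion fails any check."""


class ServiceProvider:
    def __init__(self, key=IDP_KEY, trusted_issuer=IDP_ID, entity_id=SP_ID):
        self.key = key
        self.trusted_issuer = trusted_issuer
        self.entity_id = entity_id
        self.seen_ids = set()  # replay cache; a shared store in production

    def consume(self, token, now):
        """Validate an assertion; return the authenticated subject or raise."""
        xml_text, _, sig = token.rpartition("|")
        # 1. Signature first: nothing in the document is trusted before this.
        expected = hmac.new(self.key, xml_text.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise RejectedAssertion("bad signature")
        root = ET.fromstring(xml_text)
        # 2. Issuer must be the IdP this SP federates with.
        if root.get("Issuer") != self.trusted_issuer:
            raise RejectedAssertion("untrusted issuer")
        # 3. Audience: a valid assertion minted for another SP is not for us.
        cond = root.find("Conditions")
        if cond is None or cond.get("Audience") != self.entity_id:
            raise RejectedAssertion("wrong audience")
        # 4. Validity window (NotBefore inclusive, NotOnOrAfter exclusive).
        if not int(cond.get("NotBefore")) <= now < int(cond.get("NotOnOrAfter")):
            raise RejectedAssertion("outside validity window")
        # 5. Replay: each assertion ID is accepted exactly once.
        aid = root.get("ID")
        if aid in self.seen_ids:
            raise RejectedAssertion("replayed assertion")
        self.seen_ids.add(aid)
        return root.findtext("Subject")


def is_rejected(sp, token, now):
    """True if the SP refuses the token; used to exercise the failure paths."""
    try:
        sp.consume(token, now)
        return False
    except RejectedAssertion:
        return True


if __name__ == "__main__":
    sp = ServiceProvider()
    good = issue_assertion("alice", now=1000, assertion_id="a1")
    print(sp.consume(good, now=1010))                              # alice
    print(is_rejected(sp, good, now=1010))                         # True: replay
    print(is_rejected(sp, good.replace("alice", "admin"), 1010))   # True: tampered
```

The order of the checks is the point: the signature is verified over the raw bytes before anything is parsed, so issuer, audience and lifetime are only ever read from data the IdP actually signed, and the audience check is what stops an assertion legitimately issued for one SP from being replayed against another.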
8. System capabilities
• In addition to the creation, deletion and modification of user identity data, either assisted or self-service, identity management is tasked with controlling ancillary entity data for use by applications, such as contact information or location.
• Authentication: verification that an entity is who/what it claims to be, using a password, biometrics such as a fingerprint, or distinctive behavior such as a gesture pattern on a touchscreen.
• Authorization: managing authorization information that defines what operations an entity can perform in the context of a specific application. For example, one user might be authorized to enter a sales order, while a different user is authorized to approve the credit request for that order.
• Roles: roles are groups of operations and/or other roles. Users are granted roles, often related to a particular job or job function. For example, a user administrator role might be authorized to reset a user's password, while a system administrator role might have the ability to assign a user to a specific server.
• Delegation: delegation allows local administrators or supervisors to perform system modifications without a global administrator, or allows one user to let another perform actions on their behalf. For example, a user could delegate the right to manage office-related information.
• Interchange: the SAML protocol is a prominent means of exchanging identity information between two identity domains.
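The authorization, roles and delegation capabilities above, worked through as an added example that is not part of the slides: roles are sets of operations that may include other roles, the engine flattens that hierarchy to decide whether an operation is permitted, and delegation is recorded as a time-limited grant that stays tied to the delegator's own rights. The role, operation and user names are constructed, and the "no re-delegation" rule is a policy choice of this example.

```python
"""Role hierarchy, authorization decisions and delegation.

Added example, not from the slides: a small policy engine for the
'Authorization', 'Roles' and 'Delegation' capabilities. Role, operation and
user names are constructed; 'no re-delegation' is a policy choice of the
example.
"""
from collections import deque

# A role is a set of operations plus the roles it includes (role hierarchy).
ROLES = {
    "user_admin":     {"ops": {"user:reset_password"},  "includes": set()},
    "system_admin":   {"ops": {"server:assign_user"},   "includes": {"user_admin"}},
    "sales_clerk":    {"ops": {"order:enter"},          "includes": set()},
    "credit_officer": {"ops": {"order:approve_credit"}, "includes": set()},
}


def effective_ops(role, roles=ROLES):
    """Flatten a role and everything it includes into one set of operations.
    Breadth-first with a visited set, so an accidental cycle in the role
    graph cannot loop forever."""
    ops, seen, queue = set(), set(), deque([role])
    while queue:
        r = queue.popleft()
        if r in seen or r not in roles:
            continue
        seen.add(r)
        ops |= roles[r]["ops"]
        queue.extend(roles[r]["includes"])
    return ops


class Authorizer:
    def __init__(self, assignments, roles=ROLES):
        self.assignments = {u: set(rs) for u, rs in assignments.items()}
        self.roles = roles
        self.delegations = {}  # (delegate, op) -> (delegator, expires_at)

    def own_permission(self, user, op):
        """True if one of the user's own roles (directly or via hierarchy) grants op."""
        return any(op in effective_ops(r, self.roles)
                   for r in self.assignments.get(user, ()))

    def permitted(self, user, op, now=0):
        """Authorization decision: own roles first, then an unexpired delegation.
        A delegation is only honoured while the delegator still holds the
        right personally, so removing the delegator's role also removes
        everything they delegated."""
        if self.own_permission(user, op):
            return True
        grant = self.delegations.get((user, op))
        if grant is None:
            return False
        delegator, expires_at = grant
        return now < expires_at and self.own_permission(delegator, op)

    def delegate(self, delegator, delegate, op, now, ttl):
        """Let `delegate` perform `op` on the delegator's behalf for `ttl` seconds.
        Only rights the delegator holds personally can be delegated (no
        re-delegation of a delegated right). Returns True if recorded."""
        if not self.own_permission(delegator, op):
            return False
        self.delegations[(delegate, op)] = (delegator, now + ttl)
        return True

    def revoke_role(self, user, role):
        self.assignments.get(user, set()).discard(role)


if __name__ == "__main__":
    az = Authorizer({"alice": ["user_admin"], "bob": ["system_admin"],
                     "carol": ["sales_clerk"], "dave": []})
    print(az.permitted("bob", "user:reset_password"))              # True, via hierarchy
    print(az.delegate("bob", "dave", "user:reset_password", 0, 3600))
    print(az.permitted("dave", "user:reset_password", now=10))     # True, delegated
    print(az.permitted("dave", "user:reset_password", now=4000))   # False, expired
```

Tying a delegation to the delegator's current rights rather than copying the right at delegation time is what keeps de-provisioning honest: when the system administrator role is removed from bob, dave's delegated password-reset right disappears with it instead of lingering as an orphaned grant.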
9. Standardization
• ISO (and more specifically ISO/IEC JTC 1/SC 27 IT Security techniques, WG 5 Identity Access Management and Privacy techniques) is conducting standardization work for identity management (ISO 2009), such as the elaboration of a framework for identity management, including the definition of identity-related terms. The published standards and current work items (CD = committee draft, WD = working draft, as of the deck) include the following:
  – ISO/IEC 24760-1 A framework for identity management, Part 1: Terminology and concepts
  – ISO/IEC CD 24760-2 A framework for identity management, Part 2: Reference architecture and requirements
  – ISO/IEC WD 24760-3 A framework for identity management, Part 3: Practice
  – ISO/IEC 29115 Entity authentication assurance
  – ISO/IEC WD 29146 A framework for access management
  – ISO/IEC WD 29003 Identity proofing and verification
  – ISO/IEC 29100 Privacy framework
  – ISO/IEC 29101 Privacy architecture
  – ISO/IEC 29134 Privacy impact assessment methodology
10. Inter-institutional integration: the transport function
• Federations
• Peering of federations
  – Levels of assurance
  – Attribute mapping
  – WAYF ("Where Are You From", i.e. IdP discovery) functionality
• Virtual Organizations (VOs)
11. Federated identity
• A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
• Related to federated identity is single sign-on (SSO), in which a user's single authentication ticket, or token, is trusted across multiple IT systems or even organizations. SSO is a subset of federated identity management, as it relates only to authentication and is understood at the level of technical interoperability.
• FIdM, or the "federation" of identity, describes the technologies, standards and use cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Identity federation comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise-controlled.
• Technologies used for federated identity include SAML (Security Assertion Markup Language), OAuth, OpenID, security tokens (Simple Web Tokens, JSON Web Tokens and SAML tokens), Web Services specifications, Microsoft Azure cloud services and Windows Identity Foundation.
• Note that OAuth on its own is an authorization-delegation protocol, not an authentication protocol; OpenID Connect is the identity layer built on top of it, and treating a bare OAuth access token as proof of who the user is is a well-known federation mistake.
12. Federated identities
• "Federated identities" is
  – a hierarchical approach to decompose the problem into manageable pieces;
  – analogous to the problem that IAM addresses, and rests upon IAM infrastructure.
• "Identity federation" (noun) is a set of service providers, identity providers and other context in which the magic happens.
13. Federating technologies
• SAML implementations
  – Security Assertion Markup Language
  – Shibboleth
  – Bodington/Guanxi
  – AthensIM
  – SourceID
  – SAMUEL
  – MS ADFS
  – Other proprietary
• Liberty Identity Federation implementations
  – SourceID
  – Lasso
  – Proprietary
• Others
  – MS Inter-Forest Trust
14. IAM life cycle phases
• User access request and approve
  – Objective: gaining access to the applications, systems and data required to be productive.
  – Common challenges:
    • Processes differ by location, business unit and resource.
    • Approvers have insufficient context of user access needs: do users really need access to private or confidential data?
    • Users find it difficult to request required access.
• Reconcile
  – Objective: enforcing that access within the system matches the approved access levels.
  – Common challenges:
    • Actual rights on systems exceed access levels that were originally approved/provisioned.
    • There is no single authoritative identity repository for employees/non-employees.
• Review and certify
  – Objective: reviewing user access periodically to realign it with job function or role.
  – Common challenges:
    • Processes are manual and differ by location, business unit and resource.
    • Reviewers must complete multiple, redundant and granular access reviews.
    • Reviewers have insufficient context of user access needs.
• Provision/de-provision
  – Objective: granting users appropriate entitlements and access in a timely manner; revoking access in a timely manner when it is no longer required due to termination or transfer.
  – Common challenges:
    • Timelines to grant/remove access are excessive.
    • Inefficient and error-prone manual provisioning processes are used.
    • Access profile cloning occurs inappropriately.
    • Ad hoc job-role-to-access-profile mappings exist.
    • Inappropriate access may not be de-provisioned.
• Enforce
  – Objective: enforcing user access to applications and systems using authentication and authorization; enforcing compliance with access management policies and requirements.
  – Common challenges:
    • Applications do not support central access management solutions (directories, web single sign-on).
    • Access management policies do not exist.
    • Role/rule-based access is used inconsistently.
    • Segregation of duties (toxic combinations) is not enforced.
• Report and audit
  – Objective: defining business-relevant key performance indicators (KPIs) and metrics; auditing user access.
  – Common challenges:
    • KPIs/metrics do not exist or do not align with business-driven success criteria (e.g., reduce risk by removing terminated user access on the day of termination).
    • Audits are labor intensive.
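The reconcile, de-provision and enforce phases above, as an added example that is not part of the slides: what was approved is compared with what the target systems actually grant, producing the three findings a reconciliation run should emit (rights to revoke, approved rights that were never provisioned, and orphan accounts with no active identity behind them), and the toxic-combination check is run over the actual rights rather than the approved ones. The identity list, approved-access matrix, toxic pairs and CSV export are all constructed for the example.

```python
"""Reconcile and segregation-of-duties checks for the IAM life cycle.

Added example, not from the slides. The authoritative identity list, the
approved-access matrix, the toxic-combination list and the target-system
export are all constructed for the example.
"""
import csv
import io
from collections import defaultdict

# Authoritative identity repository (HR feed stand-in): identity -> active?
IDENTITIES = {"alice": True, "bob": True, "carol": False}   # carol: terminated

# Output of the request/approve phase: identity -> approved (system, entitlement)
APPROVED = {
    "alice": {("erp", "order_entry")},
    "bob":   {("erp", "credit_approval"), ("crm", "read")},
}

# Toxic combinations: pairs one person must never hold at the same time.
TOXIC = [(("erp", "order_entry"), ("erp", "credit_approval"))]

# Entitlements as actually exported from the target systems (constructed).
EXPORT = """\
system,account,entitlement
erp,alice,order_entry
erp,alice,credit_approval
erp,bob,credit_approval
crm,carol,read
"""


def parse_export(text):
    """account -> {(system, entitlement)} from a CSV export."""
    actual = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        actual[row["account"]].add((row["system"], row["entitlement"]))
    return dict(actual)


def reconcile(approved, actual, identities):
    """Compare what systems actually grant with what was approved.

    revoke:    (account, system, entitlement) present but never approved
    provision: (identity, system, entitlement) approved but not present
    orphan:    accounts with no active identity behind them (terminated or
               unknown): de-provision the whole account, whatever it holds
    """
    findings = {"revoke": set(), "provision": set(), "orphan": set()}
    for account, ents in actual.items():
        if not identities.get(account, False):
            findings["orphan"].add(account)
            continue
        for ent in ents - approved.get(account, set()):
            findings["revoke"].add((account,) + ent)
    for ident, ents in approved.items():
        if identities.get(ident, False):
            for ent in ents - actual.get(ident, set()):
                findings["provision"].add((ident,) + ent)
    return findings


def sod_violations(actual, toxic=TOXIC):
    """(account, ent_a, ent_b) for every toxic pair an account holds in full.
    Run on *actual* rights, not approved ones: approval workflows are exactly
    where toxic combinations slip through one request at a time."""
    return {(account, a, b)
            for account, ents in actual.items()
            for a, b in toxic
            if a in ents and b in ents}


if __name__ == "__main__":
    actual = parse_export(EXPORT)
    for kind, items in reconcile(APPROVED, actual, IDENTITIES).items():
        print(kind, sorted(items))          # revoke/provision/orphan findings
    print("sod", sorted(sod_violations(actual)))
```

On the constructed data the run flags alice's unapproved credit_approval right for revocation, bob's approved but missing CRM access for provisioning, carol's surviving CRM account as an orphan, and alice as holding the order-entry/credit-approval toxic pair; the orphan case is the "terminated user access removed on the day of termination" KPI from the report-and-audit phase made checkable.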
15. Cloud computing
• Several distinct scenarios have emerged with the evolution of cloud computing and IAM: there is a need to securely access applications hosted in the cloud, and there is a need to manage identities in cloud-based applications, including protecting personally identifiable information (PII). Federation, role-based access control (RBAC) and cloud application identity management solutions have emerged to address these requirements.
• The concept of identity as a service (IDaaS) is also an emerging solution to this challenge and has made it possible to accelerate the realization of benefits from IAM deployments. IDaaS aims to support federated authentication, authorization and provisioning. As an alternative to on-premises IAM solutions, IDaaS allows organizations to avoid the expense of extending their own IAM capabilities to their cloud service provider while still supporting secure interaction with a cloud computing environment. When using IDaaS, instead of a traditional on-premises IAM system, these capabilities are provided by a third-party-hosted service provider.
16. Identity provisioning
• Identity provisioning practice within an organization deals with the provisioning and de-provisioning of various types of user accounts (e.g., end user, application administrator, IT administrator, supervisor, developer, billing administrator) to cloud services. It is very common for cloud services to rely on a registry of users, each representing either an individual or an organization, maintained by the cloud service provider (CSP) to support billing, authentication, authorization, federation and auditing processes.
• With the rapid adoption of cloud services, customers must find ways to automate the provisioning and de-provisioning of users using industry-standard specifications such as SPML and web APIs. (SPML saw little adoption by cloud providers; the provisioning standard they actually implement today is SCIM, RFC 7643/7644, which exposes users and groups as a REST/JSON API.)
• Software as a Service / Platform as a Service
  – SPML adoption by CSPs and support for automated provisioning with workflows.
  – Customer adoption of automated provisioning using CSP-supplied connectors.
  – Support for transient provisioning using SAML (the account is created just in time from the attributes in the assertion at first login).
  – PaaS provider support for delegated user administration to owners of applications hosted on the PaaS platform.
17. Authentication
• Authentication is the process of validating or confirming that access credentials provided by a user (for instance, a user ID and password) are valid. A user in this case could be a person, another application or a service; all should be required to authenticate.
• SaaS and PaaS: credential management presents a significant challenge in any environment. In SaaS and PaaS cloud environments, various options are available based on the type of cloud service.
• SaaS and PaaS providers typically offer built-in authentication services to their applications or platforms, and alternatively support delegating authentication to the enterprise.
• Customers have the following options:
  – Enterprise: consider authenticating users with the enterprise's Identity Provider (IdP) and establishing trust with the SaaS vendor by federation.
  – Individual user (acting on their own behalf): consider using user-centric authentication such as Google, Yahoo ID, OpenID, Live ID, etc., to enable use of a single set of credentials at multiple sites.
• Note: any SaaS provider that requires proprietary methods to delegate authentication (e.g., handling trust by means of a shared encrypted cookie or other means) should be carefully considered, with a proper security evaluation, before proceeding. The general preference should be for the use of open standards.
18. IaaS authentication
• In IaaS, two sets of users need to be authenticated. The first set is enterprise IT personnel, who will deploy and manage applications. The second set is application users, who might be employees, customers or partner organizations. For IT personnel, establishing a dedicated VPN is generally the better option, as they can leverage existing systems and processes.
• A dedicated VPN tunnel works better when the application leverages existing identity management systems, such as a single sign-on (SSO) solution or an LDAP-based authentication service that provides an authoritative source of identity data.
• In cases where a dedicated VPN tunnel is not feasible, applications should be designed to accept authentication assertions in various formats (SAML, WS-Federation, etc.), in combination with standard web encryption such as TLS (still widely called SSL). This approach enables organizations to federate SSO outside the enterprise, extending it to cloud applications.
• OpenID is another option when the application is targeted beyond enterprise users.
• OATH (Initiative for Open Authentication) compliant systems, i.e. those implementing the HOTP (RFC 4226) and TOTP (RFC 6238) one-time-password algorithms, can support any similarly compliant form factor, including hardware tokens, cell phones and PDAs, because the server only needs the shared secret and a counter or clock, not a vendor-specific protocol.
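The OATH algorithms mentioned above, as an added example that is not part of the slides: HOTP (RFC 4226) and TOTP (RFC 6238) implemented from the standard library, plus the two server-side behaviours that make them safe to deploy, a bounded clock-skew window for TOTP and a look-ahead window with a counter that never moves backwards for HOTP. The secret is the RFC test-vector secret so the outputs can be checked against the published vectors; the window sizes are design choices of this example.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238), the algorithms behind OATH tokens.

Added example, not from the slides. The secret is the RFC test-vector secret
so outputs can be checked against the published vectors; the look-ahead
window and clock-skew allowance are design choices of this example.
"""
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"   # the RFC 4226 / RFC 6238 test secret


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP with the counter derived from time."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret, code, unix_time, step=30, digits=6, skew=1):
    """Accept the current step or up to `skew` steps either side (clock drift).
    Comparisons are constant-time; keep `skew` small, since every extra step
    is another code an attacker may guess."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(secret, t + d, digits), code)
               for d in range(-skew, skew + 1))


class HotpValidator:
    """Server side of an event-based token: a look-ahead window so a few
    presses without a login do not desynchronise the token, and a counter
    that only moves forward so an observed code can never be replayed."""

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.counter = 0          # next counter value we expect

    def verify(self, code):
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # codes at or below c are now dead
                return True
        return False


if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                   # 755224 (RFC 4226 vector)
    print(totp(RFC_SECRET, 59, digits=8))        # 94287082 (RFC 6238 vector)
    v = HotpValidator(RFC_SECRET)
    print(v.verify("755224"), v.verify("755224"))  # True False: no replay
```

Both verifiers are deliberately stateful on the server side only: the token needs nothing but the secret and its own counter or clock, which is exactly why any OATH-compliant form factor can be enrolled against the same validation service.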
19. Identity as a Service (IDaaS)
• Identity as a Service (IDaaS) is an authentication infrastructure that is built, hosted and managed by a third-party service provider. IDaaS can be thought of as single sign-on (SSO) for the cloud.
• According to Gartner, IDaaS functionality includes:
  – Identity governance and administration (IGA): this includes the ability to provision identities held by the service to target applications.
  – Access: this includes user authentication, single sign-on (SSO) and authorization enforcement.
  – Intelligence: this includes logging events and providing reporting that can answer questions such as "who accessed what, and when?"
• It offers all of the cloud's benefits, such as reduced on-site infrastructure, easier management and a broader range of integration options.
• Gregg Kreizman, research vice president at Stamford, Conn.-based research firm Gartner Inc., divides IDaaS services into two categories: web access software for cloud-based applications such as software as a service (SaaS) and web-architected applications; and cloud-delivered legacy identity management services. With the latter, vendors deliver the traditional identity management software stack from the cloud.
20. Enterprise architecture with IDaaS
• Identity services provide identity in a consistent, reusable way to all applications/services.
• This enables them to make identity an integral part of their business logic in a coordinated and meaningful way.
21. Threats
• Regardless of the operating model used, cloud computing creates new IAM risks that must be managed. Management of virtual servers within the cloud requires elevated rights which, when compromised, may give attackers the ability to gain control of the most valuable targets in the cloud. Such rights also give attackers the ability to create sophisticated data-intercept capabilities that may be difficult for cloud providers to detect in a timely manner. The risk of undetected data loss, tampering and resultant fraud can be magnified by the use of cloud computing unless equally sophisticated controls are in place. As a result, the implementation of controls over cloud computing services should account for both traditional risks and emerging risks that are unique to the cloud.
22. Key IAM capabilities
• Job role or application access matrices using rule-mining tools: this serves as the logical access foundation needed to embrace cloud-based and mobile applications, in addition to ensuring appropriateness of access, a key regulatory requirement, especially for data privacy.
• Automated workflow-based access request and approval processes, using job role or application access matrices and segregation-of-duties checking: this helps increase the consistency and efficiency of IAM procedures and reduces the risk of inappropriate access.
• Entitlement warehouse solution: this accelerates the ability to address security and access management needs across a high volume of applications, host and database platforms within large organizations; it results in streamlined provisioning/access attestation and provides a centralized view of access privileges across systems.
• Access proxy solutions and central authentication (application, host and database layers): this improves the end-user experience and addresses key requirements around user de-provisioning.
• Risk-based authentication solutions: this addresses exposures related to compromise of basic authentication techniques, enables secure access for sensitive transactions (e.g., access to PII) and fulfills key regulatory requirements around multifactor authentication.
• Identity analytics and behavioral analysis services integrated with DLP and security information and event management: this enables behavior-based profiling, identifies access outliers for risk-based verification and effectively reduces insider risk. Context-aware identity and access intelligence solutions are being used to identify anomalous activities and exception-based access, perform account analysis, and execute oversight and monitoring functions, helping to protect data governed by privacy regulations.
• Data and access management process governance program, which includes HR, application owners, information security and IAM stakeholders: this helps to confirm that the appropriate people (i.e., departments, roles) are supporting and sponsoring the IAM program, which is vital to the success of process and technology changes.
• Federation solutions: these improve the end-user experience and the management of identities for cloud-based applications.
• Consider emerging solutions that combine logical and physical security: these solutions address business risks related to critical infrastructure protection.
• Design solutions with future scalability requirements in mind: access transformation initiatives are undermined by a negative end-user experience, including performance delays; therefore, it is imperative to deploy solutions only after considering future adoption and scalability requirements.
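The rule-mining and access-outlier capabilities listed above, as an added example that is not part of the slides: given an entitlement-warehouse extract, each user's entitlements are compared with those of the peers who share their job role; entitlements almost everyone in the role holds become the candidate role definition (rule mining), and entitlements almost nobody in the role holds are flagged as outliers for the reviewer to look at first instead of being rubber-stamped in a bulk certification. The users, roles and entitlements are constructed, and the thresholds are design choices of this example.

```python
"""Peer-group access outlier detection and role mining for access review.

Added example, not from the slides. The entitlement records and job titles
are constructed; the thresholds are design choices of this example.
"""
from collections import Counter, defaultdict

# Constructed entitlement-warehouse extract: user -> (job role, entitlements)
USERS = {
    "ann": ("sales",   {"crm:read", "order:enter"}),
    "ben": ("sales",   {"crm:read", "order:enter"}),
    "cho": ("sales",   {"crm:read", "order:enter"}),
    "dee": ("sales",   {"crm:read", "order:enter", "crm:export"}),
    "eve": ("sales",   {"crm:read", "order:enter", "erp:admin"}),
    "fay": ("finance", {"erp:ledger", "erp:admin"}),
    "gus": ("finance", {"erp:ledger"}),
}


def analyse(users, outlier_below=0.25, role_at_least=0.8, min_peers=3):
    """Returns (outliers, mined_roles).

    outliers:    (user, entitlement, holders, peers) where fewer than
                 `outlier_below` of the user's role peers hold the entitlement;
                 these go to a reviewer for risk-based verification.
    mined_roles: role -> entitlements held by at least `role_at_least` of the
                 peers, a candidate job-role-to-access matrix (rule mining).
    Roles with fewer than `min_peers` members are skipped: one user cannot be
    an outlier against one other, and two users do not define a role.
    """
    by_role = defaultdict(list)
    for user, (role, _) in users.items():
        by_role[role].append(user)
    outliers, mined = [], {}
    for role, members in by_role.items():
        if len(members) < min_peers:
            continue
        counts = Counter(e for m in members for e in users[m][1])
        n = len(members)
        mined[role] = {e for e, c in counts.items() if c / n >= role_at_least}
        for m in members:
            for e in sorted(users[m][1]):
                if counts[e] / n < outlier_below:
                    outliers.append((m, e, counts[e], n))
    return outliers, mined


if __name__ == "__main__":
    found, roles = analyse(USERS)
    for user, ent, holders, peers in found:
        print(f"review: {user} holds {ent}, shared by {holders}/{peers} peers")
    for role, ents in roles.items():
        print(f"mined role {role}: {sorted(ents)}")
```

On the constructed data the sales role mines down to crm:read plus order:enter, and the two singletons (dee's export right and eve's ERP administrator right) are the only items a reviewer has to think about; the finance group is too small to say anything and is reported as such rather than guessed at. Lower `outlier_below` or raise `min_peers` on a real warehouse until the review queue is short enough that people actually read it.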