Damian T. Gordon, profile picture
Uploaded byDamian T. Gordon
PPTX, PDF271 views

Cloud Identity Management

This document discusses identity management and security in cloud computing. It covers key topics such as: - Centralized identity management provides benefits like a single user identity, consistent security policies, and reduced costs. - Authentication establishes a user's identity through credentials. Popular methods include JSON web tokens (JWTs) which use digital signatures to authenticate API requests without authenticating each one individually. - JWTs work by having a client authenticate once to get a token, then include that token in subsequent requests to prove identity without further authentication. The token contains identity claims and is digitally signed by an authentication authority.

Education
Related topics:
Identity Management

Embed presentation

Download to read offline
Cloud Computing Identity Management and Security TECH9810 - System Architectures
Identity Management ● The term identity management describes the process of managing individuals, entities or group authentication, authorisation, roles, privileges, etc across the enterprise information systems suite ● The majority of enterprise applications will require the identity of their users and entities to be verified and to restrict what actions particular users and entities can carry out within them ● A typical enterprise user will need to access and use dozens of different applications all of which will have this authentication and authorisation requirement ● Same issue arises with cloud services
Centralised ● Intuitively, it makes sense that identity management would be largely centralised within the Enterprise/Cloud for at least three compelling reasons ● The presumed tradeoff here the that the benefit of the increased complexity and inflexibility of a centralised approach outweighs the downsides of a looser, distributed autonomous approach ● Identity - The same user or entity (having a single identity everywhere) can be managed and tracked across all of their application accesses and ● Security - Centralisation enforces consistency as to how privileges are applied and standards are maintained across the enterprise IS suite; In addition, it is easier to take remedial action in the event of a security breach ● Cost Control - Centralisation allows for the reduction or elimination of duplication which should be more cost effective
Cloud Vendor Identity Management Systems ● All of the large providers offer, as a packaged service, some kind of identity management tier which can be used to mediate access to cloud resources ● But cloud-based applications need to support some identity management system at the application layer which may or may not be able to leverage the vendor’s offering ● And anyway, there’s the lock-in consideration ● We’ll focus here on the application-layer building blocks as they pertain to cloud-hosted application services in the enterprise context
Activation ● User identities are created using a process often known as activation ● This is a one-time event where a user is created within the identity management system and assigned the appropriate privileges ● For example, onboarding a new employee or creating a materials supplier account ● In the following discussion, we will assume that users are already activated and have been provided their credentials and privileges
Authentication ● The term authenticate means to establish and verify the identity of some user ● Activated users authenticated through credentials usually comprising a publicly-known part and one or more secrets, known only to the user ● The base assumption is that the activated user who can successfully pass a credentials check is authenticated ● The authenticated user then assumes some preassigned identity within the application(s) for subsequent access and actions
Authentication Strength ● Security is second only to correctness in enterprise information systems because of the sensitivity of the data being managed and processed ● As authentication is the first line of defence of the access network and the application software itself, enterprises increasingly employ ever more sophisticated credential schemes to make them harder to compromise ● In general, the more secrets that are required, the more secure the scheme will be ● Multi-factor authentication implies two or more secrets are needed ● Something you know and something you have ● Includes a so-called air-gap
Credentials Distribution ● The chicken and egg problem for authentication systems is how the would-be authenticating user has possession of their credentials before they need to use them (e.g. a shared secret or two-factor device) ● This is typically solved by using some out-of-band distribution mechanism, i.e. over some other interface which is not the API itself ● Credentials distribution can be a complex problem and is the concern of the wider identify management system itself ● We will assume, for our discussion, that the user already has somehow obtained the necessary credentials prior to authentication
Authenticating Authority ● We will also assume the existence of some authenticating authority that we can programmatically consult to authenticate a user ● In the context of a SOA, we can imagine this authority is just another service that exposes a secure API allowing the users credentials to be presented and a response as to whether that user is authenticated ● The authentication authority is itself an abstraction of the underlying identity management system’s security mechanism and policy framework
Authenticating API Requests ● In SOA application stacks, each service makes requests of some other service to carry out some function on its behalf ● In reality, a service request is typically carried out on behalf of some identity (ultimately a user) which, in most cases, will require the request to be authenticated and authorised before being executed ● There are two approaches for authenticating API requests, namely: ● In both approaches, the requesting service must possess the identity credentials (shared secret) in advance by some out-of-band means 1. Authenticate each and every service request at request time 2. Preauthenticate in advance and use some temporary access token for each subsequent request verified at request time
API Authentication Independence ● It is generally good practice to decouple the API authentication specification from the API specification itself ● The principal advantage is that different mechanisms (or none) can used with the same API in different contexts ● By implication, the API call syntax is therefore not directly polluted with authentication syntax but rather as a wrapper around API messages ● In context of HTTP-based API like REST, the authentication data would generally be carried in one or more specialised header fields Auth Data API Data
Authentication Methods ● We mentioned already, that there are two approaches for authenticating API requests, namely: ● (1) is usually done using Hashing, and (2) is usually done with tokens (that may or may not be encrypted. 1. Authenticate each and every service request at request time 2. Preauthenticate in advance and use some temporary access token for each subsequent request verified at request time
JSON Web Tokens
Pre-authentication ● JSON web tokens (JWTs) are an example of a pre-authentication and token scheme ● In pre-authentication schemes, the API caller performs the authentication steps in advance and then uses some issued token to make subsequent API requests ● The issued token, usually temporary in nature, acts as a cheaper-to- implement proxy for having to authenticate each request separately ● In addition to being less resource-intensive, JWT pre-authentication, being stateless, can also be easier to distribute, allowing for better performance and scalability characteristics of the API system
How JWTs Work ● JWT is a simple idea which is based on secure message signing 1. The client issues an authentication request which includes the requester credentials, called claims 2. The server verifies the claims for the requester with the authenticating authority 3. Assuming verified, the server then builds a BASE64-encoded token, which includes caller identity information and an expiry timestamp 4. The token is then signed using a secure MAC by the authenticating authority using its secret private key 5. The server responds to the client with the signed token to indicate success 6. In subsequent API requests, the client includes this token (called a bearer token) in the request header 7. The server verifies the token signature using the public key and un-bundles the token information to determine the user identity and token expiry timestamp 8. If successful, the server allows the request forward for further verification and processing
● The logical view of JWT authentication looks like something like this: JWT Authentication Authenticating Authority API Server Client Tier Public Key Private Key
RFC 7519 ● At the time of writing the JWT authentication scheme is covered by an RFC proposed standard which sets out the format of messages and the expected behaviour of participating parties ● The standard describes the format of a token as follows (dot-separated) Header Payload Signature { "typ": "JWT", "alg": "HS256" } { "sub": "user:12345", "iat": "1300819380", "exp": "1300829380" } Hashed and signed over the previous parts: ● Header ● Payload eyJhbGciOiJIUzI1NiIsI nR5cCI6IkpXVCJ9... eyJleHAiOjE0ODgxMzMzMjcsImlhdCI 6MTQ4Nzg3NDEyNywic3ViIj... 03f329983b86f7d9a9f5fef853 05880101d5e302afaf... base64
Signing Method ● The JWT specification allows for different crypto technologies to be used in the signing process ● The authenticating authority can include a field in the token specifying which hashing and encryption algorithm was used to create the token signature (e.g. HMAC-SHA256 or RSA-SHA256) ● If symmetric key signing is used, then both the issuer and the verifier need to possess the same shared secret ● If asymmetric key signing is used, then the issuer can hold the private key and the verifiers can use the public key
JWT Security Properties ● Operationally, it should be noted that the cryptography described in the RFC 7519 mechanism is used for signing tokens which establishes two important facts about a token ● Importantly, RFC 7519 does not provide for token encryption so it is expected that services using JWTs would independently implement some token or transmission encryption system such as TLS ● The token must not be publicly divulged as an attacker could gain the same access as the compromised user 1. The issuer’s identity because of the secret key in its possession 2. The token’s integrity (i.e. that it has not been altered in any way)
Javascript API ● Install crypto packages and tools with NPM ● Example usage in JS npm install jsonwebtoken var jwt = require('jsonwebtoken'); // sign with RSA SHA256 (i.e. using HMAC256 hashing) var cert = fs.readFileSync('private.key'); // get private key from disk var token = jwt.sign({ sub: 'user:12345', iat: Math.floor(Date.now() / 1000) }, cert, { algorithm: 'RS256'});
Bearer Token ● Once created, signed and distributed by the server, the token can then be used by the client to authenticate a particular identity (i.e. user) ● The client does this by including the token in each API request in a header field Authorization: BEARER eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODg0NjQ5NTAsImlhdCI6MTQ4ODIwNTc1MC wic3ViIjoiOWJhNGRlYWItMDdiMy00NTVjLTk1YTMtMDhkYmQ4MGFkMmUwIn0.NShG3qC2I_LBxZoKX- 8UBz_kFkWKSzJs6JrgDc27P9Lbd-OR9nIsV35Jk2uNvspJH2VyZ7bHS3RR- 8CtTexRqcsozrkZsicBWbauX4ph3DULGST5ju3tVNXi-NsQoFHij- 4BPGNMjjr4DftwnKmJeGA0dI4exZ0Q33AHJVjXNAEVA16x9FOBMkBfXXDQFKIyJtg46GB3hd7IX8Di4WB8i V- 99bsb911UmSb1FKrZQ32zhpFQ0ybms2RGxN1MeMfYeZLjB4c3BpkrV84ucl3VoXd6qxWzuvWF9r6EyGa9kK xgtGIDOZB0kYCSLLKef9i2EDxyTCRmOK8HJvYwNdH-Vg
Expiry and Revocation ● It is common and a good practice to set some expiry time for server-issued tokens to force the API client to periodically reauthenticate ● This can be done including an expiry timestamp in the token which the client is free to read ● In other circumstances, the server may want to revoke a token altogether which can happen if: ● To implement revocation, the server (authenticating authority) must keep track of issued tokens and their status - less flexible and less scalable in practice ● The token is only intended to be user a fixed number of times (e.g. once) ● The associated identity credentials have been changed since the token was issued
Hash-based Message Authentication
Authenticate Every Request ● An alternative to pre-authentication (and tokens) is to authenticate each request individually ● Ideally we’d like to be able do this without having to incur any additional API calls ● The context here is that the API calls are being made on behalf of some identity which needs to be authenticated ● And we assume that client and server possess identity credentials (including a shared secret) distributed in advance by some out-of-band means
A Note on Hashing ● A hash function is any function that can be used to map data of arbitrary size to fixed-size values ● Use of hash functions relies on statistical properties of key and function interaction: worst- case behaviour is intolerably bad with a vanishingly small probability, and average-case behaviour can be nearly optimal (minimal collision). ● A hashed value cannot be de-hashed, it’s a one- way operation, unlike encryption.
Message Authentication ● A simple scheme which allows API calls to be authenticated with more extra messages is to securely authenticate each request using the shared key which works as follows: 1. The client generate a secure signature using on a HMAC (symmetric key) over the API message contents 2. This signature is sent along with the API request and a unique key to identify which user is making the request 3. On message receipt, the server, which also knows the shared secret key, generates the signature for the API call and compares it with the one being sent 4. If they match, then the server can assume that the client was in possession of the secret for the associated user (unique key) and is therefore authenticated
Security Properties ● It is assumed the the shared secret key is known only to the client and server and would be “hard” to guess (e.g. 320 bits) ● The signature is based on a known-secure hashing algorithm with a extremely low probability of collisions (e.g. SHA256) ● The hash is encrypted using a shared key symmetric-key algorithm (e.g. HMAC-SHA256) ● It is impossible for an attacker to generate the MAC of message and a secret key without knowing the secret key ● The message cannot be altered by an attacker and also pass the message integrity and signature check
Security Guidelines ● There is no standard which dictates how hash-based message authentication should be implemented but there are some good practice guidelines: ● In practice, enterprise solutions will provide for bespoke application-specific implementations of these guidelines 1. Use known-secure crypto algorithms (hashing and encryption for signature) 2. Include the message body (if any), the query parameters (if any), the resource path (assuming REST) and the unique key in the bytes block to be hashed 3. Randomise the request message signature to guard against replay attacks by, for example, including a variable component such as a timestamp 4. Independently encrypt the message (e.g. TLS) for transmission 5. Periodically reissue new secret keys and invalidate old ones
HTTP Message Authentication ● Let’s consider an HTTP-based API request (e.g. REST) being authenticated using HMAC-SHA256 ● Keeping with the principle of separating authentication metadata from API message data, we would see the authentication data being placed into a HTTP header field as in the following example: ● The encoding can be implementation specific - (e.g. could use base64 instead of hexadecimal) Authorization: HMAC-SHA256 Key=7e96106333af9110bc50d4f3cbfc806b76cf1a3a Signature=d44869e9bb60c5696dc72199388f96d89739a800891242509fbb827b9fee6 40988eafc7db540283d
Considerations ● Hash-based message authentication (when done properly) is secure and provides a high degree of confidence for authentication ● In theory, the per-request checking steps are no more expensive than pre- authentication and token verification schemes ● However, the HMAC verification may need to consult the authenticating authority each time so this can be more expensive and be less flexible and scalable in practice - (i.e. only the authority has a copy of the shared secret key) ● Generating signatures for API requests is non-trivial (a complex computation) and this adds some logical complexity to the client-side in terms of signing and solution testing
Authorisation
Authorization ● The term authorise will means to grant or reject access to specific operations on behalf of an API requester ● A prerequisite for authorisation (usually) is that the requester identity has already been verified, that is the requester has been authenticated ● By operation, we mean a query or an update of one or more service-managed resources ● Authorisation asks the question “does this identity have rights to carry out this operation on this resource?” ● For example, can a specific user add a new product to a catalog or change the attribute value of a product item?
Authorisation Authority ● In the context of an enterprise application stack, the authorisation checking would likely be carried out centrally within some component of the overall identity management system ● The benefit of centralisation of authorisation is similar to the benefit of centralised management of the authentication function, namely: ● Identity - The same user or entity (having a single identity everywhere) can be managed and tracked across all of their application accesses ● Security - Centralisation enforces consistency as to how privileges are applied and standards are maintained across the enterprise IS suite; In addition, it is easier to take remedial action in the event of a security breach ● Cost Control - Centralisation allows for the reduction or elimination of duplication which should be more cost effective
Granularity and Control ● At a high level, authorization is a mechanism for protecting assets from unauthorised access or modification ● Depending on the application, some assets may be open for reading and writing by anyone whereas others would be restricted to a small number of privileged users ● Authorisation schemes are characterised by the level of granularity and control they offer ● These range from crude CRUD-level checking to specific named operations on specific attributes of a resource
Granularity Illustration ● Suppose there exists a products table describing items for sale ● Users could be authorised at the level of creating new products, reading product descriptions, changing product descriptions or removing products ● Or alternatively, the authorisation could go down to the level of authorisation reads and update to a specific product attribute or could include rights to carry out other operations on the resource such as commenting on a product or sharing the product with a third-party ● In general, the more sophisticated the sets of operations support on a resource, the more granularity and control that is required
Rights and Privileges ● Rights (or privileges) are what determine what allowed to be carried out on a resource ● An authorisation is essentially a conferral of zero or more rights (associated with a resource) to a particular identity ● Resource rights can be granted or revoked and the managing services are expected to honour these rights contracts in their API implementations
Role-Based Access Control ● A popular way to model and implement authorisation schemes is to control access to resources and operations through a role abstraction ● A role is a convenience grouping of set of rights associated with an identity ● An identity may be assigned one or more roles ● The benefit of a role-based approach is that it simplifies the mapping of rights to identities ● Roles recognise the reality that many of the same kinds of users will want similar rights so the role acts as a convenience shorthand, albeit at the cost of an extra level of indirection
Authorisation Failures ● From an API perspective there is a question as to how to handle authorisation failures, i.e. requests for which the caller has insufficient rights to carry out, including, say, read operations ● There are two popular approaches each with different security characteristics 1. Return an “not authorised” status code to the caller (e.g. HTTP 403). This has the side-effect of validating the existence of the resource(s) but reporting that the attempted operation is not allowed 2. Return a “not found” status code to the caller (e.g. HTTP 404). This has the benefit of not leaking confirmation of the existence or non-existance of the resource(s) but is indistinguishable from either
The Good, the Bad, and the Interesting of Identity Management
THE GOOD
Identity Management: The Benefits ● Peace of mind ● The primary benefit of implementing it is simply peace of mind. ● When the relevant people know precisely who can access a business’s data, when they can access it, and how much of it they can access, a great sense of security is achieved.
Identity Management: The Benefits ● Boost in productivity ● By simply implementing IAM into any business, productivity trends upwards by a fairly significant amount. This can be traced back to IAM’s ability to simplify sign-ins, signups, or processes related to user management for end-users, systems administrators, and app owners themselves.
Identity Management: The Benefits ● Reduced IT costs ● By utilizing IAM to free up time spent on role changes or employee onboarding/offboarding, businesses can slash costs by a surprising amount. Not only this, with the inclusion of SSO (Single Sign-On), IT resources are freed up due to a reduction in help desk calls and service tickets.
Identity Management: The Benefits ● Information or data sharing ● By providing a platform for any information related to access and ID management, businesses are able to apply preset, customized security policies across all the company’s devices, which ensures no differentiation arises from one to the other (unless of course the business wants this).
Identity Management: The Benefits ● Remote access ● As the possibilities of remote work among businesses become more common, employees and/or clients need access to certain information, databases, webpages, etc., regardless of their physical location. SSO is a key feature in making this happen.
THE BAD
Identity Management: The Weaknesses ● Cloud security breaches ● If a business is committed to the cloud, access management and user identities must be secure to ensure minimal risk to the company’s and clients’ data. If a company’s IAM is unsecure, it has the potential to result in serious damage, which could be detrimental to the business.
Identity Management: The Weaknesses ● Infrequent audits ● While IAM makes business policy implementation a simple, streamline process, we need to update audit practices so they pertain to the access policies currently in place. It’s advised that businesses continue to schedule regular audits to allow for the potential discovery of vulnerabilities as well as for defining what can and should be automated.
Identity Management: The Weaknesses ● Business scaling issues ● With the possibility of new technologies, staff, policies, or other elements businesses may add as they grow, the IAM framework must scale to keep up with any of these changes. IAM, in some scenarios, can limit how these implementations scale. This is not always the case, but for many businesses that wish to scale as fast as possible, this is certainly something to consider.
Identity Management: The Weaknesses ● Incorrect definition of roles or attributes ● With somewhat of a vague idea of what access is required for certain user groups, many businesses often include too many users in a single group. Based on how permissions are defined, whether it’s by roles or attributes, business leaders must take into account why a person needs access to a particular resource.
Identity Management: The Weaknesses ● Offboarding of staff ● Believe it or not, offboarding employees can, at times, pose serious threats to a business in the long run. Though this is rarely a concern and only in some cases amounts to anything serious, the chance for a former employee to utilize their old business permissions with malicious intent always exists.
THE INTERESTING
Identity Management: Interesting ● Single sign-on capabilities are a must since having too many passwords tends to lead to insecure password management practices. Recent research reported by Dark Reading shows that 61% of people use the same password for multiple accounts and applications.
Identity Management: Interesting ● Installing an IAM solution in place helps the organization to cease manual privileges and permission settings that can sometimes lead to errors. Because of IAM, the IT team does not have to manage access rights to user or employee accounts manually – the process will be automated.
Identity Management: Interesting ● Security tools like IAM solutions come with modern technologies like machine learning (ML) algorithms to identify the internal threats and notify the security professionals for prompt actions.
Identity Management: Interesting ● Security tools like IAM solutions come with modern technologies like machine learning (ML) algorithms to identify the internal threats and notify the security professionals for prompt actions.
Cloud Identity Management

More Related Content

PPTX
Identity and Access Management (IAM)
byIdentacor
 
PDF
Cybersecurity - Mobile Application Security
byEryk Budi Pratama
 
PPTX
Network security
byEstiak Khan
 
PPTX
WLAN Attacks and Protection
byChandrak Trivedi
 
PDF
Email security
bySultanErbo
 
PDF
Virtualization security and threat
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PPTX
Information Security Awareness: at Work, at Home, and For Your Kids
byNicholas Davis
 
PPTX
Sql injections - with example
byPrateek Chauhan
 
Identity and Access Management (IAM)
byIdentacor
 
Cybersecurity - Mobile Application Security
byEryk Budi Pratama
 
Network security
byEstiak Khan
 
WLAN Attacks and Protection
byChandrak Trivedi
 
Email security
bySultanErbo
 
Virtualization security and threat
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Information Security Awareness: at Work, at Home, and For Your Kids
byNicholas Davis
 
Sql injections - with example
byPrateek Chauhan
 

What's hot

PPTX
Data security in cloud computing
byPrince Chandu
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
PPTX
Cloud security Presentation
byAjay p
 
PPTX
Domain 5 - Identity and Access Management
byMaganathin Veeraragaloo
 
PPTX
Network Security
bymoviebro1
 
PPTX
Cloud Encryption
byRituparnaNag
 
PPSX
Intrusion detection system
bygaurav koriya
 
PPT
authentication.ppt
byjayarao21
 
PPT
Ch07 Access Control Fundamentals
byInformation Technology
 
PDF
An overview of access control
byElimity
 
PDF
Malicious software
byDr.Florence Dayana
 
PPTX
The strategies of password
byMohammedAlhamoodi
 
PDF
Working with MS Endpoint Manager
byGeorge Grammatikos
 
PPT
Network security
byDhaval Kaneria
 
PPTX
Integrating Public & Private Clouds
byProact Belgium
 
PDF
Machine Learning in Cyber Security Domain
byBGA Cyber Security
 
PPTX
System Security-Chapter 1
byVamsee Krishna Kiran
 
PDF
Network Security Presentation
byAllan Pratt MBA
 
PPTX
Wireless Attacks
byprimeteacher32
 
PDF
Uso más seguro de contraseñas. Algunos consejos
byJuan Ramón Palomino de Frutos
 
Data security in cloud computing
byPrince Chandu
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
Cloud security Presentation
byAjay p
 
Domain 5 - Identity and Access Management
byMaganathin Veeraragaloo
 
Network Security
bymoviebro1
 
Cloud Encryption
byRituparnaNag
 
Intrusion detection system
bygaurav koriya
 
authentication.ppt
byjayarao21
 
Ch07 Access Control Fundamentals
byInformation Technology
 
An overview of access control
byElimity
 
Malicious software
byDr.Florence Dayana
 
The strategies of password
byMohammedAlhamoodi
 
Working with MS Endpoint Manager
byGeorge Grammatikos
 
Network security
byDhaval Kaneria
 
Integrating Public & Private Clouds
byProact Belgium
 
Machine Learning in Cyber Security Domain
byBGA Cyber Security
 
System Security-Chapter 1
byVamsee Krishna Kiran
 
Network Security Presentation
byAllan Pratt MBA
 
Wireless Attacks
byprimeteacher32
 
Uso más seguro de contraseñas. Algunos consejos
byJuan Ramón Palomino de Frutos
 

Similar to Cloud Identity Management

PPTX
Best Practices for API Security
byMuleSoft
 
PDF
IoT Security Elements
byEurotech
 
PPT
Unit_5 grid and cloud comuting security.pt
bygvlbcy
 
PDF
JWT stands for JSON Web Token. It's a compact, URL-safe means of representing...
byVarun Mithran
 
PPTX
Best Practices for API Security
byBui Kiet
 
PDF
API Security best practices Protect your APIs with Anypoint Platform
byMoumidBouabid
 
PDF
Talk Microservices to Me: The Role of IAM in Microservice Architecture
byWSO2
 
PPTX
Financial Grade OAuth & OpenID Connect
byNat Sakimura
 
PDF
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
byapidays
 
PDF
WSO2Con EU 2015: API Management Strategies and Best Practices
byWSO2
 
PPTX
Unit 3_detailed_automotiving_mobiles.pptx
byVijaySasanM21IT
 
PDF
Oauth Nightmares Abstract OAuth Nightmares
byNino Ho
 
PPT
CTO-CyberSecurityForum-2010-Brisson-Boren
bysegughana
 
PDF
New Trends in Web Security
byOliver Pfaff
 
PPTX
Microservices Manchester: Authentication in Microservice Systems by David Borsos
byOpenCredo
 
PDF
Identiverse 2018 nathanael coffing
byJoshuaCiccone2
 
PDF
Anil saldhana cloudidentitybestpractices
byAnil Saldanha
 
PDF
Apidays Paris 2023 - I Have an OAuth2 Access Token, Now what do I do with it,...
byapidays
 
PDF
JavaScript App Security: Auth and Identity on the Client
byJonathan LeBlanc
 
PPTX
Jacob has a horse, says Travis
byjacobideskog
 
Best Practices for API Security
byMuleSoft
 
IoT Security Elements
byEurotech
 
Unit_5 grid and cloud comuting security.pt
bygvlbcy
 
JWT stands for JSON Web Token. It's a compact, URL-safe means of representing...
byVarun Mithran
 
Best Practices for API Security
byBui Kiet
 
API Security best practices Protect your APIs with Anypoint Platform
byMoumidBouabid
 
Talk Microservices to Me: The Role of IAM in Microservice Architecture
byWSO2
 
Financial Grade OAuth & OpenID Connect
byNat Sakimura
 
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
byapidays
 
WSO2Con EU 2015: API Management Strategies and Best Practices
byWSO2
 
Unit 3_detailed_automotiving_mobiles.pptx
byVijaySasanM21IT
 
Oauth Nightmares Abstract OAuth Nightmares
byNino Ho
 
CTO-CyberSecurityForum-2010-Brisson-Boren
bysegughana
 
New Trends in Web Security
byOliver Pfaff
 
Microservices Manchester: Authentication in Microservice Systems by David Borsos
byOpenCredo
 
Identiverse 2018 nathanael coffing
byJoshuaCiccone2
 
Anil saldhana cloudidentitybestpractices
byAnil Saldanha
 
Apidays Paris 2023 - I Have an OAuth2 Access Token, Now what do I do with it,...
byapidays
 
JavaScript App Security: Auth and Identity on the Client
byJonathan LeBlanc
 
Jacob has a horse, says Travis
byjacobideskog
 

More from Damian T. Gordon

PPTX
Early 20th Century Modern Art: Movements and Artists
byDamian T. Gordon
 
PPTX
Writing an Abstract: A Question-based Approach
byDamian T. Gordon
 
PPTX
Introduction to Prompts and Prompt Engineering
byDamian T. Gordon
 
PPTX
Hyperparameter Tuning in Neural Networks
byDamian T. Gordon
 
PPTX
Introduction to Vibe Coding and Vibe Engineering
byDamian T. Gordon
 
PPTX
A History of Different Versions of Microsoft Windows
byDamian T. Gordon
 
PPTX
An Introduction to Generative Artificial Intelligence
byDamian T. Gordon
 
PPTX
A History of Versions of the Apple MacOS
byDamian T. Gordon
 
PPTX
Using GenAI for Universal Design for Learning
byDamian T. Gordon
 
PPTX
The Growth Mindset: Explanations and Activities
byDamian T. Gordon
 
PPTX
An Introduction to Green Computing with a fun quiz.
byDamian T. Gordon
 
PPTX
Some Ethical Considerations of AI and GenAI
byDamian T. Gordon
 
PPTX
Some Common Errors that Generative AI Produces
byDamian T. Gordon
 
PPTX
68 Ways that Data Science and AI can help address the UN Sustainability Goals
byDamian T. Gordon
 
PPTX
The Use of Data and Datasets in Data Science
byDamian T. Gordon
 
PPTX
Exam Preparation: Some Ideas and Suggestions
byDamian T. Gordon
 
PPTX
Copyright and Creative Commons Considerations
byDamian T. Gordon
 
PPTX
Studying and Notetaking: Some Suggestions
byDamian T. Gordon
 
PPTX
TRIZ: Theory of Inventive Problem Solving
byDamian T. Gordon
 
DOC
A CheckSheet for Inclusive Software Design
byDamian T. Gordon
 
Early 20th Century Modern Art: Movements and Artists
byDamian T. Gordon
 
Writing an Abstract: A Question-based Approach
byDamian T. Gordon
 
Introduction to Prompts and Prompt Engineering
byDamian T. Gordon
 
Hyperparameter Tuning in Neural Networks
byDamian T. Gordon
 
Introduction to Vibe Coding and Vibe Engineering
byDamian T. Gordon
 
A History of Different Versions of Microsoft Windows
byDamian T. Gordon
 
An Introduction to Generative Artificial Intelligence
byDamian T. Gordon
 
A History of Versions of the Apple MacOS
byDamian T. Gordon
 
Using GenAI for Universal Design for Learning
byDamian T. Gordon
 
The Growth Mindset: Explanations and Activities
byDamian T. Gordon
 
An Introduction to Green Computing with a fun quiz.
byDamian T. Gordon
 
Some Ethical Considerations of AI and GenAI
byDamian T. Gordon
 
Some Common Errors that Generative AI Produces
byDamian T. Gordon
 
68 Ways that Data Science and AI can help address the UN Sustainability Goals
byDamian T. Gordon
 
The Use of Data and Datasets in Data Science
byDamian T. Gordon
 
Exam Preparation: Some Ideas and Suggestions
byDamian T. Gordon
 
Copyright and Creative Commons Considerations
byDamian T. Gordon
 
Studying and Notetaking: Some Suggestions
byDamian T. Gordon
 
TRIZ: Theory of Inventive Problem Solving
byDamian T. Gordon
 
A CheckSheet for Inclusive Software Design
byDamian T. Gordon
 

Recently uploaded

PDF
The Drift Principle: When Information Accelerates Faster Than Minds Can Compress
byReality Drift Archive
 
DOCX
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
PDF
FAMILY ASSESSMENT FORMAT - CHN practical
byDr. Sudhadevi Sadanandan
 
PDF
Ketogenic diet in Epilepsy in children..
bymirzasania0810
 
PPTX
The Art Pastor's Guide to the Liturgical Calendar
bySteve Thomason
 
PDF
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
PDF
The Pity of War: Form, Fragment, and the Artificial Echo | Understanding War ...
byNidhi Pandya
 
PPTX
Cost of Capital - Cost of Equity, Cost of debenture, Cost of Preference share...
bySundar B N
 
PPTX
Vitamins and mineral deficiency , signs and symptoms associated with exercise
byvirupa chandrika reddy
 
PPTX
Campfens "The Data Qualify Challenge: Publishers, institutions, and funders r...
byNational Information Standards Organization (NISO)
 
PPTX
ELEMENTS OF COMMUNICATION (UNIT 2) .pptx
byPOOJA KARVANDE
 
PDF
Blue / Green: Troop Leading Procedure (TLP) Overview.pdf
byBlue / Green Training
 
PPTX
CHAPTER NO.08 HCP BY GG CLINICAL PHARMACY
byGanu Gavade
 
PDF
Models of Teaching - TNTEU - B.Ed I Semester - Teaching and Learning - BD1TL ...
byDr Raja Mohammed T
 
PDF
Current Electricity for first year physiotherapy
byGanesh Jadhav
 
PPTX
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
PDF
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
PPTX
Semester 6 unit 2 Atopic dermatitis.pptx
bysachin7989
 
PPTX
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
PDF
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
The Drift Principle: When Information Accelerates Faster Than Minds Can Compress
byReality Drift Archive
 
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
FAMILY ASSESSMENT FORMAT - CHN practical
byDr. Sudhadevi Sadanandan
 
Ketogenic diet in Epilepsy in children..
bymirzasania0810
 
The Art Pastor's Guide to the Liturgical Calendar
bySteve Thomason
 
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
The Pity of War: Form, Fragment, and the Artificial Echo | Understanding War ...
byNidhi Pandya
 
Cost of Capital - Cost of Equity, Cost of debenture, Cost of Preference share...
bySundar B N
 
Vitamins and mineral deficiency , signs and symptoms associated with exercise
byvirupa chandrika reddy
 
Campfens "The Data Qualify Challenge: Publishers, institutions, and funders r...
byNational Information Standards Organization (NISO)
 
ELEMENTS OF COMMUNICATION (UNIT 2) .pptx
byPOOJA KARVANDE
 
Blue / Green: Troop Leading Procedure (TLP) Overview.pdf
byBlue / Green Training
 
CHAPTER NO.08 HCP BY GG CLINICAL PHARMACY
byGanu Gavade
 
Models of Teaching - TNTEU - B.Ed I Semester - Teaching and Learning - BD1TL ...
byDr Raja Mohammed T
 
Current Electricity for first year physiotherapy
byGanesh Jadhav
 
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
Semester 6 unit 2 Atopic dermatitis.pptx
bysachin7989
 
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 

Cloud Identity Management

  • 1.
    Cloud Computing Identity Managementand Security TECH9810 - System Architectures
  • 2.
    Identity Management ● Theterm identity management describes the process of managing individuals, entities or group authentication, authorisation, roles, privileges, etc across the enterprise information systems suite ● The majority of enterprise applications will require the identity of their users and entities to be verified and to restrict what actions particular users and entities can carry out within them ● A typical enterprise user will need to access and use dozens of different applications all of which will have this authentication and authorisation requirement ● Same issue arises with cloud services
  • 3.
    Centralised ● Intuitively, itmakes sense that identity management would be largely centralised within the Enterprise/Cloud for at least three compelling reasons ● The presumed tradeoff here the that the benefit of the increased complexity and inflexibility of a centralised approach outweighs the downsides of a looser, distributed autonomous approach ● Identity - The same user or entity (having a single identity everywhere) can be managed and tracked across all of their application accesses and ● Security - Centralisation enforces consistency as to how privileges are applied and standards are maintained across the enterprise IS suite; In addition, it is easier to take remedial action in the event of a security breach ● Cost Control - Centralisation allows for the reduction or elimination of duplication which should be more cost effective
  • 4.
    Cloud Vendor IdentityManagement Systems ● All of the large providers offer, as a packaged service, some kind of identity management tier which can be used to mediate access to cloud resources ● But cloud-based applications need to support some identity management system at the application layer which may or may not be able to leverage the vendor’s offering ● And anyway, there’s the lock-in consideration ● We’ll focus here on the application-layer building blocks as they pertain to cloud-hosted application services in the enterprise context
  • 5.
    Activation ● User identitiesare created using a process often known as activation ● This is a one-time event where a user is created within the identity management system and assigned the appropriate privileges ● For example, onboarding a new employee or creating a materials supplier account ● In the following discussion, we will assume that users are already activated and have been provided their credentials and privileges
  • 6.
    Authentication ● The termauthenticate means to establish and verify the identity of some user ● Activated users authenticated through credentials usually comprising a publicly-known part and one or more secrets, known only to the user ● The base assumption is that the activated user who can successfully pass a credentials check is authenticated ● The authenticated user then assumes some preassigned identity within the application(s) for subsequent access and actions
  • 7.
    Authentication Strength ● Securityis second only to correctness in enterprise information systems because of the sensitivity of the data being managed and processed ● As authentication is the first line of defence of the access network and the application software itself, enterprises increasingly employ ever more sophisticated credential schemes to make them harder to compromise ● In general, the more secrets that are required, the more secure the scheme will be ● Multi-factor authentication implies two or more secrets are needed ● Something you know and something you have ● Includes a so-called air-gap
  • 8.
    Credentials Distribution ● Thechicken and egg problem for authentication systems is how the would-be authenticating user has possession of their credentials before they need to use them (e.g. a shared secret or two-factor device) ● This is typically solved by using some out-of-band distribution mechanism, i.e. over some other interface which is not the API itself ● Credentials distribution can be a complex problem and is the concern of the wider identify management system itself ● We will assume, for our discussion, that the user already has somehow obtained the necessary credentials prior to authentication
  • 9.
    Authenticating Authority ● Wewill also assume the existence of some authenticating authority that we can programmatically consult to authenticate a user ● In the context of a SOA, we can imagine this authority is just another service that exposes a secure API allowing the users credentials to be presented and a response as to whether that user is authenticated ● The authentication authority is itself an abstraction of the underlying identity management system’s security mechanism and policy framework
  • 10.
    Authenticating API Requests ●In SOA application stacks, each service makes requests of some other service to carry out some function on its behalf ● In reality, a service request is typically carried out on behalf of some identity (ultimately a user) which, in most cases, will require the request to be authenticated and authorised before being executed ● There are two approaches for authenticating API requests, namely: ● In both approaches, the requesting service must possess the identity credentials (shared secret) in advance by some out-of-band means 1. Authenticate each and every service request at request time 2. Preauthenticate in advance and use some temporary access token for each subsequent request verified at request time
  • 11.
    API Authentication Independence ●It is generally good practice to decouple the API authentication specification from the API specification itself ● The principal advantage is that different mechanisms (or none) can used with the same API in different contexts ● By implication, the API call syntax is therefore not directly polluted with authentication syntax but rather as a wrapper around API messages ● In context of HTTP-based API like REST, the authentication data would generally be carried in one or more specialised header fields Auth Data API Data
  • 12.
    Authentication Methods ● Wementioned already, that there are two approaches for authenticating API requests, namely: ● (1) is usually done using Hashing, and (2) is usually done with tokens (that may or may not be encrypted. 1. Authenticate each and every service request at request time 2. Preauthenticate in advance and use some temporary access token for each subsequent request verified at request time
  • 13.
  • 14.
    Pre-authentication ● JSON webtokens (JWTs) are an example of a pre-authentication and token scheme ● In pre-authentication schemes, the API caller performs the authentication steps in advance and then uses some issued token to make subsequent API requests ● The issued token, usually temporary in nature, acts as a cheaper-to- implement proxy for having to authenticate each request separately ● In addition to being less resource-intensive, JWT pre-authentication, being stateless, can also be easier to distribute, allowing for better performance and scalability characteristics of the API system
  • 15.
    How JWTs Work ●JWT is a simple idea which is based on secure message signing 1. The client issues an authentication request which includes the requester credentials, called claims 2. The server verifies the claims for the requester with the authenticating authority 3. Assuming verified, the server then builds a BASE64-encoded token, which includes caller identity information and an expiry timestamp 4. The token is then signed using a secure MAC by the authenticating authority using its secret private key 5. The server responds to the client with the signed token to indicate success 6. In subsequent API requests, the client includes this token (called a bearer token) in the request header 7. The server verifies the token signature using the public key and un-bundles the token information to determine the user identity and token expiry timestamp 8. If successful, the server allows the request forward for further verification and processing
  • 16.
    ● The logicalview of JWT authentication looks like something like this: JWT Authentication Authenticating Authority API Server Client Tier Public Key Private Key
  • 17.
    RFC 7519 ● Atthe time of writing the JWT authentication scheme is covered by an RFC proposed standard which sets out the format of messages and the expected behaviour of participating parties ● The standard describes the format of a token as follows (dot-separated) Header Payload Signature { "typ": "JWT", "alg": "HS256" } { "sub": "user:12345", "iat": "1300819380", "exp": "1300829380" } Hashed and signed over the previous parts: ● Header ● Payload eyJhbGciOiJIUzI1NiIsI nR5cCI6IkpXVCJ9... eyJleHAiOjE0ODgxMzMzMjcsImlhdCI 6MTQ4Nzg3NDEyNywic3ViIj... 03f329983b86f7d9a9f5fef853 05880101d5e302afaf... base64
  • 18.
    Signing Method ● TheJWT specification allows for different crypto technologies to be used in the signing process ● The authenticating authority can include a field in the token specifying which hashing and encryption algorithm was used to create the token signature (e.g. HMAC-SHA256 or RSA-SHA256) ● If symmetric key signing is used, then both the issuer and the verifier need to possess the same shared secret ● If asymmetric key signing is used, then the issuer can hold the private key and the verifiers can use the public key
  • 19.
    JWT Security Properties ●Operationally, it should be noted that the cryptography described in the RFC 7519 mechanism is used for signing tokens which establishes two important facts about a token ● Importantly, RFC 7519 does not provide for token encryption so it is expected that services using JWTs would independently implement some token or transmission encryption system such as TLS ● The token must not be publicly divulged as an attacker could gain the same access as the compromised user 1. The issuer’s identity because of the secret key in its possession 2. The token’s integrity (i.e. that it has not been altered in any way)
  • 20.
    Javascript API ● Installcrypto packages and tools with NPM ● Example usage in JS npm install jsonwebtoken var jwt = require('jsonwebtoken'); // sign with RSA SHA256 (i.e. using HMAC256 hashing) var cert = fs.readFileSync('private.key'); // get private key from disk var token = jwt.sign({ sub: 'user:12345', iat: Math.floor(Date.now() / 1000) }, cert, { algorithm: 'RS256'});
  • 21.
    Bearer Token ● Oncecreated, signed and distributed by the server, the token can then be used by the client to authenticate a particular identity (i.e. user) ● The client does this by including the token in each API request in a header field Authorization: BEARER eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODg0NjQ5NTAsImlhdCI6MTQ4ODIwNTc1MC wic3ViIjoiOWJhNGRlYWItMDdiMy00NTVjLTk1YTMtMDhkYmQ4MGFkMmUwIn0.NShG3qC2I_LBxZoKX- 8UBz_kFkWKSzJs6JrgDc27P9Lbd-OR9nIsV35Jk2uNvspJH2VyZ7bHS3RR- 8CtTexRqcsozrkZsicBWbauX4ph3DULGST5ju3tVNXi-NsQoFHij- 4BPGNMjjr4DftwnKmJeGA0dI4exZ0Q33AHJVjXNAEVA16x9FOBMkBfXXDQFKIyJtg46GB3hd7IX8Di4WB8i V- 99bsb911UmSb1FKrZQ32zhpFQ0ybms2RGxN1MeMfYeZLjB4c3BpkrV84ucl3VoXd6qxWzuvWF9r6EyGa9kK xgtGIDOZB0kYCSLLKef9i2EDxyTCRmOK8HJvYwNdH-Vg
  • 22.
    Expiry and Revocation ●It is common and a good practice to set some expiry time for server-issued tokens to force the API client to periodically reauthenticate ● This can be done including an expiry timestamp in the token which the client is free to read ● In other circumstances, the server may want to revoke a token altogether which can happen if: ● To implement revocation, the server (authenticating authority) must keep track of issued tokens and their status - less flexible and less scalable in practice ● The token is only intended to be user a fixed number of times (e.g. once) ● The associated identity credentials have been changed since the token was issued
  • 23.
  • 24.
    Authenticate Every Request ●An alternative to pre-authentication (and tokens) is to authenticate each request individually ● Ideally we’d like to be able do this without having to incur any additional API calls ● The context here is that the API calls are being made on behalf of some identity which needs to be authenticated ● And we assume that client and server possess identity credentials (including a shared secret) distributed in advance by some out-of-band means
  • 25.
    A Note onHashing ● A hash function is any function that can be used to map data of arbitrary size to fixed-size values ● Use of hash functions relies on statistical properties of key and function interaction: worst- case behaviour is intolerably bad with a vanishingly small probability, and average-case behaviour can be nearly optimal (minimal collision). ● A hashed value cannot be de-hashed, it’s a one- way operation, unlike encryption.
  • 26.
    Message Authentication ● Asimple scheme which allows API calls to be authenticated with more extra messages is to securely authenticate each request using the shared key which works as follows: 1. The client generate a secure signature using on a HMAC (symmetric key) over the API message contents 2. This signature is sent along with the API request and a unique key to identify which user is making the request 3. On message receipt, the server, which also knows the shared secret key, generates the signature for the API call and compares it with the one being sent 4. If they match, then the server can assume that the client was in possession of the secret for the associated user (unique key) and is therefore authenticated
  • 27.
    Security Properties ● Itis assumed the the shared secret key is known only to the client and server and would be “hard” to guess (e.g. 320 bits) ● The signature is based on a known-secure hashing algorithm with a extremely low probability of collisions (e.g. SHA256) ● The hash is encrypted using a shared key symmetric-key algorithm (e.g. HMAC-SHA256) ● It is impossible for an attacker to generate the MAC of message and a secret key without knowing the secret key ● The message cannot be altered by an attacker and also pass the message integrity and signature check
  • 28.
    Security Guidelines ● Thereis no standard which dictates how hash-based message authentication should be implemented but there are some good practice guidelines: ● In practice, enterprise solutions will provide for bespoke application-specific implementations of these guidelines 1. Use known-secure crypto algorithms (hashing and encryption for signature) 2. Include the message body (if any), the query parameters (if any), the resource path (assuming REST) and the unique key in the bytes block to be hashed 3. Randomise the request message signature to guard against replay attacks by, for example, including a variable component such as a timestamp 4. Independently encrypt the message (e.g. TLS) for transmission 5. Periodically reissue new secret keys and invalidate old ones
  • 29.
    HTTP Message Authentication ●Let’s consider an HTTP-based API request (e.g. REST) being authenticated using HMAC-SHA256 ● Keeping with the principle of separating authentication metadata from API message data, we would see the authentication data being placed into a HTTP header field as in the following example: ● The encoding can be implementation specific - (e.g. could use base64 instead of hexadecimal) Authorization: HMAC-SHA256 Key=7e96106333af9110bc50d4f3cbfc806b76cf1a3a Signature=d44869e9bb60c5696dc72199388f96d89739a800891242509fbb827b9fee6 40988eafc7db540283d
  • 30.
    Considerations ● Hash-based messageauthentication (when done properly) is secure and provides a high degree of confidence for authentication ● In theory, the per-request checking steps are no more expensive than pre- authentication and token verification schemes ● However, the HMAC verification may need to consult the authenticating authority each time so this can be more expensive and be less flexible and scalable in practice - (i.e. only the authority has a copy of the shared secret key) ● Generating signatures for API requests is non-trivial (a complex computation) and this adds some logical complexity to the client-side in terms of signing and solution testing
  • 31.
  • 32.
    Authorization ● The termauthorise will means to grant or reject access to specific operations on behalf of an API requester ● A prerequisite for authorisation (usually) is that the requester identity has already been verified, that is the requester has been authenticated ● By operation, we mean a query or an update of one or more service-managed resources ● Authorisation asks the question “does this identity have rights to carry out this operation on this resource?” ● For example, can a specific user add a new product to a catalog or change the attribute value of a product item?
  • 33.
    Authorisation Authority ● Inthe context of an enterprise application stack, the authorisation checking would likely be carried out centrally within some component of the overall identity management system ● The benefit of centralisation of authorisation is similar to the benefit of centralised management of the authentication function, namely: ● Identity - The same user or entity (having a single identity everywhere) can be managed and tracked across all of their application accesses ● Security - Centralisation enforces consistency as to how privileges are applied and standards are maintained across the enterprise IS suite; In addition, it is easier to take remedial action in the event of a security breach ● Cost Control - Centralisation allows for the reduction or elimination of duplication which should be more cost effective
  • 34.
    Granularity and Control ●At a high level, authorization is a mechanism for protecting assets from unauthorised access or modification ● Depending on the application, some assets may be open for reading and writing by anyone whereas others would be restricted to a small number of privileged users ● Authorisation schemes are characterised by the level of granularity and control they offer ● These range from crude CRUD-level checking to specific named operations on specific attributes of a resource
  • 35.
    Granularity Illustration ● Supposethere exists a products table describing items for sale ● Users could be authorised at the level of creating new products, reading product descriptions, changing product descriptions or removing products ● Or alternatively, the authorisation could go down to the level of authorisation reads and update to a specific product attribute or could include rights to carry out other operations on the resource such as commenting on a product or sharing the product with a third-party ● In general, the more sophisticated the sets of operations support on a resource, the more granularity and control that is required
  • 36.
    Rights and Privileges ●Rights (or privileges) are what determine what allowed to be carried out on a resource ● An authorisation is essentially a conferral of zero or more rights (associated with a resource) to a particular identity ● Resource rights can be granted or revoked and the managing services are expected to honour these rights contracts in their API implementations
  • 37.
    Role-Based Access Control ●A popular way to model and implement authorisation schemes is to control access to resources and operations through a role abstraction ● A role is a convenience grouping of set of rights associated with an identity ● An identity may be assigned one or more roles ● The benefit of a role-based approach is that it simplifies the mapping of rights to identities ● Roles recognise the reality that many of the same kinds of users will want similar rights so the role acts as a convenience shorthand, albeit at the cost of an extra level of indirection
  • 38.
    Authorisation Failures ● Froman API perspective there is a question as to how to handle authorisation failures, i.e. requests for which the caller has insufficient rights to carry out, including, say, read operations ● There are two popular approaches each with different security characteristics 1. Return an “not authorised” status code to the caller (e.g. HTTP 403). This has the side-effect of validating the existence of the resource(s) but reporting that the attempted operation is not allowed 2. Return a “not found” status code to the caller (e.g. HTTP 404). This has the benefit of not leaking confirmation of the existence or non-existance of the resource(s) but is indistinguishable from either
  • 39.
    The Good, theBad, and the Interesting of Identity Management
  • 40.
  • 41.
    Identity Management: TheBenefits ● Peace of mind ● The primary benefit of implementing it is simply peace of mind. ● When the relevant people know precisely who can access a business’s data, when they can access it, and how much of it they can access, a great sense of security is achieved.
  • 42.
    Identity Management: TheBenefits ● Boost in productivity ● By simply implementing IAM into any business, productivity trends upwards by a fairly significant amount. This can be traced back to IAM’s ability to simplify sign-ins, signups, or processes related to user management for end-users, systems administrators, and app owners themselves.
  • 43.
    Identity Management: TheBenefits ● Reduced IT costs ● By utilizing IAM to free up time spent on role changes or employee onboarding/offboarding, businesses can slash costs by a surprising amount. Not only this, with the inclusion of SSO (Single Sign-On), IT resources are freed up due to a reduction in help desk calls and service tickets.
  • 44.
    Identity Management: TheBenefits ● Information or data sharing ● By providing a platform for any information related to access and ID management, businesses are able to apply preset, customized security policies across all the company’s devices, which ensures no differentiation arises from one to the other (unless of course the business wants this).
  • 45.
    Identity Management: TheBenefits ● Remote access ● As the possibilities of remote work among businesses become more common, employees and/or clients need access to certain information, databases, webpages, etc., regardless of their physical location. SSO is a key feature in making this happen.
  • 46.
  • 47.
    Identity Management: TheWeaknesses ● Cloud security breaches ● If a business is committed to the cloud, access management and user identities must be secure to ensure minimal risk to the company’s and clients’ data. If a company’s IAM is unsecure, it has the potential to result in serious damage, which could be detrimental to the business.
  • 48.
    Identity Management: TheWeaknesses ● Infrequent audits ● While IAM makes business policy implementation a simple, streamline process, we need to update audit practices so they pertain to the access policies currently in place. It’s advised that businesses continue to schedule regular audits to allow for the potential discovery of vulnerabilities as well as for defining what can and should be automated.
  • 49.
    Identity Management: TheWeaknesses ● Business scaling issues ● With the possibility of new technologies, staff, policies, or other elements businesses may add as they grow, the IAM framework must scale to keep up with any of these changes. IAM, in some scenarios, can limit how these implementations scale. This is not always the case, but for many businesses that wish to scale as fast as possible, this is certainly something to consider.
  • 50.
    Identity Management: TheWeaknesses ● Incorrect definition of roles or attributes ● With somewhat of a vague idea of what access is required for certain user groups, many businesses often include too many users in a single group. Based on how permissions are defined, whether it’s by roles or attributes, business leaders must take into account why a person needs access to a particular resource.
  • 51.
    Identity Management: TheWeaknesses ● Offboarding of staff ● Believe it or not, offboarding employees can, at times, pose serious threats to a business in the long run. Though this is rarely a concern and only in some cases amounts to anything serious, the chance for a former employee to utilize their old business permissions with malicious intent always exists.
  • 52.
  • 53.
    Identity Management: Interesting ●Single sign-on capabilities are a must since having too many passwords tends to lead to insecure password management practices. Recent research reported by Dark Reading shows that 61% of people use the same password for multiple accounts and applications.
  • 54.
    Identity Management: Interesting ●Installing an IAM solution in place helps the organization to cease manual privileges and permission settings that can sometimes lead to errors. Because of IAM, the IT team does not have to manage access rights to user or employee accounts manually – the process will be automated.
  • 55.
    Identity Management: Interesting ●Security tools like IAM solutions come with modern technologies like machine learning (ML) algorithms to identify the internal threats and notify the security professionals for prompt actions.
  • 56.
    Identity Management: Interesting ●Security tools like IAM solutions come with modern technologies like machine learning (ML) algorithms to identify the internal threats and notify the security professionals for prompt actions.