Study Notes: CCSK Identity, Entitlement, and Access Management

Here are my study notes from Identity, Entitlement, and Access Management in Graham Thompson’s CCSK book.

Identity and Access Management Terms

| Term | Description |
|---|---|
| Entity | Someone or something with identity |
| Identity | Unique expression of an entity within an environment |
| Identifier | Cryptographic token tied to an identity, application or service |
| Attribute | A static or dynamic aspect of an identity |
| Persona | The combination of identity and attributes in a specific situation/context |
| Role | Temporary credential or job function |
| Authentication (AuthN) | Process of confirming identity |
| Multifactor authentication (MFA) | Something you know, something you have, something you are |
| Access control | A technical implementation that restricts access to a resource |
| Accounting | Logging and monitoring activities |
| Authorization (AuthZ) | Provides access for an identity |
| Entitlement | Mapping between an identity and its authorization |
| Single Sign-On (SSO) | Token system used to allow one sign-in across multiple systems |
| Federated identity management | Enables authenticating locally and authorizing remotely in the context of SSO |
| Authoritative source | The source of an identity |
| Identity provider | The identity management party |
| Relying party | System that consumes identity assertions from the provider |

Identity and Access Management Standards

| Standard | Description |
|---|---|
| Security Assertion Markup Language (SAML) | Federated identity management standard supporting both authentication and authorization. |
| OAuth | Authorization standard used for web and consumer services. |
| OpenID | Standard for federated authentication, using URLs to identify identity providers. |

Questions to ask when designing IAM solutions

  • How will identities for application code, systems, devices, and other services be managed?
  • How will the identity provisioning process change when consuming cloud services, if at all?
  • How will new cloud providers be onboarded and integrated with the IAM solution?

Other considerations when establishing federation

  • Building a permissions matrix based on the relevant cloud service model (SaaS, IaaS, etc.)
  • Determining how attributes will be mapped between the identity provider and the relying party.
  • Determining and enabling monitoring and logging to meet security policies.
  • Documenting any break/fix processes related to services used.
  • Updating current incident response plans related to identity takeovers to include the cloud environment.
  • Determining how accounts can be deprovisioned or changed in the cloud environment.
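The federation terms above (identity provider, relying party, entitlement) and the attribute-mapping consideration come together in this added example, which is not from the CCSK book or the original notes: a stand-in identity provider signs a short-lived assertion, and the relying party verifies the signature, audience and expiry before mapping attributes to entitlements. The HMAC shared secret, URLs, attribute names and entitlement strings are constructed assumptions; real SAML and OIDC deployments use asymmetric signatures and certificates.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: a shared HMAC secret stands in for the identity
# provider's signing key (real SAML/OIDC uses asymmetric keys and certificates).
IDP_SECRET = b"constructed-demo-secret"
RP_AUDIENCE = "https://rp.example.test"  # constructed relying-party identifier

# Attribute mapping agreed between identity provider and relying party:
# (attribute name, value) -> entitlements granted on the relying party.
ATTRIBUTE_TO_ENTITLEMENTS = {
    ("department", "finance"): {"invoices:read", "invoices:approve"},
    ("department", "engineering"): {"repos:read", "repos:write"},
    ("mfa", "true"): {"console:login"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest())

def idp_issue_assertion(subject, attributes, audience, now=None, ttl=300):
    """Identity provider: after authenticating the user locally, issue a
    short-lived signed assertion addressed to one relying party."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "aud": audience, "iat": now,
               "exp": now + ttl, "attrs": attributes}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def rp_consume_assertion(token, now=None):
    """Relying party: accept only assertions signed by the trusted provider,
    addressed to us and unexpired, then map attributes to entitlements."""
    now = int(time.time()) if now is None else now
    body, _, sig = token.rpartition(".")
    if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        raise ValueError("signature invalid: not from the trusted identity provider")
    payload = json.loads(_unb64(body))
    if payload.get("aud") != RP_AUDIENCE:
        raise ValueError("audience mismatch: assertion issued for another relying party")
    if now >= payload["exp"]:
        raise ValueError("assertion expired")
    entitlements = set()
    for name, value in payload["attrs"].items():
        entitlements |= ATTRIBUTE_TO_ENTITLEMENTS.get((name, str(value).lower()), set())
    return payload["sub"], entitlements
```

The relying party never authenticates the user itself; it only decides what the verified attributes entitle the subject to, which is the "authenticate locally, authorize remotely" split described in the terms table.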

Authentication and Credentials

| Option | Description |
|---|---|
| Hard token | Physical device presenting a one-time password |
| Soft token | Like a hard token, but runs as software on a phone or computer |
| Out-of-band passwords | Separate communication methods, like SMS. |
| Biometrics | Involves the “something you are” factor of authentication. |
