Study Notes: CCSK Identity, Entitlement, and Access Management
Here are my study notes from the Identity, Entitlement, and Access Management chapter of Graham Thompson’s CCSK book.
Table of Contents
- Identity and Access Management Terms
- Identity and Access Management Standards
- Questions to ask when designing IAM solutions
- Authentication and Credentials
Identity and Access Management Terms
Term | Description |
---|---|
Entity | Someone or something with identity |
Identity | Unique expression of an entity within an environment |
Identifier | Cryptographic token tied to identity, application or service |
Attribute | A static or dynamic aspect of an identity |
Persona | The combination of identity and attributes in a specific situation/context |
Role | Temporary credential or job function |
Authentication (AuthN) | Process of confirming identity |
Multifactor authentication (MFA) | Something you know, something you have, something you are |
Access control | A technical implementation that restricts access to a resource |
Accounting | Logging and monitoring activities |
Authorization (AuthZ) | Provides access for an identity |
Entitlement | Mapping between an identity and its authorization |
Single Sign-On (SSO) | Token system used to allow one sign-in across multiple systems |
Federated identity management | Enables authenticating locally and authorizing remotely in the context of SSO |
Authoritative source | The source of an identity |
Identity provider | The identity management party |
Relying party | System that consumes identity assertions from the provider |
Identity and Access Management Standards
Standard | Description |
---|---|
Security Assertion Markup Language (SAML) | Federated identity management standard supporting both authentication and authorization. |
OAuth | Authorization standard used for web and consumer services. |
OpenID | Standard for federated authentication, using URLs to identify identity providers. |
Questions to ask when designing IAM solutions
- How will identities for application code, systems, devices, and other services be managed?
- How will the identity provisioning process change when consuming cloud services, if at all?
- How will new cloud providers be onboarded and integrated with the IAM solution?
Other considerations when establishing federation
- Building a permissions matrix based on the relevant cloud service model (SaaS, IaaS, etc.).
- Determining how attributes will be mapped between the identity provider and the relying party.
- Determining and enabling monitoring and logging to meet security policies.
- Documenting any break/fix processes related to the services used.
- Updating current incident response plans for identity takeovers to include the cloud environment.
- Determining how accounts can be deprovisioned or changed in the cloud environment.
Authentication and Credentials
Options | Description |
---|---|
Hard token | Physical device presenting a one-time password |
Soft token | Like hard token, but runs as software on phone or computer |
Out-of-band passwords | Separate communication methods, like SMS. |
Biometrics | Involves the “something you are” factor of authentication. |