Cloud - IAM

Uploaded by Haiqa Hashmi

Identity and Access Management (IAM)

• With the adoption of cloud services, organizations' trust boundaries have shifted dynamically.
• Parts of the network, system and application domains have moved into the service provider's domain.
• This reduces the amount of control enterprises have.
• Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
• IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments.
• Enterprises traditionally used on-premises IAM software to manage identity and access policies, but as companies add more cloud services to their environments, managing identities is getting more complex.
• Therefore, adopting cloud-based Identity-as-a-Service (IDaaS) and cloud IAM solutions becomes a logical step.
• Single Access Control Interface - Cloud IAM solutions provide a clean and consistent access control interface for all cloud platform services; the same interface can be used for every cloud service.
• Enhanced Security - You can define increased security requirements for critical applications.
• Resource-level Access Control - You can define roles and grant permissions to users to access resources at different granularity levels.
1. Provisioning
IAM supports the process of onboarding and offboarding users to systems and applications. It mainly focuses on what you have access to, providing users access to resources like
• Data repositories
• Applications
• Databases
• Services

Note that provisioning is not responsible for the actual allocation of access rights (that is entitlement management, below); in cloud deployments it is commonly delivered together with authentication-as-a-service.
2. Credential and Attribute Management
To minimize the risks associated with impersonation and inappropriate account use, IAM supports the management of credentials.
Handles the following:
• Static credentials (passwords)
• Dynamic credentials (one-time passwords)
• Password expiration
• Encryption management of credentials (protecting stored and transmitted secrets)
• Access policies
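The "dynamic credentials (one-time passwords)" item above is the one most often implemented by hand, so here is a worked example. This is added illustration code, not code from the slides: an RFC 4226 HOTP / RFC 6238 TOTP generator together with the verifier-side checks a practitioner wants (a one-step clock-skew window, constant-time comparison, and a replay guard that refuses any counter that has already been accepted). The 30-second step, 6 digits and SHA-1 are the RFC defaults and are assumed here; the RFC 4226 test secret is used so the output can be checked against the published vectors.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with server-side verification.
Added example, not code from the slides. Step length, digit count and hash
are the RFC defaults (assumed); the secret is the RFC 4226 test secret."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # assumed: RFC 6238 default time step
DIGITS = 6          # assumed: common authenticator-app length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side verifier for one enrolled user.

    - accepts the current step and `skew_steps` either side (clock drift),
    - never accepts a counter at or below the last accepted one (replay),
    - compares codes in constant time (no early-exit string compare)."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.last_counter = -1   # in production, persist this per user

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = now // STEP_SECONDS
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue   # already used (replay) or older than an accepted code
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI (the QR-code payload) used to enroll an authenticator app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


# Shared secret from RFC 4226 appendix D, so results match the published vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))      # 755224  (RFC 4226 vector, counter 0)
    print(totp(RFC_SECRET, 59))     # 287082  (RFC 6238 vector for T=59, 6 digits)
    v = TotpVerifier(RFC_SECRET)
    print(v.verify(totp(RFC_SECRET, 59), 59))   # True
    print(v.verify(totp(RFC_SECRET, 59), 59))   # False: same counter replayed
```

Enroll the user by rendering `provisioning_uri()` as a QR code; on the server, `last_counter` must live in persistent storage per user, otherwise the replay guard resets on every restart.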
3. Entitlement Management
Provisioning and deprovisioning of privileges.
4. Compliance Management
Monitoring of access rights and privileges. Helps auditors and analysts verify compliance with access-rights policy. Logging and other related services are also provided.
5. Centralization of authentication and authorization
Alleviates the need for creating custom authentication and authorization methods, as a central authentication and authorization infrastructure is created.
• Identity federation is an industry best practice that helps deal with heterogeneous, dynamic, loosely coupled trust relationships.
• Identity federation enables interaction of systems and applications separated by an organization's trust boundary.
• Traditional mechanisms assume applications are within the same administrative domain.
• Adding a user from outside then means creating an account within your own identity store. This could result in the new user having access to more than just the intended application.

• Federated Identity Management (FIM) securely shares information managed at a user's home organization with remote services.
• Within FIM systems it doesn't matter whether the service is in your administrative domain or another; it is all handled the same way.
• In Federated Identity Management:
  – Identity Providers (IdP) publish identity information about users to be used for authentication
  – Service Providers (SP) consume this information and make it available to an application
  – An IdP or SP is generically known as an entity
• The first principle within federated identity management is the active protection of user information:
  – Protect the user's credentials: only the IdP ever handles the credential; the SP never sees a password.
  – Protect the user's identity information, including attributes: a customized set of attributes is released to each SP, which limits the impact of a compromise at any one SP.
• Users generally find the resulting single sign-on experience nicer than logging in numerous times.
• Ease of integrating new services.
• Studies of applications that maintain their own copies of user data show that the majority of that data is out of date. Hence, without federation, we are often protecting applications with stale data.
• A federation is a group of organizations running IdPs and SPs that agree on a common set of rules and standards.
  – It is a label for talking about such a collection of organizations.
  – An organization may belong to more than one federation at a time.
  – Technically, IdPs and SPs 'know' nothing about federations; the federation exists in the agreements between its member organizations.
• IAM enables the right individuals to access the right resources at the right times and for the right reasons.
• IAM provides
  – Authentication
  – Authorization
  – Auditing
• Authorization Modeling:
  – What does a user have access to once he has been authenticated?
  – Steps:
    – Identify assets
    – Identify users
    – Activities they can perform, i.e. CRUD (create, read, update, delete)
    – Attribute filtering / privilege escalation
    – Role-based vs rule-based access
    – ACL table: rows (roles) x columns (assets), with entries defining the CRUD operations allowed
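The modeling steps above in working form, as an added example that is not code from the slides. The roles, assets and the two rules are assumed for illustration. The ACL table is the roles x assets matrix with CRUD letters as entries (role-based access); the rule layer is the rule-based, attribute-driven filtering, and it can deny even when the role table allows, which is what keeps a role grant from escalating into access its holder should not have; `effective_permissions()` produces the per-user matrix an access review (compliance management) needs.

```python
"""ACL table (roles x assets, CRUD entries) plus rule-based attribute filtering.
Added example, not code from the slides; roles, assets and rules are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

CRUD = {"C": "create", "R": "read", "U": "update", "D": "delete"}
ACTION_TO_LETTER = {v: k for k, v in CRUD.items()}

# Rows are roles, columns are assets, entries are the CRUD letters granted (assumed data).
ACL_TABLE: Dict[str, Dict[str, str]] = {
    "admin":   {"customer_db": "CRUD", "payroll_db": "CRUD", "wiki": "CRUD"},
    "analyst": {"customer_db": "R",    "payroll_db": "",     "wiki": "CRU"},
    "hr":      {"customer_db": "",     "payroll_db": "CRU",  "wiki": "R"},
    "guest":   {"customer_db": "",     "payroll_db": "",     "wiki": "R"},
}


@dataclass
class User:
    name: str
    roles: Set[str]
    attributes: Dict[str, str] = field(default_factory=dict)


# Rule-based layer: predicates over (user, asset, action) evaluated after the role grant.
# A rule returning False denies even though the ACL table would allow.
Rule = Callable[[User, str, str], bool]


def payroll_only_for_hr_department(user: User, asset: str, action: str) -> bool:
    """Attribute filter: payroll data is reachable only from the HR department (assumed rule)."""
    if asset != "payroll_db":
        return True
    return user.attributes.get("department") == "HR"


def deletes_need_mfa(user: User, asset: str, action: str) -> bool:
    """Destructive actions require a step-up (MFA) attribute on the session (assumed rule)."""
    return action != "delete" or user.attributes.get("mfa") == "true"


RULES: List[Rule] = [payroll_only_for_hr_department, deletes_need_mfa]


def role_allows(role: str, asset: str, action: str) -> bool:
    """Look the (role, asset) cell up in the ACL table and test the CRUD letter."""
    return ACTION_TO_LETTER[action] in ACL_TABLE.get(role, {}).get(asset, "")


def is_authorized(user: User, asset: str, action: str) -> bool:
    """Deny by default: some role must grant the action AND every rule must pass."""
    if action not in ACTION_TO_LETTER:
        return False   # unknown verb: never allow
    if not any(role_allows(r, asset, action) for r in user.roles):
        return False
    return all(rule(user, asset, action) for rule in RULES)


def effective_permissions(user: User) -> Dict[str, str]:
    """Per-asset CRUD letters the user really gets after rule filtering (for access reviews)."""
    assets = {a for row in ACL_TABLE.values() for a in row}
    return {asset: "".join(k for k, v in CRUD.items() if is_authorized(user, asset, v))
            for asset in sorted(assets)}


if __name__ == "__main__":
    for u in (User("alice", {"hr"}, {"department": "HR"}),
              User("bob", {"hr"}, {"department": "Sales"}),
              User("root", {"admin"}, {"department": "IT", "mfa": "true"})):
        print(u.name, effective_permissions(u))
```

Note how the review output differs from the role table: bob holds the hr role but gets nothing on payroll_db because the department rule fails, and even admin loses payroll access outside HR. That gap between "granted" and "effective" is what the compliance-management component is there to monitor.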
• IAM is not a monolithic architecture.
• It is a collection of technology components, processes, and standard practices.
• IAM is composed of the following components:
  – User Management: management of identities
  – Authentication Management: management of authentication activities
  – Authorization Management: entitlement right management
  – Access Management: enforcement of access control policies
  – Data management and provisioning: propagation of identity and data for authorization to IT resources
  – Monitoring and auditing: monitoring, auditing, reporting and compliance activities
• SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between an IdP and an SP.
• There are three roles in SAML:
  – Identity provider
  – Service provider
  – Principal (the user)
1. The user attempts to reach a hosted Google application.
2. Google (the SP) generates a SAML authentication request (AuthnRequest).
3. The request is deflated, base64-encoded and embedded in the URL as the SAMLRequest parameter, and the browser is redirected to the IdP's SSO page (HTTP-Redirect binding).
4. The IdP decodes the URL and extracts the SAML request.
5. The IdP authenticates the user.
6. The IdP returns a SAML response containing an assertion signed with the IdP's private key; the SP verifies that signature with the IdP's public key (its certificate).
7. The browser forwards the response to Google's Assertion Consumer Service (ACS). The ACS validates the signature, audience and validity period of the assertion and establishes the session on it.
8. The user is logged into the application.

(Diagram: the encoding of the request in step 3 is done by the SP.)
• Why do all these transactions place the user at the center?
• Because the IdP and the SP never talk to each other directly in this flow: the user's browser carries the request to the IdP and the signed response back to the SP. If the browser were not involved, the SP would have no way to learn that the user's credential had been accepted after authentication.
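The flow above end to end, as an added example (not the slides' code and not Google's). The SP side builds the AuthnRequest and encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode); the IdP side decodes it, releases only the attributes its policy allows for that SP (the "customized set of information released to each SP" principle from the federation section) and answers with a Response for the HTTP-POST binding; the SP's ACS then runs the checks that must pass before a session is created: trusted Issuer, Destination equal to our ACS, InResponseTo matching an outstanding request (consumed on use, so a replayed response fails), the NotBefore/NotOnOrAfter window, and the Audience. Entity IDs, URLs and the release policy are assumed. XML-Signature verification is deliberately not reimplemented here: a real SP verifies the IdP's signature with the certificate from IdP metadata (normally via a SAML library) before running these checks, and the code marks where that belongs.

```python
"""Browser-mediated SAML 2.0 SSO: SP request (HTTP-Redirect), IdP response (HTTP-POST),
SP validation. Added example, not code from the slides or Google. Entity IDs, URLs and
the attribute release policy are assumed. Signature verification is NOT implemented."""
import base64
import secrets
import zlib
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

SP_ENTITY_ID = "https://sp.example.com/saml"       # assumed
SP_ACS = "https://sp.example.com/saml/acs"         # assumed
IDP_ENTITY_ID = "https://idp.example.org/saml"    # assumed
IDP_SSO = "https://idp.example.org/saml/sso"       # assumed
# Federation principle: each SP only receives the attributes released to it (assumed policy).
RELEASE_POLICY = {SP_ENTITY_ID: {"mail", "eduPersonAffiliation"}}
TS = "%Y-%m-%dT%H:%M:%SZ"


def _now() -> datetime:
    return datetime.now(timezone.utc)


# Steps 2-3: SP builds the AuthnRequest and encodes it into the redirect URL.
def build_redirect_url(request_id: str, issue_instant: datetime) -> str:
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{issue_instant.strftime(TS)}" Destination="{IDP_SSO}" '
           f'AssertionConsumerServiceURL="{SP_ACS}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
           f'</samlp:AuthnRequest>')
    deflated = zlib.compress(xml.encode())[2:-4]   # raw DEFLATE: drop zlib header and adler32
    return IDP_SSO + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


# Step 4: IdP decodes the URL and extracts the request.
def decode_authn_request(url: str) -> Dict[str, str]:
    encoded = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    root = ET.fromstring(zlib.decompress(base64.b64decode(encoded), -15))  # -15 = raw DEFLATE
    return {"id": root.get("ID"), "acs": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS)}


# Steps 5-6: after authenticating the user (assumed done), IdP issues the Response.
def build_response(req: Dict[str, str], user_attrs: Dict[str, str]) -> str:
    now = _now()
    released = {k: v for k, v in user_attrs.items() if k in RELEASE_POLICY.get(req["issuer"], set())}
    attrs = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                    f'</saml:Attribute>' for k, v in released.items())
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{secrets.token_hex(16)}" '
           f'Version="2.0" IssueInstant="{now.strftime(TS)}" InResponseTo="{req["id"]}" '
           f'Destination="{req["acs"]}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{now.strftime(TS)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Conditions NotBefore="{(now - timedelta(minutes=1)).strftime(TS)}" '
           f'NotOnOrAfter="{(now + timedelta(minutes=5)).strftime(TS)}">'
           f'<saml:AudienceRestriction><saml:Audience>{req["issuer"]}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()   # HTTP-POST binding: base64 only, no deflate


# Step 7: the SP's ACS validates the Response before creating a session.
def validate_response(b64_response: str, outstanding_ids: Set[str],
                      now: Optional[datetime] = None) -> Dict[str, str]:
    now = now or _now()
    root = ET.fromstring(base64.b64decode(b64_response))
    # XML-Signature verification of the Response/Assertion (IdP certificate from metadata) goes here.
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("untrusted issuer")
    if root.get("Destination") != SP_ACS:
        raise ValueError("response not addressed to our ACS")
    if root.get("InResponseTo") not in outstanding_ids:
        raise ValueError("unsolicited or replayed response")
    outstanding_ids.discard(root.get("InResponseTo"))   # one request, one response
    cond = root.find(".//saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    if root.findtext(".//saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion meant for another SP")
    return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
            for a in root.iterfind(".//saml:Attribute", NS)}


def sso_roundtrip(user_attrs: Dict[str, str]) -> Dict[str, str]:
    """Drive the whole exchange in-process; each browser hop is a function call here."""
    req_id = "_" + secrets.token_hex(16)
    outstanding = {req_id}                              # SP remembers requests it issued
    url = build_redirect_url(req_id, _now())            # steps 2-3
    req = decode_authn_request(url)                     # step 4
    posted = build_response(req, user_attrs)            # steps 5-6
    return validate_response(posted, outstanding)       # steps 7-8


if __name__ == "__main__":
    # constructed user record; "ssn" is not in the release policy and must not reach the SP
    print(sso_roundtrip({"mail": "alice@example.org", "eduPersonAffiliation": "staff", "ssn": "000-00-0000"}))
```

The IdP's directory record carries more than the SP is allowed to see, and only the released subset arrives at the ACS; the outstanding-request set is what makes a captured response useless to an attacker who replays it to the same SP.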
