
Identity and Access Management

PCQ Bureau

Banks, insurance companies, healthcare providers, retailers, and capital markets firms face the enormous task of managing identity and access across multiple projects. Many organizations now collaborate for better integration with business partners. As the number of applications to support increases, users need to be given different levels of identity and access security. Organizations must address identity management compliance concerns related to regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act. For each application, high administrative costs are expected from maintenance, password resets, inconsistent information, inflexible information technology (IT) environments, and silos created by bank mergers and acquisitions.


Identity and Access Management (IAM)

In the current world, the organization's trust boundary is dynamic and extends outside the company's IT control. Current software services and applications require access to networks and systems that are secured via network security controls, including virtual private networks (VPNs), intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and multifactor authentication. Enterprises engaged in e-commerce, supply chain management, outsourcing, and collaboration with partners and communities all need a unified security framework for users that takes identity and access management into account. Organizations are therefore forced to rely on higher-level software controls such as application security and user access controls. These controls manifest as strong authentication, authorization based on roles or claims, trusted sources with accurate attributes, identity federation, single sign-on (SSO), user activity monitoring, and auditing. The most salient aspect of security is the identity federation architecture and its processes, as they can strengthen the controls and trust between organizations and their partners.

Identity federation is an emerging industry best-practice standard for dealing with the heterogeneous, dynamic, loosely coupled trust relationships that characterize an organization's external and internal applications. Federation enables the interaction of systems and applications separated by an organization's trust boundary (e.g., a salesperson interacting with Salesforce.com from a corporate network).


Now the question is: why do identity and access management at all? There are two main reasons:

1. Improve operational efficiency: Operational efficiency is improved by automating user on-boarding and other repetitive tasks. For example, self-service lets users request their own password resets, which would otherwise require the intervention of system administrators through a help desk ticketing system.


2. Regulatory compliance management: Regulatory compliance management is necessary to protect systems, applications, and information from internal and external threats (e.g., disgruntled employees deleting sensitive files) and to comply with various regulatory, privacy, and data protection requirements (e.g., HIPAA, SOX). It is crucial to look at industry standards such as ISO 27002 and the Information Technology Infrastructure Library (ITIL). Identity and access management (IAM) processes and practices can help organizations meet objectives in the areas of access control and operational security (e.g., enforcement of compliance requirements such as "segregation of duties" and assignment of only the privileges staff members need to perform their duties). Auditors routinely map internal controls to IT controls, as these support the management of regulatory compliance processes including the Payment Card Industry (PCI) Data Security Standard (DSS) and the Sarbanes-Oxley Act of 2003 (SOX).

IAM Definitions

  • Authentication: Authentication is the process of verifying the identity of a user or system (e.g., Lightweight Directory Access Protocol verifying the credentials presented by the user, where the identifier is the corporate user ID that is unique and assigned to an employee or contractor).
  • Authorization: Authorization is the process of determining the privileges the user or system is entitled to once the identity is established. In the context of digital services, authorization usually follows the authentication step and is used to determine whether the user or service has the necessary privileges to perform certain operations; in other words, authorization is the process of enforcing policies.
  • Auditing: Auditing entails the process of review and examination of authentication, authorization records, and activities to determine the adequacy of IAM system controls. Auditing helps in verifying compliance with established security policies and procedures (e.g., separation of duties), detecting breaches in security services (e.g., privilege escalation), and recommending any changes that are indicated for countermeasures.
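The three definitions above map directly onto three functions in code. The following is an added example written for this page (it is not PCQ Bureau's code and not taken from any product): a constructed in-memory directory stands in for the LDAP directory mentioned under Authentication, a role-to-permission table stands in for the authorization policy, and every decision is written to an audit trail that a reviewer can query. User IDs, passwords and roles are made up for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed sample directory. A real deployment would hold these records
# in an LDAP directory; here salted PBKDF2 hashes are built in-process so
# the example runs offline. User IDs, passwords and roles are made up.
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _make_account(password: str, roles: set[str]) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}


DIRECTORY = {
    "e10342": _make_account("correct-horse-battery", {"teller"}),
    "e20077": _make_account("staple-orbit-lamp", {"teller", "branch_manager"}),
}

# Authorization policy: role -> set of permitted (action, resource) pairs.
ROLE_PERMISSIONS = {
    "teller": {("read", "account"), ("create", "transfer")},
    "branch_manager": {("read", "account"), ("approve", "transfer")},
}

# Audit trail: every authentication and authorization decision is recorded.
AUDIT_LOG: list[dict] = []


def _audit(event: str, user_id: str, outcome: str, **details) -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event, "user": user_id, "outcome": outcome, **details,
    })


def authenticate(user_id: str, password: str) -> bool:
    """Authentication: verify the presented credential against the directory."""
    account = DIRECTORY.get(user_id)
    if account is None:
        # Do the same amount of work for unknown IDs so that response time
        # does not reveal which user IDs exist.
        _hash_password(password, b"\x00" * 16)
        _audit("authn", user_id, "fail", reason="unknown_user")
        return False
    ok = hmac.compare_digest(_hash_password(password, account["salt"]), account["hash"])
    _audit("authn", user_id, "success" if ok else "fail")
    return ok


def authorize(user_id: str, action: str, resource: str) -> bool:
    """Authorization: decide whether an already-authenticated identity may
    perform `action` on `resource` by enforcing the role policy."""
    account = DIRECTORY.get(user_id)
    roles = account["roles"] if account else set()
    allowed = any((action, resource) in ROLE_PERMISSIONS.get(role, set()) for role in roles)
    _audit("authz", user_id, "allow" if allowed else "deny", action=action, resource=resource)
    return allowed


def audit_findings() -> dict:
    """Auditing: review the recorded decisions for what a control owner
    wants to see: repeated failed logins and denied attempts to use privileges."""
    failed_logins: dict[str, int] = {}
    denied: dict[str, list[str]] = {}
    for entry in AUDIT_LOG:
        if entry["event"] == "authn" and entry["outcome"] == "fail":
            failed_logins[entry["user"]] = failed_logins.get(entry["user"], 0) + 1
        elif entry["event"] == "authz" and entry["outcome"] == "deny":
            denied.setdefault(entry["user"], []).append(f"{entry['action']}:{entry['resource']}")
    return {"failed_logins": failed_logins, "denied_operations": denied}


if __name__ == "__main__":
    authenticate("e10342", "correct-horse-battery")   # succeeds
    authenticate("e10342", "wrong")                    # fails, audited
    authorize("e10342", "read", "account")             # teller may read
    authorize("e10342", "approve", "transfer")         # teller may not approve
    print(audit_findings())
```

Note the order the definitions prescribe: `authorize` assumes `authenticate` has already succeeded for that user ID, and every denied authorization lands in the audit trail, which is what makes the privilege-escalation detection mentioned under Auditing possible.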

IAM Functional Architecture

  • User management: Activities for the effective governance and management of identity life cycles.
  • Authentication management: Activities for the effective governance and management of the process for determining that an entity is who or what it claims to be.
  • Authorization management: Activities for the effective governance and management of the process for determining entitlement rights that decide what resources an entity is permitted to access in accordance with the organization's policies.
  • Access management: Enforcement of policies for access control in response to a request from an entity (user, services) wanting to access an IT resource within the organization.
  • Data management and provisioning: Propagation of identity and data for authorization to IT resources via automated or manual processes.
  • Monitoring and auditing: Monitoring, auditing, and reporting compliance by users regarding access to resources within the organization based on the defined policies.

Identity life cycle

1. Provisioning: This is the process of on-boarding users to systems and applications. These processes provide users with necessary access to data and technology resources. Provisioning can be thought of as a combination of the duties of the human resources and IT departments, where users are given access to data repositories or systems, applications, and databases based on a unique user identity. Deprovisioning works in the opposite manner, resulting in the deletion or deactivation of an identity or of privileges assigned to the user identity.


2. Credential and attribute management: These processes are designed to manage the life cycle of credentials and user attributes (create, issue, manage, revoke) to minimize the business risk associated with identity impersonation and inappropriate account use. Credentials are usually bound to an individual and are verified during the authentication process. The processes include provisioning of attributes, static (e.g., standard text password) and dynamic (e.g., one-time password) credentials that comply with a password standard (e.g., passwords resistant to dictionary attacks). Credential management helps in handling password expiration, encryption management of credentials in transit and at rest, and access policies for user attributes (privacy and handling of attributes for various regulatory reasons).

3. Entitlement management: Entitlements are also referred to as authorization policies. The processes in this domain address the provisioning and deprovisioning of privileges needed for the user to access resources including systems, applications, and databases.


4. Compliance management: This process implies that access rights and privileges are monitored and tracked to ensure the security of an enterprise's resources.

5. Identity federation management: Federation is the process of managing the trust relationships established beyond the internal network boundaries or administrative domain boundaries among distinct organizations. A federation is an association of organizations that come together to exchange information about their users and resources to enable collaborations and transactions (e.g., sharing user information with the organizations' benefits systems managed by a third-party provider).

6. Centralization of authentication (authN) and authorization (authZ): A central authentication and authorization infrastructure alleviates the need for application developers to build custom authentication and authorization features into their applications. Furthermore, it promotes a loose coupling architecture where applications become agnostic to the authentication methods and policies. This approach is also called an “externalization of authN and authZ” from applications.
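The life-cycle steps above (provisioning, entitlement management, compliance management, deprovisioning) and the "data management and provisioning" and "monitoring and auditing" components of the functional architecture can be seen together in one small model. The following is an added example written for this page, not code from PCQ Bureau or from any IAM product: a central identity manager holds identities and roles, propagates the resulting entitlements into constructed target systems, refuses role grants that would breach a segregation-of-duties rule, strips all access on deprovisioning, and reports orphaned accounts that exist in a target system without an active owner. The roles, systems, privilege names and the single SoD rule are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Role -> entitlements, each expressed as (target system, privilege).
# Roles, systems and privilege names are constructed for this example.
ROLE_ENTITLEMENTS = {
    "teller": {("core_banking", "account.read"), ("payments", "payment.create")},
    "payments_approver": {("payments", "payment.approve")},
    "hr_clerk": {("hris", "employee.read")},
}

# Segregation-of-duties rules: privilege sets one identity may not hold together.
SOD_CONFLICTS = {frozenset({"payment.create", "payment.approve"})}


@dataclass
class Identity:
    user_id: str
    roles: set[str] = field(default_factory=set)
    active: bool = True


@dataclass
class TargetSystem:
    """A downstream application that keeps its own local accounts."""
    name: str
    accounts: dict[str, set[str]] = field(default_factory=dict)  # user_id -> privileges


class IdentityManager:
    def __init__(self, systems: list[TargetSystem]):
        self.identities: dict[str, Identity] = {}
        self.systems = {s.name: s for s in systems}

    @staticmethod
    def _privileges(roles: set[str]) -> set[str]:
        return {priv for role in roles for (_, priv) in ROLE_ENTITLEMENTS[role]}

    def _sod_violations(self, roles: set[str]) -> list[frozenset]:
        held = self._privileges(roles)
        return [conflict for conflict in SOD_CONFLICTS if conflict <= held]

    def _sync(self, identity: Identity) -> None:
        """Data management and provisioning: push entitlements to every system."""
        wanted = set().union(*(ROLE_ENTITLEMENTS[r] for r in identity.roles))
        for system in self.systems.values():
            privs = {priv for (sys_name, priv) in wanted if sys_name == system.name}
            if privs and identity.active:
                system.accounts[identity.user_id] = privs
            else:
                system.accounts.pop(identity.user_id, None)

    def provision(self, user_id: str, roles: set[str]) -> Identity:
        """On-boarding: create the identity, then grant each role (SoD-checked)."""
        identity = Identity(user_id)
        self.identities[user_id] = identity
        for role in roles:
            self.grant_role(user_id, role)
        return identity

    def grant_role(self, user_id: str, role: str) -> None:
        """Entitlement management: refuse a grant that would breach SoD."""
        identity = self.identities[user_id]
        proposed = identity.roles | {role}
        violations = self._sod_violations(proposed)
        if violations:
            raise ValueError(f"SoD conflict for {user_id}: {sorted(violations[0])}")
        identity.roles = proposed
        self._sync(identity)

    def revoke_role(self, user_id: str, role: str) -> None:
        identity = self.identities[user_id]
        identity.roles.discard(role)
        self._sync(identity)

    def deprovision(self, user_id: str) -> None:
        """Off-boarding: deactivate and remove every entitlement everywhere."""
        identity = self.identities[user_id]
        identity.active = False
        identity.roles.clear()
        self._sync(identity)

    def compliance_report(self) -> dict:
        """Compliance management: SoD breaches and accounts with no live owner."""
        sod = {uid: [sorted(c) for c in self._sod_violations(i.roles)]
               for uid, i in self.identities.items() if i.active}
        sod = {uid: v for uid, v in sod.items() if v}
        orphans = {}
        for system in self.systems.values():
            stale = sorted(uid for uid in system.accounts
                           if not (uid in self.identities and self.identities[uid].active))
            if stale:
                orphans[system.name] = stale
        return {"sod_violations": sod, "orphaned_accounts": orphans}


if __name__ == "__main__":
    # "contractor_x" is a constructed local account that nobody provisioned centrally.
    payments = TargetSystem("payments", accounts={"contractor_x": {"payment.create"}})
    mgr = IdentityManager([TargetSystem("core_banking"), payments, TargetSystem("hris")])
    mgr.provision("e10342", {"teller"})
    try:
        mgr.grant_role("e10342", "payments_approver")   # would let one person create and approve
    except ValueError as err:
        print(err)
    print(mgr.compliance_report())
    mgr.deprovision("e10342")
    print(payments.accounts)   # only the orphan remains
```

The design point is that the target systems never decide who gets access; they only receive what `_sync` pushes, so deprovisioning one identity removes it from every system in one step, and the compliance report finds any account a system acquired outside that path.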

IAM Standards and Specifications

The following IAM standards and specifications will help organizations implement effective and efficient user access management practices and processes. The main questions to ask for identity and access management are as follows.

  • How can I avoid duplicating identities, attributes, and credentials and provide a single sign-on user experience for my users? SAML.
  • How can I automatically provision user accounts for different applications and automate the process of provisioning and deprovisioning? SPML.
  • How can I provision user accounts with appropriate privileges and manage entitlements for my users? XACML.
  • How can I authorize application service X to access my data in an application service Y without disclosing credentials? OAuth.

In the next part we will examine these standards and look at how organizations are building software with them.
