Identity and Access Management (IAM) - 4.6

Summary

Identity and Access Management (IAM) ensures the authentication and authorization of users, manages account provisioning and permissions, verifies identities through various methods, enables Single Sign-On (SSO), and ensures interoperability across systems to maintain secure and controlled access to resources.


Notes:

Provisioning and De-provisioning User Accounts

  • Provisioning grants a new user the accounts and permissions their role requires; de-provisioning revokes access when they leave and removes the access that is no longer needed when they change roles.
  • Triggered by onboarding, promotions, role changes, and terminations. Timeliness matters: accounts left enabled after a departure, and permissions carried over from a previous role, are a common path to compromise, so the HR system (not the directory) should be the authoritative source for who is entitled to access.

Permission Assignments and Implications

  • Users should be assigned the minimum necessary permissions required to perform their job functions. This "principle of least privilege" helps reduce the risk of security breaches and limits potential damage if an account is compromised.
  • Over-provisioning of permissions can lead to excessive access rights, increasing the risk of data breaches and insider threats.
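The two sections above (provisioning/de-provisioning and permission assignment) describe one reconciliation loop: compare who HR says should have access, and at what role, with what the directory actually holds. The following is an added example, not code from the notes; the HR feed, the directory snapshot and the role-to-group baseline are constructed for the demo, and a real run would read the HR system and an LDAP/SCIM directory instead. Joiners get exactly their role baseline, leavers are disabled, movers have groups added and removed, and orphan accounts (enabled in the directory but unknown to HR) are flagged. The `remove_group` actions are the over-provisioning report.

```python
"""Joiner/mover/leaver reconciliation with least-privilege drift detection.

Added example (not from the notes). The HR feed, directory contents and the
role-to-group baseline are constructed for the demo; a real run would read
the HR system and an LDAP/SCIM directory instead.
"""

# Hypothetical baseline: the groups each job role is entitled to, nothing more.
ROLE_GROUPS = {
    "engineer": {"vpn-users", "git-developers"},
    "finance": {"vpn-users", "erp-finance"},
    "helpdesk": {"vpn-users", "helpdesk-tier1"},
}

# Constructed HR feed: the authoritative answer to "who should have access?".
HR_FEED = [
    {"uid": "alice", "role": "engineer", "status": "active"},
    {"uid": "bob", "role": "finance", "status": "active"},        # moved from engineering
    {"uid": "carol", "role": "helpdesk", "status": "terminated"},  # leaver
    {"uid": "dave", "role": "engineer", "status": "active"},       # joiner, no account yet
]

# Constructed directory snapshot: uid -> account state.
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"vpn-users", "git-developers"}},
    "bob": {"enabled": True, "groups": {"vpn-users", "git-developers", "erp-finance"}},
    "carol": {"enabled": True, "groups": {"vpn-users", "helpdesk-tier1"}},
    "eve": {"enabled": True, "groups": {"vpn-users", "erp-finance"}},  # no HR record
}


def reconcile(hr_feed, directory, role_groups):
    """Return the list of (uid, action, detail) needed to bring the directory
    in line with HR and the role baseline. Order follows the HR feed, then
    orphans."""
    actions = []
    seen = set()
    for rec in hr_feed:
        uid = rec["uid"]
        seen.add(uid)
        acct = directory.get(uid)
        if rec["status"] != "active":
            # Leaver: disable, don't delete, so ownership and audit history survive.
            if acct is not None and acct["enabled"]:
                actions.append((uid, "disable", "terminated in HR"))
            continue
        expected = role_groups[rec["role"]]
        if acct is None:
            # Joiner: create with exactly the role baseline.
            actions.append((uid, "create", sorted(expected)))
            continue
        if not acct["enabled"]:
            actions.append((uid, "enable", "active in HR"))
        # Mover / drift: add what the role needs, remove what it does not.
        for group in sorted(expected - acct["groups"]):
            actions.append((uid, "add_group", group))
        for group in sorted(acct["groups"] - expected):
            actions.append((uid, "remove_group", group))
    # Orphan accounts: enabled in the directory but unknown to HR.
    for uid, acct in directory.items():
        if uid not in seen and acct["enabled"]:
            actions.append((uid, "disable", "no HR record (orphan account)"))
    return actions


if __name__ == "__main__":
    for uid, action, detail in reconcile(HR_FEED, DIRECTORY, ROLE_GROUPS):
        print(f"{uid:6} {action:13} {detail}")
```

On the constructed data the run yields four actions: bob loses `git-developers` (carried over from his old role), carol is disabled, dave is created with the engineer baseline, and eve is disabled as an orphan. Disabling rather than deleting is deliberate: it preserves the audit trail and any objects the account owns while still cutting off access.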

Identity Proofing

  • Verifying that a person is who they claim to be before an account is created for them. It happens during onboarding, before any credential is issued, and is distinct from authentication, which later proves possession of that credential.
  • Common methods include checking government-issued IDs (passport, driver's license), in-person verification, knowledge-based verification against existing records, and document or biometric checks. Passwords, security questions, and MFA are authentication factors, not identity-proofing methods.
  • Attestation: the formal, periodic confirmation by a responsible party (typically the user's manager or the resource owner) that an account still exists for a valid reason and that its permissions remain appropriate. Access removed as a result of an attestation review is handled through de-provisioning.

Single Sign-On (SSO)

  • Allows users to authenticate once and gain access to multiple related but independent systems without logging in again. Because one authentication event now unlocks many systems, the identity provider and the session it issues become the high-value target, so MFA at the IdP and session lifetime limits matter.
    • Lightweight Directory Access Protocol (LDAP): A protocol for querying and modifying entries in a directory service (such as Active Directory) over an IP network. Applications and SSO systems use it to look up accounts and group memberships and, via an LDAP bind, to validate credentials against the central directory. It should be used over TLS (LDAPS or StartTLS), since a simple bind sends the password in the clear.
    • Open Authorization (OAuth): A framework for delegated authorization, allowing an application to access resources on a user's behalf without being given the user's credentials. An OAuth access token says what an application may do, not who the user is, which is why OpenID Connect (OIDC) layers an ID token on top of OAuth for authentication.
    • Security Assertion Markup Language (SAML): An XML standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP), enabling web-based SSO. The SP must verify the assertion's signature, that it was issued for this SP (audience), that it is within its validity window, and that it answers a request the SP actually made.
    • Federation: A trust relationship between organizations (or between an organization and a public identity provider) that lets users access resources across different domains with one set of credentials, for example logging in with Google or Facebook credentials. The relying party never sees the password; it receives an assertion or token from the user's home IdP.
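The SAML bullet above lists the checks a service provider has to make on an assertion it receives. The following is an added example, not code from the notes or from any SAML library: it implements the checks that stop replay and cross-SP reuse (validity window with clock skew, audience restriction, recipient, and one-time `InResponseTo` matching) on constructed, unsigned assertions. `SP_ENTITY_ID`, `ACS_URL`, and the request IDs are assumed values. Signature verification (with xmlsec or a library such as python3-saml) must happen before these checks and is deliberately out of scope here.

```python
"""Service-provider-side checks on a SAML 2.0 assertion's Conditions and
SubjectConfirmation. Added example, not from the notes. The assertions are
constructed; SP_ENTITY_ID, ACS_URL and the request IDs are assumed values.
Signature verification (xmlsec / python3-saml) must happen BEFORE these checks
and is out of scope here."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
SP_ENTITY_ID = "https://sp.example.test/metadata"  # assumed SP entity ID
ACS_URL = "https://sp.example.test/acs"            # assumed assertion consumer URL
CLOCK_SKEW = timedelta(minutes=3)


def parse_time(value):
    """SAML times are UTC xs:dateTime; the constructed assertions use second precision."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, outstanding_requests, now):
    """Return (True, NameID) if the assertion is for this SP, inside its validity
    window, and answers an AuthnRequest we actually sent; else (False, reason).
    A matching request ID is consumed so the same assertion cannot be replayed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML Assertion"

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    if now + CLOCK_SKEW < parse_time(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - CLOCK_SKEW >= parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired"

    # Audience restriction: an assertion minted for another SP must be rejected.
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:
        return False, f"audience mismatch: {sorted(audiences)}"

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "missing SubjectConfirmationData"
    if scd.get("Recipient") != ACS_URL:
        return False, "Recipient is not our ACS URL"
    request_id = scd.get("InResponseTo")
    if request_id not in outstanding_requests:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    outstanding_requests.discard(request_id)  # one-time use

    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def make_assertion(audience, not_before, not_on_or_after, in_response_to,
                   name_id="alice@example.test"):
    """Build a constructed (unsigned) assertion for the demo."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_demo1" Version="2.0"
    IssueInstant="{not_before}">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>{name_id}</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="{in_response_to}"
          Recipient="{ACS_URL}" NotOnOrAfter="{not_on_or_after}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo
GOOD = make_assertion(SP_ENTITY_ID, "2024-01-01T11:59:00Z", "2024-01-01T12:05:00Z", "_req1")
WRONG_AUDIENCE = make_assertion("https://other-sp.example.test", "2024-01-01T11:59:00Z",
                                "2024-01-01T12:05:00Z", "_req2")
EXPIRED = make_assertion(SP_ENTITY_ID, "2024-01-01T11:00:00Z", "2024-01-01T11:50:00Z", "_req3")

if __name__ == "__main__":
    pending = {"_req1", "_req2", "_req3"}
    print(validate_assertion(GOOD, pending, NOW))            # (True, 'alice@example.test')
    print(validate_assertion(GOOD, pending, NOW))            # replay: InResponseTo rejected
    print(validate_assertion(WRONG_AUDIENCE, pending, NOW))  # audience mismatch
    print(validate_assertion(EXPIRED, pending, NOW))         # assertion expired
```

The second call with the same good assertion fails because its request ID was consumed on the first call; that is what makes a captured assertion useless to an attacker who replays it. The audience check is the one that prevents an assertion issued for one federated SP from being presented to another.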

Interoperability

  • Ensuring that IAM systems and the resources they protect can communicate and work together regardless of vendor or platform. In practice this means relying on open standards rather than proprietary connectors: SAML and OpenID Connect for authentication, OAuth for delegated authorization, LDAP for directory access, and SCIM for automated user provisioning and de-provisioning between systems.
  • Organizations need to confirm that an IAM solution is compatible with existing infrastructure, applications, and third-party services before adopting it; an application that cannot speak any of these standards ends up with its own local accounts, which fall outside central provisioning, de-provisioning, and attestation.