Identity and Access Management (IAM) - Lecture 3
• With the adoption of cloud services, an
organization's trust boundaries shift
dynamically.
• Thus the network, system and application
domains have moved into the service provider's
domain.
• This reduces the amount of control
enterprises have.
1. Provisioning
IAM supports the process of onboarding and offboarding users to
systems and applications.
Provides users with access to resources such as
• Data repositories
• Applications
• Databases
• Services
Note that provisioning is not responsible for deciding which
access rights are allocated; that is the job of entitlement
management (below).
2. Credential and Attribute Management
To minimize the risks associated with impersonation and
inappropriate account use, IAM supports the management of
credentials.
Handles the following:
• Static credentials (passwords)
• Dynamic (one time passwords)
• Password expiration
• Encryption management of credentials
• Access policies
3. Entitlement Management
Provisioning and deprovisioning of privileges.
4. Compliance Management
Monitoring of access rights and privileges. Helps auditors and
analysts verify that granted access complies with policy. Logging
and other related services are also provided.
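The check an auditor actually runs under compliance management is a reconciliation: what accounts hold on the target system versus what entitlement management approved, with deprovisioned accounts that still carry privileges flagged as orphans. The program below is an added illustration, not part of the lecture; the account records and approval matrix are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Account is one provisioned account as seen on a target system.
// Records below are constructed for this example.
type Account struct {
	User         string
	Active       bool     // false once deprovisioning has run
	Entitlements []string // privileges the system actually grants
}

// Finding is one compliance exception for an auditor to review.
type Finding struct {
	User, Entitlement, Reason string
}

// Reconcile compares what accounts actually hold against the approval
// matrix produced by entitlement management (user -> approved set).
// Two classes of exception are reported: entitlements with no approval,
// and entitlements lingering on accounts that were already deprovisioned.
func Reconcile(accounts []Account, approved map[string]map[string]bool) []Finding {
	var out []Finding
	for _, a := range accounts {
		for _, e := range a.Entitlements {
			switch {
			case !a.Active:
				out = append(out, Finding{a.User, e, "orphaned: account deprovisioned but entitlement remains"})
			case !approved[a.User][e]:
				out = append(out, Finding{a.User, e, "unapproved: no entitlement-management record"})
			}
		}
	}
	// Deterministic order so successive audit runs can be diffed.
	sort.Slice(out, func(i, j int) bool {
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		return out[i].Entitlement < out[j].Entitlement
	})
	return out
}

// SampleSnapshot returns constructed data: three accounts and the
// approvals on file for them.
func SampleSnapshot() ([]Account, map[string]map[string]bool) {
	accounts := []Account{
		{User: "alice", Active: true, Entitlements: []string{"db-read", "db-admin"}},
		{User: "bob", Active: false, Entitlements: []string{"vpn"}},
		{User: "carol", Active: true, Entitlements: []string{"app-user"}},
	}
	approved := map[string]map[string]bool{
		"alice": {"db-read": true},
		"carol": {"app-user": true},
	}
	return accounts, approved
}

func main() {
	accounts, approved := SampleSnapshot()
	for _, f := range Reconcile(accounts, approved) {
		fmt.Printf("%-6s %-9s %s\n", f.User, f.Entitlement, f.Reason)
	}
}
```

On the sample data this reports alice's unapproved db-admin and bob's orphaned vpn entitlement; carol is clean. The same loop, fed from a real system export and the entitlement store, is the core of a periodic access review.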
5. Centralization of authentication and
authorization
Alleviates the need to build custom authentication and
authorization methods into each application, since a central
authentication and authorization infrastructure is created.
• Identity federation is an industry best
practice that helps deal with heterogeneous,
dynamic, loosely coupled trust relationships.
• Identity federation enables interaction of
systems and applications separated by an
organization's trust boundary.
• Current mechanisms assume applications are within the
same administrative domain.
• Adding a user from outside means creating an account
within your own identity store. This could result in the new
user having access to more than just the intended
application.
• Federated Identity Management (FIM) securely shares
information managed at a user's home organization
with remote services.
• Within FIM systems it doesn't matter whether the service is in
your administrative domain or another. It's all handled the
same way.
• In Federated Identity Management:
• Identity Providers (IdP) publish authentication and identity
information about users
• Service Providers (SP) consume this information and make it
available to an application
• An IdP or SP is generically known as an entity
• The first principle within federated identity management is
the active protection of user information
• Protect the user’s credentials
• only the IdP ever handles the credential
• Protect the user's identity information, including the identifier
• a customized set of information is released to each SP. This limits
the impact of a compromise at any one SP.
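Both halves of the first principle can be shown in code: a per-SP release policy so each SP receives only the attributes it is entitled to, and a pairwise subject identifier so that two SPs cannot correlate the same user by comparing identifiers (the IdP-side keyed hash is the only thing that links them). The program below is an added illustration and not from the lecture; the entityIDs, attribute names, secret and user record are all hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ReleasePolicy maps an SP entityID to the attributes the IdP agrees to
// release to that SP.  Both entityIDs and attribute names are hypothetical.
var ReleasePolicy = map[string][]string{
	"https://library.example.edu/sp": {"displayName", "affiliation"},
	"https://payroll.example.com/sp": {"displayName", "mail", "employeeNumber"},
}

// PairwiseID derives a stable identifier that is different for every SP,
// so two SPs cannot correlate the same user by comparing subjects.
// HMAC keyed with an IdP-only secret; the zero byte separates the two
// inputs so that distinct (sp, user) pairs cannot collide.
func PairwiseID(secret []byte, spEntityID, userID string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(spEntityID))
	mac.Write([]byte{0})
	mac.Write([]byte(userID))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Release builds the attribute set for one SP: the pairwise subject plus only
// the attributes the policy allows.  An SP not in the policy gets nothing.
func Release(secret []byte, spEntityID, userID string, attrs map[string]string) (map[string]string, bool) {
	allowed, ok := ReleasePolicy[spEntityID]
	if !ok {
		return nil, false
	}
	out := map[string]string{"subject": PairwiseID(secret, spEntityID, userID)}
	for _, name := range allowed {
		if v, ok := attrs[name]; ok {
			out[name] = v
		}
	}
	return out, true
}

func main() {
	secret := []byte("idp-only-secret-never-leaves-the-idp") // constructed
	user := map[string]string{ // constructed record held at the home organization
		"displayName": "Ada Lovelace", "mail": "ada@example.edu",
		"affiliation": "staff", "employeeNumber": "12345",
	}
	sps := []string{"https://library.example.edu/sp", "https://payroll.example.com/sp", "https://unknown.example/sp"}
	for _, sp := range sps {
		attrs, ok := Release(secret, sp, "ada", user)
		if !ok {
			fmt.Printf("%s: not in policy, nothing released\n", sp)
			continue
		}
		keys := make([]string, 0, len(attrs))
		for k := range attrs {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		fmt.Printf("%s:\n", sp)
		for _, k := range keys {
			fmt.Printf("  %s = %s\n", k, attrs[k])
		}
	}
}
```

The library SP never sees the mail address or employee number, payroll never sees the affiliation, and an SP missing from the policy receives nothing at all. The pairwise subject is what SAML calls a persistent NameID scoped to one SP; rotating the IdP secret would re-key every subject, so in practice it is stored, not derived, once issued.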
• Users generally find the resulting single sign-on
experience nicer than logging in numerous times.
• Ease of integrating new services.
• Studies of applications that maintain their own user data
show that the majority of that data is out of date. Hence
applications with local user stores are often protecting
resources with stale data; federation lets them rely on the
home organization's current information instead.
• A group of organizations running IdPs and SPs
that agree on a common set of rules and
standards
• It’s a label for people to talk about such a collection of
organizations
• An organization may belong to more than one
federation at a time
• IdPs and SPs 'know' nothing about federations
• IAM enables the right individuals to access the
right resources at the right times and for the
right reasons
• IAM provides
– Authentication
– Authorization
– Auditing
• IAM is not a monolithic architecture
• It is a collection of technology components, processes, and
standard practices.
• IAM is composed of the following components
– User Management – Management of identities
– Authentication Management – management of authentication
activities
– Authorization Management – entitlement right management
– Access Management – Enforcement of access control policies
– Data management and provisioning – propagation of identity
and data for authorization to IT resources
– Monitoring and auditing – monitoring, auditing, reporting and
compliance activities.
• SAML (Security Assertion Markup Language) is an
XML-based markup language
• It is an open standard for exchanging
authentication and authorization data
between an IdP and an SP.
• There are three roles in SAML
– Identity provider
– Service provider
– Principal (the user)
1. The user attempts to reach a hosted Google application.
2. Google (the SP) generates a SAML authentication request.
3. The request is encoded and embedded into a URL, and the browser is
redirected to the IdP's SSO page.
4. The IdP decodes the URL and extracts the SAML request.
5. The IdP authenticates the user.
6. The IdP returns a SAML response signed with its own private key (the
response is signed, not encrypted; signing is what binds it to the IdP).
7. The browser forwards the response to the Google Assertion Consumer
Service (ACS). The ACS verifies the signature on the SAML response using
the IdP's public key.
8. The user is logged into the application.
(Encoding in step 3 is done by the SP; decoding in step 4 by the IdP.)
IdP = Identity Provider; SP = Service Provider; SSO = Single Sign-On;
ACS = Assertion Consumer Service
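Steps 3 through 7 of the flow above, as an added example that is not part of the lecture or of Google's own implementation. It shows the SP-side encoding of the HTTP-Redirect binding (DEFLATE, base64, URL-encode), the IdP-side decoding, and the key roles in steps 6 and 7: the IdP signs with its private key and the ACS verifies with the IdP's public key. Real SAML signs a canonicalised XML document with XML-Signature; here the serialised bytes are signed directly with RSA so that the signing and verification roles are visible without an XML-DSig library. The SSO URL, request and response bodies are constructed.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
)

// EncodeRedirect is step 3 as the SP performs it for the HTTP-Redirect
// binding: raw DEFLATE, base64, then URL-encode as the SAMLRequest parameter.
func EncodeRedirect(ssoURL, authnRequest string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(authnRequest)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	q := url.Values{"SAMLRequest": {base64.StdEncoding.EncodeToString(buf.Bytes())}}
	return ssoURL + "?" + q.Encode(), nil
}

// DecodeRedirect is step 4 at the IdP: undo the three layers.  The
// decompressed size is capped because the input is attacker-controlled.
func DecodeRedirect(redirectURL string) (string, error) {
	u, err := url.Parse(redirectURL)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(u.Query().Get("SAMLRequest"))
	if err != nil {
		return "", err
	}
	r := flate.NewReader(bytes.NewReader(raw))
	defer r.Close()
	xml, err := io.ReadAll(io.LimitReader(r, 1<<20))
	return string(xml), err
}

// SignResponse is step 6: the IdP signs the response with its private key.
func SignResponse(priv *rsa.PrivateKey, response []byte) ([]byte, error) {
	digest := sha256.Sum256(response)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyResponse is step 7 at the ACS: check the signature with the IdP's
// public key (obtained from federation metadata).  Nothing is decrypted.
func VerifyResponse(pub *rsa.PublicKey, response, sig []byte) bool {
	digest := sha256.Sum256(response)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// RunFlow drives steps 3-7 with a freshly generated IdP key and reports
// whether the genuine response verified and a tampered copy was rejected.
func RunFlow() (bool, error) {
	const sso = "https://idp.example.org/sso" // hypothetical IdP endpoint
	req := `<samlp:AuthnRequest ID="_req1" Destination="` + sso + `"/>` // constructed
	redirect, err := EncodeRedirect(sso, req)
	if err != nil {
		return false, err
	}
	if got, err := DecodeRedirect(redirect); err != nil || got != req {
		return false, fmt.Errorf("redirect round trip failed: %v", err)
	}
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	resp := []byte(`<samlp:Response InResponseTo="_req1"><saml:Assertion>user=ada</saml:Assertion></samlp:Response>`)
	sig, err := SignResponse(idpKey, resp)
	if err != nil {
		return false, err
	}
	// An attacker in the browser can change the bytes but cannot re-sign them.
	tampered := bytes.Replace(resp, []byte("user=ada"), []byte("user=admin"), 1)
	return VerifyResponse(&idpKey.PublicKey, resp, sig) &&
		!VerifyResponse(&idpKey.PublicKey, tampered, sig), nil
}

func main() {
	ok, err := RunFlow()
	fmt.Println("genuine accepted and tampered rejected:", ok, "err:", err)
}
```

The point of step 7 is in VerifyResponse: the ACS holds only the IdP's public key, which can verify but never produce a signature, so a response the browser altered in transit fails verification. Encrypting the assertion to the SP's public key is a separate, optional step in SAML and does not replace the signature.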
• Why do all these transactions place the user
at the center?
• Because the user's browser is the channel between the SP and
the IdP: it carries the request to the IdP and the signed
response back to the SP. Without the browser in the loop the
SP would have no way of learning that the IdP had accepted the
user's credential, short of the IdP contacting it directly, and
the credential itself would no longer stay with the IdP alone.