Access provision Lifecycle
IBM identity life cycle rules:
- Password Policy compliance checking
- Notifying users to change their passwords before they expire
- Identifying life cycle changes such as accounts that are inactive for more than 30 consecutive days
- Identifying accounts that are candidates for deletion because they have been suspended for more than 30 days
- Identifying new accounts that have not been used for more than 10 days following their creation
- When a contract expires, identifying all accounts belonging to a business partner or contractor’s employees and revoking their access rights
Account revoking and coordination with HR to track terminations and horizons and vertical moves or promotions within an organization.
User Entitlement, Access Review and Audit
- Access Aggregation – Individual users gain more access to more systems – intentional (as a function of SSO) or unintentional (gain new access rights)
- Authorization Creep – Users gain more access rights without shedding old ones
As part of the IAM (Identity and Access management) user entitlements need to be periodically reviewed and audited.
Federated Identity Management
With enterprise identity management rather than having separate credentials for each system, a user can employ a single digital identity to access all resources the user is entitled to. Federated identity management permits extending this approach above the enterprise level creating a trusted authority for digital identities across multiple organizations.
XML based framework for exchanging security information, including authentication data. One goal of SAML is enable web SSO at an Internet scale. Other forms of SSO also use SAML to exchange data.
Identity as a service (IDaaS)
Also know as Cloud identity such as Microsoft’s Live ID. The most significant justification for IDaaS stems from organizations continued adoption and integration of cloud hosted applications. Many IDaaS vendors directly integrate with theses services for SSO and central management. Other benefits include easier deployment and integration of 2 factor, self-service account management, password resets, support for mobile devices, and centralized audit capabilities.
The obvious security question is concern over breach of data.
Credential Management Systems
Credential Management Systems can help harden user credentials in meaningful ways such as: secure password generation, secure password storage, credential check-in and check-out, automatic password rotation, reduction in number of credentials users must remember, multi factor authentication to unlock credentials, audit logging of all interactions.
Integrating Third-Party Identity services
Deploying on premise 3rd party identity service helps integrate with internal applications that may not be able to interface externally. Another architecture calls for an on premise solution to integrate with cloud identity solutions allowing for greater portability.
Lightweight directory services provides a common open protocol for interfacing and queuing directory service information provides by network operating systems. It runs on TCP or UDP 389 is transmitted in cleartext and supports encryption. Active directory is an example of an LDAP.
Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES.
The current version is 5
- Principle: Client (user) or service
- Realm: A logical Kerberos Network
- Ticket: Data that authenticates a principle’s identity
- Credentials: A ticket and a service key
- KDC: Key Distribution Centre, which authenticates principals
- TGS: Ticket Granting Service
- TGT: Ticket Granting Ticket
- C/S: Client/Server, regarding communications between the two