1.22 Identity Proofing and Account Provisioning Part 2

Video Transcription
So when we look at identity and account provisioning, and we've just said our goal is to remove redundancy, let's first look at how things have traditionally happened.

So let's say that I'm an HR person. I hire someone to come in and I put all of their information into the HR database. Well, I'll either run a report, or in smaller companies I may just pick up the phone and say, "Hey, Jeff in IT, can you add this user to the domain? Here are his credentials." Usually there's a more formalized process as organizations become more formalized, but often there's a process that takes time for that information to get fed from HR, based on reports, and get entered on that page. And ultimately what we're doing is entering information that's the same as what we've already entered. So again, what we want to do is streamline this process.

If you take a look at this slide, what we'll see is there are multiple ways in which accounts can get created. I've just talked about HR, right? We have an HR database; you're hired, I enter your information. But also maybe I have a database of customers, and you call up, you're a customer, let me get your information. Congratulations, you're a new customer, you're in our database. And then we have multiple applications that need that information, right, that need those credentials. I go into a sales application; I need to be able to pull up your customer number. And maybe I have three different sales applications, so I have to create three different accounts, or even three of the same accounts that are redundant across those apps. That's not what we want to do.

So if you focus on this slide, what we have in the center is an identity repository. This is often referred to as an identity provider. In this instance, this is within the domain. So within a domain, basically we have a provisioning system where accounts are created, and those accounts, rather than staying locally in some sort of HR or CRM application, live or wind up being created in the identity repository. And like I said, that will often be referred to as an identity provider. Then all we need to do is point the applications to the identity provider, as opposed to creating the accounts again and again and again. As a matter of fact, you'll see this if you ever log on to a resource out on the Internet with your Facebook account. Right? You know how in the world Orbitz or the Washington Post can use my Facebook account? Because the Facebook account is where my information resides, and they're simply using that identity repository. It's an identity provider, and that's one of the areas that Facebook is participating in: currently they serve as an identity provider.

So basically what that allows is for me not to have to sign on again to multiple applications, multiple functions. It allows me not to have to create the same account over and over and over. It also makes it easy for me to remove an account: that account is removed as far as all applications are concerned. So this idea of streamlining account provisioning is one that's very important.

Now, when we look at this process, we've got to think about certain application architectures, certain languages, for making this streamlined. So the first thing that we've got to think about, if we go back to this, is that we have to make sure that these applications can pull information from this standard repository. Can they be integrated with this identity provider? You know what makes it so the Washington Post can pull information from Facebook, right? They're not the same; they're not owned by the same organization. Well, the beauty of these are APIs, application programming interfaces, and APIs are how web applications communicate with each other. So APIs are really important.

The problem with APIs is that they're not always standardized. So if you have your own custom API and I have my own custom API, we're not going to be able to communicate. So what we prefer are standards-based APIs, so that I know if I design an app, I'll be able to communicate with yours, because you're standardized and I'm standardized. We'll talk about this a lot, but we prefer standardization.

Now, a couple of languages, just to mention a couple of elements. First of all, I want to mention SPML, Service Provisioning Markup Language. A lot of times that does show up on the exam. So Service Provisioning Markup Language, and that tells you right away what this particular language does: it helps provision accounts. So when you're looking at the creation of an account in one application and being able to have that provisioned in an identity database or repository, it's SPML that makes that work. It's that moving of information from one application to another.

So when we look at these SPML elements, the benefit of it is that it has been around forever. It's tried and true. It's standardized. We like standardization. So SPML has some stuff going for it. Unfortunately, with SPML, any time you see "ML" it's always going to be an indicator that it's based on XML, Extensible Markup Language, and Extensible Markup Language is slow. It's too clunky, it's too cumbersome. And we know that speed is everything today, especially when we're connecting with smartphones and tablets and so on.

So SPML has really fallen out of favor for a new provisioning language called SCIM, System for Cross-domain Identity Management. You may also see it as Simple Cloud Identity Management, but I think the first, System for Cross-domain Identity Management, is what you'll see much more formally. What does it do? It gives a structure or schema for the API and provides the API standards-based, again, which is so important. And it's slimmer than SPML; it's more efficient. So that's what we want.

So when we're talking about provisioning, we looked at SPML traditionally, but SCIM today. One of the things you want to make sure of in these domains, as we talk about some different languages, different types of APIs, is that you're able to place each one in its category. What does this do? SPML and SCIM help with the automated creation of accounts.
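To make the "one identity repository, many applications" idea concrete, here is an added Python example that is not part of the course material. It models a toy SCIM 2.0 service (the JSON-based API the lecture says replaced SPML): an HR system creates a user with a SCIM `User` resource, three applications check the repository at sign-in instead of keeping their own account tables, and a single `PATCH` that sets `active` to false deprovisions the person everywhere at once. The `IdentityRepository` and `Application` classes, the application names, and the sample user are constructed for illustration; the schema URIs and message shapes follow the SCIM specifications (RFC 7643 and RFC 7644), but this is not a real SCIM server.

```python
"""Toy SCIM 2.0 provisioning demo (constructed example, not course code)."""
import json
from uuid import uuid4

# Schema URIs defined by RFC 7643 / RFC 7644.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, scim_type, detail):
    """Build the (status, body) pair a SCIM service returns on failure."""
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status),
                    "scimType": scim_type, "detail": detail}


class IdentityRepository:
    """Stands in for the identity provider at the centre of the slide."""

    def __init__(self):
        self._users = {}  # server-assigned id -> SCIM User resource

    def create_user(self, payload):
        """Handle POST /Users. Accepts a JSON string or dict; returns (status, body)."""
        body = json.loads(payload) if isinstance(payload, str) else dict(payload)
        if USER_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "invalidValue", "core User schema missing")
        if not body.get("userName"):
            return scim_error(400, "invalidValue", "userName is required")
        # userName must be unique within the provider (compared case-insensitively).
        if any(u["userName"].lower() == body["userName"].lower()
               for u in self._users.values()):
            return scim_error(409, "uniqueness", "userName already taken")
        user = {
            "schemas": [USER_SCHEMA],
            "id": str(uuid4()),  # assigned by the server, never by the client
            "userName": body["userName"],
            "active": bool(body.get("active", True)),
            "emails": body.get("emails", []),
        }
        self._users[user["id"]] = user
        return 201, user

    def patch_user(self, user_id, patch):
        """Handle PATCH /Users/{id}; this toy only supports replacing 'active'.
        Setting active=false is the usual deprovisioning step."""
        user = self._users.get(user_id)
        if user is None:
            return scim_error(404, "noTarget", "no such user")
        if PATCH_SCHEMA not in patch.get("schemas", []):
            return scim_error(400, "invalidSyntax", "PatchOp schema missing")
        for op in patch.get("Operations", []):
            if op.get("op") == "replace" and op.get("path") == "active":
                user["active"] = bool(op.get("value"))
            else:
                return scim_error(400, "invalidPath", "unsupported operation")
        return 200, user

    def get_user(self, user_id):
        """Handle GET /Users/{id}; None when the user does not exist."""
        return self._users.get(user_id)


class Application:
    """A relying application with no account table of its own: it asks the
    identity repository at sign-in time."""

    def __init__(self, name, idp):
        self.name = name
        self.idp = idp

    def can_sign_in(self, user_id):
        user = self.idp.get_user(user_id)
        return user is not None and user["active"]


def provisioning_walkthrough():
    """One hire, three applications, one deprovisioning step.
    Returns the observable results as a dict."""
    idp = IdentityRepository()
    apps = [Application(n, idp) for n in ("sales", "crm", "helpdesk")]
    # Constructed payload, as an HR system's SCIM client would send it.
    hr_request = json.dumps({
        "schemas": [USER_SCHEMA],
        "userName": "jdoe@example.com",
        "emails": [{"value": "jdoe@example.com", "primary": True}],
    })
    status, user = idp.create_user(hr_request)
    before = {a.name: a.can_sign_in(user["id"]) for a in apps}
    # A second HR record with the same userName is rejected, not duplicated.
    dup_status, _ = idp.create_user(hr_request)
    # Termination: one PATCH at the provider, no per-application clean-up.
    idp.patch_user(user["id"], {"schemas": [PATCH_SCHEMA],
                                "Operations": [{"op": "replace",
                                                "path": "active",
                                                "value": False}]})
    after = {a.name: a.can_sign_in(user["id"]) for a in apps}
    return {"create_status": status, "duplicate_status": dup_status,
            "before": before, "after": after}
```

Running `provisioning_walkthrough()` shows the property the lecture is after: all three applications accept the user right after the single HR-side create, the duplicate create is refused with a 409 `uniqueness` error instead of producing a second redundant account, and after one `active=false` patch every application refuses the sign-in, because none of them ever held a copy of the account to clean up.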