Identify and Access Management (IAM)


Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
>> Identity and access management.

In this lesson, we want to talk about the concepts of identity and access management, often referred to as IAM, the need for IAM in Cloud environments, and IAM considerations for application security.

Identity and access management are really two different management tasks that are often boxed together in what's referred to as IAM versus identity management. In Domain 2, we talked about data classification, figuring out its importance, figuring out its sensitivity. In Domain 1, we figured out which are the critical pieces of Cloud infrastructure. Well, based on those pieces of information, we determine the roles and responsibilities of the individuals who should access it.

Now, anybody who's going to be accessing the system needs to have an identifier, such as a username, and this identifier is what's used to identify them whenever they try to access the system. But for everybody who has access to the system, we also have a repository of those identities. The first step in determining access is to identify: a person presents a username and says, "I am this individual." In any application or broader environment, you need to have some mechanism that looks at that person's statement of who they are and checks it against the registry of the identities that are permitted to access the system, and says yes or no, whether this identity is even in the system.

Next comes access management. Someone may identify themselves, and we may even say, "Oh, yes, this person is in our records as being either an employee, a contractor, or having some form of access." However, we need to authenticate that person. Although they are claiming that identity, they need to then be authenticated. Most often, a password is used in tandem with a username to authenticate the user's identity as valid: that they have the password in order to prove not only that it is them, but that they have the password to show that they can access the system.

Then another important component of access management is: we've authenticated that this individual is who they say they are, or at least has that individual's password; now we need to look at the system and determine what accesses they are authorized to have. What privileges do they have within the context of this system? That's where it's really important to have important roles and responsibilities assigned and make sure that people have just as much access as they need to do their jobs. This is referred to as least privilege.

The confirmation of authorization is really the mechanism that enforces this, and that's where policy management comes in. The policy really sets the roles and responsibilities throughout the whole organization, and based on what people need to access, the policy really sets out what accesses are appropriate for individuals within every group. Then an individual's identity is added to a certain access or authorization group so that when they authenticate to the system, they are then able, based on this policy, to access and do the different tasks they need to in the Cloud environment. This is very important when it comes to individuals trying to escalate or change their privilege or posses the brands of their privilege.

An organization with effective identity and access management should really review the access of all the individuals within their organization, especially when it comes to sensitive applications and pieces of infrastructure, on a regular basis. There should be mechanisms to remove users who have left the organization, whether they are permanent employees who have been terminated or consultants who are only coming in for a certain period of time.

Another important concept to understand is federation. Federation is the practice of identity and access management, but extended to other organizations. Federated refers to the trust between these organizations, that when an individual is identified and authenticated within one organization, that authentication extends to other organizations. They don't have to get authorized and log in every single time they go to another organization. That trust is federated across the different organizations.

Quiz question. Which of the following is the correct order of steps to evaluate a user's access to a cloud-based system? Number 1, authenticate, identify, authorize. Two, identify, authenticate, and authorize. Or three, authorize, authenticate, and identify. If you said identify, authenticate, and authorize, you're correct. First, an individual claims an identity. Second, they provide some piece of secret information that only that individual should know, such as a password, in order to authenticate that claim of that identity. Then, within the system, that identity and their privileges are checked and authorized against the organization's policy. These things work in tandem or in concert to really create identity and access management.

In this video, we covered the importance of identity and access management. It's really the main mechanism and series of concepts that are used to grant people access and determine the authorization they have to do different things within a Cloud environment. We talked about the components of IAM in Cloud environments. We tied it back to our business impact analysis and determining the appropriate roles and responsibilities within a Cloud environment to ensure that the principle of least privilege is enforced, to provide the greatest amount of security and make sure that anybody who has access and shouldn't is identified and that access is removed. I'll see you in the next lesson.