Identity, Entitlement and Access Management

Video Activity

Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
>> We are on Domain 12, Identity, Entitlement and Access Management. In this module, we'll cover those topics by looking at identity access management terminology, IAM standards for the Cloud, and managing identities in the Cloud. Then we'll go on to authentication and credentials and wrap up talking about entitlement and access management. The remainder of this video is focused on the CSA definitions for identity and access management terminology.

According to Gartner, identity and access management is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. I added my own clause to reflect the inverse as well, which is that Identity Access Management safeguards to ensure only those individuals have that access. You want to make sure that they have the right access for the right reasons, the individuals that should be having the access. Those that should not have that access are not provided with that access. It's a two-way street.

Terminology is often ambiguous, and the CSA guidance provides definitions for a variety of terms in the identity and access management space. I'm going to go through and read those and explain those to you in these next few slides.

We'll start out with an entity. An entity is the person or thing that will have the identity. It could be an individual, it could be a system, it could be a device, or it could even be application code. Then the identity is a reflection of that entity. This is a unique expression of an entity within a given namespace. An entity can have multiple digital identities. For example, a single individual can have their work identity, which I've outlined here, jcool@work.com or jcoolwork.com. They can have a social media identity. They can have a personal identity. I've given an example here where we have this one individual entity. It's the same human being, but they have multiple digital identities.

Expanding on identities, we get into identifiers. This is the means by which the identity can be asserted. For digital identities, this is often a cryptological token. In the real world, it might be something like your passport. In this particular example, I've laid out the Windows SID and the Linux UID to identify this individual uniquely. These are the user IDs and the system IDs that are assigned to this individual's account, which is his identity jcool@work.com.

Then we also have attributes, and these are facets of an identity. Attributes can be relatively static, for example, our organizational unit or group memberships, or they can be very dynamic, for example, IP addresses, or the device that you are accessing a system from, or if you've been authenticated using multi-factor authentication.

A persona is the expression of an identity with attributes that indicate context. Here we have an example, the same identity. We have the entity, Joe Cool. He has multiple different personas. Outside of the workplace, he is the father of four. At work, he is both a functional manager, managing people, providing annual reports, feedback, guidance, and at the same time he has a different persona where he gets down in front of that keyboard and he's an actual Linux admin himself, and he performs technical tasks and work.

We'll go into role here. Identities can have multiple roles, which indicate contexts. Role is a confusing and abused term used in many different ways. For our own purposes, we'll think of it as similar to a persona, but as a subset of a persona. For example, a given Linux admin will be in the server admin role when he logs into the particular Linux machine. This is a hypothetical example I've laid out where the role of server admin is given to Joe Cool as he's operating in the Linux admin persona. When he logs into a particular server, he has the associated rights and permissions to perform the administrative actions.

Continuing on with terminology, authentication. This is the process of confirming an identity. When you log into a system, you present a username and password. This is also referred to as AuthN. That's the shorthand for it, and you'll see me using it, and you'll also see it in a lot of other papers. Authorization, on the other hand, is allowing an identity to access something, whether it's data or to perform a certain function. This is also referred to as AuthZ in shorthand. If you see those on the test, if you see those in general in the real world: AuthN, remember it's authentication, that's confirming who you are. Authorization is saying, yes, you're allowed to do this.

Access control is restricting access to a resource. Access management is the process of managing access to the resources. Then finally, let's look at entitlements. That's mapping an identity, including its roles, personas, and attributes, to an authorization. The entitlement is what they are allowed to do. For documentation purposes, we keep all of these in an entitlement matrix. We've talked about that previously in earlier modules, and we will be touching on that again later in this module as well.

We add a little more color here with Federated Identity Management, which is the process of asserting an identity across different systems or organizations. This is a key enabler of single sign-on and also core to identity and access management in the Cloud computing environment. Within that context, we have an authoritative source. This is the root source of an identity, such as the directory server that manages employee identities. You have an identity provider. This is the source of the identity in the federation context. The identity provider isn't always the authoritative source, as sometimes the two can be decoupled, especially when we're talking about identity brokers, a pattern we'll get into in a little bit. Then we finally have the relying party. This is the system that relies on an identity assertion from the identity provider.

In this video, we reviewed the definitions for key terms in identity and access management according to the CSA guidance. You may encounter in the real world slight variances on these definitions. Personally, I like these definitions, and they help disambiguate conversations and add clarity when you're talking about some of the very related, but potentially overlapping, concepts in the world of Identity and Access Management.
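To tie the terms from this video together, here is an added example (not code from the course or from the CSA guidance) in which one entity's identity carries personas, roles and static attributes, an entitlement matrix maps persona and role plus dynamic attributes such as MFA to authorizations, and a relying party performs AuthN by accepting only assertions from a trusted identity provider before doing AuthZ. All names, the IdP issuer and the matrix rows are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Identity:
    """A digital identity of an entity: its unique name in a namespace plus its personas."""
    name: str           # e.g. "jcool@work.com" (the identity, not the entity Joe Cool)
    personas: dict      # persona -> set of roles held while acting in that persona
    static_attrs: dict  # relatively static attributes, e.g. organizational unit

# Entitlement matrix (constructed rows): persona + role, under these attribute
# conditions, maps to these authorizations.
ENTITLEMENT_MATRIX = [
    {"persona": "linux-admin", "role": "server-admin",
     "requires": {"mfa": True, "ou": "IT"},
     "allows": {"server:restart", "server:read-logs"}},
    {"persona": "functional-manager", "role": "people-manager",
     "requires": {}, "allows": {"hr:read-reports"}},
]
TRUSTED_IDPS = {"idp.work.example"}  # relying party's trusted identity providers (constructed)

def authenticate(assertion: dict):
    """AuthN at the relying party: accept the subject only from a trusted IdP."""
    if assertion.get("issuer") not in TRUSTED_IDPS:
        return None
    return assertion.get("subject")

def entitlements(identity: Identity, persona: str, context: dict) -> set:
    """Authorizations the identity holds in this persona, given dynamic attributes."""
    attrs = {**identity.static_attrs, **context}  # static + dynamic (MFA, device, IP)
    allowed = set()
    for row in ENTITLEMENT_MATRIX:
        if row["persona"] != persona or row["role"] not in identity.personas.get(persona, set()):
            continue
        if all(attrs.get(k) == v for k, v in row["requires"].items()):
            allowed |= row["allows"]
    return allowed

def authorize(assertion: dict, store: dict, persona: str, context: dict, action: str) -> bool:
    """AuthZ: authenticate the assertion, resolve the identity, check the entitlement."""
    subject = authenticate(assertion)
    if subject is None or subject not in store:
        return False
    return action in entitlements(store[subject], persona, context)

# Constructed sample: Joe Cool's work identity with two work personas.
STORE = {"jcool@work.com": Identity(
    name="jcool@work.com",
    personas={"linux-admin": {"server-admin"}, "functional-manager": {"people-manager"}},
    static_attrs={"ou": "IT"})}
```

The same identity is denied server administration without MFA or when acting in the functional manager persona, and any assertion from an untrusted issuer fails AuthN before entitlements are even consulted.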