we are on domain 12 Identity entitlement in access management and this model will cover those topics by looking at identity access management terminology.
I am standards for the cloud managing identities in the cloud,
and we'll go into authentication and credentials
and wrap up talking about entitlement in access management.
The remainder of this video is focused on the C S. A definitions for identity and access management terminology.
According to Gartner, identity and access management is the security discipline that enables the right individuals to access. The right resource is at the right times for the right reasons.
And I added my own claws to reflect the inverse as well, which is an IT identity access management safeguards to ensure Onley those individuals have that access so you want to make sure that they have the right access to the right reasons. The individuals that should be having the access
and those that should not have that access are not provided with that access. It's a two way street
terminology is often ambiguous in the C s. A guidance provides definitions for a variety of terms in the identity and access management space. I'm gonna go through and read those and explain those to you in these next few slides will start out with an entity. An entity is the person or thing that will have the identity.
It could be an individual. It could be a system. It could be a device or could even be application code.
Then the identity is a reflection of that entity, and this is a unique expression of an entity within a given name space. An entity can have multiple digital identities. For example, a single individual can have their work identity, which I've outlined here. Joe Cool at work dot com or jay. Cool work dot com They can have
social media identity.
They can have a personal identity. Right? And I've given an example here where that we have this one individual entities, the same human being. But they have multiple digital identities expanding on identities we get into identifiers. This is the means by which the identity can be asserted for digital identities. This is often a cryptologic token.
In the real world, it might be something like your passport.
This particular example. I've laid out the windows s I d in the linen you I d to identify this individual uniquely these air that the user ID's and the System I DS that are assigned to this individual's account, which is his identity. Jay cool at work dot com.
Then we also have attributes, and these air facets of an identity attributes can be relatively static
for example, organizational unit or group memberships. Or they could be very dynamic. For example, I P addresses or the device that you are accessing a system from or if you've been authenticated, using multi factor authentication. Persona is the expression of an identity with attributes that indicates context.
So here we have an example the same identity we have. The entity
Joe Cool. He has multiple different personas outside of the workplace. He is the father of four at work. He is both a functional manager. He's managing people, providing annual reports, feedback guidance. At the same time, he has a different persona where he gets down in front of that keyboard
and he's an actual limits admin himself, and he performs technical tasks and work.
We're going to roll here. Identities can have multiple roles for which indicate context role Is it confusing and abused term used in many different ways for our purposes will think of it similar to a persona, but as a subset of a persona. For example, a Given Lennox admin will be the server admin role when he logs into the particular linens machine.
This hypothetical example. I've
laid out where the role of server admin is given to Joeckel as he's operating in the Lenox admin persona. So when he logs into a particular server, he has the associated rights and permissions to perform the administrative actions continuing on with terminology authentication. This is the process of confirming an identity.
When you log into a system, you present a user name
and this is also referred to his off em. That's the shorthand for and you'll see me using. And you also see it a lot of other papers. Authorization, on the other hand, is allowing an identity to access something, whether it's data or perform a certain function. This is also referred to his off Z in shorthand. So if you see those
on the test, if you see those in general in the world, real world often remember, it's authentication. That's confirming who you are.
Authorization is saying yes, you're allowed to do this. Access control is restricting access to a resource. Access management is the process of managing access to the resource is,
and finally, little get entitlements. That's mapping and identity,
including his roles, personas and attributes to an authorization Entitlement is what they are allowed to do and for documentation purposes. We keep all of these in an entitlement matrix. We've talked about that previously and earlier models, and we will be touching on that again later in this module as well. We had a little more color here with
Federated Identity Management, which is the process of asserting an identity across different systems
or organizations. This is a key enabler of single sign on and also court to identity and access management in the cloud computing environment. Within that context, we have an authoritative source. This is the root source of an identity, such as the directory server that manages employees identities.
You have an identity provider. This is the source of the identity in the federation context.
That entity provider isn't always the authoritative source. The identity provider isn't always the authoritative source, as sometimes the two can be decoupled, especially when we're talking about identity brokers, which will get into that pattern a little bit. And then we finally have the relying party.
This is the system that relies on identity assertion from the identity provider.
This video we reviewed the definitions for key terms and identity and access management. According to the C S. A guidance you make encounter in the real world slightly variances on these definitions. Personally, I like these definitions, and it helps dis ambiguity conversations and adds clarity to when you're talking about some of the
very related concepts
but potentially overlapping concepts in the world of identity and access management.