Tuesday, March 14, 2023

Identity and Access Management Concept

Identity and Access Management (IAM) is the discipline of controlling access to assets: information, systems and devices. It covers granting and revoking the privileges needed to access data or perform actions on systems. The goal of IAM is to give the right people the right access to the right resources at the right time. Controlling access to assets is a central theme of security: every asset should be protected, with the level of protection matched to the system's context and criticality.

IAM can be broken down into four core interconnected concepts.

  • Identification
  • Authentication
  • Authorization
  • Auditing and Accountability

Many regulations require that identification, authentication and authorization activity is recorded in audit or security logs, so that users can be held accountable and forensic analysis is possible if a security incident occurs.

Identification

  • Identification is the process of a user claiming an identity. 
  • A user is an active entity that accesses a system to receive information or perform an action. 
  • Users can be persons, programs, services, or anything else that can access a resource. 
  • A user must provide an identity to a system to start the authentication, authorization, and accountability processes. 
  • Providing an identity might entail typing a username, swiping a smartcard, or positioning your hand, face or finger in front of a scanning device. 
  • Identification is usually integrated with user management. 
  • User management involves creating and managing user identities, bundling them into groups for effective management and assigning users and groups to roles. 
  • User management operations include creating, modifying, and deleting user identities, as well as granting and revoking credentials and roles.

Authentication

  • Authentication is the process of validating the identity a user has claimed. 
  • The three basic authentication factors are as follows. 
    • Type one, something you know: a password or passphrase, or a personal identification number (PIN). 
    • Type two, something you have: a physical device in the user's possession, such as a one-time password generator, smartcard or hardware token. 
    • Type three, something you are: a physical characteristic of the person, measured with some form of biometrics, such as fingerprints, voice prints or retina patterns. 
  • Multi-factor authentication uses two or more factors from different categories, for example something you know combined with something you have. Two checks from the same category (two passwords, say) are still single-factor. 
  • Combining categories raises the bar because an attacker has to defeat each factor separately to break the scheme.
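As an added example (not code from the original post), the two-factor check described above: a salted, iterated password hash for the "something you know" factor and an RFC 6238 TOTP code for the "something you have" factor. The user record and the TOTP secret are constructed for illustration; the secret is the well-known RFC 6238 test-vector key, so the codes it produces are verifiable against the RFC.

```python
import hashlib
import hmac
import os
import struct

# Factor categories (the "types" from the text).
KNOW, HAVE, ARE = "something you know", "something you have", "something you are"


# --- Type one, something you know: salted, iterated password hash -----------
def hash_password(password, salt=None, iterations=200_000):
    """Store a PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record, password):
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


# --- Type two, something you have: TOTP (RFC 6238) built on HOTP (RFC 4226) --
def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """Code for the 30-second step containing Unix time `at`."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, window=1):
    """Accept the current step and `window` steps either side (clock drift)."""
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step), code)
        for k in range(-window, window + 1)
    )


# --- Combining the factors ---------------------------------------------------
# Constructed sample user (assumption, not from the page); the TOTP secret is
# the RFC 6238 test-vector key "12345678901234567890".
USERS = {
    "alice": {
        "password": hash_password("correct horse battery staple", salt=b"\x00" * 16),
        "totp_secret": b"12345678901234567890",
    }
}


def is_multi_factor(categories):
    """Two checks from one category (e.g. two passwords) are still one factor."""
    return len(set(categories)) >= 2


def authenticate(username, password, code, at):
    """Return {"ok": bool, "factors": [categories that passed]}.

    A real login endpoint should return one generic failure so the response
    does not reveal which factor was wrong, and should run a dummy password
    hash for unknown users so the timing does not reveal which usernames exist.
    """
    user = USERS.get(username)
    if user is None:  # identification failed: fail closed
        return {"ok": False, "factors": []}
    passed = []
    if verify_password(user["password"], password):
        passed.append(KNOW)
    if verify_totp(user["totp_secret"], code, at):
        passed.append(HAVE)
    return {"ok": len(passed) == 2 and is_multi_factor(passed), "factors": passed}
```

At Unix time 59 the RFC 6238 secret yields code 287082, so `authenticate("alice", "correct horse battery staple", "287082", 59)` succeeds, while the same call with the wrong password, a wrong code, or an unknown username fails. `is_multi_factor([KNOW, KNOW])` is False: that is the "different categories" rule from the text expressed in code.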

Authorization

  • Authorization defines what a user is allowed to access after authenticating. Unauthorized users should not be able to reach business assets or perform critical functions. 
  • Authorization can be controlled by policies, for example time-of-day restrictions, session length limits, file or folder access rights and more. 
  • Setting the right authorizations is critical for data protection, fraud prevention and regulatory compliance in general. 
  • Two authorization principles are especially important. 
    • The principle of least privilege: give a user or process only the privileges essential to perform its intended function. 
    • Separation of duties: its primary objective is the prevention of fraud and errors, achieved by distributing the tasks and associated privileges of a business process among multiple users, so that no single person can complete it alone.
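The following is an added example, not code from the original post, showing the three authorization ideas above in one small policy: roles that carry only the permissions their job needs (least privilege), a payment workflow in which the person who creates a payment may never approve it (separation of duties, enforced both at role-assignment time and at decision time), and a time-of-day restriction on approvals. The roles, permissions and business-hours window are assumptions made for the illustration.

```python
from datetime import datetime

# Least privilege: each role carries only the permissions its job needs.
ROLE_PERMISSIONS = {
    "clerk": {"payment:create", "payment:read"},
    "approver": {"payment:approve", "payment:read"},
    "auditor": {"payment:read"},
}

# Static separation of duties: role pairs one person may never hold together.
SOD_CONFLICTS = [frozenset({"clerk", "approver"})]


def assign_role(roles, new_role):
    """Return the updated role set, refusing assignments that break SoD."""
    for pair in SOD_CONFLICTS:
        if new_role in pair and (roles & pair) - {new_role}:
            raise ValueError(
                f"separation of duties: {new_role!r} conflicts with {sorted(roles & pair)}"
            )
    return set(roles) | {new_role}


def permissions_for(roles):
    """Union of the permissions granted by the user's roles."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def authorize(user, roles, action, payment, now):
    """Decide whether `user` may perform `action` on `payment` at time `now`.

    Returns (allowed, reason); the reason is what should be written to the
    audit log alongside the decision.
    """
    if action not in permissions_for(roles):
        return False, "no role grants this permission"
    if action == "payment:approve":
        # Dynamic separation of duties: the creator of a payment may not approve it,
        # even if role assignment somehow let them hold both roles.
        if payment["created_by"] == user:
            return False, "creator may not approve their own payment"
        # Time-of-day policy (assumed): approvals only Monday to Friday, 09:00-17:00.
        if now.weekday() >= 5 or not 9 <= now.hour < 17:
            return False, "approvals allowed only during business hours"
    return True, "allowed"


if __name__ == "__main__":
    payment = {"id": 42, "created_by": "alice"}  # constructed sample record
    when = datetime(2023, 3, 14, 10, 0)
    print(authorize("bob", {"approver"}, "payment:approve", payment, when))
    print(authorize("alice", {"approver"}, "payment:approve", payment, when))
    print(authorize("bob", {"approver"}, "payment:approve", payment, when.replace(hour=22)))
```

Returning the reason with the decision rather than a bare boolean is deliberate: the authorization layer is the natural place to produce the "why" that the audit trail in the next section needs.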

Auditing and Accountability

  • The final piece of the IAM puzzle is auditing and accountability. 
  • Auditing is the process of tracking users and their activities so that they can be held accountable. 
  • If a user misuses privileges, or a compromise is suspected, the collected audit logs are what an investigation relies on to reconstruct what happened and hold the user accountable. 
  • These capabilities make users accountable for their actions, verify that security policies are actually enforced, and serve as forensic evidence. 
  • Auditing capabilities are also necessary to fulfil regulatory or compliance obligations.
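An added example (not the post's own code) of the audit trail this section describes: an append-only log of identification, authentication and authorization events in which each entry carries the hash of the previous one, so that editing or deleting an entry after the fact is detectable, plus two of the questions an investigator asks of such a log: what did a given user do, and which subjects show repeated authentication failures. The event records are constructed for the illustration.

```python
import hashlib
import json


class AuditLog:
    """Append-only log whose entries are hash-chained for tamper evidence."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same content always hashes the same way.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, ts, subject, event, outcome, **details):
        """Append one event; `prev` links it to the entry before it."""
        body = {
            "ts": ts, "subject": subject, "event": event, "outcome": outcome,
            "details": details,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first entry that breaks the chain, or -1."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def activity(self, subject):
        """Everything a given subject did, in order: the accountability question."""
        return [e for e in self.entries if e["subject"] == subject]


def repeated_auth_failures(log, threshold=3):
    """Subjects with at least `threshold` failed authentications (a misuse signal)."""
    counts = {}
    for e in log.entries:
        if e["event"] == "authentication" and e["outcome"] == "failure":
            counts[e["subject"]] = counts.get(e["subject"], 0) + 1
    return {s for s, n in counts.items() if n >= threshold}


def sample_log():
    """Constructed events (not real data) covering the three IAM activities."""
    log = AuditLog()
    log.record("2023-03-14T09:00:01Z", "alice", "authentication", "success",
               factors=["password", "totp"])
    log.record("2023-03-14T09:00:05Z", "alice", "authorization", "success",
               action="payment:create", payment=42)
    log.record("2023-03-14T09:01:00Z", "alice", "authorization", "failure",
               action="payment:approve", payment=42,
               reason="creator may not approve their own payment")
    for t in ("09:02:00", "09:02:10", "09:02:20"):
        log.record(f"2023-03-14T{t}Z", "mallory", "authentication", "failure",
                   reason="bad password")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify() == -1)
    print("alice did:", [(e["event"], e["outcome"]) for e in log.activity("alice")])
    print("repeated failures:", repeated_auth_failures(log))
    log.entries[2]["outcome"] = "success"  # someone edits the log afterwards
    print("first bad entry:", log.verify())
```

The hash chain only makes tampering detectable, not impossible: an attacker who can rewrite the whole file can recompute every hash, so in practice the log is shipped to a separate system that the audited users cannot write to, and the chain is checked there.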

Challenges

Insecure implementation of identification, authentication, authorization or accountability can lead to a number of problems. 
Some examples are:

  • Identity theft
  • Attacks on authentication
  • Misplaced trust in the means of authentication
  • Improper or missing authorization checks
  • Incorrect permission assignments
  • Unprotected or unencrypted API and external calls
  • Untraceable access
  • Missing logs of security events
  • Unnecessary usage or storage of personal data.
