Identity and Access Management
1. Overview of IAM
- Definition:
- IAM is a framework of policies and technologies.
- Ensures that the right users (identity) have the appropriate access (authorization) to the right resources.
- Core Components:
- Identification: Uniquely identifying a user or entity.
- Authentication: Verifying the identity of that user or entity.
- Authorization: Determining what resources the authenticated entity can access and what actions they can perform.
- Access Control: Enforcing the authorization policies.
- Auditing: Recording and reviewing access events for security and compliance.
- Key Concepts:
- Identity Provider (IdP): A system that creates, maintains, and manages identity information for users and provides authentication services.
- Principal: An entity (user, application, service) that can be authenticated and authorized to access resources.
- Resource: Any entity that a principal might want to access (e.g., files, applications, databases).
- Policy: A set of rules that define who has access to what resources and under what conditions.
- Role: A collection of permissions that can be assigned to a user or group.
- Common IAM Practices:
- Benefits of IAM:
- Enhanced Security: Reduces the risk of unauthorized access and data breaches.
- Improved Compliance: Helps meet regulatory requirements for data protection and privacy.
- Increased Efficiency: Streamlines user access management and reduces administrative overhead.
- Better User Experience: Simplifies the login process and provides users with easy access to the resources they need.
2. Domain Specific IAM
2.1. Cloud IAM
- Definition: Cloud IAM systems manage identities and access to cloud resources and services.
- Key Features:
- Identity Management: Creating, managing, and authenticating user and application identities.
- Access Control: Defining and enforcing permissions on cloud resources (e.g., compute instances, storage buckets, databases).
- Multi-Factor Authentication (MFA): Enhancing security by requiring multiple verification factors.
- Role-Based Access Control (RBAC): Assigning permissions based on roles within an organization.
- Policy Management: Defining policies that govern access to resources.
- Auditing and Logging: Tracking access attempts and resource usage for compliance and security monitoring.
- Examples:
- AWS IAM (Identity and Access Management): AWS's service for controlling access to AWS resources.
- Azure Active Directory (Azure AD): Microsoft's cloud-based identity and access management service.
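The policy, role and MFA bullets above describe how a cloud IAM decision is reached. The following is an added example, not part of these notes or of any vendor's implementation: a small policy evaluator in Python whose rules follow the evaluation logic AWS IAM documents publicly (deny by default, an explicit Deny overrides any Allow, wildcards in actions and resources, a condition requiring MFA). The `storage:` actions, `bucket:` resources, role names and principals are constructed for the demonstration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Principal:
    name: str
    roles: list
    mfa_authenticated: bool = False


# Constructed sample role policies (hypothetical action and resource names).
ROLE_POLICIES = {
    "ReadOnly": [
        {"Effect": "Allow",
         "Action": ["storage:Get*", "storage:List*"],
         "Resource": ["bucket:app-logs/*"]},
    ],
    "LogAdmin": [
        # Full access to the bucket, but only from an MFA-authenticated session.
        {"Effect": "Allow",
         "Action": ["storage:*"],
         "Resource": ["bucket:app-logs/*"],
         "Condition": {"Bool": {"MultiFactorAuthPresent": True}}},
        # An explicit Deny protects the audit trail even from administrators.
        {"Effect": "Deny",
         "Action": ["storage:DeleteObject"],
         "Resource": ["bucket:app-logs/audit/*"]},
    ],
}


def _matches(patterns, value):
    """Wildcard match of an action or resource string against policy patterns."""
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_ok(statement, principal):
    """Only one condition key is modelled: whether MFA was used for this session."""
    cond = statement.get("Condition", {}).get("Bool", {})
    required = cond.get("MultiFactorAuthPresent")
    return required is None or principal.mfa_authenticated == required


def is_allowed(principal, action, resource, audit_log=None):
    """Default deny; a matching explicit Deny overrides any matching Allow.

    Every decision is appended to audit_log (if given), mirroring the
    auditing component of IAM.
    """
    effects = set()
    for role in principal.roles:
        for st in ROLE_POLICIES.get(role, []):
            if (_matches(st["Action"], action)
                    and _matches(st["Resource"], resource)
                    and _condition_ok(st, principal)):
                effects.add(st["Effect"])
    if "Deny" in effects:
        decision = "DENY (explicit)"
    elif "Allow" in effects:
        decision = "ALLOW"
    else:
        decision = "DENY (implicit)"
    if audit_log is not None:
        audit_log.append({"principal": principal.name, "action": action,
                          "resource": resource, "decision": decision})
    return decision == "ALLOW"


if __name__ == "__main__":
    log = []
    alice = Principal("alice", ["ReadOnly"])
    bob = Principal("bob", ["LogAdmin"], mfa_authenticated=True)
    is_allowed(alice, "storage:GetObject", "bucket:app-logs/2024/app.log", log)
    is_allowed(bob, "storage:DeleteObject", "bucket:app-logs/audit/2024.log", log)
    for entry in log:
        print(entry)
```

The two points worth noticing when reading the audit log are that a principal without MFA gets an implicit deny even though a matching Allow exists (the condition fails, so the statement is simply ignored), and that the admin's delete of an audit object is an explicit deny regardless of how many Allows also match.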
2.2. Web Applications IAM
- Definition: IAM for web applications focuses on authenticating users and authorizing access to application resources and APIs.
- Key Features:
- Authentication: Verifying user identities, often through username/password, social logins, or federated identity providers.
- Authorization: Determining what resources and actions a user is permitted to access.
- Single Sign-On (SSO): Allowing users to authenticate once and access multiple applications.
- Delegated Authorization: Enabling users to grant limited access to their resources to third-party applications.
- Protocols and Standards:
- OAuth (Open Authorization): A standard for delegated authorization, commonly used to grant third-party applications access to user resources without sharing credentials.
- OpenID Connect (OIDC): An authentication layer built on top of OAuth 2.0, providing user identity information to applications.
- SAML (Security Assertion Markup Language): An XML-based standard for exchanging authentication and authorization data between security domains.
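OIDC delivers identity to the application as an ID token (a signed JWT), and the application's side of the protocol is mostly validation of that token. The following is an added example, not code from these notes or from any OIDC library: a relying party's checks on an ID token (signature with a pinned algorithm, issuer, audience, expiry, nonce) implemented with the Python standard library. It uses an HS256 shared key so it runs offline; real providers normally sign with RS256/ES256 and publish public keys through a JWKS endpoint. The issuer, audience, key and nonce values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demonstration (not real endpoints or secrets).
ISSUER = "https://idp.example"
AUDIENCE = "my-web-app"          # the relying party's client_id
KEY = b"constructed-shared-secret-for-demo"
NONCE = "nonce-constructed-per-login"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a JWT the way the (simulated) identity provider would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    pass


def verify_id_token(token, key, issuer, audience, nonce, now):
    """Relying-party validation of an OIDC ID token; raises TokenError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the relying party expects rather than trusting the header.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    # Only after the signature holds are the claims worth reading.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("expired")
    if claims.get("nonce") != nonce:   # binds the token to this login attempt
        raise TokenError("nonce mismatch")
    return claims


def make_sample_token(now, **overrides):
    """Constructed ID token from the simulated provider; overrides alter claims."""
    claims = {"iss": ISSUER, "sub": "user-123", "aud": AUDIENCE,
              "iat": now, "exp": now + 300, "nonce": NONCE}
    claims.update(overrides)
    return sign_hs256(claims, KEY)


def outcome(token, now):
    """Return 'ok:<sub>' on success or the rejection reason."""
    try:
        return "ok:" + verify_id_token(token, KEY, ISSUER, AUDIENCE, NONCE, now)["sub"]
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    t = 1_700_000_000
    print(outcome(make_sample_token(t), t))                     # ok:user-123
    print(outcome(make_sample_token(t, aud="other-app"), t))    # audience mismatch
    print(outcome(make_sample_token(t), t + 600))               # expired
```

The order of checks matters: the signature is verified before any claim is read, so a token whose payload was altered after signing is rejected without its claims ever influencing a decision, and the audience check is what stops a token legitimately issued for one application from being accepted by another.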
2.3. Operating System IAM
- Definition: OS-level IAM manages user authentication and access control for operating system resources.
- Key Features:
- User Account Management: Creating, managing, and authenticating user accounts.
- Privilege Management: Assigning and controlling user privileges and permissions.
- Authentication Mechanisms: Supporting various authentication methods, such as passwords, keys, and biometrics.
- Access Control Lists (ACLs): Defining permissions on files, directories, and other OS resources.
- Group-Based Access Control: Managing access based on user groups.
- Examples:
- Linux PAM (Pluggable Authentication Modules): A framework for flexible authentication in Linux systems.
- Windows Active Directory (AD): Microsoft's directory service for managing users, computers, and other network resources in a Windows domain.
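The ACL and group-based bullets above are most concrete in the POSIX permission model. The following is an added example, not part of these notes or of any operating system's code: the standard POSIX mode-bit decision in Python, including the rule practitioners most often get wrong, which is that exactly one class (owner, group or other) applies to a caller, so a file's owner is judged by the owner bits even when the group or other bits are more permissive. The uids, gids and modes are constructed.

```python
R, W, X = 4, 2, 1   # permission bits within one class


def applicable_bits(mode, uid, gids, owner_uid, owner_gid):
    """Select the single class of bits that applies to this caller."""
    if uid == owner_uid:
        return (mode >> 6) & 0o7       # owner class, even if group bits are wider
    if owner_gid in gids:
        return (mode >> 3) & 0o7       # group class (any supplementary group counts)
    return mode & 0o7                  # other class


def permitted(mode, uid, gids, owner_uid, owner_gid, want):
    """True if the caller may perform the requested R, W or X on the file."""
    if uid == 0:
        # Root (CAP_DAC_OVERRIDE on Linux) bypasses read/write checks, but
        # execute still requires at least one execute bit on the file.
        return want != X or (mode & 0o111) != 0
    return (applicable_bits(mode, uid, gids, owner_uid, owner_gid) & want) == want


if __name__ == "__main__":
    # Constructed file: owned by uid 1000 / gid 100, mode 0o060 (---rw----).
    owner, group, mode = 1000, 100, 0o060
    print(permitted(mode, 1000, [100], owner, group, R))  # False: owner bits apply
    print(permitted(mode, 1001, [100], owner, group, R))  # True: group member
    print(permitted(mode, 1002, [200], owner, group, R))  # False: other
```

The first print shows the surprise: uid 1000 is in group 100, which has read and write, yet the request is denied because the owner class is selected first and carries no bits. Auditing file ACLs therefore means checking which class a principal falls into, not whether any class would grant the access.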
2.4. Database IAM
- Definition: Database IAM controls access to database resources, ensuring that only authorized users and applications can access sensitive data.
- Key Features:
- Authentication: Verifying the identity of users and applications connecting to the database.
- Authorization: Controlling access to database objects (e.g., tables, views, stored procedures).
- Role-Based Access Control (RBAC): Assigning database privileges based on roles.
- Data Encryption: Protecting data at rest and in transit.
- Auditing: Tracking database access and modifications.
- Examples:
- Oracle Database Security: Using roles, privileges, and profiles to control access to Oracle databases.
- SQL Server Security: Managing logins, users, and permissions in Microsoft SQL Server.
- MySQL/MariaDB Privileges: Granting and revoking privileges to users for specific database objects.
Tags::cs:sec: