Identity and Access Management

1. Overview of IAM

  • Definition:
    • IAM is a framework of policies and technologies.
    • Ensures that the right users (identity) have the appropriate access (authorization) to the right resources.
  • Core Components:
    • Identification: Uniquely identifying a user or entity.
    • Authentication: Verifying the identity of that user or entity.
    • Authorization: Determining what resources the authenticated entity can access and what actions they can perform.
    • Access Control: Enforcing the authorization policies.
    • Auditing: Recording and reviewing access events for security and compliance.
  • Key Concepts:
    • Identity Provider (IdP): A system that creates, maintains, and manages identity information for users and provides authentication services.
    • Principal: An entity (user, application, service) that can be authenticated and authorized to access resources.
    • Resource: Any entity that a principal might want to access (e.g., files, applications, databases).
    • Policy: A set of rules that define who has access to what resources and under what conditions.
    • Role: A collection of permissions that can be assigned to a user or group.
  • Common IAM Practices:
  • Benefits of IAM:
    • Enhanced Security: Reduces the risk of unauthorized access and data breaches.
    • Improved Compliance: Helps meet regulatory requirements for data protection and privacy.
    • Increased Efficiency: Streamlines user access management and reduces administrative overhead.
    • Better User Experience: Simplifies the login process and provides users with easy access to the resources they need.
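The components and concepts above, wired together as an added illustration (not code from the page or from any IAM product): a tiny in-memory IdP with principals, roles made of policies, a default-deny authorization check where an explicit deny overrides any allow, and an audit trail. All names, secrets and resource paths are constructed.

```python
import hmac
import time
from dataclasses import dataclass

# Added illustration (not any product's code) of the components listed above as a
# tiny in-memory IdP: identification and authentication, role-based authorization
# with policies, access-control enforcement, and an audit trail. All data is constructed.

@dataclass(frozen=True)
class Policy:
    effect: str            # "allow" or "deny"
    actions: frozenset     # e.g. {"read", "write"}
    resources: frozenset   # exact names, "prefix/*" or "*"

# A role is a named collection of permissions (policies)
ROLES = {
    "analyst": [Policy("allow", frozenset({"read"}), frozenset({"reports/*"}))],
    "admin":   [Policy("allow", frozenset({"read", "write"}), frozenset({"*"})),
                Policy("deny",  frozenset({"write"}), frozenset({"audit/*"}))],
}
# Principals known to the IdP: a credential plus assigned roles
PRINCIPALS = {
    "alice": {"secret": "constructed-pw-1", "roles": ["analyst"]},
    "bob":   {"secret": "constructed-pw-2", "roles": ["admin"]},
}
AUDIT_LOG = []  # (timestamp, principal, action, resource, decision)

def matches(pattern, resource):
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource

def authenticate(principal, secret):
    """Identification (lookup) plus authentication (constant-time secret check)."""
    p = PRINCIPALS.get(principal)
    return p is not None and hmac.compare_digest(p["secret"], secret)

def authorize(principal, action, resource):
    """Access control: default deny, and a matching deny overrides any allow."""
    roles = PRINCIPALS.get(principal, {}).get("roles", [])
    effects = {pol.effect for role in roles for pol in ROLES[role]
               if action in pol.actions
               and any(matches(r, resource) for r in pol.resources)}
    decision = "allow" if effects == {"allow"} else "deny"
    AUDIT_LOG.append((time.time(), principal, action, resource, decision))
    return decision == "allow"
```

Every decision, including denials for unknown principals, lands in AUDIT_LOG, which is what the auditing component reviews.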

2. Domain Specific IAM

2.1. Cloud Computing IAM

  • Definition: Cloud IAM systems manage identities and access to cloud resources and services.
  • Key Features:
    • Identity Management: Creating, managing, and authenticating user and application identities.
    • Access Control: Defining and enforcing permissions on cloud resources (e.g., compute instances, storage buckets, databases).
    • Multi-Factor Authentication (MFA): Enhancing security by requiring multiple verification factors.
    • Role-Based Access Control (RBAC): Assigning permissions based on roles within an organization.
    • Policy Management: Defining policies that govern access to resources.
    • Auditing and Logging: Tracking access attempts and resource usage for compliance and security monitoring.
  • Examples:
    • AWS IAM (Identity and Access Management): AWS's service for controlling access to AWS resources.
    • Azure Active Directory (Azure AD): Microsoft's cloud-based identity and access management service.
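Cloud policy management in practice is mostly reviewing policy documents for over-broad grants. As an added example (not from the page and not an AWS tool), the check below reads AWS-style IAM policy JSON and flags Allow statements with wildcard actions or resources, or destructive actions with no MFA condition; both sample policies are constructed, and the list of "destructive" verbs is this example's own heuristic.

```python
import json

# Added example, not from the page: a reviewer's check over AWS-style IAM policy
# JSON that flags over-broad Allow statements. The two policies are constructed
# samples; the "destructive verb" heuristic is this example's own.
OVER_BROAD = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "*", "Resource": "*"}]}""")

LEAST_PRIVILEGE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
  {"Effect": "Allow",
   "Action": "s3:DeleteObject",
   "Resource": "arn:aws:s3:::example-reports/*",
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}""")

DESTRUCTIVE_VERBS = ("Delete", "Put", "Terminate", "Update")  # heuristic, not exhaustive

def as_list(v):
    # Action and Resource may be a single string or a list
    return v if isinstance(v, list) else [v]

def lint(policy):
    """Return [(statement_index, finding), ...] for risky Allow statements."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = as_list(st.get("Action", []))
        resources = as_list(st.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append((i, "full admin: Action * on Resource *"))
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action"))
        elif "*" in resources:
            findings.append((i, "wildcard resource"))
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        destructive = [a for a in actions
                       if any(v in a.split(":")[-1] for v in DESTRUCTIVE_VERBS)]
        if destructive and str(mfa).lower() != "true":
            findings.append((i, f"{destructive[0]} allowed without MFA condition"))
    return findings
```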

2.2. Web Applications IAM

  • Definition: IAM for web applications focuses on authenticating users and authorizing access to application resources and APIs.
  • Key Features:
    • Authentication: Verifying user identities, often through username/password, social logins, or federated identity providers.
    • Authorization: Determining what resources and actions a user is permitted to access.
    • Single Sign-On (SSO): Allowing users to authenticate once and access multiple applications.
    • Delegated Authorization: Enabling users to grant limited access to their resources to third-party applications.
  • Protocols and Standards:
    • OAuth (Open Authorization): A standard for delegated authorization, commonly used to grant third-party applications access to user resources without sharing credentials.
    • OpenID Connect (OIDC): An authentication layer built on top of OAuth 2.0, providing user identity information to applications.
    • SAML (Security Assertion Markup Language): An XML-based standard for exchanging authentication and authorization data between security domains.

2.3. Operating Systems IAM

  • Definition: OS-level IAM manages user authentication and access control for operating system resources.
  • Key Features:
    • User Account Management: Creating, managing, and authenticating user accounts.
    • Privilege Management: Assigning and controlling user privileges and permissions.
    • Authentication Mechanisms: Supporting various authentication methods, such as passwords, keys, and biometrics.
    • Access Control Lists (ACLs): Defining permissions on files, directories, and other OS resources.
    • Group-Based Access Control: Managing access based on user groups.
  • Examples:
    • Linux PAM (Pluggable Authentication Modules): A framework for flexible authentication in Linux systems.
    • Windows Active Directory (AD): Microsoft's directory service for managing users, computers, and other network resources in a Windows domain.
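The OS-level access decision for files comes down to mode bits, ownership and the caller's identity. As an added example (not from the page), the function below reproduces the POSIX rule: exactly one permission class applies (owner, else group, else other), so the classes are not unioned and an owner whose owner bits deny is refused even when the group bits would allow. The inode and user ids are constructed.

```python
# Added example of the decision a POSIX kernel makes from mode bits, ownership and
# the caller's identity (the rule behind "group-based access control" above).
# The inode and user ids are constructed; this is not code from the page.

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def posix_access(mode, owner_uid, owner_gid, uid, gids, want):
    """Return True if a process (uid, gids) may perform `want` (a subset of "rwx")
    on a file with the given mode and ownership.

    Exactly one permission class applies: owner if uid matches, otherwise group
    if any of the caller's groups matches, otherwise other. The classes are not
    unioned, so an owner whose owner bits deny is denied even when the group
    bits would have allowed."""
    need = sum(PERM_BITS[c] for c in want)
    if uid == 0:
        # root bypasses read/write checks; execute still needs some x bit set
        return "x" not in want or bool(mode & 0o111)
    if uid == owner_uid:
        cls = (mode >> 6) & 0o7
    elif owner_gid in gids:
        cls = (mode >> 3) & 0o7
    else:
        cls = mode & 0o7
    return cls & need == need

# Constructed inode: mode ----rw---- (0o060), owned by uid 1000 / gid 100.
# The owner has no bits at all; only the group may read and write.
FILE = dict(mode=0o060, owner_uid=1000, owner_gid=100)

def can(uid, gids, want):
    return posix_access(FILE["mode"], FILE["owner_uid"], FILE["owner_gid"], uid, gids, want)
```

Adding a user to gid 100 is what grants access here, which is the group-based model; note that the owner (uid 1000) is still refused even though they are also in that group.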

2.4. Databases IAM

  • Definition: Database IAM controls access to database resources, ensuring that only authorized users and applications can access sensitive data.
  • Key Features:
    • Authentication: Verifying the identity of users and applications connecting to the database.
    • Authorization: Controlling access to database objects (e.g., tables, views, stored procedures).
    • Role-Based Access Control (RBAC): Assigning database privileges based on roles.
    • Data Encryption: Protecting data at rest and in transit.
    • Auditing: Tracking database access and modifications.
  • Examples:
    • Oracle Database Security: Using roles, privileges, and profiles to control access to Oracle databases.
    • SQL Server Security: Managing logins, users, and permissions in Microsoft SQL Server.
    • MySQL/MariaDB Privileges: Granting and revoking privileges to users for specific database objects.
Tags::cs:sec: