Page 1: Why use IAM
Traditionally, an organization's investment in IAM practice is meant to improve operational efficiency and to meet regulatory, privacy, and data protection requirements:
Improve operational efficiency
Well-architected IAM technologies and processes automate repetitive tasks such as user onboarding, thereby improving efficiency (for example, self-service password reset, which lets users reset their own passwords without a help desk ticket and administrator intervention).
Regulatory Compliance
To protect systems, applications, and information from internal and external threats, such as the removal of sensitive data by disgruntled employees, and to comply with various regulatory, privacy, and data protection requirements, organizations implement "IT general and application-level control" frameworks derived from industry standards such as ISO 27002 and the Information Technology Infrastructure Library (ITIL). IAM programs and practices help organizations achieve access control and operational security goals (for example, compliance requirements such as "separation of duties" and the assignment of the minimum rights staff need to perform their duties). Auditors typically map internal controls to IT controls to support compliance management processes such as the Payment Card Industry Data Security Standard (PCI DSS) and the 2003 Sarbanes-Oxley Act (SOX).
In addition to improving operational efficiency and compliance management, IAM enables new IT delivery and deployment patterns (such as cloud computing services). For example, identity federation, a key component of IAM, allows identity information to be connected and carried across trust boundaries. IAM thus lets enterprises and cloud service providers establish secure channels between trust domains through web single sign-on and federated users.
Some cloud use cases that require IAM support from cloud service providers include:
• Organization employees and contractors use identity federation to access SaaS services (for example, sales and support staff using their corporate identity and credentials to access Salesforce.com).
• IT administrators access the cloud service provider's console to provision resources and grant access to users who use their enterprise identity (for example, newco.com IT administrators provision virtual machines in Amazon Elastic Compute Cloud and configure the rights and credentials for VM operations such as start, stop, suspend, and delete).
• Developers create accounts for their partners' users on a PaaS platform (for example, newco.com developers provision accounts in force.com for contracted partnerco.com employees, who then execute newco.com business processes).
• End users use access policy management capabilities to access storage services in the cloud, such as Amazon Simple Storage Service, and share files and objects with users inside and outside the domain.
• Applications running at a cloud service provider, such as Amazon Elastic Compute Cloud, access storage provided by another cloud service, such as Mosso.
Because IAM capabilities such as SSO let applications externalize authentication, enterprises can quickly adopt *aaS services (Salesforce.com is an example) and shorten the time needed to integrate with the service provider. IAM functionality also helps organizations outsource certain processes or services to partners with less impact on corporate privacy and security; for example, business partner employees who fulfill orders can use identity federation to access real-time information stored in business applications and manage the product fulfillment process. In short, extending the IAM strategy, practices, and architecture lets organizations extend their user access management practices and processes to cloud computing. Organizations that implement IAM can therefore adopt cloud computing services quickly while maintaining the efficiency and effectiveness of their security controls.
Page 2: IAM challenges
A key challenge for IAM is managing access for different groups of users (employees, contractors, partners, etc.) to internal and external services. IT constantly faces the challenge of quickly providing users with appropriate access because user roles and responsibilities change with business factors. Staff turnover within the organization is another important issue. Turnover varies by industry and function, such as seasonal employee fluctuations in the financial sector, and may rise as a result of business changes such as mergers and acquisitions, the release of new products and services, business process outsourcing, and changes of responsibility. Maintaining the IAM process is therefore a long-term challenge.
Access policies for information are rarely centralized and consistently applied. Organizations often rely on a variety of disparate directories, creating a complex web of user identities, access rights, and processes that makes user and access management inefficient and exposes the organization to significant security, compliance, reputational, and other risks.
To address these challenges and risks, many companies are looking to centralized technology solutions that automate the management of user rights. High expectations are placed on these new schemes, which is not surprising, since the problems are often significant and complex. The vast majority of these IAM enhancement projects take years and considerable cost. Organizations should therefore address their IAM policies and architecture from both business and IT drivers, maintaining the effectiveness of access-related controls while addressing the inefficiencies at the core. Only then is the organization likely to succeed and recoup its investment.
Page 3: Definition of IAM
First we present the basic concepts and definitions that apply to the IAM functions of any service:
Authentication
Authentication is the process of verifying the identity of a user or system (for example, a Lightweight Directory Access Protocol (LDAP) directory verifying the credentials a user submits, such as the unique enterprise user ID assigned to an employee or contractor). Authentication usually implies a more reliable form of identification. In some situations, such as service-to-service interaction, authentication includes verifying a network service that requests access to information provided by another service (for example, a travel web service connecting to a credit card gateway that validates a credit card on behalf of the user).
Authorization
Authorization is the process of determining the privileges granted to a user or system. In digital services, authorization usually follows authentication and determines whether a user or service has the permissions required to perform an operation; in other words, authorization is the process of enforcing a policy.
Audit
For IAM, auditing refers to reviewing and examining authentication and authorization records and activities to determine the adequacy of the IAM system controls, verify compliance with existing security policies and processes (such as separation of duties), detect violations in security services (such as elevation of privilege), and recommend appropriate countermeasures and corrective actions.
Page 4: IAM architecture and practice
IAM is not a monolithic solution that can be deployed easily and take effect immediately, but rather an architecture made up of various technical components, processes, and standard practices (see Figure 5-1). A standard enterprise IAM architecture contains several layers of technology, services, and processes. At the core of the deployment architecture is a directory service (such as Lightweight Directory Access Protocol or Active Directory), which is the repository for the identities, credentials, and user attributes of the organization's user base. The directory interacts with the IAM technology components, which include authentication, user management, and identity federation services that provide and support standard IAM practices and processes within the organization. Because of their particular computing environments, organizations often use multiple directories (for example, Windows systems use Active Directory while UNIX systems use LDAP), and the consolidation of environments resulting from business mergers and acquisitions can also lead to multiple directories coexisting.
The IAM processes that support the business can be broadly divided into the following categories:
User Management
Activities for effective governance and management of the identity lifecycle.
Authentication Management
Activities for the effective governance and management of the process for determining that an entity is who or what it claims to be.
Authorization Management
Activities for the effective governance and management of the process for determining the entitlement rights that decide which resources an entity may access, in accordance with the organization's policies.
Access Management
Enforcement of access control policies in response to a request from an entity (user, service) to access an IT resource within the organization.
Data management and provisioning
Propagation of identity and authorization data to IT resources through automated or manual processes.
Monitoring and auditing
Monitoring, auditing, and reporting on user access to the organization's resources for compliance with defined policies.
The IAM process supports the following business activities:
Provisioning and deprovisioning
This term is commonly used in enterprise resource management and refers to the process by which new hires gain access to the systems and applications that provide the data and technical resources they need. Provisioning can be considered a shared responsibility of the human resources and IT departments, where users access systems, applications, and databases based on a unique user ID. Deprovisioning works in the opposite direction, removing or deactivating the identity or permissions assigned to the user.
Figure 5-1: Functional Architecture for enterprise identity and access management
Credential and attribute management
These processes create, issue, manage, and revoke credentials and user attributes throughout their lifecycle, minimizing business risks such as identity impersonation and account abuse. Credentials are usually bound to an individual and verified during authentication. The process covers the provisioning of attributes, static (such as standard text passwords) and dynamic (such as one-time passwords) credentials, password expiration handling, encryption management of credentials in transit and at rest, access policies for user attributes, compliance with password standards (such as passwords that resist dictionary attacks), and privacy and attribute handling for various regulatory reasons.
Entitlement management
Also known as authorization policy. In this area, the process addresses the provisioning and deprovisioning of the permissions (entitlements) users need to access resources, including systems, applications, and databases. Proper entitlement management ensures that users are assigned only the permissions required by their job functions (least privilege). Entitlement management can be used to strengthen the security of web services, web applications, legacy applications, documents and files, and physical security systems.
Compliance Management
This process means monitoring and tracking access rights and privileges to ensure the security of enterprise resources. It also helps auditors verify compliance with various internal access control policies and standards, including practices such as segregation of duties, access monitoring, periodic audits, and reporting. For example, the user access review (certification) process lets application owners verify that only authorized users have the permissions needed to access business-sensitive information.
Identity federation management
Identity federation is the process of managing the trust relationships established across the boundaries of internal networks or administrative domains between different organizations. An identity federation is a group of organizations that exchange information about users and resources in order to collaborate and transact (for example, an insurance system administered by a third-party provider that shares user information). Federating identities to service providers is required to support single sign-on to cloud services.
Centralized authentication (AuthN) and authorization (AuthZ)
A centralized authentication and authorization architecture reduces the need for application developers to build custom authentication and authorization capabilities into their applications. It also enables a loosely coupled architecture in which applications are agnostic to authentication methods and policies. This approach is also called "externalized AuthN and AuthZ" for applications.
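The entitlement, compliance, and audit processes described above (least privilege through roles, separation of duties, deprovisioning, and an access review that flags elevation of privilege) can be modelled in a few dozen lines. This is an added illustration, not code from the original article; the roles, entitlement names, identities, and access log records are all constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample (not from the article): roles carry least-privilege
# entitlement sets; one separation-of-duties rule covers the AP process.
ROLE_ENTITLEMENTS = {
    "sales": {"crm:read", "crm:write"},
    "ap_clerk": {"ap:create_invoice"},
    "ap_approver": {"ap:approve_invoice"},
}
SOD_CONFLICTS = [{"ap_clerk", "ap_approver"}]

@dataclass(frozen=True)
class Identity:
    user_id: str
    roles: frozenset
    active: bool = True  # deprovisioning flips this to False

def effective_entitlements(ident):
    # Entitlements come only through roles, and none survive deprovisioning.
    if not ident.active:
        return set()
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in ident.roles))

def sod_violations(identities):
    # Active identities holding every role of a conflicting set at once.
    return [(i.user_id, c) for i in identities for c in SOD_CONFLICTS
            if i.active and c <= i.roles]

def audit_access_log(log, identities):
    # Access review: a grant to an inactive or unknown account, or a grant
    # outside the user's roles (privilege elevation), is a compliance finding.
    by_id = {i.user_id: i for i in identities}
    findings = []
    for entry in (e for e in log if e["result"] == "allow"):
        ident = by_id.get(entry["user"])
        if ident is None or not ident.active:
            findings.append({**entry, "finding": "inactive_or_unknown_account"})
        elif entry["action"] not in effective_entitlements(ident):
            findings.append({**entry, "finding": "privilege_elevation"})
    return findings

# Constructed identities and application access records to review.
IDENTITIES = [Identity("alice", frozenset({"sales"})),
              Identity("bob", frozenset({"ap_clerk", "ap_approver"})),
              Identity("carol", frozenset({"ap_clerk"}), active=False)]
ACCESS_LOG = [{"user": "alice", "action": "crm:write", "result": "allow"},
              {"user": "alice", "action": "ap:approve_invoice", "result": "allow"},
              {"user": "carol", "action": "ap:create_invoice", "result": "allow"},
              {"user": "bob", "action": "ap:approve_invoice", "result": "deny"}]
```

Running `sod_violations(IDENTITIES)` reports bob's conflicting AP roles, and `audit_access_log(ACCESS_LOG, IDENTITIES)` flags alice's out-of-role approval and the deprovisioned contractor carol's still-working access.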
Figure 5-2 illustrates each phase of identity lifecycle management.
Figure 5-2: Identity Lifecycle Management diagram