Understanding Identity and Access Management

Dec 15, 2024

Lecture Notes: Identity and Access Management (IAM) and Authentication Protocols

Overview of System Access

  • Applications run on various devices: desktops, laptops, and mobile devices.
  • Data can be stored locally, in a data center, or in the cloud.
  • Different user types: employees, vendors, contractors, customers.
  • Importance of granting the correct permissions to the right individuals at the right times.

Identity and Access Management (IAM)

  • IAM is the process of managing user access from onboarding to offboarding.
  • Involves changes in permissions as a user's role changes within an organization.
  • Access control is crucial, determining what resources a user can access.

IAM Process

  • Begins with account creation and ends with account deactivation.
  • Key during onboarding, offboarding, promotions, or departmental changes.
  • Involves provisioning and de-provisioning user accounts.
  • Goal is to assign necessary permissions only.
  • Uses group-based permissions for ease, e.g., email access group.
  • Identity proofing to ensure users are who they claim to be.
  • Resolution and attestation processes verify identity.
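As an added illustration of the lifecycle described above (onboarding, role change, offboarding) with group-based permissions, here is a small model in Python; it is example code written for these notes, not from the lecture, and the group and resource names are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample groups: each group grants access to a set of resources.
# "all-staff" is the baseline group every employee gets (e.g. the email access group).
GROUP_PERMISSIONS = {
    "all-staff": {"email"},
    "finance": {"email", "ledger"},
    "engineering": {"email", "source-repo"},
}
BASELINE_GROUP = "all-staff"


@dataclass
class Account:
    username: str
    groups: set = field(default_factory=set)
    active: bool = True


class Directory:
    """Minimal IAM store: provisioning, role changes, de-provisioning, authorization."""

    def __init__(self):
        self.accounts = {}

    def provision(self, username, department):
        """Onboarding: create the account with the baseline group plus its department group."""
        acct = Account(username, {BASELINE_GROUP, department})
        self.accounts[username] = acct
        return acct

    def change_department(self, username, new_department):
        """Role change: drop the old department group so permissions do not accumulate."""
        acct = self.accounts[username]
        acct.groups -= {g for g in acct.groups if g != BASELINE_GROUP}
        acct.groups.add(new_department)

    def deprovision(self, username):
        """Offboarding: disable the account and remove every group membership."""
        acct = self.accounts[username]
        acct.active = False
        acct.groups.clear()

    def effective_permissions(self, username):
        """Union of the resources granted by the account's groups; none if disabled."""
        acct = self.accounts[username]
        if not acct.active:
            return set()
        return set().union(*(GROUP_PERMISSIONS[g] for g in acct.groups))

    def authorize(self, username, resource):
        """Authorization decision for an already-authenticated user."""
        return resource in self.effective_permissions(username)
```

Moving a user between departments swaps the department group rather than adding to it, which is the check that keeps permissions to the necessary set after a role change.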

Authentication and Authorization

  • Authentication: Verifying user identity (e.g., username, password).
  • Authorization: Determining what resources a user can access.

Single Sign-On (SSO)

  • Allows logging in once to access multiple resources without re-authenticating.
  • Reduces repeated logins for different network shares or printers.

LDAP (Lightweight Directory Access Protocol)

  • Standardized protocol (based on the X.500 specification) for accessing network directories.
  • Utilizes a hierarchical structure (directory information tree) for organizing data.

SAML (Security Assertion Markup Language)

  • Allows authentication against a third-party identity database.
  • Not designed for mobile devices.
  • Involves client, resource server, and authorization server.
    • Client requests access, server sends SAML request, user provides credentials, and a SAML token is generated.

OAuth

  • Built for modern, mobile systems; an authorization framework.
  • Combined with OpenID for authentication.
  • Example: authorizing third-party applications (e.g., Zapier accessing Google Drive).

Federation

  • Allows access without a local authentication database by relying on third-party authentication (e.g., logging in with social media accounts).
  • Requires trust relationships to be set up between the site and the third-party service.

Interoperability Considerations

  • Organizations must ensure technology interoperability for seamless access.
  • Example: using an LDAP server with a VPN concentrator.
  • Decision-making involves evaluating current resources and future goals.