12. Identity, Entitlement and Access Management - DONE Flashcards

1
Q

“The most important concept you need to be familiar with regarding IAM in a cloud environment is federated identity”

What is the purpose of federated identity?

A

“Federation enables you to maintain control of authentication while delegating authorization to your CSPs based on your requirements. Cloud adoption of any significant size requires federation. Without federation, every user will require a user account in all services your organization uses.”

It is the interconnection of disparate directory services

2
Q

What doesn’t change with IAM in the cloud?

A

You still have to map an entity (anything interacting with a system, such as a person, a system, or an agent) to an identity that has attributes (such as a group) and then make an access decision based on the resulting permissions. You may know this process as role-based access control (RBAC).

3
Q

What is role-based access control (RBAC)?

A

In RBAC, a user is a member of a group and therefore gets permission to use a resource.

4
Q

Without federation, working with many providers brings complications with regard to IAM.

How so?

A

Without something like federated IAM, you will ultimately have to manage hundreds of different IAM systems. You may manage the settings in all these different locations to enforce IAM, but you will have to control this in environments that are owned and operated by a cloud provider, and what they expose to you may be limited.

From an operational perspective, you will have to create every user account not just once in your on-premises directory service (such as Active Directory), but dozens or hundreds of times. Who in your company is going to provision all these accounts? Worse yet, who is responsible for deprovisioning all these accounts?

5
Q

Define these terms:

entity
identity
identifier

A

*Entity - Someone or something that has an identity.

*Identity - A unique expression of an entity within a given environment. When you log into a work system, your username would be your identity.

*Identifier - A cryptographic token in a digital environment that identifies an identity (such as a user) to an application or service. Windows systems, for example, use a security identifier (SID) to identify users. In real life, an identifier could be a passport.

6
Q

Define these terms:

attribute
persona
role

A

*Attribute - A facet (aspect) of an identity; anything about the identity and the connection itself. An attribute could be static (group membership, organizational unit) or highly dynamic (IP address used for your connection, your physical location). For example, if you log on with multifactor authentication, an attribute could be used to determine the permissions granted to your access (attribute-based access control).

*Persona - Your identity and attributes in a specific situation. You are you, but your persona will change based on context. For example, at work you may be an IT administrator; that’s your work persona. At home, your persona may be the parent of two children. In your hockey league, your persona may be the left winger and captain of your team. Your identity is who you are. Your persona takes context and attributes into account.

*Role - 1. A temporary credential that is inherited by a system within a cloud environment. 2. A part of federation; how your group membership within your company is granted entitlements in your Infrastructure as a Service (IaaS) provider. 3. The job you perform at work.

7
Q

Define these terms:

authentication
multifactor authentication (MFA)
access control

A

*Authentication (Authn) - The process of confirming your identity. Want to check into a hotel on a business trip? The first thing the front desk will ask for is your ID so they can authenticate that you are who you say you are. Of course, in a digital world, we generally present a username and password to authenticate ourselves.

*Multifactor authentication (MFA) - Authentication that uses more than one of the three factors: something you know, something you have, and something you are. For example, you may be authenticating with your username and password (something you know) and then be prompted for a time-based one-time password (TOTP) generated on your cell phone with Google Authenticator (something you have).

*Access control - A control that restricts access to a resource. This is the “access management” portion of IAM.

8
Q

Define these terms:

accounting
authorization
entitlement
single sign-on (SSO)

A

*Accounting - Logging and monitoring capabilities.

*Authorization (Authz) - The ability to allow an identity to do something; permission to do something. The hotel key you get after authorization allows you to access your room, the gym, laundry, and so on. In an IT analogy, you are authorized to access a file or system.

*Entitlement - The permissions you have to something. The CSA uses the term “entitlements” rather than “permissions,” but the meaning is the same. Entitlements determine what an identity is allowed to do by mapping an identity to an authorization. These can (and should) be documented as an entitlement matrix.

*Single sign-on (SSO) - A token or ticket system used to authorize a user rather than having the user sign on to individual systems in a domain. Kerberos is an example of SSO in a Windows environment.

9
Q

Define these terms:

federated identity management
authoritative source
identity provider
relying party

A

*Federated identity management - A key enabler of SSO across different systems that enables the action of authenticating locally and authorizing remotely.

*Authoritative source - The “root” source of an identity. A common example of this is a directory server (such as Active Directory). Alternatively, the payroll system could be the true authoritative source.

*Identity provider - The party that manages the identities and creates the identity assertions used in federation.

*Relying party - The system that consumes identity assertions from the identity provider. This is sometimes referred to as a “service provider.”

10
Q

There are numerous standards in the IAM world that you need to know about.

Describe

Security Assertion Markup Language (SAML)

A

*Security Assertion Markup Language (SAML) -

This OASIS standard for federated identity management supports both authentication and authorization. Assertions are based on XML and are used between an identity provider and a relying party. These assertions can contain authentication, attribute, and authorization statements. SAML is widely supported by many cloud providers and many enterprise tools as a result. SAML is initially complex to configure.

11
Q

There are numerous standards in the IAM world that you need to know about.

Describe

OAuth

A

*OAuth

This IETF authorization standard is widely used for web and consumer services. OAuth works over HTTP and is currently at version 2.0. There is no backwards compatibility between version 2.0 and its predecessor, OAuth 1.0. In fact, OAuth 2.0 is considered more of a framework and is less rigid than version 1.0. OAuth is most often used for delegating access control and authorization (delegated authorization) between services.

12
Q

There are numerous standards in the IAM world that you need to know about.

Describe

OpenID

A

*OpenID

This standard for federated authentication is well-supported for web services. Like OAuth, it runs over HTTP with URLs to identify identity providers. The current version is OpenID Connect 1.0 and is commonly seen in consumer services such as logging in to web sites.

13
Q

“The CSA Guidance mentions two other standards that aren’t as widely adopted.”

Describe

eXtensible Access Control Markup Language (XACML)

A

*eXtensible Access Control Markup Language (XACML)

This is the standard for defining attribute-based access controls and authorizations. XACML is a policy language for defining access controls at a policy decision point (PDP) and passing them to a policy enforcement point (PEP). XACML can work with both SAML and OAuth, as it decides what an entity is allowed to do with a set of attributes as opposed to handling logins or delegation of authority.

14
Q

“The CSA Guidance mentions two other standards that aren’t as widely adopted.”

Describe

System for Cross-domain Identity Management (SCIM)

All of these standards can be used in federated identity systems. For the most part, all of them rely on a series of redirects that involve the web browser, the identity provider, and the relying party.

A

*System for Cross-domain Identity Management (SCIM)

This standard deals with exchanging identity information between domains. It is used for provisioning and deprovisioning accounts in external systems and exchanging attribute information.

15
Q

Federation involves both an identity provider and a relying party. Both of these components must have a trust relationship established to enable assertions from the identity provider to be consumed by the relying party. These assertions are used to exchange credentials.

A

For an example of federation in operation, consider a scenario of a user logging into a workstation and then accessing an internal web server that has a list of SaaS applications the user can log into. The user selects the desired SaaS application and is automatically logged on without having to provide a username and password.

This is possible because the user’s identity provider will create an assertion and send that assertion to the relying party. The relying party will determine and implement the authorizations for the user based on the assertion that is created only after the trusted identity provider has authenticated the user.

In other words, the local directory server authenticates the user and tells the relying party what authorization the user should have in the remote system.

16
Q

Most, if not all, cloud providers will have their own IAM system.

These are referred to as?

A

internal identities

17
Q

Providers may expose access to their IAM functionality using HTTP request signing.

How does this work?

A

HTTP request signing can use an access key as an identifier and a secret access key used to sign the request cryptographically.

In the backend, the cloud provider will use their IAM system to determine the appropriate access controls that apply to the entity requesting to perform an action. This request signing may leverage standards such as SAML and/or OAuth or use its own token mechanism.

18
Q

As you consider which identity protocols to use, also consider the following from the CSA Guidance:

A

*There is no “one-size-fits-all” standard when it comes to federation protocols. You have to consider the use case you’re trying to solve. Are you looking at users logging in via a web browser? You might want to look at SAML. Are you looking at delegated authorization? Then you might want to consider OAuth instead.

*The key operating assumption should be that your identity is a perimeter in and of itself, and as such, any protocol used must be adequately secured to traverse the hostile network known as the public Internet.

19
Q

You probably shouldn’t be surprised to learn that identity management itself may actually be done outside of a directory service (such as Active Directory).

How so?

A

The authoritative source of identities in your network may actually be the payroll system, for example: users are added to the payroll system, and their identities are then propagated to the directory server.

Thanks to these centralized directory services, it is no longer required to add accounts to every individual server and application in a traditional environment. Of course, users still have multiple accounts to support applications that are not integrated with these centralized directory services, so the dream of true SSO remains elusive, but there are, thankfully, fewer of these accounts than there used to be in the past.

20
Q

In a cloud environment, both providers and consumers need to plan on how they will manage identities:

A

*Cloud providers need to offer an identity service that supports customers to use their own identities, identifiers, and attributes. They should also offer federation services based on standards to enable customers to minimize the overhead associated with identity management when using their cloud offerings.

EXAM TIP: The identity service offered by the provider may be referred to as the “internal” identity system on the exam.

*Cloud customers need to determine how they want to manage identities moving forward. This will require that customers determine the architecture models to use for identity management and the technologies that should be implemented to support integration with their current and future cloud providers.

Federation will be required as an enabling technology for cloud implementations of any substantial size. Without federation, you will lose control of IAM. This isn’t to say there won’t be any accounts created and managed in a provider’s internal IAM system. You will likely still have a limited amount of administrator accounts within the provider’s IAM system to support troubleshooting in the event of failure of the federated link.

21
Q

To establish a federated link, the customer needs to determine what system will be the “authoritative source” to serve as the identity provider. This is usually a directory server. This identity provider then needs to perform the federation. There are two main approaches to creating this connectivity:

A

Use a free-form model that creates a separate connection between the identity provider and the various cloud services (as shown in Figure 12-6), or use the hybrid (hub-and-spoke) model that uses a central identity broker to connect to all the cloud providers (as shown in Figure 12-7).

22
Q

What are the disadvantages of a free-form model?

A

First off, your authoritative source needs to be connected to the Internet to connect with all of the cloud providers.

Second, in order to support users outside of your network, these users will need to VPN into the corporate network to access any cloud solution that has a federated link established.

Finally, in an environment that may have multiple authoritative servers (such as multiple domains that are not joined for corporate purposes), each of these authoritative servers will need to connect to the providers, which multiplies the number of connections required.

23
Q

What are the advantages of the hybrid (hub-and-spoke) identity broker model?

A

An identity broker can be cloud-based. Implementation of a cloud-based identity broker can facilitate the establishment of federation with numerous cloud providers, and external users need not VPN into the corporate network to use federated links to your various providers.

24
Q

Another option exists in running your directory server in a cloud environment itself (or by consuming a directory service from the provider).

A

In this scenario, you could synchronize your internal directory server with the cloud-based directory server (or service). In turn, this cloud-based directory could serve the operating systems and applications (applistructure) in the cloud environment and act as an authoritative server for any federated links with other parties that rely on the cloud provider.

25
Q

“In addition to the big-picture deployment model considerations, the following process and architectural decisions need to be made:”

A

*How will identities for application code, systems, devices, and other services be managed? Services accessing services and other requirements may call for a different approach.

*How will identity provisioning processes change when consuming cloud services, if at all? Identity provisioning is not limited to creating identities only; it also deals with changing permissions and de-provisioning identities. A provisioning system could take information from an HR database and then be used to provision access to various systems in addition to the directory server, such as web applications, database servers, and cloud services.

26
Q

*Formal processes should be implemented when onboarding new cloud providers and integrating them into your existing IAM environment. This includes establishing a federation and the following considerations:

A

*Building an entitlement matrix that is created using the granularity exposed by the provider. This may vary based on the service model.

*Determining how attributes will be mapped between the identity provider and the relying party. This includes mapping internal groups (roles) to the groups in the provider environment.

*Determining and enabling any monitoring and logging that need to be implemented to meet your security policies. Newer IAM implementations may offer new services that you may want to include in your policies, such as behavioral analytics.

*Documenting any break/fix processes in case of failure of any of the federation (or other techniques) used for the relationship.

*Updating current incident response plans related to identity takeovers to include the process for cloud providers. This may include steps required to engage the provider for their assistance, especially when dealing with a privileged account takeover.

*Determining how accounts can be deprovisioned (or attributes changed) in the cloud environment.

Finally, providers need to determine which identity standards they will offer to customers. As you know, providers will generally offer some form of identity and access management system. Providers may enhance this with either custom or standards-based federation offerings. In the event of standards-based offerings, SAML will likely be requested by customers.

27
Q

Authentication is always the responsibility of the identity provider. If you have a federation in place, a system under your control acts as the identity provider. If you don’t have a federated link, the CSP acts as the identity provider. Authentication technically occurs any time an identity needs to be confirmed, such as when an entity proves who they are and assumes an identity, not just during logon.

As cloud services, by their very nature, have broad network access, simple usernames and passwords are insufficient to protect accounts. Multifactor authentication should always be offered by a cloud provider to enhance authentication security, especially for privileged accounts. The CSA Guidance calls this “strong authentication using multiple factors.”

A

Being authenticated with MFA can be used as an attribute. That said, using this as part of your access control (access management), you can enhance security by granting entitlements based on this attribute. This would be an example of attribute-based access control (ABAC). Preferring ABAC over RBAC is generally recommended for cloud environments. Keep in mind, though, that adding attributes to access decisions will introduce complexities.

28
Q

“You know the factors involved with authentication: you know something, have something, or are something. With these in mind, the CSA Guidance calls out the following options for different factors above and beyond the simple factor of knowing a password:”

A

*Hard token - This physical device shows a one-time password or can be plugged in to a computer. This is the best option when high security is required.

*Soft token - This serves the same purpose as a hard token in as much as it will display a one-time password, but it runs as software on a phone or computer. Unlike the hard token, any compromise (such as malware) of a user’s device may compromise the one-time passwords. This must be considered as part of a threat model. There are a multitude of applications that can offer soft tokens.

*Out-of-band passwords - These passwords are sent via a separate communication method, such as a text message (SMS). Threat models must consider that messages may be intercepted (especially SMS text messages).

*Biometrics - Unlike the other options presented, which all involve a “something you have” factor, biometrics are a “something you are” factor. For cloud services, the biometric is a local protection and any biometric data is kept on the device, not sent to the provider. Biometric authentication may be an attribute that can be sent to the provider and used as part of ABAC.

“Beyond the listed options, you might want to check out the FIDO Alliance for new MFA approaches, such as FIDO Universal 2nd Factor (U2F) authentication that will offer stronger security options in the future.”

29
Q

“The cloud impacts entitlements, authorizations, and access management in multiple ways. Following is a list of changes that you should be comfortable with before taking your CCSK exam:”

A

*Cloud providers will have authorizations specific to them. Some providers will offer more granular authorization options than others. Mapping entities to these authorizations (entitlements) will usually need to be performed by the consumer (unless the provider supports XACML, which is rare).

*The cloud provider is always responsible for enforcing authorizations and access controls. The federation doesn’t change this. Federation enables the identity provider to control authentication and instruct the relying party on enforcing authorization.

*Attribute-based access control (ABAC) is the preferred model for cloud services because it offers greater flexibility and security than the role-based access control (RBAC) model. Attribute decisions can be based on anything regarding the user and the connection itself, such as MFA authentication, IP address, geographical location, etc.

*Cloud providers should offer granular attributes and authorizations to enable ABAC, which enables customers to implement more effective security for cloud users.

30
Q

Privileged accounts require the strongest authentication possible. Additionally, all actions taken by a privileged account should be recorded to obtain maximum visibility and therefore accountability for actions performed by these accounts.

A

Having these accounts log on via a bastion host or a “jump box” may allow for tighter control of both authentication and monitoring of actions.
