Define identity concepts Flashcards

1
Q

Authentication

A

Authentication is the process of proving that a person is who they say they are. The username and password, together, are a form of authentication. Authentication is sometimes shortened to AuthN.

2
Q

Authorization

A

Once you authenticate a user, you’ll need to decide where they can go, and what they’re allowed to see and touch. This process is called authorization. In cybersecurity terms, authorization determines the level of access or the permissions an authenticated person has to your data and resources. Authorization is sometimes shortened to AuthZ.

3
Q

Identity as the Primary Security Perimeter

A

The traditional perimeter-based security model is no longer enough. Identity has become the new security perimeter that enables organizations to secure their assets.

-An identity is the set of things that define or characterize someone or something.
-An identity may be associated with a user, an application, a device, or something else.

Four pillars of an identity infrastructure

-Administration is about the creation and management/governance of identities for users, devices, and services. As an administrator, you manage how and under what circumstances the characteristics of identities can change (be created, updated, deleted).
-The authentication pillar tells the story of how much an IT system needs to know about an identity to have sufficient proof that they really are who they say they are. It involves the act of challenging a party for legitimate credentials.
-The authorization pillar is about processing the incoming identity data to determine the level of access an authenticated person or service has within the application or service that it wants to access.
-The auditing pillar is about tracking who does what, when, where, and how. Auditing includes having in-depth reporting, alerts, and governance of identities.

4
Q

The Role of an Identity Provider

A

An identity provider creates, maintains, and manages identity information while offering authentication, authorization, and auditing services.

With modern authentication, all services, including all authentication services, are supplied by a central identity provider. Information that’s used to authenticate the user with the server is stored and managed centrally by the identity provider.

With a central identity provider, organizations can establish authentication and authorization policies, monitor user behavior, identify suspicious activities, and reduce malicious attacks.

-Microsoft Entra ID is an example of a cloud-based identity provider.

5
Q

Concept of Directory Services and Active Directory

A

A directory is a hierarchical structure that stores information about objects on the network. A directory service stores directory data and makes it available to network users, administrators, services, and applications.

-Active Directory (AD) is a set of directory services developed by Microsoft.

-Active Directory Domain Services (AD DS) stores information about members of the domain, including devices and users, verifies their credentials, and defines their access rights. A server running AD DS is a domain controller (DC).

-AD DS gives organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user. AD DS doesn’t, however, natively support mobile devices, SaaS applications, or line of business apps that require modern authentication methods.

-Microsoft Entra ID (previously referred to as Azure Active Directory) is part of the Microsoft Entra family of multicloud identity and access solutions.

6
Q

Single Sign-On

A

With SSO, the user logs in once and that credential is used to access multiple applications or resources. When you set up SSO between multiple identity providers, it’s called federation.

7
Q

Federation

A

Federation enables access to services across organizational or domain boundaries by establishing trust relationships between the respective domains’ identity providers. With federation, there’s no need for a user to maintain a different username and password when accessing resources in other domains.

-Trust isn’t always bidirectional

A common example of federation in practice is when a user logs in to a third-party site with their social media account, such as Twitter. In this scenario, Twitter is an identity provider, and the third-party site might be using a different identity provider, such as Microsoft Entra ID. There’s a trust relationship between Microsoft Entra ID and Twitter.
