Flashcards in DOMAIN 12 Identity, Entitlement, and Access Management Deck (21)
In cloud computing, the fundamental problem is that multiple organizations are now managing the identity and access management to resources, which can greatly complicate the process. For example, imagine having to provision the same user on dozens—or hundreds—of different cloud services. ___________ is the primary tool used to manage this problem, by building trust relationships between organizations and enforcing them through standards-based technologies.
________ is the expression of an identity with attributes that indicates context.
_______ is the person or “thing” that will have an identity. It could be an individual, a system, a device, or application code.
_______ is the process of asserting an identity across different systems or organizations. This is the key enabler of Single Sign On and also core to managing IAM in cloud computing.
Federated Identity Management
_______ is the “root” source of an identity, such as the directory server that manages employee identities.
_______ is the source of the identity in federation. The _______ isn’t always the authoritative source, but can sometimes rely on the authoritative source, especially if it is a broker for the process.
_______ is the system that relies on an identity assertion from an identity provider.
IAM Standards for Cloud Computing
Security Assertion Markup Language (SAML) 2.0,
eXtensible Access Control Markup Language (XACML),
System for Cross-domain Identity Management (SCIM)
True/False: Identity protocols and standards do not represent a complete solution by themselves, but they are a means to an end.
How do both cloud provider and cloud user manage identities?
• Cloud providers need to nearly always support internal identities, identifiers, and attributes for users who directly access the service, while also supporting federation so that organizations don’t have to manually provision and manage every user in the provider’s system and issue everyone separate credentials.
• Cloud users need to decide where they want to manage their identities and which architectural models and technologies they want to support to integrate with cloud providers.
What are the two possible architectures to provision identities and determine the "authoritative source"?
“Hub & Spoke” Model,
“Free Form” Model
What are the issues that directly federating internal directory servers in the free-form model raise?
• The directory needs Internet access. This can be a problem, depending on existing topography, or it may violate security policies.
• It may require users to VPN back to the corporate network before accessing cloud services.
• Depending on the existing directory server, and especially if you have multiple directory servers in different organizational silos, federating to an external provider may be complex and technically difficult.
_________ is the process of proving or confirming an identity. In information security, authentication most commonly refers to the act of a user logging in, but it also refers to essentially any time an entity proves who they are and assumes an identity. _________ is the responsibility of the identity provider.
The biggest impact of cloud computing on authentication is a greater need for strong authentication using multiple factors. This is for two reasons:
• Broad network access means cloud services are always accessed over the network, and often over the Internet. Loss of credentials could more easily lead to an account takeover by an attacker, since attacks aren’t restricted to the local network.
• Greater use of federation for Single Sign On means one set of credentials can potentially compromise a greater number of cloud services.
There are multiple options for MFA, including:
Authorization, access control, entitlement
• An authorization is permission to do something—access a file or network, or perform a certain function like an API call on a particular resource.
• An access control allows or denies the expression of that authorization, so it includes aspects like assuring that the user is authenticated before allowing access.
• An entitlement maps identities to authorizations and any required attributes (e.g. user x is allowed access to resource y when z attributes have designated values). We commonly refer to a map of these entitlements as an entitlement matrix. Entitlements are often encoded as technical policies for distribution and enforcement.
True/False: The cloud provider is responsible for enforcing authorizations and access controls.
True/False: The cloud user is responsible for defining entitlements and properly configuring them within the cloud platform.
True/False: ABAC (Attribute-based Access Control) is the preferred model for cloud-based access management.
True/False: When using federation, the cloud user is responsible for mapping attributes, including roles and groups, to the cloud provider and ensuring that these are properly communicated during