4.

4 Identity and access management architecture( IAM)

Basic concept and definitions of IAM functions for any service:
 Authentication – is a process of verifying the identity of a user or a
system.Authentication usually connotes a more roburst form of identification. In some
use cases such as service – to- service interaction, authentication involves verifying the
network service.
 Authorization – is a process of determining the privileges the user or system is entitled
to once the identity is established. Authorization usually follows the authentication step
and is used to determine whether the user or service has the necessary privileges to
perform certain operations.
 Auditing – Auditing entails the process of review and examination of authentication,
authorization records and activities to determine the adequacy of IAM system controls, to
verify complaints with established security policies and procedure,to detect breaches in
security services and to recommend any changes that are indicated for counter measures
IAM Architecture and Practice
 IAM is not a monolithic solution that can be easily deployed to gain capabilities
immediately.
 It is as much an aspect of architecture as it is acollection of technology components,
processes, and standard practices.
 Standardenterprise IAM architecture encompasses several layers of technology, services,
andprocesses. At the core of the deployment architecture is a directory service (such as
LDAP or Active Directory) that acts as a repository for the identity, credential, and user
attributes of the organization’s user pool.
 The directory interacts with IAM technology components such as authentication, user
management, provisioning, and federation services that support the standard IAM
practice and processes within the organization.
The IAM processes to support the business can be broadly categorized as follows:
 User management: Activities for the effective governance and management of identity
life cycles
 Authentication management: Activities for the effective governance and management
of the process for determining that an entity is who or what it claims tobe.
 Authorization management: Activities for the effective governance and management of
the process for determining entitlement rights that decide what resources an entity is
permitted to access in accordance with the organization’s policies.
 Access management: Enforcement of policies for access control in response to a request
from an entity (user, services) wanting to access an IT resource within the organization.
 Data management and provisioning: Propagation of identity and data for authorization
to IT resources via automated or manual processes.
 Monitoring and auditing: Monitoring, auditing, and reporting compliance by users
regarding access to resources within the organization based on the defined policies.
IAM processes support the following operational activities:
 Provisioning: Provisioning can be thought of as a combination of the duties of the
human resources and IT departments, where users are given access to data repositories or
systems, applications, and databases based on a unique user identity. Deprovisioning
works in the opposite manner, resulting in the deletion or deactivation of an identity or
of privileges
assigned to the user identity.
 Credential and attribute management: These processes are designed to manage the life
cycle of credentials and user attributes— create, issue, manage, revoke—to inappropriate
account use. Credentials are usually bound to an individual and are verified during the
authentication process.The processes include provisioning of attributes, static (e.g.,
standard text password) and dynamic (e.g., one-time password) credentials that comply
with a password standard (e.g., passwords resistant to dictionary attacks), handling
password expiration, encryption management of credentials during transit and at rest, and
access policies of user attributes (privacy and handling of attributes for various regulatory
reasons).Minimize the business risk associated with identity impersonation.

 Entitlement management: Entitlements are also referred to as authorization policies.

The processes in this domain address the provisioning and deprovisioning of privileges
needed for the user to access resources including systems, applications, and databases.
Proper entitlement management ensures that users are assigned only the required
privileges.
 Compliance management: This process implies that access rights and privileges are
monitored and tracked to ensure the security of an enterprise’s resources. The process
also helps auditors verify compliance to various internal access control policies, and
standards that include practices such as segregation of duties, access monitoring, periodic
auditing, and reporting. An example is a user certification process that allows application
owners to certify that only authorized users have the privileges necessary to access
business-sensitive information.
  Identity federation management: Federation is the process of managing the trust
relationships established beyond the internal network boundaries or administrative
domain boundaries among distinct organizations. A federation is an association of
organizations that come together to exchange information about their users and resources
to enable collaborations and transactions
 Centralization of authentication (authN) and authorization (authZ): A central
authentication and authorization infrastructure alleviates the need for application
developers to build custom authentication and authorization features into their
applications. Furthermore, it promotes a loose coupling architecture where applications
become agnostic to the authentication methods and policies. This approach is also called
an ―externalization of authN and authZ from applications

Fig.Identity Life cycle

IAM Standards and Specifications for Organisations
The following IAM standards and specifications will help organizations implement effective and
efficient user access management practices and processes inthe cloud. These sections are ordered
by four major challenges in user and access management faced by cloud users:
1. How can I avoid duplication of identity, attributes, and credentials and provide a single
signon user experience for my users? SAML.
2. How can I automatically provision user accounts with cloud services and automate the
process of provisoning and deprovisioning? SPML.
IAM Practices in the Cloud
When compared to the traditional applications deployment model within the enterprise, IAM
practices in the cloud are still evolving. In the current state of IAM technology, standards
support by CSPs (SaaS, PaaS, and IaaS) is not consistent across providers. Although large
providers such as Google, Microsoft, and Salesforce.com seem to demonstrate basic IAM
capabilities, our assessment is that they still fall short of enterprise IAM requirements for
managing regulatory, privacy, and data protection requirements. The maturity model takes into
account the dynamic nature of IAM users, systems, and applications in the cloud and addresses
the four key components of the IAM automation process:
• User Management, New Users
 • User Management, User Modifications
• Authentication Management
• Authorization Management
IAM practices and processes are applicable to cloud services; they need to be adjusted to the
cloud environment. Broadly speaking, user management functions in the cloud can be
categorized as follows:
• Cloud identity administration, Federation or SSO
• Authorization management
• Compliance management
Cloud Identity Administration: Cloud identity administrative functions should focus on life
cycle management of user identities in the cloud—provisioning, deprovisioning, identity
federation, SSO, password or credentials management, profile management, and administrative
management. Organizations that are not capable of supporting federation should explore
cloudbased identity management services. This new breed of services usually synchronizes an
organization’s internal directories with its directory (usually multitenant) and acts as a proxy IdP
for the organization.
Federated Identity (SSO): Organizations planning to implement identity federation that enables
SSO for users can take one of the following two paths (architectures):
• Implement an enterprise IdP within an organization perimeter.
• Integrate with a trusted cloud-based identity management service provider.
Both architectures have pros and cons.
Enterprise identity provider: In this architecture, cloud services will delegate authentication to
an organization’s IdP. In this delegated authentication architecture, the organization federates
identities within a trusted circle of CSP domains. A circle of trust can be created with all the
domains that are authorized to delegate authentication to the IdP. In this deployment architecture,
where the organization will provide and support an IdP, greater control can be exercised over
user identities, attributes, credentials, and policies for authenticating and authorizing users to a
cloud service.
IdP deployment architecture