Unit-2 Identity and Access Management

The document discusses Identity and Access Management (IAM) in the context of cloud services, highlighting trust boundaries, IAM architecture, and relevant standards and protocols. It outlines the importance of IAM for operational efficiency and regulatory compliance, detailing processes such as authentication, authorization, and auditing. Key IAM standards like SAML, SPML, XACML, and OAuth are explained, emphasizing their roles in managing user identities and access in cloud environments.

Uploaded by shindeprajwal912

Unit-2: Identity and Access Management (IAM)
Prepared by Prof. Neha Chankhore
Table of Content

• Trust Boundaries and IAM, IAM Challenges
• IAM Architecture and Practice
• Relevant IAM Standards and Protocols for cloud services
• Security Management standards
• Availability Management: SaaS Availability Management, PaaS Availability Management, IaaS Availability Management
Virtualization

Refer to the following links:
• Visual Slides - Unit 7- Cloud Virtualization Technology - Google Slides
• What is Virtualization? - Cloud Computing Virtualization Explained – AWS
Trust Boundaries and IAM

• In a typical organization where applications are deployed within the organization's perimeter, the "trust boundary" is mostly static and is monitored and controlled by the IT department.
• In that traditional model, the trust boundary encompasses the network, systems, and applications hosted in a private data center managed by the IT department (sometimes by third-party providers under IT supervision). Access to the network, systems, and applications is secured via network security controls including virtual private networks (VPNs), intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and multifactor authentication.
• With the adoption of cloud services, the organization's trust boundary will become dynamic and will move beyond the control of IT. With cloud computing, the network, system, and application boundary of an organization will extend into the service provider's domain. (This may already be the case for most large enterprises engaged in e-commerce, supply chain management, outsourcing, and collaboration with partners and communities.)
Why IAM?

• Improve operational efficiency: Properly architected IAM technology and processes can improve efficiency by automating user on-boarding and other repetitive tasks (e.g., self-service for users requesting password resets that would otherwise require the intervention of system administrators using a help desk ticketing system).
• Regulatory security compliance management: Regulatory security compliance means protecting systems, applications, and information from internal and external threats and complying with various regulatory, privacy, and data protection requirements. Most organizations implement an "IT general and application-level controls" framework derived from industry standard frameworks such as ISO 27002 and the Information Technology Infrastructure Library (ITIL).
Cloud Use Cases Supported by IAM

Cloud service providers need IAM support for many use cases, including:
• Employees and on-site contractors of an organization accessing a SaaS service using identities and credentials.
• IT administrators accessing the CSP management console to provision resources and access for users using a corporate identity.
• Developers creating accounts for partner users in a PaaS platform.
• End users accessing a storage service in the cloud (e.g., Amazon S3) and sharing files and objects.
• An application residing in a cloud service provider (e.g., Amazon EC2) accessing storage from another cloud service.
IAM Definitions

The basic concepts and definitions of IAM functions for any service:
• Authentication: Authentication is the process of verifying the identity of a user or system. Authentication usually implies a more robust form of identification.
• Authorization: Authorization is the process of determining the privileges the user or system is entitled to once the identity is established. In the context of digital services, authorization usually follows the authentication step and is used to determine whether the user or service has the necessary privileges to perform certain operations. In other words, authorization is the process of enforcing policies.
• Auditing: Auditing is the process of reviewing and examining authentication and authorization records and activities to:
  - determine the adequacy of IAM system controls,
  - verify compliance with established security policies and procedures (e.g., separation of duties),
  - detect breaches in security services (e.g., privilege escalation), and
  - recommend any changes that are indicated for countermeasures.
IAM Architecture and Practice

• IAM is an aspect of architecture, as it is a collection of technology components, processes, and standard practices.
• Standard enterprise IAM architecture encompasses several layers of technology, services, and processes.
• At the core of the deployment architecture is a directory service (such as LDAP or Active Directory) that acts as a repository for the identity, credential, and user attributes of the organization's user pool. The directory interacts with IAM technology components such as authentication, user management, provisioning, and identity services that support the standard IAM practice and processes within the organization.
IAM Processes

The IAM processes that support the business can be broadly categorized as follows:
• Authentication management: These are activities for the effective governance and management of the process for determining that an entity is who or what it claims to be.
• User management: These are activities for the effective governance and management of identity life cycles.
• Authorization management: These are activities for the effective governance and management of the process for determining entitlement rights that decide what resources an entity is permitted to access in accordance with the organization's policies.
• Access management: These are activities that enforce policies for access control in response to a request from an entity (user, service) wanting to access an IT resource within the organization.
• Data management and provisioning: These are activities that propagate identity and authorization data to an IT resource via automated or manual processes.
• Monitoring and auditing: Monitoring, auditing, and reporting on compliance by users regarding access to resources within the organization, based on the defined policies.
Relevant IAM Standards and Protocols for cloud services

IAM standards and specifications help organizations implement effective and efficient user access management practices and processes in the cloud. The following sections are ordered by four major challenges in user and access management faced by cloud users:
1. How can I avoid duplication of identity, attributes, and credentials and provide a single sign-on (SSO) user experience for my users? Use SAML.
2. How can I automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning? Use SPML.
3. How can I provision user accounts with appropriate privileges and manage entitlements for my users? Use XACML.
4. How can I authorize cloud service X to access my data in cloud service Y without disclosing credentials? Use OAuth.
Security Assertion Markup Language (SAML)

• SAML, the Security Assertion Markup Language, is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP).

Principles
• The SAML specification defines three roles: the principal (typically a user), the identity provider (IdP), and the service provider (SP).
• In the use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an identity assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision; in other words, it can decide whether to perform some service for the connected principal.
• Before delivering the identity assertion to the SP, the IdP may request some information from the principal, such as a user name and password, in order to authenticate the principal.
• SAML specifies the assertions between the three parties: in particular, the messages that assert identity that are passed from the IdP to the SP.
• In SAML, one identity provider may provide SAML assertions to many service providers. Similarly, one SP may rely on and trust assertions from many independent IdPs.

Use
• The primary SAML use case is called Web Browser Single Sign-On (SSO), where a user using a user agent (usually a web browser) requests a web resource protected by a SAML service provider.
• The service provider, wishing to know the identity of the requesting user, issues an authentication request to a SAML identity provider through the user agent. The resulting protocol flow is depicted in the following diagram.
1. Request the target resource at the SP
• The principal (via an HTTP user agent) requests a target resource at the service provider: https://sp.example.com/myresource
• The service provider performs a security check on behalf of the target resource. If a valid security context at the service provider already exists, skip steps 2–7.
2. Redirect to the SSO Service at the IdP
• The service provider determines the user's preferred identity provider and redirects the user agent to the SSO Service at the identity provider: https://idp.example.org/SAML2/SSO/Redirect?SAMLRequest=request
• The value of the SAMLRequest parameter is the encoding of a deflated <samlp:AuthnRequest> element.
3. Request the SSO Service at the IdP
• The user agent issues a GET request to the SSO service at the identity provider, where the value of the SAMLRequest parameter is taken from the URL query string at step 2.
• The SSO service processes the AuthnRequest and performs a security check. If the user does not have a valid security context, the identity provider identifies the user (details omitted).
4. Respond with an XHTML form
The SSO service validates the request and responds with a document containing an XHTML form:
<form method="post" action="https://sp.example.com/SAML2/SSO/POST" ...>
<input type="hidden" name="SAMLResponse" value="response" />
...
<input type="submit" value="Submit" />
</form>
The value of the SAMLResponse parameter is the encoding of a <samlp:Response> element.
5. Request the Assertion Consumer Service at the SP
The user agent issues a POST request to the assertion consumer service at the service provider. The value of the SAMLResponse parameter is taken from the XHTML form at step 4.
6. Redirect to the target resource
The assertion consumer service processes the response, creates a security context at the service provider, and redirects the user agent to the target resource.
7. Request the target resource at the SP again
The user agent requests the target resource at the service provider (again): https://sp.example.com/myresource
8. Respond with the requested resource
Since a security context exists, the service provider returns the resource to the user agent.
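The redirect and POST bindings of the flow above, worked through in Python as an added example (not code from the slides): the SP mints the AuthnRequest for step 2, the IdP inflates it and answers with a Response for step 4, and the SP's assertion consumer service at step 5 checks Destination and InResponseTo before creating a session. The in-memory pending-request set and the omission of the IdP's XML signature are simplifications of this example; a real SP also verifies that signature.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY = "https://sp.example.com"
ACS_URL = "https://sp.example.com/SAML2/SSO/POST"
IDP_SSO_URL = "https://idp.example.org/SAML2/SSO/Redirect"

# SP state: IDs of AuthnRequests sent but not yet answered (hypothetical in-memory store).
pending_requests = set()

def build_authn_request():
    """Step 2: the SP mints an AuthnRequest and remembers its ID for later matching."""
    request_id = "_" + secrets.token_hex(16)
    pending_requests.add(request_id)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="{request_id}" Version="2.0" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, xml

def encode_redirect(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def redirect_url(xml):
    """The Location the SP redirects the user agent to; urlencode adds URL escaping."""
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": encode_redirect(xml)})

def decode_redirect(param):
    """Step 3: the IdP inflates the SAMLRequest query parameter back into XML."""
    return zlib.decompress(base64.b64decode(param), -15).decode()

def build_response(authn_request_xml, subject):
    """Step 4: the IdP answers with a Response whose InResponseTo echoes the request ID.
    HTTP-POST binding: plain base64, no DEFLATE. The XML signature is omitted here."""
    req = ET.fromstring(authn_request_xml)
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_{secrets.token_hex(16)}" Version="2.0" InResponseTo="{req.get("ID")}" '
           f'Destination="{req.get("AssertionConsumerServiceURL")}">'
           f'<saml:Assertion><saml:Subject><saml:NameID>{subject}</saml:NameID>'
           f'</saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def consume_response(param):
    """Step 5: the SP's assertion consumer service validates the posted SAMLResponse
    and returns the authenticated subject, or None if the response must be rejected."""
    resp = ET.fromstring(base64.b64decode(param))
    if resp.get("Destination") != ACS_URL:
        return None                       # not addressed to this ACS endpoint
    in_reply = resp.get("InResponseTo")
    if in_reply not in pending_requests:
        return None                       # unsolicited, forged or replayed: no matching request
    pending_requests.discard(in_reply)    # each request ID is accepted once
    name_id = resp.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    return name_id.text if name_id is not None else None
```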
Service Provisioning Markup Language (SPML)

• SPML is an XML-based framework being developed by OASIS for exchanging user, resource, and service provisioning information among cooperating organizations. SPML is an emerging standard that can help organizations automate provisioning of user identities for the cloud.
• When SPML is available, organizations should use it to provision user accounts and profiles with the cloud service.
• If SPML is supported, software-as-a-service (SaaS) providers can enable "just-in-time provisioning" to create accounts for new users in real time (as opposed to preregistering users). In this case, the CSP extracts attributes from the SAML token of a new user, creates an SPML message on the fly, and hands the request to a provisioning service, which in turn adds the user identity to the cloud user database.

SPML aims to achieve two things:
• Automated IT provisioning tasks: by standardizing the job of provisioning and making it easier to encapsulate the security and auditing requirements of provisioning systems.
• Interoperability between different provisioning systems: different provisioning systems can now expose standard SPML interfaces to each other and interoperate with each other.

Components
• A provisioning system is made up of three essential components:
  - the Requesting Authority (RA),
  - the Provisioning Service Point (PSP), and
  - the Provisioning Service Target (PST).

Requesting Authority (RA):
• This is the client in the SPML scheme. It creates well-formed SPML messages and sends them as requests to the SPML service point. These requests describe an operation to be performed at specific provisioning service points (PSPs).
• For an RA to issue a request to a PSP, a trust relationship must exist between the RA and the SPML service point (PSP). Even an SPML service point can act as an RA when it issues an SPML request to another service point.

Provisioning Service Point (PSP):
• This is the component that listens for requests from the RA, processes them, and returns a response to the RA. Any component that listens for and processes well-formed SPML documents is called a Provisioning Service Point.

Provisioning Service Target (PST):
• This is the actual resource on which the action is taken. For example, it could be an LDAP directory that stores all of an organization's user accounts, or it could be a ticketing system that is used to issue access tickets.
• So, as you can see, the architecture is essentially a client (RA), a server (PSP), and resources (PSTs) that SPML manages.
eXtensible Access Control Markup Language (XACML)

• XACML is an OASIS, general-purpose, XML-based access control language for policy management and access decisions. It provides an XML schema for a general policy language which is used to protect any kind of resource and make access decisions over these resources.
• The XACML context also specifies the request/response protocol that the application environment can use to communicate with the decision point. The response to an access request is also specified using XML.
• Most applications (web or otherwise) have a built-in authorization module that grants or denies access to certain application functions or resources based on entitlements assigned to the user.
• In a centrally managed IAM architecture, application-specific authorization models make it difficult to state the access rights of individual users across all applications.

XACML Goal
• The goal of XACML is to provide a standardized language, a method of access control, and policy enforcement across all applications that implement a common authorization standard.
• These authorization decisions are based on various authorization policies and rules centered on the user's role and job function.
• In short, XACML allows for unified authorization policies (i.e., the use of one consistent XACML policy for multiple services).

The figure illustrates the interaction among various health care participants with unique roles (authorization privileges) accessing sensitive patient records stored in a health care application.
The figure illustrates the following steps involved in the XACML process:
1. The health care application manages various hospital associates (the physician, registered nurse, nurses' aide, and health care supervisor) accessing various elements of the patient record. This application relies on the policy enforcement point (PEP) and forwards the request to the PEP.
2. The PEP is actually the interface of the application environment. It receives the access requests and evaluates them with the help of the policy decision point (PDP). It then permits or denies access to the resource (the health care record).
3. The PEP then sends the request to the PDP. The PDP is the main decision point for access requests. It collects all the necessary information from available information sources and concludes with a decision on what access to grant. The PDP should be located in a trusted network with strong access control policies, e.g., in a corporate trusted network protected by a corporate firewall.
4. After evaluation, the PDP sends the XACML response to the PEP.
5. The PEP fulfills the obligations by enforcing the PDP's authorization decision.

The interaction takes place using a request-response protocol with the XACML message as the payload. In this way, XACML is used to convey the evaluation of policies against access decision requests.
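An added Python sketch (not from the slides) of steps 1 to 5 for the hospital scenario: the PEP builds the request context, the PDP evaluates every rule whose target matches and combines the effects with XACML's deny-overrides algorithm, and the PEP fulfils the returned obligation and enforces the decision. The roles, record elements and rules in POLICY are constructed for illustration, as is the in-memory AUDIT_LOG.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    """One XACML <Rule>: a Target (which roles, resources, actions) and an Effect."""
    rule_id: str
    effect: str          # "Permit" or "Deny"
    roles: set
    resources: set
    actions: set

    def matches(self, request):
        return (request["role"] in self.roles
                and request["resource"] in self.resources
                and request["action"] in self.actions)

# Constructed policy for the hospital scenario (not taken from the slides).
RECORD_PARTS = {"demographics", "vitals", "diagnosis", "prescriptions"}
POLICY = [
    Rule("clinical-staff-read", "Permit",
         {"nurses-aide", "registered-nurse", "physician"}, RECORD_PARTS, {"read"}),
    Rule("physician-write", "Permit", {"physician"}, RECORD_PARTS, {"write"}),
    Rule("supervisor-read", "Permit", {"supervisor"}, RECORD_PARTS, {"read"}),
    # Deny rule that overlaps the first Permit: the combining algorithm decides.
    Rule("aide-no-clinical-detail", "Deny",
         {"nurses-aide"}, {"diagnosis", "prescriptions"}, {"read", "write"}),
]
# Obligation attached to Permit decisions, which the PEP must fulfil (step 5).
OBLIGATIONS = {"Permit": ["audit-log"]}

def pdp_evaluate(request, policy=POLICY):
    """Steps 3-4: the PDP evaluates matching rules, combines effects with
    deny-overrides, and returns an XACML-style response context."""
    effects = [rule.effect for rule in policy if rule.matches(request)]
    if "Deny" in effects:
        decision = "Deny"
    elif "Permit" in effects:
        decision = "Permit"
    else:
        decision = "NotApplicable"   # no rule speaks to this request
    return {"Decision": decision, "Obligations": OBLIGATIONS.get(decision, [])}

AUDIT_LOG = []   # constructed stand-in for the audit trail the obligation feeds

def pep_request(role, resource, action):
    """Steps 1, 2 and 5: the PEP builds the request context from the application's
    call, asks the PDP, fulfils the obligations and enforces the decision.
    Anything other than an explicit Permit is treated as denied."""
    request = {"role": role, "resource": resource, "action": action}
    response = pdp_evaluate(request)
    for obligation in response["Obligations"]:
        if obligation == "audit-log":
            AUDIT_LOG.append((role, action, resource, response["Decision"]))
    return response["Decision"] == "Permit"
```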
Open Authentication (OAuth)

• OAuth is an open standard for token-based authentication on the Internet. OAuth, which is pronounced "oh-auth," allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.
• OAuth is an emerging authentication standard that allows consumers to share their private resources (e.g., photos, videos, contact lists, bank accounts) stored on one CSP with another CSP without having to disclose the authentication information (e.g., username and password).
• OAuth and login: OAuth and login must be understood separately. Assume we have a company where employees gain access to its building using their employee ID card. Now assume that an external guest needs to visit the company. If login stands for an employee accessing the building, OAuth stands for a guest receiving a visitor card and accessing the building.
• See the following example.
  - An external Guest A says to the reception desk that he wants to meet Employee B for business purposes.
  - The reception desk notifies Employee B that Guest A has come to visit him.
  - Employee B comes to the reception desk and identifies Guest A.
  - Employee B records the business purpose and identity of Guest A at the reception desk.
  - The reception desk issues a visitor card to Guest A.
  - Employee B and Guest A go to the specified room to discuss their business.
• The figure beside illustrates the sequence of interactions between a customer or partner web application, Google services, and the end user.
1. The customer web application contacts the Google Authorization service, asking for a request token for one or more Google services.
2. Google verifies that the web application is registered and responds with an unauthorized request token.
3. The web application directs the end user to a Google authorization page, referencing the request token.
4. On the Google authorization page, the user is prompted to log into his account (for verification) and then either grant or deny limited access to his Google service data by the web application.
5. The user decides whether to grant or deny access to the web application. If the user denies access, he is directed to a Google page and not back to the web application.
6. If the user grants access, the Authorization service redirects him back to a page designated by the web application that was registered with Google. The redirect includes the now-authorized request token.
7. The web application sends a request to the Google Authorization service to exchange the authorized request token for an access token.
8. Google verifies the request and returns a valid access token.
9. The web application sends a request to the Google service in question. The request is signed and includes the access token.
10. If the Google service recognizes the token, it supplies the requested data.
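The ten-step flow above as an added Python simulation (not from the slides or any Google API): an in-memory authorization service issues request tokens only to registered apps, binds a token to the user on grant, exchanges it once for an access token, and a data service honours only signed requests carrying a recognised token and its granted scope. The HMAC-over-token signature and all class and method names are constructed stand-ins, not OAuth's real signature scheme.

```python
import hashlib
import hmac
import secrets

class AuthorizationService:
    """Constructed stand-in for the Google Authorization service (steps 1-8)."""
    def __init__(self):
        self.apps = {}             # consumer key -> registered secret and callback URL
        self.request_tokens = {}   # request token -> app, scope, granting user (None until step 6)
        self.access_tokens = {}    # access token -> app, scope, user

    def register_app(self, consumer_key, consumer_secret, callback_url):
        self.apps[consumer_key] = {"secret": consumer_secret, "callback": callback_url}

    def issue_request_token(self, consumer_key, scope):
        """Steps 1-2: only a registered application gets an unauthorized request token."""
        if consumer_key not in self.apps:
            raise PermissionError("unregistered application")
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"app": consumer_key, "scope": scope, "user": None}
        return token

    def authorize(self, token, user, granted):
        """Steps 4-6: the user logs in at the service (the password never reaches the app)
        and grants or denies. Grant binds the token to the user and returns the redirect to
        the app's pre-registered callback; deny returns no redirect to the app at all."""
        entry = self.request_tokens[token]
        if not granted:
            return None
        entry["user"] = user
        return self.apps[entry["app"]]["callback"] + "?oauth_token=" + token

    def exchange(self, consumer_key, request_token):
        """Steps 7-8: an authorized request token is exchanged exactly once for an access token."""
        entry = self.request_tokens.pop(request_token, None)
        if entry is None or entry["app"] != consumer_key or entry["user"] is None:
            raise PermissionError("request token unknown, foreign, already used, or never authorized")
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = {"app": consumer_key, "scope": entry["scope"], "user": entry["user"]}
        return token

def sign(consumer_secret, access_token):
    """Client-side request signature: HMAC over the token with the app's secret
    (a constructed scheme standing in for OAuth's signature base string)."""
    return hmac.new(consumer_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()

class DataService:
    """Steps 9-10: a data service that trusts the authorization service's tokens."""
    def __init__(self, authz, user_data):
        self.authz, self.user_data = authz, user_data

    def fetch(self, consumer_key, access_token, signature):
        entry = self.authz.access_tokens.get(access_token)
        if entry is None or entry["app"] != consumer_key:
            return None     # token not recognised, or presented by a different app
        expected = sign(self.authz.apps[consumer_key]["secret"], access_token)
        if not hmac.compare_digest(expected, signature):
            return None     # a copied token without the app's secret cannot be signed
        # Scope limits what the token unlocks: only the data the user granted.
        return self.user_data.get(entry["user"], {}).get(entry["scope"])
```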
Security Management standards

• Depending on your industry, your business may be required to adhere to different compliance laws and regulations. Privacy laws such as the GDPR, HIPAA, CCPA, and others require your business to protect consumer data and privacy.
• For example, the HIPAA Privacy Rule requires organizations to block employee access to PHI (protected health information) as soon as the employee leaves the organization or is terminated.
• Similarly, the GDPR and CCPA laws require businesses to maintain access management and strong authentication methods to protect data related to their customers.
• Therefore, an IAM standard such as the AAA framework (authentication, authorization, and auditing) detailed above will ensure customer data is protected and confidential.

SaaS, PaaS, IaaS Availability Management
• Prepare the Availability Management table for all cloud services.
