IAM Cheat Sheet (DRAFT) by

Some IAM concepts, tools and basic notions that I don't want to forget. :)

This is a draft cheat sheet. It is a work in progress and is not finished yet.

What is...

What is Identity and Access Management? IAM is about making sure that the right people have access to the right resources and information within the organization, through a combination of systems, policies, processes and technologies.

Granting or denying access requires 3 things: an object (what is being accessed), a request (the action being attempted) and an identification (who is attempting it).

Related acronyms

ACL
Access control list
Defines who can access an object/document/information and what operations they can perform
AD
Active Directory
Directory service by Microsoft
API
Application programming interface
Set of rules and protocols that allow different software applications to communicate and interact with each other. They specify how software components should interact, enabling the exchange of data and functionality between systems.
AS
Authentication server
Server responsible for authenticating users in a network, often part of a centralized authentication system (in Kerberos, the AS issues the TGT)
BaaS
Backend as a service
Provides cloud-based backend services, such as databases and storage
BYOD
Bring your own device
Policy that allows employees to use their personal devices for work-related tasks
BYOID
Bring your own identity
Allows users to use their existing digital identities from external sources to access applications and services
BYOC
Bring your own credential
Allows users to bring their own authentication credentials, often associated with federated identity management
CI/CD
Continuous integration, continuous deployment
Practice that involves automatically testing and deploying code changes to improve development efficiency
CAPTCHA
Completely automated public Turing test to tell computers and humans apart
Security measure to distinguish between human and automated access by requiring users to solve a challenge
CIAM
Customer identity and access management
Subset of IAM that focuses on managing customers' identities
CIP
Customer identification program
Processes and procedures for verifying the identity of customers, often mandated by regulatory requirements
CORS
Cross-origin resource sharing
Security feature implemented by web browsers to control how a web page from one origin can request and interact with resources hosted on another origin
CSP
Cloud service provider
Company that delivers cloud computing services (including IAM solutions)
CSPM
Cloud security posture management
Continuous monitoring and management of an organization's cloud security posture (including IAM configurations)
CTF
Centralized token federation
Centralization of authentication tokens to enable seamless authentication across multiple applications. A token is a piece of data that represents authorization granted for a specific action (it's like a digital key that allows access to certain resources/actions; a proof of authorization)
DLP
Data loss prevention
Set of technologies and strategies designed to prevent unauthorized access, sharing, and distribution of sensitive data
EAC
Enterprise access control
Controlling access to an organization's resources and data, often through a combination of policies and technologies
EAL
Evaluation assurance level
Numerical rating (EAL1 to EAL7) assigned to IT products/systems to indicate the level of assurance reached in a Common Criteria evaluation
EIAM
Enterprise identity and access management
IAM solutions designed to meet the needs of large, complex enterprises
FIDO
Fast identity online
Alliance and set of open standards (U2F, FIDO2/WebAuthn) for online authentication that promote passwordless and strong, public-key based authentication methods
FIM
Federated identity management
Approach that enables the portability of digital identities across multiple identity management systems or domains. Relies on a trust relationship between identity providers and service providers, established through standards such as SAML or OAuth/OpenID Connect
IaaS
Infrastructure as a service
Provides virtualized computing infrastructure
IAG
Identity and access governance
Processes and technologies used to manage and audit user access across an organization's IT systems
IAMaaS
Identity and access management as a service
Typically cloud-based service that provides IAM functionalities (see also IDaaS)
IAMCP
Identity and access management compliance program
Compliance program that ensures IAM solutions adhere to industry standards and regulations
IAMN
Identity and access management network
Network architecture specifically designed for IAM purposes
IAMU
Identity and access management unit
Dedicated IAM unit or team within an organization
IDaaS
Identity as a service
Cloud-based services that provide IAM functionalities
IdP
Identity provider
System responsible for authenticating users and providing identity information about them, typically used in the context of federated identity management, where it issues security tokens (assertions) containing user attributes
IDV
Identity verification
Process of verifying the identity of an individual, typically through the use of various authentication methods and checks
JML
Joiners, movers and leavers
Key HR process of handling employees; each event should trigger provisioning, a change of access or deprovisioning (see IAM Processes)
KBA
Knowledge based authentication
Asking the individual to provide specific pieces of information that only the legitimate owner of the identity would know (e.g.: personal details, answers to security questions)
KYB
Know your business
Processes and checks used by organizations to verify and understand the businesses they are dealing with, often related to anti-fraud and compliance efforts
KYC
Know your customer
Regulatory process that involves verifying the identity of customers to prevent fraud, money laundering and other illicit activities
MDM
Mobile device management
Monitoring, managing and securing mobile devices within an organization
MFA
Multi factor authentication
Extra layer of security that requires users to present two or more independent factors (something you know, something you have, something you are) before access is granted
OTP
One time password
Password that is valid for one login session or transaction, commonly used as the second factor in 2FA
PaaS
Platform as a service
Provides a platform allowing customers to develop, run and manage applications
PAM
Privileged access management
Management of accounts that have unusual or elevated access (administrators, root, service accounts)
PII
Personally identifiable information
Information that can be used to identify a specific individual (name, address, social security number, ...)
PKI
Public key infrastructure
Framework that manages digital keys and certificates, enabling secure communication and authentication in a network
RFID
Radio-frequency identification
Uses radio waves to identify and track objects equipped with RFID tags, often used for asset tracking and access control
SaaS
Software as a service
Software applications delivered over the internet on a subscription basis, allowing users to access the software without the need for local installation and maintenance
SCIM
System for cross-domain identity management
Standard for automating the exchange of user identity information between systems, simplifying user provisioning and management
SIEM
Security information and event management
Approach to security management that combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts
SOD
Segregation of duties
Security concept that involves distributing tasks and privileges among multiple individuals to prevent conflicts of interest and reduce the risk of fraud
SP
Service provider
Entity that hosts services or resources and relies on an IdP to authenticate users before granting access
SS
Service server
Server that provides a specific service; in Kerberos, the server that accepts the service ticket obtained from the TGS
SSA
Security standards and agreements
Defining and implementing security standards and agreements related to IAM within an organization
SSO
Single sign on
Authentication process that allows a user to access multiple applications with a single set of login credentials
TGS
Ticket granting server
Server that issues service tickets to clients presenting a valid TGT. Component of Kerberos authentication.
TGT
Ticket granting ticket
Ticket obtained from the AS and used to request a service ticket from the TGS. Part of the Kerberos authentication system.
UBA
User behavior analytics
Analyzing patterns of user behaviour to detect and respond to anomalies that may indicate security threats
UEBA
User and entity behavior analytics
Advanced form of UBA that includes the analysis of both user and entity (devices, applications, service accounts) behaviour to identify potential security incidents
U2F
Universal 2nd factor
Open authentication standard (from the FIDO Alliance) that strengthens and simplifies two-factor authentication using specialized security keys

Concepts

Identification
•Establishing an identity (applicant > claimed identity > assured identity). •It may not need to identify who you are, only whether you're human. •Offers assurance: we're looking to control access and establish accountability, so we need to define what level of assurance is required (there are 4, see below). E.g.: shared keys or tokens offer a low level of uniqueness. •An account isn't the same as an identity! An identity may have multiple accounts!
Identity proofing
•Is the process of validating an identity to ensure the person is who they claim to be. •Helps to tailor the level of assurance (how do we know you are who you say you are?). •Also known as identity verification. •Common methods include document verification (passports, driver's licenses, ID cards...), biometric authentication (fingerprints, facial or voice recognition...), knowledge based authentication (answers to security questions or personal details...), social authentication (verifying an individual's identity through their social media or other online presence), mobile authentication (one-time codes, mobile apps...).
4 levels of identity assurance
1- There's no need for the identity to be proven; the user gives at least one unique identifier. 2- Claimed identity with evidence that supports real-world existence (a real person); the evidence is protected using cryptographic methods supporting integrity and authenticity. 3- Same as level 2 + physically identifying the person to ensure it's a real person AND the owner of the identity; e.g.: financial identity checks: the name of the claimed identity must match the personal name. 4- All requirements of the other levels + subjected to further evidence such as biometrics or a photograph to establish the identity.
Authentication
•Process of confirming the identity of an individual when access to a restricted security zone is attempted. •Authentication factors depend on the requirements: single factor (a password or PIN; the username is only an identifier, not a factor), two factors (password + OTP or mobile device), MFA (two or more independent factors: something you know, something you have, something you are). •Authentication reuse: non-reusable authentication, such as one time passwords (SMS, soft token, hard token), vs reusable authentication (traditional passwords, which can be replayed if captured). •Common authentication methods: MFA, system to system authentication, identity federation, token-based authentication, biometric authentication, session management (handling the duration and termination of user sessions), risk-based authentication. •Strong authentication involves at least two factors, for example a password combined with an OTP. FIDO attempts to standardize strong authentication.
Adaptive/Risk-based authentication
•Adapts authentication measures based on contextual factors such as location, device or behaviour.
Biometric authentication
•Uses fingerprints, facial recognition, or other biometric data for user identification. •Important considerations: FAR (false acceptance rate), FRR (false rejection rate), privacy and tracking, biometric data sharing, biometric federation. •Criteria for evaluating a biometric: universality, uniqueness, measurability, performance, acceptability, circumvention (how easily it can be spoofed). Check the table on the types of biometric authentication and their accuracy, invasiveness, acceptability and throughput from CIAP.
Tokens
•Is a piece of data that represents the authorization granted for a specific action. It's like a house key (a digital key): proof of your authorization to certain resources or actions. •Types: soft tokens (generated through software applications), hard tokens (generated by physical devices), RFID (allows the tagging of physical devices; passive vs active tags; can be combined with other authentication factors; privacy and tracking concerns).
Authorization
•Process of granting or denying access/privileges to a subject (someone who is authenticated and is now trying to access an object), based on the authenticated identity and the associated permissions. •After a user has been successfully authenticated, authorization determines what actions or operations that entity is allowed to perform within the system. •Is about permissions and access control (see the access control system types below: MAC, DAC, LBAC, RBAC, RAC, ABAC...). Relies on access policies. •It's important to do periodic access reviews and auditing.
Adaptive authorization
•Authorization changes based on posture. •Linked to adaptive authentication. •E.g.: network access control (when someone connects by VPN, the level of permissions may change).
Inherited permissions
•Used in some forms of access control models. •Permissions can be inherited through roles or hierarchical structures (a senior role inherits the permissions of the roles below it).
Privilege granularity
•Level of detail and precision at which access privileges or permissions are defined and managed within a system. •Involves breaking down access rights into smaller, more specific components, allowing fine-grained access control (e.g.: instead of granting broad read and write access to a DB, fine-grained access control might allow a user to read specific columns or rows of data). •Traditional access models lack granularity: you either have access or not. Granular access models are more flexible: you have individual levels of access.
Conditional access policies
•Allow an organization to define access rules based on specific conditions, such as location, device type, or time of day. E.g.: deny access if the user is trying to log in from an unrecognized or high-risk location.
Delegation of authority
•Allows administrators or users to grant limited access rights to others without disclosing sensitive information. E.g.: a manager delegates authority to approve certain requests without giving full administrative access.
Data visibility
•Different from data accessibility! •Granular access: read, write, list/enumerate,... •Approaches: data hiding and encapsulation; process and memory isolation; interface customisation.
Access control system types
•Three party model: a subject requests to read/enumerate/write/delete/etc. an object (requestor + action + object). If any transaction manages to avoid this process, the IAM is compromised: authorization and access policies must be enforced at the transaction level. •Traditional vs granular access models. •Types: MAC (mandatory access control), DAC (discretionary access control), LBAC (label-based access control), RBAC (role-based access control), RAC (rule-based access control), ABAC (attribute-based access control). TCSEC (Trusted Computer System Evaluation Criteria, replaced by Common Criteria [ISO/IEC 15408]) is the evaluation standard that originally defined MAC and DAC.
Accountability
End goal of identification, authentication and authorization efforts! Requires uniqueness, defining the accountability scope, and protecting accountability data (log retention, controlling who can remove logs, log timestamps, preserving log integrity, securing logging confidentiality).
SSO (Single Sign On)
Use of a single credential to access multiple systems. •Considerations: if there will be a user repository, where is it going to be? Where is the ultimate identity provider going to be? Which of our applications support this? If we have low security interfaces maybe we don't extend SSO to them, or we replace/update them. Trusting another system; privacy and tracking. •Not every system will be able to support SSO, but most modern systems will support APIs or pre-built connectors. •Adv: fewer credentials to manage = lower costs, better user experience. Disadv: keys to the kingdom (one compromised credential opens everything), latency risks, strong authentication for trivial access, connectivity issues, resilience (the SSO service becomes a single point of failure), integration complexity.
FIM (Federated Identity Management)
Use of a single credential to access multiple systems, usually across multiple security domains. •One set of credentials and no need for separate accounts! •Involves identity providers, service providers and a trust relationship between them, established using standards such as SAML or OAuth/OpenID Connect. •The line between FIM and SSO is blurry, but they address different aspects of user authentication and access control: FIM is the same set of credentials used to access different resources across multiple domains, while SSO is a mechanism that allows a user to log in once and gain access to multiple applications without having to log in again. Scope: SSO focuses on providing a seamless login experience within a single organization or domain; FIM extends the concept to enable users to access resources across different organizations or domains. Authentication model: SSO centralizes authentication within a single domain; FIM allows authentication across federated domains. Use cases: SSO is commonly used within a single organization's ecosystem; FIM when users from different organizations need to collaborate and access shared documents. Both rely on standards. FIM often involves the implementation of SSO as part of its broader framework. •Considerations: trusting another system, multiple security domains, business logic: if someone updates their phone number in the intranet phonebook and in the HR system with a different number, which one wins? Which direction will the information flow go? 3rd party IdP, network architecture. •Adv: fewer credentials to manage, customer/supplier integration, policy enforcement. Disadv: keys to the kingdom (compromise of the IdP or its signing key compromises every SP that trusts it), internet-based systems, integration complexity.
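The IdP / SP trust relationship described under SSO and FIM, in miniature, as an added example that is not part of the cheat sheet. The IdP signs an assertion about an authenticated user; the SP accepts it only if the signature, issuer, audience and validity window check out and the assertion has not been presented before. The JSON assertion format is a stand-in for a SAML assertion or an OIDC ID token, and the shared HMAC key is a simplification of the IdP's signing certificate; both are assumptions, as are the example.com host names. The `forge_subject` helper shows what an attacker without the IdP key can do to a captured assertion, and why the SP must verify the signature before trusting any claim.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set

REQUIRED_CLAIMS = {"iss", "sub", "aud", "iat", "exp", "jti"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates the user (out of scope here) and vouches for them to SPs."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self.signing_key = signing_key

    def issue(self, subject: str, audience: str, now: int, ttl: int = 300,
              attrs: Optional[Dict[str, str]] = None) -> str:
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + ttl,
                  "jti": secrets.token_hex(8),          # unique id for replay detection
                  "attrs": attrs or {}}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.signing_key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(sig)


class ServiceProvider:
    """Relying party: holds the federation trust list (issuer -> verification key)."""

    def __init__(self, audience: str, trusted_issuers: Dict[str, bytes]):
        self.audience = audience
        self.trusted_issuers = trusted_issuers
        self.seen_ids: Set[str] = set()               # replay cache; bound it by exp in production

    def validate(self, assertion: str, now: int) -> dict:
        """Return the claims if every check passes, else raise ValueError(reason)."""
        try:
            body_b64, sig_b64 = assertion.split(".")
            body = _unb64(body_b64)
            sig = _unb64(sig_b64)
            claims = json.loads(body)
        except ValueError:                             # covers split, base64 and JSON errors
            raise ValueError("malformed")
        if not isinstance(claims, dict) or not REQUIRED_CLAIMS <= set(claims):
            raise ValueError("malformed")
        key = self.trusted_issuers.get(claims["iss"])
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):     # verify before trusting any claim
            raise ValueError("bad signature")
        if claims["aud"] != self.audience:             # a token for another SP is not for us
            raise ValueError("wrong audience")
        if not claims["iat"] <= now < claims["exp"]:
            raise ValueError("expired or not yet valid")
        if claims["jti"] in self.seen_ids:
            raise ValueError("replayed")
        self.seen_ids.add(claims["jti"])
        return claims


def check(sp: ServiceProvider, assertion: str, now: int) -> str:
    """'ok', or the reason the SP rejected the assertion."""
    try:
        sp.validate(assertion, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def forge_subject(assertion: str, new_subject: str) -> str:
    """Edit the subject claim but keep the original signature (no IdP key needed)."""
    body_b64, sig_b64 = assertion.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["sub"] = new_subject
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + sig_b64


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"
    idp = IdentityProvider("https://idp.example.com", KEY)
    app = ServiceProvider("https://app.example.com", {"https://idp.example.com": KEY})
    token = idp.issue("alice", "https://app.example.com", now=1700000000, attrs={"dept": "finance"})
    print(check(app, token, 1700000010))                            # ok
    print(check(app, token, 1700000011))                            # replayed
    print(check(app, forge_subject(token, "admin"), 1700000010))    # bad signature
```

The "keys to the kingdom" risk is visible in the trust list: whoever holds an entry's key can mint an assertion for any subject that every SP trusting that issuer will accept, which is why real IdP signing keys live in an HSM and SPs pin the issuer's certificate rather than a shared secret.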

Access Control Systems Types

TCSEC
Trusted computer system evaluation criteria
Evaluation standard (the "Orange Book") that defined the DAC and MAC models. Was replaced by Common Criteria (ISO/IEC 15408). •DAC •MAC
MAC
Mandatory access control
Strictest of all models. Difficult to maintain in complex environments due to constant changes. •The system controls access, not the resource owner. •Subjects and objects carry labels (clearances and classifications) assigned by the system.
DAC
Discretionary access control
The resource owner confers access (it's up to their judgement). More flexible, but challenging at large scale. •NTFS file system permissions
LBAC
Label based access control
Assigns labels to both the subjects and the objects based on certain security attributes. Access decisions are then made by comparing the labels of subjects with the labels of the objects (lists the subjects on one side, the objects on the other, and you plot using a matrix for comparison). Simple approach. •Subjects cross-referenced to objects. •Grid or lattice.
RBAC
Role based access control
Assigns permissions to users based on their roles. Associates users with predefined roles and then grants permissions to those roles. Widely used. •Works well where multiple instances of roles exist, but environments with a high number of roles might become complex (role explosion).
RAC
Rule based access control
Rules define access (access decisions are made by evaluating rules or policies that are defined and enforced by the system). Allows fine-grained access control by specifying conditions or criteria that must be satisfied for access to be granted. •Central management of all rules.
ABAC
Attribute based access control
Determines access based on attributes associated with users, resources and the environment. Flexible. •Policy based access control. •Strongly relates to the XACML standard. •User attributes such as roles, department, location, clearance level... Resource attributes such as sensitivity level, data classification, type...
HBAC
History based access control
Considers the user's historical behaviour (past actions and behaviour patterns) to determine current access permissions.
RiskBAC
Risk based access control
Assesses the risk associated with a particular access request before granting or denying access. Considers factors such as user behaviour, location, and the sensitivity of the requested resource.
TBAC
Temporal based access control
Restricts access based on specific time intervals or temporal conditions. •Time-based policies, such as granting access only during business hours.
HABAC
Hierarchical attribute based access control
Extends ABAC by introducing a hierarchical structure to attributes. Allows for more complex access control policies based on the hierarchical relationships between attributes.
CUI
Constrained user interface
Restricts the functionality or user interface elements available to a user based on their access permissions. •Often used to limit actions within an application.
UCON
Usage control
Integrates access control decisions with ongoing usage monitoring. Allows dynamic changes to access permissions based on the user's behaviour during the course of interaction with the system.
P2PAC
Peer to peer access control
Enables access control decisions in peer to peer networks. It defines how access permissions are determined in decentralized and distributed systems.
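As an added example (not part of the cheat sheet), the three-party request (subject, action, object) from the Concepts section evaluated by a small policy decision point that combines several of the models above: RBAC with inherited permissions, a label comparison standing in for LBAC/MAC (a linear order of labels rather than a full lattice, and only the "no read up" half of Bell-LaPadula), and ABAC rules that include a TBAC-style business-hours condition, a conditional-access device check and a DAC-style owner rule. The users, roles, labels, rules and the "every model must permit" combining choice are all constructed for illustration; the decision record returned by `decide` is the kind of entry the audit log needs for accountability.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset
    clearance: str
    department: str


@dataclass(frozen=True)
class Obj:
    name: str
    kind: str          # object type the RBAC permissions are keyed on
    label: str         # classification label compared by the lattice rule
    owner: str
    department: str


# LBAC / MAC: the system, not the owner, orders the labels.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def lbac_allows(subject: Subject, obj: Obj) -> bool:
    """Clearance must dominate the object's label ("no read up")."""
    return LEVELS[subject.clearance] >= LEVELS[obj.label]


# RBAC with inherited permissions: a role holds its own permissions plus its parents'.
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("report", "read")},
    "editor": {("report", "write")},
    "admin": {("user", "write")},
}
ROLE_PARENTS: Dict[str, Set[str]] = {"admin": {"editor"}, "editor": {"analyst"}}


def effective_roles(roles) -> Set[str]:
    """Expand a role set through the hierarchy so permissions are inherited."""
    result: Set[str] = set()
    todo = list(roles)
    while todo:
        role = todo.pop()
        if role not in result:
            result.add(role)
            todo.extend(ROLE_PARENTS.get(role, ()))
    return result


def rbac_allows(subject: Subject, obj: Obj, action: str) -> bool:
    return any((obj.kind, action) in ROLE_PERMS.get(r, set())
               for r in effective_roles(subject.roles))


# ABAC / rule based: each rule inspects subject, object, action and environment
# attributes and returns "permit", "deny" or None (not applicable).
Rule = Callable[[Subject, Obj, str, dict], Optional[str]]

RULES: List[Rule] = [
    # TBAC-style condition: writes only during business hours (hours in UTC, an assumption)
    lambda s, o, a, env: "deny" if a == "write" and not 9 <= env["hour"] < 18 else None,
    # conditional access: nothing above "internal" from an unmanaged device
    lambda s, o, a, env: "deny" if LEVELS[o.label] > LEVELS["internal"] and not env["managed_device"] else None,
    # DAC flavour: the owner may read their own object
    lambda s, o, a, env: "permit" if o.owner == s.name and a == "read" else None,
    # departmental access: the owning department may read and write
    lambda s, o, a, env: "permit" if o.department == s.department and a in ("read", "write") else None,
]


def abac_allows(subject: Subject, obj: Obj, action: str, env: dict) -> bool:
    """Deny-overrides combining: any deny wins; otherwise some rule must permit."""
    verdicts = {rule(subject, obj, action, env) for rule in RULES}
    return "deny" not in verdicts and "permit" in verdicts


def decide(subject: Subject, action: str, obj: Obj, env: dict) -> dict:
    """Policy decision point: every configured model must permit (an assumption made
    here for illustration). The returned record is what the audit log keeps."""
    verdicts = {
        "rbac": rbac_allows(subject, obj, action),
        "lbac": lbac_allows(subject, obj),
        "abac": abac_allows(subject, obj, action, env),
    }
    return {"subject": subject.name, "action": action, "object": obj.name,
            "allowed": all(verdicts.values()),
            "denied_by": sorted(model for model, ok in verdicts.items() if not ok)}


# Constructed sample data
ALICE = Subject("alice", frozenset({"editor"}), "confidential", "finance")
BOB = Subject("bob", frozenset({"analyst"}), "internal", "finance")
CAROL = Subject("carol", frozenset({"admin"}), "secret", "it")
Q3_REPORT = Obj("q3_report", "report", "confidential", "alice", "finance")
OFFICE_HOURS = {"hour": 10, "managed_device": True}

if __name__ == "__main__":
    for subj, act, env in [(ALICE, "read", OFFICE_HOURS), (BOB, "read", OFFICE_HOURS),
                           (ALICE, "write", {"hour": 22, "managed_device": True}),
                           (CAROL, "read", OFFICE_HOURS)]:
        print(decide(subj, act, Q3_REPORT, env))
```

Note how the models disagree: carol's admin role inherits the read permission and her clearance dominates the label, yet the attribute rules deny because she is neither the owner nor in the owning department. That is the granularity the Concepts section describes: the role says yes, the attributes say no, and the denial names the model responsible.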

IAM Processes

Process approval
•Designated approver(s) - some processes may require multiple approvers. •Latency vs security. •Manual vs automated. •Bulk approval (fast, but with a risk of rubber-stamping).
Monitoring
•What do we check? How do we check? •Do we perform sample checks (request vs actual), monitor all of the requests in detail, or something else? This might depend on the type of account: privileged users we might want to monitor more closely. •What will be the frequency of checks? This should be linked to the privileges and the risk. •Vulnerability assessment.
Review
Reviews often refer to the checking of the request.
Access reviews
Are necessary! •Who? What? When? How? •Point in time assessment. •Sample checking. •Check for dormant accounts, who is using what, privileged users... •Management confirmation and review.
Reporting
•What? To whom? How often? •Sanitize sensitive information.
Credential selection
Process for selecting appropriate credentials. •Username •Physical •Logical
Credential issuance
•Secure channel of issuance. •Do we need in-person verification? •Single or multi channel issuance? •Are additional enrolment requirements, such as biometrics, needed? •Considerations: speed vs costs vs security.
Provisioning process
Activities and workflow involved in managing the lifecycle of users. Includes user onboarding (creation and configuration of user accounts) and account modification (updates to reflect changes in roles, responsibilities or attributes). •Everything should be auditable! •There's a need to understand the scope and the scale required. •Scripting and automation might be useful (see SCIM). •Considerations: duration of access, account cloning (copying an existing user's permissions also copies whatever excess that user already has), cross-system standardization.
Self service
Improves the user experience and reduces costs by giving users their own tools to manage IAM. Involves self-service password reset, SSO access, request and approval, device enrollment, profile management,... •Makes provisioning faster.
Managing change
Managing changes such as when people move within the organization and permissions have to change. •Do we need to revoke already existing accesses before giving more privileges? (If not, rights accumulate: see privilege creep.) •Processes for exigent circumstances like suspension or revocation are needed, since the revocation needs to be done instantly.
Deprovisioning
Activities and workflow needed to manage the end of a user's lifecycle. Includes a series of actions to deactivate, delete or transition accounts when an individual leaves the organization or no longer requires specific access or privileges. Includes user offboarding (deactivating or deleting user accounts when individuals leave an organization), account deactivation (temporarily disabling user accounts in cases such as leaves of absence), revoking access (removing access rights and roles), data archiving or transfer. •What's the trigger (management notification, removal from the HR system, lack of activity...)? •Needs to be auditable! •How are we going to manage everything, from access to service accounts to door codes and router passwords? •Sometimes disabling a user first and then deprovisioning is better (reversible if the trigger was wrong, and the mailbox and files stay available for handover). •PII is very important, as well as things like emails in the mailbox. •Documents that need passwords should also be taken into consideration.
IAM processes in an organization can be solely manual and/or have some degree of automation. Example: there can be a manually reviewed pre-approval area for accounts that have been automatically provisioned.
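The provisioning, managing change, deprovisioning and access review processes above as one runnable lifecycle, added here as an example and not part of the cheat sheet. A joiner gets the entitlements of their role, a mover either has the old rights revoked before the new ones are granted or (the sloppy path) keeps both, a leaver is disabled first and then stripped, and every change lands in an append-only audit record. The two access-review checks at the end find exactly the two problems the text warns about: dormant accounts and privilege creep. The roles, entitlements, people and dates are constructed, and the 90-day dormancy threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed role-to-entitlement mapping: the system of record for what a role should hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance-analyst": {"erp:read", "reports:read"},
    "finance-manager": {"erp:read", "erp:approve", "reports:read"},
    "it-admin": {"ad:admin", "vpn:admin"},
}


@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str]
    last_login: Optional[date] = None
    state: str = "active"            # active -> disabled -> deprovisioned


class Lifecycle:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[dict] = []  # append-only: every change is recorded here

    def _log(self, event: str, user: str, when: date, **details) -> None:
        self.audit.append({"event": event, "user": user, "date": when.isoformat(), **details})

    def join(self, user: str, role: str, when: date) -> None:
        """Joiner: the account starts with exactly what the role grants."""
        acct = Account(user, role, set(ROLE_ENTITLEMENTS[role]), last_login=when)
        self.accounts[user] = acct
        self._log("join", user, when, role=role, granted=sorted(acct.entitlements))

    def move(self, user: str, new_role: str, when: date, revoke_old: bool = True) -> None:
        """Mover. With revoke_old=False the old rights survive: that is privilege creep."""
        acct = self.accounts[user]
        before = set(acct.entitlements)
        target = set(ROLE_ENTITLEMENTS[new_role])
        acct.entitlements = target if revoke_old else before | target
        acct.role = new_role
        self._log("move", user, when, role=new_role,
                  revoked=sorted(before - acct.entitlements),
                  granted=sorted(acct.entitlements - before))

    def record_login(self, user: str, when: date) -> None:
        self.accounts[user].last_login = when

    def leave(self, user: str, when: date) -> None:
        """Leaver: disable first (reversible, mailbox kept for handover), then strip rights."""
        acct = self.accounts[user]
        acct.state = "disabled"
        self._log("disable", user, when)
        revoked = sorted(acct.entitlements)
        acct.entitlements = set()
        acct.state = "deprovisioned"
        self._log("deprovision", user, when, revoked=revoked)

    # --- checks an access review runs over the current state ------------------
    def dormant_accounts(self, today: date, max_idle_days: int = 90) -> List[str]:
        """Active accounts nobody has used for longer than the threshold."""
        return sorted(u for u, a in self.accounts.items()
                      if a.state == "active" and (today - a.last_login).days > max_idle_days)

    def privilege_creep(self) -> Dict[str, List[str]]:
        """Active accounts holding entitlements their current role does not grant."""
        findings: Dict[str, List[str]] = {}
        for user, acct in self.accounts.items():
            extra = acct.entitlements - ROLE_ENTITLEMENTS[acct.role]
            if acct.state == "active" and extra:
                findings[user] = sorted(extra)
        return findings


def run_scenario() -> dict:
    """Constructed joiner/mover/leaver timeline followed by an access review."""
    lc = Lifecycle()
    start = date(2024, 1, 15)
    lc.join("dana", "finance-analyst", start)
    lc.join("eli", "it-admin", start)
    lc.move("dana", "finance-manager", start + timedelta(days=200))                   # clean move
    lc.move("eli", "finance-analyst", start + timedelta(days=200), revoke_old=False)  # sloppy move
    lc.record_login("dana", start + timedelta(days=300))
    review_day = start + timedelta(days=320)
    findings = {"dormant": lc.dormant_accounts(review_day),
                "creep": lc.privilege_creep()}
    lc.leave("eli", review_day)          # the review's outcome: eli is offboarded
    findings["eli_state"] = lc.accounts["eli"].state
    findings["audit_events"] = [e["event"] for e in lc.audit]
    return findings


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The review reports eli twice, as dormant and as carrying two admin entitlements a finance analyst should not have; both findings come from comparing the account against the role definition and the login date, which is why the lifecycle keeps both rather than just a list of granted rights.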

Standards and Guidelines

ISO 27001
•Annex A (2013 edition) has 14 control domains: A.9 relates to access management (access control, access control policy, access to network and network services, user access management which includes provisioning, PAM, adjustment of access rights, review of access rights...). Also covers the responsibilities of the user. Considers system and application access control.
ISO/IEC 24760
•A framework for identity management. •Part 1: terminology and concepts. Considers key processes and terms. Recognized identity and partial identity (identity distributed over different partners that collectively form an identity). Identifies the lifecycle of an identity (unknown - no degree of trust or evidence -, established, active, suspended, archived). •Part 2: reference architecture and requirements for the implementation of identity management. Includes key terms like relying party, ITP, etc. Recognizes the importance of stakeholders, the use of use cases and ongoing audits. •Part 3: practice. The practical way to comply with the first 2 parts of the standard. Links to ISO/IEC 29003 for identity proofing and ISO/IEC 29115 for assurance levels.
NIST SP 800-63
•USA •Digital identity guidelines •800-63-3: digital identity guidelines overview •800-63A: enrolment and identity proofing •800-63B: authentication and lifecycle management •800-63C: federation and assertions. •Knowledge based authentication. Covers things like minimum password lengths, comparing new passwords against a dictionary of known-compromised passwords... Recommends out-of-band authentication to provide 2FA, i.e. using separate channels. States that SMS as an out-of-band authenticator is restricted (it was deprecated in an earlier draft).
National Strategy for Trusted Identities in Cyberspace
•USA, 2011 •Attempt to create trust and a standardized identity on the internet. Privacy-enhancing, secure, interoperable, cost effective.
NIST Cybersecurity Practice Guide 1800-2
•USA •IAM for electric utilities
NGBMS
•Research for next generation measurements and standards for identity management
Export of cryptography
•Different countries have different approaches. Typically there are restrictions on the export of strong cryptography.
Data laws
•EU = GDPR, EU-US Privacy Shield (invalidated in 2020 by the Schrems II ruling).
Some trends: Russia - data localisation law, South Africa - Protection of Personal Information Act, privacy legislation - Austria and New Zealand in 1993 and Hong Kong in 1995, APEC Privacy Framework - directive for Pacific countries, China in 2021 - Personal Information Protection Law, with a strong focus on protecting the nation.
There's a trend to increase regulation regarding data privacy.


Common Issues

Privilege creep
Gradual accumulation of rights beyond what is necessary. •Occurs when an employee moves within the organization and gets new privileges without having the old ones removed, through excessive privilege assignment, through accumulation of rights over time...
Mobile computing trend
Instead of focusing on the corporate network, now it's about trying to secure all information across a variety of networks. Also, IAM stretches across corporate and personal devices.
Prosumer devices in the enterprise trend
The bring-your-own-device trend creates a problem: the organization does not fully control the device that holds the credentials.
Rate of change
BYOD (DLP, MDM); Cloud (BYOC), BYOID (IDaaS)
Asset management
Management of physical assets is easier. It's more difficult when there are cloud services and virtualisation. Information as an asset is also difficult to manage.

Cloud & blockchain

 

Protocols

 

Techno­logies