Identity and Access Management (IAM) is a framework of policies and technologies for ensuring that the right individuals have access to the right resources at the right times for the right reasons.
1. Category
1.1. Identity Management
Identity Management (IdM) is a subset of Identity and Access Management (IAM) focused specifically on the administration of user identities and their attributes within an organization. It involves the processes and technologies used to manage the lifecycle of digital identities, ensuring that they are accurate, up-to-date, and properly controlled.
1.1.1. Identity Governance and Administration (IGA)
IGA encompasses the policies, processes, and technologies used to manage and ensure the visibility and control of identities and access rights across an organization.
1.1.1.1. Identity Lifecycle Management
Managing the creation, updating, and deletion of identities throughout their lifecycle.
1.1.1.2. Access Requests
Enabling users to request access to resources and automating the approval process.
1.1.1.3. Certification and Attestation
Regularly reviewing and certifying access rights to ensure compliance with policies.
1.1.1.4. Role Management
Defining and managing roles and associated permissions to streamline access control.
1.1.2. Authentication
1.1.2.1. Single Sign-On (SSO)
Allowing users to authenticate once and gain access to multiple applications without re-entering credentials.
1.1.2.2. Multi-Factor Authentication (MFA)
Requiring multiple forms of verification to enhance security.
1.1.2.3. Password Management
Managing user passwords, including self-service password resets and enforcing strong password policies.
1.1.3. Directory Services
Directory Services are specialized software applications or platforms used to store, organize, and manage information about users, resources, and network devices within an organization. They provide a centralized repository for identity-related data and enable efficient access management, authentication, and authorization across an enterprise network.
1.1.3.1. LDAP Directories
Lightweight Directory Access Protocol (LDAP) directories for managing user information and authentication.
1.1.3.2. Active Directory (AD)
Microsoft's directory service for managing identities and access within Windows environments.
1.1.3.3. Azure Active Directory (AAD)
1.1.3.4. Federated Identity Management
Enabling users to access resources across multiple domains or organizations using a single identity.
1.2. Access Management
1.2.1. Access Control
1.2.1.1. Policy Management
Defining and enforcing access control policies to ensure consistent and secure access management.
1.2.1.2. Privileged Access Management (PAM)
PAM focuses on securing, managing, and monitoring access by privileged users who have elevated permissions.
1.2.2. Authorization
Authorization ensures that authenticated users have access to the resources they are entitled to based on predefined policies.
1.2.2.1. Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) is a method of managing user access to systems, networks, or resources based on their role. RBAC allows IT administrators to identify the necessary level of access for all users with a particular job function and assign those users a role with the appropriately configured set of permissions. This gives IT teams the ability to easily add, modify, and remove permissions for all users in a group at once, or quickly change a single user’s access level by assigning or removing a role.
1.2.2.2. Attribute-Based Access Control (ABAC)
Attribute-Based Access Control (ABAC) is an access control model that grants or denies access to resources based on attributes associated with users, resources, and the environment. ABAC provides fine-grained access control by evaluating policies that consider multiple attributes and conditions.
1.2.2.3. Discretionary Access Control (DAC)
Discretionary Access Control (DAC) is an access control model in which access rights and permissions are assigned based on the discretion of the owner of the resource. This model allows resource owners to control who can access their resources and what actions they can perform. DAC is commonly used in systems where flexibility and user-level control over resources are important.
1.2.2.4. Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is a highly restrictive access control model where access to resources is controlled by a central authority based on security policies and classifications. In MAC, neither users nor resource owners have any discretion in defining access permissions; instead, permissions are determined by system-enforced rules.
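The four models differ in who makes the decision and what it is based on. The Python snippet below is an added example, not code from the original page, and puts a minimal decision function for each model side by side: RBAC (permissions reach users only through roles), ABAC (predicates over subject, resource and environment attributes), DAC (the owner keeps an ACL and only the owner may extend it) and MAC (system-wide labels under a Bell-LaPadula style "no read up, no write down" rule that no owner can override). All users, roles, attributes and labels are constructed sample data.

```python
"""Four authorization models side by side (added example; in-memory toy data)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# ---- RBAC: permissions attach to roles, roles attach to users (constructed data) ----
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("read", "reports")},
    "admin": {("read", "reports"), ("write", "reports"), ("delete", "reports")},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"analyst"}, "bob": {"admin"}}


def rbac_allowed(user: str, action: str, resource: str) -> bool:
    """Allowed if any role held by the user carries the (action, resource) permission."""
    return any((action, resource) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ---- ABAC: a policy is a predicate over subject, resource and environment attributes ----
Policy = Callable[[dict, dict, dict], bool]
ABAC_POLICIES: Dict[str, Policy] = {
    # read: same department as the document, from the corporate network, in business hours
    "read": lambda s, r, e: (s["department"] == r["department"]
                             and e["network"] == "corp" and 8 <= e["hour"] < 18),
    # write: same department and a senior title, regardless of time or network
    "write": lambda s, r, e: (s["department"] == r["department"]
                              and s["title"] == "senior"),
}


def abac_allowed(action: str, subject: dict, resource: dict, env: dict) -> bool:
    """Default deny: an action without a policy is never allowed."""
    policy = ABAC_POLICIES.get(action)
    return bool(policy and policy(subject, resource, env))


# ---- DAC: the resource owner decides who else may do what ----
@dataclass
class DacResource:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> permitted actions

    def grant(self, by: str, to: str, action: str) -> None:
        """Only the owner may extend the ACL; everyone else is refused."""
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner of this resource")
        self.acl.setdefault(to, set()).add(action)

    def allowed(self, user: str, action: str) -> bool:
        return user == self.owner or action in self.acl.get(user, set())


# ---- MAC: system-wide labels that neither users nor owners can change ----
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allowed(clearance: str, classification: str, action: str) -> bool:
    """Bell-LaPadula style: no read up (read needs clearance >= label),
    no write down (write needs clearance <= label)."""
    c, k = LEVELS[clearance], LEVELS[classification]
    if action == "read":
        return c >= k
    if action == "write":
        return c <= k
    return False


if __name__ == "__main__":
    print("RBAC alice write reports:", rbac_allowed("alice", "write", "reports"))
    doc = DacResource(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC bob read:", doc.allowed("bob", "read"))
    print("MAC internal clearance reading secret:", mac_allowed("internal", "secret", "read"))
```

The contrast worth noticing is in the write paths: under DAC a non-owner calling `grant` is refused but the owner can hand out anything, whereas under MAC there is no grant operation at all, only the label comparison, which is exactly what "no discretion" means in the MAC definition above.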
1.3. Secret Management
Secret Management refers to a tool or service that securely stores and manages sensitive information, such as API keys, passwords, and credentials. It provides a centralized and secure way to handle secrets, ensuring that they are encrypted, access-controlled, and can be easily rotated. Secret Management enhances security by preventing sensitive data from being hard-coded in code repositories or configuration files, reducing the risk of exposure.
Components and Features
Secret Storage
Involves secure storage of sensitive information such as API keys, passwords, and cryptographic keys.
Access Control
Defines and enforces policies to control who can access stored secrets. Utilizes Role-Based Access Control (RBAC) and fine-grained access control.
Dynamic Secret Generation
Generates secrets dynamically, reducing the risk associated with static secrets. Involves automated generation of short-lived secrets.
Secret Rotation
Periodically changes secrets to enhance security. Involves automated and policy-driven rotation.
Audit Logging
Records and logs activities related to secret access and management for monitoring and compliance.
Integration with Identity Management
Seamless integration with Identity and Access Management (IAM) systems for centralized control.
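The components listed above (secret storage, access control on the store, dynamic short-lived secrets, rotation and audit logging) are easier to reason about in one small working model. The following is an added example and not the code or API of any of the products named below: an in-memory store whose read policy is role-based, which issues leased credentials that expire on their own, rotates static values on request and writes every decision, including denials, to an audit list. The `db/password` identifier, the role and user names, and the injected clock are all constructed for the example.

```python
"""Minimal secret store illustrating the components above (added example; in-memory only)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Lease:
    """A dynamically generated, short-lived credential."""
    secret_id: str
    value: str
    expires_at: float  # epoch seconds


@dataclass
class SecretStore:
    policy: Dict[str, Set[str]]       # role -> ids of the secrets that role may read
    user_roles: Dict[str, Set[str]]   # user -> roles (RBAC on the store itself)
    clock: Callable[[], float] = time.time  # injectable so expiry can be tested
    audit: List[dict] = field(default_factory=list)
    _static: Dict[str, str] = field(default_factory=dict)
    _versions: Dict[str, int] = field(default_factory=dict)
    _leases: Dict[str, Lease] = field(default_factory=dict)

    def _log(self, **event) -> None:
        self.audit.append({"ts": self.clock(), **event})

    def _authorized(self, user: str, secret_id: str) -> bool:
        return any(secret_id in self.policy.get(role, set())
                   for role in self.user_roles.get(user, set()))

    def put(self, secret_id: str, value: str) -> int:
        """Store or replace a static secret; every write becomes a new version."""
        self._static[secret_id] = value
        self._versions[secret_id] = self._versions.get(secret_id, 0) + 1
        self._log(action="put", secret=secret_id, version=self._versions[secret_id])
        return self._versions[secret_id]

    def get(self, user: str, secret_id: str) -> str:
        """Read a static secret; denials are logged just like successes."""
        if not self._authorized(user, secret_id):
            self._log(action="get", user=user, secret=secret_id, result="denied")
            raise PermissionError(f"{user} may not read {secret_id}")
        self._log(action="get", user=user, secret=secret_id, result="ok")
        return self._static[secret_id]

    def rotate(self, secret_id: str) -> str:
        """Policy-driven rotation: replace the stored value with a fresh random one."""
        new_value = secrets.token_urlsafe(32)
        self.put(secret_id, new_value)
        self._log(action="rotate", secret=secret_id)
        return new_value

    def issue_lease(self, user: str, secret_id: str, ttl_seconds: float) -> Lease:
        """Dynamic secret: a unique value per request that expires without any revocation step."""
        if not self._authorized(user, secret_id):
            self._log(action="lease", user=user, secret=secret_id, result="denied")
            raise PermissionError(f"{user} may not lease {secret_id}")
        lease = Lease(secret_id, secrets.token_urlsafe(32), self.clock() + ttl_seconds)
        self._leases[lease.value] = lease
        self._log(action="lease", user=user, secret=secret_id, result="ok",
                  expires_at=lease.expires_at)
        return lease

    def lease_valid(self, value: str) -> bool:
        """Validate a presented dynamic secret; expired leases are purged on sight."""
        lease = self._leases.get(value)
        if lease is None:
            return False
        if self.clock() >= lease.expires_at:
            del self._leases[value]
            self._log(action="lease_expired", secret=lease.secret_id)
            return False
        return True

    def denied_events(self) -> List[dict]:
        """The audit query a monitoring pipeline would run: who was refused what."""
        return [e for e in self.audit if e.get("result") == "denied"]


if __name__ == "__main__":
    store = SecretStore(policy={"app": {"db/password"}},
                        user_roles={"svc-api": {"app"}, "intern": set()})
    store.put("db/password", "initial-value")          # constructed sample value
    lease = store.issue_lease("svc-api", "db/password", ttl_seconds=60)
    print("lease valid now:", store.lease_valid(lease.value))
    print("rotated to a new version:", store.rotate("db/password") != "initial-value")
    print("audit entries:", len(store.audit))
```

Two design points carry over to real deployments: a denied read is logged with the same shape as a successful one, so the audit trail answers "who tried" rather than only "who succeeded", and a lease is validated against the clock at every use rather than trusting the caller, so a leaked dynamic secret stops working at expiry without anyone having to notice the leak.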
Tools and Frameworks
HashiCorp Vault
Open-source tool for managing secrets and protecting sensitive data. Features encryption, dynamic secret generation, and access control policies.
AWS Secrets Manager
Amazon Web Services service for securely storing and managing sensitive information. Features automated rotation and integration with AWS services.
Google Cloud Secret Manager
Google Cloud service for securely storing API keys, passwords, and certificates. Features versioning, audit logging, and IAM integration.
Azure Key Vault
Microsoft Azure service for safeguarding cryptographic keys and secrets. Features key management, secret rotation, and access control policies.
Docker Secrets
Part of Docker Swarm for managing sensitive data in Docker applications. Features swarm-based secret distribution and encrypted secrets.
Confidant
Lyft's open-source secret management service that provides storage and access to secrets.
1.4. Credential Management
Credential Management involves securely storing, organizing, and controlling access to authentication credentials such as usernames, passwords, and API keys. It includes practices like encryption, access controls, and secure storage mechanisms to prevent unauthorized access or misuse of sensitive information.
Components and Features
Password Management
Involves secure storage, generation, and retrieval of passwords. Implements policies for password complexity, expiration, and resets.
Access Control
Regulates user access to systems or resources based on their credentials. Utilizes Role-Based Access Control (RBAC) or other access management models.
Key Management
Handles encryption keys used for securing data in transit or at rest. Involves key generation, distribution, rotation, and secure storage.
Authentication Protocols
Defines methods for verifying the identity of users or systems. Examples include OAuth, OpenID, and SAML.
Multi-Factor Authentication (MFA)
Enhances security by requiring multiple forms of identification. Combines factors like passwords, biometrics, and security tokens.
Identity Management
Manages user identities throughout their lifecycle. Encompasses user provisioning, de-provisioning, and identity verification.
Certificate Management
Handles digital certificates used for secure communication. Includes tasks like issuance, revocation, and renewal of certificates.
API Key Management
Manages access to APIs through secure generation and distribution of API keys. Monitors and controls usage to prevent abuse.
Single Sign-On (SSO)
Enables users to access multiple systems with a single set of credentials. Improves user experience and reduces the need for multiple logins.
Audit and Monitoring
Tracks and logs credential-related activities for security auditing. Monitors for suspicious behavior or unauthorized access attempts.
Tools and Frameworks
HashiCorp Vault
Open-source tool for secret management and data protection. Provides secure storage and dynamic retrieval of sensitive information.
AWS Secrets Manager
Amazon Web Services service for managing sensitive information. Handles credentials, API keys, and other secrets used in AWS environments.
Google Cloud Secret Manager
Google Cloud service for storing and managing API keys, passwords, and other secrets. Integrates with other Google Cloud services for secure access.
Azure Key Vault
Microsoft Azure service for secure key management. Safely stores secrets, encryption keys, and certificates.
LastPass
Password management tool for individuals and enterprises. Stores encrypted passwords and supports secure password sharing.
Keycloak
Open-source Identity and Access Management (IAM) solution. Offers Single Sign-On (SSO), user authentication, and authorization.
Okta
1Password
Conjur
CyberArk Conjur automatically secures secrets used by Privileged Access Management (PAM) solutions. Secures and manages privileged credentials to prevent unauthorized access.
Shibboleth
Open-source federated identity solution. Enables Single Sign-On (SSO) and Attribute-Based Access Control (ABAC) in web applications.
2. Terminology
Authentication
The process of verifying the identity of a user or system attempting to access a resource.
Authorization
Granting or denying access to resources based on the authenticated identity and its associated permissions.
Credentials
Information used to verify the identity of a user, including usernames, passwords, cryptographic keys, API keys, and digital certificates.
Identity
The digital representation of an individual, system, or service within a system.
Authentication Factor
A piece of information used to verify a user's identity, such as a password, biometric data, or security token.
Secret Rotation
The process of periodically updating or changing sensitive information, such as passwords, encryption keys, or API tokens, to mitigate the risk of unauthorized access due to compromised or outdated secrets.
Dynamic Secret
A temporary and dynamically generated credential or access token issued by a secret management system on-demand, typically with a limited lifespan, to minimize exposure and enhance security.
Access Control
The process of regulating and managing user access to resources, systems, or data based on predefined policies, permissions, and authentication mechanisms.
Least Privilege
The principle of restricting access rights for users to only those permissions necessary to perform their job functions, reducing the risk of unauthorized access or misuse.
Single Sign-On (SSO)
A mechanism that allows users to authenticate once and gain access to multiple systems or applications without needing to log in again.
Multi-Factor Authentication (MFA)
A security measure that requires users to provide multiple forms of authentication, typically combining something they know (password), something they have (security token), and/or something they are (biometric data).
OAuth
An open standard for authorization that allows users to grant third-party applications limited access to their resources without revealing their credentials.
OpenID
An open standard for decentralized authentication that allows users to use a single set of credentials to access multiple websites.
SAML (Security Assertion Markup Language)
An XML-based standard for exchanging authentication and authorization data between identity providers and service providers.
Secret Management
The practice of securely storing, managing, and accessing sensitive information such as passwords, API keys, and cryptographic keys.
Key Management
The process of generating, storing, distributing, and revoking cryptographic keys used for encryption, decryption, and authentication.
Password Policy
A set of rules and requirements governing the creation, use, and storage of passwords within an organization.
Tokenization
The process of replacing sensitive data with unique identifiers called tokens, which can be securely stored and transmitted without exposing the original data.
Encryption
The process of encoding data in such a way that only authorized parties can read it, typically using cryptographic algorithms and keys.
Certificate Authority (CA)
A trusted entity that issues digital certificates used for authenticating the identities of users, systems, and services.
Certificate Revocation List (CRL)
A list of digital certificates that have been revoked by the certificate authority before their expiration date.
Digital Signature
A cryptographic technique used to verify the authenticity and integrity of digital documents or messages.
Identity and Access Management (IAM)
A framework for managing digital identities and controlling access to resources based on predefined policies and roles.
Privileged Access Management (PAM)
A set of security strategies and technologies used to control and monitor access to privileged accounts and sensitive resources.
Credential Rotation
The practice of periodically updating or changing authentication credentials to mitigate the risk of unauthorized access due to compromised or outdated credentials.
Audit Logging
The process of recording and monitoring events related to authentication, authorization, and access control for security and compliance purposes.
Audit Trail
A record of all credential-related activities, including authentication attempts, access grants, and changes to permissions, used for security monitoring and compliance purposes.