The Topology of Identity and Access Management E037
A Bit of Security for September 25, 2024
Today we’re going to look into the relationships between two major axes of identity and access management. Our goal is to establish a conceptual foundation for identity-centric security.
In a previous talk I discussed the evolution of computing from dealing with numbers to things to people. Now we are looking at the finer structure of identification and authentication.
Let’s distinguish between identification and authentication. Identification cannot be modified but can be copied. Authentication must be expirable: you must be able to cancel and replace an authentication token, device, or similar. But you must not be able to modify a credible identification token.
The perimeter isn’t dead, but it’s shrinking. The end state is one person and their trusted devices: me and my trusted devices. The old saw about something you know, something you have, or something you are conflates two separate concepts. Who you are (ultimately, biometric authentication) is all about identification. The other stuff – what you know, what you have, where you are, and so on – is all about authentication.
Here’s the topology of identity:
1. There is a user: an individual attempting to interact with an IT-enabled resource (in the most general sense).
2. An identifiable user is someone whom an enroller has entered into an identification system, usually with a photo, a signature, and some form of credential – a birth certificate, a passport, or a recent utility bill. Note that the enrollment process is trustworthy only because we trust the individual doing the enrolling to do their job diligently. So we have the transitive trust issue.
3. An identifiable user who also possesses a secure device (security is a relative term) is the minimal set for an authenticable user.
4. An authenticated user is an identified user with an authenticable device validated by an authentication mechanism provided by a tool or service.
[The process of authentication can be diagrammed thus:]
There is a hierarchy of authentication. Consider an automobile – the authentication token is the car key, and there is no identification of the user at all. If you have the key, you can use the car. Or consider the deli counter – if you have the slip of paper with the right number on it, you can get your boloney before I get mine. Again, no identification is involved; possession of the token is sufficient. Contrast this with the complexity of getting on an airplane.
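The four states above, and the two schemes just contrasted (possession-only tokens versus an identity-bound device), as an added example that is not part of the episode. It encodes the rules from the opening: the identity record is immutable (a frozen dataclass, copyable but not modifiable), the credential is expirable and revocable, and the enroller is recorded so the transitive-trust dependency is visible. All names (AuthLevel, Identity, Credential, Registry, classify, authenticate, run_scenario) and the sample subjects and device ids are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional

# Hypothetical model for illustration; none of these names come from the episode.


class AuthLevel(IntEnum):
    USER = 0           # someone attempting to interact with a resource
    IDENTIFIABLE = 1   # enrolled into an identification system
    AUTHENTICABLE = 2  # identifiable and holding a live, bound device
    AUTHENTICATED = 3  # bound device validated by the authentication mechanism


@dataclass(frozen=True)  # identification: cannot be modified, may be copied
class Identity:
    subject: str
    enrolled_by: str   # the enroller whose diligence we transitively trust
    evidence: tuple    # e.g. ("passport", "utility bill")


@dataclass  # authentication: must be expirable and replaceable
class Credential:
    device_id: str
    issued_to: Optional[str]  # None = bearer token (car key, deli slip)
    expires_at: datetime
    revoked: bool = False

    def live(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at


class Registry:
    def __init__(self) -> None:
        self.identities: dict = {}
        self.devices: dict = {}

    def enrol(self, subject: str, enrolled_by: str, evidence) -> Identity:
        ident = Identity(subject, enrolled_by, tuple(evidence))
        self.identities[subject] = ident
        return ident

    def issue(self, device_id: str, issued_to: Optional[str],
              now: datetime, lifetime: timedelta) -> Credential:
        cred = Credential(device_id, issued_to, now + lifetime)
        self.devices[device_id] = cred
        return cred

    def revoke(self, device_id: str) -> None:
        # cancelling a credential never touches the identity record
        self.devices[device_id].revoked = True


def classify(reg: Registry, subject: str, now: datetime) -> AuthLevel:
    """Static position of a subject in the topology, before any login attempt."""
    if subject not in reg.identities:
        return AuthLevel.USER
    bound = [c for c in reg.devices.values()
             if c.issued_to == subject and c.live(now)]
    return AuthLevel.AUTHENTICABLE if bound else AuthLevel.IDENTIFIABLE


def authenticate(reg: Registry, device_id: str, now: datetime,
                 claimed_subject: Optional[str] = None):
    """Return (access_granted, level reached) for one presentation of a device."""
    cred = reg.devices.get(device_id)
    base = classify(reg, claimed_subject, now) if claimed_subject else AuthLevel.USER
    if cred is None or not cred.live(now):
        return False, base
    if cred.issued_to is None:
        # possession-only scheme: the key starts the car, nobody is identified
        return True, AuthLevel.USER
    if cred.issued_to != claimed_subject:
        return False, base  # device is bound to someone else
    return True, AuthLevel.AUTHENTICATED


def run_scenario() -> dict:
    """Constructed walk through the four states with sample data."""
    now = datetime(2024, 9, 25, tzinfo=timezone.utc)
    reg = Registry()
    out = {}
    out["unknown"] = classify(reg, "alice", now)
    reg.enrol("alice", "hr-clerk-7", ["passport", "utility bill"])
    out["enrolled"] = classify(reg, "alice", now)
    reg.issue("laptop-01", "alice", now, timedelta(days=30))
    out["bound"] = classify(reg, "alice", now)
    out["login"] = authenticate(reg, "laptop-01", now, "alice")
    out["wrong_subject"] = authenticate(reg, "laptop-01", now, "bob")
    reg.issue("car-key", None, now, timedelta(days=3650))
    out["bearer"] = authenticate(reg, "car-key", now)
    reg.revoke("laptop-01")
    out["after_revoke"] = authenticate(reg, "laptop-01", now, "alice")
    out["expired"] = authenticate(reg, "laptop-01", now + timedelta(days=31), "alice")
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:>14}: {result}")
```

The bearer-token branch is the car key and the deli slip: access is granted, but the level reached stays at USER because nothing about the presenter was ever identified. Revoking or expiring the laptop credential drops alice back to IDENTIFIABLE without touching her identity record, which is the asymmetry the opening paragraph describes.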
The other process regarding identity and access management is the lifecycle of the user – from initial enrollment, through various transformations during the individual’s participation in the authenticating entity, to their eventual separation from the entity. The key point is that when a user changes something, the change is usually not an atomic transaction. Some permissions will persist indefinitely (your name, perhaps); some will persist for a defined time period (until you complete a report for a task force, perhaps); some will drop instantly; others will be granted immediately; while others may not be granted until completion of training or a background check. In other words, there is a transition process involving multiple uncorrelated steps.
[This lifecycle can be diagrammed thus:]
Note that vulnerabilities populate the edges and transitional points.
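The non-atomic lifecycle transition, as an added example that is not part of the episode. Each entitlement carries one of the persistence classes listed above (indefinite, until a date, role-bound, pending a prerequisite); a role change applies the grant step immediately but, to model the usual reality, can leave the revocation step lagging. A drift check then reports what is stale (the edge where the vulnerability sits) and what is still missing. The policy, subject, role names and dates are constructed sample data, and every identifier (Persist, Entitlement, Account, POLICY, expected, transition, drift, reconcile, run_scenario) is hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

# Hypothetical model for illustration; none of these names come from the episode.


class Persist(Enum):
    INDEFINITE = "indefinite"   # survives every transition (your name)
    UNTIL_DATE = "until_date"   # survives until a date (task-force report)
    ROLE_BOUND = "role_bound"   # granted on entering a role, drops on leaving it
    PENDING_PREREQ = "pending"  # granted only after training / background check


@dataclass(frozen=True)
class Entitlement:
    name: str
    persist: Persist
    until: Optional[datetime] = None
    prerequisite: Optional[str] = None


@dataclass
class Account:
    subject: str
    role: str
    active: set = field(default_factory=set)     # what the systems actually grant
    completed: set = field(default_factory=set)  # prerequisites satisfied
    carried: dict = field(default_factory=dict)  # name -> expiry kept from past roles


UTC = timezone.utc
POLICY = {  # constructed sample policy
    "engineering": [
        Entitlement("name", Persist.INDEFINITE),
        Entitlement("source-repo", Persist.ROLE_BOUND),
        Entitlement("taskforce-share", Persist.UNTIL_DATE,
                    until=datetime(2024, 10, 15, tzinfo=UTC)),
    ],
    "finance": [
        Entitlement("name", Persist.INDEFINITE),
        Entitlement("ledger-read", Persist.ROLE_BOUND),
        Entitlement("payments-approve", Persist.PENDING_PREREQ,
                    prerequisite="background-check"),
    ],
}


def expected(acct: Account, policy: dict, now: datetime) -> frozenset:
    """What the account should hold at time `now` under the policy."""
    live = set()
    for e in policy[acct.role]:
        if e.persist in (Persist.INDEFINITE, Persist.ROLE_BOUND):
            live.add(e.name)
        elif e.persist is Persist.UNTIL_DATE and now < e.until:
            live.add(e.name)
        elif e.persist is Persist.PENDING_PREREQ and e.prerequisite in acct.completed:
            live.add(e.name)
    for name, until in acct.carried.items():  # survivors from earlier roles
        if until is None or now < until:
            live.add(name)
    return frozenset(live)


def transition(acct: Account, new_role: str, policy: dict,
               now: datetime, deprovision: bool) -> None:
    """Move to a new role. deprovision=False models the revocation step
    lagging behind the grant step, so the change is not atomic."""
    for e in policy[acct.role]:
        if e.persist is Persist.INDEFINITE:
            acct.carried[e.name] = None
        elif e.persist is Persist.UNTIL_DATE:
            acct.carried[e.name] = e.until
    acct.role = new_role
    if deprovision:
        acct.active = set(expected(acct, policy, now))
    else:
        acct.active |= expected(acct, policy, now)  # grants land, revocations do not


def drift(acct: Account, policy: dict, now: datetime):
    """(stale, missing): stale entitlements are where the edge vulnerabilities live."""
    want = expected(acct, policy, now)
    return frozenset(acct.active - want), frozenset(want - acct.active)


def reconcile(acct: Account, policy: dict, now: datetime) -> None:
    acct.active = set(expected(acct, policy, now))


def run_scenario() -> dict:
    """Constructed lifecycle: enrol in engineering, move to finance, age past a deadline."""
    acct = Account("alice", "engineering")
    out = {}
    t0 = datetime(2024, 9, 1, tzinfo=UTC)
    reconcile(acct, POLICY, t0)
    out["provisioned"] = drift(acct, POLICY, t0)
    t1 = datetime(2024, 9, 25, tzinfo=UTC)
    transition(acct, "finance", POLICY, t1, deprovision=False)
    out["after_move"] = drift(acct, POLICY, t1)
    t2 = datetime(2024, 9, 26, tzinfo=UTC)
    acct.completed.add("background-check")
    out["after_check"] = drift(acct, POLICY, t2)
    reconcile(acct, POLICY, t2)
    out["reconciled"] = drift(acct, POLICY, t2)
    t3 = datetime(2024, 10, 20, tzinfo=UTC)
    out["after_deadline"] = drift(acct, POLICY, t3)
    return out


if __name__ == "__main__":
    for step, (stale, missing) in run_scenario().items():
        print(f"{step:>15}: stale={sorted(stale)} missing={sorted(missing)}")
```

Running the scenario shows the two kinds of edge the episode warns about: right after the move, source-repo is stale because revocation lagged the grant, and after the task-force deadline passes, taskforce-share is stale because nothing re-evaluated the time-bounded entitlement. Scheduling the drift check on every transition and again on every expiry date is the practical mitigation.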
These process models, taken together, show the access points for exploits. By evaluating these orthogonal processes, you can readily identify weaknesses in your identity management structure, and better protect your people, your critical resources, and your intellectual property.
Identity and Access Management coordinates two asynchronous processes: the user lifecycle and the authentication hierarchy. Understanding the vulnerabilities at the many vertices of these processes enables effective identity-centric security.
Let me know what you think in the comments below or at wjmalik@noc.social
#cybersecuritytips #idm #iam #identitymanagement #perimeter #BitofSec