Infosafe ah iam 2013
Transcript of Infosafe ah iam 2013
Identity and Access Management
Data modeling
Alain Huet
2
Summary
Data modeling : back to basics
IAM data model
IAM management functions
IAM implementation / service issues
IAM paradigms
4
Data modeling : back to basics
[Diagram: Global reality / Cadastral administration / Commercial business]
6
IAM data model (1)
General objective
IAM : Identity and Access Management
Issues
User authentication
Access management
7
IAM data model (2)
User authentication
Identity management
Credential : something that allows an end user to prove his identity
Credentials are issued by identity management authorities
Credential level = trust level
• Technology : password ... crypto certificate
• Quality of the identity authority : zero-trust ... diplomatic credentials
At run time
Credential checked → authentication of the user
Credential level checked → access to resource
8
IAM data model (3)
Access management
Improvements
Grouping of technical resources → logical function
Grouping of users → profile (same access rights)
[Diagram: '#' and 'Stability' ratings of each relation in the model]
9
IAM data model (4)
Grouping of technical resources
[Diagram: '#' and 'Stability' ratings of each relation in the model]
10
IAM data model (5)
Grouping of users
[Diagram: '#' and 'Stability' ratings of each relation in the model]
11
IAM data model (6)
Result of improvements
[Diagram: '#' and 'Stability' ratings of each relation, before and after the improvements]
12
IAM data model (7)
Ownership of logical functions / Catalog management
The owning department manages the list of user departments entitled to the owned logical function.
The user department gets the catalog of logical functions granted by the owning departments.
13
IAM data model (8)
Profile management
The user department establishes the adequate profiles according to the catalog of granted logical functions.
14
IAM data model (9)
User management
The user department assigns the needed profile(s) to its users.
15
IAM data model (10)
Global
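A toy implementation of the whole model as it stands on slides 7 to 15 (added here as an example; it is not code from the presentation): owning departments declare logical functions (groups of technical resources) and grant them to user departments, which gives each user department its catalog; user departments build profiles only from their catalog and assign those profiles to their own users; at run time the user's credential level is checked against the level the function requires before the technical resources are resolved. Integer credential levels, a minimum level per logical function, and every department, function, resource and user name below are assumptions.

```python
"""Department-based IAM data model (slides 7-15): ownership, catalog,
profile and user management, plus the run-time credential-level check.
Added example; all names and the numeric credential scale are assumed."""
from dataclasses import dataclass, field

# Assumed credential levels, ordered by trust (password ... crypto certificate)
PASSWORD, OTP, CERTIFICATE = 1, 2, 3


@dataclass
class LogicalFunction:
    name: str
    owner: str                   # owning department
    resources: set[str]          # technical resources grouped behind the function
    min_credential_level: int    # trust level required at run time (assumed attribute)
    granted_to: set[str] = field(default_factory=set)  # entitled user departments


@dataclass
class Profile:
    name: str
    department: str              # user department that defined it
    functions: set[str]          # logical functions bundled by the profile


@dataclass
class User:
    uid: str
    department: str
    credential_level: int
    profiles: set[str] = field(default_factory=set)


class IamModel:
    def __init__(self) -> None:
        self.functions: dict[str, LogicalFunction] = {}
        self.profiles: dict[str, Profile] = {}
        self.users: dict[str, User] = {}

    # Ownership management: the owning department declares its logical function
    def declare_function(self, name, owner, resources, min_level) -> None:
        self.functions[name] = LogicalFunction(name, owner, set(resources), min_level)

    # Catalog management: only the owner may entitle a user department
    def grant(self, acting_department, function, user_department) -> None:
        lf = self.functions[function]
        if lf.owner != acting_department:
            raise PermissionError(f"{acting_department} does not own {function}")
        lf.granted_to.add(user_department)

    def catalog(self, user_department) -> set[str]:
        """Logical functions the owners have granted to this user department."""
        return {n for n, lf in self.functions.items() if user_department in lf.granted_to}

    # Profile management: a profile may only bundle functions from the catalog
    def define_profile(self, department, name, functions) -> None:
        missing = set(functions) - self.catalog(department)
        if missing:
            raise PermissionError(f"{department} is not granted {sorted(missing)}")
        self.profiles[name] = Profile(name, department, set(functions))

    # User management: a department assigns its own profiles to its own users
    def add_user(self, uid, department, credential_level) -> None:
        self.users[uid] = User(uid, department, credential_level)

    def assign_profile(self, uid, profile) -> None:
        user, prof = self.users[uid], self.profiles[profile]
        if user.department != prof.department:
            raise PermissionError(f"profile {profile} belongs to {prof.department}")
        user.profiles.add(profile)

    # Run time: user -> profiles -> logical functions -> technical resources,
    # keeping only the functions whose credential level the user satisfies
    def user_access_rights(self, uid) -> set[str]:
        user = self.users[uid]
        rights: set[str] = set()
        for p in user.profiles:
            for fn in self.profiles[p].functions:
                lf = self.functions[fn]
                if user.credential_level >= lf.min_credential_level:
                    rights |= lf.resources
        return rights

    def can_access(self, uid, resource) -> bool:
        return resource in self.user_access_rights(uid)


def build_sample() -> IamModel:
    """Constructed sample: finance owns payroll, HR owns the staff directory."""
    m = IamModel()
    m.declare_function("payroll", "finance", {"db:payroll", "app:payslip"}, CERTIFICATE)
    m.declare_function("directory", "hr", {"ldap:people"}, PASSWORD)
    m.grant("finance", "payroll", "hr")   # finance entitles HR to payroll
    m.grant("hr", "directory", "hr")      # HR entitles itself to its own function
    m.define_profile("hr", "hr-payroll-officer", {"directory", "payroll"})
    m.add_user("alice", "hr", CERTIFICATE)
    m.add_user("bob", "hr", PASSWORD)
    m.assign_profile("alice", "hr-payroll-officer")
    m.assign_profile("bob", "hr-payroll-officer")
    return m
```

Both users hold the same profile, but `bob` authenticated with a password only, so the run-time check leaves him with the directory and not the payroll database; the two `PermissionError` paths are where the model is enforced (a non-owner cannot grant, and a department cannot put an ungranted function into a profile).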
16
IAM data model (11)
Enhancements
Mandates
Assertion (civil servant, notary, doctor, etc.) management
Etc.
Logical
18
IAM management functions
Ownership management
Catalog management
Profile management
Identity / credential management
User management (user profile)
Technical resources
Logical functions
Profiles
User access rights
20
IAM implementation / service issues
Enforcement of the model (in the long run)
Mapping : model → ICT features
Cross platform
Consolidated administration tool
Quality of management (ownership, profile, etc.)
Training / motivation of the managers
22
IAM paradigms (1)
Discretionary Access Control (DAC)
23
IAM paradigms (2)
Mandatory Access Control (MAC)
e.g. Bell-LaPadula
High assurance level
Resource security labels
User clearance levels
User clearance levels ≥ Resource security labels
24
IAM paradigms (3)
Role Based Access Control (RBAC)
+ Constraints (user/role + session) → separation of duties
– Ownership
[Wikipedia : art. "Role-based access control"]
25
IAM paradigms (4)
Organization Based Access Control (OrBAC)
• Permissions depending on context (time, location, intention, etc.)
• Coding of complex rules → conflict risk → validation tool
[www.orbac.org]
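The three paradigms of slides 23 to 25 reduced to policy-decision functions, added here as an example (not code from the presentation or from orbac.org): the Bell-LaPadula clearance-versus-label check, an RBAC role assignment that refuses a static separation-of-duties conflict, and OrBAC rules whose context must hold at decision time, with the small "validation tool" the last slide calls for, which reports a tuple that is both permitted and prohibited. It goes slightly beyond the slide in one place: besides "clearance ≥ label" for reads it also applies Bell-LaPadula's write rule. Integer security levels, the role and permission names, the hospital rules and the hour-of-day context predicate are all constructed.

```python
"""MAC (Bell-LaPadula), RBAC with separation of duties, and OrBAC with
contexts, as minimal decision functions. Added example; every rule, role,
level and name below is constructed."""

# --- MAC, Bell-LaPadula: read only if clearance >= label ("no read up");
# write only if label >= clearance ("no write down", the star property).
UNCLASSIFIED, CONFIDENTIAL, SECRET = 0, 1, 2


def mac_allows(clearance: int, label: int, op: str) -> bool:
    if op == "read":
        return clearance >= label
    if op == "write":
        return label >= clearance
    raise ValueError(f"unknown operation {op!r}")


# --- RBAC: permissions attach to roles, users hold roles, a session activates roles.
ROLE_PERMS = {
    "clerk": {"invoice:create"},
    "approver": {"invoice:approve"},
    "auditor": {"invoice:read"},
}
# Static separation of duties: role pairs a single user may never hold together
SSD_CONFLICTS = {frozenset({"clerk", "approver"})}


def rbac_assign(user_roles: set[str], new_role: str) -> set[str]:
    """Return the enlarged role set, refusing an assignment that breaks SoD."""
    for held in user_roles:
        if frozenset({held, new_role}) in SSD_CONFLICTS:
            raise PermissionError(f"{new_role} conflicts with {held}")
    return user_roles | {new_role}


def rbac_allows(session_roles: set[str], perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(r, set()) for r in session_roles)


# --- OrBAC: rules are (organisation, role, activity, view, context). The same
# tuple may appear as a permission and a prohibition; that is the conflict a
# validation tool must surface before the policy is deployed.
ORBAC_PERMISSIONS = [
    ("hospital", "doctor", "consult", "medical_record", "office_hours"),
    ("hospital", "doctor", "consult", "medical_record", "emergency"),
    ("hospital", "nurse", "consult", "medical_record", "office_hours"),
]
ORBAC_PROHIBITIONS = [
    # constructed to contradict the third permission above
    ("hospital", "nurse", "consult", "medical_record", "office_hours"),
]


def context_holds(ctx: str, hour: int, emergency: bool) -> bool:
    """Assumed context predicates: office hours are 08:00-18:00."""
    if ctx == "office_hours":
        return 8 <= hour < 18
    if ctx == "emergency":
        return emergency
    return False


def orbac_allows(org, role, activity, view, hour: int, emergency: bool = False) -> bool:
    """Granted when a permission holds in an active context and no prohibition does."""
    def active(rules):
        return any(o == org and r == role and a == activity and v == view
                   and context_holds(c, hour, emergency)
                   for o, r, a, v, c in rules)
    return active(ORBAC_PERMISSIONS) and not active(ORBAC_PROHIBITIONS)


def orbac_conflicts() -> list[tuple]:
    """Validation tool: tuples that are both permitted and prohibited."""
    return sorted(set(ORBAC_PERMISSIONS) & set(ORBAC_PROHIBITIONS))
```

With these rules a doctor may consult a record at 10:00, not at 22:00, and again at 22:00 once the emergency context is active; the nurse rule is denied even during office hours because the prohibition wins, and `orbac_conflicts()` is what flags that contradiction for the policy author.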