Authentication & Authorization
It is not just Who You Are that matters.
It is What You Are that matters too.
Identity And Access Solutions implements capabilities for your organization to properly authenticate entities and grant them only the authorization they need to access your systems, data, and applications. Proper authentication controls the point of access, while well-planned authorization enforces the rules of what can be done after access has been granted.
The process of authentication requires a subject to successfully present valid credentials that satisfy the access requirements of the application, service, or system the subject is trying to reach. Single sign-on (SSO) technologies centralize and/or reduce these authentication mechanisms so that multiple applications, services, and systems can rely on a central authentication store, or so that a subject's credentials are synchronized across them; either way the number of credentials per user is limited and the end-user experience improves. Multi-Factor Authentication (MFA) should be considered to further secure assets by requiring two or more verification factors to gain access to a resource (typically online applications, privileged account access, VPNs, and/or mission-critical services and systems).
Standards that prescribe how an authenticated subject is presented; these include Kerberos, SAML / Liberty, WS-*, OAuth, LDAP, and application-specific standards such as Windows NTLM.
VERIFICATION AND VALIDATION
Mechanisms to verify a subject’s credentials and provide a level of assurance as to the validity of the credential; also concerned with authentication policies and password policies.
CREDENTIAL LIFECYCLE MANAGEMENT
Concerned with the creation of credentials and the management of the credential lifecycle.
As an access control, Information Technology systems and applications typically have their own implementation of authorization management, or they delegate it to a centralized management engine (such as Azure or on-premises Active Directory (AD) groups). In the former case a user or entity has an account for each system/application used, and each system/application has its own permission structure and method of permission assignment.
RESOURCE IDENTIFICATION AND MANAGEMENT
Provides for centralized inventorying, labeling, and general management of IT assets.
ATTRIBUTE BASED AUTHORIZATION
Moves from granting resource access to a specific user to granting access based on the values of a user's or entity's attributes. User authentication is still required, but access is no longer granted via a specific Access Control List (ACL). Instead, at the point of authentication a decision is made, based on the values of specific attributes, whether or not access should be granted.
Provides for modeling of access to IT assets based on information about the user, e.g. department, job function, location, etc., to automate access provisioning and validate the appropriateness of entitlements that are granted.
Provides a service for consolidating security decisions traditionally hard-coded in disparate applications into an external, centrally-managed and audited repository, allowing applications to focus on business logic and outsource authorization management in a repeatable, consistent way. Policy may be based on rules utilizing Attribute values across multiple, disparate sources.
Supports the assignment of users/entities to entitlements or sets of entitlements, e.g. roles. One user/entity can be mapped to multiple entitlement sets as required.
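As an added illustration of the attribute-based and externalized authorization described above (not code from Identity And Access Solutions), the following evaluates a small, centrally defined rule set against attributes merged from two disparate sources and returns the union of the entitlement sets a subject qualifies for. Resource names, attribute names, and the HR and device-posture records are all constructed for the example.

```python
"""Minimal attribute-based authorization decision (constructed example)."""
from typing import Callable

# A policy rule: (resource, predicate over merged attributes, entitlement set granted).
Rule = tuple[str, Callable[[dict], bool], frozenset[str]]

# Central, rule-based policy; attribute names and resources are invented.
POLICY: list[Rule] = [
    ("payroll-app",
     lambda a: a.get("department") == "Finance" and a.get("device_managed") is True,
     frozenset({"payroll:read"})),
    ("payroll-app",
     lambda a: a.get("job_function") == "Payroll Admin" and a.get("mfa") is True,
     frozenset({"payroll:read", "payroll:write"})),
    ("vpn",
     lambda a: a.get("device_managed") is True and a.get("mfa") is True,
     frozenset({"vpn:connect"})),
]


def merge_attributes(*sources: dict) -> dict:
    """Combine attribute records from several sources; later sources win on conflict."""
    merged: dict = {}
    for source in sources:
        merged.update(source)
    return merged


def decide(resource: str, attributes: dict) -> frozenset[str]:
    """Evaluate every rule for the resource. The decision is the union of the
    entitlement sets whose predicates match; an empty set means deny."""
    granted: set[str] = set()
    for res, predicate, entitlements in POLICY:
        if res == resource and predicate(attributes):
            granted |= entitlements
    return frozenset(granted)


# Constructed sample records from two different sources.
HR_RECORD = {"department": "Finance", "job_function": "Payroll Admin", "location": "Oslo"}
DEVICE_POSTURE = {"device_managed": True, "mfa": True}

if __name__ == "__main__":
    attrs = merge_attributes(HR_RECORD, DEVICE_POSTURE)
    print(sorted(decide("payroll-app", attrs)))            # ['payroll:read', 'payroll:write']
    print(sorted(decide("vpn", {**attrs, "mfa": False})))  # []
```

Changing an attribute value (for example clearing `mfa`) changes the decision without touching any per-application ACL, which is the point of externalizing the policy.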
PERIODIC AUTHORIZATION REVIEW
The process of periodically reviewing the access granted to users, performed by managers and application owners as part of a Governance, Risk & Compliance (GRC) program.