infosafe ah iam 2013

Identity and Access Management

Data modeling

Alain Huet

2

Summary

Data modeling : back to basics

IAM data model

IAM management functions

IAM implementation / service issues

IAM paradigms

3

Summary


IAM data model



IAM paradigms

4

Global reality

Cadastral administration

Commercial business


————————————————————————————————————

————————————————————————————————————

5

Summary


IAM data model



IAM paradigms

6

IAM

Identity and Access Management

Issues

User authentication

Access management

IAM data model (1)

General objective

7

Identity management

Credential : something that allows an end user to prove his identity

Credentials identity management authorities

Credential level = trust level

• Technology : password ... crypto certificate

• Quality of the identity authority : zero-trust ... diplomatic

credentials

At run time

Credential checked authentication of the user

Credential level checked access to resource

IAM data model (2)

User authentication

8

Improvements

Grouping of technical resources logical function

Grouping of users profile (same access rights)

# Stability + ― +

IAM data model (3)

Access management

9

# Stability + + +

IAM data model (4)

Grouping of technical resources

10

# Stability + ― + –/+ +

IAM data model (5)

Grouping of users

11

# Stability + ― + –/+ + + +

# Stability + ― +

IAM data model (6)

Result of improvements

12

The owning department manages the list of user departments

entitled to the owned logical function

The user department gets the catalog of logical functions

granted by the owning departments

IAM data model (7)

Ownership of logical functions Catalog management

13

The user department establishes the adequate profiles according

to the catalog of granted logical functions

IAM data model (8)

Profile management

14

IAM data model (9)

User management

The user department assigns the needed profile(s) to his users

15

IAM data model (10)

Global

16

IAM data model (11)

Enhancements

Mandates

Assertion (civil servant, notary, doctor, etc.) management

Etc.

Logical

17

Summary


IAM data model



IAM paradigms

18


Ownership management

Catalog management

Profile management

Identity / credential management

User management (user profile)

Technical resources

Logical functions

Profiles

User access rights

19

Summary


IAM data model



IAM paradigms

20


Enforcement of the model (on the long run)

Mapping : model ICT features

Cross platform

Consolidated administration tool

Quality of management (ownership, profile, etc.)

Training / motivation of the managers

21

Summary


IAM data model



IAM paradigms

22

IAM paradigms (1)

Discretionary Access Control (DAC)

23

IAM paradigms (2)

Mandatory Access Control (MAC)

e.g. : Bell - LaPadula

High assurance level

Resource security labels

User clearance levels

User clearance levels ≥ Resource security labels

24

IAM paradigms (3)

Role Based Access Control (RBAC)

+ Constraints (user/role + session) separation of duties

– Ownership

[Wikipedia : art. "Role-based access control"]

25

IAM paradigms (4)

Organization Based Access Control (OrBAC)

• Permissions depending on context (time, location, intention, etc.)

• Coding of complex rules conflict risk validation tool

[www.orbac.org]

26

[email protected]

+ 32 2 212.96.77