
Identity & Access Management Assignment: 1

Question 1: What is Identity and Access Management? Define its perspective and scope.

Answer 1: Identity and Access Management (I&AM) has recently emerged as a critical foundation for realizing business benefits in terms of cost savings, management control, operational efficiency and, most importantly, business growth for eCommerce. IAM comprises the people, processes and products used to manage identities and access to the resources of an enterprise. Additionally, the enterprise has to ensure the correctness of its data in order for the IAM framework to function properly. The ultimate goal of an I&AM framework is to provide the right people with the right access at the right time.

The scope of I&AM includes four major components:

1. Authentication: This area is comprised of authentication management and session management. Authentication is the module through which a user provides sufficient credentials to gain initial access to an application system or a particular resource. It includes services such as user ID and password, and a Single Sign-On service so that the user need not log on again when accessing another application or system governed under the same IAM framework.

2. Authorization: Authorization is the module that determines whether a user is permitted to access a particular resource. Authorization is performed by checking the resource access request, typically in the form of a URL in a web-based application, against authorization policies that are stored in an IAM policy store.

3. User Management: User management requires an integrated workflow capability to approve some user actions, such as user account provisioning and de-provisioning. This area is comprised of user management, password management, role/group management and user/group provisioning. The user management module defines the set of administrative functions such as identity creation, propagation, and maintenance of user identity and privileges.

4. Central User Repository: The Central User Repository stores and delivers identity information to other services, and provides a service to verify credentials submitted from clients. It presents an aggregate or logical view of the identities of an enterprise. Directory services adopting the LDAPv3 standard have become the dominant technology for the Central User Repository.
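The authentication, Single Sign-On and URL-based authorization flow described above, as an added Python example that is not part of the original assignment: one login opens a session that every application under the framework accepts, and each request is matched against a policy store by longest URL prefix. The users, passwords, applications and policies are constructed for the example.

```python
"""Toy IAM framework: one login (authentication + session), Single Sign-On
across applications, and URL-based authorization against a policy store.
Constructed example: users, passwords, applications and policies are made up."""
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"   # one fixed salt keeps the example short

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

# Central user repository: username -> (password hash, roles)
USERS = {
    "alice": (_hash("Wonderland!1"), {"hr", "staff"}),
    "bob": (_hash("Builder#2"), {"staff"}),
}
# Policy store: (application, URL prefix) -> allowed roles; longest prefix wins
POLICY = {
    ("payroll", "/payroll/admin"): {"hr"},
    ("payroll", "/payroll"): {"hr", "staff"},
    ("intranet", "/"): {"staff"},
}

class IAM:
    def __init__(self):
        self.sessions = {}   # session token -> username, shared by all apps

    def authenticate(self, user: str, password: str):
        """Verify credentials and open a session; return its token or None."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec[0], _hash(password)):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = user
        return token

    def authorize(self, token: str, app: str, url: str) -> bool:
        """Resolve the session (SSO: every app accepts the same token), then
        match the URL against the policy store; no matching policy = deny."""
        user = self.sessions.get(token)
        if user is None:
            return False
        roles = USERS[user][1]
        matches = [(prefix, allowed) for (a, prefix), allowed in POLICY.items()
                   if a == app and url.startswith(prefix)]
        if not matches:
            return False
        _, allowed = max(matches, key=lambda m: len(m[0]))
        return bool(roles & allowed)
```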

Question 2: What is an identity and how is it different from a digital identity?

Answer 2: The dictionary meaning of identity is the condition of being a specified person or thing. It can be defined as the unique sense of personhood held by each person in their own right, or a collective sense of belonging to a group, identifying oneself as having something in common with other group members.

Digital Identity: A digital identity is a psychological identity that prevails in the domains of cyberspace, and is defined as a set of data that uniquely describes a person or a thing (sometimes referred to as the subject or entity) and contains information about the subject's relationships to other entities. The social identity that an internet user establishes through digital identities in cyberspace is referred to as an online identity.

Question 3: What do you understand by an access control list, and how is it implemented in Windows and Linux?

Answer 3: An access control list (ACL) is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or an individual file. Each object has a security attribute that identifies its access control list. The most common privileges include the ability to read a file (or all the files in a directory), to write to the file or files, and to execute the file. Access lists can also be configured for all routed network protocols to filter those protocols' packets as they pass through a router.

Implementation in Windows: In Windows NT/2000, an access control list (ACL) is associated with each system object. Each ACL has one or more access control entries (ACEs), each consisting of the name of a user or group of users. For each of these users, groups or roles, the access privileges are stated in a string of bits called an access mask. Generally, the system administrator or the object owner creates the access control list for an object.

Implementation in Linux: Most Linux and Unix-based operating systems support POSIX (Portable Operating System Interface). It is a simple yet powerful file system permission model and standard. Traditionally, a file object in Linux is associated with three sets of permissions. Each set holds the read (r), write (w) and execute (x) permissions for one of three classes of users: the file owner, the group, and other users. In addition to these, it is possible to set the set-user-id, set-group-id and sticky bits.
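The POSIX permission model described above, worked through as an added Python example that is not part of the original assignment: it renders a mode the way ls -l does (including the set-user-id, set-group-id and sticky bits), decides a request by the single owner/group/other class the kernel selects, and shows what the special bits change. Mode values, uids and gids are constructed, not read from a real file system.

```python
"""POSIX file-permission check: owner/group/other rwx triads plus the
set-user-id, set-group-id and sticky bits. Constructed example; the modes
and identities below are made up, not read from a real file system."""
import stat

def mode_string(mode: int) -> str:
    """Render the permission bits the way `ls -l` does, e.g. 'rwsr-xr-t'."""
    bits = [(stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
            (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
            (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x")]
    out = [ch if mode & bit else "-" for bit, ch in bits]
    # The special bits show in the execute column: lower case when x is
    # also set, upper case (S/T) when the bit is set without execute.
    for idx, flag, ch in ((2, stat.S_ISUID, "s"), (5, stat.S_ISGID, "s"),
                          (8, stat.S_ISVTX, "t")):
        if mode & flag:
            out[idx] = ch if out[idx] == "x" else ch.upper()
    return "".join(out)

def permits(mode, owner_uid, owner_gid, uid, gids, op) -> bool:
    """Decide whether a caller (uid, gids) may perform op in {'r','w','x'}.
    Exactly one class is selected (owner, else group, else other) and only
    that triad is consulted; root's override is deliberately not modelled."""
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    want = {"r": 4, "w": 2, "x": 1}[op]
    return bool((mode >> shift) & want)

def effective_ids(mode, owner_uid, owner_gid, uid, gid):
    """Credentials a process takes on when it executes the file: set-user-id
    and set-group-id swap in the file owner's ids, otherwise the caller keeps
    its own."""
    euid = owner_uid if mode & stat.S_ISUID else uid
    egid = owner_gid if mode & stat.S_ISGID else gid
    return euid, egid

def can_unlink(dir_mode, dir_owner_uid, file_owner_uid, uid) -> bool:
    """Sticky bit on a directory (as on /tmp): a caller with write access may
    remove only files it owns, or any file if it owns the directory."""
    if not dir_mode & stat.S_ISVTX:
        return True        # plain directory: write permission on it suffices
    return uid in (file_owner_uid, dir_owner_uid)
```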

Question 4: What are the access control models? What are their types and applications?

Answer 4: Access control models are mathematical representations of abstract machines that describe how a monitor is designed to operate, and they help evaluators determine whether the implementation meets the design requirements. The following are some of the more commonly used models:

1. Bell-LaPadula Model: It is a confidentiality model intended to preserve the principle of least privilege. The model defines a secure state and the access between subjects and objects in accordance with a specific security policy.

2. Biba Integrity Model: The Biba model covers integrity levels, to address inappropriate modification of data and prevent unauthorized users from making modifications to resources and data.

3. Clark-Wilson Model: This model proposes the well-formed transaction. It requires mathematical proof that steps are performed in order, exactly as they are listed, authenticates the individuals who perform the steps, and defines separation of duties.

4. Noninterference: Covers ways to prevent subjects operating in one domain from affecting others in violation of the security policy.

5. State Machine Model: An abstract mathematical model consisting of state variables and transition functions.

6. Access Matrix Control: A state machine model for a discretionary access control environment.

7. Information Flow Model: Simplifies the analysis of covert channels. A covert channel is a communication channel that allows two cooperating processes at different security levels to transfer information in a way that violates the system security policy.
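The Bell-LaPadula and Biba models listed above, simulated as an added Python example that is not part of the original assignment: a small monitor applies Bell-LaPadula's standard rules (no read up, no write down) and Biba's dual rules (no read down, no write up) to constructed subjects and objects on an integer level lattice, and returns its decisions the way an audit log would record them.

```python
"""Reference-monitor simulation of two lattice models: Bell-LaPadula
(confidentiality: no read up, no write down) and Biba (integrity: no read
down, no write up). Constructed example; subjects, objects and levels are
made up. Levels are ints: higher = more sensitive (BLP) or more trusted (Biba)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Entity:
    name: str
    level: int        # clearance/classification (BLP) or integrity level (Biba)

def blp_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Bell-LaPadula: the simple security property forbids reading objects above
    the subject's clearance; the *-property forbids writing to objects below it,
    so information can only flow upwards in sensitivity."""
    if op == "read":
        return subject.level >= obj.level      # no read up
    if op == "write":
        return subject.level <= obj.level      # no write down
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Biba: the dual of BLP. A subject may not read objects of lower integrity
    (no read down, to avoid contamination) nor write to objects of higher
    integrity (no write up), so information only flows downwards in trust."""
    if op == "read":
        return subject.level <= obj.level      # no read down
    if op == "write":
        return subject.level >= obj.level      # no write up
    raise ValueError(f"unknown operation {op!r}")

def audit(model, requests):
    """Run (subject, object, op) requests through one model and return the
    decisions as (subject, op, object, allowed) tuples, as a monitor would log."""
    return [(s.name, op, o.name, model(s, o, op)) for s, o, op in requests]
```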

Submitted By: Watika Gupta Enroll No: IMS2011012

