7 Standards every Identity & Access Management professional should knowGal Helemski November 21, 2017
As discussed in a previous blog, identity and access management (IAM) can help organizations comply with a wide range of regulatory requirements and industry standards, from Sarbanes-Oxley (SOX) to the Payment Card Information Data Security Standard (PCI DSS).
Compliance, however, is not always easy — even with IAM. The reasons are two-fold.
First, many of the requirements don’t explicitly spell out how IAM, or any technical solution for that matter, can meet them. Second, compliance requirements involving technology, like technology itself, have their own language. If you don’t understand it, it’s going to be difficult to hit the target.
Fortunately, several protocols — and the terms associated with them — have been standardized across the IAM market. If you understand what they are and the role they play in various regulatory requirements or industry standards, you’ll have a better chance to use IAM for compliance.
The following are some you should know. As always when dealing with compliance matters, consult a compliance specialist to determine how IAM standards can help meet your specific requirement.
LDAP refers to Lightweight Directory Access Protocol. It’s a popular standard for communicating record-based, directory-like data between programs. “LDAP-aware” client programs ask LDAP servers to look up entries.
LDAP servers index data in their entries, and “filters” are used to select and return the information wanted. LDAP can also be used to look up encryption certificates, pointers to printers and other services on a network, and provide single sign-on (SSO). It can be used to help companies keep compliant with audit and compliance regulations and standards, including Sarbanes-Oxley, HIPAA, FFIEC and PCI DSS, for things such a password length and authentication for electronic signatures.
Security Assertion Markup Language, known as SAML, is an open standard for exchanging authentication and authorization data between identity and service providers. By using digital signatures instead of passwords for authentication and authorization of data access, this XML-based markup language improves security and compliance.
Its most important use case is for web browser single sign-on (SSO), a common way to meet many compliance requirements for identity and access management. The SAML Web Browser SSO profile was specified and standardized to promote interoperability, making it easier to extend SSO across security domains.
XACML stands for “eXtensible Access Control Markup Language” and defines a fine-grained access control policy language, architecture, and processing model to evaluate access requests. It is an Attribute-Based Access Control system (ABAC), where attributes associated with a user, action or resource help determine if a user can access a given resource.
XACML supports the separation of the access decision from the point of use. As a result, authorization policies can be updated on the fly, affecting all clients immediately. The use of
XACML is specifically noted in Department of Commerce export compliance (EC) laws and regulations, including International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR), and can be used to help meet others that require granular access control and policy transparency.
OAuth 2.0 is an open standard authorization protocol, and any developer can implement it. Designed to work with Hypertext Transfer Protocol (HTTP), it allows access tokens to be issued to third-party clients by an authorization server with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.
There are four separate modes of OAuth called grant types. Depending on the service being built, one or more grant types may be needed. The OAuth 2 and OpenID Connect (OIDC) standards, chosen by the UK to address Open Banking authentication and authorization challenges, have become the preferred mechanisms for enforcing user consent for the initiation of payments or sharing of banking data.
The System for Cross-domain Identity Management (SCIM) is an open standard for automating user provisioning and makes managing user identities in cloud-based applications and services easier. It enables one application to create, read, update and delete well-defined identities over a REST-based protocol in target applications. For the protocol interactions, SCIM defines a client that manages the identities and a service provider that stores the identities.
SCIM can be used to share information about user attributes, attribute schema, and group membership. As a result, IT departments don’t need to constantly update custom integrations that connect company directories to external tools and apps. Employees can take advantage of single sign-on (SSO) to streamline their workflows and reduce the need for password resets.
When employees don’t have to sign on to each individual account, their companies can ensure security policy compliance. This also mitigates risks associated with using the same password across different tools and apps.
User Managed Access (UMA) is an OAuth-based protocol that defines how resource owners control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers and a centralized authorization server governs access based on resource owner policies.
UMA is built on top of OAuth V2.0 and OpenID Connect, the technologies behind the consent dialog boxes seen on many websites and mobile applications. It can be used to handle user consent for API and mobile use cases and will likely have implication for user consent in terms of Internet of Thing (IoT) devices. To meet the privacy objectives of GDPR, UMA provides a framework for web applications to obtain user’s consent for use of their data.
Next Generation Access Control (NGAC) offers fine-grained authorization policy management within what is quickly becoming a perimeter-less enterprise network. It’s like XACML but has important differences.
NGAC provides access control for different types of resources accessed by various kinds of applications and users. Its infrastructure is scalable and can support policies of different types simultaneously, while remaining manageable as technologies change, data volumes grow, and organizations undergo restructuring. Its flexibility and adaptability to future states positions it to play an important role in helping organizations meet a variety of compliance requirements pertaining to access control.