Authentication, Authorization, Account Management & Audit Logging
As users, applications and devices leave the safety of the enterprise and move toward the Cloud, identity becomes key to maintaining security, visibility and control. In this distributed environment, it’s essential for applications to authenticate the user’s identity, understand what that user is authorized to do, create or update an account and audit their activities. These Four A’s represent the critical components of a cloud identity management strategy and provide portability and extensibility beyond enterprise boundaries.
Authentication is the process of confirming the identity of a user. In the typical flow the system first identifies the user (usually by a username) and then validates that claim against evidence the user supplies, such as a password. Stronger methods exist, including X.509 client certificates, one-time passwords and device fingerprinting, and combining factors of different kinds (something the user knows, something the user has, something the user is) yields multi-factor authentication, which is considerably harder to defeat than any single factor on its own.
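As an added example (not code from the original article or from Ping Identity), the following verifier combines two factors of different kinds: a salted password hash (something the user knows) and an RFC 6238 time-based one-time password (something the user has). The user record, its fixed salt and the helper names are constructed for the example; the TOTP secret is the RFC 6238 test-vector secret so the codes can be checked against the RFC.

```python
# Added example, not from the original article: verifying two factors of
# different kinds, a salted password hash (something the user knows) and an
# RFC 6238 TOTP code (something the user has). All names below are hypothetical.
import hashlib
import hmac
import struct
import time
from typing import Optional


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256; the user store keeps only salt and hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the 30-second time counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed user record with a fixed salt so the example is deterministic;
# a real store generates a random salt per user (os.urandom(16)).
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # the RFC 6238 test-vector secret
    }
}


def authenticate(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """True only when the user exists and BOTH factors verify.

    Every failure returns the same False so the caller (and an attacker) cannot
    tell which factor was wrong, and the comparisons are constant-time.
    """
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    # Do the password derivation even for unknown users so response time does
    # not reveal whether the username exists.
    derived = hash_password(password, user["salt"] if user else _SALT)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(derived, user["pw_hash"])
    # Accept the current 30-second step and its neighbours to tolerate clock drift.
    otp_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now + drift), code)
        for drift in (-30, 0, 30)
    )
    return pw_ok and otp_ok
```

Both factors are always evaluated before the result is combined, so a wrong password and a wrong code take the same path; the one-step drift window is the usual trade-off between usability and the size of the guessing window.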
Federated identity allows a user to access an application in one domain, such as a Software-as-a-Service (SaaS) application, on the strength of an authentication that took place in another domain, such as the corporate Identity Management (IdM) system: the identity provider vouches for the user in an assertion that the application has been configured to trust.
Authorization, determining what an authenticated user is allowed to do, is the second step. It is typically handled by the application being accessed, but there is growing interest in centralizing policy decisions so that they are applied consistently regardless of where the user or the application is located. Authorization can be based on the user's identity alone, but in most cases it also depends on additional attributes about the user, such as role or title.
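The following is an added example, not code from the original article or from any Ping Identity product: a small centralized policy decision point that answers "may this subject perform this action on this resource?" from attributes supplied by the identity provider (role, employee type) together with request context (source network, device state), rather than from identity alone. It therefore also covers the kind of location- and device-based rules the article mentions later under Access Policy Management. The policy set, attribute names and sample requests are constructed for the example.

```python
# Added example, not from the original article: a deny-by-default policy
# decision point (PDP) that evaluates user attributes plus request context.
# Rule names, attribute names and the corporate network range are hypothetical.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Request:
    subject: str
    attrs: Dict[str, object]          # attributes asserted by the IdP (roles, employee_type, ...)
    action: str
    resource: str
    context: Dict[str, object] = field(default_factory=dict)  # source_ip, managed_device, ...


@dataclass
class Rule:
    name: str
    effect: str                        # "permit" or "deny"
    condition: Callable[[Request], bool]


def _in_corp_net(req: Request) -> bool:
    """Hypothetical corporate range; unknown source IP counts as outside."""
    ip = ipaddress.ip_address(str(req.context.get("source_ip", "0.0.0.0")))
    return ip in ipaddress.ip_network("10.0.0.0/8")


# Constructed policy set. A matching deny always wins; otherwise any matching
# permit allows the request; no match at all means deny.
POLICY: List[Rule] = [
    Rule("deny-finance-from-unmanaged-device", "deny",
         lambda r: r.resource.startswith("finance/")
         and not r.context.get("managed_device", False)),
    Rule("finance-role-read-write", "permit",
         lambda r: r.resource.startswith("finance/")
         and "finance" in r.attrs.get("roles", [])
         and r.action in ("read", "write")),
    Rule("employees-read-wiki", "permit",
         lambda r: r.resource.startswith("wiki/") and r.action == "read"
         and r.attrs.get("employee_type") == "employee"),
    Rule("contractors-read-wiki-from-office-only", "permit",
         lambda r: r.resource.startswith("wiki/") and r.action == "read"
         and r.attrs.get("employee_type") == "contractor" and _in_corp_net(r)),
]


def decide(req: Request, policy: List[Rule] = POLICY) -> str:
    """Return "permit" or "deny". Fails closed: no matching rule means deny."""
    permitted = False
    for rule in policy:
        if rule.condition(req):
            if rule.effect == "deny":
                return "deny"          # deny overrides any permit
            permitted = True
    return "permit" if permitted else "deny"


if __name__ == "__main__":
    alice = Request("alice", {"roles": ["finance"], "employee_type": "employee"},
                    "write", "finance/ledger", {"managed_device": True, "source_ip": "10.1.2.3"})
    print("alice ledger write from managed device:", decide(alice))
    alice.context["managed_device"] = False
    print("alice ledger write from unmanaged device:", decide(alice))
```

Because applications call `decide()` instead of embedding their own checks, a change to the policy set (for example tightening the device rule) takes effect everywhere at once, which is the point of centralizing the decision.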
At the application, commonly for licensing or audit purposes, each user needs an account. When an employee arrives at a service provider with a SAML assertion, the account is sometimes expected to exist already. Account management refers to the mechanisms and standards, such as SCIM, that keep these cloud accounts synchronized with the enterprise's own systems. Federated Single Sign-On (SSO) reduces the urgency of de-provisioning when employees leave the enterprise (once they can no longer log in to the enterprise, they can no longer reach the federated cloud services), but it is still prudent to maintain a schedule for account removal: an orphaned account continues to hold data and consume a license, and any access path that does not pass through the federation gateway is not closed by disabling the enterprise login.
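As an added example (not code from the original article or from any SCIM product), the function below reconciles a constructed enterprise directory snapshot with a service provider's account list and produces the SCIM 2.0 (RFC 7643/7644) requests that bring the two into line: a `POST /Users` for each new active employee and a `PATCH` setting `active` to `false` for each account whose owner has left or been disabled. The HTTP transport is left out so the plan can be reviewed and tested offline; the directory entries, SP resource ids and request-plan format are constructed for the example.

```python
# Added example, not from the original article: planning SCIM 2.0 provisioning
# and de-provisioning from a directory snapshot. Sample data is constructed.
import json
from typing import Dict, List

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_user(entry: Dict[str, str]) -> Dict[str, object]:
    """Map a constructed directory entry to a SCIM 2.0 User resource."""
    return {
        "schemas": [SCIM_USER],
        "userName": entry["mail"],
        "externalId": entry["employee_id"],
        "name": {"givenName": entry["given"], "familyName": entry["sn"]},
        "emails": [{"value": entry["mail"], "primary": True}],
        "active": entry["status"] == "active",
    }


def deactivate_patch() -> Dict[str, object]:
    """SCIM PatchOp that disables an account while keeping its data for later removal."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def plan_sync(directory: List[Dict[str, str]],
              sp_accounts: Dict[str, Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the ordered SCIM requests (method, path, body) that reconcile the SP.

    Accounts are matched on externalId (the employee id), which stays stable
    when a user's e-mail address or name changes. sp_accounts maps the SP's
    resource id to the SP's current view of that user.
    """
    wanted = {e["employee_id"]: e for e in directory}
    by_ext = {acct["externalId"]: rid for rid, acct in sp_accounts.items()}
    requests: List[Dict[str, object]] = []
    # 1. Create every active directory user who has no SP account yet.
    for ext, entry in wanted.items():
        if ext not in by_ext and entry["status"] == "active":
            requests.append({"method": "POST", "path": "/Users", "body": scim_user(entry)})
    # 2. Deactivate SP accounts whose owner left the directory or was disabled in it.
    for ext, rid in by_ext.items():
        entry = wanted.get(ext)
        gone_or_disabled = entry is None or entry["status"] != "active"
        if gone_or_disabled and sp_accounts[rid].get("active", True):
            requests.append({"method": "PATCH", "path": f"/Users/{rid}",
                             "body": deactivate_patch()})
    return requests


# Constructed sample data: the enterprise directory and the SP's user list.
DIRECTORY = [
    {"employee_id": "E100", "mail": "alice@example.com", "given": "Alice", "sn": "Ng", "status": "active"},
    {"employee_id": "E101", "mail": "bob@example.com", "given": "Bob", "sn": "Lee", "status": "disabled"},
    {"employee_id": "E102", "mail": "carol@example.com", "given": "Carol", "sn": "Diaz", "status": "active"},
]
SP_ACCOUNTS = {
    "2819c223": {"externalId": "E100", "userName": "alice@example.com", "active": True},
    "5f9a11ee": {"externalId": "E101", "userName": "bob@example.com", "active": True},
    "7c0d42aa": {"externalId": "E099", "userName": "dave@example.com", "active": True},  # no longer in the directory
}

if __name__ == "__main__":
    print(json.dumps(plan_sync(DIRECTORY, SP_ACCOUNTS), indent=2))
```

Running the plan twice against an already-reconciled SP produces no requests, so it is safe to schedule; deactivation rather than deletion is the first step so that audit history and data are retained until the scheduled removal.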
The ability of an enterprise to track which applications its users access, and when, matters from both a security and a regulatory perspective, but it has become a serious challenge now that users and applications no longer stay within the enterprise and work in the Cloud instead. Repeated failed authentication events, or authenticated users attempting to reach applications they are not authorized for, point to potential security or fraud activity. In addition, regulated industries require audit trails to prove that only authorized users have accessed, or attempted to access, certain confidential systems. Federation solutions provide the central gateway through which users reach cloud applications, whether from their desk or remotely, from a company computer, a personal computer or a mobile device. This central point of access is also a central point of auditing and reporting.
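The two signals the paragraph names, repeated failed authentications and an authenticated user being refused access to applications, can be detected directly from the gateway's audit records. The following is an added example, not code from the original article or from any vendor's product: the log format (`timestamp|user|event|application|source_ip`), the event names and the log lines themselves are constructed for the example.

```python
# Added example, not from the original article: two detections over
# constructed federation-gateway audit records. Format and event names are
# hypothetical: ts|user|event|app|src_ip.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log. alice fails five times in a burst then succeeds;
# bob authenticates and is then refused SSO to three apps he is not entitled
# to; dave's five failures are spread over a working day.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z|alice|AUTH_FAIL|idp|198.51.100.7
2024-03-01T08:00:09Z|alice|AUTH_FAIL|idp|198.51.100.7
2024-03-01T08:00:17Z|alice|AUTH_FAIL|idp|198.51.100.7
2024-03-01T08:00:24Z|alice|AUTH_FAIL|idp|198.51.100.7
2024-03-01T08:00:31Z|alice|AUTH_FAIL|idp|198.51.100.7
2024-03-01T08:00:40Z|alice|AUTH_OK|idp|198.51.100.7
2024-03-01T08:01:02Z|bob|AUTH_OK|idp|10.4.4.9
2024-03-01T08:01:10Z|bob|SSO_DENIED|payroll|10.4.4.9
2024-03-01T08:01:15Z|bob|SSO_DENIED|hr-records|10.4.4.9
2024-03-01T08:01:20Z|bob|SSO_DENIED|finance-ledger|10.4.4.9
2024-03-01T08:02:00Z|carol|AUTH_OK|idp|10.4.4.12
2024-03-01T08:02:05Z|carol|SSO_OK|crm|10.4.4.12
2024-03-01T09:30:00Z|dave|AUTH_FAIL|idp|10.4.4.20
2024-03-01T11:30:00Z|dave|AUTH_FAIL|idp|10.4.4.20
2024-03-01T13:30:00Z|dave|AUTH_FAIL|idp|10.4.4.20
2024-03-01T15:30:00Z|dave|AUTH_FAIL|idp|10.4.4.20
2024-03-01T17:30:00Z|dave|AUTH_FAIL|idp|10.4.4.20
"""


def parse(line: str) -> Dict[str, object]:
    ts, user, event, app, src = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "app": app, "src": src}


def brute_force_alerts(records: List[Dict[str, object]], threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Flag a user with at least `threshold` AUTH_FAIL events inside a sliding window.

    Failures spread over hours (dave) fall out of the window and never trigger;
    a tight burst (alice) does, even though she eventually logged in.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: List[str] = []
    for r in records:
        if r["event"] != "AUTH_FAIL":
            continue
        q = recent[r["user"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append(f"{r['user']}: {len(q)} failed logins within {window} ending {r['ts']:%H:%M:%S}")
            q.clear()  # report once per burst, not once per extra failure
    return alerts


def unauthorized_access_alerts(records: List[Dict[str, object]],
                               threshold: int = 3) -> List[Dict[str, object]]:
    """Flag an authenticated user refused SSO to at least `threshold` distinct apps."""
    denied: Dict[str, set] = defaultdict(set)
    for r in records:
        if r["event"] == "SSO_DENIED":
            denied[str(r["user"])].add(str(r["app"]))
    return [{"user": u, "apps": sorted(a)} for u, a in denied.items() if len(a) >= threshold]


def run(log_text: str = SAMPLE_LOG) -> Tuple[List[str], List[Dict[str, object]]]:
    records = [parse(line) for line in log_text.splitlines() if line]
    return brute_force_alerts(records), unauthorized_access_alerts(records)


if __name__ == "__main__":
    for alert in run()[0]:
        print("BRUTE-FORCE:", alert)
    for alert in run()[1]:
        print("UNAUTHORIZED ACCESS ATTEMPTS:", alert)
```

The same records are what a compliance audit trail needs: every `SSO_OK` and `SSO_DENIED` line ties a named user to a named application at a given time, so proving that only authorized users reached a confidential system is a query over the gateway log rather than over each application.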
Ping Identity and the 4A's
While the 4 A's are standard lingo in the identity management world, every company applies its own flavor, and Ping Identity is no exception. We think of them as Access, Control and Intelligence.
Authentication: Ping Identity provides "first mile" integration kits for almost every authentication system, including popular strong-authentication vendors. In addition, PingOne includes a cloud-based user store for authenticating users. Once users have been authenticated, both basic (password vaulting) and federated Single Sign-On techniques are supported.
Access Policy Management: Adaptive Federation allows you to create rules based on where a user is located, the device they are using and virtually any other criteria, including an external data source, to determine whether a user is allowed to access a resource. Attributes can be collected from multiple data sources to build a complete profile of the user.
Automated User Provisioning: Both identity-provider-side account synchronization, using proprietary connectors or the standards-based SCIM protocol, and just-in-time provisioning at the service provider are supported.
Audit: Monitor usage for cloud security and compliance through our cloud-based dashboard, or send log data to SIEM products such as ArcSight, Envision and LogRhythm, or to a database such as Oracle, Microsoft SQL Server or MySQL, so that enterprise IT and security organizations can create dashboard views and reports for monitoring usage.
Ping Identity Solutions provide access, control and intelligence for consumers, customers, partners and your workforce across mobile, API, cloud and data center applications.