Re the 'real-life' scenarios and 'practices'
Would it be beneficial to use a common, general structure for each Area (Identity, Management,Authentication, Authorization)?, eg something like
Given the current discussion, that would allow a sorting like
below
I first placed 'Protocols' in the 'Technology' Ring, but I think it make sense to use the same idea here as we have for the other layers (Operations, Implementation/Align-Plan-Organize). That would allow us to simple 'short-describe' the protocols and let the 'TechnologyRing' serve as a placeholder.
T.
The could be one Sub heading in the Implementation Sub-section for each implementation. Subsections in each implementation could be a description of the implementation and lessons learned (positive and negative) from the implementation. I believe that this type of information would be valuable for IdPros to know because it provides real life examples of what has and has not worked.
Ken
Hmmm... I'm not sure I follow on the 'implementations' idea...
Could you give some example sub-headings?
What kinds of practices should ID Pros know about? What facts/knowledge should they have?
andrew.
Andrew Hughes CISM CISSP
Independent Consultant
In Turn Information Management Consultingo +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security
On Mon, Jan 23, 2017 at 10:58 AM, Ken Dagg <kendaggtbs@gmail.com> wrote:
Andrew,
Great work!
Suggestions:- Would the Considerations section be better as a sub section under Authorization Models. I believe that each model should have considerations.- Should there be an Implementations sub-section that identifies where Authorization models have been implemented. This could include lessons learned.
Ken
_______________________________________________Hi folks, here's my imperfect taxonomy for 'areas related to authorization and access control that an ID Pro should know about'.
Please help to put the items in the right spots and correct errors!
- Authorization
- Authorization policy evaluation
- Proofs of assertion (tokens, tickets, cookies, cryptographic methods)
- Bearer methods v proof of possession methods
- Access control policy, authorization policy,
- Static evaluation, dynamic evaluation
- Is there an ‘authorization equation’ for policy evaluation?
- e.g. Given an identified entity and a requested resource, select the correctly-scoped authorization policy, evaluate the policy, grant || deny || require trust elevation for the resource access, log the events
- Relationship to Identification, Authentication, Access Control
- The characteristics of each
- The 'cross-over' aspects of each (e.g. OAuth-style authentication via proof of resource access - is this related to an ‘authorization equation’ approach?)
- Authorization models, processes, protocols
- SAML, OAuth, UMA
- Directories, decentralized models
- Access control models
- RBAC
- ABAC
- Trust Elevation (e.g. re-authentication, step-up authentication, claims gathering)
- Considerations for choosing specific models, protocols
- Risk
- Authorization model matching to credential characteristics, identification method, available authenticators
- Centralized v decentralized
- Degree of independence of authorization policy decision v access control decision
Andrew Hughes CISM CISSP
Independent Consultant
In Turn Information Management Consultingo +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security
DG-IDPro mailing list
DG-IDPro@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idpro
--
Kenneth Dagg
Independent Consultant
Identification and Authentication
613-825-2091
kendaggtbs@gmail.com
--
Kenneth Dagg Independent Consultant Identification and Authentication 613-825-2091 kendaggtbs@gmail.com
_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro