Hmmm... I'm not sure I follow on the 'implementations' idea... Could you give some example sub-headings? What kinds of practices should ID Pros know about? What facts/knowledge should they have?

andrew.

*Andrew Hughes *CISM CISSP Independent Consultant *In Turn Information Management Consulting* o +1 650.209.7542 m +1 250.888.9474 1249 Palmer Road, Victoria, BC V8P 2H8 AndrewHughes3000@gmail.com ca.linkedin.com/pub/andrew-hughes/a/58/682/ *Identity Management | IT Governance | Information Security *

On Mon, Jan 23, 2017 at 10:58 AM, Ken Dagg <kendaggtbs@gmail.com> wrote:
Andrew,
Great work!
Suggestions:
- Would the Considerations section be better as a sub-section under Authorization Models? I believe that each model should have considerations.
- Should there be an Implementations sub-section that identifies where authorization models have been implemented? This could include lessons learned.
Ken
On Mon, Jan 23, 2017 at 11:58 AM Andrew Hughes <andrewhughes3000@gmail.com> wrote:
Hi folks, here's my imperfect taxonomy for 'areas related to authorization and access control that an ID Pro should know about'.
Please help to put the items in the right spots and correct errors!
- Authorization
  - Authorization policy evaluation
  - Proofs of assertion (tokens, tickets, cookies, cryptographic methods)
  - Bearer methods v proof of possession methods
  - Access control policy, authorization policy
  - Static evaluation, dynamic evaluation
  - Is there an 'authorization equation' for policy evaluation?
    - e.g. Given an identified entity and a requested resource, select the correctly-scoped authorization policy, evaluate the policy, grant || deny || require trust elevation for the resource access, log the events
- Relationship to Identification, Authentication, Access Control
  - The characteristics of each
  - The 'cross-over' aspects of each (e.g. OAuth-style authentication via proof of resource access - is this related to an 'authorization equation' approach?)
- Authorization models, processes, protocols
  - SAML, OAuth, UMA
  - Directories, decentralized models
- Access control models
  - RBAC
  - ABAC
  - Trust Elevation (e.g. re-authentication, step-up authentication, claims gathering)
- Considerations for choosing specific models, protocols
  - Risk
  - Authorization model matching to credential characteristics, identification method, available authenticators
  - Centralized v decentralized
  - Degree of independence of authorization policy decision v access control decision
_______________________________________________
DG-IDPro mailing list
DG-IDPro@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idpro
-- 
Kenneth Dagg
Independent Consultant
Identification and Authentication
613-825-2091
kendaggtbs@gmail.com
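The 'authorization equation' sketched in Andrew's taxonomy above (given an identified entity and a requested resource: select the correctly-scoped policy, evaluate it, grant / deny / require trust elevation, log the event) is worked through below as an added example. It is not code from the thread or from any Kantara deliverable; the policy store, the RBAC-plus-ABAC policy shape, the longest-prefix scoping rule, the two-level session assurance scale (1 = password, 2 = MFA) and all subjects, resources and policies are assumptions constructed for illustration. It combines the RBAC and ABAC items from the list (a role condition evaluated statically, an attribute condition evaluated dynamically against the resource) with the trust-elevation item (step-up is returned instead of grant when the session assurance is below what the policy requires).

```python
"""Toy 'authorization equation' evaluator: select policy, evaluate, decide, log.

Added illustrative code, not from the mailing-list thread. All policies,
subjects and resources below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

GRANT, DENY, STEP_UP = "grant", "deny", "require_trust_elevation"


@dataclass(frozen=True)
class Subject:
    """An identified and already-authenticated entity."""
    id: str
    roles: FrozenSet[str]
    attributes: Dict[str, object]
    authn_level: int  # assumed scale: 1 = password session, 2 = MFA session


@dataclass(frozen=True)
class Resource:
    id: str
    attributes: Dict[str, object]


@dataclass(frozen=True)
class Policy:
    scope: str                      # resource-id prefix this policy covers
    required_roles: FrozenSet[str]  # RBAC condition; empty set = no role requirement
    condition: Optional[Callable[[Subject, Resource], bool]] = None  # ABAC condition
    min_authn_level: int = 1        # below this, grant is withheld pending step-up


@dataclass(frozen=True)
class Decision:
    outcome: str
    policy_scope: Optional[str]
    reason: str


def select_policy(policies: List[Policy], resource: Resource) -> Optional[Policy]:
    """'Correctly-scoped' policy: the most specific (longest-prefix) match."""
    matching = [p for p in policies if resource.id.startswith(p.scope)]
    return max(matching, key=lambda p: len(p.scope)) if matching else None


def evaluate(subject: Subject, resource: Resource,
             policies: List[Policy], log: List[dict]) -> Decision:
    """Evaluate the in-scope policy and record the decision in the audit log."""
    policy = select_policy(policies, resource)
    if policy is None:
        decision = Decision(DENY, None, "no policy in scope (default deny)")
    elif policy.required_roles and not (policy.required_roles & subject.roles):
        # Static RBAC check: subject must hold at least one required role.
        decision = Decision(DENY, policy.scope, "role requirement not met")
    elif policy.condition is not None and not policy.condition(subject, resource):
        # Dynamic ABAC check: evaluated against subject and resource attributes.
        decision = Decision(DENY, policy.scope, "attribute condition not met")
    elif subject.authn_level < policy.min_authn_level:
        # Conditions pass but session assurance is too low: ask for step-up,
        # not deny. Checked last so step-up is never offered to someone who
        # would be denied anyway.
        decision = Decision(STEP_UP, policy.scope,
                            f"session level {subject.authn_level} < required "
                            f"{policy.min_authn_level}")
    else:
        decision = Decision(GRANT, policy.scope, "all conditions satisfied")
    log.append({"subject": subject.id, "resource": resource.id,
                "policy": decision.policy_scope, "outcome": decision.outcome,
                "reason": decision.reason})
    return decision


def clearance_covers(subject: Subject, resource: Resource) -> bool:
    """Sample ABAC condition: subject clearance >= resource classification."""
    return subject.attributes.get("clearance", 0) >= resource.attributes.get("classification", 0)


# Constructed sample policy set (most specific scope wins).
POLICIES = [
    Policy("docs/", frozenset({"employee"})),
    Policy("docs/finance/", frozenset({"finance"}), condition=clearance_covers),
    Policy("docs/finance/payroll/", frozenset({"finance"}),
           condition=clearance_covers, min_authn_level=2),
]

# Constructed sample subjects and resources.
ALICE = Subject("alice", frozenset({"employee", "finance"}), {"clearance": 2}, authn_level=1)
ALICE_MFA = Subject("alice", frozenset({"employee", "finance"}), {"clearance": 2}, authn_level=2)
BOB = Subject("bob", frozenset({"employee"}), {"clearance": 1}, authn_level=1)
HANDBOOK = Resource("docs/handbook.pdf", {})
REPORT = Resource("docs/finance/report.pdf", {"classification": 1})
MINUTES = Resource("docs/finance/board-minutes.pdf", {"classification": 3})
PAYROLL = Resource("docs/finance/payroll/q1.csv", {"classification": 2})
WIKI = Resource("wiki/home", {})


if __name__ == "__main__":
    audit: List[dict] = []
    for subj, res in [(ALICE, REPORT), (BOB, REPORT), (BOB, HANDBOOK),
                      (ALICE, PAYROLL), (ALICE_MFA, PAYROLL), (ALICE, MINUTES), (ALICE, WIKI)]:
        d = evaluate(subj, res, POLICIES, audit)
        print(f"{subj.id:9} {res.id:32} -> {d.outcome:25} ({d.reason})")
```

The ordering of the checks is the security-relevant design choice: an out-of-scope resource falls through to default deny rather than to the broadest policy, and trust elevation is only requested once the role and attribute conditions are already satisfied, so the step-up prompt itself does not leak whether the subject would be authorized after re-authenticating. Every branch writes to the same log, which is what lets the policy decision and the access enforcement be audited independently.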