Guidelines for Implementing Identity and Access Management
  • Assess the design requirements for confidentiality, integrity, and availability given the context for the authentication solution
    • e.g., private network, public web, VPN gateway, or physical site premises
  • Determine whether multifactor authentication (MFA) or passwordless authentication is required, and which hardware token or biometric technologies would meet the requirement:
    • Ownership factors include smart cards, OTP keys/fobs and security keys, and OTP authenticator apps installed on a trusted device.
    • Biometric technologies include fingerprint and face recognition, with efficacy determined by metrics such as FAR, FRR, CER, speed, and accessibility.
    • Two-step verification can provide an additional token to a trusted device or account via SMS, phone call, email, or push notification.
    • Password managers can provide better security for password authentication.
  • Establish requirements for access control, choosing between discretionary, mandatory, role-based, and attribute-based models, and determine whether the scope must include federated services (on-premises and cloud, for instance).
  • Configure accounts/roles and resources with the appropriate permissions settings using the principle of least privilege.
  • Configure account policies to protect integrity:
    • Credential policies to ensure the protection of standard and privileged accounts, including secure password selection.
    • Account policies to apply conditional access based on location and time.
  • Establish provisioning procedures to issue digital identities and account credentials securely.
  • Establish deprovisioning procedures to remove access privileges when employees or contractors leave the company.
  • Implement SAML or OAuth to facilitate single sign-on between on-premises networks and cloud services/applications.
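The following is an added example, not part of the original guidelines, showing how the least-privilege, conditional-access (location and time), MFA and deprovisioning points above combine into a single deny-by-default access decision. Role names, the trusted network range, the business-hours window and the sample accounts are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class Account:
    name: str
    roles: frozenset
    enabled: bool = True          # deprovisioned accounts are disabled first, not deleted
    mfa_verified: bool = False    # set by the authentication step when a second factor passed

@dataclass
class Request:
    account: Account
    resource: str
    action: str
    source_ip: str
    when: datetime

# Least privilege: each role is granted only the (resource, action) pairs it needs.
# Constructed roles for the example.
ROLE_PERMISSIONS = {
    "helpdesk": {("tickets", "read"), ("tickets", "write")},
    "admin": {("tickets", "read"), ("tickets", "write"), ("users", "write")},
}
# Privileged actions always require a verified second factor.
PRIVILEGED_ACTIONS = {("users", "write")}
# Conditional access policy: assumed corporate network and business hours.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every policy check must pass; anything else is denied."""
    if not req.account.enabled:
        return False, "account disabled"
    needed = (req.resource, req.action)
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.account.roles))
    if needed not in granted:
        return False, "no role grants this action"
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        return False, "untrusted location"
    if not BUSINESS_HOURS[0] <= req.when.time() < BUSINESS_HOURS[1]:
        return False, "outside permitted hours"
    if needed in PRIVILEGED_ACTIONS and not req.account.mfa_verified:
        return False, "MFA required for privileged action"
    return True, "allowed"
```

Each denial carries a reason so the decision can be logged and reviewed; in a real deployment the role table and policy values would come from the directory and policy store rather than constants.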