Identity management: understanding IAM and identity federation


In a business transaction, most often, the other party does not know you or who you are, but they can accept supporting documents that attest to your identity. Identity management on computer networks is structured the same way, on the following points:

  • A set of digital credentials that a service or application can examine attests to your identity and your authorization to carry out the transaction you request;
  • An access management system can trust the result of that examination enough to give you access to documents, services or information;
  • You can personally trust the credentials presented by a website or web application to represent the company, institution or agency with which you intend to transact.


Thomas Edison pointing at his work in his Menlo Park laboratory, 1921.

Data is collected about you online; there is no denying it. The common misconception is that your personal data is stored in a single, centralized database. Yes, Facebook is one of the most aggressive collectors of behavioral data.

But most of the metadata collected about everyone’s online behavior does not constitute a collective database of digital identities. Many people who claim their digital identity was stolen are in fact among the thousands of victims of a breach of a database containing elements of personal data, such as a credit card number. What makes collecting this data so dangerous is the possibility that a system with access to data that authenticates you can couple it with data that describes you (metadata). A hacker can thus assemble this data from several sources to impersonate you and transact on your behalf.

So when we talk about “digital identity”, what are we really talking about?

  • Digital identity consists of the credentials needed to access network or online resources in your name.
    • In an insecure system, a simple password may suffice to assume some form of digital identity.
    • In an unsecured context – for example, using a web browser to read ZDNet – public servers may require only anonymous credentials. Even then, there is some sort of temporary digital identity representing the browser, which is supposed to represent you because you accessed the client on which the browser was installed.
    • A corporate network usually requires some form of authentication before you can access it – perhaps two-factor authentication, or more. Those credentials are your digital identity in the context of that network, but not outside it.
    • On the Internet, which is a patchwork of networks linked together by gateways, sharing services requires the exchange of a digital identity in one form or another. This is the most delicate and volatile part of the entire digital identity system.
  • Personal identity is the amalgam of information needed for you, or anyone seeking to impersonate you, to be recognized as valid and authenticated. Someone stealing a password from a database could also obtain information about your driver’s license or the make and model of the car you drive. If that information is sufficient for someone else, in another transaction, to pass as you, then that person may indeed have “stolen your identity”.

Identity management therefore consists of the practices and principles to which all participants in the transaction process adhere, including you, to protect the elements of digital identity that a hacker could combine to use your personal identity. Identity and Access Management (IAM) is the class of software and services that strive to fulfill their responsibilities to you in this regard.

Digital identity and personal identity

You know who you are. However, digital identity in a computer system, as you have just seen, remains a rather vague subject.

Digital identity is accredited by proof of identity

The weakest form of access management in a computer system is a unique username paired with a unique password. Password management is not identity management.

Your digital identity is made up of credentials, which are essentially tokens of data and metadata that represent you. They are not your personal papers, nor what those papers might contain. Whenever you enter a secure building, even one you work in, you present a badge – probably just to operate the elevator. That card is a token attesting that someone has already authorized you to enter. As in this example, in most cases the digital identity is a token made up of data.

But it’s actually more complicated than that:

  • Services and software – which are clearly not people – can have some form of digital identity, because they too must access databases and resources as if they were “users”.
  • Browsing the web does not require that you, or any other user, have enough of an identity for a person or system to identify you personally. You can read this ZDNet article without logging in to any central internet service. A browser can be assigned a sort of temporary “visitor ID” to establish a session with servers, but that session does not exchange your credentials – which can happen as part of a separate transaction.
  • There is no single set of universally recognized, converging identification data that identifies you exclusively on the Internet, which is not good news in many ways. It means that if someone really wants to pretend to be you – perhaps to post in your name on social media, or to transfer your money to their own account – there is a small possibility that this person can collect enough personally identifiable information about you to obtain the data needed to pass as you online.

Comparison between Identity Management and Data Loss Prevention (DLP)

Businesses, especially financial institutions, store their customers’ personally identifiable data in databases. The category of security services dedicated to preventing breaches of that data is called Data Loss Prevention (DLP). These services focus on the integrity and impregnability of those databases.

Data breaches seem to have skyrocketed in recent years. Statistically speaking, however, their number may be decreasing even as the damage they cause increases. The February 2017 customer data breach reported by facial recognition analytics company Clearview AI is an example of malicious acquisition of personally identifiable information on a relatively small scale, but with potentially significant impact.

It takes real human effort to correlate personally identifiable information from multiple sources – for example, to gain access to your online bank account and make purchases in your name with your credit card numbers. In short, data breaches do occur, but exploiting them is not an easy process.

Identity management can thwart such attempts. But its objective is to secure the data with which you identify yourself online. A person who has bypassed a DLP by stealing customer data from a company can use that data to impersonate customers of that company. Your own digital identity, however, is linked to all the credentials and permissions you hold to access your personal files, wherever they are stored. Holding your digital identity would be invaluable to a hacker able to collect and consolidate databases acquired through multiple breaches; they could, for example, take out a loan in your name.

How digital identities have been protected so far

You have all seen the hype around “hackers” who steal your identity, or try to steal it and sell it on dark web markets. These depictions evoke a concept of digital identity largely rooted in the science fiction of the 1980s. The premise is that the Internet is one huge collective database of names, addresses, voting preferences, salary histories and social security numbers, so all anyone needs to do to steal your data is send you phishing emails to capture an eight-character password that you or a parent may have used to access Infonie in the 1980s.


The first corporate networks were touted as “fortresses”, and the goal of security was then to make sure that hackers could not get into them. This was the “endpoint security” or “perimeter security” model, and to a surprising extent it still exists today. It is the modern version of the “fortress defense” model, which dates back to the central computer model of the 1970s.

A modern corporate security system does not focus on securing the perimeter to prevent intrusion. The new security model is completely reversed and focuses instead on securing the entity, sometimes called in this context the “identity”. This is the accredited user, who by default is not allowed to see or do anything – a condition called “zero trust” (ZT). The objective of the system is then to allow this user to see or do something, in accordance with policy and permissions. In this way, in the absence of any operational security (for example, if the network is breached and the system defeated), absolutely nothing is exposed.

Where does trust come from

In everyday life, you transact with other people relatively easily. Why? Because for the most part, those people trust that you are who you say you are. You sign documents confirming your intent to carry out those transactions. Even when you sign a document with no witnesses present, people can generally treat your signature as an assertion that you are fully aware of what you are doing. There is an implicit trust in a transaction of this type. It can be violated, but it is not inherently volatile.

In the field of digital transactions, this implicit trust is effectively erased. Numbers are symbols and, as such, have little to distinguish them from one another. Any sequence of digits is logically as easy to falsify as a single digit. Trust must be established for each digital transaction session. The simplest way to explain how this is done: each participant in a trust transaction receives a puzzle, and the legitimate party holds its solution. The solution solves the puzzle without revealing the mechanics of the puzzle. If the puzzle is solved, we can conclude with 99+% confidence that the person who solved it is the one who holds the solution.
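The puzzle-and-solution idea above corresponds to a challenge-response exchange. The following is an added illustration, not code from the original article: the verifier issues a fresh random challenge, the prover answers with an HMAC computed from a shared secret, and the secret itself never crosses the wire. The secret value and the session helpers are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret, provisioned out of band; a placeholder, not a real key.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_challenge() -> bytes:
    """Verifier side: a fresh random 'puzzle', valid for this session only."""
    return secrets.token_bytes(32)


def solve_challenge(prover_secret: bytes, challenge: bytes) -> bytes:
    """Prover side: the 'solution' is an HMAC over the challenge.

    Only the digest is sent back; the secret stays on the prover."""
    return hmac.new(prover_secret, challenge, hashlib.sha256).digest()


def verify_response(challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute the expected digest and compare in constant
    time, so timing differences do not leak how many bytes matched."""
    expected = hmac.new(SHARED_SECRET, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_session(prover_secret: bytes) -> bool:
    """One complete exchange: challenge out, response back, verdict."""
    challenge = issue_challenge()
    response = solve_challenge(prover_secret, challenge)
    return verify_response(challenge, response)


def replayed_response_is_rejected(old_response: bytes) -> bool:
    """Defensive property check: a response captured from an earlier session
    is useless against a new challenge, because every challenge is fresh."""
    return not verify_response(issue_challenge(), old_response)
```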

With the first networked systems, you connected to a computer or server through a terminal (a command line where you typed instructions). Access to resources on that server depended on the level of protection assigned to your account. But in the absence of an IT security team, there may have been no protection at all on the server. Some who tried to paint the best possible picture of this scenario called it “open architecture”, defining the principle of implicit trust.

Modern systems that use identity management operate on the basis of zero trust. Unless an access control list (ACL), policy, or other mechanism explicitly grants access to a resource, your request is denied. In a properly administered zero trust system, no one has unlimited access to a resource or domain. However, you will often find IAM systems governed by an unrestricted administrator account.

Identity and Access Management (IAM) in practice

An identity and access management (IAM) system establishes authorizations and accessibility for users within a network where those users are not trusted a priori. The mission of IAM is to protect access to assets and to ensure that only authorized persons have access to protected documents and services within a company. IAM protects and encapsulates a network domain using a single directory of users and a single directory of protected resources.

Where security policy comes into play

In February, the United States National Institute of Standards and Technology (NIST) released the second version of its proposed official description of zero trust architecture.

(NIST diagram: the path of an access request through a zero trust architecture)

This NIST diagram describes the “route” of a requesting user, from the request for a resource to the authorization of access to that resource. When a user is the subject of an authentication request, a digital identity is built around that subject. At that point, it becomes what security engineers call a “security principal”, or simply a principal.

In the diagram, note the large rounded rectangle that groups all the relevant elements of the network, and the pictogram that looks like a low-cost desktop PC from the 1990s. Like most software-defined networks (SDN), the network represented here is divided into two planes of traffic. The control plane is separate from any part of the network to which the user can have access. From the principal’s point of view, only the data plane of this network exists. The decision whether or not to grant a client access is made on each request, and no client ever obtains permanent or unquestioned access to a resource, even if that client, or another security principal assigned to the same user, has already accessed that resource.

It is in this control plane that the policy decision point (PDP) is located. In security architecture, a policy is a rule that sets the conditions under which a principal, or a group representing several principals, is granted or denied access to a resource. Think of it as a computer program condensed into a single line of instructions, with many such lines operating simultaneously.

The PDP is subdivided into two components, one of which interprets the rules of the policy. The second, the policy administrator (PA), assesses whether a policy conclusion grants the principal access to the requested resource, and until it sees a conclusion it accepts, the answer is no. Because of the separation of planes, the principal never actually “sees” the PDP, so a hacker cannot knock the PDP down. In the data plane, the policy enforcement point (PEP) contains the low-level agent that executes the PA’s policy directive. Rather than acting as a switch steering the principal toward permanent access to the resource, it serves as an intermediary or broker, facilitating a connection to the resource, but only through itself and only for the duration fixed by the PA.

Attributes and assertions

Policies cannot be created without a means of identifying the subjects of their rules. This is done explicitly and exclusively through identity management. In the context of a local corporate network, NIST calls this identity governance. It is here that NIST’s definition of identity (what we call “digital identity”) takes on its full meaning. Its most succinct version appears in a report on identity federation, which defines identity as the “authentication attributes and subscriber attributes” in a networked system.

We can define these terms as follows:

  • Authentication attributes are pieces of data attributable to a user that can be cross-checked and verified to ensure that the user is permitted to present themselves as a given entity or person.
  • Subscriber attributes are data that connect an authenticated user to the system hosting the directory to which that user, for lack of a better word, belongs – in effect, they describe the user’s relationship with the company.

In practice, the ultimate objective of corporate identity governance is to restrict each network user’s view exclusively to the resources to which that user is explicitly entitled, or to which an interpretation of policy determines the user has legitimate access. From the user’s point of view, nothing exists but the resources to which they are entitled. Security experts say that if IAM’s access management function is reliable enough, IT security professionals can refocus their attention on the integrity of the digital identity.
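A worked example of the policy path described in the two sections above: rules written over authentication and subscriber attributes, a PA that defaults to deny and decides on every request, and a PEP that brokers access only for the duration the PA fixed. This is added illustration code, not NIST’s or the article’s; the directory entries, rule names and lifetimes are constructed.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A digital identity built around a subject for one authentication."""
    subject: str
    auth_attrs: frozenset  # how the subject proved itself, e.g. {"password", "mfa"}
    sub_attrs: frozenset   # its relationship to the company, e.g. {"dept:finance"}


@dataclass(frozen=True)
class Rule:
    """One policy 'line': grant `resource` when both attribute sets are present."""
    resource: str
    require_auth: frozenset
    require_sub: frozenset
    ttl_seconds: int


# Constructed policy; every rule is evaluated independently of the others.
POLICY = (
    Rule("ledger", frozenset({"mfa"}), frozenset({"dept:finance"}), 300),
    Rule("wiki", frozenset(), frozenset({"employee"}), 3600),
)


@dataclass(frozen=True)
class Grant:
    subject: str
    resource: str
    expires_at: float


def policy_engine(principal: Principal, resource: str) -> list:
    """Interpret the rules: return every rule that concludes 'grant'."""
    return [r for r in POLICY
            if r.resource == resource
            and r.require_auth <= principal.auth_attrs
            and r.require_sub <= principal.sub_attrs]


def policy_administrator(principal: Principal, resource: str, now: float):
    """PA: default deny. Only a satisfied rule yields a time-limited grant."""
    matches = policy_engine(principal, resource)
    if not matches:
        return None
    return Grant(principal.subject, resource, now + min(r.ttl_seconds for r in matches))


def pep_broker(grant, principal: Principal, resource: str, now: float) -> bool:
    """PEP (data plane): relay traffic only while the PA's grant is valid for
    exactly this subject and resource; nothing is remembered between requests."""
    return (grant is not None and grant.subject == principal.subject
            and grant.resource == resource and now < grant.expires_at)


def request_access(principal: Principal, resource: str, now=None) -> bool:
    """One full pass through the control plane and back; repeated per request."""
    now = time.time() if now is None else now
    return pep_broker(policy_administrator(principal, resource, now), principal, resource, now)
```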

A metaphor for this strategy: rather than defending the entrance to a fortress with hundreds of guards stationed along its perimeter, four or five guards surround each individual who comes in.

Giving meaning to identity beyond the borders of the network

In any network of networks like the Internet, single sign-on (SSO) means that a user can submit credentials once and only once, generally by logging in to the local operating system (client side). Any other service or application requiring user authentication receives it from the service the user logged in to.

Identity federation is an effort to get multiple networks to agree on a single protocol for crossing network boundaries, so that SSO works. In any cross-network or cloud-oriented transaction where a process on one network requires a process or resource on another network, and where both processes must appear transparently integrated to an authenticated user, federation is the system the two networks rely on to establish a certain level of trust between them.

When federation comes into play, the trick is to define identity using something more permanent than the subscriber’s attributes alone. A subscription to a resource on one network should probably not give the subscriber the right to access resources on other networks. However, for SSO to be possible, networks connected to each other over the Internet must be able to vouch for the validity of their respective authentications.


This other diagram, also from NIST, presents the simplest form of identity federation, as an exchange between three parties: a principal who requests access to a resource (the “subscriber”), a relying party (RP, or “resource provider” depending on who you ask) and an identity provider (IdP). To access the RP, the subscriber must first authenticate with the IdP. (If she logged in to her employer’s network using SSO, this part may already have taken place.) The IdP then acts as an agent for the subscriber, asserting her rights on her behalf. The RP then gives the subscriber access, but only within an encrypted session that only the subscriber can decrypt and understand, and only if the IdP was correct about the subscriber’s identity.

Federation occurs in this case when several networks able to act as RPs trust either a single IdP or a network of IdPs that agree to use the same protocol.
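The three-party exchange described above, as an added example that is not part of the NIST report or the original article: the IdP authenticates the subscriber and issues a signed, audience-bound, expiring assertion; each RP in the federation accepts it only if it comes from an IdP on the RP’s trust list, is addressed to that RP, and is unexpired. Names, keys and the credential store are constructed, and a symmetric HMAC key stands in for the public-key signature a real SAML or OIDC federation would use.

```python
import hashlib
import hmac
import json

# Constructed federation trust list: every RP below trusts the same IdP by key.
# A real federation distributes the IdP's public key; HMAC keeps the demo short.
TRUSTED_IDP_KEYS = {"idp.example": b"constructed-idp-signing-key"}

# Constructed IdP credential store: subscriber -> (password, subscriber attributes)
IDP_USERS = {"alice": ("correct-horse-battery", {"employee", "dept:finance"})}

ASSERTION_LIFETIME = 300  # seconds


def idp_authenticate(idp_id: str, subscriber: str, password: str, audience: str, now: float):
    """IdP: check the subscriber's credential, then assert identity to ONE RP.

    Returns a dict with the serialized claims and their signature, or None."""
    record = IDP_USERS.get(subscriber)
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return None
    claims = {"iss": idp_id, "sub": subscriber, "aud": audience,
              "attrs": sorted(record[1]), "exp": now + ASSERTION_LIFETIME}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(TRUSTED_IDP_KEYS[idp_id], body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def rp_accept(assertion, rp_id: str, now: float):
    """RP: rely on the IdP's word only if issuer, signature, audience and
    expiry all check out. Returns (subject, attributes) or None."""
    if assertion is None:
        return None
    claims = json.loads(assertion["body"])
    key = TRUSTED_IDP_KEYS.get(claims.get("iss"))
    if key is None:
        return None  # issuer is not a member of this federation
    expected = hmac.new(key, assertion["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # claims were altered or never signed by that IdP
    if claims.get("aud") != rp_id:
        return None  # assertion was minted for a different RP
    if claims.get("exp", 0) <= now:
        return None  # stale assertion
    return claims["sub"], set(claims["attrs"])


def sso_login(subscriber: str, password: str, rp_id: str, now: float):
    """Full SSO flow from the subscriber's side: authenticate once at the IdP,
    then present the resulting assertion to the RP."""
    assertion = idp_authenticate("idp.example", subscriber, password, rp_id, now)
    return rp_accept(assertion, rp_id, now)
```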

ZDNet asked cybersecurity experts at the last RSA conference how they perceive the problem of identity management on a relative priority scale. “This is a way to federate identities across a large number of different organizations,” said Hank Thomas, CEO of security VC Strategic Cyber Ventures LLC. “It is like saying that people have to work together, and trust each other. Once someone has proven that someone is someone, that other organization is going to have the same level of confidence in the same thing. There are ways to do it, it’s just that that trust isn’t necessarily there yet. It may be for compliance reasons, and for other reasons.”

If this answer does not seem the clearest you have ever heard, it is because the direction identity federation is taking is currently about as clear. Federation is a vital necessity only because digital identity is a fleeting thing. It has to be recreated – which would not be a problem if the world were just one network of companies. If human users all carried a digital authentication device such as, or similar to, a YubiKey U2F device – something physical that an identity provider (IdP) could assume to be on the user’s person during working hours – the kind of cryptographic ping-pong that takes place today could perhaps be radically simplified.

As long as humans are not comfortable with the idea of wearing this type of electronic gadget, identity management has a bright future ahead of it. Ironically, the situation that many people fear – that their personal identity will be stolen through their digital identity – is more likely to occur as long as there is no single source of identity.

