Introduction to Guidance and Standards

Hi, and welcome to Section 5 our course on Identity and Access Management. During Section 5, we’re looking at guidance and standards. These are defined as existing approaches that we can use as part of our approach. And this helps us, because we can reuse best practise that’s been established and peer reviewed, rather than reinventing our own approach. It also gives us a common language and a common approach that others will understand when we’re interfacing with third parties. And typically, this becomes a recognized and a trusted approach, as well. We can become accredited to some of these standards or operate in accordance with them. So with the first standard, we are looking at ISO 27001.

ISO 27001 has 14 control domains and Section A.9, one of those 14 domains, relates directly to access management. Within Section A.9, we have access control, the access control policy, access to networks and network services, user access management, all defined. This includes provisioning, the management of privileged access rights, the review of user rights, and the adjustment of access rights. It also covers something really important, which is the responsibilities of the user. So the user has a responsibility here, as well, in the active management and the maintaining of the security. We look at, in Section A.9, as well, system and application control, the use of a password management system, and also, access control to program source code.

So this seeks to make users accountable for safeguarding their own authentication information. And also, the system and application control is covered, helping to prevent unauthorized access to systems and applications. So this gives us a great starting point for our approach and ISO 27000 is also based around a risk-based approach to security. So part of ISO 27000 encourages the use of a risk assessment and risk management to define, actively, our response to each of these control areas. We also have ISO 24760. This is more recent. This was developed, one of the standards was developed in 2011, with parts two and three following, up to 2015.

So part one of the standard covers the terminology and the key standards, and key concepts, and it considers the key processes and terms. Interestingly, ISO 24760 also recognizes an identity and something we call a partial identity. So partial identities consist of identities that may be distributed over different partners, that collectively can form an identity. So it’s a very interesting approach. The standard also identifies five lifecycle phases for an identity. And this is helpful. This complements Good Practise Guide 45 and some of the NIST documents very well. The five lifecycle stages are starting at unknown. We have an unknown identity. We’ve not established any degree of trust or evidence.

We don’t have an established identity, but then, can move into becoming active, before ultimately becoming suspended, and possibly becoming archived.

Part two references the architecture and the requirements that we need. And this includes some key terms that we will revisit later in section 11, when we look at the technologies around identity and access management. Terms like reline party and the identity information provider, the IDP, are terms that we see recurring when we look at standards like SAML. Helpfully, it also references and recognizes the importance of importance of stakeholders within the identity management process, the use of use cases, and also, ongoing audit. Once we’ve established accountability, we need to review access, as well.

So this provides the guidelines for the implementation of systems, for the management of identity information, and it specifies the requirements for the implementation and the operation of a framework for identity management. Part three looks at the practise. This is the practical way in which we can comply with the first two parts of this standard. And here, this standard also links to two other useful standards that we should be aware of, ISO 29003 for identity proofing, and ISO 29115 for assurance levels around establishing identities. ISO 24760 also establishes an identity profile with some terms. We have the entity. An entity may have many profiles. Each profile may contain many attributes. And we have a profile and the attributes.

The identifiers allow unique and unambiguous ability to discern between different entities. So we need some way of defining the entities. So this is the unique ID.

We have some great NIST documentation, as well. NIST published special publications, DSP. So we have SP800-63 for Digital Identity Guidelines. We have Digital Authentication Guidelines, 63-3. 63A, the Enrollment and Identity Proofing. 63B, Authentication and Lifecycle Management, and 63C, Federation and Assertions. And this covers, as well, Knowledge Based Authentication, so these are great documents and they’re available free online, as well. And this covers things like minimum password lengths, comparing new passwords to a dictionary, and lots of really interesting stuff on here, and a great source of information that we can use. So NIST recommends using out-of-band authentication to provide two-factor authentication, so using separate channels for our factors.

The NIST guidelines, as well, state that SMS is deprecated for out of bound authentication. So this predated the issues that Google saw with their staff’s SMS messages being compromised. This was a news article in 2018, where Google had problems with some of the SMS messages used as a form of a second factor, used as part of a 2FA solution. And SMS messages, firstly, are plain text when they’re sent across the telephone networks and secondly, if somebody can compromise your device, increasingly, we see SMS messages replicated between devices, onto laptops, tablets, then we have a problem, in terms of the second factor becoming compromised.