Identity and Access Management Protocols
Identity and Access Management protocols are designed specifically for the transfer of authentication information and consist of a series of messages in a preset sequence designed to protect data as it travels through networks or between servers. By using third-party authentication, IAM protocols eliminate the necessity of storing login credentials within the system for which they’re used, providing a solution for organizations and institutions seeking to prevent the misuse or abuse of login credentials and reduce the risk of data breaches.
Breakdown of Identity and Access Management Protocols
Ensuring data confidentiality and integrity is critical in an era where many organizations rely on cloud services, Internet of Things (IoT) connectivity, Artificial Intelligence (AI) and machine learning. Users must be properly identified, authenticated and authorized to access data and applications without compromising the security of login credentials.
Common identity management standards handle user requests for access to data or applications and deliver responses based on the information a user provides. If the format of the information, such as a password or biometric identifier, is correct, the protocol allows the level of access assigned to the user within the system.
Several IAM protocols exist to support strong IAM policies by securing data and ensuring its integrity during transfer. Generally known as “Authentication, Authorization, Accounting” or AAA, these identity management protocols provide standards for security to simplify access management, aid in compliance, and create a uniform system for handling interactions between users and systems.
The Lightweight Directory Access Protocol (LDAP) is an open-source protocol not associated with any specific vendor, although it does provide the basis for Microsoft’s Active Directory. LDAP was established as an industry standard in the 1990s and is among the oldest identity and access management protocols. It runs above the TCP/IP stack and is most often used in modern organizations as a tool to handle authentication for on-premise applications.
As the name suggests, LDAP is associated with directory access. When a user wants to connect to a directory, search its contents or modify the directory itself, LDAP relays the information necessary for authentication and subsequent authorization. The protocol is flexible and can be customized to the needs of systems to make locating and interacting with resources on a network easier and more secure.
The Security Assertion Markup Language (SAML) protocol is most often used in systems employing the Single Sign-On (SSO) method of access control. In SSO, one set of credentials allows users to access multiple applications. This method is most beneficial when users must move between applications during sessions. Instead of requiring individual logins for each application, SSO makes use of data already authenticated for the session to streamline the switch between applications. The resulting increase in efficiency helps prevent bottlenecks in the authorization process.
SAML is an open standard, making it available to any organization. However, it can’t be used to authenticate or authorize device connections and isn’t popular for supporting access to internal applications. This effectively limits the protocol to third-party applications, such as the cloud tools used by most modern businesses. As Software-as-a-Service (SaaS) continues to grow in popularity, SAML is an integral part of corporate IAM.
Like SAML, OpenID is used for web applications and can be seen in practice when interacting with products from Google and Yahoo!. Implementing this protocol is less complicated than implementing SAML, making it more accessible for a variety of applications.
Part of the benefit of OpenID for consumer applications is the ability for users to maintain a consistent identity across platforms. It supports the use of a single identifier and password to connect with every service a user is authorized to access. In a web environment, this means the user’s avatar and profile remain the same between services. This makes users easier to recognize and preserves the continuity sought by those working to become influencers and thought leaders.
Businesses are beginning to make use of OpenID in cloud applications to leverage the benefit it offers in terms of efficiency. It provides the same advantage as SAML in its ability to streamline workflows involving multiple applications and helps to maintain the integrity of individual user identities within complex systems.
Large customer-facing platforms like Facebook, Google and Twitter rely on OAuth to connect third-party applications with the permission of users. OAuth works by allowing approved applications to use login credentials from one service or platform to provide access to additional applications without requiring separate logins. Authorization may be granted or revoked by the user at any time.
When credentials are sent using this protocol, OAuth works to authenticate the identity of the initial user and authorize connections between applications. This type of authorization is known as “secure, third-party, user-agent, delegated” authorization and doesn’t require the initial credentials to be transferred between applications in order for a user to gain access.
OAuth is similar to OpenID in its applications and has some of the same functionality as SAML. Because it grants access without creating another point at which access credentials can be compromised, OAuth can benefit organizations using or building applications for which such extended access is required.
Kerberos is a free, open protocol developed at the Massachusetts Institute of Technology (MIT) that uses a system of tickets and authenticators to verify user identities. It isn’t in wide usage except by Microsoft Windows applications, in which it aids in the automatic sign-in process for Microsoft products and resources.
In systems using Kerberos, a “Kerberos realm” is created to encapsulate all the resources to which a user may request access. This realm also houses the Key Distribution Center (KDC), in which reside the authentication server (AS) and the ticket granting server (TGS). Providing authentication credentials using the SSO method triggers a series of actions in which the user’s information is located, encrypted keys are sent back and forth between the user and the server and, if the access credentials are correct, a ticket is granted for the session. In this client-server identification scenario, information is verified back and forth between the user and the system to establish authenticity of credentials and proof of identity.
The benefit of this complex system of servers, keys and tickets is that the user’s password doesn’t have to be stored on a local server or sent over the network connection. Instead, the entire process is handled within the Kerberos realm. This makes Kerberos identity management protocols particularly useful for the transfer of information over non-secure networks. Keys and tickets provide security for authorization data, thereby protecting credentials from hackers.
Once used to authenticate users on dialup connections, the Remote Authentication Dial-In User Service (RADIUS) is now employed mostly for network services, such as wireless connections, VPNs and network infrastructure.
RADIUS works by encrypting authentication credentials within a packet and is sometimes used with an LDAP server to increase the level of security and provide a greater degree of access control. RADIUS is best suited for applications requiring general authorization, but due to shortcomings in the protocol, it has largely been replaced by updated AAA standards.
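The credential protection described above, as an added example that is not part of the original article: it implements the User-Password hiding from RFC 2865 section 5.2, where the protection covers that one attribute and is built from MD5 keyed with the shared secret and the 16-octet Request Authenticator. The secret and authenticator values are constructed for illustration.

```python
import hashlib

# Constructed sample values (not from the article).
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))  # must be random per request in real use


def _mask(secret: bytes, prev: bytes) -> bytes:
    # Each 16-octet mask is MD5(shared secret + previous block).
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Produce the User-Password attribute value per RFC 2865 section 5.2."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    # Pad with NUL octets to a multiple of 16.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], _mask(secret, prev)))
        hidden += block
        prev = block  # the next mask chains on the previous hidden block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password using the same shared secret."""
    if len(authenticator) != 16 or not hidden or len(hidden) % 16:
        raise ValueError("malformed User-Password or authenticator")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, _mask(secret, prev)))
        prev = block
    # Padding NULs are stripped, so a password cannot end in NUL.
    return clear.rstrip(b"\x00")


if __name__ == "__main__":
    value = hide_password(b"correct horse battery", SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    print(value.hex())
    print(reveal_password(value, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR))
```

Because the mask depends only on the shared secret and the authenticator, the strength of this protection rests on a long random secret and an unpredictable authenticator for every request.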
When RADIUS was in common use, it functioned to store user profiles in a central database, allowing remote servers to share the information and organizations to implement improved security measures by housing all user data in one place.
Named as a bit of a play on words, Diameter evolved out of RADIUS and is now replacing the older protocol with a message-based authentication system. Diameter works over TCP and Stream Control Transmission Protocol (SCTP) to exchange positive and negative messages between the user and the system, resulting in access being granted to authorized users and denied to those without proper credentials.
Diameter is built on peer-to-peer architecture and functions using three nodes:
- The client node receives access requests from users
- The server node is responsible for processing information from access requests
- The agent node acts as an intermediary between the client and the server
This protocol improves upon RADIUS by allowing more dynamic rules for handling authentication, increased security for message exchanges and better control over the details of access control policies. Encryption prevents packets of information from being intercepted and decoded, and improved service quality ensures all packets are exchanged instead of some being dropped as can occur with RADIUS.
With many businesses relying heavily on SaaS for information exchange, collaboration and customer service tasks, it’s essential to have a protocol with the ability to support dynamic shifts in access requirements. The System for Cross-domain Identity Management (SCIM) protocol fills this role as an open standard capable of automating the exchange of identification data from one IT system to another.
SCIM makes lifecycle management easier by giving organizations the power to automatically provision or deprovision users as they come into or leave a system. By sharing attribute information, SCIM is able to aid in the management of user permissions and maintain unity in data.
Failing to revoke access once a user no longer requires entry into a system leaves the system vulnerable to insider and third-party threats. Organizations adopting SCIM as part of an access management strategy can greatly reduce the risk posed by accounts belonging to former users by ensuring users leaving the system are unable to log in after they no longer require access.
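One way to check for the risk described above, as an added example that is not part of the original article: it compares SCIM User resources against a leaver list and builds the SCIM 2.0 PATCH (RFC 7644) that sets `active` to false for each account that should already be disabled. The user records, the leaver list, and the function names are constructed for illustration, and a user with no `active` attribute is assumed to be enabled.

```python
from datetime import datetime, timezone

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample data: SCIM User resources reduced to the fields used here.
SAMPLE_USERS = [
    {"id": "u-1001", "userName": "alice@example.com", "active": True},
    {"id": "u-1002", "userName": "Bob@example.com", "active": True},
    {"id": "u-1003", "userName": "carol@example.com", "active": False},
    {"id": "u-1004", "userName": "dave@example.com"},  # no "active" attribute
]
# Constructed leaver list from a hypothetical HR export: userName -> last day.
SAMPLE_LEAVERS = {
    "bob@example.com": datetime(2024, 1, 15, tzinfo=timezone.utc),
    "carol@example.com": datetime(2024, 1, 10, tzinfo=timezone.utc),
    "dave@example.com": datetime(2024, 3, 1, tzinfo=timezone.utc),
}


def find_stale_accounts(users, leavers, now):
    """Return users whose leave date has passed but who can still sign in."""
    stale = []
    for user in users:
        left_on = leavers.get(user["userName"].lower())
        # Assumption: a missing "active" attribute means the account is enabled.
        if left_on is not None and left_on <= now and user.get("active", True):
            stale.append(user)
    return stale


def deactivate_request(user):
    """Build the SCIM PATCH that disables one account without deleting it."""
    return {
        "method": "PATCH",
        "path": f"/Users/{user['id']}",
        "body": {
            "schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}],
        },
    }


def plan_deprovisioning(users, leavers, now):
    """Requests to send to the SCIM service provider, one per stale account."""
    return [deactivate_request(u) for u in find_stale_accounts(users, leavers, now)]
```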
Unlike most other common identity and access management standards, the Terminal Access Controller Access Control System (TACACS) is owned by Cisco. It was originally developed for the U.S. Department of Defense as a protocol to simplify the process of authentication and authorization so that users could move between machines within a complex infrastructure without the need for multiple logins.
Using TCP, user credentials are sent from a remote access server to a central authentication server to complete the authentication process. Authentication packets are fully encrypted to protect the information as it travels between devices and servers.
TACACS has since been updated to TACACS+ and is among the most popular AAA protocols. Most commonly used in UNIX networks, TACACS provides large organizations with granular control over command authorization. This supports the level of security necessary to protect sensitive, confidential and classified information from being accessed by unauthorized users.
The blockchain is often associated with cryptocurrency such as Bitcoin, but this unique “digital record” also has powerful applications for IAM security. It consists of “blocks” of information containing details about users: their identifying attributes, what they can access and what they own. Unlike databases handled by an administrator or organization, the blockchain has no single owner and operates more like a network of multiple databases, each a replica of the other. Information within the databases is synchronized for uniformity and can be accessed by users within a particular blockchain network.
Using the blockchain for authentication could change the way users interact with systems and the framework on which organizations base their access control policies. Since blockchain networks eliminate the need for intermediary gateways or software, using the technology for authentication not only reduces costs but also increases security. Intermediaries are no longer necessary due to the availability of information to trusted parties in blockchain networks, and no information found in the blockchain need ever be stored on a traditional server. Instead, identification attributes and login credentials are hashed and stored in the blockchain and can be accessed directly as the basis for authorization.
Because each of these identity and access management standards has different applications, IAM professionals must work with organizations and institutions to implement appropriate protocols to ensure data security.
Standards have been updated in the past to address changes in technology and the new vulnerabilities presented by an increased influx of data. As the IoT, AI and machine learning all evolve, protocols will continue to change. Timely updates will keep systems secure and continue to provide the protection necessary for integrity of credentials and the security of sensitive data. Maintaining security standards ensures compliance with regulations and allows systems to continue operating without unauthorized interference.