
What is the implementation of IDaaS based on Zero Trust Architecture

2025-01-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Many newcomers are unclear about how IDaaS is implemented on a zero trust architecture. To help with this, the following article explains it in detail; readers who need this material can follow along and, I hope, gain something from it.

SaaS delivery of IAM

Identity as a Service (IDaaS), also called authentication as a service, is IAM delivered in the SaaS model: IAM + SaaS = IDaaS.

The user population has moved beyond the boundaries of the organization: customers, suppliers, distributors and other external parties now access enterprise applications. Provisioning and managing access for these users is not always tied to internal directories or human resources processes. Authentication and identity management systems are complex and expensive to build and run, and IDaaS brings the cost advantages of SaaS to them. Related tasks such as managing two-factor authentication and onboarding mobile devices are also time-consuming, so handing them to a service provider is a sound choice.

Behavioral analysis (UEBA) and continuous checking

Because the scope and boundary of the user population are no longer clear, the single sign-on and identity management functions of IDaaS analyze user behavior with machine learning algorithms, and the identity management system re-checks the user continuously whenever that behavior changes.

Standard protocols (OAuth, OIDC, SAML)

IDaaS must implement the standard authentication protocols so that it can offer authentication through them rather than through proprietary interfaces.

Multi-factor authentication

Rich multi-factor authentication capabilities are a necessary part of IDaaS and can be classified as follows:

1. Traditional: UKey, OTP, CA certificates

2. Biometric: face, fingerprint, voice print, palm print

3. The latest standards: FIDO and so on.

Zero trust architecture

In the best practice for an identity-based zero trust architecture, a secure and efficient enterprise digital platform is built around the identity management system, together with trusted terminals, security agents, fine-grained authorization and related components. The following functional services need to be added to the traditional IAM functions:

CARTA

Continuous adaptive risk and trust assessment (CARTA) continuously evaluates risk throughout the user's life cycle and combines API authentication with multi-factor capabilities to require secondary or multiple authentication from the user, giving more comprehensive protection that reduces user risk. When a high-value data, service or API operation is performed, the real-time risk calculation, combined with the multi-factor system, can require the accessing subject to prove its identity again or to present a stronger authentication method. This guards against both active and passive attacks and protects the customer's system security, network security and data security as a whole.

CASBs

A cloud access security broker (CASB) is a tool that monitors and manages traffic between cloud applications and users to help protect the cloud environment. The "four pillars" of CASB are visibility, compliance, data security and threat protection; "access" is the part of CASB that provides threat protection and strengthens access and authentication controls for cloud data and applications. In many cases a CASB can monitor business activity and enforce rules by interacting with the existing IDaaS. One advantage of CASB is its ability to integrate with existing security infrastructure.

UEM

Unified endpoint management (UEM) manages the entire life cycle of any endpoint: mobile (Android, iOS), desktop (Windows 10, macOS, Chrome OS), rugged devices and even IoT (Linux and others). It collects hardware, operating system, application, data, behavior and other information from the terminal for terminal security assessment.

Fine-grained authorization

Finer-grained authorization functions grant access to users, groups, organizations, roles and positions based on the scope of an individual resource, a resource group, a user account or a resource directory, controlling both access and data-access capabilities, and establish a role mutual-exclusion model so that conflicting roles cannot be held together.
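As an added illustration of the fine-grained authorization and role mutual-exclusion model described above (this code is not from the article or any product it names), the following deny-by-default check resolves grants over individual resources, resource groups and directory scopes; the role names, resources and exclusion pairs are constructed.

```python
"""Fine-grained authorization with a role mutual-exclusion (separation of duties) model.
Added illustration; all roles, resources and conflict pairs below are constructed."""
from dataclasses import dataclass, field

# Role pairs that a single principal must never hold together (constructed).
MUTUALLY_EXCLUSIVE = {frozenset({"payment_initiator", "payment_approver"}),
                      frozenset({"auditor", "finance_admin"})}

# Role -> {scope -> allowed actions}. A scope is a single resource path,
# a resource group ("group:...") or a directory prefix ("dir:...") (constructed).
ROLE_GRANTS = {
    "payment_initiator": {"group:finance": {"read", "create"}},
    "payment_approver": {"group:finance": {"read", "approve"}},
    "hr_staff": {"dir:/hr/": {"read", "write"}},
    "auditor": {"dir:/": {"read"}},
}
RESOURCE_GROUPS = {"group:finance": {"/finance/payments", "/finance/payroll"}}


@dataclass
class Principal:
    user: str
    roles: set = field(default_factory=set)


def assign_role(p: Principal, role: str) -> bool:
    """Grant a role unless it conflicts with a role the principal already holds."""
    for held in p.roles:
        if frozenset({held, role}) in MUTUALLY_EXCLUSIVE:
            return False
    p.roles.add(role)
    return True


def scope_matches(scope: str, resource: str) -> bool:
    """Resolve a grant scope against a concrete resource path."""
    if scope == resource:
        return True
    if scope.startswith("group:"):
        return resource in RESOURCE_GROUPS.get(scope, set())
    if scope.startswith("dir:"):
        return resource.startswith(scope[len("dir:"):])
    return False


def is_authorized(p: Principal, action: str, resource: str) -> bool:
    """Deny by default; allow only if a held role grants the action on a matching scope."""
    return any(action in actions and scope_matches(scope, resource)
               for role in p.roles
               for scope, actions in ROLE_GRANTS.get(role, {}).items())
```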

Session management

Tokens unify the control strategy for logout and re-authentication so that users' authenticated sessions can be controlled dynamically. The risk level attached to a newly issued token is adjusted according to the continuous risk assessment engine, which calculates risk from user context and historical data in order to block high-risk behavior.
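The CARTA section and the session management section above describe the same loop: continuously score risk from context, then allow, step up to a stronger factor, or revoke the session and force re-authentication. The example below is an added, constructed illustration of such an engine (not code from the article or any product); the signal names, weights and thresholds are assumptions.

```python
"""Continuous adaptive risk evaluation for an authenticated session (CARTA-style).
Added illustration; signals, weights and thresholds are constructed, not from any product."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"             # continue on the existing session token
    STEP_UP = "step_up"         # require a second or stronger factor first
    REAUTHENTICATE = "reauth"   # revoke the token and force a full login


@dataclass
class AccessContext:
    device_compliant: bool     # posture result from UEM
    behavior_anomaly: float    # 0.0..1.0 anomaly score from UEBA
    new_location: bool         # access from a location absent from history
    resource_sensitivity: int  # 1 (low) .. 3 (high-value data, service or API)
    mfa_age_minutes: int       # minutes since a strong factor was last presented


# Constructed weights; a real engine would tune these from historical data.
WEIGHTS = {"device": 40, "anomaly": 35, "location": 15}


def risk_score(ctx: AccessContext) -> int:
    """Estimate risk on a 0..100 scale from the current access context."""
    score = 0
    if not ctx.device_compliant:
        score += WEIGHTS["device"]
    score += int(WEIGHTS["anomaly"] * ctx.behavior_anomaly)
    if ctx.new_location:
        score += WEIGHTS["location"]
    return min(score, 100)


def token_risk_level(ctx: AccessContext) -> str:
    """Risk label stamped on a token issued under this context."""
    score = risk_score(ctx)
    return "high" if score >= 70 else "medium" if score >= 30 else "low"


def decide(ctx: AccessContext) -> Action:
    """Map the risk level and the value of the target resource to a session control."""
    level = token_risk_level(ctx)
    if level == "high":
        return Action.REAUTHENTICATE
    # High-value operations demand a recent strong factor regardless of score.
    if ctx.resource_sensitivity >= 3 and ctx.mfa_age_minutes > 15:
        return Action.STEP_UP
    return Action.STEP_UP if level == "medium" else Action.ALLOW
```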

BYOI

BYOI (social media identity integration) manages customer identities on digital, customer-facing, multi-channel sites (web, mobile, IoT), where the source of a user is unknown before registration and a user may create multiple false accounts without asserting a verified identity. It can integrate different social media and other identity sources, clean and merge multi-source identities, and manage user identity profiles and tags.

API Auth

Authentication and authorization of APIs (using OAuth/OIDC): in a zero trust architecture, every service and API exposed to an accessing subject must be fronted by a trusted agent. In that access agent, each request from the accessing subject is uniformly authenticated and authorized with API technology, basic API access is dynamically controlled by the risk engine, and the fine-grained authorization capability controls which APIs may be accessed.
