SABSA Practitioner: Architecture & Design

Module PT1: SABSA Identity and Access Management Architecture - Course Content

1. Basic Concepts and Components for I&AM from the SABSA Matrix

  • Naming schemes and standards: Unique names; aliases; X.500 and LDAP; authorisation and the concept of credentials
  • Cryptographic concepts and services for I&AM: ciphers; symmetric and asymmetric algorithms; keys, encryption; data authentication and integrity protection techniques; digital signatures and non-repudiation
  • Authentication exchange mechanisms; cryptographic key management principles and models; cryptographic services architectures; relative strengths of cryptographic algorithms; concept of information entropy
  • Personal authentication: passwords, tokens and biometrics; multi-factor strong authentication; matching password entropy to cryptographic key entropy in client systems; password management good practice
  • Security lifetimes and deadlines applied in I&AM: time-outs, passwords, cryptographic keys and certificates; time-stamps and currency of data
  • Finite state machines: modelling entity interactions; applications in the design of access management protocols; application for cryptographic, handshaking and authentication protocols

2. Identity and Access Management (I&AM) Strategy

  • Goals of I&AM; business drivers for I&AM
  • SABSA Business Attributes Profiling for I&AM
  • Control objectives for I&AM

3. Entity Relationships and Trust

  • Security entities, relationships and trust; SABSA trust modelling; one-way, two-way and transitive trust models; SABSA analysis of complex trust models; trust broker models
  • Protecting trust-relationships: applying public key technology to I&AM; trusted third party registration and certification; the components of a PKI; planning a PKI strategy
  • Registration and enrolment: registration authorities and policies; strength of registration processes; authorisation and role assignment; levels of trust

4. I&AM Policy

  • Goals of I&AM policy; SABSA security policy architecture related to I&AM policy; I&AM policy principles
  • Security domains, domain owners and domain policies; security domain policy authority; sub-domains, super-domains; inter-domain relationships and shared policy negotiation; isolated domains, independent domains. Interaction rules, agreed security services and mechanisms
  • Security policies and classification applied to I&AM: classification of information and of systems; access policy management; owners, users and custodians; I&AM policy management in outsourcing
  • Trust in domains: security associations; trusted entities; conditional and unconditional trust, transitive trust; logical and physical domains; multi-domain environments; domain interaction; applying the security domain concepts to application security and network security; VPNs and firewalls; extended application domains

5. Conceptual, logical and physical I&AM architectures

  • I&AM in the SABSA layered infrastructure reference architecture. I&AM services; SABSA I&AM service management architecture: managing I&AM services and securing service management
  • High-level overview of XML and related security standards for I&AM: web services architecture; XML schema, XML encryption and digital signature; SOAP and its extensions; S2ML and SAML; WS-Security; XACML; XML security issues; XML firewalls
  • Access control: concepts and architectures; role-based access control; SABSA central access management architectures; decoupling the user from the target application using roles; context-based access control
  • Overview of discretionary and mandatory access control; formal access control models; controlling access to files, file directories and databases; user account management; default user accounts; system-level privilege management; third party access management; emergency access management
  • Entity authentication exchange: concepts and logical architecture models as in ISO/IEC 10181; authentication of users, devices, sessions and messages. Non-repudiation
  • Overview of access management technologies and standards: SSL & TLS; SecurID; Kerberos; Project Sesame; IPsec; DNSSEC; SASL and SASL2
  • Federated I&AM: SAML2; Liberty Alliance Project; WS-Federation; federated PKI
  • Security administration and provisioning: access monitoring and audit trails; physical access controls; personnel security management; segregation of duties

6. Directory services architecture

  • SABSA directory services reference model; directory services management; directory objects, entities and entity classes; entity attributes; directory hierarchical structures, inheritance and transitivity; security equivalence
  • SABSA reference architectures for a directory and associated access management services
  • Directory service information model; naming model; functional model; security model
  • Entity schemas; role associations; authorisation, privilege profiles; credentials; certificates and tickets