Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 158

Traditionally, identity management has only been thought of in terms of human users. With the publication of the Open ID 2.0 standard, it's clear that identity management has to embrace both human users (the traditional subjects of access control and identity management) and nonhuman users such as the devices people use, autonomous mobile systems, IoT devices, bots, and other software entities. As of this writing, we do not have an “entity and identity” management lifecycle, but this will have to change as more organizations go towards zero trust architectures and their need to identify, track, and model the behavior of all entities, human or non, that are attempting to access their resources.

Identity management is often described as a set of major functions, such as provisioning, review, and revocation. These actually involve a number of more fine-grained tasks at the detailed level, by which systems administrators do the following:

 Create a new identity.

 Determine which systems and assets that identity should have access privileges to.

 Determine what authentication factors, including what security tokens or devices (company-owned, employee-owned or BYOD, or a mix of both) will be used for access and for work-related functions.

 Provision that identity into those systems.

 Review those privileges as circumstances, on-the-job duties and responsibilities, or business needs evolve.

 Add, modify, or revoke some or all privileges as required.

 Suspend or revoke an identity.

 Delete the identity from active systems.

From this list, you can see that creating and provisioning an identity creates the data that drives your authentication and authorization processes; accounting then links this new identity to the transaction-level history of access attempts and their results. Accounting data is then used during privilege review.

Previous sections in this chapter have looked at authentication in greater detail. Let's look further at some of the other identity management tasks and processes.