Cyber law requirements – IdM series part 5.

In the last part of this series, we went over two areas: access management, which is closely related to identity management, and managing SSH key distribution for Linux users. We learned about user authentication and authorization, single sign-on and sign-off (SSO), solutions for sharing identities between partner systems (federation and the related BYOID), and the security risks of access management along with the RAdAC standard solution.

In this episode, we will first learn about selected Cyber Law requirements that can be implemented using identity and access management tools and ISO 27001. We will then look at technical solutions for identity managers – what options the market offers for implementation and how to navigate them.

Cyber law

The Cyber Law, in full “Zákon č. 181/2014 Sb., o kybernetické bezpečnosti” (CZ), abbreviated ZoKB, defines the requirements for the operator or administrator of a critical information infrastructure or a significant information system according to Act 432/2010 Coll. Put simply, a critical infrastructure element is one whose disruption causes:

  • more than 250 deaths or 2500 people hospitalized for 1 day,
  • a loss of more than 0.5% of GDP,
  • intervention in daily life for more than 125,000 people.

A significant information system is one whose disruption will significantly jeopardise the exercise of public authority.

How IdM can help with ZoKB requirements

Identity management can help address the requirements for role management, access control and policy setting. Let’s take a look at specific examples of the benefits (for a more detailed introduction to each area, see the previous parts of this series).

Role management

Using Identity Manager, we can set rules for assigning permissions. Using roles, we can control who occupies which role and which permissions cannot be held at the same time.

Cyber law requirement

Requirement for permanent staffing of roles and for incompatibility of roles.

Access control and secure user behaviour

  • The organization allocates and removes access rights according to the methodology.
  • The organisation shall periodically review access rights and their allocation.

Access Permission Control Tool

  • Access control at the level of individual applications and parts of the data in the application.
  • Read-Write-Delete access control.
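The role rules above can be enforced twice: when a role is requested and again during the periodic review. The following is an added example, not code from the article or from any IdM product; the role names, user names and data shapes are hypothetical, and it reads the staffing requirement as "every required role has at least one holder", which is an assumption.

```python
from itertools import combinations

# Constructed sample data; role and user names are hypothetical.
INCOMPATIBLE = {frozenset({"payment_creator", "payment_approver"})}
REQUIRED_ROLES = ["security_manager", "system_admin"]
ASSIGNMENTS = {
    "alice": {"payment_creator"},
    "bob": {"payment_creator", "payment_approver"},
    "carol": {"system_admin"},
}


def can_assign(user, role, assignments, incompatible):
    """Preventive check at request time: refuse a role that conflicts with one held."""
    held = assignments.get(user, set())
    return not any(frozenset({role, h}) in incompatible for h in held)


def review(assignments, incompatible, required_roles):
    """Periodic review: report existing conflicts and required roles nobody holds."""
    conflicts = []
    for user in sorted(assignments):
        for a, b in combinations(sorted(assignments[user]), 2):
            if frozenset({a, b}) in incompatible:
                conflicts.append((user, a, b))
    held = set().union(*assignments.values())
    unstaffed = sorted(set(required_roles) - held)
    return {"conflicts": conflicts, "unstaffed": unstaffed}


if __name__ == "__main__":
    print(review(ASSIGNMENTS, INCOMPATIBLE, REQUIRED_ROLES))
    print(can_assign("alice", "payment_approver", ASSIGNMENTS, INCOMPATIBLE))
```

The review catches conflicts that predate the rule or were granted outside the request workflow, which the request-time check alone would miss.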

Recording of technical accounts

Program and application accounts can be registered in Identity Manager and, for example, exempted from password expiration.

Cyber law requirement

Access control and secure user behaviour

  • applications that log into the critical infrastructure must have their own program/application account.

Identity management

With IdM, we can control the use of shared accounts.

Cyber law requirement

Access control and secure user behaviour

  • there must be no shared accounts (each individual must have a different identifier under which they log in and work on the CI).

Managing privileged accounts

Privileged accounts can be managed using both Identity Manager and the key distribution management tool.

Cyber law requirement

Access control and secure user behaviour

  • the organisation also manages privileged accounts.

Security policies

Rules are set and enforced in Identity Manager. Policies can be applied, for example, to passwords.

Cyber law requirement

Access control and secure user behaviour

  • A tool that enforces password policy.

A tool for authenticating user identity

  • Requirements for password complexity and length, password change policies, and special policies for privileged accounts.
  • Passwords must be a minimum of 8 characters, valid for a maximum of 100 days, contain uppercase, lowercase, numeric, and special characters, and may not be changed more than once every 24 hours. For administrators, it must be a minimum of 15 characters.
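The password rules listed above, together with the expiry exemption for technical accounts described under "Recording of technical accounts", written as a policy check. This is an added example, not code from the article or from any IdM product; the `Account` record, the account kinds and the definition of a special character are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LENGTH = {"user": 8, "admin": 15}        # lengths stated in the text
MAX_AGE = timedelta(days=100)                 # maximum password validity
MIN_CHANGE_INTERVAL = timedelta(hours=24)     # at most one change per 24 hours
CHAR_CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "numeric": str.isdigit,
    "special": lambda c: not c.isalnum(),     # assumption: any non-alphanumeric
}


@dataclass
class Account:                                # hypothetical record, not an IdM schema
    login: str
    kind: str                                 # "user", "admin" or "technical"
    password_set_at: datetime


def complexity_errors(password: str, kind: str) -> list[str]:
    """Return the length and character-class rules the candidate breaks."""
    # Assumption: technical accounts follow the ordinary user minimum length.
    required = MIN_LENGTH.get(kind, MIN_LENGTH["user"])
    errors = []
    if len(password) < required:
        errors.append(f"shorter than {required} characters")
    for name, test in CHAR_CLASSES.items():
        if not any(test(c) for c in password):
            errors.append(f"no {name} character")
    return errors


def change_errors(account: Account, new_password: str, now: datetime) -> list[str]:
    """Validate a password change request, including the 24-hour change limit."""
    errors = complexity_errors(new_password, account.kind)
    if now - account.password_set_at < MIN_CHANGE_INTERVAL:
        errors.append("changed less than 24 hours ago")
    return errors


def is_expired(account: Account, now: datetime) -> bool:
    """Technical accounts are exempt from expiry; all others expire after 100 days."""
    if account.kind == "technical":
        return False
    return now - account.password_set_at > MAX_AGE
```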

Key distribution

The purpose of key distribution management is to securely manage the issuance and distribution of keys as login credentials for (mostly privileged) accounts.

Cyber law requirement

Cryptographic resources

  • The possibilities of the ciphers used are specified.
  • Requirement to have a key management system to ensure the generation, distribution, storage, archiving, modification, destruction, control and audit of keys.

Access Management

AM, as an active element in user access control, helps where it is necessary to monitor user activity in real time, and also where we need to record user activity in information systems (in cooperation with those systems).

Cyber law requirement

Access Permission Control Tool

  • Record logins on critical infrastructure.

Audit and reporting

Recording important events in Identity Manager and subsequent auditing and reporting is one of the essential functionalities of IdM.

Cyber law requirement

Managing cyber security events

  • Processes on how to detect, conduct and report security incidents.

Figure 1 – Audit points of the Cyber Law requirements from the perspective of IdM, AM and KDM

ISO 27001

From the perspective of ISO standards, identity management contributes most significantly to the ISMS, the information security management system, published in the Czech version as CSN ISO/IEC 27001. Here are the reasons for introducing it, linked to the fulfilment of the requirements in the following chapters:

  • Organizational requirements for access control – to restrict access to information and information processing equipment (A.9.1.1-2).
  • User access control – to ensure authorised user access and prevent unauthorised access to systems and services. (A.9.2.1-6)
  • User responsibilities – to make users responsible for protecting their authentication information. (A.9.3.1)
  • Access control to systems and applications – to prevent unauthorised access to systems and applications. (A.9.4.1-5)
  • Cryptographic measures – to ensure the proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. (A.10.1.1-2)

So much for the legislative and regulatory requirements. Let us now look at some aspects of the implementation of identity management in terms of the requirements we might have for such a system.

Technical solution

Within the physical implementation of identity management, there are two interrelated areas to be described:

  • architecture – what we will connect to what and what we will make available to users,
  • implementation capabilities – what tool we will use to implement.

Solution architecture

Integration with enterprise systems

An identity management system must first and foremost be able to communicate with the enterprise applications whose users it is intended to manage. In general, the more specialised the software, the more expensive the solution.

Therefore, it is easiest to connect systems with well-known interfaces – LDAP and database servers, text files, web services. Next in line are widely deployed systems such as Active Directory, Exchange, SAP, Solaris OS. For the rest, you then need to develop code to connect, which can be the most expensive. These are mostly systems not supported by the identity manager vendor or developed in-house.

User interface

Identity manager provides information for different types of users, typically:

  • Configurators – they take care of the correct configuration of IdM and its functionalities.
  • Administrators – manage users and permissions, run reports and audits.
  • Approvers – depending on the level of integration with the Helpdesk, perform approvals of role requests.
  • End users – access the user self-service where they can request roles, change passwords and view their information.

This user interface can then be displayed to these types of users in different ways:

  • As a standalone application, running on its own web address – the most common use case, administrators and configurators typically work in this mode.
  • Integration into a portal or Helpdesk – this way the user has an interface integrated with the one they are used to. Especially suitable for end users.
  • Mobile and tablet interface – any type of user can access the identity manager from a computer, tablet or mobile. This is achieved either by a responsive design of the chosen user interface or a native application for the mobile platform (Android, iOS and others).

Implementation options

In the implementation part we will discuss the following areas:

  • Proprietary solutions.
  • Closed source versus open source.
  • On-premises versus cloud.
  • IDaaS and IAMaaS.

Custom solutions

The most straightforward option to implement identity management is to create your own proprietary solution, either on a peer-to-peer basis with direct interconnection of information systems, or via an enterprise service bus (ESB). Such an in-house solution can be inexpensive, and certainly quick to deploy in the beginning. However, it carries the following risks:

  • With each system added, complexity grows exponentially.
  • Depending on the formality and level of documentation of such work, it is difficult to manage in the future (for example, after the author has left).
  • Advanced features may become more expensive to complete (role management, auditing of company policies).

Leaving aside the development of Identity Manager in-house, we can find a number of identity managers on the market. How do these solutions differ in terms of implementation?

Closed versus Open source

One consideration is whether the code is open source (open source project) or whether the code is closed and only the producer has access to it (closed source, proprietary software). Open source solutions bring the following advantages:

  • the possibility to check the implementation of key functionalities (for example, working with Active Directory),
  • development by the community – faster response to current topics and faster release of new versions,
  • the possibility to develop the product on your own.

Figure 2 – On-premises Identity Manager, principle

On-premises versus Cloud

The second view of Identity Managers looks at how the solution is operated for the customer:

  • On-premises – the solution is run on customer-owned infrastructure; this is the traditional, and today still dominant, way of deploying IdM. Even in terms of vendor offerings, this solution still dominates. However, it can be expected that it will gradually be replaced by IdM in the cloud.
  • Cloud – IdM is offered here in service mode, available as a hosted solution. We are talking here about SaaS, Software as a Service – a model in which the running of the software is outsourced to a cloud server. The software and the data associated with it are hosted in the cloud. Sometimes this model is also referred to as on-demand software. One of the first Czech flagships in this direction is SkyIdentity.

Figure 3 – Cloud Identity Manager, principle

IDaaS and IAMaaS

In the area of identity and access management in the cloud, we can encounter the terms IDaaS and IAMaaS. What do these terms mean?

  • IDaaS, Identity as a Service – a solution from the IAM area, in which a company outsources authentication and SSO to a service provider, who then manages this part of the infrastructure.
  • IAMaaS, Identity and Access Management as a Service – a way of managing IT resources in which a company outsources IAM to a service provider that manages it. Here, the provider is responsible for the physical security of the solution.

Figure 4 – Identity as a Service (IDaaS), principle

Conclusion

The last part of the series was dedicated to the Cyber Law, ISO standard 27001 and technical solutions. We discussed the relevant requirements from an identity and access management perspective for both this new legislation and the information security standard, and looked at where identity management can help and how. In the technical solution section we discussed the architecture design for Identity Manager and compared the options for its implementation.

And that concludes the whole “What is IdM” series.

Author: Petr Gašparík