Identity-based security

Identity-based security is an approach to control access to a digital product or service based on the authenticated identity of an individual. This allows organizations to grant access to specific users to access a variety of digital services using the same credentials, ensuring the accurate match between what users are entitled to and what they actually receive,[1] while also permitting other access constraints such as company, device, location and application type (attributes).[2] Underpinning the identity-based security approach is the Identity-Based Access Control (IBAC),[3] (or identity-based licensing[4][5]) concept.

NIST defines identity-based security policies as policies "based on the identities and/or attributes of the object (system resource) being accessed and of the subject (user, group of users, process, or device) requesting access."[6]

Some of the advantages of the identity-based security approach include the ability to exercise very fine-grained control over who is allowed to use which services and which functions those users can perform,[7] and that it is device-agnostic, offering the possibility to enforce access control policy across a variety of devices, such as smartphones, tablets, and PCs.[8]


Identity-based security models

Cyberoam’s approach

The identity-based security network security approach put forward by Cyberoam includes security components that provides visibility and control over user activity in a particular network. It offers a network security system which includes a user's human identity as a part of the firewall rule matching criteria.[9]

The concept includes treating a user's identity as the 8th Layer (also known as the human layer) in the network protocol stack, thus attaching user identity to security while authenticating, authorizing and auditing the network. This takes a different step from conventional security appliances, which bind security to IP-addresses. Such an approach allows organisations to create security policies that align to users and groups rather than to IP addresses which ultimately gives them more precise control over who can access the network—and what they can access.[10]

Identity-based security prevents systems against address spoofing attacks by combining the point of encryption, authentication, and access control into a single unit.[11]

See also

References

  1. "Identity and Access Management: Pillars for effective Personalisation" (PDF). 10duke.com. 2016-02-08. Archived (PDF) from the original on 2017-07-05. Retrieved 2017-11-14.
  2. Linthicum, David (2014). "Analyst Report: Identity-based security and the cloud". Gigaom. Archived from the original on 2016-06-24. Retrieved 2017-11-14.
  3. "Glossary: Identity-Based Access Control". Computer Security Resource Center. NIST. Retrieved 2017-11-14.
  4. "What is identity-based licensing?". 10duke.com. 2016-02-02. Archived from the original on 2017-11-14. Retrieved 2017-11-14.
  5. "Adobe Flash Media Rights Management Server 1.0 Overview for Microsoft Windows, Linux, and UNIX" (PDF). Workflows - Identity-based licensing. Adobe Systems. 2008-05-01. Archived (PDF) from the original on 2017-08-29. Retrieved 2017-11-14.
  6. SP 800-33 - Underlying Technical Models for Information Technology Security, Gary Stoneburner, p. 21, December 2001, NIST Computer Security Publications - NIST Special Publications (SPs), doi:10.6028/NIST.SP.800-33. Retrieved 4 April 2017.
  7. Enrico, Sabbadin (2003-12-23). ".NET Identity and Principal Objects". informIT. Pearson Education. Archived from the original on 2017-11-14. Retrieved 2017-11-14.
  8. Powell, James E. (2012-07-16). "Q&A: Addressing BYOD with Identity-Based Security". Enterprise Systems Journal. Archived from the original on 2017-11-14. Retrieved 2017-11-14.
  9. Identity based security, cyberoam.com.
  10. Identity-Based Firewall Security, cisco.com.
  11. Identity-Based Security, arubanetworks.com
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.