2018 | Book

Securing the Perimeter

Deploying Identity and Access Management with Free Open Source Software


About this book

Leverage existing free open source software to build an identity and access management (IAM) platform that can serve your organization for the long term. With the emergence of open standards and open source software, it’s now easier than ever to build and operate your own IAM stack.

The most common culprit of the largest hacks has been bad personal identification. In terms of bang for your buck, effective access control is the best investment you can make. Financially, it’s more valuable to prevent than to detect a security breach. That’s why Identity and Access Management (IAM) is a critical component of an organization’s security infrastructure. In the past, IAM software has been available only from large enterprise software vendors. Commercial IAM offerings are bundled as “suites” because IAM is not just one component. It’s a number of components working together, including web, authentication, authorization, cryptographic, and persistence services.

Securing the Perimeter documents a recipe to take advantage of open standards to build an enterprise-class IAM service using free open source software. This recipe can be adapted to meet the needs of both small and large organizations. While not a comprehensive guide for every application, this book provides the key concepts and patterns to help administrators and developers leverage a central security infrastructure.

Cloud IAM service providers would have you believe that managing an IAM is too hard. Anything unfamiliar is hard, but with the right road map, it can be mastered. You may find SaaS identity solutions too rigid or too expensive. Or perhaps you don’t like the idea of a third party holding the credentials of your users—the keys to your kingdom. Open source IAM provides an alternative. Take control of your IAM infrastructure if digital services are key to your organization’s success.

What You’ll Learn

Understand why you should deploy a centralized authentication and policy management infrastructure

Use the SAML or OpenID standards for web single sign-on, and OAuth for API access management

Synchronize data from existing identity repositories such as Active Directory

Deploy two-factor authentication services

Who This Book Is For

Security architects (CISO, CSO), system engineers/administrators, and software developers

Table of contents

Frontmatter
Chapter 1. Introduction
Abstract
The goal of this book is to demystify Identity and Access Management (IAM). There are thousands of professionals around the world helping companies with IAM, but that’s not enough. In this book we aim to increase the supply of IAM engineers by sharing some of the techniques and strategies developed over the last 20 years in a wide range of industries. Whether you are starting a small organization or deploying an IAM solution for a huge enterprise, the techniques presented in this book should help you deploy a solution based on Free Open Source Software (FOSS) to meet your needs. Nothing in this book is hard, and if you put the time into it, you can be an IAM professional too!
Michael Schwartz, Maciej Machulak
Chapter 2. LDAP
Abstract
Directory services are a critical part of your identity infrastructure. Many components in the identity stack need to either read or write data. While any database could work, a popular choice for many identity projects is LDAP. This chapter is not a comprehensive guide to LDAP. If you are deploying LDAP in your environment, study the documentation for your LDAP Server of choice. Like other chapters in this book, the goal here is to give an overview of the technology and brief descriptions of some open source software tools.
Michael Schwartz, Maciej Machulak
Chapter 3. SAML
Abstract
By the late 1990s, people were starting to get tired of entering the same username and password on different websites. LDAP helped organizations implement “single-password,” but didn’t enable web “single sign-on” (SSO). While some vendors were offering solutions for web SSO, SAML—the Security Assertion Markup Language—emerged as one of the first standards to enable a person to authenticate once and access websites both inside and outside their organization. The use case of a person accessing websites outside their home domain came to be known as identity federation. And the protocols that enable this are known as federation protocols.
Michael Schwartz, Maciej Machulak
Chapter 4. OAuth
Abstract
OAuth 2.0 (or simply “OAuth”, because OAuth 1.0 is now irrelevant) defines a mechanism for using bearer tokens to make authorized HTTP requests. Simple possession of a bearer token enables access. For example, a long time ago in New York City, if you had a “subway token,” you inserted it into the turnstile and entered the subway station. No questions asked: you have the token, you get in. Bearer tokens are also called “access tokens”.
Michael Schwartz, Maciej Machulak
Chapter 5. OpenID Connect
Abstract
Despite OAuth’s close association with authentication, if you want to use it for web or mobile login, you should use OpenID Connect. Both a profile and an extension of OAuth, OpenID Connect defines some of the features necessary to use OAuth for federated identity.
Michael Schwartz, Maciej Machulak
Chapter 6. Proxy
Abstract
A proxy is a web server middle-man. It receives an HTTP request from a client, forwards it to another web server, and after receiving a response, returns it to the client (see Figure 6-1). Proxies should be "transparent," meaning they don’t impact either the client or the backend web service.
Michael Schwartz, Maciej Machulak
Chapter 7. Strong Authentication
Abstract
Wouldn't you rather stop a security breach than detect it? So why do organizations have a love affair with intrusion detection systems and neglect strong authentication? While an IDS can detect a breach, strong authentication may stop it entirely. Numerous surveys done over the years have shown that passwords are the most common cause of information security breaches. Upgrading authentication may be the best investment you can make in enterprise security in terms of effectiveness.
Michael Schwartz, Maciej Machulak
Chapter 8. User-Managed Access
Abstract
Today, you use OAuth 2.0 to authorize software to access your own stuff, but what if you want to let someone else access your stuff? We call this "Alice to Bob sharing". This is one of the primary use cases for the User-Managed Access (UMA) protocol. Alice and Bob don’t have to be humans; either can be a non-person entity (NPE), such as a software process or company. With UMA, Alice can use any authorization server to share data with Bob. It's up to Bob and the clients he is using to interact with the authorization servers of Alice's choosing. Moreover, Alice can choose to use the same authorization server for different protected information that she wants to share with Bob: this data can be distributed, yet access to it can be centralized with UMA. An interesting property of UMA is that it also handles asynchronous authorization. For example, Bob may request access to something, and Alice may not approve the request until she's online. Likewise, Alice can also create a policy at the authorization server that gives access to some data to Bob; she does not have to be online for access to be granted.
Michael Schwartz, Maciej Machulak
Chapter 9. Identity Management
Abstract
Although this book is primarily about IAM, not IDM or IAG, it would have been a missed opportunity not to provide a short overview of some of the free open source software tools for IDM: Evolveum MidPoint, Apache Syncope, Wren:IDM, and Gluu Casa.
Michael Schwartz, Maciej Machulak
Chapter 10. Multiparty Federation
Abstract
Federated identity protocols like SAML and OpenID Connect enable us to authenticate people in other domains, but trust issues quickly surface. For example, if your organization operates a website with valuable content and someone you authenticated at another domain steals the content, what recourse do you have? If your organization operates an OpenID Provider (OP), and a relying party website (RP) is hacked, potentially exposing your account holders' personal information, do you expect to be notified? What rights do you have to update your personal information at identity providers or websites that you use? These related federated trust considerations are aptly described by Scott David, a legal identity scholar, as the "triangle of trust" (see Figure 10-1).
Michael Schwartz, Maciej Machulak
Backmatter
Metadata
Title
Securing the Perimeter
Written by
Michael Schwartz
Maciej Machulak
Copyright year
2018
Publisher
Apress
Electronic ISBN
978-1-4842-2601-8
Print ISBN
978-1-4842-2600-1
DOI
https://doi.org/10.1007/978-1-4842-2601-8