A Comparative Analysis of SecurityServices Using Identity and AccessManagement (IAM)

Muddychetty, Nithya Sree

January 2024

Background: Identity and Access Management (IAM) is a critical IT securityframework for managing digital identities and resource access. With roots datingback to ancient civilizations, IAM has evolved from basic authentication to sophisticated methods. Okta, a leading cloud-based IAM platform founded in 2009, excelsin identity management, authentication, and access control. It is recognized for itscommitment to security and adaptability to cybersecurity challenges. As of October2023, Okta maintains its prominent position in the IAM market, acknowledged byGartner’s Magic Quadrant for Access Management, worldwide. Objectives: The objective of this thesis is to conduct a comprehensive comparative analysis of security services, specifically focusing on their integration with IAMsolutions. This investigation seeks to provide an examination of security serviceslike Multi-factor authentication (MFA) and Single Sign On (SSO) and evaluate theireffectiveness in conjunction with IAM. By doing so, we aim to determine which security approach offers the most robust protection in our digitally interconnected world. Methods: The primary goal of this methodology is to create a robust, secure,and user-friendly authentication and access management system using Okta withinan IAM framework. This involves the integration of both MFA and SSO features.To kickstart the process, we establish a controlled environment that mirrors thereal-world scenarios. Okta is chosen as the IAM tool, and its deployment involvesmanaging user identities, controlling access, and handling authentication. Results: The result of the study on the comparative analysis of security servicesusing IAM reveals distinct differences in the effectiveness and features among securityservices. Key findings highlight variations in authentication methods, authorizationmechanisms, and overall security robustness. This comprehensive examination provides valuable insights into the strengths and weaknesses of different IAM-basedsecurity services, offering a foundation for informed decision-making in selecting themost suitable solution for specific organizational needs. Conclusions: This thesis conclusively demonstrates the efficacy of integrating SSOand MFA into IAM. The incorporation of Biometric Authentication and Time basedOne Time-Password (TOTP) in MFA garnered strong user preference. SSO implementation streamlined authentication, reducing steps and enhancing ease of use.The overwhelmingly positive user feedback and robust security measures validateSSO+MFA as a valuable contribution to IAM, ensuring data security and user confidence.

Access Control Lists

Identity Access Management

Multi-Factor Authentication

One time password

Single sign on

System Usability Scale

Virtual private network

Computer Sciences

Datavetenskap (datalogi)

Das Paradigma des homogenen Enterprise Access Managements sowie ein Vorschlag zur unternehmensweit konsistenten Zugriffssteuerung

Rottleb, René

13 November 2003

Bei der Umsetzung moderner Managementkonzepte wie bspw. Supply Chain Management, Customer Relationship Management und Partner Relationship Management werden Anwendungssysteme wertschöpfungskettenübergreifend eingesetzt. Das bedeutet, dass sowohl interne als auch externe Benutzer auf verschiedene Anwendungssysteme eines Unternehmens zugreifen. Die daraus resultierenden Anforderungen werden als Paradigma des homogenen Enterprise Access Managements (hEAM) beschrieben. Zur Umsetzung dieser Anforderungen wird ein Referenzmodell zur anwendungssystemübergreifend konsistenten Zugriffssteuerung (MAKS) entwickelt. Eine entsprechende Realisierungsmöglichkeit in Form eines zentralen Rollen- und Rechtemanagementsystems (ZR2MS) ergibt sich aus der Referenzarchitektur zur anwendungssystemübergreifend konsistenten Zugriffssteuerung (A2KS).

A2KS

Access Management

Benutzermanagement

MAKS

Organisationsmodellierung

Referenzarchitektur

Referenzmodell

Rolle

Rollentyp

Verzeichnis

Verzeichnisdienste

Verzeichnissystem

ZR2MS

Zugriffssteuerung

Directory

Directory Services

Directory System

Enterprise Access Management

Enterprise Application Integration

Enterprise Portal

Extranet

Web Services

ddc:330

rvk:QP 530

Wertschöpfungskette

Das Paradigma des homogenen Enterprise Access Managements sowie ein Vorschlag zur unternehmensweit konsistenten Zugriffssteuerung

Rottleb, René

08 December 2003

Bei der Umsetzung moderner Managementkonzepte wie bspw. Supply Chain Management, Customer Relationship Management und Partner Relationship Management werden Anwendungssysteme wertschöpfungskettenübergreifend eingesetzt. Das bedeutet, dass sowohl interne als auch externe Benutzer auf verschiedene Anwendungssysteme eines Unternehmens zugreifen. Die daraus resultierenden Anforderungen werden als Paradigma des homogenen Enterprise Access Managements (hEAM) beschrieben. Zur Umsetzung dieser Anforderungen wird ein Referenzmodell zur anwendungssystemübergreifend konsistenten Zugriffssteuerung (MAKS) entwickelt. Eine entsprechende Realisierungsmöglichkeit in Form eines zentralen Rollen- und Rechtemanagementsystems (ZR2MS) ergibt sich aus der Referenzarchitektur zur anwendungssystemübergreifend konsistenten Zugriffssteuerung (A2KS).

info:eu-repo/classification/ddc/330

ddc:330

New authentication mechanism using certificates for big data analytic tools

Velthuis, Paul

January 2017

Companies analyse large amounts of sensitive data on clusters of machines, using a framework such as Apache Hadoop to handle inter-process communication, and big data analytic tools such as Apache Spark and Apache Flink to analyse the growing amounts of data. Big data analytic tools are mainly tested on performance and reliability. Security and authentication have not been enough considered and they lack behind. The goal of this research is to improve the authentication and security for data analytic tools.Currently, the aforementioned big data analytic tools are using Kerberos for authentication. Kerberos has difficulties in providing multi factor authentication. Attacks on Kerberos can abuse the authentication. To improve the authentication, an analysis of the authentication in Hadoop and the data analytic tools is performed. The research describes the characteristics to gain an overview of the security of Hadoop and the data analytic tools. One characteristic is that the usage of the transport layer security (TLS) for the security of data transportation. TLS usually establishes connections with certificates. Recently, certificates with a short time to live can be automatically handed out.This thesis develops new authentication mechanism using certificates for data analytic tools on clusters of machines, providing advantages over Kerberos. To evaluate the possibility to replace Kerberos, the mechanism is implemented in Spark. As a result, the new implementation provides several improvements. The certificates used for authentication are made valid with a short time to live and are thus less vulnerable to abuse. Further, the authentication mechanism solves new requirements coming from businesses, such as providing multi-factor authenticationand scalability.In this research a new authentication mechanism is developed, implemented and evaluated, giving better data protection by providing improved authentication.

Cloud Access Management

certificate on demand

Apache Spark

Apache Flink

Kerberos

transport security layer (TLS)

Authentication

Multi Factor Authentication

Authentication for data analytic tools

certificate based Spark authentication

public key encryption

distributed authentication

short valid authentication

Computer Sciences

Datavetenskap (datalogi)