Overview
Overview of concepts within the Keycard platform.
At the core of the Keycard platform is a powerful identity and access management (IAM) system. Keycard products and SDKs aim to make IAM simple and understandable for developers and administrators. Deeper knowledge of the underlying concepts allows a person to take full advantage of the platform and its capabilities. This guide provides those details.
Identity & Access
Section titled “Identity & Access”Identity as a concept has deeply philosphical connotations. In the realm of technology, this is reflected in recursive contructs that depend on one another, creating an infinite regress. This can make dicussions about identity and access challenging, and to practitioners seeking to solve problems, frustrating.
While this guide seeks to explain identity concepts in detail, those details present inherent complexity. This guide takes a pragmatic approach, explaining how to apply concepts in practice, solving problems faced by users, administrators, and developers. We hope this helps, at least in part, to reduce frustration.
To start, the three fundamental capabilities an IAM system must deliver are:
- Authentication
- Authorization
- Accounting (a.k.a. Auditing)
These three capabilities, often abreviated AAA, ensure that the proper access controls are in place across the systems we collectively build and operate.
Capabilities
Section titled “Capabilities”Authentication
Section titled “Authentication”Authentication is the process of verifying who or what is accessing protected systems. The “who” is people - human users who are accessing resources. The “what” is software - applications that people use and, increasingly, agents that people delegate tasks to.
Authentication entails verifing credentials.
People authenticate using credentials that they know, such as a password, or have, such as a passkey on their device or a dedicated hardware security key.
Applications authenticate as well. Commonly, albeit problematically, applications are configured with static secrets and API keys. Increasingly, applications can authenticate using cryptographic assertions which attest to the cloud platform or device on which the software is running.
Authorization
Section titled “Authorization”Authorization is the process of controlling what actions users and applications are allowed to take when accessing protected systems. These protected systems are known as resources.
Authorization involves evaluating policy, which checks attributes of the user (including which groups they are a member of or which roles they have been assigned), the application (including delegated authority and software attestation), and other context (such time of day and network location).
The result of evaluating policy is decision regarding which actions, if any, are permitted. If no actions are permitted, access is denied.
Accounting
Section titled “Accounting”Accounting is the process of collecting information about the actions that users and applications take on protected resources.
Accounting supplies the data necessary for a variety of purposes, including auditing access, ensuring compliance with regulations, and billing and capacity planning.
Access Management
Section titled “Access Management”Access management encompasess authentication, authorization, and accounting.
In order to effectively administer how access is managed, distinct security domains known as zones are created. Zones allow for separating different departments and divisions within a company or isolating applications and environments that are operated as part of providing a product or service.