Additional use cases across IAM categories #7
Created a slurry of use cases for each significant category of IAM services and capabilities required in an enterprise today. It's late and I can't think of any others in the "normal" categories of use cases for "normal" enterprises, but I will submit another PR with more advanced security specific related ones.
If you liked what I did the first time, you'll probably hate these new additions. Given the work our team does with FedRAMP and the DoD, these are the common ones we work with B2B SaaS vendors on to help ensure security compliance and mitigate risk, while effectively spreading the security responsibilities with the enterprise customers and enabling them to help themselves.
Update ipsie-v1-draft.md with advanced security stories
Meh, I don't like how I did it with the additional new security updates PR and probably should have submitted them separately. I'll accept my flogging next time we're in person.
### **1. Secure Authentication Mechanisms**
1. **As a developer, I want to force re-authentication of the user with a stronger credential during privileged actions, so that my customers have an additional layer of security during their tenant configuration changes.**
There is an implied requirement here - we have to be able to classify credential strength and communicate that classification in a manner that they can be compared easily.
### **2. Session and Token Management**
1. **As a developer, I want to store tokens securely and prevent long-lived token usage, so that stolen tokens cannot be exploited.**
2. **As a developer, I want to implement short-lived access tokens and automatic refresh token rotation, so that token misuse is minimized.**
3. **As a developer, I want to detect and terminate sessions from suspicious IP addresses, so that session hijacking is prevented.**
Can we expand this further to "... I want to detect changes, such as the use of suspicious IP addresses, non-compliance with device management practices, or the presence of malware on the end user's device, so that I may terminate sessions..."
My thought here is that we really want the ability to detect material changes which would force either re-authN or terminate a session entirely, depending on the nature/severity of the state change.
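The stories in sections 1 and 2 above, together with the two reviewer points (credential strength must be classifiable and comparable; material state changes should force either re-authentication or termination depending on severity), can be modelled in a few dozen lines. The following is an added example written for this page, not code from the IPSIE draft or from this PR. The class and method names, the 5-minute access-token lifetime, the 2-minute step-up window and the severity mapping (malware or a non-compliant device terminates, a new IP downgrades assurance and forces step-up) are all assumptions chosen for illustration.

```python
"""Added example (not from the IPSIE draft or this PR): a toy session model
covering step-up re-authentication with a comparable credential-strength
classification (1.1), short-lived access tokens with refresh token rotation and
reuse detection (2.1/2.2), and re-evaluation of session state on material
changes such as a new IP, a device falling out of compliance or malware on the
endpoint (2.3 as the reviewer proposed extending it). All names, windows and
thresholds are assumptions chosen for illustration."""
import secrets
import time
from enum import IntEnum

ACCESS_TTL = 300       # assumed: access tokens live 5 minutes
STEP_UP_WINDOW = 120   # assumed: a strong re-auth satisfies step-up for 2 minutes


class Strength(IntEnum):
    """Ordered credential strength, so authenticators can be compared with >=."""
    PASSWORD = 1
    OTP = 2                  # second factor, but phishable
    PHISHING_RESISTANT = 3   # e.g. FIDO2/WebAuthn or PIV


class SessionTerminated(Exception):
    pass


class Session:
    def __init__(self, user, strength, ip, device_compliant, now=None):
        now = time.time() if now is None else now
        self.user = user
        self.ip = ip
        self.device_compliant = device_compliant
        self.alive = True
        self.last_auth = {"strength": strength, "at": now}
        # Refresh tokens form a chain; only the head is valid, every earlier
        # token is remembered so that a replay can be recognised.
        self.current_refresh = secrets.token_urlsafe(32)
        self.seen_refresh = {self.current_refresh}
        self.access = self._mint_access(now)

    def _mint_access(self, now):
        return {"token": secrets.token_urlsafe(32), "exp": now + ACCESS_TTL}

    def _require_alive(self):
        if not self.alive:
            raise SessionTerminated(f"session for {self.user} is terminated")

    def refresh(self, presented, now=None):
        """Rotate the refresh token; replay of a rotated-out one revokes the chain."""
        now = time.time() if now is None else now
        self._require_alive()
        if presented != self.current_refresh:
            if presented in self.seen_refresh:
                # A rotated-out token came back: either the client or someone
                # who stole a copy holds it, so burn the session instead of guessing.
                self.terminate("refresh token reuse")
                raise SessionTerminated("refresh token reuse detected")
            raise ValueError("unknown refresh token")
        self.current_refresh = secrets.token_urlsafe(32)
        self.seen_refresh.add(self.current_refresh)
        self.access = self._mint_access(now)
        return self.access["token"], self.current_refresh

    def reauthenticate(self, strength, now=None):
        now = time.time() if now is None else now
        self._require_alive()
        self.last_auth = {"strength": strength, "at": now}

    def privileged_action(self, required, now=None):
        """Step-up check: a recent re-auth with a credential at least `required` strong."""
        now = time.time() if now is None else now
        self._require_alive()
        fresh = now - self.last_auth["at"] <= STEP_UP_WINDOW
        strong = self.last_auth["strength"] >= required
        return fresh and strong

    def observe(self, ip=None, device_compliant=None, malware_detected=False):
        """Re-evaluate on a material change; returns 'ok', 'reauth' or 'terminated'."""
        self._require_alive()
        if malware_detected:
            self.terminate("malware on end-user device")
            return "terminated"
        if device_compliant is False and self.device_compliant:
            self.device_compliant = False
            self.terminate("device fell out of compliance")
            return "terminated"
        if ip is not None and ip != self.ip:
            # A new network location is suspicious but not conclusive: keep the
            # session but drop its assurance so the next privileged action
            # requires a fresh, strong re-authentication.
            self.ip = ip
            self.last_auth = {"strength": Strength.PASSWORD, "at": 0}
            return "reauth"
        return "ok"

    def terminate(self, reason):
        self.alive = False
        self.current_refresh = None
        self.access = None
```

The ordered `Strength` enum is what makes the reviewer's implied requirement concrete: a relying party can state "this action needs at least PHISHING_RESISTANT" and compare it against whatever the identity provider reports, provided both sides agree on the same scale. The `observe` method keeps severity explicit in one place, so the "re-auth versus terminate" policy can be reviewed and changed without touching token handling.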
### **5. Advanced Identity Management**
1. **As a developer, I want to support non-person entity (NPE) authentication, so that services and APIs can securely access resources.**
We have not actually discussed whether this is in/out of scope. Flagging this for further discussion with @aaronpk.
Thanks for this @topperge. It looks like this is both expanding some of the things in the current list, as well as adding some new things to the scope. Would you mind re-creating this PR separately, one PR for adding the new topics, and another PR for the reorganization of the existing things in the list? Thanks!
First commit was just some spelling updates, second commit is ~5 use cases per IAM category to focus on merging a list I had with the one Aaron created.