Identity and Access management (IAM or IdAM) - IT Security Pundit

Monday, January 31, 2022

Identity management (IdM), also known as identity and access management (IAM or IdAM), is a framework of policies and technologies to ensure that the right users (that are part of the ecosystem connected to or within an enterprise) have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.

IAM is not just for employees anymore. Organizations must be able to provide secure access for contractors and business partners, remote and mobile users, and customers. With digital transformation, identities are also assigned to Internet of Things (IoT) devices, robots, and pieces of code such as APIs or microservices. Multicloud hybrid IT environments and software-as-a-service (SaaS) solutions further complicate the IAM landscape.

Because it stands between users and critical enterprise assets, identity and access management is a critical component of any enterprise security program. It helps protect against compromised user credentials and easily cracked passwords, which are common network entry points for criminal hackers who want to plant ransomware or steal data.


Identity Management vs Access Management

Identity Management


A digital identity is the key to access. Identities contain information and attributes that define a role, specifically provide or deny access to a given resource, and inform others in the organization who or what that identity belongs to, how to contact them if a person, and where they fit in the overall enterprise hierarchy. Creating an identity can have ripples throughout the organization, for example by creating an email account, setting up an employee record, or generating an entry in an organization chart. Identities are living things in that they can change over time, for example, if an employee takes a new role or moves to a new work location.

Identity Management’s role is to track and manage the changes to all the attributes and entries that define identity in the corporate repository. Typically these changes can be made only by a select few individuals in the organizations, such as a human resources representative who notes an adjusted pay grade, or an application owner granting a group of employees such as customer service representatives access to a new CRM system feature.

Access Management


Access management is the authentication of an identity that is asking for access to a particular resource, and access decisions are simply the yes or no decision to grant that access.

This can be a tiered process, with access services that determine whether a user is authorized for any access on the network at all, and lower tiers of access that authenticate where the identity in question should be granted access to specific servers, drives, folders, files, and applications.

Remember that authentication is not the same thing as authorization. Although an identity (user) may be authorized to be on the corporate network and has an account in the directory, that does not automatically grant that identity the ability to access every application enterprise-wide. Authorization for any given application or resource will be determined by the identity’s attributes, such as which group(s) it belongs to, its level in the organization or a specific role that was previously assigned.

As with authentication, the granting of authorization can occur in multiple tiers within the organization, for example, both as a centralized service and again locally for a given application or resource, although authenticating at the resource or service level is frowned upon as central authentication provides more consistent control.

The difference between Identity and Access Management

The difference between identity management and access management can be simplified like this:

IDENTITY management is all about managing the attributes related to the USER, group of users, or another identity that may require access from time to time.

ACCESS management is all about evaluating those attributes based on existing policies and making a yes or no access decision based on those attributes.

What is the need for Identity Management?

Companies need IAM to provide online security and to increase employee productivity.

  1. Security. Traditional security often has one point of failure - the password. If a user's password is breached - or worse yet, the email address for their password recoveries - your organization becomes vulnerable to attack. IAM services narrow the points of failure and backstop them with tools to catch mistakes when they're made.
  2. Productivity. Once an employee logs on to the main IAM portal, they no longer have to worry about having the right password or proper access level to perform their duties. Not only does every employee get access to the right suite of tools for their job, but their access can also be managed as a group or role instead of individually, reducing the workload on your IT professionals.

What are the functions of Identity Management?

IAM systems provide this core functionality:

  1. Identity Management. IAM systems can be the sole directory used to create, modify, and delete users, or they may integrate with one or more other directories and synchronize with them. Identity and access management can also create new identities for users who need a specialized type of access to an organization's tools.
  2. Provisioning/Deprovisioning Users. Specifying which tools and access levels (editor, viewer, administrator) to grant a user is called provisioning. IAM tools allow IT departments to provision users by role, department, or another grouping in consultation with the managers of that department. Since it is time-consuming to specify each individual's access to every resource, identity management systems enable provisioning via policies defined based on role-based access control (RBAC). Users are assigned one or more roles, usually based on job function, and the RBAC IAM system automatically grants them access. Provisioning also works in reverse; to avoid the security risks presented by ex-employees retaining access to systems, IAM allows your organization to quickly remove their access.
  3. Authentication. IAM systems authenticate a user by confirming that they are who they say they are. Today, secure authentication means multi-factor authentication (MFA) and, preferably, adaptive authentication.
  4. Authorization. Access management ensures a user is granted the exact level and type of access to a tool that they're entitled to. Users can also be portioned into groups or roles so large cohorts of users can be granted the same privileges.
  5. Reporting. IAM tools generate reports after most actions are taken on the platform (like login time, systems accessed, and type of authentication) to ensure compliance and assess security risks.
  6. Single Sign-On. Identity and access management solutions with single sign-on (SSO) allow users to authenticate their identity with one portal instead of many different resources. Once authenticated, the IAM system acts as the source of identity truth for the other resources available to the user, removing the requirement for the user to remember several passwords.
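The joiner/mover/leaver flow and the tiered yes-or-no access decision described above, as an added example written for this page (not the blog's or any vendor's code). The role names, resources, access levels and the user "alice" are constructed sample data; a real directory would hold far more attributes, but the mechanics are the same: identity management changes the roles, access management evaluates them.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role -> set of (resource, access level).
# An IAM administrator would define these per job function.
ROLE_ENTITLEMENTS = {
    "customer-service": {("crm", "viewer"), ("ticketing", "editor")},
    "crm-admin": {("crm", "administrator")},
    "finance": {("ledger", "editor")},
}

# Ordering of access levels so "administrator" implies "editor" and "viewer".
ACCESS_RANK = {"viewer": 1, "editor": 2, "administrator": 3}


@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)
    active: bool = True


class IdentityStore:
    """Directory-like store that provisions, changes and deprovisions users by role."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _check_roles(roles):
        unknown = set(roles) - ROLE_ENTITLEMENTS.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")

    def provision(self, user_id, roles):
        # Joiner: the account is created with the roles of its job function.
        self._check_roles(roles)
        self.users[user_id] = Identity(user_id, set(roles))

    def change_roles(self, user_id, add=(), remove=()):
        # Mover: a transfer or promotion changes roles; entitlements follow.
        self._check_roles(add)
        ident = self.users[user_id]
        ident.roles |= set(add)
        ident.roles -= set(remove)

    def deprovision(self, user_id):
        # Leaver: disable rather than delete so audit history is kept,
        # and drop every role so no entitlement survives.
        ident = self.users[user_id]
        ident.active = False
        ident.roles.clear()

    def entitlements(self, user_id):
        """Effective access per resource: the highest level any role grants."""
        ident = self.users.get(user_id)
        if ident is None or not ident.active:
            return {}
        effective = {}
        for role in ident.roles:
            for resource, level in ROLE_ENTITLEMENTS[role]:
                current = ACCESS_RANK.get(effective.get(resource), 0)
                if ACCESS_RANK[level] > current:
                    effective[resource] = level
        return effective

    def authorize(self, user_id, resource, level):
        """Tiered yes/no decision: is the account active at all, and then
        does an assigned role grant at least `level` on `resource`?"""
        ident = self.users.get(user_id)
        if ident is None or not ident.active:
            return False
        granted = self.entitlements(user_id).get(resource)
        return granted is not None and ACCESS_RANK[granted] >= ACCESS_RANK[level]


if __name__ == "__main__":
    store = IdentityStore()
    store.provision("alice", ["customer-service"])
    print(store.authorize("alice", "crm", "viewer"))          # True
    print(store.authorize("alice", "crm", "administrator"))   # False
    store.change_roles("alice", add=["crm-admin"])
    print(store.authorize("alice", "crm", "administrator"))   # True
    store.deprovision("alice")
    print(store.authorize("alice", "crm", "viewer"))          # False
```

Note that deprovisioning clears roles and marks the account inactive rather than deleting it: the first tier of `authorize` then refuses the account outright, which is the quick removal of access the text calls for, while the record remains for reporting.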

IAM Standards and Protocols

An IAM system is expected to be able to integrate with many different systems. Because of this, there are certain standards or technologies that all IAM systems are expected to support: Security Assertion Markup Language, OpenID Connect, and System for Cross-domain Identity Management.

Security Assertion Markup Language (SAML)

SAML is an open standard used to exchange authentication and authorization information between an identity provider system such as an IAM and a service or application. This is the most commonly used method for an IAM to provide a user with the ability to log in to an application that has been integrated with the IAM platform.

OAuth

OAuth (Open Authorization) is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. This mechanism is used by companies such as Amazon, Google, Facebook, Microsoft, and Twitter to permit users to share information about their accounts with third-party applications or websites.

OpenID

OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by cooperating sites (known as relying parties, or RP) using a third-party identity provider (IDP) service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log into multiple unrelated websites without having to have a separate identity and password for each. Users create accounts by selecting an OpenID identity provider and then use those accounts to sign onto any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites.

OpenID Connect (OIDC)

OIDC is a newer open standard that also enables users to log in to their application from an identity provider. It is very similar to SAML but is built on the OAuth 2.0 standards and uses JSON to transmit the data instead of XML which is what SAML uses.

System for Cross-domain Identity Management (SCIM)

SCIM is a standard used to automatically exchange identity information between two systems. Though both SAML and OIDC can pass identity information to an application during the authentication process, SCIM is used to keep the user information up to date whenever new users are assigned to the service or application, user data is updated, or users are deleted. SCIM is a key component of user provisioning in the IAM space.
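The create/update/delete synchronisation SCIM performs, as an added example written for this page (it is not the SCIM specification's code or any IdP's connector). The two user tables are constructed sample data using a subset of the SCIM core User attributes (`userName` as the key, `displayName`, `active`); the HTTP method names in the plan mirror how a SCIM client would express each change to the application's `/Users` endpoint.

```python
# Constructed SCIM-style user records: what the identity provider (the source
# of truth) holds, and what the application currently holds.
IDP_USERS = {
    "alice@example.test": {"displayName": "Alice Adams", "active": True},
    "bob@example.test": {"displayName": "Bob Brown", "active": True},
    "carol@example.test": {"displayName": "Carol Clark", "active": False},  # left last week
}

APP_USERS = {
    "alice@example.test": {"displayName": "Alice Adams", "active": True},
    "carol@example.test": {"displayName": "Carol Clark", "active": True},   # not yet disabled
    "dave@example.test": {"displayName": "Dave Davis", "active": True},     # unknown to the IdP
}


def plan_sync(idp_users, app_users):
    """Return the SCIM-like operations that bring app_users in line with idp_users."""
    ops = []
    for user_name, record in idp_users.items():
        if user_name not in app_users:
            ops.append(("POST", user_name, record))      # new user to create
        elif app_users[user_name] != record:
            ops.append(("PUT", user_name, record))       # changed attributes, incl. active=False
    for user_name, record in app_users.items():
        if user_name not in idp_users and record.get("active", True):
            # Orphan: no matching identity at the source of truth. Disable rather
            # than delete so the account's history stays available for audit.
            ops.append(("PATCH", user_name, {"active": False}))
    return ops


def apply_sync(ops, app_users):
    """Apply the planned operations to a copy of the application's user table."""
    users = {name: dict(record) for name, record in app_users.items()}
    for method, user_name, payload in ops:
        if method in ("POST", "PUT"):
            users[user_name] = dict(payload)
        elif method == "PATCH":
            users[user_name].update(payload)
    return users


if __name__ == "__main__":
    plan = plan_sync(IDP_USERS, APP_USERS)
    for op in plan:
        print(op)
    print(apply_sync(plan, APP_USERS))
```

Running the plan a second time against the synchronised table yields no operations, which is the property a provisioning connector needs so that repeated runs are safe.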

IAM Solutions

Solutions that fall under the category of identity management may include:

Management of identities

  • Identity lifecycle management
  • Provisioning/De-provisioning of accounts
  • Workflow automation
  • Delegated administration
  • Password synchronization
  • Self-service password reset

Access control

  • Password manager
  • Single sign-on (SSO)
  • Web single sign-on (Web SSO)
  • Role-based access control (RBAC)
  • Attribute-based access control (ABAC)
  • Privileged Access Management
  • Risk-Based Authentication
  • Adaptive Authentication
  • Zero Trust Solutions

Directory services

  • X.500 and LDAP
  • Microsoft Active Directory
  • NetIQ eDirectory
  • Identity repository (directory services for the administration of user account attributes)
  • Metadata replication/Synchronization
  • Directory virtualization (Virtual directory)
  • e-Business scale directory systems
  • Next-generation systems - Composite Adaptive Directory Services (CADS) and CADS SDP

Governance

  • Identity and Access Governance
  • Data Access Governance 

Other Categories

  • Federation of user access rights on web applications across otherwise untrusted networks
  • Directory-enabled networking and 802.1X EAP

Standardization

ISO (and more specifically ISO/IEC JTC1, SC27 IT Security techniques WG5 Identity Access Management, and Privacy techniques) is conducting some standardization work for identity management (ISO 2009), such as the elaboration of a framework for identity management, including the definition of identity-related terms. The published standards and current work items include the following:

  • ISO/IEC 24760-1 A framework for identity management—Part 1: Terminology and concepts
  • ISO/IEC 24760-2 A Framework for Identity Management—Part 2: Reference architecture and requirements
  • ISO/IEC DIS 24760-3 A Framework for Identity Management—Part 3: Practice
  • ISO/IEC 29115 Entity Authentication Assurance
  • ISO/IEC 29146 A framework for access management
  • ISO/IEC CD 29003 Identity Proofing and Verification
  • ISO/IEC 29100 Privacy Framework
  • ISO/IEC 29101 Privacy Architecture
  • ISO/IEC 29134 Privacy Impact Assessment Methodology

IAM Technology Vendors

  • Oracle with Oracle Identity Manager, Oracle Access Manager
  • IBM with IBM Security Identity Manager, IBM Security Access Manager
  • Microsoft with Active Directory, AzureAD
  • MicroFocus with NetIQ Suite (eDirectory, Identity Manager, Access Manager, etc.)
  • OneLogin
  • Okta
  • Ping Identity
  • Auth0
