Identity management (IdM), also known as identity and access management (IAM or IdAM), is a framework of policies and technologies to ensure that the right users (that are part of the ecosystem connected to or within an enterprise) have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.
IAM is not just for employees anymore. Organizations must be able to provide secure access for contractors and business partners, remote and mobile users, and customers. With digital transformation, identities are also assigned to Internet of Things (IoT) devices, robots, and pieces of code such as APIs or microservices. Multicloud hybrid IT environments and software-as-a-service (SaaS) solutions further complicate the IAM landscape.
Because it stands between users and critical enterprise assets, identity and access management is a critical component of any enterprise security program. It helps protect against compromised user credentials and easily cracked passwords, which are common network entry points for criminal hackers who want to plant ransomware or steal data.
Identity Management vs Access Management
Identity Management
A digital identity is the key to access. Identities contain information and attributes that define a role, specifically provide or deny access to a given resource, and inform others in the organization who or what that identity belongs to, how to contact them if a person, and where they fit in the overall enterprise hierarchy. Creating an identity can have ripples throughout the organization, for example by creating an email account, setting up an employee record, or generating an entry in an organization chart. Identities are living things in that they can change over time, for example, if an employee takes a new role or moves to a new work location.
Identity Management’s role is to track and manage the changes to all the attributes and entries that define an identity in the corporate repository. Typically these changes can be made only by a select few individuals in the organization, such as a human resources representative who notes an adjusted pay grade, or an application owner granting a group of employees, such as customer service representatives, access to a new CRM system feature.
Access Management
Access management is the authentication of an identity that is asking for access to a particular resource, and an access decision is simply the yes-or-no determination of whether to grant that access.
This can be a tiered process: access services first determine whether a user is authorized for any access on the network at all, and lower tiers then decide whether the identity in question should be granted access to specific servers, drives, folders, files, and applications.
Remember that authentication is not the same thing as authorization. Although an identity (user) may be authorized to be on the corporate network and have an account in the directory, that does not automatically grant it the ability to access every application enterprise-wide. Authorization for any given application or resource is determined by the identity’s attributes, such as which group(s) it belongs to, its level in the organization, or a specific role that was previously assigned.
As with authentication, the granting of authorization can occur in multiple tiers within the organization, for example both as a centralized service and again locally for a given application or resource, although authenticating at the resource or service level is frowned upon because central authentication provides more consistent control.
The difference between Identity and Access Management
The difference between identity management and access management can be simplified like this:
IDENTITY management is all about managing the attributes related to the USER, group of users, or another identity that may require access from time to time.
ACCESS management is all about evaluating those attributes based on existing policies and making a yes or no access decision based on those attributes.
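As an added illustration (not part of the original post), the two halves in working Python: identity management changes the attributes held in a constructed repository, while access management first authenticates and then evaluates those attributes against constructed policies, deny by default. The usernames, groups, resources and policy rules are all invented for the example.

```python
import hashlib, hmac, os
# Constructed identity repository (the part identity management maintains):
# only these attributes, never the credential, drive the access decision.
IDENTITIES = {
    "alice": {"status": "active", "role": "csr", "groups": {"employees", "customer-service"}},
    "bob": {"status": "active", "role": "analyst", "groups": {"employees", "finance"}},
    "carol": {"status": "disabled", "role": "csr", "groups": {"employees", "customer-service"}},
}

# Constructed credential store: salted PBKDF2 hashes, consulted only by authenticate().
def _enroll(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

CREDENTIALS = {u: _enroll(p) for u, p in
               [("alice", "correct horse"), ("bob", "battery staple"), ("carol", "xyzzy")]}

# Constructed policies: a resource is granted only when every condition holds.
# A "groups" condition tests membership; any other attribute must match exactly.
POLICIES = {
    "network": [("status", "active"), ("groups", "employees")],
    "crm": [("status", "active"), ("groups", "customer-service")],
    "ledger": [("status", "active"), ("groups", "finance"), ("role", "analyst")],
}

def authenticate(user, password):
    """Step 1 (authentication): prove who is asking; says nothing about what they may reach."""
    if user not in CREDENTIALS:
        return None
    salt, stored = CREDENTIALS[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return user if hmac.compare_digest(candidate, stored) else None

def _holds(attrs, attribute, required):
    value = attrs.get(attribute, set() if attribute == "groups" else None)
    return required in value if attribute == "groups" else value == required

def authorize(user, resource):
    """Step 2 (authorization): attributes vs. policy; unknown user/resource/attribute -> False."""
    attrs, rules = IDENTITIES.get(user), POLICIES.get(resource)
    return bool(attrs and rules) and all(_holds(attrs, a, r) for a, r in rules)

def tiered_access(user, password, resource):
    """Network tier first, then the specific resource; a failure at any tier denies."""
    ident = authenticate(user, password)
    return ident is not None and authorize(ident, "network") and authorize(ident, resource)

def change_role(user, role, groups):
    """Identity-management side: a job change updates attributes; access follows them."""
    IDENTITIES[user].update(role=role, groups=set(groups))
```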
What is the need for Identity Management?
Companies need IAM to provide online security and to increase employee productivity.
- Security. Traditional security often has one point of failure - the password. If a user's password is breached - or worse yet, the email address used for their password recovery - your organization becomes vulnerable to attack. IAM services narrow the points of failure and backstop them with tools to catch mistakes when they're made.
- Productivity. Once an employee logs on to your main IAM portal, they no longer have to worry about having the right password or the proper access level to perform their duties. Not only does every employee get access to the suite of tools their job requires, but that access can also be managed as a group or role instead of individually, reducing the workload on your IT professionals.
What are the functions of Identity Management?
IAM Standards and Protocols
Security Assertion Markup Language (SAML)
OAuth
OpenID
OpenID Connect (OIDC)
System for Cross-domain Identity Management (SCIM)
IAM Solutions
Management of identities
- Identity lifecycle management
- Provisioning/De-provisioning of accounts
- Workflow automation
- Delegated administration
- Password synchronization
- Self-service password reset
Access control
- Password manager
- Single sign-on (SSO)
- Web single sign-on (Web SSO)
- Role-based access control (RBAC)
- Attribute-based access control (ABAC)
- Privileged Access Management
- Risk-Based Authentication
- Adaptive Authentication
- Zero Trust Solutions
Directory services
- X.500 and LDAP
- Microsoft Active Directory
- NetIQ eDirectory
- Identity repository (directory services for the administration of user account attributes)
- Metadata replication/Synchronization
- Directory virtualization (Virtual directory)
- e-Business scale directory systems
- Next-generation systems - Composite Adaptive Directory Services (CADS) and CADS SDP
Governance
- Identity and Access Governance
- Data Access Governance
Other Categories
- Federation of user access rights on web applications across otherwise untrusted networks
- Directory-enabled networking and 802.1X EAP
Standardization
- ISO/IEC 24760-1 A framework for identity management—Part 1: Terminology and concepts
- ISO/IEC 24760-2 A Framework for Identity Management—Part 2: Reference architecture and requirements
- ISO/IEC DIS 24760-3 A Framework for Identity Management—Part 3: Practice
- ISO/IEC 29115 Entity Authentication Assurance
- ISO/IEC 29146 A framework for access management
- ISO/IEC CD 29003 Identity Proofing and Verification
- ISO/IEC 29100 Privacy Framework
- ISO/IEC 29101 Privacy Architecture
- ISO/IEC 29134 Privacy Impact Assessment Methodology
IAM Technology Vendors
- Oracle with Oracle Identity Manager, Oracle Access Manager
- IBM with IBM Security Identity Manager, IBM Security Access Manager
- Microsoft with Active Directory, Azure AD
- Micro Focus with the NetIQ suite (eDirectory, Identity Manager, Access Manager, etc.)
- OneLogin
- Okta
- Ping Identity
- Auth0