An Executive Guide to Identity Access Management - 2nd Edition
About this ebook
In this high-level executive guide to Identity and Access Management, we discuss the good, the bad and the ugly aspects. We consider why you need IAM, how it helps with security, compliance and governance and, importantly, how it can save you a fortune in time, effort and money on compliance auditing. However, it's not all good news, so we will discuss the problems you will face, the reasons for the high failure rates in deployment and the best practices you can follow to mitigate the risks of failure. In this second edition, we also contemplate how deploying IAM will reap benefits in the enterprise and discuss strategy and best practices for deployment in the cloud, commerce, IoT and hybrid enterprise scenarios. We will also consider IDaaS and other next-generation approaches to IAM such as Identity Relationship Management (IRM).
Reviews for An Executive Guide to Identity Access Management - 2nd Edition
3 ratings, 1 review
- Rating: 5 out of 5 stars
Aug 19, 2017
I have really enjoyed reading details on the IAM. Excellent Summary to say the least.
Book preview
An Executive Guide to Identity Access Management - 2nd Edition - Alasdair Gilchrist
Chapter 1 - An Executive IAM Overview
Identity: the fact of being who or what a person or thing is. The sameness in all that constitutes the objective reality of a thing: oneness.
Identity management is a core concept in IT security, as it is the way we manage who can access what. Traditionally, IT has approached this through knowledge-based authentication, that is, something the user knows, such as a password. This has served IT very well in the past, although for more security-sensitive applications IT has often required identification to be supplemented with a second factor: something the user has in their possession, such as a keycard or token. High security applications have required more stringent authentication techniques based on something you are, i.e. a biometric indicator such as a fingerprint or an iris scan, or some form of speaker or facial recognition.
These techniques served IT well over the decades when only people at a fixed location on a predetermined workstation or computer needed to be identified and authorized. However, mobility has changed all that: IT now has to manage who can access what, when, how and from where. Indeed, IT is no longer just authenticating users but also devices, as BYOD (Bring Your Own Device) has become not only an acceptable but the prevalent business model. IT therefore must be able to identify the smartphones, tablets, laptops and other user-owned devices that will be used to access the network.
Additionally, it is not just people and devices that require identification and authorization; it is also sensors and appliances, anything that connects to and interacts with the network, because in the age of the IoT (Internet of Things) all of these components will also have to be screened and authenticated before being allowed access to the network.
Consequently, identity and access management has become a technology in its own right, as IT cannot manage this scope manually. As a result, vendors have rushed to fill the niche in the market with IdM (Identity Management), AM (Access Management) or IAM (Identity and Access Management) products. And therein lies our first problem: making sense of the identity and access management alphabet soup.
Identity Management vs. Access Management
To consider what the term Identity Management means, we have to look at its definition. In the purest sense, Identity Management is about authentication and verification: authenticating and verifying that you are, or the device is, who you claim to be, and then assigning the user or device a category or role. That is solely the function of identity management. However, you will often hear many experts and vendors use the term for their products in the broadest sense, which encompasses, in addition to authentication, another function: authorization.
Identity management (IdM) and access management (AM) work so closely together that sometimes their different responsibilities become blurred. At a high level, there shouldn't be any confusion, as identity management focuses on authentication, whereas access management is aimed at authorization.
But what are authentication and authorization?
Authentication is about determining that the person or entity is genuine: they are who or what they claim to be.
Authorization is applying policy to permit or refuse access to an authenticated entity.
Therefore, we can say that:
IdM is responsible for authentication: it creates an identity record, an account, which has several attributes. These attributes are meaningful and specific to the organization maintaining the records. IdM then assigns the identity, the record, to a relevant category (group, role) for ease of administration. However, IdM only provides authentication of the entity; it has no control over subsequent authorization, which is the domain of access management.
Access Management is different, as it only applies access policy. Access management plays no role in authentication; it deals solely with authorization of already authenticated entities. Access management enforces policy on the groups and roles created by IdM.
So where does the confusion arise?
Identity Management
An IdM system provisions an identity (creates an account with meaningful attributes) at the beginning of the process and de-provisions the account once it is no longer required, such as when a person leaves the company or a smartphone is lost or stolen.
IdM assigns attributes to help it classify people or devices by placing them in a group or a role. For example, an accountant might be placed in the finance group with the role of accountant. When creating the identity (account), IdM will also stipulate the method used for authentication, which could be a password, biometrics or a passkey.
Access Management
Proving an identity and matching it to an account is not much use on its own if there is no authorization policy attached to that account. Access management is consequently responsible for creating and enforcing access policy. Access management provides granularity of policy: it applies rules based on roles and enforces authorization policy (what the authenticated user can do) on the groups and user accounts created by IdM. This is termed Role Based Access Control (RBAC).
Vendors, engineers and consultants will often use the term Identity Management almost as shorthand for the full suite of methods and technologies that provide a complete identification and authorization system. An example is Oracle's IAM 11g platform, which has many modules that address identity, authorization, compliance and auditing. Even though Identification Management is but a single component of that suite, it is still referred to as Oracle Identification Management (OIM).
IAM
Identity Management (IdM) has become more than just a method of authentication. Several vendors will portray their products as being IdM or identity and access management (IAM), when in essence they are a suite of products that determine a user's or device's authenticity and then apply authorization rules. Some of these IdM products do not address governance or auditing, or lack a reporting facility. To be truly considered a modern IAM solution, such as Oracle's OIM, a product must incorporate authentication, policy/rule based authorization, governance and regulatory compliance, with robust reporting and auditing functions.
Why is IdM so Important?
Identity management is very important, as it is the basis of all security, especially when applying authorization to users, devices, things and roles. After all, you cannot apply policy unless you can identify a role or an entity. IdM is extremely important for applying granular security policy because it creates the roles and groups on which access management applies role based access control.
The Role of IdM
Businesses have growing numbers of web based and cloud hosted applications, each with their own user communities. Furthermore, a user in one community might have a different role in another, which could lead to potential separation of duties (SoD) issues.
Typically, business applications are deployed as separate autonomous projects without a common user identity repository. This results in many separate identity silos, provisioning mechanisms, management interfaces and security controls. Furthermore, the administration of the applications may fall under different internal or external groups.
Companies that operate with disparate identity management sources tend to have inconsistent approaches to organizing identity attributes, security and access control, and other important aspects of identity management. This often leads to security and compliance decisions being made in an ad-hoc manner by developers and system administrators.
Consequently, there will be no consistency of policy across the company with regard to the management of the identity lifecycle. For example, there may be no enforceable or common process or procedure for creating or terminating a user identity record, let alone for maintaining consistency of attributes per user account.
This can result in inconsistent identity data being stored throughout the company, which leads to inefficiency and increased operating costs. At worst, there are serious security risks and compliance issues.
Furthermore, from the user's perspective the migration to client/server applications within the business and in the cloud has greatly increased the number of identities they must remember. Multiple identities lead to inefficiency and an increased burden on helpdesk support, as users frequently require password resets. However, IAM does a lot more than just manage passwords.
What does Identification & Access Management do?
An identity management system such as Oracle's OIM works on several levels that transcend the pure definition:
In the purest definition of the identity function, we can consider identity management to be the automation of the creation, management and deletion of identities (user/device accounts). Additionally, identity management is responsible for categorizing users and devices into roles or groups. In broader terms, an IAM system will require additional control over the user/role based permissions that enable it to apply authorization policy (access management). By applying RBAC, authenticated entities gain authorization to access the specific services and functions within their role, and no others.
Additionally, an IAM system will provide regulatory compliance and auditing. This is a very important component of an IAM, as it provides automatic audits and reporting, which is essential in IT governance and compliance management. Furthermore, an IAM should manage the device inventory insofar as it will provide detailed reports on assets and fixtures (inventory management). In short, an IAM is much more than single sign-on and user management.
IdM can assist IT in mitigating some of the challenges facing modern mid-sized and enterprise companies by:
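The IdM/AM split described above (IdM provisions accounts with attributes and roles and later de-provisions them; access management authorizes already authenticated identities against role-based policy), together with the separation of duties concern raised under "The Role of IdM", can be made concrete in code. This is an added illustration, not code from the book or from any vendor product; all user names, roles, resources and the conflicting role pairs are constructed for the example.

```python
from dataclasses import dataclass, field

# Role pairs one person should never hold at the same time (constructed example).
SOD_CONFLICTS = {frozenset({"payment_requester", "payment_approver"})}


@dataclass
class Identity:
    """The IdM account record: organization-specific attributes, roles, auth method."""
    user_id: str
    department: str
    auth_method: str          # e.g. "password", "biometric", "passkey"
    roles: set = field(default_factory=set)
    active: bool = True


class IdentityManager:
    """IdM: provisions and de-provisions accounts and assigns roles. No policy here."""
    def __init__(self):
        self.accounts = {}

    def provision(self, user_id, department, auth_method, roles=()):
        ident = Identity(user_id, department, auth_method, set(roles))
        self.accounts[user_id] = ident
        return ident

    def deprovision(self, user_id):
        # Leaver or lost device: keep the record for audit, but it can no longer authenticate.
        self.accounts[user_id].active = False

    def assign_role(self, user_id, role):
        self.accounts[user_id].roles.add(role)

    def sod_violations(self, user_id):
        """Return the conflicting role pairs that a single identity currently holds."""
        held = self.accounts[user_id].roles
        return [set(pair) for pair in SOD_CONFLICTS if pair <= held]


class AccessManager:
    """AM: maps roles to allowed (action, resource) pairs and authorizes identities
    that IdM has already authenticated. It never creates or edits accounts."""
    def __init__(self, idm):
        self.idm = idm
        self.policy = {}      # role -> set of (action, resource)

    def grant(self, role, action, resource):
        self.policy.setdefault(role, set()).add((action, resource))

    def authorize(self, user_id, action, resource):
        ident = self.idm.accounts.get(user_id)
        if ident is None or not ident.active:   # unknown or de-provisioned identity
            return False
        # RBAC: permitted only if some role held by the identity grants the action.
        return any((action, resource) in self.policy.get(r, ()) for r in ident.roles)
```

De-provisioning is modelled as deactivation rather than deletion so the audit trail the book emphasises survives while access is cut off immediately.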
Maintaining consistency of user identity across many applications
Providing single sign-on password mechanisms
Controlling access to network resources using RBAC
Managing several identities or roles; the same person could be a super user on one system and have read only (guest) access on another
Providing batch and automated