I am frequently asked, “What is identity management?” Those of us inside Identity and Access Management (IAM) technology know exactly what it is, but the impact of IAM is pervasive, and many of the people it touches lack a clear understanding of it, often without realizing that they do.
The best place to start is with what it is not. As security threats have grown, many technologies have gone mainstream, even in the consumer sector, that look and sound like “Identity Management” but are unrelated, or only loosely related, to the foundational infrastructure that is Identity and Access Management.
IAM is NOT
- Identity Protection: consumer services that monitor credit reports, financial transactions and inquiries in order to alert a person to suspicious activity involving their financial identity (bank accounts, credit arrangements, home mortgages, etc.).
- Multi-factor Authentication (MFA): a security mechanism that requires more than one form of authentication to verify a user’s identity. MFA combines two or more independent credentials: something the user knows (a password), something the user has (a security token) and something the user is (a biometric). [TechTarget] MFA strengthens one step of access management, authentication; on its own it neither manages identities nor decides what an authenticated user may do.
- Facility Access Control, a.k.a. Physical Access Control: a system, usually computer controlled, that grants entry to a facility or premises based on a photo ID card, a digital or physical key, or biometric identification (finger or hand print, voice recognition, retina scan, etc.).
- Privileged [account | identity | access] Management (PAM): a specific application of access management and identity management together to control highly privileged accounts within an enterprise, usually in IT, but potentially in HR and finance systems as well.
Identity and Access Management IS, as the name implies, a discipline and its associated technologies that address two areas of concern for an enterprise’s digital user identities: Identity Lifecycle Management and Access Management. The distinction matters, and there is a great deal of confusion about the differences between these two IAM technologies, especially among those who are not close to the enterprise’s digital security requirements, even though their involvement is of paramount relevance in the selection, implementation and use of IAM.
While the two are tightly related, they are distinct and interdependent. Clearing up this confusion will help stakeholders understand how their interests are protected and furthered by the implementation, configuration and use of Identity and Access Management technologies. My presentation here refers specifically to the use of IAM in Education.
Identity Lifecycle Management (commonly referred to as Identity Management or IdM) primarily encompasses the creation and removal of accounts in the digital resources or applications a user needs to perform their tasks at the institution, based on their association with it (student, faculty, staff, contractor, etc.) as established by an enrollment or hiring event. That event is usually triggered by the user first appearing in a “source of record” or “source of authority”, such as the Student Information System (SIS, e.g. enrollment) or the Human Resources system (HR, e.g. hiring and termination). Once the IdM detects the addition, change or deletion of the user’s information, it sends account information, customized to each user’s circumstances, to the appropriate target applications, and thereafter keeps those applications in synchronization. Common applications of IdM are:
- Account provisioning (creating and maintaining target-system accounts) and the associated de-provisioning of those accounts when they are no longer needed.
- Synchronization of account information with the authoritative source.
- Synchronization of user name and password across all of a user’s resources, which provides “reduced sign-on” (single sign-on is addressed below). A synchronized password is only as safe as the weakest system that stores it, so this convenience raises the stakes of a compromise in any one target.
- Help desk applications that manage user accounts through delegated administration by authorized individuals.
- Self-service applications for enterprise-wide account management, such as forgotten-password reset.
- Account management workflows, including onboarding (account claim), access requests, recertification and attestation, and the associated approvals.
- Auditing of account provisioning and attestation activities, with associated reporting.
- Support for Access Management, keeping users in sync and authorization data current so that access decisions are made on up-to-date information.
- Support for Privileged [account | identity | access] Management, ensuring privileged account information is added and revoked based on the source of authority.
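As an added example (not from the original post, and not Aegis Identity’s product code), here is the core step an IdM engine performs on each run: read the people the sources of authority report, derive the accounts and roles each person should hold from their affiliation, diff that against what the target systems currently contain, and emit provision, update and deprovision actions. The affiliations, target systems, roles and person identifiers are hypothetical; the sample data is constructed to show a joiner, a mover (a student hired as staff), a leaver and a drifted account.

```python
"""Joiner / mover / leaver reconciliation, as an IdM engine would run it.

Added example: not the page's or Aegis Identity's code.  Affiliations,
target systems, roles and person identifiers below are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Hypothetical policy: which target-system role each affiliation earns.
ENTITLEMENTS: Dict[str, Dict[str, str]] = {
    "faculty":    {"lms": "instructor", "email": "standard", "hr_portal": "employee"},
    "staff":      {"email": "standard", "hr_portal": "employee"},
    "student":    {"lms": "learner", "email": "standard"},
    "contractor": {"email": "restricted"},
}
# When a person holds several affiliations (a student employee, say) the
# earlier entry wins for any system both affiliations grant.
AFFILIATION_PRECEDENCE = ["faculty", "staff", "student", "contractor"]

AccountKey = Tuple[str, str]          # (person_id, target system)


@dataclass(frozen=True)
class Person:
    """One record from the source of authority (SIS or HR)."""
    person_id: str
    affiliations: FrozenSet[str]
    active: bool                      # False once SIS/HR marks the person gone


@dataclass(frozen=True)
class Action:
    kind: str                         # "provision" | "update" | "deprovision"
    person_id: str
    system: str
    role: Optional[str] = None


def desired_state(people: List[Person]) -> Dict[AccountKey, str]:
    """Accounts every *active* person should hold, derived from affiliation."""
    desired: Dict[AccountKey, str] = {}
    for p in people:
        if not p.active:
            continue                  # leavers get nothing, which drives deprovisioning
        for aff in AFFILIATION_PRECEDENCE:
            if aff not in p.affiliations:
                continue
            for system, role in ENTITLEMENTS[aff].items():
                desired.setdefault((p.person_id, system), role)
    return desired


def reconcile(people: List[Person], current: Dict[AccountKey, str]) -> List[Action]:
    """Diff the desired state against what the target systems report."""
    desired = desired_state(people)
    actions: List[Action] = []
    for (pid, system), role in sorted(desired.items()):
        if (pid, system) not in current:
            actions.append(Action("provision", pid, system, role))
        elif current[(pid, system)] != role:
            actions.append(Action("update", pid, system, role))
    # Anything the targets hold that the sources no longer justify is removed,
    # whether the person left or merely lost an affiliation.
    for (pid, system) in sorted(current):
        if (pid, system) not in desired:
            actions.append(Action("deprovision", pid, system))
    return actions


# Constructed sample data: one joiner, one mover, one leaver, one drift case.
PEOPLE = [
    Person("p100", frozenset({"student"}), True),           # joiner: just enrolled
    Person("p200", frozenset({"student", "staff"}), True),  # mover: student hired as staff
    Person("p300", frozenset({"contractor"}), False),       # leaver: contract ended
    Person("p400", frozenset({"faculty"}), True),           # faculty whose LMS role drifted
]
CURRENT_ACCOUNTS: Dict[AccountKey, str] = {
    ("p200", "lms"): "learner", ("p200", "email"): "standard",
    ("p300", "email"): "restricted",
    ("p400", "lms"): "learner", ("p400", "email"): "standard",
    ("p400", "hr_portal"): "employee",
}

if __name__ == "__main__":
    for a in reconcile(PEOPLE, CURRENT_ACCOUNTS):
        print(a)
```

Two design points are worth noting. Deprovisioning is driven purely by the absence of a justification in the sources, so a person who is deactivated in HR and a person who simply loses an affiliation are handled by the same rule. And affiliation precedence is explicit, because a student employee who ends up with the weaker of two roles in a shared system is a common real-world defect.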
Access Management and Single Sign-On involve the control of credentials and their use to log into digital resources, as well as what the user is then allowed to do. Access Management is concerned with two elements: authentication (AuthN) and authorization (AuthZ). Authentication is familiar to most of us: we present a user name and a password (our “credentials”) to gain access to an application we want to use. The application checks an authentication store to determine whether the user name and password combination matches what the original user set there. Notice that the application cannot possibly know whether the person entering the user name and password is the one who is supposed to be using those credentials (which is why we protect them). “Proofing” the user is out of scope for this post; we will come back to it later. In addition to checking whether the user name and password are correct (AuthN), there may be an indication of whether the identified user is supposed to have access, and to what extent. For example, a student might see one thing and a faculty member something different. That is authorization.
Single sign-on is a technology within access management that centralizes authentication and authorization information in one place and provides a single place to log in, which then attests to all participating applications that the user’s credentials have already been checked against the authentication store. All of the applications have to be aware of the single authentication process and use it instead of their own internal authentication. Federation is an implementation of this technology that allows unrelated organizations to tie their authentication together. More on that in another post. Common applications of Access Management:
- Single sign-on
- Support for physical access control systems
- Support for multi-factor authentication systems
- Access control audit and reporting
- Forensic tracking
- Support for Privileged [account | identity | access] Management, tracking high-risk accounts more closely and providing fine-grained authorization choices
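The two paragraphs above, on AuthN versus AuthZ and on single sign-on, can be shown in one working flow. The following is an added example, not code from the original post or from any IdP product: an identity provider that holds the only password store, authenticates the user, and issues a short-lived signed assertion; and a relying application that keeps no passwords at all, verifies the IdP’s signature, audience and expiry, and then makes its own authorization decision from the affiliation the assertion carries. The HMAC-over-JSON assertion format is a stand-in for SAML or OIDC so the block runs offline; the user names, passwords, application names and permission table are invented.

```python
"""Single sign-on with AuthN at the IdP and AuthZ at each relying app.

Added example, not the page's or any vendor's code.  HMAC-SHA256 over JSON
stands in for SAML/OIDC so this runs offline; users and permissions are made up.
"""
import base64, hashlib, hmac, json, os, time
from typing import Callable, Dict, Optional, Set

PBKDF2_ROUNDS = 100_000


class IdentityProvider:
    """Holds the only password store; issues signed assertions to apps."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._users: Dict[str, tuple] = {}   # name -> (salt, hash, affiliation)

    def register(self, username: str, password: str, affiliation: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest, affiliation)

    def authenticate(self, username: str, password: str) -> bool:
        """AuthN: does the password match the stored hash?  Nothing here can
        tell whether the *person* typing it is the account's rightful user."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest, _ = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def issue_assertion(self, username, password, audience, ttl=300) -> Optional[str]:
        """The single place to log in: authenticate, then sign who/for which app/until when."""
        if not self.authenticate(username, password):
            return None
        payload = {"sub": username, "aud": audience,
                   "affiliation": self._users[username][2],
                   "exp": int(time.time()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
        sig = base64.urlsafe_b64encode(hmac.new(self._key, body, "sha256").digest())
        return (body + b"." + sig).decode()


class RelyingApp:
    """A participating application: no password store, only the IdP's key."""

    PERMISSIONS: Dict[str, Set[str]] = {       # AuthZ policy is the app's own
        "student": {"view_grades"},
        "faculty": {"view_grades", "enter_grades"},
    }

    def __init__(self, name: str, idp_key: bytes, now: Callable[[], float] = time.time):
        self.name, self._idp_key, self._now = name, idp_key, now

    def verify_assertion(self, token: str) -> Optional[dict]:
        """Check signature, audience and expiry; reject anything else."""
        try:
            body, sig = token.encode().split(b".", 1)
            expected = hmac.new(self._idp_key, body, "sha256").digest()
            if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
                return None
            payload = json.loads(base64.urlsafe_b64decode(body))
        except ValueError:            # bad base64, bad JSON, missing "."
            return None
        if payload.get("aud") != self.name or payload.get("exp", 0) < self._now():
            return None
        return payload

    def authorize(self, token: Optional[str], action: str) -> bool:
        """AuthZ: allowed only if the assertion is valid *and* policy says so."""
        payload = self.verify_assertion(token) if token else None
        return payload is not None and action in self.PERMISSIONS.get(payload["affiliation"], set())


def demo() -> Dict[str, bool]:
    """Constructed scenario exercising the success and failure paths."""
    key = os.urandom(32)
    idp = IdentityProvider(key)
    idp.register("alice", "correct horse battery staple", "student")
    idp.register("prof", "a different long passphrase", "faculty")
    lms = RelyingApp("lms", key)
    expired_lms = RelyingApp("lms", key, now=lambda: time.time() + 3600)
    alice = idp.issue_assertion("alice", "correct horse battery staple", "lms")
    prof = idp.issue_assertion("prof", "a different long passphrase", "lms")
    for_sis = idp.issue_assertion("alice", "correct horse battery staple", "sis")
    # Tampering: rewrite the body to claim "faculty" but keep the old signature.
    body, sig = alice.split(".")
    forged_payload = dict(json.loads(base64.urlsafe_b64decode(body)), affiliation="faculty")
    forged = base64.urlsafe_b64encode(json.dumps(forged_payload, sort_keys=True).encode()).decode() + "." + sig
    return {
        "wrong_password_rejected": idp.issue_assertion("alice", "wrong", "lms") is None,
        "student_can_view": lms.authorize(alice, "view_grades"),
        "student_cannot_enter": not lms.authorize(alice, "enter_grades"),
        "faculty_can_enter": lms.authorize(prof, "enter_grades"),
        "wrong_audience_rejected": not lms.authorize(for_sis, "view_grades"),
        "forged_affiliation_rejected": not lms.authorize(forged, "enter_grades"),
        "expired_rejected": not expired_lms.authorize(alice, "view_grades"),
    }
```

Running `demo()` returns `True` for every check. The separation the post describes is visible in the code: `IdentityProvider.authenticate` answers only “is this the right password?”, and, as the post notes, it cannot tell whether the right person typed it; `RelyingApp.authorize` never sees a password at all and decides purely from the asserted affiliation. The audience and expiry checks are the caveats a practitioner adds to any SSO integration, since an assertion minted for one application must not be replayable against another or after its lifetime.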
Now you know enough to ask the right questions and understand the concepts as you embark on selection, implementation and utilization of IAM in your College, University, or School District!
Ames Fowler, Solutions Engineering Manager at Aegis Identity Software, Inc.