Identity and Access Management (IAM)
Identity and access management (IAM) is a security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets such as networks, operating systems, and applications.

  • aka identity management (IdM) and access management
  • helps organizations protect digital assets by ensuring only authorized users can access them
  • is about managing user identities, authentication, and access control

4 Main Processes

  • Identification
    • process by which a user account (and its credentials) is issued to the correct person
    • aka enrollment
    • creating an account or ID that uniquely represents the user, device, or process on the network
  • Authentication
    • A method of validating a particular entity’s or individual’s unique credentials
    • Proving that a subject is who or what it claims to be when it attempts to access the resource
    • authentication factor determines what sort of credential the subject can use
      • e.g.,
        • people may be authenticated with a password
        • a computer system could be authenticated using a token (e.g., a digital certificate)
  • Authorization
    • process of determining what rights and privileges a particular entity has
    • determining what rights the subjects should have on each resource and enforcing those rights
    • an authorization model determines how these rights are granted
      • e.g., discretionary model, mandatory model
  • Accounting
    • tracking authorized usage of a resource, or use of rights by a subject, and alerting when unauthorized use is detected or attempted

Example

Setting up IAM for an e-commerce site.

  • to enroll users, need to select the appropriate controls to perform each function:
    • identification
      • ensure that customers are legitimate
        • e.g., ensure billing and delivery addresses match
        • e.g., ensure legitimate payment methods
    • authentication
      • ensure that customers have unique accounts
        • only they can manage their orders and billing info
    • authorization
      • rules to ensure customers can place orders only when they have valid payment mechanisms in place
      • might operate loyalty schemes or promotions
        • authorize only certain customers to view unique offers or content
    • accounting
      • system must record the actions a customer takes
      • nonrepudiation
  • processes should apply to both people and systems
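As an added example (not part of the original notes), a Python sketch of the four processes for the e-commerce case above: enrollment that checks addresses, password authentication, ACL-based authorization for ordering and loyalty offers, and an audit log that flags unauthorized attempts. The account store, ACL rules and audit log are constructed in-memory assumptions.

```python
import hashlib
import hmac
import secrets

# Authorization model: an ACL mapping each action to a rule over the account record.
ACL = {
    "manage_orders": lambda a: True,                      # any authenticated customer
    "place_order":   lambda a: a["payment_valid"],        # needs a valid payment method
    "view_offers":   lambda a: a["tier"] == "gold",       # loyalty promotion only
}

directory = {}   # identity repository (constructed, in-memory)
audit_log = []   # accounting record: (event, subject, outcome)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(username, password, billing_addr, delivery_addr, payment_valid, tier="standard"):
    """Identification: issue an account only if the legitimacy checks pass."""
    if billing_addr != delivery_addr:
        audit_log.append(("enroll", username, "denied: address mismatch"))
        return False
    salt = secrets.token_bytes(16)
    directory[username] = {"username": username, "salt": salt, "pw_hash": _hash(password, salt),
                           "payment_valid": payment_valid, "tier": tier}
    audit_log.append(("enroll", username, "ok"))
    return True


def authenticate(username, password):
    """Authentication: validate the password credential against the stored hash."""
    acct = directory.get(username)
    ok = acct is not None and hmac.compare_digest(acct["pw_hash"], _hash(password, acct["salt"]))
    audit_log.append(("auth", username, "ok" if ok else "failed"))
    return acct if ok else None


def authorize(acct, action):
    """Authorization: apply the ACL rule for the action; every decision is recorded."""
    rule = ACL.get(action)
    allowed = bool(rule and rule(acct))
    audit_log.append((action, acct["username"], "allowed" if allowed else "DENIED"))
    return allowed


def unauthorized_attempts():
    """Accounting: the log entries an alert would be raised on."""
    return [e for e in audit_log if e[2] not in ("ok", "allowed")]
```

Unknown actions are denied by default because no ACL rule matches, which is the safe failure mode for an authorization check.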

Identity Management

Identity management is the process whereby individuals are given access to system resources by associating user rights with a given identity.

  • provisioning
    • subject is issued a unique identity assertion
    • user is issued a password for use in authenticating the identity assertion

Access Management

Access management is the process that controls access to resources once access rights have been granted.

  • identifies who a user is and what they’re allowed to access
  • Components:
    • Authentication
      • establishes identity through identity proofing and one or more authentication factors
    • Authorization
      • evaluates access rights after authentication
      • e.g., comparing identity assertion against an ACL
    • Policy Management
      • serves as the enforcement arm of authentication and authorization
      • established based on business needs and management decisions
    • Federation
      • an association of organizations that facilitates the exchange of information about users and access to resources
      • allows resource sharing across multiple organizations using identities and authentication established at the home organization
        • without requiring separate credentials
    • Identity Repositories
      • directory services for the administration of user accounts and associated attributes