Identity and Access Management
Identity and Access Management (IAM) is the process of managing the identities of people and systems, and the permissions those identities hold on systems.
IAM is a three-step process. In an IAM solution, a user or system first announces who it is (identification: it provides a name), then the claimed account is verified (authentication: it provides, for instance, a password, which is checked), and finally the account is granted the permissions tied to its identity and the groups it belongs to (authorization: it is allowed into the system).
Most systems have a way to link identities to their permissions. For instance, the kernel of an operating system maintains a list of user accounts and a set of access rights that describes which identities may read, write, modify, or delete which files.
IAM is not only used at the operating-system level, but also in applications, databases, and other systems. Often these systems have their own stand-alone IAM, which means users must log in separately to each and every system they use. With single sign-on (SSO), a user logs in once and is then passed seamlessly, without a further authentication prompt, to every application configured for it. SSO improves user friendliness but does not necessarily improve security: once the main login credentials are known, an attacker gains access to all connected systems. SSO is typically implemented using LDAP, Kerberos, or Microsoft Active Directory.
Federated identity management extends SSO beyond the boundaries of a single enterprise, creating a trusted authority for digital identities across multiple organizations. In a federated system, the participating organizations share identity attributes according to agreed-upon standards, so that a member can authenticate users from other members of the federation and grant them appropriate access to its systems.
Users can be authenticated in one of three ways:
- Something you know, like a password or PIN
- Something you have, like a bank card, a token or a smartphone
- Something you are, like a fingerprint or an iris scan
Many systems use only a username/password combination (something you know), but more and more systems use multi-factor authentication, where at least two of these types are required. An example is an ATM, where both a bank card (something you have) and a PIN (something you know) are needed.
Typically, users are members of one or more groups (usually named after their roles in the organization), and instead of granting permissions to individual users, the permissions are granted to these groups. Since groups can be nested (a group can be a member of another group), this so-called Role-Based Access Control (RBAC) is very powerful.
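The three-step flow and the nested-group RBAC model described above, as an added example that is not part of the original post: every user, group, permission and password in it is constructed sample data, permissions are attached only to groups, and a group's permissions are inherited transitively through its parent groups.

```python
# Added example (not from the original post): identification -> authentication
# -> authorization with role-based access control, where permissions are granted
# to groups (roles) that can be nested. All users, groups and passwords are constructed.
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-sample-salt"  # a real store uses a random salt per user
# username -> (salt, password hash, groups the user is a direct member of)
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT), {"finance-clerks"}),
    "bob": (_SALT, _hash("hunter2", _SALT), {"auditors"}),
}
# Nesting: a group is itself a member of each of its parent groups (transitive).
GROUP_PARENTS = {"finance-clerks": {"finance"}, "finance": {"staff"}, "auditors": {"staff"}}
# Permissions are attached to groups only, never to individual users.
GROUP_PERMS = {
    "staff": {"read:intranet"},
    "finance": {"read:ledger"},
    "finance-clerks": {"write:ledger"},
    "auditors": {"read:ledger"},
}

def effective_groups(direct: set) -> set:
    """Resolve nested membership: follow parent links until nothing new appears."""
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(GROUP_PARENTS.get(group, ()))
    return seen

def authenticate(username: str, password: str) -> bool:
    """Step 2: verify the claimed identity with a constant-time hash comparison."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored, _ = record
    return hmac.compare_digest(_hash(password, salt), stored)

def authorize(username: str, permission: str) -> bool:
    """Step 3: permissions come from the user's effective (nested) groups."""
    record = USERS.get(username)
    if record is None:
        return False
    perms = set().union(*(GROUP_PERMS.get(g, set()) for g in effective_groups(record[2])))
    return permission in perms
```

Step 1 (identification) is the `username` argument itself; a login is `authenticate(name, password)` followed by `authorize(name, permission)` for each access decision.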
This entry was posted on Friday 01 April 2016