Introducing Identity and Access Management (IDAM) to people who are not familiar with it often provokes questions around capability, terminology, benefits, scope and, ultimately, “why should I care?” Hopefully I can shed some light on the world of IDAM and why it is so important to running a government department.
What is Identity and Access Management?
Identity and Access Management (IDAM) is a key technology that enables an organisation to realise core business benefits, specifically with regards to cost savings, management control, operational efficiency, security, compliance and business growth.
An enterprise, regardless of scale, needs to manage access to information and applications which are quite often scattered across a number of internal and external systems. Over time, enterprises must provide controlled access for an increasing number of identities. Identities could be internal and/or external, and one individual can quite often be represented through multiple identities; the key is to ensure both security and data integrity are maintained.
Robust models of IDAM implementation require three essential elements, namely people, processes and products (technologies), in order to manage identities and access to the assets of an enterprise. These models assume a high level of data quality; without it the IDAM framework cannot function appropriately.
IDAM components can be classed into four distinct categories, namely:
- authentication
- authorisation
- user management
- central user repository (commonly referred to as 'directory services')
The figure below illustrates the four key components of IDAM, along with capabilities within each component:
Authentication
This covers functionality that enables a user to provide sufficient credentials to gain controlled access to a system / resource / asset. In short, once a user is authenticated (they are who they claim to be), a session is created and referenced throughout the interaction between the user and the end resource until such time as the session is terminated (e.g. via a timeout, logging off, etc.). Very often, authentication takes the form of providing a set of credentials, such as a username and password. The central maintenance of a session allows, for example, the ability to enable single sign-on, i.e. no further login is required by the user in order to gain access to multiple resources and assets.
Authorisation
This functionality follows on from authentication, i.e. once you are confirmed as ‘you’ (authentication), this is what you are allowed to do (authorisation). This is typically performed by analysing the access request (such as a web Uniform Resource Identifier, or URI) against predefined policies stored within the IDAM policy store. Role-based access control (RBAC) is the key functionality that enables this; it can be overlaid by controls that additionally look at attributes associated with the user or the request, such as groups, user roles, nature of action taken, channels, time, resource types, business rules, security policies, compliance and regulatory requirements, etc., to determine the level of access. (Note: an alternative to RBAC is the use of Access Control Lists (ACL), and this, in turn, can be translated to XACML (eXtensible Access Control Markup Language) - but that’s another story.)
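The two paragraphs above describe a chain: credentials are verified, a session is created and reused for every resource (single sign-on), and each request is then checked against a policy store using roles overlaid with attributes such as time of day. The following is an added example, not code from the original post; the user store, the role assignments, the URI policies, the office-hours constraint and the clock are all constructed for illustration.

```python
# Added example, not code from the original post: a minimal authenticate -> session ->
# authorise flow. Users, roles, policies and the clock are constructed for illustration.
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

SESSION_TIMEOUT = timedelta(minutes=30)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash; the user store keeps (salt, hash), never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


# Constructed user store: username -> salt, password hash and assigned roles.
_salt, _digest = hash_password("correct horse battery staple")
USERS: Dict[str, dict] = {"alice": {"salt": _salt, "hash": _digest, "roles": {"caseworker"}}}

# Constructed policy store: each rule maps a URI prefix to the roles allowed (RBAC) and an
# optional attribute constraint (an office-hours window) overlaid on the role check.
POLICIES = [
    {"uri_prefix": "/cases/", "roles": {"caseworker", "manager"}, "hours": (8, 18)},
    {"uri_prefix": "/admin/", "roles": {"manager"}, "hours": None},
]

SESSIONS: Dict[str, dict] = {}  # session id -> {"user": ..., "expires": ...}


def authenticate(username: str, password: str, now: datetime) -> Optional[str]:
    """Verify the credentials; on success create a session and return its identifier."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
        return None
    _, candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "expires": now + SESSION_TIMEOUT}
    return sid


def session_user(sid: str, now: datetime) -> Optional[str]:
    """Resolve a session to its user, expiring idle sessions. Single sign-on reuses this
    one session for every resource instead of asking for credentials again."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now >= sess["expires"]:
        del SESSIONS[sid]  # timeout: the session is terminated
        return None
    sess["expires"] = now + SESSION_TIMEOUT  # sliding idle timeout
    return sess["user"]


def authorise(sid: str, uri: str, now: datetime) -> bool:
    """Role-based decision for a URI, overlaid with the time-of-day attribute constraint."""
    user = session_user(sid, now)
    if user is None:
        return False  # not authenticated (or session expired): deny
    roles = USERS[user]["roles"]
    for rule in POLICIES:
        if uri.startswith(rule["uri_prefix"]):
            if not roles & rule["roles"]:
                return False
            if rule["hours"] and not (rule["hours"][0] <= now.hour < rule["hours"][1]):
                return False
            return True
    return False  # deny by default: no policy covers this URI


def logoff(sid: str) -> None:
    """Explicit termination of the session."""
    SESSIONS.pop(sid, None)


if __name__ == "__main__":
    t = datetime(2024, 1, 15, 10, 0)
    sid = authenticate("alice", "correct horse battery staple", t)
    print(authorise(sid, "/cases/123", t), authorise(sid, "/admin/users", t))
```

Two design choices are worth noticing: the policy evaluation denies by default when no rule covers the requested URI, and the session check happens inside every authorisation decision, so an expired or logged-off session fails closed rather than relying on the caller to remember to check it.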
User management
User provisioning (and deprovisioning), password management, and role / group management are some of the functions of this area. The focus of this capability within IDAM is primarily administrative in nature and involves the lifecycle of an identity: creation, propagation, maintenance, deprovisioning, etc. Some functionality can be centralised, some can be delegated to end users (or groups), e.g. self-service, password resets. In practice, delegation can often improve the accuracy of data within the IDAM, primarily because the end user becomes ‘closer’ to the system; trust between the user and the enterprise is also increased.
Central user repository
Features within this component allow identity information to be exposed to other services. In addition, credential verification to/from other systems becomes available. The central user repository typically exposes an aggregated (logical) view of identities across an enterprise; quite often this depends on what the enterprise wishes to aggregate. Directory services based on the Lightweight Directory Access Protocol (LDAP), such as Active Directory (AD) and OpenLDAP (an open source LDAP implementation), are commonly used as meta-directory and virtual directory services to manage disparate pieces of identity information from a variety of user repositories. In a typical implementation, a two-way synchronisation is set up to ensure data is always in sync across multiple identity sources.
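To make the "aggregated (logical) view" and the two-way synchronisation concrete, here is an added example that is not code from the original post. It takes two constructed identity sources (an HR system and a directory), builds the logical view by keeping the most recently modified value of each attribute, and derives the updates each side needs; it also reports the presence mismatches that a synchronisation should never paper over silently, because a directory account with no HR record is exactly the kind of leftover access an auditor looks for. The source names, attribute scopes, identifiers and timestamps are all assumptions made for the example.

```python
# Added example, not code from the original post: building an aggregated (logical) view of
# identities from two constructed sources and working out the two-way synchronisation
# needed to keep them aligned. Source names, attributes and timestamps are constructed.
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Each source maps identity id -> attribute -> (value, last-modified time).
Source = Dict[str, Dict[str, Tuple[str, datetime]]]

HR: Source = {
    "u1001": {"sn": ("Smith", datetime(2024, 3, 1)), "department": ("Finance", datetime(2024, 3, 1))},
    "u1002": {"sn": ("Jones", datetime(2024, 1, 10)), "department": ("Legal", datetime(2024, 1, 10))},
}
DIRECTORY: Source = {
    "u1001": {"sn": ("Smith-Lee", datetime(2024, 4, 2)), "mail": ("smith@example.org", datetime(2024, 1, 1))},
    "u1003": {"sn": ("Khan", datetime(2024, 2, 5)), "mail": ("khan@example.org", datetime(2024, 2, 5))},
}

# Which attributes each source is expected to hold (HR never stores a mail attribute).
HR_ATTRS: Set[str] = {"sn", "department"}
DIRECTORY_ATTRS: Set[str] = {"sn", "department", "mail"}


def aggregate(*sources: Source) -> Source:
    """Logical view: for each identity, the most recently modified value of each attribute."""
    view: Source = {}
    for src in sources:
        for uid, attrs in src.items():
            merged = view.setdefault(uid, {})
            for name, (value, ts) in attrs.items():
                if name not in merged or ts > merged[name][1]:
                    merged[name] = (value, ts)
    return view


def reconcile(hr: Source, directory: Source) -> List[Tuple[str, str, str, str]]:
    """Two-way sync plan as (target, uid, attribute, value) for identities present in both
    sources: each side receives the newest value of every attribute it is meant to hold."""
    view = aggregate(hr, directory)
    updates = []
    for uid, attrs in view.items():
        if uid not in hr or uid not in directory:
            continue  # presence mismatches are reported separately, not silently created
        for name, (value, _) in attrs.items():
            for target_name, target, scope in (("HR", hr, HR_ATTRS), ("DIR", directory, DIRECTORY_ATTRS)):
                if name not in scope:
                    continue
                current = target[uid].get(name)
                if current is None or current[0] != value:
                    updates.append((target_name, uid, name, value))
    return sorted(updates)


def orphans(hr: Source, directory: Source) -> List[str]:
    """Directory accounts with no HR record: typical leaver or ghost accounts to review."""
    return sorted(set(directory) - set(hr))


def unprovisioned(hr: Source, directory: Source) -> List[str]:
    """HR records with no directory account: joiners not yet provisioned."""
    return sorted(set(hr) - set(directory))


if __name__ == "__main__":
    for update in reconcile(HR, DIRECTORY):
        print("update", *update)
    print("orphans:", orphans(HR, DIRECTORY), "unprovisioned:", unprovisioned(HR, DIRECTORY))
```

"Newest value wins" is only one reconciliation rule; many deployments instead declare one source authoritative per attribute (HR for names and departments, the directory for login attributes), and the scope sets above are where that decision would be encoded.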
Identity and access management lifecycle
An IDAM solution in essence manages the lifecycle of an identity in an organisation. A typical lifecycle is illustrated below:
1 - The lifecycle (relationship) begins with the identity being provisioned within the system (1b), i.e. created
2 - The identity is authenticated (i.e. the individual is confirmed to be who they say they are) and authorised (i.e. what they are allowed to access is determined)
3 - The individual may be allowed to use self-service to manage a given subset of credentials themselves, and may choose to delegate their role (for example, to a personal assistant)
4 - The password associated with the identity may be changed / updated /reset during the course of its life
5 - The access associated with an identity may vary depending on their role(s) within an organisation, which may evolve through the lifecycle
6 - Access to resources / assets may (often) be managed through the application of group policies in accordance with compliance and regulatory requirements
7 - As part of managing the lifecycle, reporting and analytics are essential (for example, for security and audit purposes)
8 - If the identity is no longer required (for example, if an individual leaves an organisation), their identity is deprovisioned from the system (8b) thereby ending their relationship
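The user management component described earlier and the eight lifecycle steps above are two views of the same thing, so one added example covers both. It is not code from the original post: a small in-memory identity store that provisions an identity, verifies its credential, allows self-service password resets (but not resets of someone else's password without administrator rights), records a delegation, changes group membership, decides access through group policies, keeps an audit trail for reporting, and finally deprovisions the identity, stripping its access and any delegations in both directions. The group names, URI prefixes and user ids are constructed.

```python
# Added example, not code from the original post: an identity lifecycle manager that walks
# the eight numbered steps above. Group names, URIs and user ids are constructed.
import hashlib
import hmac
import os
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed group policies (step 6): membership of a group grants the listed URI prefixes.
GROUP_POLICIES: Dict[str, Set[str]] = {
    "staff": {"/intranet/"},
    "finance": {"/ledger/"},
    "admin": {"/admin/"},
}

AuditEntry = Tuple[datetime, str, str, str, str]  # (when, actor, action, subject, detail)


class IdentityStore:
    def __init__(self) -> None:
        self.identities: Dict[str, dict] = {}
        self.audit: List[AuditEntry] = []

    def _log(self, when: datetime, actor: str, action: str, subject: str, detail: str = "") -> None:
        self.audit.append((when, actor, action, subject, detail))

    def _active(self, uid: str) -> dict:
        ident = self.identities.get(uid)
        if ident is None or not ident["active"]:
            raise LookupError(f"{uid} is not an active identity")
        return ident

    def _is_admin(self, uid: str) -> bool:
        ident = self.identities.get(uid)
        return bool(ident and ident["active"] and "admin" in ident["groups"])

    def _prefixes(self, ident: dict) -> Set[str]:
        return set().union(*(GROUP_POLICIES.get(g, set()) for g in ident["groups"]))

    # step 1: provisioning
    def provision(self, actor: str, uid: str, groups: Iterable[str], when: datetime) -> None:
        if uid in self.identities:
            raise ValueError(f"{uid} already exists")
        self.identities[uid] = {"groups": set(groups), "delegates": set(),
                                "salt": None, "hash": None, "active": True}
        self._log(when, actor, "provision", uid, ",".join(sorted(groups)))

    # step 2: authentication against the stored credential
    def verify_password(self, uid: str, password: str) -> bool:
        ident = self.identities.get(uid)
        if not ident or not ident["active"] or ident["hash"] is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), ident["salt"], 100_000)
        return hmac.compare_digest(digest, ident["hash"])

    # steps 3 and 4: self-service reset of one's own password, or an administrator reset
    def set_password(self, actor: str, uid: str, password: str, when: datetime) -> None:
        ident = self._active(uid)
        if actor != uid and not self._is_admin(actor):
            raise PermissionError(f"{actor} may not reset the password of {uid}")
        ident["salt"] = os.urandom(16)
        ident["hash"] = hashlib.pbkdf2_hmac("sha256", password.encode(), ident["salt"], 100_000)
        self._log(when, actor, "password_reset", uid)

    # step 3: delegation of one's access, e.g. to a personal assistant
    def delegate(self, actor: str, uid: str, delegate_uid: str, when: datetime) -> None:
        ident = self._active(uid)
        self._active(delegate_uid)
        if actor != uid and not self._is_admin(actor):
            raise PermissionError(f"{actor} may not delegate on behalf of {uid}")
        ident["delegates"].add(delegate_uid)
        self._log(when, actor, "delegate", uid, delegate_uid)

    # step 5: group membership changes as the individual's role evolves
    def change_groups(self, actor: str, uid: str, when: datetime,
                      add: Iterable[str] = (), remove: Iterable[str] = ()) -> None:
        ident = self._active(uid)
        if not self._is_admin(actor):
            raise PermissionError(f"{actor} may not change group membership")
        ident["groups"] = (ident["groups"] | set(add)) - set(remove)
        self._log(when, actor, "group_change", uid, f"+{sorted(add)} -{sorted(remove)}")

    # step 6: access decision through group policies; a delegate inherits the principal's access
    def permitted(self, uid: str, uri: str) -> bool:
        ident = self.identities.get(uid)
        if not ident or not ident["active"]:
            return False
        prefixes = self._prefixes(ident)
        for other in self.identities.values():
            if other["active"] and uid in other["delegates"]:
                prefixes |= self._prefixes(other)
        return any(uri.startswith(p) for p in prefixes)

    # step 7: reporting for security and audit purposes
    def report(self, action: Optional[str] = None) -> List[AuditEntry]:
        return [entry for entry in self.audit if action is None or entry[2] == action]

    # step 8: deprovisioning disables the identity, strips access and revokes delegations both ways
    def deprovision(self, actor: str, uid: str, when: datetime) -> None:
        ident = self._active(uid)
        if not self._is_admin(actor):
            raise PermissionError(f"{actor} may not deprovision {uid}")
        ident.update({"active": False, "groups": set(), "delegates": set(), "salt": None, "hash": None})
        for other in self.identities.values():
            other["delegates"].discard(uid)
        self._log(when, actor, "deprovision", uid)
```

The point of deprovisioning as written is that it is one operation which removes every form of access at once: the credential, the group memberships and the delegations granted to or by the leaver. Leaver processes that only disable the login are the usual source of delegated access that outlives the person who granted it.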
What is Federated IDAM?
In today’s world, there is an increasing need to utilise the same set of credentials to access multiple systems / services / resources. Examples of this are using Google, Microsoft or Facebook credentials (username and password) to log into a variety of websites without needing to create an identity specifically for each website.
An extended capability that IDAM systems introduce is the ability to manage identities and access that span multiple domains (e.g. organisations) and systems in a trusted manner. This is called federated IDAM, and it often removes the need to replicate identities and administer security in multiple locations. Typically, a group of organisations agree to share identity attributes (on the basis of security frameworks, trust, standards, policies, etc.), so that a user authenticated by one organisation can be granted access to the assets of another.
Federated IDAM delivers the ability for organisations to leverage Single Sign On, interoperability across disparate systems, integration with legacy systems, centralised management of users and identities across multiple locations (domains), reducing security exposure of multiple user credentials, and increasing automation across multiple domains.
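The exchange that federation rests on is a signed statement from the identity provider (the user's home organisation) that the service provider (the organisation owning the asset) checks before granting access. The following is an added example, not code from the original post, showing both sides of that exchange. The trust relationship is modelled as a shared HMAC key, which is a constructed simplification: real federations (SAML, OpenID Connect) use the identity provider's public-key signature, but the checks the service provider must perform are the same in spirit. The issuer and audience identifiers, attribute names and role mapping are assumptions.

```python
# Added example, not code from the original post: a simplified federated login exchange
# between an identity provider (IdP) and a service provider (SP). Trust is modelled as a
# shared HMAC key, a constructed simplification of the signatures real federations use.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, FrozenSet, List, Optional, Set

IDP_ID = "https://idp.example.org"        # constructed identifiers
SP_ID = "https://service.example.org"
SHARED_KEY = secrets.token_bytes(32)      # constructed: agreed when the federation was set up


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- identity provider side -------------------------------------------------------------
def idp_issue_assertion(subject: str, attributes: List[str], audience: str, now: int, ttl: int = 300) -> str:
    """The user has already authenticated at the IdP; issue a signed assertion for one SP."""
    claims = {
        "iss": IDP_ID, "sub": subject, "aud": audience,
        "iat": now, "exp": now + ttl,
        "jti": secrets.token_hex(16),  # unique assertion id, used for replay detection
        "attrs": attributes,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    signature = _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{signature}"


# --- service provider side --------------------------------------------------------------
SEEN_ASSERTION_IDS: Set[str] = set()
TRUSTED_ISSUERS: FrozenSet[str] = frozenset({IDP_ID})


def sp_verify_assertion(token: str, now: int) -> Optional[Dict[str, object]]:
    """Accept the remote identity only if signature, issuer, audience, validity window and
    replay checks all pass; return None (deny) otherwise."""
    try:
        body, signature = token.split(".")
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(signature), expected):
            return None  # signature check first: nothing unsigned is ever parsed as trusted
        claims = json.loads(_unb64(body))
        if not isinstance(claims, dict):
            return None
        if claims["iss"] not in TRUSTED_ISSUERS or claims["aud"] != SP_ID:
            return None  # wrong issuer, or an assertion meant for another service
        if not (claims["iat"] <= now < claims["exp"]):
            return None  # outside the validity window
        if claims["jti"] in SEEN_ASSERTION_IDS:
            return None  # replayed assertion
        SEEN_ASSERTION_IDS.add(claims["jti"])
        return {"subject": claims["sub"], "issuer": claims["iss"], "attributes": list(claims["attrs"])}
    except (ValueError, TypeError, KeyError):
        return None  # malformed token or missing claim: deny


# Constructed mapping from federated attributes to this SP's local roles: no local account
# is created and no password is stored for the federated user.
ROLE_MAPPING = {"dept:finance": "ledger-reader", "staff": "intranet-user"}


def sp_local_roles(identity: Dict[str, object]) -> Set[str]:
    return {ROLE_MAPPING[a] for a in identity["attributes"] if a in ROLE_MAPPING}


if __name__ == "__main__":
    now = 1_700_000_000
    token = idp_issue_assertion("alice@idp", ["staff", "dept:finance"], SP_ID, now)
    identity = sp_verify_assertion(token, now + 10)
    print(identity, sp_local_roles(identity) if identity else None)
```

The audience check is the one most often forgotten: without it an assertion issued for one service in the federation could be presented to another, and "reducing security exposure of multiple user credentials" would turn into a single assertion that opens every door.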
Key Benefits of IDAM
The full range of benefits IDAM brings to an organisation is extensive. However, some key technical and business benefits of a correctly implemented solution include (the list is not exhaustive):
- enabling a consistent user experience across multiple systems and domains
- giving users quick and secure access to resources they need
- automating joiner and leaver processes and associated access to resources
- reducing the need to remember multiple complex passwords
- making it easier to control access to resources (and automation)
- allowing for easier regulatory compliance and auditing
- enabling centralised controlling and monitoring of users and behaviours
- enabling secure 'Bring / Choose Your Own Device' (BYOD / CYOD)
- allowing for automated (centralised) management of user provisioning and deprovisioning
- centralising management of a user identity across multiple systems (external and internal)
- enabling audit, security and access policies to be managed centrally
- consolidating multiple identities and reducing multiple ways to identify one user across an estate or across heterogeneous organisations
- reducing workload due to introduction (and refinement) of role-based administration and group policies
- enhancing physical security
- improving / enabling disaster recovery and business continuity processes
In summary, a well-executed IDAM solution can increase user productivity, drive an enhanced user experience (and, in turn, satisfaction), reduce administrative load (e.g. lowering of calls to HR and Help Desk), minimise manual processes, improve risk and security compliance and enable tracking and management of accountability. All of this will ultimately reduce the costs of running an enterprise.
In my next blog post, we’ll look at the basic functionality of a typical IDAM solution.
I would be interested in hearing of people’s experiences around IDAM, especially with regards to any unusual challenges faced in different sectors and industries.
Follow Jagdeep on Twitter.