What is Identity and Access Management?
Controlling access to information and resources is the foundation of security.
At its foundation, cybersecurity is about controlling who can access what technology resources, whether data, files, or services. The who hinges on accurately verifying the identity of a user. Because vulnerabilities are often the result of inadvertently granting more access than intended, the what is determined through a framework of policies and rules intended to minimize the exposure of resources.
In access management as a whole, step one is to identify who is accessing a resource. This is a seemingly simple but critical step, and every action that comes after hinges on it.
Most users of technology encounter products and services every day that leverage Identity as the foundation for usage. Whether a username, a profile, or an account – these things all assume that a single user or identity is the actor or consumer of the service.
Since so much hinges on the Identity, the data stored about the Identity must be correct. Steps are taken to ensure data accuracy, such as collecting it from trusted sources of authority like HR. This is followed by enforcing data integrity: validating presented data against other known-good sources (identity proofing), as well as additional, sometimes redundant steps to make sure that the Identity Repository is a “Source of Truth.”
Identity validation is an important element of Identity security; its most common form is authentication – verifying that a user seeking access is who they claim to be. The accessing user does this by providing some critical piece of secret information or by using a key. The adage is “something you know or something you have.” In practice this is a password, a private key, or a device, as in Two-Factor Authentication.
Storing all data in a single Identity Repository conveniently makes it a single source of authentication, but also an extremely critical asset, meaning we need to protect that data.
Governance, privacy, and security are all necessary methods of protecting Identity data, making sure that only systems with the appropriate access can view the data.
In contrast to authentication, which verifies an identity, authorization is the concept of granting specific access to an identity.
Access Management can be considered as three discrete areas of consideration:
- Setting up access – Also called provisioning, this step includes both traditional provisioning (setting up data in applications) and setting up the data and policies for data-driven access (centralized authorization services, attribute-based access control, etc.)
- Enforcing access – Single Sign-On, proxy, Web Access Management, authentication (traditional password and multi-factor), analytics, and dynamic policy
- Visibility into access – Governance, reviews, reports, certifications.
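The following is an added example, not code from the original page, that puts the authentication and authorization steps above side by side in Python: a small Identity Repository acting as the source of truth, authentication that checks both “something you know” (a salted password hash) and “something you have” (a registered device token), and a separate attribute-based authorization step that decides what the authenticated identity may do. All usernames, passwords, device tokens, attributes, and policy rules are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed identity repository: the "source of truth" for user attributes.
# Passwords are stored only as salted PBKDF2 hashes, never in clear text.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Identity:
    username: str
    salt: bytes
    password_hash: bytes
    device_token: str          # "something you have": a secret bound to a registered device
    attributes: dict = field(default_factory=dict)

def register(username, password, device_token, **attributes):
    """Provision an identity (constructed data; a real system would source attributes from HR)."""
    salt = os.urandom(16)
    return Identity(username, salt, _hash_password(password, salt), device_token, attributes)

IDENTITY_REPOSITORY = {
    i.username: i for i in [
        register("alice", "correct horse", "dev-token-A", department="finance", role="analyst"),
        register("bob", "battery staple", "dev-token-B", department="engineering", role="developer"),
    ]
}

def authenticate(username, password, device_token):
    """Authentication: verify the caller is who they claim to be.
    Requires both factors; returns the Identity on success, None otherwise."""
    ident = IDENTITY_REPOSITORY.get(username)
    if ident is None:
        return None
    # compare_digest avoids leaking information through comparison timing
    ok_password = hmac.compare_digest(ident.password_hash, _hash_password(password, ident.salt))
    ok_device = hmac.compare_digest(ident.device_token, device_token)
    return ident if (ok_password and ok_device) else None

# Attribute-based access control (ABAC): each rule inspects subject attributes,
# the requested action, and resource attributes. Anything no rule allows is denied.
POLICY = [
    # anyone authenticated may read public resources
    lambda s, a, r: a == "read" and r.get("classification") == "public",
    # members of the owning department may read and write their own department's resources
    lambda s, a, r: s.get("department") == r.get("owner_department") and a in ("read", "write"),
    # analysts may read internal resources regardless of owning department
    lambda s, a, r: s.get("role") == "analyst" and a == "read" and r.get("classification") == "internal",
]

def authorize(ident, action, resource):
    """Authorization: grant a specific action on a resource to an already-authenticated identity."""
    return any(rule(ident.attributes, action, resource) for rule in POLICY)

def request_access(username, password, device_token, action, resource):
    """Full access decision: authenticate first, then authorize. Default is deny."""
    ident = authenticate(username, password, device_token)
    if ident is None:
        return "denied: authentication failed"
    if not authorize(ident, action, resource):
        return "denied: not authorized"
    return "granted"

if __name__ == "__main__":
    report = {"owner_department": "finance", "classification": "internal"}
    print(request_access("alice", "correct horse", "dev-token-A", "write", report))  # granted
    print(request_access("bob", "battery staple", "dev-token-B", "write", report))   # denied: not authorized
    print(request_access("alice", "correct horse", "dev-token-B", "read", report))   # denied: authentication failed
```

The two decisions are deliberately kept in separate functions: authentication answers only “is this really alice?”, while authorization answers “may alice write this report?”. Keeping them apart is what lets the policy layer be changed (or centralized) without touching credential handling, and the default-deny in `authorize` means a resource that no rule mentions is not exposed by accident.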