Before we begin, let's check whether you are already familiar with what we are going to talk about here: Identity and Access Management.
Okay, answer a few questions. If your answer to any of them is Yes, then you have already been part of this technology, knowingly or unknowingly.
- Do you have an identity document or number that establishes who you are, such as a Social Security Number or a passport?
- Have you ever had an Employee Number in a company?
- Have you ever been granted access to some building using a swipe card?
- Have you ever been granted access to an online application or portal?
- Have you ever registered to create an account for yourself, for example with Facebook, Gmail, Yahoo Mail or Twitter?
- Have you ever used a 'user name' and 'password' to log in to an application?
- Have you ever reset your password by answering the security questions you set up when registering for an application account?
I bet you answered Yes to at least one of these questions.
Congratulations!! You are not new to this and have been part of the IAM world in one way or the other.
Let's try to define it:
As stated on Wikipedia, the concept of Identity and Access Management can be defined as "The management of individual principals, their authentication, authorization and privileges within or across system and enterprise boundaries, with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks."
We define Identity and Access Management as a blend of technology and business-driven processes that manages the existence of, and the access between, uniquely identified entities: human beings, data, systems, servers, applications, permissions and entitlements.
A comprehensive Identity and Access Management system that aims to cater to the end-to-end IAM needs of an organization should have the following key features:
- Role management
- Identity life-cycle management
- Password management
- User access reviews
- Segregation of Duties (SoD) policies
- Analytics and reporting
- User provisioning
Origin of the concept of I&AM products:
The need to manage user identities, servers, applications and databases has existed since the beginning, and it was originally met with large amounts of custom code. Over time, organizations realized that this was a common need and that effort was being wasted developing the same logic again and again. It was therefore treated as a common business need, and specialized products were developed to meet it. Nowadays there are many vendors offering such products. According to the Gartner IAM report, Courion, Oracle, SailPoint and RSA Aveksa (EMC) qualified as Leaders, while Hitachi ID Systems, Omada, NetIQ, AlertEnterprise, CA Technologies, CrossIdeas, Dell and IBM were among the Challengers and Visionaries.
Let us look at the problem and the solution in a bit more detail:
All modern organizations run a mix of simple and complex IT infrastructure, such as:
- Applications running on different types of application servers and web servers,
- Different types of databases,
- Mainframe servers hosting legacy applications,
- Email servers
- CRM applications
- ERP applications, and much more could be added to this list.
Now there are different types of users that access these
Creating, maintaining and terminating these identities, and managing their access to different applications throughout their life-cycle while complying with standards, is a great challenge for organizations. This is where IAM products come to the rescue by making this work easier.
There are many related products that play a very important role alongside the IAM products themselves:
- Directory services:
  - Microsoft Active Directory
  - Novell eDirectory
  - IBM Directory (formerly Tivoli Directory)
  - Oracle Internet Directory (OID)
- Single Sign-On systems:
  - Enterprise SSO
  - Web SSO
  - Federated SSO
- Password Management systems
Here are a few basic terms that are used in the IAM world:
Identity is the fundamental concept of uniquely identifying an object (person, computer, etc.) within a context.
Authentication is the process of gaining confidence in a claimed identity. Once an identity has been issued, every time it is used there is a requirement to confirm that the person presenting it is the person entitled to use it. This is what limits identity theft and impersonation.
Revocation is the process of rescinding (withdrawing) an identity that has been granted. It must be properly recorded for audit purposes, and every system and process with which the identity was established must be notified that it has been revoked; otherwise the identity can continue to be used in contexts that are now false and insecure.
Multiple authoritative sources may exist in an organization (HR feeds, financial data systems, directories, etc.). From a best-practice and manageability perspective, it is important for an organization to designate one authoritative source as the primary source of identity information, so that the other systems are fed from it rather than each maintaining its own version of the truth.
Authorization refers to a person or operational entity having been granted the authority or permissions required to perform an operation or task. Authorization is where the system administrator translates a user's (or a group or class of users') permissions into access to a designated set of system resources: data files, programs, specific functions and commands, network facilities, etc.
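To make the authorization definition concrete, here is a small added example, written for this page rather than taken from the original post or from any IAM product. It shows a role-based authorization check that denies by default, and it also enforces a Segregation of Duties policy (one of the key features listed earlier) at the moment a role is assigned, which is where an IAM product typically catches toxic combinations. The roles, entitlements and the conflicting role pair are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: each role maps to a set of (resource, action)
# entitlements. Names are illustrative only.
ROLE_ENTITLEMENTS = {
    "ap_clerk":    {("invoice", "create"), ("invoice", "read")},
    "ap_approver": {("invoice", "approve"), ("invoice", "read")},
    "hr_viewer":   {("employee_record", "read")},
}

# Constructed SoD policy: no single user may hold both roles in a pair.
# Creating an invoice and approving the same invoice is the classic case.
SOD_POLICIES = [
    frozenset({"ap_clerk", "ap_approver"}),
]


class SodViolation(Exception):
    """Raised when a role assignment would breach an SoD policy."""


@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)
    active: bool = True          # suspended or revoked identities get False


def sod_violations(roles):
    """Return the SoD policies violated by holding all of `roles` at once."""
    held = set(roles)
    return [policy for policy in SOD_POLICIES if policy <= held]


def can_assign(user, role):
    """True if `role` is known and adding it would not breach SoD."""
    return role in ROLE_ENTITLEMENTS and not sod_violations(user.roles | {role})


def assign_role(user, role):
    """Grant a role, refusing unknown roles and SoD-violating combinations."""
    if role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role {role!r}")
    if sod_violations(user.roles | {role}):
        raise SodViolation(f"{user.user_id}: {role} conflicts with {sorted(user.roles)}")
    user.roles.add(role)


def is_authorized(user, resource, action):
    """Deny by default: permit only an active user holding a role that grants
    (resource, action). Revoked or suspended users fail regardless of roles."""
    if not user.active:
        return False
    return any((resource, action) in ROLE_ENTITLEMENTS[r] for r in user.roles)


if __name__ == "__main__":
    alice = User("alice")
    assign_role(alice, "ap_clerk")
    print(is_authorized(alice, "invoice", "create"))   # True
    print(is_authorized(alice, "invoice", "approve"))  # False
    print(can_assign(alice, "ap_approver"))            # False: SoD conflict
```

The two checks are deliberately separate: `is_authorized` is the run-time decision that every request goes through, while the SoD check runs at assignment time so that a violating combination never exists to be exercised. Note also that the `active` flag short-circuits everything; that is the hook a revocation or suspension would flip.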
There are three key aspects of provisioning:
- Account provisioning, which deals with the identity-related information associated with individuals: their personal attributes, affiliations, etc. Account provisioning has a number of core functions that may be performed during an identity's life-cycle:
  - Adding an identity: Initially the identity may not exist at all. As the identity's attributes and credentials become known and are collected, the identity is added, checked against the authoritative source, and then provisioned to the required systems and services.
  - Modifying an identity: When an identity that has already been provisioned within an organization is affected by a change (e.g., a merger or acquisition), its attributes and credentials may need review and adjustment, as may the provisioning system's workflow.
  - Deleting an identity: Covered under de-provisioning below.
  - Suspending an identity: Suspending an identity is a temporary halt of access to the systems and services provisioned to it, for example while the person is away. The identity is suspended, and access to the respective systems and services is suspended with it, without the accounts being deleted.
  - Resuming an identity: When the person returns, the identity's state is restored and the appropriate resources are reassigned.
- Resource provisioning, which deals with business assets such as computers, databases and applications, and with the management of the permissions associated with those assets. Resource provisioning is the provisioning of identities to the systems and services that the identity has been approved to use.
  Resources may be classified as computing and non-computing systems and services. Examples of computing systems and services include disk space on a file server, electronic mailboxes, HR system access, and so on.
  Non-computing systems and services cover provisioning identities (e.g., employees) with physical assets such as a desk, telephone, mobile phone or laptop.
- Account de-provisioning, which deals with the termination of access rights to systems and services and the re-allocation of those systems and services. De-provisioning an identity is the termination of the identity that had been provisioned to services and systems. De-provisioning is critical for organizations to review and assess, because accounts that are not de-provisioned accurately and, especially, in a timely manner leave considerable risk: a departed user, or anyone who obtains that user's credentials, can keep using access that should no longer exist.
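The account provisioning, resource provisioning and de-provisioning steps above, together with the earlier points on keeping a single authoritative source and on notifying every system of a revocation, can be combined into one reconciliation routine. The following is an added example written for this page, not the post's own code nor any vendor's: it takes a constructed HR feed as the authoritative source, compares it with a constructed snapshot of the accounts on each target system, emits the create/suspend/resume/delete actions a provisioning engine would execute, and flags the two things an access review most wants to see, terminated identities still present past an assumed one-day SLA and orphan accounts with no HR record at all. All feeds, system names, department-to-system rules and the SLA are assumptions.

```python
from datetime import date

# Constructed HR feed, acting as the single authoritative source of identity.
# status: "active", "leave" (temporary absence) or "terminated".
HR_FEED = {
    "e1001": {"name": "Ann Lee",     "dept": "finance", "status": "active"},
    "e1002": {"name": "Raj Patel",   "dept": "it",      "status": "leave"},
    "e1003": {"name": "Maria Cruz",  "dept": "sales",   "status": "terminated",
              "terminated_on": date(2014, 3, 1)},
    "e1004": {"name": "Omar Haddad", "dept": "it",      "status": "active"},
}

# Constructed rule: which target systems each department is provisioned to.
DEPT_SYSTEMS = {
    "finance": {"ad", "erp"},
    "it":      {"ad", "mail"},
    "sales":   {"ad", "crm"},
}

# Constructed snapshot of accounts found on each target system, keyed by
# employee id. "x9999" has no HR record at all: an orphan account.
TARGET_ACCOUNTS = {
    "ad":   {"e1001": "enabled", "e1002": "enabled", "e1003": "enabled",
             "e1004": "enabled", "x9999": "enabled"},
    "erp":  {"e1001": "enabled"},
    "mail": {"e1002": "enabled"},
    "crm":  {"e1003": "disabled"},
}

MAX_DEPROVISION_DAYS = 1        # assumed SLA for removing terminated accounts
TODAY = date(2014, 3, 10)       # fixed "today" so the run is reproducible


def desired_state(hr):
    """Map each HR record to the account state every target should hold."""
    desired = {}
    for emp_id, rec in hr.items():
        for system in DEPT_SYSTEMS[rec["dept"]]:
            if rec["status"] == "active":
                desired[(system, emp_id)] = "enabled"
            elif rec["status"] == "leave":
                desired[(system, emp_id)] = "disabled"   # suspend, do not delete
            else:
                desired[(system, emp_id)] = "absent"     # de-provision
    return desired


def reconcile(hr, targets, today):
    """Diff desired against actual account state.

    Returns (actions, findings): actions are (verb, system, emp_id) tuples for
    a provisioning engine; findings are risk items for an access review.
    """
    desired = desired_state(hr)
    actual = {(sys_, emp): st for sys_, accts in targets.items()
              for emp, st in accts.items()}
    actions, findings = [], []

    for (system, emp_id), want in sorted(desired.items()):
        have = actual.get((system, emp_id), "absent")
        if want == have:
            continue
        if want == "enabled":
            actions.append(("create" if have == "absent" else "resume", system, emp_id))
        elif want == "disabled" and have == "enabled":
            actions.append(("suspend", system, emp_id))
        elif want == "absent":
            actions.append(("delete", system, emp_id))
            term = hr[emp_id].get("terminated_on")
            if term and (today - term).days > MAX_DEPROVISION_DAYS:
                findings.append(f"{system}:{emp_id} still present ({have}) "
                                f"{(today - term).days} days after termination")
        # want == "disabled" and have == "absent": nothing to suspend yet; the
        # account will be created when the person returns to "active".

    # Orphans: accounts on a target with no identity in the authoritative source.
    for (system, emp_id), state in sorted(actual.items()):
        if emp_id not in hr:
            findings.append(f"{system}:{emp_id} is an orphan account ({state})")
            actions.append(("disable_orphan", system, emp_id))
    return actions, findings


def run_demo():
    """Reconcile the constructed feed and snapshot as of TODAY."""
    return reconcile(HR_FEED, TARGET_ACCOUNTS, TODAY)


if __name__ == "__main__":
    acts, finds = run_demo()
    print("\n".join(" ".join(a) for a in acts))
    print("\n".join(finds))
```

Running the block prints the action list followed by the findings. In a real deployment the HR feed and the target snapshots come from connectors, the actions go to the provisioning engine, and the findings feed the user access review and the audit report; the orphan case is the one that only reconciliation against the authoritative source can catch, because no lifecycle event ever referred to that account.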
This is just a glimpse of how deep it can be. The story continues.