What is it?
Identity and Access Management (IAM) has a core objective to provide one digital identity per individual. Organisations deploy IAM to provide administrators with the ability to manage digital identities through their lifecycle including changing user roles, tracking activities and enforcing access policies across systems and services. The technology consolidates distributed digital identities and federates access across heterogeneous systems.
IAM can be applied to internal users, partners, system identities and customers (CIAM). Regardless of digital identity type, it is a security practice and the principles of implementation for each type remain the same.
Value proposition of the capability
The key value in IAM is in the consolidation of identities across an organisation and the inherent savings in being able to centrally administer a single federated identity. In broader terms the benefits of an IAM deployment can be seen in:
- Better customer and user experience
- Reduced risk of exposure and improved security
- Improved business intelligence through insights
- Greater control over users and data
- Reduced business administration costs
- Reduced development complexity in Digital Transformation initiatives
Common uses or use cases
Identity and Access Management is a necessity for nearly all organisations; the variation is in how much attention it is given and the overall maturity of the capability. Any organisation that needs to compete on a customer experience level, in industries such as retail and banking, will likely have CIAM at the core of any transformation initiative.
At a more granular level there are likely to be initiatives on a smaller scale in most organisations, driven by immediate needs such as scaling customer bases, more flexible authentication requirements or new security directives.
Federation and the need for single sign-on are fast becoming the most popular use cases, with technologies such as ForgeRock, Okta and WSO2 Identity Server rising in popularity. These technologies facilitate integration of identity providers such as Google, Facebook, Microsoft and Salesforce using common standards such as SAML, OAuth 2.0 and OpenID Connect, enabling single sign-on across multiple devices.
Aside from a greatly improved customer experience, a strong CIAM/IAM capability can be born out of the desire to have increased analytics and intelligence on customer or user behaviours. In order to truly understand the customer journey and habits, it must be possible to uniquely identify the customer’s identity across multiple systems and services.
Implementation Best Practices
An IAM solution should support standard protocols for single sign-on and federation. Most of the technologies in the market follow these standards, although there will be some differences. The key standards and protocols to look out for are :-
- LDAP (Lightweight Directory Access Protocol) – This is a communication standard for record-based, directory-like data such as User, Group or Role. Solutions need to be LDAP-aware in order to communicate with directory services such as AD (Active Directory)
- SAML (Security Assertion Markup Language) – SAML is an open standard for exchanging authentication and authorisation data between identity and service providers. It is an XML-based language that uses digital signatures as opposed to passwords for increased security and compliance
- XACML (eXtensible Access Control Markup Language) – This language is used as a fine-grained access control language. This effectively allows Attribute-Based Access Control (ABAC). Put simply it provides the granularity to allow access to resources based on simple attributes such as “location” or “clearance level”
- OAuth 2.0 – This is an authorization protocol designed to work with HTTP. It allows access tokens to be issued to 3rd party clients in order to access resources.
- SCIM (System for Cross-domain Identity Management) – This is an open standard for automating user provisioning. It enables one application to create, read, update or delete identities over a REST-based protocol in target applications. This is a key component for SSO (Single Sign-on)
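The XACML entry above describes attribute-based access control in the abstract. The following Python sketch, added here as an illustration and not taken from XACML or from any product, shows the shape of such a policy decision point: rules over subject, resource, action and environment attributes, a deny-overrides combining algorithm, and a default of Deny when no rule applies. The attribute names ("location", "clearance", "region", "classification"), the clearance ladder, the rules and the sample identities are all constructed for the example.

```python
"""Minimal attribute-based access control (ABAC) decision point.

Modelled on the XACML idea: policy rules are predicates over the attributes of
a request, combined with deny-overrides, and anything not explicitly permitted
is refused. This is example code written for this page, not an XACML engine.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]


@dataclass
class Request:
    """Who (subject) wants to do what (action) to what (resource), in what context."""
    subject: Attrs
    resource: Attrs
    action: str
    environment: Attrs = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    effect: str                            # "Permit" or "Deny"
    applies: Callable[[Request], bool]     # the rule's target/condition


# Constructed clearance ladder for the example; labels outside it never match.
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def clearance_covers(subject_level: Any, resource_level: Any) -> bool:
    """True when the subject's clearance is at least the resource's label.
    A missing or unknown subject label ranks lowest; an unknown resource label
    ranks above every clearance, so both fail closed."""
    have = CLEARANCE_RANK.get(subject_level, -1)
    need = CLEARANCE_RANK.get(resource_level, len(CLEARANCE_RANK))
    return have >= need


# Constructed policy: two Deny rules act as guard rails, two Permit rules grant.
POLICY: List[Rule] = [
    Rule("deny-cross-region", "Deny",
         lambda r: r.resource.get("region") != r.subject.get("location")),
    Rule("deny-insufficient-clearance", "Deny",
         lambda r: not clearance_covers(r.subject.get("clearance"),
                                        r.resource.get("classification"))),
    Rule("permit-read-own-department", "Permit",
         lambda r: r.action == "read"
         and r.subject.get("department") == r.resource.get("owner_department")),
    Rule("permit-editor-write-business-hours", "Permit",
         lambda r: r.action == "write"
         and "editor" in r.subject.get("roles", ())
         and 8 <= r.environment.get("hour", -1) < 18),
]


def decide(request: Request, policy: List[Rule] = POLICY) -> Dict[str, Any]:
    """Deny-overrides: any matching Deny wins, then any Permit, else NotApplicable.
    The matched rule names are returned so decisions can be logged and explained."""
    matched = [rule for rule in policy if rule.applies(request)]
    if any(rule.effect == "Deny" for rule in matched):
        decision = "Deny"
    elif any(rule.effect == "Permit" for rule in matched):
        decision = "Permit"
    else:
        decision = "NotApplicable"
    return {"decision": decision, "rules": [rule.name for rule in matched]}


def is_allowed(request: Request, policy: List[Rule] = POLICY) -> bool:
    """Enforcement point: only an explicit Permit grants access."""
    return decide(request, policy)["decision"] == "Permit"


if __name__ == "__main__":
    # Constructed sample identity and resource.
    alice = {"location": "EU", "clearance": "confidential",
             "department": "finance", "roles": ["editor"]}
    report = {"region": "EU", "classification": "internal", "owner_department": "finance"}
    print(decide(Request(alice, report, "read")))
    print(decide(Request(alice, dict(report, region="US"), "read")))
```

The point to take from the design is that the enforcement point treats NotApplicable exactly like Deny: a request that matches no rule, or a subject missing an attribute the policy needs, is refused rather than waved through, and the list of matched rule names gives the audit trail a reason for every decision.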
How do technologies differ?
Traditionally, an IAM or CIAM system has four key components :-
- A directory service or repository in which individual users are defined
- A set of tools for administering that data
- A system that controls user access to other systems for both authentication and authorisation
- An auditing and reporting system
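To make the four components concrete, here is a small Python sketch, added for this page and not the implementation of any product, that puts them in one place: a directory holding user records, administration operations for the identity lifecycle (joiner, change of role, leaver), an access check that consults the directory, and an append-only audit log that records every administrative change and every access decision, denials included. The patch operations are modelled loosely on SCIM's create/update/delete idea from the earlier list but are not a SCIM implementation; the user names, groups and operations are constructed for the example.

```python
"""Directory, administration, access control and audit in one toy IAM core.

Example code written for this page. The patch operations borrow the
op/path/value shape of SCIM updates but are an assumption for illustration,
not a SCIM client or server.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, List, Set


@dataclass
class User:
    """One record in the directory (the repository of identities)."""
    user_name: str
    groups: Set[str] = field(default_factory=set)
    active: bool = True


@dataclass
class AuditEvent:
    """One line in the auditing and reporting component."""
    when: str
    actor: str
    action: str
    target: str
    detail: str = ""


class Directory:
    def __init__(self) -> None:
        self._users: Dict[str, User] = {}
        self.audit: List[AuditEvent] = []

    # --- auditing and reporting ---------------------------------------------
    def _record(self, actor: str, action: str, target: str, detail: str = "") -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(stamp, actor, action, target, detail))

    def events_for(self, target: str) -> List[AuditEvent]:
        """Report: every audited event about one target (user or group)."""
        return [e for e in self.audit if e.target == target]

    # --- administration tools (identity lifecycle) --------------------------
    def create_user(self, actor: str, user_name: str, groups: Set[str] = frozenset()) -> User:
        if user_name in self._users:
            raise ValueError(f"user {user_name!r} already exists")
        user = User(user_name, set(groups))
        self._users[user_name] = user
        self._record(actor, "user.create", user_name, f"groups={sorted(user.groups)}")
        return user

    def patch_user(self, actor: str, user_name: str, ops: List[Dict[str, Any]]) -> User:
        """Apply SCIM-style {op, path, value} operations; each one is audited."""
        user = self._users[user_name]          # KeyError for an unknown user
        for op in ops:
            kind, path, value = op["op"], op["path"], op.get("value")
            if path == "groups" and kind == "add":
                user.groups.add(value)
            elif path == "groups" and kind == "remove":
                user.groups.discard(value)
            elif path == "active" and kind == "replace":
                user.active = bool(value)      # leaver: deactivate, keep the record
            else:
                raise ValueError(f"unsupported operation {kind!r} on {path!r}")
            self._record(actor, f"user.patch.{kind}", user_name, f"{path}={value!r}")
        return user

    def delete_user(self, actor: str, user_name: str) -> None:
        del self._users[user_name]
        self._record(actor, "user.delete", user_name)

    # --- access control -----------------------------------------------------
    def authorize(self, user_name: str, required_group: str) -> bool:
        """Default-deny: unknown, deactivated and non-member users are refused,
        and the reason for every denial is written to the audit log."""
        user = self._users.get(user_name)
        if user is None:
            reason = "unknown user"
        elif not user.active:
            reason = "account deactivated"
        elif required_group not in user.groups:
            reason = f"not a member of {required_group!r}"
        else:
            self._record(user_name, "access.permitted", required_group)
            return True
        self._record(user_name, "access.denied", required_group, reason)
        return False


if __name__ == "__main__":
    d = Directory()
    d.create_user("admin", "bob", {"staff"})                     # joiner
    d.patch_user("admin", "bob", [{"op": "add", "path": "groups", "value": "finance"}])
    d.patch_user("admin", "bob", [{"op": "replace", "path": "active", "value": False}])  # leaver
    print(d.authorize("bob", "finance"))                          # False: deactivated
    for event in d.audit:
        print(event)
```

Deactivating rather than deleting a leaver keeps the audit history attached to the identity, which is what a reporting system needs when answering "who had access to what, and when"; the access check consults the live directory on every call so a role change or deactivation takes effect immediately rather than at the next login.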
In today’s environments however there is a need to expand on these offerings in order to facilitate seamless access control across multiple internal and external boundaries as well as across many different devices.
Most technologies in this space will deliver on the core capability for Identity and Access Management, however, there will be differences across the products and technologies.
A fundamental difference in the technologies will be down to the use cases that the product is trying to support. There are many solutions focussed solely on B2E (Business to Employee) in which clearly the priority for the solution lies in the internal access to internal resources. Other products however may focus more on external access management such as B2B (Business to Business), B2C (Business to Customer) or G2C (Government to Citizens). Increasingly products in this space are focusing on non-human types of identity such as bots and IoT devices.
Another difference between solutions in this space is the attention to security. Whilst all the solutions should have a foundation in security, some will have a more specialised approach, focussing on areas such as fraud detection.
Pricing models vary in this space. Some solutions offer subscription-based pricing, charged per user or in some cases per device; others are feature based, for example whether you want analytics, an identity gateway or just internal access control. Server or core-based pricing is also an option with some solutions. Open source is also an option, though it is worth bearing in mind the true overall cost in terms of implementation and support.
Procuring an IAM solution is not a simple undertaking. There are a plethora of different options available, each with their own strengths and weaknesses. As with any technology choice, thought should be given to the overall capability first in terms of the people, process and technology required. It is recommended to employ some form of capability maturity model in order to understand the current maturity of IAM within the organisation and help balance this against organisational priorities.
Once at the point of investigating solutions, the difficulty can be understanding which requirements apply to your organisation. It is important here to engage an Identity and Access Management specialist in order to understand what features may be required from a solution. Common areas to explore are :-
- Administration of Identities
- API Access Controls
- Authorization and Adaptive Authorization
- Bring your Own Identity
- Directory and Identity Synchronisation
- Event Logging and Reporting
- Non-Standard Application Requirements
- Standard Application Requirements
- User Authentication Methods
- Self-Service Requirements
It is important to understand the need for these capabilities from an internal and external perspective as they may differ.