What is Identity Management and Access Management?

Motivation, necessity and definition of terms

What is Identity and Access Management

The collective term “Identity and Access Management”, IAM for short, is in common use, but it actually covers two distinct subject areas.

On the one hand there is Identity Management (IDM), the administrative side, and on the other hand Access Management (AM), the mechanisms that restrict access.

Depending on the context, IAM is also simply called Identity Management, because the two areas are usually considered together; that is, tasks that actually belong to access management are counted as part of managing an identity.

The need for Identity Management

“The business requirements for an IT infrastructure are becoming more complex from year to year, making it more and more difficult for employees to manage identities and authorizations and to maintain a consistent level of data. In addition, there are the requirements from the audit, which require companies to be able to provide information about the authorizations of an employee in their systems at any time.

Reliable IT user management is therefore of central importance in every company today. As the company grows, so do the requirements for structured and secure management of identities and their authorizations in the company.

In order to cope with these tasks, companies today rely more and more on an automated identity management architecture. Through the use of central data storage and the corresponding software, identities and their access rights are managed and provisioned in the connected target systems or changes in target systems are reliably recorded and processed. Through the use of workflows, the company's approval processes are recorded in an audit-proof manner in the identity management system.

The central objective in Identity Management is to ensure that employees receive exactly the authorizations they need for their work (and no more) at the right time. This of course also includes the blocking / deletion of access rights when the employee leaves or if the need for an authorization no longer applies (e.g. change of department).

Likewise, the effort and thus the costs for the application, approval and administration of the access rights should be as low as possible, while on the other hand various legal and company-specific regulations must be complied with.”

Source: Marcus Westen, CISSP and IAM Solution Architect

Definition of Terms

Identity Management

Identity Management deals with managing people as digital identities and with their access rights to systems and applications. In short, it is the authorization management of persons within a company or data network.

  • A person can have several digital identities, while a digital identity can usually be assigned to only one person (shared or technical accounts are the exception and need to be tracked as such).

  • A digital identity is a collection of personal attributes that individualizes the person using it and makes them unambiguously recognizable. In line with the GDPR principle of data minimisation, as few personal attributes as possible should be used.

  • Identities can be managed manually, but this is mostly done at the IT level so that automated processes can be introduced. In companies in particular, consolidating and managing a person's various accounts (mail, operating system, databases, applications, Internet access, etc.) is no small task.

  • Identity management covers both the granting and the withdrawal of a person's access rights to a system or application via their digital identity.

Access Management

Access management deals with how access to data takes place and presupposes a functioning identity management.

It covers the access decision on the basis of user identities, roles and access rights. It describes the mechanisms needed to access a system as well as the control and enforcement of that access.

Access management ...

  • grants authorized users the use of a specific IT service

  • denies access to unauthorized users (anything not explicitly granted is refused)

  • enforces the rules that have been defined by IT security


Identity

An identity is the digital representation of a person, consisting of a collection of personal attributes.

It enables unambiguous assignment to a real person.


Person

A real human being.


User Account

A user account enables a person to use an IT system (here: the target system).

One person can have several user accounts for different target systems (AD account, SAP account, ...).


Role

In Identity Management, roles are all objects through which company resources can be assigned to people.

Entitlement / User Right

A right is the authorization to access a company resource.


Provisioning

Provisioning is the assignment of an authorization or the creation of an account in a target system. Its counterpart, deprovisioning, is the withdrawal of an authorization or the blocking / deletion of an account that is no longer needed.
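To make the terms above concrete, and to show the access decision described under Access Management, here is an added example (not code from the original page): a small Python model of identities, roles, entitlements and target systems. It derives the target state of an identity from its roles, answers an access request with deny-by-default, and reconciles the target state against a snapshot of what the target systems actually hold, producing provisioning and deprovisioning actions and flagging orphan accounts. All role names, systems, rights and people (alice, bob, dave, carol) are constructed for illustration.

```python
"""Toy IAM model: identity, role, entitlement, target system, provisioning.
Added example, not code from the original page; all names are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entitlement:
    """A right: the authorization to use one resource in one target system."""
    system: str   # target system, e.g. "AD" or "SAP" (constructed names)
    right: str    # the authorization inside that system


@dataclass(frozen=True)
class Role:
    """A role bundles the entitlements a function in the company needs."""
    name: str
    entitlements: frozenset[Entitlement]


@dataclass
class Identity:
    """Digital identity: the object that ties a person's accounts together."""
    uid: str                                   # one identity, one person
    active: bool = True                        # False after offboarding
    roles: set[str] = field(default_factory=set)


# Constructed role catalogue.
ROLES: dict[str, Role] = {
    "employee": Role("employee", frozenset({Entitlement("AD", "domain-user"),
                                            Entitlement("Mail", "mailbox")})),
    "finance": Role("finance", frozenset({Entitlement("SAP", "FI_DISPLAY"),
                                          Entitlement("SAP", "FI_POST")})),
    "it-admin": Role("it-admin", frozenset({Entitlement("AD", "domain-admin")})),
}


def target_entitlements(identity: Identity, roles=ROLES) -> frozenset[Entitlement]:
    """Target state: union of the rights conferred by the identity's roles.
    An inactive (offboarded) identity is entitled to nothing."""
    if not identity.active:
        return frozenset()
    return frozenset().union(*(roles[r].entitlements for r in identity.roles))


def is_allowed(identity: Identity, system: str, right: str, roles=ROLES) -> bool:
    """Access decision from identity, roles and rights: deny by default."""
    return Entitlement(system, right) in target_entitlements(identity, roles)


def reconcile(identities, actual):
    """Compare target state with the rights actually held in the target systems.

    `actual` maps uid -> set of entitlements read from the target systems.
    Returns (to_provision, to_deprovision, orphans):
      to_provision   - rights an identity should have but does not (joiner/mover)
      to_deprovision - rights it holds but is no longer entitled to (leaver/mover)
      orphans        - uids holding rights but matching no identity at all
    """
    known = {i.uid: i for i in identities}
    to_provision: dict[str, frozenset[Entitlement]] = {}
    to_deprovision: dict[str, frozenset[Entitlement]] = {}
    for uid, ident in known.items():
        want = target_entitlements(ident)
        have = frozenset(actual.get(uid, ()))
        if want - have:
            to_provision[uid] = want - have
        if have - want:
            to_deprovision[uid] = have - want
    orphans = {uid for uid, rights in actual.items() if uid not in known and rights}
    return to_provision, to_deprovision, orphans


# Constructed identities: a joiner missing a right, a leaver, and a mover.
IDENTITIES = [
    Identity("alice", roles={"employee", "finance"}),              # joined finance
    Identity("bob", active=False, roles={"employee", "finance"}),  # has left
    Identity("dave", roles={"employee", "it-admin"}),              # finance -> IT
]

# Constructed snapshot of what the target systems currently hold.
ACTUAL = {
    "alice": {Entitlement("AD", "domain-user"), Entitlement("Mail", "mailbox"),
              Entitlement("SAP", "FI_DISPLAY")},
    "bob": {Entitlement("AD", "domain-user"), Entitlement("SAP", "FI_POST")},
    "dave": {Entitlement("AD", "domain-user"), Entitlement("Mail", "mailbox"),
             Entitlement("SAP", "FI_POST")},
    "carol": {Entitlement("AD", "domain-admin")},   # no identity: orphan account
}

if __name__ == "__main__":
    prov, deprov, orphans = reconcile(IDENTITIES, ACTUAL)
    for uid, rights in prov.items():
        print("provision  ", uid, sorted((e.system, e.right) for e in rights))
    for uid, rights in deprov.items():
        print("deprovision", uid, sorted((e.system, e.right) for e in rights))
    print("orphan accounts:", sorted(orphans))
```

Run as a script it prints the pending provisioning for alice and dave, the deprovisioning for bob (leaver) and dave (mover, keeps a finance right he no longer needs) and the orphan account carol. The point worth noting is that the access decision and the reconciliation are driven by the same target state derived from roles, so an identity that is deactivated loses access in the decision function immediately, and the reconciliation then cleans up whatever the target systems still hold.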

Identity and Access Management Software

Identity and Access Management software makes it possible to master the complex requirements of user and authorization management without undue complication.

Identity management software should be easy to implement and deliver a benefit as quickly as possible, for example through automation or by reducing security risks. At the same time it must be flexible enough to grow with future requirements.

Successful IAM projects often follow the motto "Think big, start small": keep the long-term goal in view, but begin with the most effective steps. The chosen IAM system should support this approach.

The wish-list that good IAM systems fulfil includes:

  • User lifecycle / on- and offboarding

  • Self-service for user rights

  • Approvals and workflows

  • Authorization management

  • Auditing and follow-up

  • Functions for dynamic assignment of rights

  • Central password management and password self-service

  • Single Sign-On (SSO)

  • Recertifications and attestations

  • Automatic provisioning

  • Identity-centred view with target / actual data of rights and their history

  • Reporting and compliance functions