IDENTITY MANAGEMENT (IdM) refers to the process of analyzing end users to either grant or deny them access to an application, system and/or network. By extension, said identities could also belong to software-level processes, like bots and automated workflows, which may require access to the same resources.
The framework for an identity management system usually comprises one or more of the following capabilities:
The first two, however, are absolute must-haves for enterprise architecture. The technologies and security policies of an ID management system authenticate any process attempting to gain access by first verifying its identity. This is usually done by checking a credential (such as a username and password), but can also rely on smart cards or fingerprint scanning. If verification succeeds, authorization to access the resource follows. Failed authentication usually results in the process being prompted to try again, or being redirected to an entirely different resource.
Technically speaking, the focus of identity management is user authentication, while access control management is responsible for authorization. But in IT Security circles, ID management is a blanket term and may even be used interchangeably with the phrase “identity and access management.”
Authentication (AuthN) refers to the verification process. Here, the identity management system determines that the user or process “is who they say they are.” At minimum, it ensures that qualifying information has been provided to access the requested resource.
As previously noted, the most common method for authenticating a process is through the use of a username and password. Authentication is completed once a matching token, or password, is provided. The token, in this scenario, is known as the authentication factor. An authentication factor can be a single piece of data or a combination of several pieces, and varies with the type of authentication being employed.
The types of authentication processes include the following:
- Single factor authentication
- Two factor authentication
- Three or Multi-factor authentication
- One Time Password
- Biometric authentication
- Continuous authentication
- API authentication
On older devices, the authentication process was handled by the same resource the user was requesting to access. This means that passwords and other authentication factors were managed and hosted locally. This has since changed with the proliferation of shared architecture and web-based applications. Stateless, token-based authentication is conducted at the beginning of each session, and can be seen in the likes of HTTPS (Hypertext Transfer Protocol Secure) and OAuth 2.0.
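The two authentication steps described above, a password factor checked against a stored hash and a stateless token issued for the rest of the session, as an added example (not code from the original article); the signing key, salt, user store and 15-minute lifetime are constructed assumptions:

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed secrets and user store for the demo (assumptions, not from the article).
SERVER_KEY = b"demo-signing-key-rotate-in-production"
_salt = os.urandom(16)
USERS = {  # username -> (per-user salt, PBKDF2-SHA256 hash of the password factor)
    "alice": (_salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", _salt, 100_000)),
}

def authenticate(username: str, password: str) -> bool:
    """AuthN: compare the supplied factor against the stored hash in constant time."""
    salt, stored = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))  # dummy keeps timing even
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return username in USERS and hmac.compare_digest(stored, candidate)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username: str, ttl: int = 900, now: Optional[float] = None) -> str:
    """Mint a self-describing, HMAC-signed session token; the server stores no session row."""
    exp = int((now if now is not None else time.time()) + ttl)
    body = _b64(json.dumps({"sub": username, "exp": exp}, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), "sha256").digest())
    return f"{body}.{sig}"

def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".")
        presented = _unb64(sig)
    except ValueError:  # malformed token or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), "sha256").digest()
    if not hmac.compare_digest(presented, expected):
        return None  # body or signature was altered: treat as forged
    claims = json.loads(_unb64(body))
    if claims["exp"] <= (now if now is not None else time.time()):
        return None  # expired: the client must authenticate again
    return claims["sub"]
```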
Once the identity of a user is verified (or at minimum, each authentication factor supplied is matched in the appropriate data table), Authorization (AuthZ) to access the requested resource is granted. This is where other capabilities, like Roles and Delegation, come into play. While the process of Authentication is a form of system security, Authorization, by itself, is not. In many ways, it is just a means to an end.
It’s probably never a good idea to let a user roam freely once you’ve granted them access to your system or network. There are certain resources that are best left to System Administrators (Sysadmins) and higher-priority roles in the digital hierarchy. Roles are a way to handle this. Here, Sysadmins are required to set the boundaries for each type of user in the system. These permissions, as they are often called, vary from system to system, but are usually based on the four basic functions of persistent storage: Create, Read, Update and Delete (CRUD).
Lower-level users may only have read-only access to the system (or an area within the system). Someone with a mid-level role might be assigned the rights to create and/or update records or entities within the system. Root access, as well as full CRUD operations, are usually reserved for Sysadmins and Superusers. Other times, a capability like Delegate Access may be necessary to let a technical expert act indirectly within a less technical superuser’s account.
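The role-based CRUD permissions and delegated access just described, as an added example (not code from the original article); the role names, the permission table and the time-limited delegation grant are constructed assumptions:

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed role-to-permission table (assumption): the CRUD verbs each role may perform.
ROLE_PERMS = {
    "viewer":   {"read"},
    "editor":   {"create", "read", "update"},
    "sysadmin": {"create", "read", "update", "delete"},
}

@dataclass
class Delegation:
    """A superuser lets another user act in their account, limited to listed verbs and a deadline."""
    grantor: str
    grantee: str
    verbs: frozenset
    expires_at: float

@dataclass
class Directory:
    roles: dict                                   # username -> role name
    delegations: list = field(default_factory=list)

    def permissions(self, user: str) -> set:
        """Effective CRUD verbs for a user; unknown users and roles get nothing (deny by default)."""
        return set(ROLE_PERMS.get(self.roles.get(user, ""), set()))

    def authorize(self, user: str, verb: str, now: float,
                  on_behalf_of: Optional[str] = None) -> Tuple[bool, str]:
        """AuthZ decision plus the principal string to record in the audit log."""
        if on_behalf_of is None:
            return verb in self.permissions(user), user
        # Delegated access: the grant must exist, be unexpired, cover the verb, and the
        # grantor must actually hold the permission (nobody can delegate more than they have).
        for d in self.delegations:
            if d.grantor == on_behalf_of and d.grantee == user and now < d.expires_at:
                allowed = verb in d.verbs and verb in self.permissions(d.grantor)
                return allowed, f"{user} (delegated by {d.grantor})"
        return False, user
```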
Challenges with Identity Management
The importance of identity management is fairly obvious given the onslaught of identity theft on the Internet. A robust ID management suite will provide a suitable framework that incorporates AuthN, AuthZ, as well as other user management capabilities and directory service tools.
Still, there are other challenges to ID Management, like the increased failure of single factor authentication that utilizes username and password combinations. Even biometric verification, like fingerprint, iris and facial recognition systems, have their limitations. For these reasons, organizations have begun implementing multifactor authentication to make systems more secure.
Implementation is also a challenge. It has been described as a “logistical nightmare” that needs seamless collaboration across all units within an organization. This is especially difficult for smaller organizations, and by extension, larger unstructured ones. Factors like passwords must be managed with policies that define expiry periods, while encryption and hashing add to the costs of traditionally expensive IT solutions. As systems and networks grow, they become more ingrained in our daily workflows and necessitate the use of more advanced identity management tools.