That’ll learn ya: Identity and Access Management 101
Why the 411 on the 101, you ask? As a number of smaller IT shops at customer sites come up to speed, a primer (along with best practices) gets requested often. As a service to our fellow man (and woman), feel free to take a gander if you are researching what exactly IAM is. Oh, and then sign up for Twitter and follow our Tweets (we'll let you know when we post another blog entry).
Identity Administration and Provisioning
Identity Administration and Provisioning services provide a set of processes and an underlying infrastructure to support the creation and maintenance of identity (including attributes, credentials, and entitlements) and the secure facilitation of access to IT assets for various user populations from different channels, including intranet, extranet, Internet, mobile devices, etc. It is critical to the health of the overall IAM infrastructure that the identity and entitlements information held in authoritative identity repositories be accurate and of high quality. Identity and policy administration services include centralized, delegated, and self-service administration, as well as workflow approval. These services also include the ability to programmatically update identity information from existing authoritative sources of data, or to make arrangements to obtain just-in-time identity assertions from a third party.
The following describes sub-capabilities of an Identity Administration and Provisioning Service:
– Delegated Administration – Provides a mechanism for administrators to securely push privileged activities out to managers and end users through tailored interfaces and workflows.
– Self Registration and Self-Service – Provides an interface for users to manage credentials and profile information and to request access to IT assets; anonymous users may also register through this interface.
– User & Group Management – Provides administrative tools and services that Information Security professionals utilize to administer user identity and group entries throughout the enterprise, including privileged and application / service accounts.
– Identity Registration and Proofing – Provides on-boarding and verification of new users; identity proofing may prescribe call-outs to external services such as credit agencies, utilities, and government agencies to provide a level of assurance that the subject matches a valid person.
– Identity Storage and Publication – Provides repositories for identity / account data; typically includes services that routinely scan IT systems for discrepancies between expected and discovered accounts and fire configurable processes that can notify application and business owners, disable / delete unknown accounts, create missing accounts, revert or reapply authorizations, etc.
– Rules & Access Policies – Provides for the application of business logic and policy in how and which assets are provisioned and how data is processed and transformed as it flows through the identity system.
– Connector Framework – An extensible package of adapters that leverage standard and vendor proprietary APIs to manage various account repositories and provide a generic interface to a provisioning system for managing account identifiers, profile attributes, credentials, and authorization information, such as group memberships; some connectors provide the capability to directly manage generic data objects such as physical assets in LDAP stores.
– Identity Attribute Mapping – Provides the meta-directory capability of mapping differing account attribute names to the same identity attribute, e.g. mapping last name to both “sn” and “surname”.
– Approval Workflow – Provides multi-step approval flows to automate request processes that require review and sign-off from authorized parties, such as managers, data owners, system owners, information security, etc., facilitating delegation to end users while still enforcing security policy controls.
– Provisioning Workflow – Provides multi-step account provisioning to accommodate dependencies between accounts and to increase reliability, e.g. supporting creation of accounts in a specific order, performing retries / rollback in case of failure, sending notification of down systems, etc.
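As an added example (not code from the original post), here is the discrepancy scan behind Identity Storage and Publication above, with constructed sample accounts: it compares the accounts expected from the authoritative store with those discovered on a target system and returns the notify / disable / create / revoke / grant actions to fire.

```python
# Added example (constructed, not from the original post): account
# reconciliation between the authoritative identity store and accounts
# discovered on one target system. Names and sample data are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Account:
    login: str
    groups: frozenset = field(default_factory=frozenset)
    enabled: bool = True

def reconcile(expected, discovered):
    """Compare expected accounts (authoritative store) with accounts found on
    a target system; return the remediation actions to fire, in order."""
    actions = []
    exp = {a.login: a for a in expected}
    disc = {a.login: a for a in discovered}
    # Unknown accounts: on the system but absent from the authoritative source
    # (orphans, leftovers, rogue accounts): notify the owner, then disable.
    for login in sorted(disc.keys() - exp.keys()):
        actions.append(("notify_owner", login, "unknown account"))
        actions.append(("disable", login, None))
    # Missing accounts: expected but never provisioned: create with entitlements.
    for login in sorted(exp.keys() - disc.keys()):
        actions.append(("create", login, sorted(exp[login].groups)))
    # Drift: present on both sides but entitlements or status differ:
    # reapply what the authoritative store says.
    for login in sorted(exp.keys() & disc.keys()):
        extra = disc[login].groups - exp[login].groups
        lacking = exp[login].groups - disc[login].groups
        if extra:
            actions.append(("revoke", login, sorted(extra)))
        if lacking:
            actions.append(("grant", login, sorted(lacking)))
        if disc[login].enabled and not exp[login].enabled:
            actions.append(("disable", login, None))
    return actions

# Constructed sample: HR says alice and bob exist; the target system also has a
# leftover "svc_old" account and bob holds an extra "admins" group.
EXPECTED = [Account("alice", frozenset({"finance"})),
            Account("bob", frozenset({"dev"}))]
DISCOVERED = [Account("alice", frozenset({"finance"})),
              Account("bob", frozenset({"dev", "admins"})),
              Account("svc_old", frozenset({"admins"}))]

if __name__ == "__main__":
    for action in reconcile(EXPECTED, DISCOVERED):
        print(action)
```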
Authentication Management
Authentication management represents the process through which a subject provides valid credentials to satisfy the access requirements of the application, service or system that the subject is trying to access. Reduced sign-on technologies centralize, or seek to rationalize, these authentication mechanisms in such a manner that multiple applications, services, and systems may rely on a central store for authentication, or provide for synchronization of the subject's credentials, so as to limit the number of credentials per user and improve the end-user experience.
The following describes sub-capabilities of an Authentication Management service:
– Authentication Protocols – Standards which prescribe how to present an authenticated subject; includes Kerberos, SAML / Liberty, WS-*, LDAP and application-specific standards, such as Windows NTLM.
– Verification and Validation – Mechanisms to verify a subject’s credentials and provide a level of assurance as to the validity of the credential; also concerned with authentication policies and password policies.
– Credential Lifecycle Management – Concerned with creation of credentials and the management of the credential lifecycle.
Authorization Management
Traditionally, IT systems and applications each have their own implementation of authorization management or, more precisely, access control. This means that a user has an account for each system/application he or she uses, and each system/application has its own permission structure and method of permission assignment.
The following sub-capabilities comprise an Authorization Management service:
– Resource Identification and Management – Provides for centralized inventorying, labeling, and general management of IT assets.
– Role-Based Authorization – Provides for modeling of access to IT assets based on information about the user, e.g. department, job function, location, etc., to automate access provisioning and validate the appropriateness of entitlements that are granted.
– Rule-based Authorization – Provides a service for consolidating security decisions traditionally hard-coded in disparate applications into an external, centrally-managed and audited repository, allowing applications to focus on business logic and outsource authorization management in a repeatable, consistent way.
– User Mapping – Supports assignment of users to entitlements or sets of entitlements, e.g. roles.
– Periodic Authorization Review – The process of periodically reviewing the access granted to users, performed by managers and application owners as part of a GRC (governance, risk and compliance) program.
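An added example (not from the original post) of the Role-Based, Rule-based and User Mapping capabilities above working together as one externalized decision point; the role names, rules, resources and users are constructed.

```python
# Added example (constructed, not from the original post): an externalized
# authorization decision point combining role-based rules, role-to-entitlement
# mapping and rule-based access policies. All names and users are constructed.

# Role-based authorization: roles derived from identity attributes (department,
# job function, location) so entitlements follow the position, not the person.
ROLE_RULES = [
    ("finance_analyst", lambda u: u["department"] == "finance"),
    ("payroll_approver", lambda u: u["department"] == "finance"
                                   and u["title"] == "manager"),
    ("eu_staff", lambda u: u["location"] in {"berlin", "paris"}),
]

# User mapping: each role carries a set of (resource, action) entitlements.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {("ledger", "read")},
    "payroll_approver": {("ledger", "read"), ("payroll", "approve")},
    "eu_staff": {("eu_hr_portal", "read")},
}

# Rule-based authorization: conditions evaluated at decision time, kept out of
# application code (here: approvals require a stronger authentication level).
ACCESS_RULES = [
    lambda u, res, act: act != "approve" or u.get("auth_level", 1) >= 2,
]

def roles_for(user):
    return {role for role, cond in ROLE_RULES if cond(user)}

def entitlements_for(user):
    ents = set()
    for role in roles_for(user):
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents

def decide(user, resource, action):
    """Policy decision point: allow only if some role grants the entitlement
    and every access rule is satisfied; deny by default."""
    if (resource, action) not in entitlements_for(user):
        return False
    return all(rule(user, resource, action) for rule in ACCESS_RULES)

# Constructed users as the PDP would receive them from the identity store.
ANALYST = {"department": "finance", "title": "analyst", "location": "berlin", "auth_level": 1}
MANAGER = {"department": "finance", "title": "manager", "location": "austin", "auth_level": 2}
MANAGER_PW_ONLY = dict(MANAGER, auth_level=1)

if __name__ == "__main__":
    print(sorted(roles_for(ANALYST)), decide(MANAGER, "payroll", "approve"))
```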
Access Management
Access Management is the security enforcement component of an Identity and Access Management (IAM) infrastructure. The access management component enforces access control against predefined security policies established to govern access to network resources. These resources are typically web-based applications, which is why this function is also known as web single sign-on (SSO). The categories of Identity Administration and Provisioning, Authentication Management, and Authorization Management all directly impact Access Management.
The following sub-capabilities comprise an Access Management service:
– Web Access Management – Protects access to web-accessible services available within the enterprise through centrally defined authentication and authorization policies, using policy decision points (PDPs) and distributed or proxy-based policy enforcement points (PEPs); provides session management and domain single sign-on (SSO) for web applications.
– Enterprise SSO – Minimizes the number of times a user must authenticate to disparate applications by maintaining a secured store of credentials for each application that are submitted transparently upon accessing an application.
– Identity Federation – Enables sharing of IT assets across domains, e.g. between partners, where claims- or federation-aware applications hosted by a service provider or relying party are made available to users managed and authenticated by a trusted identity provider or asserting party; as users request access to the service provider’s applications, a token is provided to the service provider which allows the service provider to obtain claims from the identity provider about the user, upon which authorization decisions can be made.
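The federation exchange described above, as an added example that is not part of the original post: a simplified JSON+HMAC token stands in for a SAML assertion, with the identity provider issuing claims and the service provider verifying them before deciding access; the issuer name, audience, key and claims are all constructed.

```python
# Added example (constructed, not from the original post): a simplified
# federation exchange. The identity provider (IdP) issues a signed token of
# claims about its user; the service provider (SP) verifies it and authorizes
# from the claims without holding an account of its own. The JSON+HMAC token
# and all names are constructed for illustration and are not SAML or OIDC.
import base64, hashlib, hmac, json, time

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_token(key, user, claims, audience, now=None, ttl=300):
    """IdP side: assert claims about an authenticated user for one audience."""
    now = time.time() if now is None else now
    body = {"iss": "idp.example", "sub": user, "aud": audience,
            "exp": now + ttl, "claims": claims}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig

def sp_verify_token(key, token, expected_aud, now=None):
    """SP side: return the claims if signature, issuer, audience and expiry all
    check out, else None (any failure is an access denial, not a fallback)."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                          # tampered, or not our trusted IdP
    body = json.loads(_unb64(payload))
    if body["iss"] != "idp.example" or body["aud"] != expected_aud:
        return None                          # token issued for another SP
    if body["exp"] < now:
        return None                          # expired (replayed stale token)
    return {"user": body["sub"], **body["claims"]}

def sp_authorize(claims, resource):
    """SP authorization decision made purely from IdP-asserted claims."""
    return claims is not None and resource in claims.get("entitlements", [])

# Constructed shared secret; a real deployment uses the IdP's signing key and
# the SP's trust store (federation metadata) instead.
SHARED_KEY = b"constructed-demo-key"
```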
Data Management
Data Management, as it pertains to Identity and Access Management, covers the use of directory stores for storing identity information and making it available to the enterprise.
Data Management in the context of IAM is comprised of the following sub-capabilities:
– LDAP Directory – Provides a source of identity accessible through a standard protocol, LDAP; also provides a repository for authentication credentials and authorization data such as group memberships.
– White Pages – Provides a single, public resource for searching and viewing profile information on enterprise users.
– Virtual Directory – Provides a mechanism for abstracting multiple identity repositories so that they look like a single LDAP-compliant repository, which is particularly useful in environments where multiple sources of identity exist for different user constituencies and a web access management (WAM) and/or federation solution backed by such a repository is desired.
– Data Synchronization – Provides automated, high-throughput services to move data between directories while applying attribute mappings and transformation rules.
– Policy Store – Provides a repository for rules and policy definitions, typically required by access management services.
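An added example (not from the original post) covering Identity Attribute Mapping earlier on the page and Data Synchronization above: source attribute names such as last_name and sn are mapped onto one canonical attribute, transformation rules are applied, and the changes needed on a target directory are computed; the source names, attribute names and records are constructed.

```python
# Added example (constructed, not from the original post): meta-directory
# attribute mapping and synchronization. Source records using different
# attribute names are mapped to one canonical schema, transformed, and diffed
# against a target directory. Source names, attributes and records are made up.

# Identity attribute mapping, per source: source attribute -> canonical attribute
# (the same identity attribute is last_name in the HR feed and sn in AD).
ATTRIBUTE_MAP = {
    "hr": {"emp_id": "uid", "last_name": "surname", "first_name": "givenName",
           "email": "mail", "dept": "department"},
    "ad": {"sAMAccountName": "uid", "sn": "surname", "givenName": "givenName",
           "mail": "mail"},
}
# Transformation rules applied after mapping (canonical attribute -> function).
TRANSFORMS = {"mail": str.lower, "uid": str.lower}

def normalize(source, record):
    """Map one record onto the canonical schema; unmapped attributes are dropped."""
    out = {}
    for src_attr, value in record.items():
        canon = ATTRIBUTE_MAP[source].get(src_attr)
        if canon is not None:
            out[canon] = TRANSFORMS.get(canon, lambda v: v)(value.strip())
    return out

def merge(normalized):
    """Join records by uid; the first source seen for an attribute wins."""
    identities = {}
    for rec in normalized:
        entry = identities.setdefault(rec["uid"], {})
        for attr, value in rec.items():
            entry.setdefault(attr, value)
    return identities

def sync_changes(identities, target):
    """Per-entry attribute changes needed to bring the target directory in line."""
    changes = {}
    for uid, attrs in identities.items():
        current = target.get(uid, {})
        diff = {k: v for k, v in attrs.items() if current.get(k) != v}
        if diff:
            changes[uid] = diff
    return changes

# Constructed feeds (HR is authoritative, fed first) and a stale target entry.
FEEDS = [("hr", {"emp_id": "A123", "last_name": "Smith", "first_name": "Ann",
                 "email": " Ann.Smith@Example.com ", "dept": "finance"}),
         ("ad", {"sAMAccountName": "a123", "sn": "Smith", "givenName": "Ann",
                 "mail": "ann.smith@example.com", "memberOf": "CN=Admins"})]
TARGET = {"a123": {"uid": "a123", "surname": "Smyth", "mail": "ann.smith@example.com"}}
```

Running `sync_changes(merge([normalize(s, r) for s, r in FEEDS]), TARGET)` yields the surname correction plus the two attributes the target lacks, while the unmapped `memberOf` value never reaches the canonical identity.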
Supporting Technology Capabilities
– System Information and Event Management (SIEM) – Provides a secure, centralized store of event logs across multiple systems with a single, consistent front end; can generate immediate alerts and notifications of significant events across systems for ensuring proactive compliance and, because logs are archived, is invaluable for forensic analysis; provides dashboards and other reporting tools.
– Business Rule Definition – The creation and management of business rules for workflows, content delivery, etc., to deliver the appropriate content to the appropriate person via the appropriate channel.