Identity and access management

Last updated

Identity and access management (IAM or IdAM) or Identity management (IdM), is a framework of policies and technologies to ensure that the right users (that are part of the ecosystem connected to or within an enterprise) have the appropriate access to technology resources. IAM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access. [1]

Contents

The terms "identity management" (IdM) and "identity and access management" are used interchangeably in the area of identity access management. [2]

Identity-management systems, products, applications and platforms manage identifying and ancillary data about entities that include individuals, computer-related hardware, and software applications.

IdM covers issues such as how users gain an identity, the roles, and sometimes the permissions that identity grants, the protection of that identity, and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords, etc.).

Definitions

Identity management (ID management) – or identity and access management (IAM) – is the organizational and technical processes for first registering and authorizing access rights in the configuration phase, and then in the operation phase for identifying, authenticating and controlling individuals or groups of people to have access to applications, systems or networks based on previously authorized access rights. Identity management (IdM) is the task of controlling information about users on computers. Such information includes information that authenticates the identity of a user, and information that describes data and actions they are authorized to access and/or perform. It also includes the management of descriptive information about the user and how and by whom that information can be accessed and modified. In addition to users, managed entities typically include hardware and network resources and even applications. [3] The diagram below shows the relationship between the configuration and operation phases of IAM, as well as the distinction between identity management and access management.

Fig-IAM-phases.png

Access control is the enforcement of access rights defined as part of access authorization.

Digital identity is an entity's online presence, encompassing personal identifying information (PII) and ancillary information. See OECD [4] and NIST [5] guidelines on protecting PII. [6] It can be interpreted as the codification of identity names and attributes of a physical instance in a way that facilitates processing.

Function

In the real-world context of engineering online systems, identity management can involve five basic functions:

Pure identity

A general model of identity can be constructed from a small set of axioms, for example that all identities in a given namespace are unique, or that such identities bear a specific relationship to corresponding entities in the real world. Such an axiomatic model expresses "pure identity" in the sense that the model is not constrained by a specific application context.

In general, an entity (real or virtual) can have multiple identities and each identity can encompass multiple attributes, some of which are unique within a given name space. The diagram below illustrates the conceptual relationship between identities and entities, as well as between identities and their attributes.

Identity-concept.svg

In most theoretical and all practical models of digital identity, a given identity object consists of a finite set of properties (attribute values). These properties record information about the object, either for purposes external to the model or to operate the model, for example in classification and retrieval. A "pure identity" model is strictly not concerned with the external semantics of these properties.

The most common departure from "pure identity" in practice occurs with properties intended to assure some aspect of identity, for example a digital signature or software token which the model may use internally to verify some aspect of the identity in satisfaction of an external purpose. To the extent that the model expresses such semantics internally, it is not a pure model.

Contrast this situation with properties that might be externally used for purposes of information security such as managing access or entitlement, but which are simply stored, maintained and retrieved, without special treatment by the model. The absence of external semantics within the model qualifies it as a "pure identity" model.

Identity management can thus be defined as a set of operations on a given identity model, or more generally, as a set of capabilities with reference to it.

In practice, identity management often expands to express how model content is to be provisioned and reconciled among multiple identity models. The process of reconciling accounts may also be referred to as de-provisioning. [7]

User access

User access enables users to assume a specific digital identity across applications, which enables access controls to be assigned and evaluated against this identity. The use of a single identity for a given user across multiple systems eases tasks for administrators and users. It simplifies access monitoring and verification and allows the organizations to minimize excessive privileges granted to one user. Ensuring user access security is crucial in this process, as it involves protecting the integrity and confidentiality of user credentials and preventing unauthorized access. Implementing robust authentication mechanisms, such as multi-factor authentication (MFA), regular security audits, and strict access controls, helps safeguard user identities and sensitive data. User access can be tracked from initiation to termination of user access.

When organizations deploy an identity management process or system, their motivation is normally not primarily to manage a set of identities, but rather to grant appropriate access rights to those entities via their identities. In other words, access management is normally the motivation for identity management and the two sets of processes are consequently closely related. [8]

Services

Organizations continue to add services for both internal users and by customers. Many such services require identity management to properly provide these services. Increasingly, identity management has been partitioned from application functions so that a single identity can serve many or even all of an organization's activities. [8]

For internal use identity management is evolving to control access to all digital assets, including devices, network equipment, servers, portals, content, applications and/or products.

Services often require access to extensive information about a user, including address books, preferences, entitlements and contact information. Since much of this information is subject to privacy and/or confidentiality requirements, controlling access to it is vital. [9]

Identity federation

Identity federation comprises one or more systems that share user access and allow users to log in based on authenticating against one of the systems participating in the federation. This trust between several systems is often known as a "circle of trust". In this setup, one system acts as the identity provider (IdP) and other systems act as service providers (SPs). When a user needs to access some service controlled by SP, they first authenticate against the IdP. Upon successful authentication, the IdP sends a secure "assertion" to the SP. "SAML assertions, specified using a markup language intended for describing security assertions, can be used by a verifier to make a statement to a relying party about the identity of a claimant. SAML assertions may optionally be digitally signed." [10]

System capabilities

In addition to creation, deletion, modification of user identity data either assisted or self-service, identity management controls ancillary entity data for use by applications, such as contact information or location.

Privacy

Putting personal information onto computer networks necessarily raises privacy concerns. Absent proper protections, the data may be used to implement a surveillance society. [12]

Social web and online social networking services make heavy use of identity management. Helping users decide how to manage access to their personal information has become an issue of broad concern. [13] [14]

Research

Research related to the management of identity covers disciplines such as technology, social sciences, humanities and the law. [15]

Decentralized identity management is identity management based on decentralized identifiers (DIDs). [16]

European research

Within the Seventh Research Framework Programme of the European Union from 2007 to 2013, several new projects related to Identity Management started.

The PICOS Project investigates and develops a state-of-the-art platform for providing trust, privacy and identity management in mobile communities. [17]

SWIFT focuses on extending identity functions and federation to the network while addressing usability and privacy concerns and leverages identity technology as a key to integrate service and transport infrastructures for the benefit of users and the providers. [18]

Ongoing projects

Ongoing projects include Future of Identity in the Information Society (FIDIS), [19] GUIDE, [20] and PRIME. [21]

Publications

Academic journals that publish articles related to identity management include:

Less specialized journals publish on the topic and, for instance, have special issues on identity such as:

Standardization

ISO (and more specifically ISO/IEC JTC 1, SC27 IT Security techniques WG5 Identity Access Management and Privacy techniques) is conducting some standardization work for identity management ( ISO 2009 ), such as the elaboration of a framework for identity management, including the definition of identity-related terms. The published standards and current work items includes the following:

Organization implications

In each organization there is normally a role or department that is responsible for managing the schema of digital identities of their staff and their own objects, which are represented by object identities or object identifiers (OID). [23] The organizational policies and processes and procedures related to the oversight of identity management are sometimes referred to as Identity Governance and Administration (IGA). How effectively and appropriately such tools are used falls within scope of broader governance, risk management, and compliance regimes.

Since 2016 identity and access management professionals have their own professional organization, IDPro. In 2018 the committee initiated the publication of An Annotated Bibliography, listing a number of important publications, books, presentations and videos. [24]

Management systems

An identity-management system refers to an information system, or to a set of technologies that can be used for enterprise or cross-network identity management.

The following terms are used in relationship with "identity-management system": [25]

Identity management, otherwise known as identity and access management (IAM) is an identity security framework that works to authenticate and authorize user access to resources such as applications, data, systems, and cloud platforms. It seeks to ensure only the right people are being provisioned to the right tools, and for the right reasons. As our digital ecosystem continues to advance, so does the world of identity management.

"Identity management" and "access and identity management" (or AIM) are terms that are used interchangeably under the title of identity management while identity management itself falls under the umbrella of IT security [26] and information privacy [27] [28] and privacy risk [29] as well as usability and e-inclusion studies. [30] [31]

Standards

See also

Related Research Articles

<span class="mw-page-title-main">OSI model</span> Model of communication of seven abstraction layers

The Open Systems Interconnection (OSI) model is a reference model from the International Organization for Standardization (ISO) that "provides a common basis for the coordination of standards development for the purpose of systems interconnection." In the OSI reference model, the communications between systems are split into seven different abstraction layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, network switches, servers, workstations, printers, and more.

Authorization or authorisation is the function of specifying rights/privileges for accessing resources, which is related to general information security and computer security, and to IAM in particular. More formally, "to authorize" is to define an access policy during the configuration of systems and user accounts. For example, user accounts for human resources staff are typically configured with authorization for accessing employee records, and this policy gets formalized as access control rules in a computer system. Authorization must not be confused with access control. During usage, access control enforces the authorization policy by deciding whether access requests to resources from (authenticated) consumers shall be approved (granted) or disapproved (rejected). Resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer software and other hardware on the computer.

Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.

A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

A digital identity is data stored on computer systems relating to an individual, organization, application, or device. For individuals, it involves the collection of personal data that is essential for facilitating automated access to digital services, confirming one's identity on the internet, and allowing digital systems to manage interactions between different parties. It is a component of a person's social identity in the digital realm, often referred to as their online identity.

Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. IA encompasses both digital protections and physical techniques. These methods apply to data in transit, both physical and electronic forms, as well as data at rest. IA is best thought of as a superset of information security, and as the business outcome of information risk management.

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

Security controls or security measures are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information security, cybersecurity and privacy protection — Information security controls.

The ISO/IEC 27000 family comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

In computer security, general access control includes identification, authorization, authentication, access approval, and audit. A more narrow definition of access control would cover only access approval, whereby the system makes a decision to grant or reject an access request from an already authenticated subject, based on what the subject is authorized to access. Authentication and access control are often combined into a single operation, so that access is approved based on successful authentication, or based on an anonymous access token. Authentication methods and tokens include passwords, biometric scans, physical keys, electronic keys and devices, hidden paths, social barriers, and monitoring by humans and automated systems.

Enhanced Privacy ID (EPID) is Intel Corporation's recommended algorithm for attestation of a trusted system while preserving privacy. It has been incorporated in several Intel chipsets since 2008 and Intel processors since 2011. At RSAC 2016 Intel disclosed that it has shipped over 2.4B EPID keys since 2008. EPID complies with international standards ISO/IEC 20008 / 20009, and the Trusted Computing Group (TCG) TPM 2.0 for authentication. Intel contributed EPID intellectual property to ISO/IEC under RAND-Z terms. Intel is recommending that EPID become the standard across the industry for use in authentication of devices in the Internet of Things (IoT) and in December 2014 announced that it was licensing the technology to third-party chip makers to broadly enable its use.

WebUSB is a JavaScript application programming interface (API) specification for securely providing access to USB devices from web applications.

System and Organization Controls as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Criteria. The Trust Services Criteria were established by The AICPA through its Assurance Services Executive Committee (ASEC) in 2017. These control criteria are to be used by the practitioner/examiner in attestation or consulting engagements to evaluate and report on controls of information systems offered as a service. The engagements can be done on an entity wide, subsidiary, division, operating unit, product line or functional area basis. The Trust Services Criteria were modeled in conformity to The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework. In addition, the Trust Services Criteria can be mapped to NIST SP 800 - 53 criteria and to EU General Data Protection Regulation (GDPR) Articles. The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18, section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.

References

  1. Silva, Edelberto Franco; Muchaluat-Saade, Débora Christina; Fernandes, Natalia Castro (1 January 2018). "ACROSS: A generic framework for attribute-based access control with distributed policies for virtual organizations". Future Generation Computer Systems. 78: 1–17. doi:10.1016/j.future.2017.07.049. ISSN   0167-739X.
  2. "identity management (ID management)". SearchSecurity. 1 October 2013. Retrieved 2 March 2017.
  3. "What is identity management (ID management) ? – Definition from WhatIs.com". SearchSecurity. Retrieved 20 December 2019.
  4. Functional requirements for privacy enhancing systems Fred Carter, OECD Workshop on Digital Identity Management, Trondheim, Norway, 9 May 2007 (PPT presentation)
  5. Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) Archived 13 August 2009 at the Wayback Machine , Recommendations of the National Institute of Standards and Technology, January 2009
  6. PII (Personally Identifiable Information) Archived 28 April 2009 at the Wayback Machine , The Center For Democracy & Technology, 14 September 2007
  7. "What is IAM? Identity and access management explained". CSO Online. Retrieved 24 April 2024.
  8. 1 2 "What is identity management (ID management) ? – Definition from WhatIs.com". SearchSecurity. Retrieved 3 December 2018.
  9. Networks, Institute of Medicine (US) Committee on Regional Health Data; Donaldson, Molla S.; Lohr, Kathleen N. (1994). Confidentiality and Privacy of Personal Data. National Academies Press (US).
  10. Burr, William E.; Dodson, Donna F.; Polk, W. Timothy (2006). "Information Security" (PDF). NIST Special Publication. CiteSeerX   10.1.1.153.2795 . doi:10.6028/NIST.SP.800-63v1.0.2. OCLC   655513066 . Retrieved 10 October 2015.
  11. "Working Groups | Identity Commons". Idcommons.org. Retrieved 12 January 2013.
  12. Taylor, Lips & Organ 2009.
  13. Gross, Acquisti & Heinz 2005.
  14. Taylor 2008.
  15. Halperin & Backhouse 2008.
  16. "Decentralized Identifiers (DIDs)". World Wide Web Consortium . 8 June 2020. Retrieved 22 June 2020.
  17. PICOS
  18. "ist-swift.org".
  19. FIDISCoord (DR). "Home: Future of IDentity in the Information Society".
  20. "Creating a European Identity Management Architecture for eGovernment". istrg.som.surrey.ac.uk. Archived from the original on 8 May 2009.
  21. "PRIME – Privacy and Identity Management for Europe". Portal for the PRIME Project. 28 September 2006. Archived from the original on 10 October 2007.
  22. "Special Issue: Special section on: Digital identity management". Online Information Review. 33 (3). Bradford: MCB University Press. 19 June 2009. ISSN   1468-4527. OCLC   807197565, 676858452 . Retrieved 29 January 2021.
  23. Object Id's (OID'S), PostgreSQL: Introduction and Concepts, in Bruce Momjian, 21 November 1999
  24. "An Annotated Bibliography" (PDF). Retrieved 6 September 2019.
  25. "What is identity management (ID management)? Definition from SearchSecurity". Security. Retrieved 16 April 2023.
  26. "Identity management as a component of IT Security".
  27. Rannenberg, Kai; Royer, Denis; Deuker, André, eds. (2009). The Future of Identity in the Information Society. Berlin, Heidelberg: Springer Berlin Heidelberg. doi:10.1007/978-3-642-01820-6. ISBN   978-3-540-88480-4. S2CID   153140099.
  28. Fritsch, Lothar (March 2013). "The Clean Privacy Ecosystem of the Future Internet". Future Internet. 5 (1): 34–45. doi: 10.3390/fi5010034 .
  29. Paintsil, Ebenezer; Fritsch, Lothar (2013), "Executable Model-Based Risk Analysis Method for Identity Management Systems: Using Hierarchical Colored Petri Nets", Trust, Privacy, and Security in Digital Business, Springer Berlin Heidelberg, pp. 48–61, doi:10.1007/978-3-642-40343-9_5, ISBN   978-3-642-40342-2
  30. Fritsch, Lothar; Fuglerud, Kristin Skeide; Solheim, Ivar (1 December 2010). "Towards inclusive identity management". Identity in the Information Society. 3 (3): 515–538. doi: 10.1007/s12394-010-0075-6 . ISSN   1876-0678.
  31. Røssvoll, Till Halbach; Fritsch, Lothar (2013). "Trustworthy and Inclusive Identity Management for Applications in Social Media". In Kurosu, Masaaki (ed.). Human-Computer Interaction. Users and Contexts of Use. Lecture Notes in Computer Science. Vol. 8006. Springer Berlin Heidelberg. pp. 68–77. doi: 10.1007/978-3-642-39265-8_8 . ISBN   978-3-642-39265-8.

Sources

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.