This document lays out best practices for identity and access management systems. These systems may be deployed in a variety of contexts -- corporate, customer-facing, partner-facing, etc. These deployment patterns are also described.
Identity and Access Management
Identity and access management is a term often used by different industry participants -- software vendors, integrators, customers and analysts -- to mean different things. It makes sense, therefore, to start with some definitions:
Following are the most basic definitions relating to identity and access management systems:
- Identity -- A digital representation of a person or a purely virtual entity which is managed similarly to a person.
- Account -- The representation of an identity on a single system or application.
- Credential -- Something used by a person or virtual entity to prove its identity to a system or application. For example, a password, answers to security questions, a hardware token, a soft token, etc.
- Entitlement -- An access right assigned to an account, typically within the context of a single system or application. Most commonly entitlements are group memberships or application roles.
- Account repository -- A database, either published (e.g., as a directory) or internal to a single system or application, which enumerates accounts, along with related credentials and entitlements for each account.
An identity and access management system (IAM for short) is a system which automates the management of identities, accounts, entitlements and credentials. These artifacts are managed where they already exist, on one or more account repositories. Automation in the context of IAM refers to the execution of clearly defined business processes. Each such process has inputs (data feeds or user requests), implements policies, executes workflows to interact with people, and has outputs (integrations to account repositories).
Identity management is a prerequisite to account management, which in turn is a prerequisite to the management of entitlements and credentials. In most cases, it is the management of entitlements and credentials that is of interest and which yields value to an organization. The management of identities and accounts is a necessary prerequisite, but not very valuable in and of itself.
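The following Python sketch is an added illustration of the automation cycle just described; it is not code from the original document or from any IAM product. It takes one input (a constructed HR data feed of identities), applies one policy (a hypothetical mapping from job role to entitlements), and produces one output (a list of changes to push to an account repository). The login naming convention, the role-to-entitlement table and all sample records are assumptions made for the example. It also shows the ordering the text insists on: an account is created before any entitlement is granted on it, and a leaver's entitlements are revoked as part of deactivating the account.

```python
"""Reconcile an HR identity feed against an account repository (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Policy (assumed for the example): entitlements, here group memberships,
# that each job role is entitled to. Roles absent from this table get nothing,
# i.e. the policy fails closed.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "accountant": {"finance-users", "erp-readonly"},
    "payroll-clerk": {"finance-users", "erp-readonly", "payroll-admins"},
    "engineer": {"dev-users", "git-push"},
}


@dataclass(frozen=True)
class Identity:
    """One record from the HR feed: the person, not any particular account."""
    employee_id: str
    role: str
    active: bool


@dataclass
class Account:
    """One record from the account repository, linked to an identity by employee_id."""
    login: str
    employee_id: str
    enabled: bool
    entitlements: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Change:
    """One action for the account repository integration to carry out."""
    action: str  # create | enable | disable | grant | revoke | flag
    employee_id: str
    detail: str = ""


def login_for(identity: Identity) -> str:
    """Assumed naming convention for new logins."""
    return f"u{identity.employee_id}"


def reconcile(identities: list[Identity], accounts: list[Account]) -> list[Change]:
    """Compute the changes that bring accounts in line with identities plus policy."""
    by_employee = {a.employee_id: a for a in accounts}
    changes: list[Change] = []

    for ident in identities:
        acct = by_employee.get(ident.employee_id)

        if not ident.active:
            # Leaver: disable the account and revoke every entitlement it holds.
            if acct is not None:
                if acct.enabled:
                    changes.append(Change("disable", ident.employee_id, acct.login))
                for ent in sorted(acct.entitlements):
                    changes.append(Change("revoke", ident.employee_id, ent))
            continue

        if acct is None:
            # Joiner: the account must exist before entitlements can be granted.
            changes.append(Change("create", ident.employee_id, login_for(ident)))
            current: set[str] = set()
        else:
            if not acct.enabled:
                changes.append(Change("enable", ident.employee_id, acct.login))
            current = acct.entitlements

        # Mover (or drift): grant what the role needs, revoke what it no longer needs.
        wanted = ROLE_ENTITLEMENTS.get(ident.role, set())
        for ent in sorted(wanted - current):
            changes.append(Change("grant", ident.employee_id, ent))
        for ent in sorted(current - wanted):
            changes.append(Change("revoke", ident.employee_id, ent))

    # Orphans: accounts with no identity in the feed. Flag for human review rather
    # than disabling automatically; the right policy here is an assumption.
    known = {i.employee_id for i in identities}
    for acct in accounts:
        if acct.employee_id not in known and acct.enabled:
            changes.append(Change("flag", acct.employee_id, f"{acct.login}: no identity in feed"))

    return changes


# Constructed sample data: one unchanged worker needing a missing group, one
# mover (payroll-clerk to engineer), one joiner, one leaver, and one orphan.
SAMPLE_IDENTITIES = [
    Identity("E100", "accountant", True),
    Identity("E101", "engineer", True),
    Identity("E102", "engineer", True),
    Identity("E103", "accountant", False),
]
SAMPLE_ACCOUNTS = [
    Account("uE100", "E100", True, {"finance-users"}),
    Account("uE101", "E101", True, {"finance-users", "erp-readonly", "payroll-admins"}),
    Account("uE103", "E103", True, {"finance-users", "erp-readonly"}),
    Account("svc-legacy", "E999", True, {"erp-readonly"}),
]

if __name__ == "__main__":
    for change in reconcile(SAMPLE_IDENTITIES, SAMPLE_ACCOUNTS):
        print(f"{change.action:8} {change.employee_id:6} {change.detail}")
```

Two design points are worth noting. The policy lookup fails closed: an identity whose role is unknown to the table ends up with no entitlements rather than keeping whatever it had, which is the least-privilege default. Orphan accounts are surfaced rather than disabled because, in practice, many are service accounts with no owning identity, and the decision to disable them belongs in a workflow with a human approver, not in the reconciliation step.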
Other names for the same type of system
Just as the term identity and access management is sometimes used to refer to other types of systems, so too are other terms sometimes used to refer to IAM. These include:
- Identity management (as though access rights are not also managed).
- User provisioning (as though onboarding, but not change management or deactivation, is the only objective).
- Access governance (as though routine administration is excluded).
- Identity and access governance.
Technically, products in this space are used for administration and governance of identities, entitlements and credentials, but nobody calls these systems "identity, entitlement and credential administration and governance."
Related, but distinct types of systems
People new to IAM systems sometimes confuse them with related, but nonetheless distinct types of systems:
- Directories -- Contain lists of users and other objects, such as groups and computers. Publish this information via a standard interface, such as the Lightweight Directory Access Protocol (LDAP). Directories do not embody any business process -- they simply house and make accessible a set of data.
- Authentication systems -- Used to provide either more convenient or more secure mechanisms for users to sign into systems, as compared to the passwords built into most account repositories. They may include hardware tokens, biometrics, smart cards or apps on mobile phones. Authentication systems do not manage any existing identities, credentials or entitlements. Rather, an IAM system should manage the directory that underpins each authentication system, and users should be able to sign into the IAM system itself using business-appropriate authentication methods.
- Federated access -- A form of single sign-on where a user is authenticated by one service (the identity provider or IdP) before being able to interact with another service (the service provider or SP). Typically based on a standard for signed assertions about user identities and entitlements, such as the XML-based Security Assertion Markup Language (SAML). IAM systems should manage the directory that underpins the IdP, and users should be able to sign into the IAM system using federated assertions.
- Web single sign-on (Web-SSO) -- Older forms of single sign-on, strictly into web applications, which either install an agent on each web application or proxy connections between users and web sites. Just like federated IdPs, Web SSO systems normally rely on a directory, which should be managed by the IAM system.
- Password management -- Self-service systems allowing users to synchronize multiple passwords to a single value, clear intruder lockouts and reset forgotten passwords. Some IAM systems incorporate self-service password management, while others may integrate with (e.g., to share integrations to account repositories) or simply co-exist. Whereas an IAM system mainly manages identities, accounts and entitlements, password management systems mainly manage credentials.
- Enterprise single sign-on (E-SSO) -- Systems which detect login IDs and passwords typed by users, store these and replay them on subsequent logins to the same application. Normally based on "screen scraping" technology on the user's endpoint device. Require a secure way to store credentials (a password wallet) and may integrate with authentication systems prior to unlocking this storage. IAM systems may have to inject passwords for newly created accounts into these systems.