Identity and Access Management (IAM)

Why have enterprises started to implement IAM?

IAM has emerged as a critical foundation for realizing the business benefits of cost savings, management control, operational efficiency and business growth.  Enterprises need to manage access to information and applications scattered across internal and external application systems.  Moreover, they must provide this access for a growing number of identities, both inside and outside the organization, without compromising security or exposing sensitive information.  In addition, they must ensure the correctness of identity data for the IAM Framework to function properly.

What is an IAM Framework?

An IAM Framework can be divided into four major areas: Authentication, Authorization, User Management and Central User Repository.  The IAM components are grouped under these four areas.  The ultimate goal of the IAM Framework is ‘to provide the right people with the right access at the right time‘ (see the diagram below ‘What is Identity & Access Management?’).

[Diagram: ‘What is Identity & Access Management?’]

Authentication is the area through which a user provides sufficient credentials to gain initial access to an application system or a particular resource.  Once a user is authenticated, a session is created and referenced throughout the interaction between the user and the application system until the user logs off or the session is terminated by other means (e.g. timeout).
When the user ID/password authentication method is used, this area usually includes a password service module.  By centrally maintaining the user's session, it provides Single Sign-On (SSO), so the user need not log on again when accessing another application system or resource governed by the same IAM Framework.
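The following is an added example, not code from the original page, showing the two mechanisms described above in Python: a password service that verifies credentials without storing plaintext, and a central session store that any application in the framework can query, which is what makes Single Sign-On and idle timeout work. The in-memory stores, the 900-second timeout and the PBKDF2 work factor are assumptions chosen for the example; the clock is injected so the timeout can be exercised deterministically.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed values (not from the original text): idle timeout and PBKDF2 work factor.
SESSION_TIMEOUT = 900          # seconds of inactivity after which a session is terminated
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the salted PBKDF2-HMAC-SHA256 digest is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Session:
    user_id: str
    last_seen: float   # clock reading of the most recent validated request


class AuthenticationService:
    """Password service plus the central session store shared by every application
    governed by the framework. `now` is an injected clock so timeouts can be tested."""

    def __init__(self, now: Callable[[], float]) -> None:
        self._now = now
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # constructed in-memory credential store
        self._sessions: Dict[str, Session] = {}             # session token -> Session

    def register(self, user_id: str, password: str) -> None:
        self._users[user_id] = hash_password(password)

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Verify credentials; on success create a session and return its token, otherwise None."""
        record = self._users.get(user_id)
        if record is None:
            hash_password(password)   # same cost for unknown ids, so response time does not reveal which ids exist
            return None
        salt, stored_digest = record
        if not hmac.compare_digest(hash_password(password, salt)[1], stored_digest):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._now())
        return token

    def validate(self, token: str) -> Optional[str]:
        """Called by any application in the framework on each request. Returns the user id
        of a live session (this is what gives Single Sign-On) or None. A session idle for
        longer than SESSION_TIMEOUT is terminated here rather than by the application."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._now() - session.last_seen > SESSION_TIMEOUT:
            del self._sessions[token]
            return None
        session.last_seen = self._now()
        return session.user_id

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```

Each application keeps no credential logic of its own: it forwards the session token to `validate` and trusts the returned user id, which is why a single logout or timeout in the central store ends access across every application at once.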

Authorization is the area that determines whether a user is permitted to access a particular resource.  Authorization is performed by checking the resource access request, typically a URL in a web-based application, against authorization policies stored in an IAM policy store.
Authorization is the core area that implements role-based access control.  Moreover, the authorization model can provide fine-grained access controls based on policies that take into account user attributes, user roles/groups, the action taken, the access channel, time, the resource requested, external data and business rules.
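As an added example (not code from the original page), here is a small deny-by-default policy store in Python that evaluates a resource access request, expressed as a URL plus action, against policies keyed on roles and enriched with the kinds of conditions the paragraph lists (access channel, time of day, a business rule). The URL paths, role names, channel names and policies are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from fnmatch import fnmatch
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    action: str                 # e.g. "GET", "POST", "DELETE"
    url: str                    # the requested resource, as in a web application
    channel: str                # "intranet" or "internet" (constructed channel names)
    at: time                    # wall-clock time of the request
    attributes: Dict[str, str] = field(default_factory=dict)   # other user attributes, if any


@dataclass
class Policy:
    url_pattern: str                               # glob over the URL path
    actions: FrozenSet[str]
    roles: FrozenSet[str] = frozenset()            # empty set means "any role"
    effect: str = "allow"                          # "allow" or "deny"
    condition: Optional[Callable[[AccessRequest], bool]] = None   # business rule, channel, time, ...

    def matches(self, req: AccessRequest) -> bool:
        return (fnmatch(req.url, self.url_pattern)
                and req.action in self.actions
                and (not self.roles or bool(self.roles & req.roles))
                and (self.condition is None or self.condition(req)))


class PolicyStore:
    """Deny-by-default evaluation: any matching deny policy wins; otherwise at least one
    matching allow policy is needed; no match at all means the request is refused."""

    def __init__(self, policies: List[Policy]) -> None:
        self.policies = list(policies)

    def is_permitted(self, req: AccessRequest) -> bool:
        matched = [p for p in self.policies if p.matches(req)]
        if any(p.effect == "deny" for p in matched):
            return False
        return any(p.effect == "allow" for p in matched)


def business_hours(req: AccessRequest) -> bool:
    return time(8, 0) <= req.at <= time(18, 0)


# Constructed policy set for a hypothetical HR application.
POLICIES = [
    Policy("/hr/payroll/*", frozenset({"GET", "POST"}), frozenset({"payroll_clerk"}),
           condition=business_hours),
    Policy("/hr/payroll/*", frozenset({"GET"}), frozenset({"auditor"})),
    # Business rule: HR data is never reachable over the internet channel, whatever the role.
    Policy("/hr/*", frozenset({"GET", "POST", "DELETE"}), effect="deny",
           condition=lambda r: r.channel == "internet"),
    Policy("/public/*", frozenset({"GET"}), frozenset({"employee", "contractor"})),
]
STORE = PolicyStore(POLICIES)


def check(user: str, roles, action: str, url: str, channel: str, at: time) -> bool:
    """Convenience wrapper: build the request and ask the policy store."""
    return STORE.is_permitted(AccessRequest(user, frozenset(roles), action, url, channel, at))
```

The ordering rule matters more than the policy syntax: because an explicit deny overrides every allow and an unmatched request is refused, adding a new application URL without a policy cannot accidentally open it, and a channel restriction can be stated once rather than repeated in every role's policy.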

The User Management area comprises user account management, password management, role/group management and user/group provisioning.  It defines the set of administrative functions such as identity creation, propagation, and maintenance of user identity and privileges.  One of its components is user life cycle management, which enables an enterprise to manage the lifespan of a user account, from the initial stage of provisioning to the final stage of de-provisioning.
Some user management functions should be centralized while others should be delegated to end users.  Delegated administration allows an enterprise to distribute workload directly to user departments.  Delegation can also improve the accuracy of system data by assigning responsibility for updates to the people closest to the situation and the information.
Self-service is another key concept within user management.  Through a self-profile management service an enterprise benefits from timely updates and accurate maintenance of identity data.  Another popular self-service function is self-service password reset, which significantly reduces the help desk workload of handling password reset requests.
User management requires an integrated workflow capability to approve some user actions, such as user account provisioning and de-provisioning.
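The following added example (not from the original page) models the life cycle described in this section in Python: an account moves from requested, through workflow approval, to active, and finally to de-provisioned, and approval or de-provisioning is allowed either to a central administrator or to the delegated administrator of the user's own department. Department names, role names and the in-memory account table are constructed for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Set


class State(Enum):
    REQUESTED = "requested"          # request raised, awaiting workflow approval
    APPROVED = "approved"            # approved, not yet pushed to target systems
    ACTIVE = "active"                # provisioned; privileges are in effect
    DEPROVISIONED = "deprovisioned"  # end of life: privileges withdrawn


@dataclass
class Account:
    user_id: str
    department: str
    roles: Set[str] = field(default_factory=set)
    state: State = State.REQUESTED
    history: List[str] = field(default_factory=list)   # audit trail of life-cycle events


class UserManagement:
    """Central user management with delegated administration per department."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}          # constructed in-memory account store
        self.central_admins: Set[str] = set()            # may administer every department
        self.delegated_admins: Dict[str, str] = {}       # admin user id -> department they administer

    def _can_administer(self, actor: str, department: str) -> bool:
        return actor in self.central_admins or self.delegated_admins.get(actor) == department

    def request_account(self, user_id: str, department: str, roles: Iterable[str], requested_by: str) -> Account:
        acct = Account(user_id, department, set(roles))
        acct.history.append(f"requested by {requested_by}")
        self.accounts[user_id] = acct
        return acct

    def approve(self, approver: str, user_id: str) -> None:
        """Workflow step: only a central admin or the delegated admin of the user's department may approve."""
        acct = self.accounts[user_id]
        if acct.state is not State.REQUESTED:
            raise ValueError(f"{user_id} is {acct.state.value}, not awaiting approval")
        if not self._can_administer(approver, acct.department):
            raise PermissionError(f"{approver} may not approve accounts in {acct.department}")
        acct.state = State.APPROVED
        acct.history.append(f"approved by {approver}")

    def provision(self, user_id: str) -> None:
        """Push the approved identity to target systems; refuses anything that skipped approval."""
        acct = self.accounts[user_id]
        if acct.state is not State.APPROVED:
            raise ValueError(f"{user_id} must be approved before provisioning")
        acct.state = State.ACTIVE
        acct.history.append("provisioned")

    def deprovision(self, actor: str, user_id: str) -> None:
        """End of the life cycle: privileges are withdrawn, not merely the login."""
        acct = self.accounts[user_id]
        if not self._can_administer(actor, acct.department):
            raise PermissionError(f"{actor} may not deprovision accounts in {acct.department}")
        acct.roles.clear()
        acct.state = State.DEPROVISIONED
        acct.history.append(f"deprovisioned by {actor}")

    def effective_roles(self, user_id: str) -> Set[str]:
        """Roles that should be honoured by authorization: only an ACTIVE account carries any."""
        acct = self.accounts[user_id]
        return set(acct.roles) if acct.state is State.ACTIVE else set()
```

Two design points carry over to real deployments: `effective_roles` is the only thing authorization should consult, so an account that is merely requested or already de-provisioned grants nothing even if roles were recorded on it, and every transition is written to `history`, which is the record an auditor uses to confirm that provisioning did not bypass the approval workflow.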

Central User Repository stores and delivers identity information to other services, and provides a service to verify credentials submitted by clients.  The Central User Repository presents an aggregate or logical view of the identities of an enterprise.
Directory services based on the LDAPv3 standard have become the dominant technology for the Central User Repository.  Both meta-directories and virtual directories can be used to manage disparate identity data from the user repositories of different applications and systems.  A meta-directory typically provides an aggregate set of identity data by merging data from different identity sources into a meta-set.  It usually comes with a two-way data synchronization service to keep the data in step with the other identity sources.  A virtual directory delivers a unified LDAP view of consolidated identity information; multiple databases containing different sets of users are combined in real time behind the scenes.
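As an added example (not code from the original page), the Python below contrasts the two consolidation approaches just described. Both merge the same identity sources using the same precedence order for conflicting attributes, but the virtual directory builds the unified view at query time from the live sources, while the meta-directory serves from an aggregate copy that is only as current as its last synchronization run. The sources are constructed in-memory dictionaries standing in for real LDAP or database back ends; the source names, attribute names and sample entries are assumptions.

```python
from typing import Dict, List, Optional, Set

Entry = Dict[str, str]


class IdentitySource:
    """One backing user store (an HR database, an application's user table, ...). Constructed stand-in."""

    def __init__(self, name: str, entries: List[Entry]) -> None:
        self.name = name
        self._entries: Dict[str, Entry] = {e["uid"]: dict(e) for e in entries}

    def lookup(self, uid: str) -> Optional[Entry]:
        entry = self._entries.get(uid)
        return dict(entry) if entry is not None else None

    def update(self, uid: str, **attrs: str) -> None:
        self._entries[uid].update(attrs)

    def all_uids(self) -> Set[str]:
        return set(self._entries)


def merge(per_source: Dict[str, Entry], precedence: List[str]) -> Entry:
    """Merge attribute sets; for a conflicting attribute the source earliest in `precedence` wins."""
    merged: Entry = {}
    for name in reversed(precedence):          # lowest precedence first, so higher ones overwrite
        if name in per_source:
            merged.update(per_source[name])
    return merged


class VirtualDirectory:
    """Unified view assembled at query time: every lookup consults the live sources."""

    def __init__(self, sources: List[IdentitySource], precedence: List[str]) -> None:
        self.sources = sources
        self.precedence = precedence

    def lookup(self, uid: str) -> Optional[Entry]:
        found = {}
        for source in self.sources:
            entry = source.lookup(uid)
            if entry is not None:
                found[source.name] = entry
        return merge(found, self.precedence) if found else None


class MetaDirectory:
    """Aggregate copy (the meta-set) built by a synchronization run and served from until the next run."""

    def __init__(self, sources: List[IdentitySource], precedence: List[str]) -> None:
        self.sources = sources
        self.precedence = precedence
        self._meta: Dict[str, Entry] = {}

    def synchronize(self) -> int:
        """Rebuild the meta-set from all sources; returns the number of identities aggregated."""
        uids: Set[str] = set()
        for source in self.sources:
            uids |= source.all_uids()
        self._meta = {}
        for uid in uids:
            found = {}
            for source in self.sources:
                entry = source.lookup(uid)
                if entry is not None:
                    found[source.name] = entry
            self._meta[uid] = merge(found, self.precedence)
        return len(self._meta)

    def lookup(self, uid: str) -> Optional[Entry]:
        entry = self._meta.get(uid)
        return dict(entry) if entry is not None else None
```

The practical consequence is the trade-off between freshness and dependency: a virtual directory reflects a change in the authoritative source immediately but is unavailable whenever that source is, whereas a meta-directory keeps answering from its own copy and reflects the change only after the next synchronization, which is why the two-way synchronization service mentioned above is an integral part of the meta-directory rather than an optional add-on.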

How can an organization benefit from implementing IAM?

Business value improves when an organization is able to protect its information assets appropriately.  IAM provides the reliability and accessibility of user access control that is imperative for most e-business sites today.
IAM enables new users, employees or contractors to obtain the information they need from applications so that they can be productive, while at the same time allowing the organization to keep their access rights in check according to what their roles require.
The key benefits of implementing IAM are as follows: