Identity Management, or IdM, is a set of practices that help to manage user identities within an enterprise setting. The goal of IdM is to ensure that each person in the organization has a secure digital identity and that this identity has the appropriate access permissions.
What is the Purpose of Identity Management?
Internal systems are governed by permissions. Each person that accesses a system, such as a database, must have the appropriate permission: read permissions if they wish to view data; read-write permissions if they want to make changes to data; admin permissions if they're going to make structural changes.
Permission requirements change over time. Sometimes, people need additional permissions to perform their roles. Other times, the person's responsibilities might change, which means that they no longer need certain permissions, in which case those permissions should be revoked.
IdM can be handled on a per-user basis, with each person assigned a unique set of permissions. In larger organizations, it is often done on a per-role basis. For example, a business might have a Sales role, an HR role, and a Customer Service role. Each individual person is matched to their relevant role. When, for example, salespeople need an additional permission, the Sales role is updated accordingly.
IdM is about ensuring that everyone has the permissions they need, and no more. To do this, administrators create secure profiles that are matched to each individual. IdM keeps these profiles up-to-date through robust policies and the use of IdM tools.
An IdM infrastructure will be responsible for:
- Creating and managing user profiles
- Implementing security rules, such as two-factor authentication
- Managing user roles and associated permissions
- Automatic provisioning and de-provisioning of permissions
- Allowing delegation of identity management tasks, such as profile creation
- Facilitating user self-service options, such as password resets
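The per-role model and the provisioning and de-provisioning responsibilities described above can be made concrete in a few dozen lines. The following is an added example, not code from the original article or from any IdM product: a small in-memory identity store in which permissions hang off roles, a role change automatically reports what was provisioned and revoked, and an audit routine flags permissions a user holds outside the role model (the typical leftovers of a job change that was never cleaned up). All role names, usernames and permission strings are constructed for illustration.

```python
"""Added example (not from the original article): a minimal role-based
identity store with per-role permission management, automatic
provisioning/de-provisioning on role change, and an audit for drift.
All roles, users and permission strings below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Permissions are modelled as "system:level" strings, e.g. "crm:read".
Permission = str


@dataclass
class Role:
    name: str
    permissions: set[Permission] = field(default_factory=set)


@dataclass
class User:
    username: str
    roles: set[str] = field(default_factory=set)
    # Permissions granted directly to the user, bypassing the role model.
    # These are exactly what an audit should scrutinise.
    direct_grants: set[Permission] = field(default_factory=set)


class IdentityStore:
    """Central repository, provisioning system and audit tool in one object."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}
        self.users: dict[str, User] = {}

    # --- administration module ------------------------------------------
    def define_role(self, name: str, permissions: set[Permission]) -> None:
        self.roles[name] = Role(name, set(permissions))

    def grant_to_role(self, role: str, permission: Permission) -> None:
        # Updating the role provisions the permission to every member at once.
        self.roles[role].permissions.add(permission)

    def add_user(self, username: str, roles: set[str]) -> None:
        unknown = set(roles) - set(self.roles)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.users[username] = User(username, set(roles))

    def change_roles(self, username: str, new_roles: set[str]) -> dict[str, set[Permission]]:
        """Move a user to a new set of roles and report what that
        provisioned and de-provisioned, so the change is auditable."""
        unknown = set(new_roles) - set(self.roles)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        before = self.effective_permissions(username)
        self.users[username].roles = set(new_roles)
        after = self.effective_permissions(username)
        return {"provisioned": after - before, "deprovisioned": before - after}

    # --- access check used by the authentication/authorization layer -------
    def effective_permissions(self, username: str) -> set[Permission]:
        user = self.users[username]
        perms = set(user.direct_grants)
        for role_name in user.roles:
            perms |= self.roles[role_name].permissions
        return perms

    def is_allowed(self, username: str, permission: Permission) -> bool:
        return permission in self.effective_permissions(username)

    # --- auditing tool ----------------------------------------------------
    def audit_direct_grants(self) -> dict[str, set[Permission]]:
        """Flag permissions held outside the role model: direct grants that
        none of the user's roles would give."""
        findings: dict[str, set[Permission]] = {}
        for user in self.users.values():
            role_perms: set[Permission] = set()
            for role_name in user.roles:
                role_perms |= self.roles[role_name].permissions
            extra = user.direct_grants - role_perms
            if extra:
                findings[user.username] = extra
        return findings


def demo() -> dict:
    """Walk through the three situations the article describes."""
    store = IdentityStore()
    store.define_role("sales", {"crm:read", "crm:write"})
    store.define_role("hr", {"hris:read", "hris:write"})
    store.define_role("customer-service", {"crm:read", "ticketing:write"})
    store.add_user("alice", {"sales"})
    store.add_user("bob", {"customer-service"})
    # Constructed scenario: bob got a direct HR grant during a secondment.
    store.users["bob"].direct_grants.add("hris:read")

    # 1. Salespeople need a new permission: update the role, not each user.
    store.grant_to_role("sales", "quotes:write")
    alice_can_quote = store.is_allowed("alice", "quotes:write")

    # 2. Alice changes job: permissions follow the role automatically.
    delta = store.change_roles("alice", {"hr"})
    alice_still_has_crm = store.is_allowed("alice", "crm:read")

    # 3. Audit: bob's secondment grant sits outside his role model.
    findings = store.audit_direct_grants()
    return {
        "alice_can_quote": alice_can_quote,
        "delta": delta,
        "alice_still_has_crm": alice_still_has_crm,
        "findings": findings,
    }


if __name__ == "__main__":
    print(demo())
```

The audit function is the piece most worth keeping in a real deployment: permissions assigned outside the role model are where stale access accumulates, and a periodic report of them is the simplest check that the "no more than they need" goal is actually being met.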
The goal of IdM is to be as seamless as possible, providing a frictionless user experience, while also supporting the organization's data security policies.
What are the Elements of Identity Management?
Identity management consists of both policy and technology. From a technology point of view, the infrastructure requires elements such as:
- Central identity repository: This is a secure database containing individual user data and associated permissions.
- Provisioning system: This may be a stand-alone application that manages permissions on a per-role or per-user basis.
- Authentication system: This will ensure that users can only access data if they have the correct permissions. Authentication might be a simple username and password, or it may involve more secure multi-factor authentication.
- Administration module: Admins need a tool where they can modify permissions as required. Ideally, this module will have a simple interface, allowing for quick and accurate updating of roles.
- Auditing tools: Identity management is a critical element of data security policy. For that reason, organizations must have tools that allow them to analyze all activities and ensure that policy is being correctly implemented.
Technology exists to help implement IdM policy. This policy must answer questions such as:
- How does IdM affect the user experience? IdM, like most areas of infosec, is a balance between security and usability. This policy should attempt to create data security without slowing down productivity or making it hard for users to log in.
- Who is responsible for identities? There needs to be a clear hierarchy, with a person or a team ultimately responsible for IdM decisions. Often, this person or group might be part of the organization's data governance committee.
- Who manages identities? In short, who has access to the administration module? This may be a specific team that sits within the IT function. With the right infrastructure, this role can be delegated to leaders elsewhere in the company, who can then manually amend permissions for their teams.
- Who is overseeing compliance? IdM can sometimes be a compliance requirement. For example, the New York State Department of Financial Services requires certain entities to have written policies related to access controls and identity management. Other regulations may impact an organization's IdM policy, so someone must be accountable for keeping the policy compliant.
- How is IdM being audited? Auditing is essential to ensure that the IdM policy is meeting its primary goal of ensuring that all users have appropriate permissions. Someone in the organization has to be responsible for running audits, looking for potential issues, and flagging them up to the relevant team.
- How are issues flagged? IdM is highly volatile, with users and systems in a constant state of flux. Users, managers, and system administrators may all encounter issues relating to identity management. The policy should outline how these people can flag up issues, and also specify who is responsible for dealing with any problems.
The ideal IdM structure is one that is almost invisible to users while providing a high level of data security.
What is Federated Identity Management?
The purpose of identity management is to allow the right people to access the right systems. Traditionally, this has meant that people have to log into each system they want to use. This is often inefficient – if they have verified themselves on one system, then they should be verified on all systems.
Federated identity management is one solution to this issue. Federated IdM allows users to create a portable ID in a framework such as OpenID or SAML. Once the user is logged in, they will then be automatically authenticated when using a compatible service.
Some organizations also use protocols like OAuth to allow for broader identity management. OAuth is used for authorization rather than authentication, so users can interact with services, but they are not formally identified.
Protocols such as these can be implemented on internal systems, as well as on websites. As with all issues of identity management, it is important to focus on how such systems might impact security and compliance.