I’m pretty sure you’ve already heard of Identity and Access Management IAM expression in your tasks if you are working as an engineer in IT development industry. If not, I hope you will at the end of reading this article. Handling of identities, users, services or any kind of accounts and the automation of related tasks could be considered as a core activity of this field.
In this article I’d like to present some basic understanding of IDM and where it stands in terms of Identity Governance and Administration IGA. You can take this blog as an intro class, if you are just starting in this field of security.
The pillars of cloud security - where is IAM exactly?
Cloud security is too broad of a term. Although, we can roughly divide it into 6 main pillars. Together, they form the whole complex industry.
From the picture above, IAM would stand right on the Identity pillar. All pillars are equally important, because even without one of them, we’d open a hole for a breach in a size of the ozone hole. At least all major cloud providers agree on this. That spoken, Identity cannot work without data protection, infrastructure security cannot work without detective control, etc.
Now, we know we are talking about cloud security. Why do we even want it? Well, simply speaking, we don’t want to give our precious data to someone else. Moreover, we don’t even want for just about anyone to see our data. It’s like food for cloud providers. Without the data, they wouldn’t exist. Of course they wouldn’t exist without electricity and other stuff, too.
Am I just an identity to you?
One of vital parts of IAM solution is a so called Identity Manager (IDM). It’s a subsystem aiming at managing identities. I’m sure everyone of you have been dealing with identities throughout your entire online life. Simply speaking, they are you in virtual world. So whenever you log in somewhere, you are a known identity to that system. Even if you don’t log in (so called host or guest), you are considered an individual/identity. Identities have their own attributes as well as real people. Not only people, but machines can have their own identities, too. If you’ve heard about the Sims game, you can remember that every Sim had their attributes:
- personality traits (cheerful, creative, gloomy, …)
- appearance (height, weight, age, hair color, …)
Identities have them, too! There are of course more different kinds of identities. Nevertheless, we can map them similarly, because they also have attributes:
- descriptive (name, surname, role within an organization, motto, photo)
- type (person, machine, …)
- unique ID (This is typically what you use for logging in)
- activation (Are you active or inactive?)
- password (Do you have second factor enabled? What is your password? What are security questions in case you lose your password?)
In simplistic terms, IDM system is managing identities:
- creating them
- modifying their attributes
- deleting them
- taking care of their lifecycle
- making sure they are always up to date
- resolving any inconsistencies that might come up
Ever got that email that said something along the lines “Your account has been created”? Well, that was an IDM system sending you that notification and is going to take care of your identity in the virtual space. It’s going to add you some neat privileges, so that you can access more data if you meet the requirements for it. It’s even going to delete you, if you don’t behave well.
Do my online identities live?
Yes, in a way. This is identity lifecycle. What is that? See, when you register somewhere, you are a newborn to the IDM system, typically you can log in. When you pay a subscription, you might be promoted to a privileged identity, where you have more rights, you see more data, you can do more actions. When that subscription ends, you are demoted back. And when you are not using your account, you can even become deactivated or archived and you lose all your access. We can roughly see what is going on in that nice picture below.
My identity has a role, but it’s not in a movie.
An essential integrated part of mature IDM system is also role management. Roles are used for granting more access rights (privileges) to some identity. In our example, paying a subscription granted us some new views for content on a website. This could have been done in the IDM system by simply adding a role to our identity with name “Subscriber”. One identity can have multiple roles. This allows us to apply the divide and conquer rule, which is used widely in computing. What it says is, we should divide all authorizations into many smaller roles, every specified for a specific task. This way, we can create combined roles often consisting of some basic roles. These more complicated roles are called Business roles. Those can be for example Manager, Developer, Approver, Assistant, Accountant, Compliance, Data analyst, Administrator… So if my identity is granted a role of Manager, I am typically allowed to see all my subordinates (identities) with their attributes. I can even approve if and when they should get some new privileges. For this, I should have roles Manager and Approver set. There is a whole lot to say about Roles, I’ll cover that in the next article.
Do we need another system for this?
It’s just more convenient. Having a centralized IDM system can open some new doors for us like Same Sign In on multiple sites, having the control of identities in one system, in case we need to disable someone quickly, handling changes in the identity (password reset), automating processes, granting and denying of authorizations and many more. One of the biggest advantages is having IDM integrated as an authoritative source of identities for other systems. This means that I can use many services with only one identity. There are certainly more pros than cons. One of the main cons is, someone has to take care of it. But that is the case of any complex system. Of course IDM systems are not suitable for every organization. If you are under a hundred employees, you can manage identities with their authorizations swiftly yourself. But it can be more time and resource consuming when you are growing bigger. More on that later…