In this article, we take a very high-level look at what exactly identity and access management is.
Access controls are the collection of techniques, processes, and mechanisms that help protect the assets of an organization. An access control around a resource is a way to limit the actions that some personnel can perform on it: it allows only authorized personnel to obtain the resource and perform actions on it.
There are three terms around IDAM which one should know thoroughly to understand the topic better: Identification, Authentication, and Authorization.
Identification is the starting point for all access control, since without proper identification it is not possible to grant access to resources to any identity. The main objective of identification is to bind a user to the appropriate controls based on that identity.
Authentication is the process of verifying the identity of a user. During the authentication process, the user provides some way of proving their identity, to assert that they are who they claim to be. The information the user provides to authenticate is a secret known only to the user. Once authenticated, trust is established between the user and the system.
Authorization is the final step in the process; it allocates the appropriate controls and privileges based on the identity in the system. This is where large organizations divide users into roles and groups so that access and privileges can be managed smoothly. So, authorization is the process of defining which resources a user needs and what type of access to those resources.
Physical access involves entering a building for which physical access controls, such as a card reader or biometric inspection, are installed.
Logical access involves accessing systems and the information within them. Logical access controls are deployed to restrict which access modes users may use. Common access modes are:
- Read Only: This access mode gives the user the capability to view, copy, etc., but not to alter the resource in any way, such as deleting it.
- Read and Write: This access mode gives users the ability both to read the resource and to modify it.
- Execute: This access mode gives users the ability to run the program.
CIA with Access Controls
Access controls play a major role in achieving the CIA triad (Confidentiality, Integrity, Availability) in information security for systems and resources. Access controls revolve around controlling who can access an object, which achieves confidentiality and in turn helps ensure integrity. Availability is also partly ensured by access controls, since they reduce the likelihood that a malicious user can access and harm the system (bring down the service). Thus, access management specifies:
- Which users can access a system or other facilities?
- What resources can those users access?
- What operations can those users perform on the resources?
- How are users accountable for their actions on the resources?
Concept of Subject & Object
In the Identity and Access Management domain, the most important thing is to identify the subject and the object. A subject is an entity which is performing some action on an object. For example, if a user ‘A’ is deleting file ‘B’, A is the subject and B is the object. To control such actions, various authorization mechanisms have been developed; they are discussed in the next section.
Role-Based Access Control (RBAC): Controls following this model map a subject's access to an object based on the roles of the subject within the organization. From the object's perspective, which roles can access the object is defined by its owner, or by other mechanisms such as Mandatory Access Control (MAC) and Discretionary Access Control (DAC). There are several approaches to RBAC:
- Limited RBAC: Users are mapped to roles per application, not organization-wide.
- Hybrid RBAC: Users are mapped to multi-application roles.
- Full RBAC: Users are mapped to organization-wide roles.
- Rule-based Access Control: Access is granted to users based on rules rather than roles. For example, a user can access a file, but only after a certain time of day.
- Mandatory Access Control: Under MAC, the system enforces organization-wide policies on itself. It is based on the interaction between the system owner and the information owner. Access should be granted not only on authorization but also on a need-to-know basis. MAC is typically used for systems and data that are highly sensitive.
- Discretionary Access Control: Under DAC, controls are set by the owner of the data. Almost all mainstream operating systems support DAC these days, giving the data owner control over which users can access the data based on need. The owner also has the privilege to interpret organizational policy (not ignore it) and adapt it to suit the needs of the underlying system.
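As an added illustration (not code from the original article), the following Python sketch combines the subject/object model, the three access modes, and the DAC, RBAC and rule-based checks described above into a single authorization decision that also returns a reason for logging. The subjects, roles and the report object are constructed sample data, and the check order (rule, owner, ACL, role, default deny) is an assumption for the example.

```python
from dataclasses import dataclass, field
from datetime import time

# Access modes from the article: read-only, read/write, execute.
READ, WRITE, EXECUTE = "read", "write", "execute"

# Constructed sample: which roles each subject holds (the RBAC binding).
ROLES = {"alice": {"analyst"}, "bob": {"admin"}, "carol": set()}

@dataclass
class Resource:
    # An object in the subject/object sense, carrying three kinds of controls.
    name: str
    owner: str                                      # DAC: the owner sets the ACL
    acl: dict = field(default_factory=dict)         # DAC: subject -> set of modes
    role_perms: dict = field(default_factory=dict)  # RBAC: role -> set of modes
    hours: tuple = (time(0, 0), time(23, 59, 59))   # rule-based: allowed window

def is_authorized(subject, resource, mode, now):
    """Return (decision, reason) so every outcome can be logged for accountability."""
    start, end = resource.hours
    if not (start <= now <= end):                   # rule-based check runs first
        return False, "outside allowed hours"
    if subject == resource.owner:                   # DAC: the owner keeps full control
        return True, "owner"
    if mode in resource.acl.get(subject, set()):    # DAC: explicit grant by the owner
        return True, "acl grant"
    for role in ROLES.get(subject, set()):          # RBAC: any held role may grant it
        if mode in resource.role_perms.get(role, set()):
            return True, f"role {role}"
    return False, "no matching grant"               # default deny

# Constructed sample object: a report owned by bob, readable by analysts,
# writable by carol through an owner-granted ACL entry, and only during 08:00-18:00.
REPORT = Resource(
    name="quarterly_report.xlsx",
    owner="bob",
    acl={"carol": {READ, WRITE}},
    role_perms={"analyst": {READ}, "admin": {READ, WRITE, EXECUTE}},
    hours=(time(8, 0), time(18, 0)),
)

if __name__ == "__main__":
    for subject, mode, when in [("alice", READ, time(10, 0)), ("alice", WRITE, time(10, 0)),
                                ("carol", WRITE, time(10, 0)), ("carol", WRITE, time(22, 0)),
                                ("bob", EXECUTE, time(10, 0))]:
        allowed, why = is_authorized(subject, REPORT, mode, when)
        print(f"{subject:6} {mode:8} {when}: {'ALLOW' if allowed else 'DENY'} ({why})")
```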
Identity Management Implementation
A typical organization has many users, and those users have varied access requirements on a diverse collection of resources. The identity management exercise aims to simplify the administration of distributed data about the organization's users. Following are some of the technologies utilized in identity management solutions:
- Password Management: A password management system is designed to manage passwords consistently across the enterprise with the help of a centralized tool. Other common features of password management systems include a self-registration process that incorporates personal questions and answers, allowing users to self-manage their passwords (for example, change a password).
- Account Management: This aims to streamline the administration of users across multiple systems. Accounts should be managed from a centralized facility to achieve consistency across systems.
- Profile Management: Profiles are a collection of identity information such as ID, password and other personal information. A profile can also contain information about privileges and rights. Whenever a change is made to a profile, it should be propagated to the other identity management systems.
- Directory Management: A typical directory contains data about users, groups, systems, etc. A directory service provides centralized management of user data that can be used by many applications, taking the burden of managing user data off the individual applications.
So in this article, we have seen a very high-level overview of what identity and access management is, how it is implemented, and its access modes.