Differences between identity management and access management
Almost all of us who work in information security have taken part in developing products and solutions for Identity and Access Management (IAM). On more than one occasion we have tried to convince our clients of how IAM can help them comply with regulations, save costs, improve the customer experience, and so on. Often we describe these benefits with acronyms, complicated protocols and product names. Yet we frequently lack a clear understanding of the basic concepts of identity and access management, and we tend to confuse and merge the two terms. That is why we are going to try to clarify them a bit.
What is identity?
We all have an identity. In the digital world, more specifically, our identities take the form of attributes: entries in a database that define us within a given system. Online services tend to collect as many of these attributes as possible in order to be more useful, for example to create a personalized user experience built on the data gathered about us, whether static attributes defined at the time of registration or dynamic attributes collected during use of the service.
Attributes differentiate us from other users within the same system. They may be an email address, a phone number, and so on. In general terms we can distinguish two types of attributes that are treated differently: static attributes, which generally do not change, such as gender or ethnic origin; and dynamic attributes, which do change over time, such as job position, postal address, marital status or age.
The digital identity of a person is established when they register in a system. During this process, specific attributes are collected and stored in the database. The registration process and the number of attributes processed can differ entirely depending on the type of digital identity being granted. An electronic identity issued by an official body will use a complex process of collection and verification, while registration in a social network can be completed with entirely false, and therefore unverified, identity attributes.
Identity management deals with the attributes that define the individual. Those responsible for creating, updating or even deleting the attributes in our record can therefore hold roles as diverse as the company's director of human resources, the IT administrator or the service manager of an e-commerce site.
Is an attribute equal to an authorization?
An attribute, or a set of attributes, can be used to trigger an authorization evaluation, but it should never represent an authorization in itself. An authorization is the result of evaluating the attributes, and it is granted according to rules that may depend on other parameters, such as further attributes and/or existing authorizations. It is therefore crucial that the attributes that empower a user are handled and maintained carefully, because the capabilities granted to the user within the system depend on them.
What do we mean by “access”?
Access decisions are binary: yes or no. When access control is implemented, it must decide whether or not to allow a user to enter the system or consume a resource.
Usually there are several access control points within a system or service. For example, it may first be necessary to determine whether the user can identify themselves; later it may be decided which operations they can perform. Some of these access control points are visible to the user and require action on their part. The most basic example is basic authentication, and the most demanding case is a second or third authentication factor.
What do we mean by “authentication”?
Authentication is the process by which the user's identity is established. There are many ways to authenticate a user. At the lowest level, the user can authenticate through a basic login process using their name. At the other end of the spectrum, the user could log into the service with an electronic identity issued by the government (an electronic identification card or similar). Between these two examples lies a wide range of authentication processes and technologies.
Finally, access management
At this point we might ask: "once the user's identity is established, can they access the service?" The answer is no. Authentication is never equal to authorization: as discussed below, they are different but complementary concepts.
In the previous sections we saw that the result of authentication is a specific set of user attributes, which we call the identity. Authorization, by contrast, is the result of evaluating that identity against established rules, and it should only return a binary value.
An authorization policy is a tool for creating a formal, single decision point. In the IAM world, the authorization policy can be implemented either in a centralized service or locally. The role of an identity provider is to collect the available identity attributes and make high-level access decisions on behalf of the service or identity that requests them.
Given the above, it is not advisable to build an authorization policy framework at the service level: it adds complexity and general maintenance costs, it is difficult to modify quickly and, worst of all, it is prone to errors. Finally, then, we can state the difference between identity management and access management as follows:
- Identity management: it deals with the management of attributes related to the user.
- Access management: It tries to evaluate the attributes based on defined policies and make binary decisions.
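The separation above, and the point made earlier that an attribute is an input to an authorization evaluation rather than an authorization in itself, can be shown in a small attribute-based policy evaluator. This is an added example, not code from the original article; the users, attributes, resources and rules are constructed for illustration, and the "authentication level" on the identity stands in for the stronger access control points (second or third factor) the article mentions.

```python
# Added example (not part of the original article): minimal evaluator showing
# identity attributes (output of authentication) feeding a central policy
# decision point that returns only yes/no. All data below is constructed.
from dataclasses import dataclass


@dataclass
class Identity:
    """What authentication yields: verified attributes, not permissions."""
    user: str
    attributes: dict
    auth_level: int  # constructed scale: 1 = password, 2 = second factor, 3 = eID


@dataclass
class Rule:
    """One policy rule: attribute values required plus other parameters."""
    resource: str
    required: dict            # attribute values the subject must hold
    min_auth_level: int = 1   # some access points demand stronger authentication


# Constructed policy: the same attributes mean different things per resource.
POLICY = [
    Rule("payroll:read", {"department": "finance"}, min_auth_level=1),
    Rule("payroll:write", {"department": "finance", "role": "manager"},
         min_auth_level=2),
]


def authorize(identity: Identity, resource: str, policy=POLICY) -> bool:
    """Central decision point: evaluate attributes against rules, return bool."""
    for rule in policy:
        if rule.resource != resource:
            continue
        attrs_ok = all(identity.attributes.get(k) == v
                       for k, v in rule.required.items())
        if attrs_ok and identity.auth_level >= rule.min_auth_level:
            return True
    return False  # default deny: no matching rule means no access


# Constructed identities: holding role=manager is not itself an authorization.
alice = Identity("alice", {"department": "finance", "role": "manager"}, 1)
bob = Identity("bob", {"department": "finance", "role": "analyst"}, 2)

if __name__ == "__main__":
    for who in (alice, bob):
        for res in ("payroll:read", "payroll:write", "hr:read"):
            print(who.user, res, authorize(who, res))
```

Alice carries the manager attribute yet is denied `payroll:write` until she authenticates more strongly, and no identity gets `hr:read` because no rule grants it: the decision comes from the policy, not from the attributes alone.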
José Luis Juárez / IT Security Consultant / vintegrisTECH