In today’s world, modern organizations’ most valuable assets are their digital information, such as confidential files, contracts and plans, state secrets, and health and other records, which are often stored online. In this respect, IAM is a vital part of every institution’s security plan: it protects the information against the rising threats of hacking, phishing, ransomware, and other malware attacks, while granting authorized people easy access to the very same data.
In order to understand how IAM works, it is important to understand identity and access management concepts, as well as the correlation between identity and access control.
Access control is a security technique that can be used to regulate who or what can view or use resources in a computing environment, whereas identity is a set of attributes related to an entity that computer systems use to represent a person, organization, application, or device. In fact, there is a direct relationship between access control and identity management, because the core function of an identity management solution is access control.
The same identity can be associated with multiple accounts (representations of a user within the system) and identifiers (how a user is labeled). For example, you may have multiple email accounts that belong to one identity (person, organization or device).
Authentication is the process used to determine whether the user is who they claim to be. Once the user is authenticated, authorization determines whether the user is allowed to access a particular resource or take a specific action.
The process of creating a user account when it’s needed.
The reverse process of deleting, archiving or deactivating an account that is no longer needed.
Digital identities have a lifecycle, just like the real-world entities they represent.
To illustrate this, let’s take the example of an employee that leaves their job. The employee’s connection to the company has changed and the account and authorizations they had will also change accordingly.
However, the identity itself remains the same and the employee will continue to be able to authenticate in the future if they later decide to come back and work for the same company again. They will be able to access all of their previous databases and confidential files. This is why it is very important that systems take into account the current status of a user and are able to apply the appropriate account authorization schemes when that status changes.
Another illustration of this is that when an employee leaves the company, they won’t be able to use the wireless network as before, because the system will have noted the change in status and affiliation and updated authorizations accordingly.
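The lifecycle described above can be sketched as follows. This is an added example, not code from the original page; the `Directory` class, the `POLICY` table, the status names and the sample accounts are all assumptions made for illustration. It also assumes that a rehire reactivates only the accounts that are explicitly provisioned again.

```python
from dataclasses import dataclass, field

# Assumed policy for this example: resources granted per affiliation status.
POLICY = {
    "employee": {"wifi", "hr-database", "contracts"},
    "former": set(),  # identity is retained, but nothing is authorized
}

@dataclass
class Identity:
    identity_id: str
    status: str = "former"
    accounts: dict = field(default_factory=dict)  # account name -> active flag

class Directory:
    def __init__(self):
        self.identities = {}

    def provision(self, identity_id, account):
        # Reuses an existing identity if there is one (e.g. a returning employee).
        ident = self.identities.setdefault(identity_id, Identity(identity_id))
        ident.status = "employee"
        ident.accounts[account] = True
        return ident

    def deprovision(self, identity_id):
        # Deactivate every account; the identity record itself is kept.
        ident = self.identities[identity_id]
        ident.status = "former"
        for account in ident.accounts:
            ident.accounts[account] = False

    def authorize(self, identity_id, account, resource):
        ident = self.identities.get(identity_id)
        if ident is None or not ident.accounts.get(account, False):
            return False
        # Decide from the current status, not from grants cached at hire time.
        return resource in POLICY.get(ident.status, set())

def demo():
    d = Directory()
    d.provision("id-1001", "alice@corp.example")      # constructed sample data
    d.provision("id-1001", "alice-admin@corp.example")
    before = d.authorize("id-1001", "alice@corp.example", "wifi")
    d.deprovision("id-1001")
    after = d.authorize("id-1001", "alice@corp.example", "wifi")
    d.provision("id-1001", "alice@corp.example")      # rehire, same identity
    rehired = d.authorize("id-1001", "alice@corp.example", "wifi")
    old_admin = d.authorize("id-1001", "alice-admin@corp.example", "contracts")
    return before, after, rehired, old_admin, len(d.identities)
```

One identity carries two accounts here; after deprovisioning both are refused, and on return only the re-provisioned account is authorized while the identity record stays the same.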
Identity verification using only an account ID and password may be enough, depending on the data involved, because it is the most convenient method and requires the least know-how. However, this control is stronger when supported by other controls.
For more restricted data classifications, multiple controls are more effective. The most common such solution is two-factor authentication, which uses two factors from the following: something the subject knows, has or is.
We already mentioned an example of something the user “knows” (a password or a PIN). This control can be strengthened with something the user “has” (a smart card, token, etc.) or with something the user “is” (biometrics such as fingerprints, facial features, the retina, etc.). Using more than one control significantly increases the probability of correct identity verification.
By implementing identity and access management, companies can gain considerable advantage over their competitors and boost their own productivity.
These days, in order to run their business successfully, many companies need to give access to their internal systems to users both inside and outside of their organization.
Finally, a good identity management system means better control of user access, which lowers the risk of external breaches and attacks, and also of internal ones, which are on the rise and happen all too frequently. More than 50% of all security breaches are committed by internal people, i.e. the company’s own employees, of which three quarters were malicious in intent.