We develop products and solutions for Identity and Access Management, IAM. We also talk about how IAM can help your organization comply with regulations, create cost savings, help the lives of your customers and improve customer experience etc. We sometimes tell these things using fancy three letter acronyms and wizardly sounding protocol names. As an information security professional with over 15 years of experience, I tend to jump headfirst to the deep end of the pool expecting the reader to follow. My head is buzzing with ideas and concepts trying to get out and on the back seat there’s a ton of accumulated silent knowledge – something that I’ve learned during the years, but somehow managed to put it somewhere to the nether regions of my brain.
So, let’s get back to basics and start from the beginning.
What Do We Mean By “Identity”?
We all have identities. In the digital world our identities manifest themselves in the form of attributes, entries in the database. The tendency for online services is to collect these attributes so that they can serve us better, or create a unique user experience based on the data collected about our static and dynamic attributes.
A unique attribute differentiates us from other online users. Such an attribute could be an email address, phone number, or a social security number. We get attributes from our employers in the form of titles, in which business unit we belong to, roles that we have in projects, or in the organization hierarchy. Attributes pertaining our private and working life are different and change over time as we change jobs, move, get married etc.
Your online identity is established when you register. During registration, some attributes are collected and stored in the database. The registration process can be quite different depending on what kind of digital identity you will be issued. The government issued electronic identity uses a very thorough process, whereas you can register to social media sites with completely bogus (and therefore unverified) identity attributes.
Identity management is all about managing the attributes. You, your supervisor, your company HR person, the IT admin, the eCommerce site service desk person are only a handful of examples who can be responsible for creating, updating, or even deleting attributes related to you.
Attribute = Authorization?
Some of the identity attributes that we have are powerful. They allow us to do things online. A role attribute that describes a position within a company, a purchase manager for example, can tell an online site what the person is allowed to do on that specific site. Therefore, it is quite crucial that attributes granting power to the user are carefully managed and maintained.
What Do We Mean By “Access”?
Access decisions are Yes/No decisions. When an access control is deployed it will be tasked with making the Yes/No decision when an online user tries to enter or use the resource. There can be and usually are, multiple access control points within an online service. On the top level there’s an access control point trying to determine if the user is allowed to enter the site at all. Then in the lower level the access control point reaches the individual files located somewhere on the hard drive. Some of the access control points are visual to the end user, requiring actions. The most basic example would be the authentication.
What Do We Mean By “Authentication”?
Authentication is a process where the identity of the user will be established. There are tons of different ways to authenticate the user. In the lowest level the user could claim that he is who he says he is by simply writing his name as an answer to the question “Who are you?” On the other end of the spectrum the user could sign in to the service using his government issued electronic identity (eID). Between these two examples you can find a wide array of different processes and technologies for authentication.
So when the user identity is established he can access the service? Wrong. Authentication != Authorization (!= is nerd language and means “not equal”). After authentication there needs to be an access control decision. The decision is based on the information available about the user. This is where the attributes come into play. If the authentication process can deliver the required set of attributes to the access control decision point, the process can then evaluate the attributes and make the Yes/No decision.
Authorization policy is a tool that can be used to create a formalized decision point. In the world of Identity and Access Management (IAM), the authorization policy can be implemented in a centralized service, or at the local level, or at both locations. The role of an identity provider is to do the heavy lifting of collecting the identity attributes available and making the high level access decisions on behalf of the online service. Creating an authorization policy framework at the service level is not advisable as it creates complexities, maintenance overhead, is hard to change quickly and can be error prone.
The difference between identity management and access management is thus:
- Identity Management is about managing the attributes related to the user
- Access Management is about evaluating the attributes based on policies and making Yes/No decisions
Ubisecure Customer IAM products are tools for implementing a comprehensive, adaptable, secure and flexible identity and access management infrastructure. Over the years our products have evolved into award winning solutions helping our customers reach their strategic goals, increase customer satisfaction and loyalty, reduce cost and create the world firsts. Contact us now if you want to take your business to a new level.