by Prajwal Thippeswamy
I am new to the world of Nulli and the field of Identity and Access Management (IAM), also often referred to as simply Identity Management.
Identity and Access Management is a critical discipline that focuses on managing user identities, controlling access to resources, and ensuring secure authentication and authorization processes. It plays a pivotal role in enhancing security, meeting compliance requirements, and streamlining user management in organizations.
In this blog, I will explore the need for IAM, its impact on security and compliance, the terminology used in IAM, and current trends like Zero Trust, Artificial Intelligence, Biometric Authentication, and Blockchain in IAM.
I chose this career path after having my interest piqued by my Graduate school certifications in Security and Cloud (SaaS) applications. I am now focussing on ForgeRock’s Identity Platform with an aspiration to gain a comprehensive understanding of ForgeRock's product suite, with the intention of gaining a deep understanding of the business needs met by the Identity Management field. I look forward to becoming a ForgeRock expert.
Please join me on my journey as I unravel the world of IAM and its evolving landscape.
Identity Management has a lot of technical jargon. The following is a sample of the terms that I have come across in these early days of my journey:
Identity: A unique digital representation of a user or an entity.
Authentication (AuthN): Verifying a claimed identity by comparing the credentials the identity presents against the identity information held in the data store.
Authorization(AuthZ): Defines the granting or denying of access to resources and the actions that the identity can perform on the resource.
Access Controls: Mechanisms that regulate and enforce restrictions on accessing resources or performing actions within a system.
Privileges: The specific rights or permissions granted to a user or an entity to access certain resources or perform specific actions.
Federation: Establishing trust and enabling users to access resources across multiple domains or organizations without requiring separate authentication, i.e., like Single Sign On (SSO) between two different domains.
Directory Service: A centralized repository that stores and manages user identities, attributes, and access controls.
Active Directory (AD): A directory service provided by Microsoft for managing identities and access in a Windows environment.
Lightweight Directory Access Protocol (LDAP): A protocol for accessing and managing directory services. LDAP is the protocol; AD is a service that uses LDAP for querying its data store.
Security Assertion Markup Language (SAML): XML-based framework for exchanging authentication and authorization data between identity providers and service providers.
OAuth2: An authorization framework that allows third-party applications to access resources on behalf of a user without sharing the user's credentials, i.e., this is all about AUTHORIZATION.
OpenID Connect (OIDC): An identity layer built on top of OAuth2 that enables clients to verify the identity of end-users and obtain their basic profile information. This does AUTHENTICATION + AUTHORIZATION.
Single Sign On (SSO): A mechanism that allows users to authenticate once and access multiple systems or applications without re-entering their credentials.
Multi-factor Authentication (MFA): A security measure that requires users to provide multiple forms of authentication to gain access, such as a password and a unique code from a mobile app.
Role-Based Access Control (RBAC): A method of granting access permissions based on predefined roles that align with job responsibilities and functions.
Attribute-Based Access Control (ABAC): An access control model that uses attributes (user attributes, resource attributes, environmental attributes) to make access decisions.
Relationship-Based Access Control (RelBAC or ReBAC): RelBAC uses the relationships between Subject and Resource nodes in a graph database (e.g., Neo4j) to determine access. It generally involves path-finding: access is granted if a path, or a combination of paths, exists in the data between a subject node and the node representing the resource they’re trying to access. RelBAC can implement many authorization schemes, including Fine-grained Access Control (FGAC), RBAC, or any arbitrary scheme that involves relationships between data elements, at any desired granularity.
Identity Management (IdM): The discipline of managing digital identities and associated attributes, encompassing user authentication, authorization, provisioning, and directory services.
Access Management (AM): The practice of managing user access to resources and enforcing access policies, including authentication, authorization, and audit controls.
Privileged Access Management (PAM): The practice of managing and securing privileged accounts that have elevated access privileges and control over critical systems and data.
IAM is a key factor in the security of the cloud. All cloud providers use their IAM service to manage the security of identities, giving cloud administrators the ability to configure fine-grained access controls (RBAC) and to meet compliance and regulatory requirements.
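The RBAC, ABAC and RelBAC entries in the glossary describe three ways of answering the same question, "may this subject do this to that resource?", and the paragraph above points to RBAC as the model cloud IAM services expose. The following added example (mine, not from the original post or from any product) puts the three side by side in Python over small constructed data: a role-to-permission table for RBAC, an attribute policy for ABAC, and a directed relationship graph for RelBAC where access is decided by breadth-first path-finding, as the glossary describes. The RelBAC function returns the path it found rather than a bare boolean, because that path is the audit explanation a reviewer wants when a grant is questioned. All users, roles, attributes and relations are hypothetical.

```python
from collections import deque

# ---- RBAC: permissions hang off roles, roles hang off users (constructed) ----
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "manager": {"report:read", "report:approve"},
}
USER_ROLES = {"alice": {"manager"}, "bob": {"analyst"}}


def rbac_allows(user: str, permission: str) -> bool:
    """Grant if any of the user's roles carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ---- ABAC: a policy evaluated over user, resource and environment attributes ----
def abac_allows(user_attrs: dict, resource_attrs: dict, env: dict) -> bool:
    """Constructed policy: secret data needs secret clearance; the user must be in
    the owning department; and access is limited to business hours unless on-call."""
    if resource_attrs["classification"] == "secret" and user_attrs.get("clearance") != "secret":
        return False
    if user_attrs["department"] != resource_attrs["owner_department"]:
        return False
    return 9 <= env["hour"] < 18 or user_attrs.get("on_call", False)


# ---- RelBAC: directed graph of (subject, relation, object) triples (constructed) ----
EDGES = [
    ("alice", "member_of", "team-finance"),
    ("team-finance", "owns", "folder-q3"),
    ("folder-q3", "contains", "doc-budget"),
    ("carol", "member_of", "team-sales"),
    ("team-sales", "blocked_from", "folder-q3"),   # a relation that must NOT confer access
]
ACCESS_RELATIONS = frozenset({"member_of", "owns", "contains"})


def rebac_path(subject: str, resource: str, edges=EDGES, relations=ACCESS_RELATIONS):
    """Breadth-first search from the subject over access-conferring relations only.
    Returns the list of nodes on the first path found, or None if no path exists."""
    adjacency = {}
    for src, rel, dst in edges:
        if rel in relations:           # ignore relations that do not grant access
            adjacency.setdefault(src, []).append(dst)
    parent = {subject: None}
    queue = deque([subject])
    while queue:
        node = queue.popleft()
        if node == resource:
            path = []
            while node is not None:    # walk parents back to the subject
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in adjacency.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def rebac_allows(subject: str, resource: str) -> bool:
    return rebac_path(subject, resource) is not None


if __name__ == "__main__":
    print("RBAC  bob may approve?", rbac_allows("bob", "report:approve"))
    print("ABAC  finance user, 10:00 ->", abac_allows(
        {"department": "finance", "clearance": "internal"},
        {"classification": "internal", "owner_department": "finance"}, {"hour": 10}))
    print("ReBAC alice -> doc-budget path:", rebac_path("alice", "doc-budget"))
    print("ReBAC carol -> doc-budget path:", rebac_path("carol", "doc-budget"))
```

Note the `relations` filter in the RelBAC search: in a real graph not every edge type means "has access", so the set of relations the path-finder may traverse is itself part of the policy and deserves the same review as an RBAC role definition.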