Identity Management vs. Access Management

Identity management and access management are often combined into identity and access management (IAM). IAM is intended to improve security by ensuring that only authorized entities (such as people, computers, applications) have access to corporate resources, and that they are permitted to access only the resources they need to accomplish their tasks.

But it’s worth exploring each of the two components of IAM separately. Read on to learn more about the difference between identity management and access management.

Understanding Identity Management and Authentication

Identity management focuses on the creation and management of digital identities in an enterprise. It enables organizations to establish a foundation for controlling access to resources by defining who has the right to access what, based on their roles, responsibilities and organizational policies.

Identity management includes two key components:

  • Identity lifecycle management — This involves establishing a single identity for each user, computer or other entity, including defining its attributes and roles. It also involves keeping identity data accurate throughout the identity’s lifecycle, from onboarding a new user, through any role changes and transfers, to offboarding when the user leaves the organization.
  • Authentication — This is the process of verifying that an entity is who it claims to be before it is granted access to business data or systems. This normally happens during the login process and involves providing information specific to the individual. While a user ID and password combination is the most common authentication method, there are other options that can be used. They include:
    • Biometric authentication — Biometric solutions use retinal scans, facial recognition, voice recognition, eye scans, fingerprints and similar information to authenticate users.
    • Token-based authentication — This requires the user to supply a code from a physical token device. Normally, the code is valid only for a short period of time.
    • Device-based authentication — As devices become more secure and portable, they are also becoming a common means of identifying users. The best example of device-based authentication is sending a one-time passcode through SMS.
    • Certificate-based authentication — An identity can also be authenticated using a digital certificate: an electronic document that contains a user’s digital identity, a public key and a digital signature from a certification authority (CA).

For stronger security, two or more of these methods can be required, in a process called multifactor authentication (MFA). For example, a user might be required to provide both their credentials and biometric data like a fingerprint or retinal scan.

Understanding Access Management and Authorization

Access management involves ensuring that each authenticated identity is granted access to only the appropriate data and systems, both on premises and in the cloud. Access management includes:

  • Privilege management — This involves ensuring that each employee has exactly the access rights they need to perform their tasks, no more and no less.
  • Authorization — This is the process of allowing or denying access to requested resources based on a user’s permissions and other access control mechanisms, such as Group Policy.
  • Access request and approval workflows — Organizations can implement processes for enabling users to request access to additional resources or elevated permissions and empowering appropriate personnel, such as data owners, to approve or deny those requests.

Access management technologies

Companies use different services and tools to ensure accurate access management, including the following:

  • Role-based access control (RBAC) helps organizations enforce the least privilege principle by granting access rights based on a user’s roles in the organization.
  • Attribute-based access control (ABAC) enables dynamic access decisions based on policies and conditions that consider various characteristics of users and the IT environment.
  • Relationship-based access control (ReBAC) assigns access based on a user’s relationship with a given resource. ReBAC helps ensure that only users who need access to a resource have access to it.
  • Access control lists (ACLs) are used to store information about access rights that can be used in denying or granting access to resources. Network ACLs are ACLs that tell switches and routers what kind of traffic can access the network and what activity is permitted.
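To make the differences between these four models concrete, here is an added illustration (not code from the original article or from Netwrix) that evaluates the same access requests under RBAC, ABAC, ReBAC and a resource ACL. All users, resources, roles, relationships and ACL entries are constructed sample data; the point is that the same request can be permitted by one model and denied by another, because each model derives the decision from different information.

```python
"""Four access-control models evaluating the same requests (added illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    action: str      # "read" or "write"
    resource: str


# --- constructed sample identities and resources (not from any real environment) ---
USERS = {
    "alice": {"roles": {"accountant"}, "dept": "finance", "managed_device": True},
    "bob":   {"roles": {"hr_analyst"}, "dept": "hr",      "managed_device": False},
}
RESOURCES = {
    "ledger": {"dept": "finance", "sensitivity": "high"},
    "hr_db":  {"dept": "hr",      "sensitivity": "high"},
}

# RBAC: permissions attach to roles; a user gets permissions only through the roles held.
ROLE_PERMS = {
    "accountant": {("read", "ledger"), ("write", "ledger")},
    "hr_analyst": {("read", "hr_db")},
}


def rbac(req: Request) -> bool:
    return any((req.action, req.resource) in ROLE_PERMS.get(r, set())
               for r in USERS[req.user]["roles"])


# ABAC: a policy over user, resource and environment attributes, evaluated per request.
def abac(req: Request) -> bool:
    u, r = USERS[req.user], RESOURCES[req.resource]
    # Policy rule 1: high-sensitivity data may only be written from a managed device.
    if req.action == "write" and r["sensitivity"] == "high" and not u["managed_device"]:
        return False
    # Policy rule 2: the user's department must match the resource's owning department.
    return u["dept"] == r["dept"]


# ReBAC: access follows from a relationship between the subject and the object.
RELATIONS = {("alice", "owner", "ledger"), ("bob", "viewer", "ledger")}
REL_ACTIONS = {"owner": {"read", "write"}, "editor": {"read", "write"}, "viewer": {"read"}}


def rebac(req: Request) -> bool:
    return any(req.action in REL_ACTIONS[rel]
               for (u, rel, res) in RELATIONS
               if u == req.user and res == req.resource)


# ACL: each resource carries its own list of (principal, permitted actions) entries.
ACLS = {
    "ledger": [("alice", {"read", "write"}), ("bob", set())],
    "hr_db":  [("bob", {"read"})],
}


def acl(req: Request) -> bool:
    for principal, actions in ACLS.get(req.resource, []):
        if principal == req.user:
            return req.action in actions
    return False  # default deny: no matching entry means no access


def decide(req: Request) -> dict:
    """Evaluate one request under all four models; unknown users or resources are denied everywhere."""
    if req.user not in USERS or req.resource not in RESOURCES:
        return {m: False for m in ("rbac", "abac", "rebac", "acl")}
    return {"rbac": rbac(req), "abac": abac(req), "rebac": rebac(req), "acl": acl(req)}


if __name__ == "__main__":
    for r in (Request("alice", "write", "ledger"), Request("bob", "read", "ledger"),
              Request("bob", "write", "hr_db"), Request("bob", "read", "hr_db")):
        print(r, decide(r))
```

Running it shows, for instance, that Bob's read of the ledger is allowed only by ReBAC (he has been given a viewer relationship) while his role, his department attributes and the ledger's ACL all deny it; a real deployment has to decide which of these sources of truth is authoritative rather than combining them ad hoc.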

How Identity Management and Access Management Work Together

As we have seen, a key component of identity management is authentication, and a key component of access management is authorization. Here’s how they work together:

  1. When a user or other entity attempts to access a system, it must be authenticated to verify that it is who it claims to be.
  2. If the entity is successfully authenticated, the authorization process checks whether it has the appropriate access rights for the requested IT resource.

For example, suppose a member of the accounting team tries to log in. They provide their credentials or perhaps even complete MFA and are authenticated. If they attempt to use the accounting software, the request will be authorized, since their role in the organization grants them access to that application. But if they attempt to access the company’s HR database or the CEO’s mailbox, the authorization process will deny the request.

How Can Netwrix Help?

As we have seen, managing your digital identities and controlling access are important for ensuring user productivity while maintaining both security and compliance. But choosing the right identity and access management tools is critical for the success of your IAM program.

With Netwrix IAM software, you get a full suite of advanced IAM capabilities. In particular, you can:

  • Discover and classify your sensitive data — Find out where your sensitive data resides, both on premises and in the cloud, and know exactly who has access to which information.
  • Understand your AD and Azure AD groups — Active Directory and Azure AD groups play a vital role in the authorization process. Discover exactly what groups you have, what permissions they have, who their members are and who owns each of them.
  • Discover privileged accounts — Protect your sensitive data and critical systems by identifying all human and non-human privileged accounts across your IT environment.
  • Enable just-in-time privileged access — Replace risky standing privileged accounts with ephemeral accounts that provide just enough access for the task at hand, without hurting administrator productivity.
  • Enforce least privilege — Manage user permissions easily and accurately: Simplify provisioning to get new users productive quickly, prevent users from retaining unwarranted access when they change roles, and immediately remove access from employees when they leave the organization.
  • Strengthen password practices — Automatically identify insecure passwords and reset them to secure values. Prevent users from choosing new passwords that do not comply with your policies. Further reduce risk by storing user and admin credentials in a secure vault.

Martin is Vice President of Product Strategy at Netwrix. Martin is an experienced technologist, with over 30 years in the Privileged Access Management and security space. Prior to Netwrix, Martin led the privileged access team at BeyondTrust where he took their password management solution from unknown to a recognized leader in the industry within 3 years. At BeyondTrust he also drove the development of their first SaaS PAM product as well as a new microservice-based platform for DevOps security. Prior to BeyondTrust, Martin held key management positions at Quest/Dell, Novell, Fortefi and Symantec. He is a recognized expert and a regular speaker for security events and webinars.