Sunday, March 3, 2013

Identity and Access Management (IAM)

Identity and Access Management (IAM) comprises of people, processes and products to manage identities and access to resources of an enterprise. The ultimate goal of IAM Framework is to provide the right people with the right access at the right time.

IAM components can be classified into 4 major categories: authentication, authorization, user management and central user repository (Enterprise Directory)

This area is comprised of authentication management and session management.  Authentication is the module through which a user provides sufficient credentials to gain initial access to an application system or a particular resource.  Once a user is authenticated, a session is created and referred during the interaction between the user and the application system until the user logs off or the session is terminated by other means (e.g. timeout).  The authentication module usually comes with a password service module when the userid / password authentication method is used.  By centrally maintaining the session of a user, the authentication module provides Single Sign-On service so that the user needs not logon again when accesses another application or system governed under the same IAM Framework.

Authorization is the module that determines whether a user is permitted to access a particular resource.  Authorization is performed by checking the resource access request, typically in the form of an URL in web-based application, against authorization policies that are stored in an IAM policy store.  Authorization is the core module that implements role-based access control.  Moreover, the authorization model could provide complex access controls based on data or information or policies including user attributes, user roles / groups, actions taken, access channels, time, resources requested, external data and business rules.

User Management
This area is comprised of user management, password management, role/group management and user/group provisioning.  User management module defines the set of administrative functions such as identity creation, propagation, and maintenance of user identity and privileges. One of its components is user life cycle management that enables an enterprise to manage the lifespan of a user account, from the initial stage of provisioning to the final stage of de-provisioning.

Central user repository (Enterprise Directory)
Central User Repository stores and delivers identity information to other services, and provides service to verify credentials submitted from clients.  The Central User Repository presents an aggregate or logical view of identities of an enterprise.  Directory services adopting LDAPv3 standards have become the dominant technology for Central User Repository.

Oracle, Microsoft and IBM are pioneers in IAM technology.

No comments:

Post a Comment