One of the challenges with identity and access management is that it means different things to different people. Some associate it with single sign-on, while others connect it to federating credentials among varied systems. Some people will argue that it’s all about creating a centralized user record. All of these capabilities are part of the IAM conversation, but they are not the conversation itself.
IAM is really about two things: first, making sure the "good guys" have ready access to the things they need to do their jobs, and, second, making sure the "bad guys" don’t. That’s it.
Determining the difference between the good guys and the bad guys is identity. Deciding when to provide access (and when not to) is access. The management part relates to the managing of those two things via a well-planned and thoughtful strategy.
So the goals of IAM should be easy to understand as an outgrowth of IAM’s core principles: to reduce overhead by streamlining user access to resources (letting the good guys in) and to decrease overall security risk by making sure that inappropriate access isn’t given to the wrong people (keeping the bad guys out). The specifics of the technical decisions and efforts that you might choose to undertake -- from federation to SSO to authentication and beyond -- will likely forward at least one of those two goals.
So if the core of IAM is so straightforward, why do discussions about it get so complicated so quickly? The primary reason has to do with the complexity of what it takes to effect IAM in an actual production infrastructure.
First, the base of resources that users need to access is large and constantly expanding over time, as is the number of users.
Second, the number of decision points (that is, the number of individual decisions that go into determining which users can gain which levels of access to which resources) is a function of number of resources (growing), number of users (growing), and the permissions available within each application/system/realm.
Third, individual resources are usually developed with a particular security (and user access) model in mind, and externally facing awareness of users and roles outside of that model isn’t usually a given. All these factors give rise to complexity, and that complexity makes the management piece of the IAM equation difficult to effect in practice.
To find out more about the key concept and basic strategies behind IAM -- including access control, multifactor authentication, federation, single sign-on, user policy, and monitoring -- download the free report on identity and access management.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.