Identity and Access Management (IAM)
(OBJ 4.6)
Identity and Access Management (IAM)
- Critical component of enterprise security, focusing on managing access to information
- Systems and processes used to manage access to information in an organization
- Ensures the right individuals have access to the right resources at the right times for the right reasons
Four Main IAM Processes
- Identification
- User claims an identity using a unique identifier (e.g., username or email address)
- On its own, identification proves nothing; it only selects the account that the following authentication step will verify
- At registration, the details supplied along with the claimed identity are checked for accuracy
- Example:
- Confirming that the billing and shipping addresses given for a new account are correct
- Authentication
- Verifies the identity of a user, device, or system
- Typically involves validating the presented credentials against a stored credential store (e.g., a directory service); passwords should be compared against salted hashes, never stored or compared in plaintext
- Methods
- Passwords
- Biometrics
- Multi-factor authentication
- Authorization
- Determines the permissions or access levels for authenticated users
- Ensures users have access only to appropriate resources
- Role-based access control often used
- Accounting (Auditing)
- Tracks and records user activities
- Logins
- Actions
- Changes
- Helps detect security incidents, identify vulnerabilities, and provide evidence in case of breaches
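The four processes above, carried through in one small in-memory service. This is an added example written for these notes, not code from the original page or from any product: the role table, the user "alice" and her password are constructed sample data, and the password storage uses salted PBKDF2-HMAC-SHA256 as one reasonable choice. Note that the accounting step records failed logins and denied accesses as well as successes; the failures are what a detection rule for password spraying or privilege probing would key on.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor for PBKDF2; kept moderate so the example runs quickly.
PBKDF2_ITERATIONS = 200_000

# Role-based authorization table (constructed for this example).
ROLE_PERMISSIONS = {
    "analyst": {"reports:read"},
    "admin": {"reports:read", "reports:write", "users:manage"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 of a password; the plaintext is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class IdentityService:
    """Identification -> authentication -> authorization -> accounting, in memory."""

    def __init__(self) -> None:
        self.users = {}      # username -> {"salt", "digest", "role"}
        self.audit_log = []  # accounting: one entry per decision, success or failure

    def add_user(self, username: str, password: str, role: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "role": role}

    def _record(self, username: str, event: str, outcome: str, **detail) -> None:
        # Who, what, when and the result; failures are logged too, because
        # repeated failed logins are the signal for brute-force detection.
        entry = {"ts": time.time(), "user": username, "event": event, "outcome": outcome}
        entry.update(detail)
        self.audit_log.append(entry)

    def authenticate(self, username: str, password: str) -> bool:
        # Identification: the caller merely claims to be `username`.
        record = self.users.get(username)
        if record is None:
            # Hash anyway so response time does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            self._record(username, "login", "failure", reason="unknown user")
            return False
        # Authentication: recompute with the stored salt and compare in constant time.
        _, digest = hash_password(password, record["salt"])
        if not hmac.compare_digest(digest, record["digest"]):
            self._record(username, "login", "failure", reason="bad password")
            return False
        self._record(username, "login", "success")
        return True

    def authorize(self, username: str, permission: str) -> bool:
        # Authorization: the role decides; an unknown user gets nothing.
        record = self.users.get(username)
        allowed = record is not None and permission in ROLE_PERMISSIONS.get(record["role"], set())
        self._record(username, "access", "allow" if allowed else "deny", permission=permission)
        return allowed

    def failed_logins(self, username: str) -> int:
        """Accounting in use: count failed logins for one identity from the log."""
        return sum(
            1 for e in self.audit_log
            if e["user"] == username and e["event"] == "login" and e["outcome"] == "failure"
        )


def demo() -> IdentityService:
    """Constructed walk-through: one analyst, one bad login, one good login, two access checks."""
    svc = IdentityService()
    svc.add_user("alice", "correct horse battery staple", "analyst")
    svc.authenticate("alice", "wrong-password")
    svc.authenticate("alice", "correct horse battery staple")
    svc.authorize("alice", "reports:read")   # allowed by the analyst role
    svc.authorize("alice", "users:manage")   # denied: admin-only
    return svc


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

Running the block prints the audit trail for the walk-through: a failed login, a successful login, one allowed access and one denied access, each with a timestamp and the identity involved.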
Key IAM Concepts
- Provisioning and Deprovisioning of User Accounts
- Provisioning
- Creating new user accounts, assigning permissions, and providing system access
- Example:
- Onboarding a newly hired employee: the account is created, group memberships are assigned according to the job role, and access to the systems that role needs is issued
- Deprovisioning
- Removing access rights promptly when they are no longer needed (e.g., when an employee leaves), since accounts of former employees that are left enabled are a common entry point
- Identity Proofing
- Process of verifying a user's identity before creating their account
- May involve checking personal details or providing identification documents (e.g., driver's license or passport)
- Interoperability
- Ability of different systems, devices, and applications to work together and share information
- In IAM, it can involve using standards such as SAML or OpenID Connect for federated authentication, and OAuth 2.0 for delegated authorization
- Attestation
- Process of validating that user accounts and access rights are correct and up-to-date
- Involves regular reviews and audits of user accounts and their access rights
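Provisioning, deprovisioning and attestation as a single lifecycle, shown as an added example for these notes (not code from the original page or from any IAM product). An HR roster stands in for the identity-proofing step, a per-role baseline defines what each account should hold, and the review function reports the four conditions an access review typically exists to catch: accounts with no matching person, accounts whose role disagrees with HR, permissions beyond the role baseline, and accounts nobody has used for 90 days. The roster, account records and the 90-day threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Baseline permissions per job role (constructed for this example).
ROLE_BASELINE = {
    "analyst": {"reports:read"},
    "admin": {"reports:read", "reports:write", "users:manage"},
}

# An enabled account unused for longer than this is flagged during review.
DORMANT_AFTER = timedelta(days=90)


def provision(accounts: dict, hr_roster: dict, username: str, role: str, created: date) -> None:
    """Create an enabled account holding exactly the baseline for its role.

    The HR roster stands in for the identity-proofing step: no record, no account.
    """
    if username not in hr_roster:
        raise ValueError(f"{username}: no HR record, identity not proofed")
    accounts[username] = {
        "enabled": True,
        "role": role,
        "permissions": set(ROLE_BASELINE[role]),
        "last_login": created,
    }


def deprovision(accounts: dict, username: str) -> None:
    """Disable the account and strip its permissions; keep the record for audit history."""
    acct = accounts[username]
    acct["enabled"] = False
    acct["permissions"] = set()


def attest(accounts: dict, hr_roster: dict, today: date) -> list:
    """Access review: return (username, finding, detail) for every enabled account needing action."""
    findings = []
    for username, acct in accounts.items():
        if not acct["enabled"]:
            continue
        if username not in hr_roster:
            findings.append((username, "orphaned", "active account with no HR record; deprovision"))
            continue
        hr_role = hr_roster[username]["role"]
        if hr_role != acct["role"]:
            findings.append((username, "role-drift", f"HR says {hr_role}, account says {acct['role']}"))
        excess = acct["permissions"] - ROLE_BASELINE[acct["role"]]
        if excess:
            findings.append((username, "excess-privilege", f"beyond {acct['role']} baseline: {sorted(excess)}"))
        if today - acct["last_login"] > DORMANT_AFTER:
            findings.append((username, "dormant", f"no login since {acct['last_login']}"))
    return findings


def build_sample():
    """Constructed roster and account store showing the cases a review should catch."""
    today = date(2024, 6, 1)
    hr_roster = {"alice": {"role": "analyst"}, "bob": {"role": "admin"}, "carol": {"role": "analyst"}}
    accounts = {}
    provision(accounts, hr_roster, "alice", "analyst", today - timedelta(days=10))
    provision(accounts, hr_roster, "bob", "admin", today - timedelta(days=120))    # dormant
    provision(accounts, hr_roster, "carol", "analyst", today - timedelta(days=5))
    accounts["carol"]["permissions"].add("users:manage")   # temporary grant never revoked
    # dave left the company; HR removed him but nobody deprovisioned the account.
    accounts["dave"] = {"enabled": True, "role": "analyst", "permissions": {"reports:read"},
                        "last_login": today - timedelta(days=3)}
    return accounts, hr_roster, today


if __name__ == "__main__":
    accounts, hr_roster, today = build_sample()
    for username, finding, detail in attest(accounts, hr_roster, today):
        print(f"{username:6} {finding:17} {detail}")
```

On the sample data the review flags bob as dormant, carol for the extra permission, and dave as orphaned; running `deprovision` on dave and reviewing again clears his finding, which is the action the attestation output is meant to drive.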