In a recent piece, we looked at identity and access management (IAM) and its importance as an IT security layer. Whilst it would seem to make sense that IAM is simply a combination of identity management and access management, the two branches differ in important ways that are worth understanding.
IAM is a collective term that covers products, processes, and policies used to manage user identities and regulate user access within an organisation. Not all businesses require an IAM system. For some, an identity management system will meet their requirements and for others, an access management system will help them to achieve their desired goal.
It's important to understand the difference, so let's dive straight in.
What is identity management?
Identity management relates to establishing and authenticating user identities.
From a digital perspective, a user is added to the system and a digital identity is created for them. How much assurance that digital identity carries depends on the service you are signing up for. A government-issued digital identity uses a very thorough proofing process, whereas a social media site requires very little verification beyond an email address and a password.
Traditionally, a username and password have been the easiest way of determining a user's identity. Businesses are now deploying more advanced ways of managing a digital identity: biometric technologies such as fingerprint, retinal or facial recognition, and unique hardware tokens, which make a credential much harder for anyone else to copy or replay than a password is.
In practice, identity management consists of managing the identity attributes held in the directory or database and authenticating users against those attributes. An attribute could be an email address, a phone number, or a social security number. We also get attributes from our employers in the form of job titles, the business unit we belong to, roles we hold in projects, and our place in the organisation hierarchy.
As a system or company grows, the problem grows with it. Instead of constantly working through a lengthy list of individual users, identity management has moved toward placing users in groups and then deriving roles for those groups from their attributes, so that a user's entitlements follow from group membership rather than from per-user configuration.
What is access management?
Access management relates to authorising users.
Access decisions are Yes/No decisions. When an access control is deployed, it is tasked with making that Yes/No decision each time a user tries to enter or use a resource. Access management also owns the access points themselves, the login pages and protocols through which an authenticated identity is presented, and confirms that the requester is a known principal at all before deciding what they may do.
This is one of the key differences between identity and access management. Identity management can only determine who the user is, not whether they should be granted access.
An access control decision is based on the information available about the user. This is where the attributes come into play. If the authentication process can deliver the required set of attributes to the access control decision point, the decision point can evaluate those attributes against policy and make the Yes/No decision. If no policy grants the request, the answer should be No by default.
Access management takes the identity and attributes of a user and uses them to determine what that user is authorised to do. It evaluates the identity but does not manage that data.
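The following Python example is added here to make the split concrete; it is not code from the original article. The identity side owns an attribute store in which roles are derived from group membership (the group-based assignment described above), and the access side is a separate decision point that consumes those attributes and returns a Yes/No answer per policy, defaulting to No. The users, groups, roles and policies are constructed for illustration.

```python
"""Added example: identity attribute store feeding an access decision point.

Identity management owns who the user is and what attributes they carry;
access management evaluates those attributes against policy and answers
Yes or No. All names, groups, roles and policies here are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet

# --- Identity management: the attribute store --------------------------------
# Roles are derived from groups, so adding a user to a group is the only
# per-user change needed; policies never name individual users.
GROUP_ROLES = {
    "finance":       {"ledger-reader"},
    "finance-leads": {"ledger-reader", "ledger-approver"},
    "engineering":   {"repo-reader"},
}

@dataclass(frozen=True)
class Identity:
    """What identity management knows about an authenticated principal."""
    user_id: str
    email: str
    business_unit: str
    groups: FrozenSet[str]
    mfa_verified: bool          # strength of the authentication event

    def roles(self) -> FrozenSet[str]:
        return frozenset(r for g in self.groups for r in GROUP_ROLES.get(g, ()))

# Constructed directory entries (assumed data, not a real directory).
DIRECTORY = {
    "alice": Identity("alice", "alice@example.com", "finance", frozenset({"finance-leads"}), True),
    "bob":   Identity("bob",   "bob@example.com",   "finance", frozenset({"finance"}),       False),
    "carol": Identity("carol", "carol@example.com", "eng",     frozenset({"engineering"}),   True),
}

# --- Access management: policies and the decision point ----------------------
@dataclass(frozen=True)
class Policy:
    resource: str
    action: str
    required_roles: FrozenSet[str]                     # any one of these suffices
    require_mfa: bool = False
    business_units: FrozenSet[str] = frozenset()       # empty means unrestricted

POLICIES = [
    Policy("ledger", "read",    frozenset({"ledger-reader"})),
    Policy("ledger", "approve", frozenset({"ledger-approver"}),
           require_mfa=True, business_units=frozenset({"finance"})),
    Policy("repo",   "read",    frozenset({"repo-reader"})),
]

def _unmet(identity: Identity, policy: Policy) -> Optional[str]:
    """Return the first policy condition the identity fails, or None if all pass."""
    if not identity.roles() & policy.required_roles:
        return f"missing role: needs one of {sorted(policy.required_roles)}"
    if policy.require_mfa and not identity.mfa_verified:
        return "policy requires MFA-verified session"
    if policy.business_units and identity.business_unit not in policy.business_units:
        return f"business unit {identity.business_unit!r} not permitted"
    return None

def decide(identity: Optional[Identity], resource: str, action: str) -> Tuple[bool, str]:
    """The access decision point: (allowed, reason). Default deny throughout."""
    if identity is None:
        return False, "unknown principal"
    matches = [p for p in POLICIES if p.resource == resource and p.action == action]
    if not matches:
        return False, "no policy covers this action"
    reasons = []
    for p in matches:                       # any satisfied policy grants access
        reason = _unmet(identity, p)
        if reason is None:
            return True, f"policy {resource}:{action} satisfied"
        reasons.append(reason)
    return False, "; ".join(reasons)

def check(user_id: str, resource: str, action: str) -> Tuple[bool, str]:
    """Identity management resolves the principal; access management decides."""
    return decide(DIRECTORY.get(user_id), resource, action)

if __name__ == "__main__":
    for who, res, act in [("alice", "ledger", "approve"), ("bob", "ledger", "approve"),
                          ("bob", "ledger", "read"), ("carol", "ledger", "read"),
                          ("mallory", "ledger", "read"), ("alice", "ledger", "delete")]:
        allowed, why = check(who, res, act)
        print(f"{who:8} {res}:{act:8} -> {'Yes' if allowed else 'No':3} ({why})")
```

Note that `decide` never consults the directory itself: it only sees the attributes that authentication delivered, which is exactly the dependency described above. Bob fails "approve" because his group does not carry the approver role, and an approver authenticated without MFA would fail the same policy even with the right role, since the decision point treats authentication strength as just another attribute to evaluate.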
Why it’s important to understand the difference
The reason these two concepts are confused is that they are two consecutive steps for a user who is accessing information. The information provided by identity management determines how access management will behave. Since users only ever enter identity information, they do not realise that an entirely separate system then establishes their access. Identity and access are so closely tied together that it can be difficult to remember that they are not the same thing.
This misunderstanding can lead to real security issues. If your identity management is detailed and descriptive but your access management is not clearly defined, an attacker who compromises one well-verified account simply inherits whatever access that account has, and if that access was never scoped to the user's actual job, it may reach far more data than the user ever needed. Strong proof of who someone is does not substitute for a policy on what they may do.
Conversely, if access management is detailed but identity management is not well defined, the policies are evaluating attributes that cannot be trusted or are simply missing, which creates problems for legitimate users trying to access the information they need on a day-to-day basis.
The difference between identity management and access management can be summarised as follows:
- Identity Management is about managing the attributes related to the user
- Access Management is about evaluating the attributes based on policies and making Yes/No decisions
Simply put, identity management opens the door and access management directs the user once inside. Identity and access management (IAM) systems combine both.