Identity and Access Management (IAM) is a foundational element of cybersecurity today. In the early days of computing, user accounts constituted identity and group membership was used to manage access. In the decades since, the concepts, principles, and technologies of IAM have evolved and become increasingly specialized. User accounts and group memberships are still important constructs, but the tools for authenticating, authorizing, auditing, and protecting identities have proliferated.
As a set of technologies, IAM encompasses user and entitlement provisioning, identity repositories, authentication mechanisms, authorization systems, web access management (WAM), federation and Single Sign-On (SSO), identity governance, access reconciliation, risk management, and many interfaces to other security systems.
Many of the components of IAM have become standardized and even commoditized. To interoperate with other solutions and be successful in the marketplace, IAM products generally support the following standards:
- Provisioning: SCIM
- User identity storage: LDAP, sometimes NoSQL databases for CIAM implementations.
- Authentication: Kerberos, RADIUS, PKI/X.509 including smart cards, FIDO U2F/UAF/2.0, and more
- Federation: OAuth, OpenID, OpenID Connect (OIDC), and SAML
- Authorization: JSON, JWT, UMA, and XACML
Commonly, IAM is split into three major parts:
- Identity Management: The management of identity lifecycles and their governance. This is commonly referred to as Identity Provisioning (Lifecycle Management) and Access Governance, or as IGA (Identity Governance and Administration).
- Access Management: Enabling user access to services, i.e. supporting authentication, identity federation, and authorization.
- Privileged Access Management (PAM): These technologies focus on highly privileged users and the specific requirements around these users, plus shared accounts. Capabilities include management of passwords for shared accounts and of privileged user sessions.
Access Management, also referred to as Web Access Management & Identity Federation, is the major discipline focused on providing users with access to services. Access Management solutions can deliver an SSO (Single Sign-On) experience by authenticating users on behalf of the target applications.
Integration can work either via standards for identity federation or – for legacy web applications that do not support modern identity federation standards – with methods such as password injection and providing authentication information in modified HTTP headers. Authentication should integrate with the authentication standards listed above.
Access Management should support a range of applications, from modern SaaS services to legacy web applications. While deployment models are shifting towards cloud-based delivery of Access Management, there is still a need and place for on-premises solutions, specifically for B2E and B2B use cases, or for B2C use cases that work against backend systems within the enterprise.
A specific requirement for all types of Access Management is scalability and high availability. Users' access to services depends on the availability of these services, and especially in B2C scenarios, massive workloads and load peaks can arise.
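The header-based integration for legacy web applications described above, as an added example that is not code from the page or from ForgeRock: a minimal gateway that authenticates the user itself (here via an HMAC-signed session cookie) and then sets the identity header the legacy application trusts. The header name `X-Remote-User`, the cookie name `gw_session` and the signing secret are constructed for the example; the security-relevant detail is that the gateway strips any identity header the client supplied before injecting its own, since the backend cannot tell them apart.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: a real gateway keeps its signing key in a key store
# and the identity header name is whatever the legacy application expects.
GATEWAY_SECRET = b"demo-gateway-secret-not-for-production"
IDENTITY_HEADER = "X-Remote-User"
SESSION_COOKIE = "gw_session"


def issue_session(subject: str, ttl_seconds: int = 3600, now: float = None) -> str:
    """Mint an HMAC-signed session token once the gateway has authenticated the user."""
    now = time.time() if now is None else now
    claims = json.dumps({"sub": subject, "exp": int(now) + ttl_seconds}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(GATEWAY_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_session(token: str, now: float = None):
    """Return the authenticated subject, or None if the token is forged or expired."""
    now = time.time() if now is None else now
    payload, _, sig = token.partition(".")
    expected = hmac.new(GATEWAY_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["sub"] if claims["exp"] > now else None


def _session_cookie(cookie_header: str) -> str:
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE:
            return value
    return ""


def gateway_forward(request_headers: dict, now: float = None) -> tuple:
    """Return (status, headers the legacy backend receives). The identity header
    is stripped from the client request and set only from a verified session."""
    headers = {k: v for k, v in request_headers.items()
               if k.lower() != IDENTITY_HEADER.lower()}
    subject = verify_session(_session_cookie(headers.get("Cookie", "")), now)
    if subject is None:
        return 401, {}  # unauthenticated: a real gateway would redirect to login
    headers[IDENTITY_HEADER] = subject
    return 200, headers
```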
ForgeRock is a leading, venture-backed IAM vendor, headquartered in the US but with many offices around the world. ForgeRock supports most major IAM standards and is a significant contributor to several international standards organizations. Their overall Identity Platform serves both B2E and B2C markets. ForgeRock Access Management can be used to manage access to on-premises and cloud-based resources. ForgeRock provides the tools that their clients can use to build robust access management.