Identity and Access Management (IAM) is a foundational element of cybersecurity today.
As a set of technologies, IAM encompasses user and entitlement provisioning, identity repositories, authentication mechanisms, authorization systems, web access management (WAM), federation and Single Sign-On (SSO), identity governance, access reconciliation, risk management, and many interfaces to other security systems.
Commonly, IAM is split into three major parts:
- Identity Management: The management of identity lifecycles and their governance. This is commonly referred to as Identity Provisioning (Lifecycle Management) and Access Governance, or as IGA (Identity Governance and Administration),
- Access Management: Enabling access of users, i.e., supporting authentication, identity federation, and authorization.
- Privileged Access Management (PAM): These technologies focus on highly privileged users and the specific requirememts around these users, plus shared accounts. Capabilities include management of passwords for shared accounts and of privileged user sessions.
Many of the components of IAM have become standardized and even commoditized. To interoperate with other solutions and be successful in the marketplace, IAM products generally support the following standards:
- Provisioning: SCIM
- User identity storage: LDAP
- Authentication: Kerberos, RADIUS, PKI/x.509 including SmartCards, FIDO U2F/UAF/2.0, W3C WebAuthn, and more
- Federation: OAuth, OpenID, OpenID Connect (OIDC), and SAML
- Authorization: JSON, JWT, UMA, and XACML, with OAuth and OIDC also serving authorization use cases
Access Management, also referred to as Web Access Management & Identity Federation, as one of the major disciplines is focused on providing access for users to services. They can deliver a SSO (Single Sign-On) experience to users, by authenticating the users on behalf of the target applications.
Integration can work either via standards for identity federation or – for legacy web applications that do not support modern identity federation standards – with methods such as password injection and providing authentication information as part of modified https headers. Authentication should integrate with the authentication standards listed above.
However, there also is increasing demand for providing federation and authorization services to digital services that are custom-built, with tight integration into these services. Again, this is about standards support and platforms that enable efficient delivery of these capabilities to developers, at the API level. This is essential when new digital services are created, where the client apps utilize APIs to connect to API providers, which again might utilize backend services. Common scenarios are in the Finance industry, e.g., around Open Banking and standards such as PSD2 (EU Payment Services Directive). The challenge here is that apps of, e.g., FinTechs, might require also access to backend services of other providers such as banks.
Managing access in such complex environments benefits from specialized solutions that can handle API access and authorization in an efficient manner. A provider of such a specialized solution is Authlete.