Difference between identity management and access management

We develop Identity and Access Management (IAM) products and solutions, and we also talk about the benefits of IAM for your business. Identity and Access Management can help in many ways: regulatory compliance, cost savings, simplifying your customers' lives, improving the customer experience, and so on. To address these topics, we sometimes resort to mysterious three-letter acronyms and other esoteric protocol names. With over 15 years of experience in computer security, I tend to dive straight into the deep end and expect the reader to follow. In my head, ideas and concepts jostle to get out, while in the background sit tons of knowledge accumulated in silence over the years and buried in the depths of my brain.

Let's go back to basics and start over again from the beginning.

What is meant by "Identity"?

We all have identities. In the digital world, our identities take the form of attributes, stored as entries in a database. Online services tend to collect these attributes in order to provide a better service, or to build a personalised user experience from the static and dynamic attributes they have gathered.
A unique attribute differentiates us from other online users: an e-mail address, a telephone number or a social security number, for example. We receive further attributes from our employers: our job function, the department or division we belong to, the roles we play in projects or in the corporate hierarchy. The attributes that describe our private lives and those that describe our professional lives are not the same, and both change over time: we take a new job, we move, we get married, and so on.

Identity Management

Your online identity is created when you register. During registration, certain attributes are collected and stored in the database. The registration process varies with the type of digital identity being issued. For an electronic identity issued by a government (an electronic identity card, for example), the procedure is exhaustive and the attributes are verified, whereas registration on a social networking site can be done with completely made-up (and therefore unverified) attributes.
Identity management is primarily a matter of managing attributes. You, your line manager, your HR manager, the IT administrator, the customer adviser at the e-commerce site... all these people, and many others, may be responsible for creating, updating or removing the attributes that concern you.

Attribute = Authorization?

Some of our identity attributes are powerful: they allow us to do things online. A "role" attribute that describes a person's function in the company (purchasing manager, for example) can tell an online application what that person is allowed to do there. Attributes that give a user his or her "powers" must therefore be managed and maintained with the utmost care: whoever can write such an attribute can effectively grant the corresponding access.

What is meant by "access"?

Access decisions are binary: "yes" or "no". Once deployed, access control is responsible for deciding whether the user who tries to reach or use a resource may do so. An online service usually has several checkpoints. At the top level, an access control point determines whether the user may enter the site at all; at the lowest level, access control applies to individual files sitting somewhere on disk. Some access control points are visible to the end user and require an action on his part; authentication is the simplest example.

What is "authentication"?

Authentication is the process that establishes the identity of the user, and it can be done in several ways. At the weakest end, the user simply asserts who he is by typing his name in response to the question "Who are you?", with nothing to back the claim up. At the other end of the spectrum, the user authenticates to the service with a government-issued electronic identity card (eID). Between these two extremes lies a multitude of authentication processes and technologies.

Access management

Once the user's identity is established, can he access the service? No. Authentication != Authorization (in "geek" notation, "!=" means "not equal to"). After authentication, a decision must still be made at the access control level, and that decision is based on the information available about the user. This is where the attributes come into play: if the authentication process can pass the necessary set of attributes to the access control decision point, that point can evaluate them and decide "yes" or "no" (access is allowed or denied).
An authorization policy is the tool that turns this into a formal decision point. In the Identity and Access Management (IAM) universe, the policy can be implemented in a centralised service, locally in each application, or both. The identity provider does the heavy lifting on behalf of the online service: it collects the identity attributes and makes the top-level access decision. Duplicating the authorization policy inside each individual service is inadvisable because of the complexity and maintenance cost it creates: such a framework is difficult to change quickly and prone to errors and inconsistencies between services. Note that the service still has to enforce the decision on its own resources; what should be centralised is the policy and its evaluation, not the enforcement.
The difference between identity management and access management can be summarized as follows:
  • Identity management is about managing attributes associated with the user.
  • Access management focuses on evaluating those attributes against rules and producing a binary "yes" / "no" decision.
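The flow described in the two paragraphs above and summarised in this list, as an added Python example that is not part of the original post: a tiny directory holds each user's attributes (identity management), authentication turns a credential into a set of claims, and a policy decision point evaluates those claims against rules to return yes or no (access management). The users, passwords, attribute names, resources and rules are all constructed for the illustration; the password hashing and the policy format are the example's own choices, not a description of any particular product.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# ---- Identity management: the directory of attributes ---------------------

@dataclass
class Identity:
    """One directory entry: a credential verifier plus the user's attributes."""
    username: str
    salt: bytes
    password_hash: bytes
    attributes: dict = field(default_factory=dict)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-user salt; iteration count kept low so the example runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def register(directory: dict, username: str, password: str, **attributes) -> Identity:
    """Registration: collect attributes, store them with a salted password hash."""
    salt = os.urandom(16)
    identity = Identity(username, salt, hash_password(password, salt), dict(attributes))
    directory[username] = identity
    return identity


# ---- Authentication: establish who the user is ---------------------------

def authenticate(directory: dict, username: str, password: str):
    """Return the user's claims (attributes) on success, None on failure."""
    identity = directory.get(username)
    if identity is None:
        return None
    candidate = hash_password(password, identity.salt)
    if not hmac.compare_digest(candidate, identity.password_hash):
        return None
    # The attribute set handed to the access decision point.
    return {"sub": username, **identity.attributes}


# ---- Access management: rules over attributes -> yes/no ------------------

# Constructed policy: (resource, action, predicate over the claims).
POLICY = [
    ("purchase_orders", "read",    lambda c: c.get("department") == "purchasing"),
    ("purchase_orders", "approve", lambda c: c.get("role") == "purchasing_manager"),
    ("payroll",         "read",    lambda c: c.get("department") == "hr"),
]


def authorize(claims, resource: str, action: str) -> bool:
    """Policy decision point: default deny; any matching rule grants."""
    if claims is None:          # unauthenticated: every decision is "no"
        return False
    return any(res == resource and act == action and allow(claims)
               for res, act, allow in POLICY)


def demo() -> dict:
    """Walk through the post's argument and return each decision."""
    directory = {}
    register(directory, "alice", "correct horse", role="purchasing_manager", department="purchasing")
    register(directory, "bob", "battery staple", role="buyer", department="purchasing")
    out = {}

    # Bob authenticates successfully, but authentication != authorization:
    bob = authenticate(directory, "bob", "battery staple")
    out["bob_authenticated"] = bob is not None
    out["bob_can_read"] = authorize(bob, "purchase_orders", "read")
    out["bob_can_approve"] = authorize(bob, "purchase_orders", "approve")

    # The "role" attribute is what gives Alice her power to approve.
    alice = authenticate(directory, "alice", "correct horse")
    out["alice_can_approve"] = authorize(alice, "purchase_orders", "approve")

    # A wrong password yields no claims, so every decision is "no".
    out["wrong_password_approve"] = authorize(
        authenticate(directory, "alice", "wrong"), "purchase_orders", "approve")

    # Identity management event: Alice changes job and HR removes the role attribute.
    # Her credential is unchanged, she still authenticates, but the decision flips.
    directory["alice"].attributes.pop("role")
    alice = authenticate(directory, "alice", "correct horse")
    out["alice_authenticated_after_change"] = alice is not None
    out["alice_can_approve_after_change"] = authorize(alice, "purchase_orders", "approve")
    return out


if __name__ == "__main__":
    for decision, value in demo().items():
        print(f"{decision}: {value}")
```

Two results carry the post's point. Bob is fully authenticated yet denied "approve": authentication established who he is, the policy decided what he may do. Alice still authenticates after HR removes her role attribute, but the very same policy now answers "no": identity management changed an attribute, access management re-evaluated it. Nothing in the policy had to change, which is why the attributes that carry power deserve careful handling, and why the decision point defaults to deny when no rule matches or no claims are present.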
