IAM (Identity & Access Management) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. These resources could be tools required to complete a job, access a database with mission-critical data, or services and applications hosted in the cloud.
While IAM encapsulates a very broad range of solutions, there is, however, a distinct difference between identity management and access management.
Identity management looks to confirm that an accessing user is who they say they are, by examining the information presented during the access request against an identity management database. Access management, on the other hand, uses the information regarding users’ identity to determine which resources they are entitled to access, and what actions can be completed onto those resources.
IAM components can be classified into four major categories: authentication, authorisation, user management, and central user repository.
Authentication is the module through which a user provides sufficient credentials to gain initial access to an application system of a particular resource. Once a user is authenticated, a session is created and referred to during the interaction between the user and the application system, until the user logs off, or the session is terminated by other means (such as a timeout). The authentication module usually comes with a password service module when the user ID/password authentication method is used.
By centrally maintaining the session of a user, the authentication module provides SSO service, so that the user need not logging on again when accessing another application or system governed under the same IAM framework.
Authorisation is the module that determines whether a user is permitted to access a particular resource. Authorisation is performed by checking the resource access request, typically in the form of a URL in a web-based application, against authorisation policies that are stored in an IAM policy store. Authorisation is the core module that implements role-based access control.
Furthermore, the authorisation model could provide complex access control based on data or information or policies including user attributes, user roles/groups, actions taken, access channels, time, resources requested, external data and business rules.
This area is comprised of user management, password management, role/group management and user/group provisioning. User management modules define the set of administrating functions such as identity creation, propagation, and maintenance of user identity and privileges. One of its components is user lifecycle management, which enables an enterprise to manage the lifespan of a user account, from the initial stage of provisioning to the final stage of deprovisioning.
Some of the user management functions should be centralised, while others should be delegated to end users. Delegated administration allows an enterprise to directly distribute workload to user departmental units. Delegation can also improve the accuracy of system data by assigning the responsibility of updates to the people closest to the situation and information.
Central User Repository
Central user repository stores and delivers identity information to other services, and provides service to verify credentials submitted from clients. The central user repository presents an aggregate or logical view of the identities of an enterprise. Directory services adopting LDAP (Lightweight Directory Access Protocol) standards have become the dominant technology for central user repository.
Both meta-directory and virtual directory can be used to manage disparate identity data from different user repositories of applications and systems. A meta-directory typically provides an aggregate set of identity data by merging data from different identity sources into a meta set. Usually, it comes with a two-way data synchronisation service to keep the data in sync with other identity sources. A virtual directory delivers a unified LDAP view of consolidated identity information, behind the scenes, multiple data cases containing different sets of users are combined in real-time.
- What is the Need for IAM?
- The IAM Framework
- Emergence of SaaS
- Market Forecast Summary
► Identity & Access Management Market Research
Our latest research found:
- Global spend on identity & access management solutions will rise from $16 billion in 2022 to $26 billion by 2027; representing total growth of 62% over the next five years.
- Subscription models will enable identity & access management vendors to provide regular updates and offer agile development methodologies; providing faster deployment and post-launch support to customers.
- Annual spend on identity and access management solutions by small businesses via subscription models will surpass $370 million by 2027, up from $178 million in 2022.
- Small businesses were previously excluded from the identity & access management market, owing to higher upfront fees and structured product offerings under the term licence model. Therefore, small businesses must capitalise on the flexible pricing models, bespoke feature integration and ease of access afforded by subscription models, in order to effectively safeguard corporate assets.
- Total spend on identity and access management solutions via subscription models in the US will surpass $5 billion by 2027; increasing from $2 billion in 2022.
- As enterprise adoption of cloud computing infrastructure increases, so too will the demand for effective cybersecurity policies in order to prevent revenue losses. Identity & access management solutions will represent a significant cornerstone of corporate cybersecurity initiatives; driving market growth.