Identity management (IdM), also known as identity and access management (IAM) ensures that authorized people – and only authorized people – have access to the technology resources they need to perform their job functions. It includes polices and technologies that encompass an organization-wide process to properly identify, authenticate, and authorize people, groups of people, or software applications through attributes including user access rights and restrictions based on their identities.

An identity management system prevents unauthorized access to systems and resources, helps prevent exfiltration of enterprise or protected data, and raises alerts and alarms when access attempts are made by unauthorized personnel or programs, whether from inside or outside the enterprise perimeter.

Identity management solutions not only protect software and data access, they also protect the hardware resources in an enterprise, such as servers, networks, and storage devices from unauthorized access which could lead to a ransomware attack. Identity management has gained importance over the past decade due to the growing number of global regulatory, compliance, and governance mandates that seek to protect sensitive data from exposure of any kind.

IdM and IAM systems generally are part of IT security and IT Data management within the enterprise, and identity and access management tools are widely available for the broad range of devices that users rely on to perform business functions from phones and tablets to desktop computers running Windows, Linux, iOS or Android.

IdM and IAM are terms often used interchangeably, however identity management is more focused on a user identity (or username), and the roles, permissions, and groups that user belongs to. IdM also focuses on protecting identities through a variety of technologies such as passwords, biometrics, multi-factor authentication, and other digital identities. This is usually achieved by the adoption of identity management software applications and platforms.

As part of an overall IAM framework which covers access management and identity management, enterprises typically utilize both user management component and a central directory component such as Active Directory for Windows or Apache Directory Studio or Open LDAP for Linux systems.

The user management component handles delegation of admin authority, tracking roles and responsibilities for each user and group, provisioning and de-provisioning user accounts, and password management. Some or all of these functions, such as password reset, are typically self-service to reduce the burden on IT staff.

The central directory is a repository off all user and group data for the enterprise. As such, a major role of this component is to synchronize the directory or repository across the enterprise, which can span on-premises and public or private cloud components. This enables a single view of the users and their permissions at anytime, anywhere in a hybrid cloud or multi-cloud infrastructure.

An IAM framework also includes two access components. Authentication addresses issues like sign-on (and single sign-on), managing active sessions, and providing strong authentication via token or biometric device. Authorization uses roles, attributes, and rules in a user record to determine whether a particular user, device, or application should be granted access to a resource.

Identity Management

A digital identity is the key to access. Identities contain information and attributes that define a role, specifically provide or deny access to a given resource, and informs others in the organization who or what that identity belongs to, how to contact them if a person, and where they fit in the overall enterprise hierarchy. Creating an identity can have ripples throughout the organization, for example by creating an email account, setting up an employee record, or generating an entry in an organization chart. Identities are living things in that they can change over time, for example if an employee takes a new role or moves to a new work location.

Identity Management’s role is to track and manage the changes to all the attributes and entries that define an identity in the corporate repository. Typically these changes can be made only by a select few individuals in the organizations, such as a human resources representative who notes an adjusted pay grade, or an application owner granting a group of employees such as customer service representatives access to a new CRM system feature.

Access Management

Access management is the authentication of an identity that is asking for access to a particular resource, and access decisions are simply the yes or no decision to grant that access.

This can be a tiered process, with access services that determine whether a user is authorized for any access on the network at all, and lower tiers of access that authenticate where the identity in question should be granted access to specific servers, drives, folders, files, and applications.

Remember that authentication is not the same thing as authorization. Although an identity (user) may be authorized to be on the corporate network and has an account in the directory, that does not automatically grant that identity the ability to access every application enterprise-wide. Authorization for any given application or resource will be determined by the identity’s attributes, such as which group(s) it belongs to, its level in the organization, or a specific role that was previously assigned.

As with authentication, the granting of authorization can occur in multiple tiers within the organization, for example both as a centralized service and again locally for a given application or resource, although authenticating at the resource or service level is frowned upon as central authentication provides more consistent control.

The difference between Identity and Access Management

The difference between identity management and access management can be simplified like this:

IDENTITY management is all about managing the attributes related to the USER, group of users, or other identity that may require access from time to time.

ACCESS management is all about evaluating those attributes based on existing policies and making a yes or no access decision based upon those attributes.