Laying the foundation for a Better IAM System Implementation
Creating and maintaining identity information about individuals, supplying it to authorized parties and using it to grant access to services is a core function, and one that has evolved over time. In the current age of digitization, a digital identity is what identifies and describes an individual to other individuals, authorities and systems: it gives those parties a basis for providing or denying services to the individual, and it gives the individual a means to authenticate to the different systems and use the services allowed to them.
Traditionally, each system implemented its own identity and authentication mechanism. This forced end users to keep different credentials for every application and led to duplicated and conflicting user data across applications. These problems eventually led to dedicated systems for maintaining and managing users' identities and privileges, which other applications could rely on for authentication, user information and roles.
Such systems are described as Identity and Access Management (IAM) systems, and establishing and managing them effectively is an important IT function. While IAM systems are usually discussed in the context of a single organization, the eventual objective is one IAM system that provides access to enterprise, third-party and public applications alike.
At the basic level an IAM system needs to include:
• A system for creating and managing identities, including the attributes needed to describe the individual
• An authentication system that allows an individual to log in and establish their identity to the system
• Systems and frameworks for managing and customizing the individual's access to various services
• A framework through which other applications can authenticate users and query and write user attributes and privileges
While setting up and managing an IAM system is essentially an IT function, the system's effectiveness lies in its ability to delegate the actual maintenance of each individual's identity, attributes and privileges to the business functions. In most organizations today, employee information and privileges are primarily owned and controlled by HR, and some operational privileges are controlled by the employee's line manager. In the underlying IT implementation, user attributes, credentials and privileges are usually managed in a directory such as Microsoft Active Directory or another LDAP system, while the HR or project management processes that actually assign an individual's roles run on an HRMS or ERP application.
A successful IAM deployment therefore needs to integrate seamlessly with HR, ERP and project management systems on one side, and with IT infrastructure such as directory systems, which actually perform authentication and enforce privileges, on the other.
The complexity, scale and diversity of the applications that depend on the IAM system make a role-based model for managing users the practical choice. The security architecture that assigns privileges to job roles should be designed and implemented jointly by the IT and functional teams, so that a user's credentials and entitlements can be maintained transparently by the HR and functional teams throughout the user's life cycle in the organization (joining, changing roles, leaving), in line with pre-defined policies and with minimal day-to-day intervention from IT.
Traditionally, IT infrastructure teams have administered individuals' privileges and information based on inputs from HR, line managers and the individuals themselves. This often leads to delays, inefficiencies and conflicts, and most importantly to what is known as "privilege creep": new privileges are granted as requirements arise, but the privileges of previous job roles are seldom removed, because of delays in communication, misunderstandings or a lack of clear ownership. This is another reason to keep IT infrastructure teams out of direct, day-to-day identity and access administration.
Well-known IAM tools from vendors such as Microsoft, IBM, Dell and others, along with many open source tools, provide these functions and offer frameworks and APIs for integrating with directory and application systems. However, a successful IAM implementation requires the organization to think through a security architecture and framework encompassing all of its applications and systems, to define security roles with assigned privileges, and to give HR and the line functions both the ability and the ownership to manage users' accounts and roles without getting into the specifics of the underlying IT implementation.
Finally, the implementation needs to log every change and assignment transparently, so that a correct audit trail is maintained: who changed what, for whom, when, and for what reason.
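The role model, the HR-driven reconciliation that catches privilege creep, and the audit trail described above can be shown together in a small worked example. The following Python is an added illustration written for this page, not code from any IAM product named above; the role codes, group names, HR records and directory export are all constructed, and the role model is a hypothetical one an organization would agree between IT security and the business functions.

```python
"""Role-based entitlement reconciliation with an audit trail (constructed example).

The HR feed is the source of truth for who holds which job role, the role model
maps job roles to directory groups, and the directory is reconciled to that
model.  Anything the directory grants beyond the current role is flagged and
removed, which is how groups left over from earlier roles get caught.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical role model: HR job-role code -> directory groups the role entitles.
ROLE_ENTITLEMENTS = {
    "AP_CLERK":   {"grp-erp-ap-entry", "grp-fs-finance"},
    "AP_MANAGER": {"grp-erp-ap-entry", "grp-erp-ap-approve", "grp-fs-finance"},
    "HR_GEN":     {"grp-hrms-read", "grp-fs-hr"},
}

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    username: str
    job_role: str
    active: bool          # False once HR records the person as a leaver

@dataclass(frozen=True)
class Change:
    action: str           # "add_group", "remove_group" or "disable_account"
    username: str
    group: str            # "" for account-level actions
    reason: str

def desired_groups(rec: HrRecord) -> set:
    """Groups the role model grants this HR record right now."""
    if not rec.active:
        return set()      # leavers keep nothing
    if rec.job_role not in ROLE_ENTITLEMENTS:
        # Fail closed: an undefined role must be fixed in the model, not guessed at.
        raise ValueError(f"no role definition for {rec.job_role!r}")
    return set(ROLE_ENTITLEMENTS[rec.job_role])

def reconcile(hr_records, directory) -> list:
    """Diff HR-derived entitlements against directory membership.

    directory is {username: set(groups)} as exported from AD/LDAP.  Returns the
    changes needed to bring the directory in line with the role model.
    """
    changes, seen = [], set()
    for rec in hr_records:
        seen.add(rec.username)
        current = directory.get(rec.username, set())
        wanted = desired_groups(rec)
        for g in sorted(wanted - current):
            changes.append(Change("add_group", rec.username, g, f"role {rec.job_role}"))
        for g in sorted(current - wanted):
            why = "leaver" if not rec.active else f"not granted by role {rec.job_role} (privilege creep)"
            changes.append(Change("remove_group", rec.username, g, why))
        if not rec.active and rec.username in directory:
            changes.append(Change("disable_account", rec.username, "", "leaver"))
    # Directory accounts with no HR record have no owner: disable them, do not guess.
    for user in sorted(set(directory) - seen):
        changes.append(Change("disable_account", user, "", "no HR record (orphan)"))
    return changes

def apply_changes(directory, changes, actor="hr-feed", now=None):
    """Apply changes to a copy of the directory; return (state, disabled, audit_log).

    Every change is recorded with actor, action, target and reason, so the trail
    later answers "why does this user hold this group?".
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    state = {u: set(gs) for u, gs in directory.items()}
    disabled, audit = set(), []
    for c in changes:
        if c.action == "add_group":
            state.setdefault(c.username, set()).add(c.group)
        elif c.action == "remove_group":
            state[c.username].discard(c.group)
        elif c.action == "disable_account":
            disabled.add(c.username)
        audit.append({"ts": ts, "actor": actor, "action": c.action,
                      "user": c.username, "group": c.group, "reason": c.reason})
    return state, disabled, audit

# Constructed sample data: asmith moved into AP_MANAGER but still holds a group
# from an earlier role, cwu has left, and svc-old-backup has no HR record at all.
HR_FEED = [
    HrRecord("E100", "asmith", "AP_MANAGER", True),
    HrRecord("E101", "bjones", "HR_GEN", True),
    HrRecord("E102", "cwu", "AP_CLERK", False),
]
DIRECTORY = {
    "asmith": {"grp-erp-ap-entry", "grp-fs-finance", "grp-legacy-ap-export"},
    "bjones": {"grp-hrms-read", "grp-fs-hr"},
    "cwu": {"grp-erp-ap-entry", "grp-fs-finance"},
    "svc-old-backup": {"grp-fs-finance"},
}

if __name__ == "__main__":
    for c in reconcile(HR_FEED, DIRECTORY):
        print(f"{c.action:15} {c.username:15} {c.group:22} {c.reason}")
```

Running the script lists one addition for asmith (the approval group the new role grants), one removal for asmith (the leftover group, marked as privilege creep), removal of all groups plus account disablement for the leaver cwu, and disablement of the orphan service account; bjones, whose groups already match the role, produces no change. Because the diff is computed from the HR feed rather than from tickets, no IT operator has to remember to remove anything, and every resulting change carries the reason that justified it.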
Another important consideration for an IAM implementation is its ability to federate with the IAM systems of partner organizations. Standards such as SAML provide mechanisms for exchanging authentication and authorization information between them; the receiving side must still verify the assertion's signature, issuer, audience and validity window before trusting the attributes it carries.
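As an added example of the relying-party side of such a federation, the following Python parses a SAML 2.0 assertion and applies the checks that must pass before the identity and role attributes a partner asserts are acted upon. This code is written for this page and is not part of any SAML library; the assertion, the entity IDs and the partner-role-to-group mapping are all constructed. The sample assertion is unsigned: in a real deployment the XML signature over the Assertion must be verified against the partner's metadata certificate (for example with xmlsec or python3-saml) before any of these checks run, since otherwise anyone can write their own assertion.

```python
"""Relying-party checks on a SAML 2.0 assertion (constructed example).

Signature verification is assumed to have already succeeded and is not shown.
"""
import xml.etree.ElementTree as ET  # use defusedxml in production to block entity-expansion attacks
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://idp.partner.example/saml"   # hypothetical partner IdP
SP_ENTITY_ID = "https://portal.acme.example/sp"      # hypothetical local service provider

# Constructed, unsigned assertion from the hypothetical partner for the hypothetical SP.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-03-01T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@partner.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-03-01T10:00:00Z" NotOnOrAfter="2024-03-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>supplier-invoicing</saml:AttributeValue>
      <saml:AttributeValue>supplier-readonly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Sales</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

class AssertionRejected(Exception):
    """Raised when an assertion fails a check; callers must not log the user in."""

def parse_saml_time(value):
    # SAML uses xs:dateTime in UTC with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now, skew=timedelta(seconds=60)):
    """Return (name_id, attributes) if acceptable, else raise AssertionRejected.

    Checks: the element is an Assertion, the Issuer is the configured partner,
    'now' lies within [NotBefore - skew, NotOnOrAfter + skew), and our SP entity
    ID is listed in the AudienceRestriction.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise AssertionRejected("not a saml:Assertion element")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise AssertionRejected(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - skew:
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + skew:
        raise AssertionRejected("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise AssertionRejected(f"audience {audiences} does not include {expected_audience}")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise AssertionRejected("missing Subject/NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs

# Hypothetical mapping of partner-asserted roles to local groups.  Anything the
# partner asserts that is not listed here is ignored rather than honoured.
PARTNER_ROLE_MAP = {
    "supplier-invoicing": {"grp-portal-invoice-submit"},
    "supplier-readonly": {"grp-portal-read"},
}

def local_groups(attrs):
    """Translate the partner's role attribute into local groups via the allowlist."""
    groups = set()
    for role in attrs.get("role", []):
        groups |= PARTNER_ROLE_MAP.get(role, set())
    return groups

if __name__ == "__main__":
    now = parse_saml_time("2024-03-01T10:02:00Z")
    name_id, attrs = validate_assertion(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID, now)
    print(name_id, attrs, sorted(local_groups(attrs)))
```

Two design points matter here. The validity window is checked with a small clock-skew allowance rather than exactly, because partner clocks drift, but NotOnOrAfter stays exclusive as the specification requires. And the partner's role names are never used directly as local privileges: they pass through an allowlist owned by the local organization, so a partner that asserts an unexpected role (or a compromised partner IdP) cannot mint entitlements the local role model never defined.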
The ISO/IEC 24760 standard provides a framework for identity management and can be used as a reference when implementing an effective IAM system, whether with commercial or open source tools or as an in-house implementation.