Identity management principles and implementation

Identity and access management consists of four distinct principles and practices: Identification, Authentication, Authorization, and Accountability. The last three are sometimes referred to together as access control. In centralized access control systems, such as RADIUS and TACACS, they are known as the "Triple A" (AAA) of access control, from the initial letter of each practice.

Observe the following illustration. The core principles and practices of the identity and access domains are layered into three groups. The first layer is called the identity layer and consists of identification principles and practices. The next layer is called the access layer and consists of authentication and authorization principles and practices. The third and last layer consists of accountability principles and practices, such as auditing, audit trails, and monitoring.

Accountability is common to both layers: it applies to the identity layer as well as the access layer:

[Figure: Identity management principles and implementation. The identity layer, the access layer, and the accountability layer that spans both.]

The identity layer consists of distinct principles and practices termed identity management. Consider the following example. John Edwards requires multiple identities in an organization. While his core identity, in other words his principal identity, is John Edwards, he needs access to other systems such as a directory system, a database, and web applications.

Observe the following illustration:

[Figure: Identity management principles and implementation. John Edwards' primary identity and the identities it maps to in the directory, database, and web application systems.]

John has multiple identities.

Each identity may have one or more credentials associated with it, for example a password combined with a digital certificate.

Hence, managing identities requires a number of processes in the identity management domain.

All of these activities are to be performed in accordance with corporate security policies, so that an identity cannot be misused to commit fraud or to gain unauthorized access to systems.

In the preceding illustration, a single primary identity (John Edwards) maps to multiple identities in different systems, and each identity's requirements for access to applications also differ. For example, an Active Directory account may be used for a domain logon, while Unix system access is through a specific terminal.

Hence, identity management includes some or all of the following:

  • Enrollment of user identifiers
  • Provisioning of user identities to different systems
  • Updating all or some of the associated accounts whenever there is a change in user information
  • Retiring the identity and then deprovisioning its accounts when the user no longer needs access
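The lifecycle in the list above, as an added example that is not from the book: a small Python model in which one primary identity owns several system accounts, an update has to reach every linked account, and a reconciliation check flags accounts left active after the identity is retired. The system names, usernames and departments are constructed.

```python
from dataclasses import dataclass

@dataclass
class Account:
    system: str                  # e.g. "ActiveDirectory", "Unix" (constructed names)
    username: str
    owner: str                   # the primary identity this account belongs to
    credentials: frozenset       # e.g. {"password", "certificate"}
    active: bool = True

@dataclass
class Identity:
    name: str                    # primary identity, e.g. "John Edwards"
    department: str
    active: bool = True

class IdentityManager:
    def __init__(self):
        self.identities = {}     # name -> Identity
        self.accounts = []       # every account provisioned on any system
    def enroll(self, name, department):          # identification: register the primary identity
        self.identities[name] = Identity(name, department)
    def provision(self, name, system, username, credentials=("password",)):
        owner = self.identities.get(name)
        if owner is None or not owner.active:     # never provision for a retired or unknown identity
            raise ValueError(f"no active primary identity for {name!r}")
        self.accounts.append(Account(system, username, name, frozenset(credentials)))
    def update(self, name, department):          # returns the systems that must receive the change
        self.identities[name].department = department
        return sorted(a.system for a in self.accounts if a.owner == name and a.active)
    def retire(self, name, systems_reached=None):
        # deprovisioning: retire the identity, then disable its accounts on the systems
        # the job actually reached (None means all); a missed system leaves an orphan
        self.identities[name].active = False
        for a in self.accounts:
            if a.owner == name and (systems_reached is None or a.system in systems_reached):
                a.active = False
    def orphaned_accounts(self):                 # accountability: accounts outliving their owner
        return sorted((a.system, a.username) for a in self.accounts
                      if a.active and not getattr(self.identities.get(a.owner), "active", False))

def demo():
    im = IdentityManager()
    im.enroll("John Edwards", "Finance")
    im.provision("John Edwards", "ActiveDirectory", "jedwards")
    im.provision("John Edwards", "Unix", "jedwards", ("password", "certificate"))
    im.provision("John Edwards", "Oracle", "JEDWARDS")
    touched = im.update("John Edwards", "Audit")
    im.retire("John Edwards", systems_reached={"ActiveDirectory", "Oracle"})  # Unix not reached
    return touched, im.orphaned_accounts()
```

Running `demo()` shows the update touching all three systems and the reconciliation check reporting the Unix account that deprovisioning missed.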