Identity Management (also known as Identity and Access Management, or IAM) is a set of systems and processes for managing how people in an organization authenticate themselves to IT systems and what resources they can access. Identity management is usually undertaken by IT staff specialising in user management and security.
The main facets of identity management are:
- Digital identity
  - A digital construct which represents a human being (or other entity) and holds information about them.
- Authentication
  - How a person identifies themself to the system to prove they are the same person represented by the digital identity.
- Access control
  - Once a person has been authenticated, managing what systems or resources they are allowed to access.
- Provisioning and de-provisioning
  - Adding users to IT systems and authorizing access as appropriate to their affiliation/role, and de-provisioning access when their affiliation/role changes or they leave the organization.
Within an organisation, each person has a unique identifier by which they are known. This may be a Globally Unique Identifier (GUID), a username or an email address. This identifier may have a variety of attributes associated with it, including the person's name, other identifiers (e.g. employee number), department, etc. People may be assigned roles (such as "administrator", "manager" or "editor") which carry certain capabilities, such as adding new users, viewing restricted documents, or uploading content to a website.
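The identity lifecycle described above (a GUID-keyed digital identity with attributes, roles that map to capabilities, provisioning, a change of role, and de-provisioning that keeps only the access a departed member legitimately retains) can be modelled in a few dozen lines. The following is an added illustration, not code from the page or from Cirrus Identity; the role names come from the text, while the "alumnus" role, the capability names and the `IdentityStore` API are assumptions made for the example.

```python
"""Minimal identity-management model: digital identities with attributes and
roles, role-based access checks, and provisioning / de-provisioning."""
from dataclasses import dataclass, field
import uuid

# Role -> capabilities. Constructed sample using the roles and capabilities
# named in the text; "alumnus" is a hypothetical role for departed members.
ROLE_CAPABILITIES = {
    "administrator": {"add_user", "view_restricted", "upload_content"},
    "manager": {"view_restricted"},
    "editor": {"upload_content"},
    "alumnus": {"view_payroll_records", "alumni_network"},
}


@dataclass
class DigitalIdentity:
    """The digital construct representing a person, keyed by a GUID."""
    guid: str
    username: str
    email: str
    attributes: dict = field(default_factory=dict)  # name, employee number, department...
    roles: set = field(default_factory=set)
    active: bool = True  # False once the person has left the organisation


class IdentityStore:
    def __init__(self):
        self._by_username = {}  # username -> DigitalIdentity

    def provision(self, username, email, roles=(), **attributes) -> DigitalIdentity:
        """Onboard a new person: allocate a GUID, record attributes, assign roles."""
        if username in self._by_username:
            raise ValueError(f"{username!r} is already provisioned")
        self._check_roles(roles)
        identity = DigitalIdentity(guid=str(uuid.uuid4()), username=username,
                                   email=email, attributes=dict(attributes),
                                   roles=set(roles))
        self._by_username[username] = identity
        return identity

    def change_roles(self, username, roles):
        """Reflect a change of affiliation/role: old capabilities go, new ones come."""
        self._check_roles(roles)
        self._get(username).roles = set(roles)

    def deprovision(self, username, retained_roles=("alumnus",)):
        """Offboard: block sign-in to enterprise systems and strip every role
        except those a departed member legitimately keeps (e.g. payroll records)."""
        identity = self._get(username)
        identity.active = False
        identity.roles = set(retained_roles)

    def capabilities(self, username) -> set:
        identity = self._by_username.get(username)
        if identity is None:
            return set()
        return set().union(*(ROLE_CAPABILITIES[r] for r in identity.roles))

    def is_allowed(self, username, capability) -> bool:
        """Access control: is this capability granted by any of the user's roles?"""
        return capability in self.capabilities(username)

    def can_sign_in(self, username) -> bool:
        identity = self._by_username.get(username)
        return identity is not None and identity.active

    def _get(self, username) -> DigitalIdentity:
        try:
            return self._by_username[username]
        except KeyError:
            raise KeyError(f"no identity for {username!r}") from None

    @staticmethod
    def _check_roles(roles):
        unknown = set(roles) - ROLE_CAPABILITIES.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
```

The point worth noticing is that access is never granted to a user directly: every check goes through the role table, so a change of role or an offboarding is a single update rather than a hunt through every system the person ever touched. An unknown username yields no capabilities at all rather than an error, which keeps the access check safe to call from any application.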
When logging in to a system, users generally authenticate themselves using a password and/or other credentials. These credentials might include a standard password, a one-time password delivered by text message or generated by an app, biometrics such as fingerprint or facial recognition, or a physical key which plugs into their computer. Users can also be authenticated by having them sign in to another trusted Identity Provider, which confirms their identity. This could include a federated identity, in which a consortium of organisations agree to permit each other's members to log in to their systems. The trusted third party may also include social login, which authenticates with a "social" networking system such as Google, Microsoft, LinkedIn, or Twitter.
Many software applications provide their own identity management system, allowing administrators to create users, set passwords, and specify access. In a large organisation, it can become unwieldy when there are too many systems with their own identity management. Users become frustrated by keeping track of multiple passwords, and administrators struggle to update all the systems when people join or leave the organisation.
A common solution to this is Single Sign-On (SSO) in which multiple enterprise applications integrate with a single authentication service for the organization. User credentials are typically stored in a single enterprise Identity Provider (IdP), though organizations can use an identity provider proxy to support Single Sign-On with multiple Identity Providers. Most enterprise applications support SSO, using protocols such as SAML to share information between them.
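To make the SSO exchange concrete: the Identity Provider is the only party that holds credentials, and each application (the Service Provider) accepts a signed assertion from it instead of checking a password of its own. The following is an added example, not code from the page or from Cirrus Identity. It deliberately simplifies SAML: the assertion is a JSON object signed with an HMAC over a shared key (real SAML uses XML assertions signed with the IdP's asymmetric key pair), and the entity IDs, usernames, key and attributes are constructed for the example. What it does keep are the checks a Service Provider must make before trusting an assertion: signature, trusted issuer, intended audience, validity window, and one-time use.

```python
"""Simplified SSO exchange: an IdP authenticates the user and issues a signed
assertion; an SP trusts the assertion instead of holding its own passwords."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared by IdP and SP. Real SAML uses XML signatures with
# the IdP's asymmetric key pair; the HMAC here is a stand-in for illustration.
SHARED_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """Holds the organisation's credentials and attributes; signs assertions."""

    def __init__(self, entity_id: str, signing_key: bytes):
        self.entity_id = entity_id
        self._key = signing_key
        self._users = {}  # username -> (salt, password hash, attributes)

    def register(self, username, password, **attributes):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt), attributes)

    def authenticate(self, username, password) -> bool:
        record = self._users.get(username)
        if record is None:
            _hash_password(password, b"\0" * 16)  # similar timing for unknown users
            return False
        salt, stored, _ = record
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def issue_assertion(self, username, audience, now, lifetime=300) -> str:
        """Return a signed assertion for a user who has just authenticated."""
        _, _, attributes = self._users[username]
        payload = {
            "id": secrets.token_hex(16),  # unique so the SP can reject replays
            "issuer": self.entity_id,
            "audience": audience,         # the SP this assertion is meant for
            "subject": username,
            "attributes": attributes,
            "issued_at": now,
            "expires_at": now + lifetime,
        }
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        signature = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + signature


class ServiceProvider:
    """An application that relies on the IdP; it stores no passwords itself."""

    def __init__(self, entity_id: str, trusted_issuers: dict):
        self.entity_id = entity_id
        self._trusted = trusted_issuers  # issuer entity id -> signing key
        self._seen_ids = set()

    def consume_assertion(self, token: str, now) -> dict:
        """Validate the assertion and return the identity it vouches for."""
        encoded_body, _, signature = token.partition(".")
        body = base64.urlsafe_b64decode(encoded_body)
        payload = json.loads(body)
        key = self._trusted.get(payload.get("issuer"))
        if key is None:
            raise ValueError("assertion from an untrusted issuer")
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("bad signature")
        if payload["audience"] != self.entity_id:
            raise ValueError("assertion issued for a different service")
        if not payload["issued_at"] <= now < payload["expires_at"]:
            raise ValueError("assertion expired or not yet valid")
        if payload["id"] in self._seen_ids:
            raise ValueError("assertion replayed")
        self._seen_ids.add(payload["id"])
        return {"subject": payload["subject"], "attributes": payload["attributes"]}


def demo_login(now: int = 1_700_000_000) -> dict:
    """End to end: the user signs in at the IdP once, then the SP accepts the assertion."""
    idp = IdentityProvider("https://idp.example.org", SHARED_SIGNING_KEY)
    idp.register("asmith", "correct horse battery staple",
                 department="Library", role="editor")
    sp = ServiceProvider("https://wiki.example.org",
                         {"https://idp.example.org": SHARED_SIGNING_KEY})
    if not idp.authenticate("asmith", "correct horse battery staple"):
        raise RuntimeError("login failed")
    token = idp.issue_assertion("asmith", sp.entity_id, now)
    return sp.consume_assertion(token, now)
```

The audience check is the one most often forgotten: without it, an assertion issued for one application in the organisation could be presented to another one. The replay set and the short lifetime bound how long a captured assertion stays usable; in a real deployment the SP would also bind the assertion to the browser session that requested it.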
The main challenges for identity management in large enterprises are:
- Ensuring that all applications can talk to the Single Sign-On service
- Providing access to external or affiliated systems (e.g. with partner organisations)
- Providing access to users who do not have accounts in the organization's identity management system, such as guests, incoming applicants, users who have left the organization, etc.
- Streamlined, intuitive user provisioning and onboarding
- Deactivating users when they leave to ensure systems security, while still providing access to such things as payroll records or alumni networks.
Identity management systems, whether managed on-site or cloud based, can address all these challenges. Cirrus Identity's suite of hosted identity products can address many of these challenges independently or as a platform solution.