Identity and access management (IAM) involves three simple tasks:
- Protect sensitive resources
- Authenticate a user
- Restrict access of a resource based on a set of authorized users
If IAM comprises three simple tasks, how does it get so complex?
- Role-Based Functionality – Different users want (and need) different functionality from the same resource
- Federation/Partnerships/Trust – Many times we are authenticating a user (or application) based on an established trust relationship
- Securing communications – Keeping data and transactions secure
  - Encryption – Secure from being viewed
  - Signature – Secure from modifications
  - Transport Layer – At what transport layer(s) should security be imposed
- Authentication Schemes – There are many ways to authenticate, and some are more secure than others. Some authentication schemes are not available in all environments. Most authentication schemes need maintenance (password policies, replacement certs and tokens, CRLs, software vulnerabilities, etc.).
- Data – There are many types of data. There are different specifications, regulations and procedures that dictate how data should/must be handled. Even when an individual is allowed access to data, they should be restricted to only the data that is needed for the given task.
  - Personal Data
  - Corporate Data
  - Intellectual Property Data
  - Public Data
  - Transnational Data
I find that identity and access management gets complex as a company grows and expands. You can move that complexity around, but there will be complexity.
I find the essential parts of a manageable solution are:
- Planning – Here we can capture the requirements and capabilities of the components that make up a solution.
- Documenting – This step is crucial; you will keep returning to the documentation in future steps and modifications to the solution.
- Implementation – Implementing the solution
- Educating – The people using your infrastructure need to be a part of the security solution.
- Repeat – Repeat the process as needed to improve and to deal with additional changes/needs
Each one of these is just a bullet point and could be expanded on, but I wanted to give a general outline. The main point here is that security can no longer be neglected in today’s corporate, government or educational institutions. Just by reading the news daily, you will find that security breaches, and their costs, are having a real negative impact.