Identity and Access Management (IdM, IAM)

Definitions

Identity Management (IdM) solutions are designed to centralize and automate the management of user accounts and access rights to enterprise information systems, as well as increase control over the use of IT infrastructure. The integration of such solutions with the corporate personnel accounting system allows you to automate business processes for managing access to employment of employees, their transfer to another position, during vacation, as well as in case of dismissal.

Identity and Access Management (IdM, IAM) is a solution that is a kind of kernel that combines all information about an employee in an organization: not only a full name and a unique identifier, but also when he settled, what position he holds, what rights he has, and, accordingly, to which systems he can access. They can be very different, from Active Directory, where the employee's account is located, to the systems that are necessary for his daily work. Access to all information systems is controlled by IdM. If there is no such system, there is often duplication of functions, that is, an employee, going to a new job, is forced to form several requests for access to various information systems, and the administrator creates several accounts. This entails both time and labor costs. At the same time, access rights may not be formed until a week, a certain temporary lag is obtained that causes losses to the organization in view of the impossibility of the employee fulfilling his official duties. If we talk about password protection, then an employee without using Access Management solutions is forced to remember several passwords to log into each of these systems, which entails security risks. Of course, a person is not able to remember all passwords, he begins to write them down, and he can put a piece of paper under the keyboard or glue it to the monitor, which is a potential threat to the organization's information security.

The complexity of the tasks, the solution of which is entrusted to these funds, led to the creation of specialized systems - Identity and Access Management (IAM, identity and access management systems, or IMS, we will use this abbreviation later). A couple of years ago, they appeared on the market as independent products, although any information and computing resource, even before the advent of specialized SUID, had the means to provide and control access to it. This primarily applies to resources such as OS, DBMS, complex applications of the ERP, CRM, SCM class, etc. ^[1]

The market for UID solutions in the world is growing at a faster pace than the IT market, as is the information security tools of market as a whole. According to the forecast of the IDC analytical group, by 2010 the global turnover of solutions based on SUID will exceed $5 billion. According to IDC research, worldwide in 2005, 23% of the total financial costs of information security were allocated for the purchase of UID software.

2024: Rosstandart approves national standard for automated account and access rights management systems

On October 31, 2024, it became known that the Federal Agency for Technical Regulation and Metrology approved the new national standard GOST R "Systems for Automated Management of Accounts and Access Rights." The document, developed with the participation of 27 leading information security companies, will enter into force on December 20, 2024. Read more here.

2018: HID Global: Identity Technology Trends

HID Global highlights the top five trends of 2018 that will have a significant impact on how organizations use trusted identifiers.

Go to the Clouds

• The ease of cloud deployment, flexibility, connectivity, and performance benefits all contribute to active cloud adoption. Cloud-based access control platforms with an API and SDK will drive the proliferation of new software solutions that empower organizations to maximize ROI. The release of cloud-based maps will also grow the industry thanks to simplicity, solution security and an optimized spending structure: governments across countries are increasingly tasked with how to complement physical identifiers with citizens' cloud mobile IDs.
• Cloud authentication and credential management will continue to contribute to the integration of mobile devices, tokens, maps and machine-to-machine workstations. Digital certificates in the IoT ecosystem will be based on trusted cloud services to deliver and manage certificates for thousands of devices.

Related devices and environments focus on IoT protection

• Digital certificates will become a major component of trust in the IoT ecosystem. Unique digital identifiers for printers and encoders, mobile phones, tablets, video cameras and building automation systems will begin to be released, and a wider range of facilities such as network-enabled cars and medical devices will appear.
• The read feature support NFC Apple iOS in 11 will facilitate the implementation of IoT-based applications such as brand protection loyalty programs and other uses, further increasing the need for security in the IoT ecosystem.

The turning point in the development of mobile access: the adoption of technology in the mass market

• 2017 was the year of mobile access, and the active introduction of this technology will continue in 2018. The maturity of mobile solutions and their integration into other systems, combined with the capabilities of mobile devices to improve user convenience, increase operational efficiency and ensure a higher level of security, will lead to accelerated growth and widespread adoption of mobile access.
• Card emulation, the NFC mode most desirable for mobile access control, is supported exclusively for Apple Pay; thus, Bluetooth remains the communication standard for cross-platform mobile access. However, organizations will invest in readers and other infrastructure supporting NFC and BLE to be ready for the future.

Convergence of Physical and Digital Security

• The concept of physical identity and access control (PIAM) will lead to the convergence of physical and digital security on a single identifier, putting identity at the forefront. Government, finance, power and other regulated markets will be the first to use solutions for secure access to buildings, email, websites and VPNs.
• There are new converged identity models using cloud authentication and mobile devices. For example, the ability to check the presence of a person in a certain place, mobile identifiers that check the physical IDs of citizens, and smart cards that authenticate users on corporate resources.

Data analytics will drive risk management for predictive models and the development of new capabilities

• Devices, access control systems, IoT applications, and other cloud-related solutions provide reliable data for advanced analytics. Analysis of this data can be used to optimize operational solutions and provide more convenient access for end users.
• Predictive analytics and biometrics will play a crucial role in keeping people safe, meeting all the demands of employees in providing high-end individual services in the workplace. Analytics will also help reduce enterprise downtime, drive production automation, and improve compliance with legal requirements by monitoring production health based on real-time location solutions.

Features of the IT infrastructure of a large enterprise

• Many information systems of users: employees, contractors, customers
• End-to-end business processes pass through multiple information systems
• Users work in different IT systems and perform different functions in them
• Each information system has its own access rights settings and its own authentication procedure

Access Rights Management Objectives

• Reduce risks associated with improper or untimely issuance or revocation of user access rights
• Reduce the cost of managing access rights
• Increase the efficiency of rights management processes: fast issuance of temporary rights, minimal downtime during rights configuration, etc.

Main tasks of the LMS and its place in the overall safety management structure

The allocation of CID funds into a separate system reflects the need of users to combine the functions of the CID under one "umbrella"; true, experts assess the size of this umbrella in different ways.

Accounting and Use of Standards and Regulations in the Construction of LMS

It is reasonable to use standards in the construction of any systems, since they summarize the best national and international experience. It is reasonable to follow technological standards, and regulatory rules and legislative acts are necessary. Therefore, both developers of certain systems and their users should know the rules that regulate the scope of their activities.

SUID in this sense is no exception. All experts interviewed during the preparation of the review unanimously agreed that these systems should be based on standards, and only open ones. The main ones are the general standards for IT management and information security organizations, such as COBIT, ISO 17799:2005 (BS 7799), ISO 27001:2005. To them, experts add requirements aimed at combating business abuses, which were developed on the basis of the practice of recent years: HIPAA (Health Insurance Portability and Accountability Act), SOX 2002 (Sarbanes - Oxley Act, which defines the requirements for the internal control and audit system to prevent fraud), BASEL II (risk management in financial institutions) and the Bank of Russia standard STO BR IBBS for organizations of the banking system of the Russian Federation.

Of the technological standards, according to experts, the creators of SUID should first of all adhere to the following:

• general information security standards - XKMS, PKI, XML-SIG, XML-ENC, SSL/TLS, PKCS, S/MIME, LDAP, Kerberos, X.509, etc.;
• standards for the exchange of user identification data - SAML, WS-Fed, XACML, SPML, etc.;
• integration standards - WSDL, WSRP, JSR-115, JCP, SOAP, etc.
• Web service standards - WS-Security, WS-Fed, WS-Policy, WS-Trust, etc.;
• directory service standards - X.500, DSML, LDAP, JDBC, etc.

Prior to implementation of MMS

Most modern enterprises regarding information security issues are very immature: corporate users are at the very first, basic level out of four accepted in the classification of this company. Therefore, it will not be superfluous to remind you of the main measures that experts recommend to carry out before the introduction of SUID.

Before starting such a project, the company should conduct a survey of the resources to which access is planned to be streamlined; classify these resources by purpose; describe the business tasks of specific employees and departments; formalize the actual procedure for coordination and access technology; Develop a role model for access to resources and appropriate processes for its coordination and provision. After that, specific technologies can be "tried on" for existing and newly developed processes and models. Among them may well be elements of the inherited IT infrastructure, such as address books or other databases containing user profiles.

Functional composition of ASHS

Experts highlight the following basic capabilities that should be implemented within the framework of the SIDS:

• unified management of accounts in various systems (with the possibility of delegating part of rights to structural divisions of the company), which makes it possible to automate the implementation of the security policy adopted in the organization in the field of access control (including mobile) to various information resources, applications and services;
• support for modern authentication tools (including multifactor, including biometrics) with the ability to register once in the system;
• control of the user's life cycle in enterprise systems from the moment of hiring an employee to his dismissal;
• automatic synchronization of user accounts of all connected systems (primarily personnel accounting systems) in accordance with corporate policies and rules;
• flexible and understandable means of creating policies and regulating data flows from the UMDS to connected systems and vice versa;
• a user-friendly end-user interface that provides access to the corporate address book and self-service tools for password recovery, requesting access to the required resources, and monitoring their passage;
• tools for design, deployment, configuration, administration and monitoring of the system operation;
• Logging and independent audit tools
• Integration with external monitoring, security audit, and support systems
• scalability.

Processes and Steps for Building Access Rights Systems

• Hiring, transfer, dismissal
• Leave/Decree, Leave/Decree
• Change of duties
• Changes in IT infrastructure
• User participation in information security incidents
• Connecting/Disconnecting External Users
• Audit and recertification of access rights ^[2]

Steps to Build an Access Control System

Permit System

Permitting Tolerance System Issues

Role Model (RBAC)

• Formalization of access objects
• Obtaining a list of access subjects
• Audit of current access rights
• Business Role Allocation
• Define a basic permission set for each role
• Formalize access roles, build access matrices
• Building the Access Rights Management Process
• Process regulation (document development)

Growth Diseases RBACPresentation ^[3]

• In its pure form, the model is not flexible enough, since it does not take into account:
  • user action context
  • user attributes
  • settings for the environment in which users work

• For a large number of users, job responsibilities require the creation of unique roles
• It is difficult to maintain the current status of access rights during organizational changes

RBAC: Variation and Development

• "Classic" RBAC-static privileges
  • Manager Role=View Orders + Change Orders
  • if (user.hasPrivilege(‘view_order’)) …
  • Disadvantage: Does not support object attribute cut

• Dynamic Validation of Object Attributes
  • Role Store Manager 123=Display Store Orders 123 + Change Store Orders 123
  • if (user.hasPrivilege(‘view_order_’ + order.branch) …
  • Disadvantage: Causes "role explosion" to create a role for each attribute value

• Dynamic validation of subject attributes
  • Role "Store Manager"="Display Orders of a Swiegophilial" + "Change Orders of a Swiegophilial"
  • if (user.hasPrivilege(‘view_order’) && user.branch==order.branch))

• Logical continuation of -ABAC (Attribute-Based Access Control)

Centralizing Management: Identity Manager

• Brings all role management options to a single model
• Centrally manages rights in enterprise IT systems
• Implements business scenarios: hiring, dismissal, leave, etc.

Identity Manager bottlenecks

• Operates within RBAC model
• Does not take into account business object attributes
• Limited to existing IT roles

Attribute Access Model (ABAC)

• Access rights are defined by Boolean rules in terms of business attributes
• Attributes are possessed by subjects (users), resources (objects), actions and environment
• Model standardized under XACML 3.0 (first version -2003)

ABAC: Access Management Scheme

Access Control Approaches (Standard and Hybrid)

IDM / IAM

Results

• It should be possible to quickly check who has access to where (had access on some date in the past)
• Defining a basic set of access rights and building a role model requires many hours of interaction with the business units
• A register of resource owners is required
• IDM and other automation tools are a tool, not an end in itself
• The ultimate goal is to improve efficiency and mitigate risks associated with excess access

CID functions in OS, DBMS and application systems

As noted above, corporate information resources have their own mechanisms for identifying and granting users access rights at the OS, DBMS or application level. Experts note that the AID tools implemented in modern information and computing resources are increasingly approaching specialized systems in terms of their capabilities, and they are borrowing procedures and functions.

For some specialists, the latest advances in access control in products such as,, cause favorable impressions. SAP NetWeaver Oracle Application Server e-Business Suite Others note that although class solution providers ERP have advanced with their products in the direction of UID much further than operating systems developers, their problem is that ERP solutions are often built as separate data stores (silo), and therefore they do not provide proper integration with corporate UID policies: ERP are responsible for identifying and authorizing users only for their modules.

Directions of SIDS development

According to experts, taking into account the requirements for IMS such as scalability, hierarchy and support of territorial distribution, the most suitable for these systems today is a three-level architecture with three basic components: implementing business logic (workflow) of the IMS identity storage, server and console of centralized management of the IMS.

The separation between personal and work accounts is erased

Although you are unlikely to be able to log into a corporate VPN network under your Facebook account (at least so far), six out of ten surveyed IT managers (63%) believe that the authentication methods used in the consumer world can also be used to securely access corporate applications. Moreover, according to about the same number of respondents, their security services experience certain difficulties in trying to provide users with the same intuitive way to log in as used in these services, and a little more than half of the respondents (52%) believe that within three years, employees will use the same accounts as for accessing corporate online resources, and to access your personal data in public ^[4]

And this turn may seem somewhat unexpected, especially given the huge number of consumer websites offering free OTP applications, OTP password delivery via SMS, and even promoting push authentication technology. We all know the option "Remember me on this device" - the simplest form of contextual authentication, in which the second factor is involved only when logging in from an unknown browser and device pair and which most IT managers (63%) consider as future two-factor authentication.

Offer employees new tools for mobile work? Maybe...

The good news is that only 35% of organizations completely prohibit access to work resources from mobile devices - smartphones and tablets, and the majority (56%) allow such access, albeit with some restrictions. This may mean that Chief information officer restrict access from mobile devices are not fully confident in the access control methods used to allow employees to use mobile devices more actively. At the same time, these same leaders in the next two years intend to significantly expand the scope of two-factor authentication on mobile devices (from 37% today to 56% in two years). We still have to see if this increased security will contribute to the development of mobile technologies in the corporate environment. But be that as it may, innovations based on Bluetooth Smart, biometrics and push technologies can contribute to more active adoption of two-factor authentication.

While the vast majority of IT executives surveyed acknowledge that there are barriers to increasing mobile technology use in their organizations, the nature of these complexities can vary greatly, ranging from security concerns (50%), the added burden on IT management (48%), increased costs (43%) to other complexities, including the desire for IT transparency (30%) and the need for regulatory compliance.

Cloud: Explosive Growth, Single Sign-on (SSO), and Access Control

The explosive growth in the number of cloud applications in the corporate environment explains the desire to solve the so-called "password fatifue" problem once and for all - user fatigue from passwords, when employees in their daily activities have to keep in memory 10-25 pairs of logins and passwords. From this point of view, in almost half of the respondent organizations (49%), it is planned to implement a solution providing single sign-on (SSO) in cloud applications, and about the same number of respondents (47%) agreed that such a need is brewing in their organizations.

Today, password management technology is the most common method of controlling access to cloud applications, which is used in organizations by 53% of respondents. Other methods used include IDaaS (28%), cloud SSO solutions (28%) and IAM solutions on their own infrastructure (23%).

Almost all IT managers surveyed (95%) see single sign-on to cloud applications as a tool to improve employee mobility and productivity in their organization.

The state of the market for SUID in Russia

In Russia, an increase in demand for SUID has recently been outlined, and Russian companies spend only 2% of the information security budget on UID funds. According to experts, this is largely due to the fact that the introduction of UID technologies requires a package of regulatory and methodological documents in the company that ensure a strict formalization of the process of providing users with access to information resources. It is due to the lack of comprehensive documentation support in the field of information security that many Russian enterprises are not yet ready to implement SUID.

Experts call the high price of $60 to $100 per user as a deterrent to the distribution of these products, as well as the fact that these solutions are at the intersection of the functions of the IT department and the security department (which makes it difficult to take and implement organizational and administrative measures on the IDM). To date, only a few SUIDs have been introduced in Russia. However, it can be assumed that in the near future a breakthrough will be made in this direction. It is now that large and interesting projects are being launched that provide for the phased deployment of UIDs within one to two years.

Today in Russia, SUID is of interest to large enterprises and organizations with a developed IT infrastructure, such as large telecom operators, banks, insurance companies, industrial holdings, oil and gas corporations and government agencies. Estimating the annual volume of purchases on the Russian SUID market for the next few years, our experts bring a wide fork - from five to several tens of millions of dollars. At the same time, they take into account that the number of potential customers for the next three to five years will be about a hundred companies with a project cost of $1 million.

IDM/IAM Systems and Projects

• The IDM/IAM Systems and Projects Catalog is available on TAdviser
• Enterprise Information Resource Identification and Control Systems - IDM (Russian Market)

Notes