Compliance requirements in the United States and abroad dictate that organizations maintain tight control over user access. To support this effort, organizations are turning to identity and access management, or IAM. This article defines the scope of IAM, discusses the drivers for an IAM program, the implementation of IAM systems and policy, and the competing IAM technologies on the market today.

Identity and Access Management Defined

Identity and access management, or IAM, seeks to actively audit users and permissions on a distributed enterprise network. User accounts function to authenticate, authorize and account for user activity. Permissions grant privileges and access rights to users and groups utilizing network resources such as files, folders and databases, both locally and in some cases remotely. Although this system is the de facto standard for business-class networks and systems, it has flaws that present major security issues. Namely, it can be a tedious process to ensure that user accounts are current and assigned to valid employees. Furthermore, users can be given more rights than their job role requires, and the auditing of file permissions is often overlooked by overworked system and network administrators. As a result, it is common for terminated employees to still have active user accounts well after leaving the company. In addition, temporary permissions may be assigned to a user for a project, but those privileges may never be reviewed or revoked for a prolonged period of time. Identity and access management systems are used to streamline the audit process. IAM encompasses both technology and policy to further strengthen the efforts of information technology teams to harden this overlooked portion of networked systems. In summary, identity and access management systems seek to perform the following tasks:

  • Authentication – This functional area involves session management with resources in a network environment. Typically this involves generating unique usernames and passwords to provide access to those resources.
  • Authorization – This area determines whether a user has been assigned the rights to access the network or a resource. This can be done by assigning a user to a particular group or groups, or by granting that one individual certain rights to a file, folder or network resource.
  • User management – IAM architectures seek to define the processes by which system administration functions are performed. These can include password resets, user account creation and what privileges users have.
  • Centralized user repositories – This technology seeks to show the relationship between user accounts, applications and network resources.

Drivers for IAM systems and implementation

Typically, identity and access management systems are used by organizations to track data flows, network resources and user activity on the network. This can be done to improve the organization’s overall security posture and, in the case of publicly traded companies, can assist in compliance and privacy initiatives. In particular, the legislation below needs special attention and is often the key driver behind an IAM investment:

  • Gramm-Leach-Bliley Act or GLBA – This legislation requires that organizations implement and maintain safeguards to protect customer data.
  • United States Health Insurance Portability and Accountability Act or HIPAA – This regulation stipulates standards to ensure the security of electronically stored health information.
  • Payment Card Industry Data Security Standard or PCI-DSS – This standard was developed in 2005 by several credit card issuing companies and dictates that customer credit card and personal information must be proactively protected.

These are in addition to regulations mandated by various other countries and groups, including Japan and the European Union. Companies with multi-national operations must examine all applicable privacy regulations.

Goals of Identity and Access Management

There are specific measurements that can gauge the success of an identity and access management implementation. Various metrics can be put in place within an organization through a coordinated effort between the information technology department and upper management. The main goals below can be the foundation of IAM policy. It should be noted that when used with risk management and analysis, financial goals can be aligned with the following goals so that they adhere to a company’s fiscal policies:

  • Cost Reduction – This can be achieved through decreased calls to an internal help desk from employees who have forgotten passwords. By implementing an IAM system, there is also a cost saving from avoided security breaches. Proper risk analysis can determine exactly how much savings the organization can realize with a properly implemented system.
  • Improved Security – This is the most obvious benefit of an IAM system. Improved security can be achieved by collecting user data in a centralized location where trends can be noted and corrected if necessary.
  • Achieving Compliance – Compliance regulations dictate proper archiving of data and a recording of all user activity. IAM systems provide a means to assist with compliance efforts.
  • Improving Efficiency through Automation – IAM systems can automate some system administration activities, thus providing efficiency and consistency. This frees time for other security and compliance related tasks and ties into the eventual cost savings of implementing an IAM system.

Phases of Identity and Access Management

Identity and access management systems and policy need to be implemented in phases to be successful. These phases align with the goals of identity and access management implementation and are outlined below.

  • Password management – Since one of the goals of IAM is cost reduction, a password management policy is especially useful in limiting calls to an internal helpdesk for forgotten passwords. This can be done by offering a means for users to securely reset passwords over the phone or online, obviating the need for a helpdesk call.
  • Password policy enforcement – It is common for users not to be security conscious when creating and maintaining passwords. Therefore it is critical that password enforcement be part of an IAM program. This phase seeks to require passwords of a minimum length that combine upper and lower case letters, numbers and special symbols. It is important, however, to ensure that user productivity is not burdened with excessive policy, or it will tip the balance away from cost reduction and improved efficiency.
  • User de-provisioning – This process ensures that when an employee leaves an organization, their credentials are disabled. This needs to encompass items such as disabling user accounts on the various systems as well as disabling and archiving email for future use. The procedure should then call for the permanent deletion of the user account and associated email within a prescribed period of time.
  • User provisioning – This is the process by which user accounts, email and permissions are established during new employee onboarding. By establishing a set procedure, there is little latitude given in account creation, and this maintains an improved security posture in the organization. Tied into this phase is identifying roles within the organization and establishing user permissions and rights based on those roles. To make this quicker (especially in a large organization), role-based user templates within a system such as Active Directory can be filled in with basic user information with rights pre-assigned.
  • Rights management – When a user needs their rights reviewed or upgraded, a system needs to be in place that allows for this. This can involve a centralized repository of the rights needed to perform a given job role, or of the rights that may need to be assigned in support of a special project. There are systems in which a user can request certain rights and the approval process is automated, so that the request is reviewed and signed off by a designated approving authority depending on the role of the user.
  • Metadirectory creation – A metadirectory system is used to consolidate data flows between multiple sources. In IAM systems it is used to synchronize changes to users and permissions across LDAP-based directories, thus reducing system administration time, which ultimately affects the bottom line.
  • Enterprise single sign-on – With multiple systems in the enterprise, password management becomes problematic. With the completion of step six (the metadirectory), a single sign-on system can be implemented that allows one set of credentials to be used across disparate systems, thus saving administration time and increasing overall productivity.
  • Authentication Services – This phase is subject to the discretion of the organization, depending on how secure it wants to be. There are three authentication factors available for this purpose. The typical trifecta identifies who a user is, what the user knows and what the user has. In most environments, a user name and password answer the “who the user is” and “what the user knows” questions and are considered sufficient security. In highly secure environments, a smart card, network dongle or biometric information can be used to satisfy the “what the user has” role.
  • Enterprise access management – This phase deals with access control for web-based applications. Namely, this is a detailed examination of what web applications are being used in the organization, the testing of those applications for security flaws, and determining what access identified users will have to each application.
  • Federated identity management – This phase is optional and need not be phased into every enterprise. Federated management enables a user to log in to their company’s network and have those credentials grant access to all other trusted networks outside the parent organization.

As stated, the implementation of an identity and access management system is performed in phases that build on each other to be successful.
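The de-provisioning and rights-management phases above exist to catch exactly the gaps described earlier: accounts of terminated staff that stay enabled, temporary project grants that are never revoked, and accounts with no owner. The following added example (not code from the original article or any vendor product) reconciles a constructed HR roster against a constructed directory export to produce those findings for review; the field names, role templates and sample accounts are all assumptions for illustration.

```python
"""Reconcile an HR roster against a directory export for IAM review findings."""
from datetime import date

# Constructed sample data, not taken from any real HR system or directory.
HR_ROSTER = {
    "e100": {"role": "finance-analyst", "status": "active"},
    "e101": {"role": "dba", "status": "terminated", "term_date": "2024-03-01"},
    "e102": {"role": "finance-analyst", "status": "active"},
}
# Each group grant optionally carries the date by which a temporary
# (project) grant must be reviewed or revoked; None means a standing grant.
DIRECTORY_EXPORT = [
    {"sam": "aalvarez", "employee_id": "e100", "enabled": True,
     "groups": [{"name": "FIN-RO", "expires": None},
                {"name": "DBA-ADMIN", "expires": "2024-02-05"}]},
    {"sam": "bbauer", "employee_id": "e101", "enabled": True,
     "groups": [{"name": "DBA-ADMIN", "expires": None}]},
    {"sam": "svc_backup", "employee_id": None, "enabled": True,
     "groups": [{"name": "BACKUP-OPS", "expires": None}]},
    {"sam": "cchen", "employee_id": "e102", "enabled": True,
     "groups": [{"name": "FIN-RO", "expires": None}]},
]
# Hypothetical role templates: the standing groups each role is entitled to.
ROLE_BASELINE = {"finance-analyst": {"FIN-RO"}, "dba": {"DBA-ADMIN"}}


def audit(roster, accounts, role_baseline, today_iso):
    """Return (finding, account, detail) tuples for an approver to action."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        emp = roster.get(acct["employee_id"]) if acct["employee_id"] else None
        if emp is None:
            # No HR owner: a leftover account or an unowned service account.
            findings.append(("ORPHAN_ACCOUNT", acct["sam"], "no HR record"))
            continue
        if emp["status"] == "terminated" and acct["enabled"]:
            findings.append(("TERMINATED_STILL_ENABLED", acct["sam"], emp["term_date"]))
        allowed = role_baseline.get(emp["role"], set())
        for grant in acct["groups"]:
            if grant["expires"] is not None:
                # An in-date temporary grant is an approved exception; flag only overdue ones.
                if date.fromisoformat(grant["expires"]) < today:
                    findings.append(("EXPIRED_TEMP_GRANT", acct["sam"], grant["name"]))
            elif grant["name"] not in allowed:
                findings.append(("GRANT_OUTSIDE_ROLE", acct["sam"], grant["name"]))
    return findings


if __name__ == "__main__":
    for finding in audit(HR_ROSTER, DIRECTORY_EXPORT, ROLE_BASELINE, "2024-04-01"):
        print(*finding)
```

In practice the roster and export would come from the HR system and a directory tool such as an LDAP query, and each finding would feed the rights-management approval workflow rather than being printed.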

Identity and Access Management Solutions

Most organizations will typically hire a consulting firm to assess their current environment and then suggest and implement a solution. However, in performing due diligence, an organization needs to research which IAM vendors are in the market and how they compare to each other. One resource for researching vendors is Forrester, who recently ranked Oracle, Computer Associates and IBM as the industry leaders in this field. All these vendors offer similar IAM architectures that can be implemented in diverse distributed networks. It is up to the organization to research which vendor feature sets can best be used within its enterprise.


Identity and access management, or IAM, can be used to ensure compliance and improve the overall security posture of the enterprise. It is important to note that IAM is not just the technology but also the enforcement of overall security policy. There are four goals that need to be met when implementing IAM systems, namely: cost reduction, improved security, achieving compliance and improving efficiency through automation. Typically, IAM needs to be phased in over ten steps that build on each other to be successful.
