In the world of enterprise IT, it’s not uncommon for people to incorrectly refer to the terms identity management with access management while in conversation. In reality, the two terms cover completely different areas. The main reason people get confused about an identity and access management framework is that the two processes work in tandem with each other in the field of enterprise IT. The platform that combines the two is known as identity and access management. To understand IAM, we need to explore both parts of what makes IAM work– identity management as well as access management.
Identity management is a method used to classify a user, group or device on a network. The primary purpose is to be able to place those identified resources into categories so network and security policies can be applied. The most common way to identify resources on a network is to assign a username and password. The username is the identification tag — while the password is only known to the resource. Upon successful authentication, IT can be sure users are who they say they are — assuming that the account hasn’t been compromised. Other methods of identification include distinguishing resources based on domain name system names, IP address and media access control address — although these methods aren’t necessarily secure. Blockchain is one of the latest and most secure methods to ensure the identity of connected devices.
Applying access policies is the next step
We’re not done with enabling the identity and access management framework once we have our resources identified. We now need to apply access policy to those resources. Access management essentially lets IT determine who or what on a network has the right to connect to a particular resource. That can mean, yes, no or to what degree. This is referred to as access control. For example, identified users in the accounting department will be granted access to the company’s payroll application while users in all other business departments will not. Networked surveillance cameras are another example of the need for policy. Only the physical security staff would be given permission to view surveillance video footage.
It is common practice to group multiple identities together by business function or device type. This is known as role-based access control (RBAC). This way, a single access policy can be applied to a group of identities instead of creating a new policy for every identity. With RBAC, fewer access policies need to be created and managed with your identity and access management framework.