Identity management
Identity management (IdM), also known as identity and access management (IAM or IdAM), is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and authorize individuals who will be utilizing IT resources, but also the hardware and applications employees need to access.[1][2] Identity and access management solutions have become more prevalent and critical in recent years as regulatory compliance requirements have become increasingly more rigorous and complex.[3]
It addresses the need to ensure appropriate access to resources across increasingly heterogeneous technology environments and to meet increasingly rigorous compliance requirements.[4]
The terms "identity management" (IdM) and "identity and access management" are used interchangeably in the area of identity access management.[5]
Identity-management systems, products, applications and platforms manage identifying and ancillary data about entities that include individuals, computer-related hardware, and software applications.
IdM covers issues such as how users gain an identity, the roles and, sometimes, the permissions that identity grants, the protection of that identity and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords, etc.).
Definitions
Identity management (ID management) is the organizational process for identifying, authenticating and authorizing individuals or groups of people to have access to applications, systems or networks by associating user rights and restrictions with established identities. Identity management (IdM) is the task of controlling information about users on computers. Such information includes information that authenticates the identity of a user, and information that describes data and actions they are authorized to access and/or perform. It also includes the management of descriptive information about the user and how and by whom that information can be accessed and modified. In addition to users, managed entities typically include hardware and network resources and even applications.[6]
Digital identity is an entity's online presence, encompassing personal identifying information (PII) and ancillary information. See OECD[7] and NIST[8] guidelines on protecting PII.[9] It can be interpreted as the codification of identity names and attributes of a physical instance in a way that facilitates processing.
Function
In the real-world context of engineering online systems, identity management can involve four basic functions:
- The pure identity function: Creation, management and deletion of identities without regard to access or entitlements;
- The user access (log-on) function: For example: a smart card and its associated data used by a customer to log on to a service or services (a traditional view);
- The service function: A system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.
- Identity Federation: A system that relies on federated identity to authenticate a user without knowing their password.
Pure identity
A general model of identity can be constructed from a small set of axioms, for example that all identities in a given namespace are unique, or that such identities bear a specific relationship to corresponding entities in the real world. Such an axiomatic model expresses "pure identity" in the sense that the model is not constrained by a specific application context.
In general, an entity (real or virtual) can have multiple identities and each identity can encompass multiple attributes, some of which are unique within a given name space. The diagram below illustrates the conceptual relationship between identities and entities, as well as between identities and their attributes.
In most theoretical and all practical models of digital identity, a given identity object consists of a finite set of properties (attribute values). These properties record information about the object, either for purposes external to the model or to operate the model, for example in classification and retrieval. A "pure identity" model is strictly not concerned with the external semantics of these properties.
The most common departure from "pure identity" in practice occurs with properties intended to assure some aspect of identity, for example a digital signature[4] or software token which the model may use internally to verify some aspect of the identity in satisfaction of an external purpose. To the extent that the model expresses such semantics internally, it is not a pure model.
Contrast this situation with properties that might be externally used for purposes of information security such as managing access or entitlement, but which are simply stored, maintained and retrieved, without special treatment by the model. The absence of external semantics within the model qualifies it as a "pure identity" model.
Identity management, then, can be defined as a set of operations on a given identity model, or more generally as a set of capabilities with reference to it.
In practice, identity management often expands to express how model content is to be provisioned and reconciled among multiple identity models.
User access
User access enables users to assume a specific digital identity across applications, which enables access controls to be assigned and evaluated against this identity. The use of a single identity for a given user across multiple systems eases tasks for administrators and users. It simplifies access monitoring and verification and allows the organizations to minimize excessive privileges granted to one user. User access can be tracked from initiation to termination of user access.[10]
When organizations deploy an identity management process or system, their motivation is normally not primarily to manage a set of identities, but rather to grant appropriate access rights to those entities via their identities. In other words, access management is normally the motivation for identity management and the two sets of processes are consequently closely related.[11]
Services
Organizations continue to add services for both internal users and by customers. Many such services require identity management to properly provide these services. Increasingly, identity management has been partitioned from application functions so that a single identity can serve many or even all of an organization's activities.
For internal use identity management is evolving to control access to all digital assets, including devices, network equipment, servers, portals, content, applications and/or products.
Services often require access to extensive information about a user, including address books, preferences, entitlements and contact information. Since much of this information is subject to privacy and/or confidentiality requirements, controlling access to it is vital.[12]
Identity federation
Identity federation comprises one or more systems that share user access and allow users to log in based on authenticating against one of the systems participating in the federation. This trust between several systems is often known as "Circle of Trust". In this setup, one system acts as the Identity Provider (IdP) and other system(s) acts as Service Provider (SP). When a user needs to access some service controlled by SP, they first authenticate against the IdP. Upon successful authentication, the IdP sends a secure "assertion" to the Service Provider. "SAML assertions, specified using a markup language intended for describing security assertions, can be used by a verifier to make a statement to a relying party about the identity of a claimant. SAML assertions may optionally be digitally signed."[13]
System capabilities
In addition to creation, deletion, modification of user identity data either assisted or self-service, Identity Management controls ancillary entity data for use by applications, such as contact information or location.
- Authentication : Verification that an entity is who/what it claims to be using a password, biometrics such as a fingerprint, or distinctive behavior such as a gesture pattern on a touchscreen.
- Authorization : Managing authorization information that defines what operations an entity can perform in the context of a specific application. For example, one user might be authorized to enter a sales order, while a different user is authorized to approve the credit request for that order.
- Roles : Roles are groups of operations and/or other roles. Users are granted roles often related to a particular job or job function. Roles are granted authorizations, effectively authorizing all users which have been granted the role. For example, a user administrator role might be authorized to reset a user's password, while a system administrator role might have the ability to assign a user to a specific server.
- Delegation : Delegation allows local administrators or supervisors to perform system modifications without a global administrator or for one user to allow another to perform actions on their behalf. For example, a user could delegate the right to manage office-related information.
- Interchange: The SAML protocol is a prominent means used to exchange identity information between two identity domains.[14] OpenID Connect is another such protocol.
Privacy
Putting personal information onto computer networks necessarily raises privacy concerns. Absent proper protections, the data may be used to implement a surveillance society.[15]
Social web and online social networking services make heavy use of identity management. Helping users decide how to manage access to their personal information has become an issue of broad concern.[16][17]
Identity theft
Identity theft happens when thieves gain access to identity information - such as the personal details needed to get access to a bank account.
Research
Research related to the management of identity covers disciplines such as technology, social sciences, humanities and the law.[18]
Decentralized identity management is identity management based on decentralized identifiers (DIDs).[19]
European research
Within the Seventh Research Framework Programme of the European Union from 2007 to 2013, several new projects related to Identity Management started.
The PICOS Project investigates and develops a state-of-the-art platform for providing trust, privacy and identity management in mobile communities.[20]
PrimeLife develops concepts and technologies to help individuals to protect autonomy and retain control over personal information, irrespective of activities.[21]
SWIFT focuses on extending identity functions and federation to the network while addressing usability and privacy concerns and leverages identity technology as a key to integrate service and transport infrastructures for the benefit of users and the providers.[22]
Ongoing projects
Ongoing projects include Future of Identity in the Information Society (FIDIS),[23] GUIDE<[24] and PRIME.[25]
Publications
Academic journals that publish articles related to identity management include:
Less specialized journals publish on the topic and for instance have special issues on Identity such as:
- Online Information Review.[26]
Standardization
ISO (and more specifically ISO/IEC JTC1, SC27 IT Security techniques WG5 Identity Access Management and Privacy techniques) is conducting some standardization work for identity management (ISO 2009), such as the elaboration of a framework for identity management, including the definition of identity-related terms. The published standards and current work items includes the following:
- ISO/IEC 24760-1 A framework for identity management—Part 1: Terminology and concepts
- ISO/IEC 24760-2 A Framework for Identity Management—Part 2: Reference architecture and requirements
- ISO/IEC DIS 24760-3 A Framework for Identity Management—Part 3: Practice
- ISO/IEC 29115 Entity Authentication Assurance
- ISO/IEC 29146 A framework for access management
- ISO/IEC CD 29003 Identity Proofing and Verification
- ISO/IEC 29100 Privacy framework
- ISO/IEC 29101 Privacy Architecture
- ISO/IEC 29134 Privacy Impact Assessment Methodology
Organization implications
In each organization there is normally a role or department that is responsible for managing the schema of digital identities of their staff and their own objects, which are represented by object identities or object identifiers (OID).[27] The organizational policies and processes and procedures related to the oversight of identity management are sometime referred to as Identity Governance and Administration (IGA). Commercial software tools exist to help automate and simplify such organisational-level identity management functions.[28] How effectively and appropriately such tools are used falls within scope of broader governance, risk management, and compliance regimes.
Since 2016 Identity and Access Management professionals have their own professional organization, IDPro. In 2018 the committee initiated the publication of An Annotated Bibliography, listing a number of important publications, books, presentations and video's.[29]
See also
- Access control
- Authentication
- Authorization
- Claims-based identity
- Computer security
- Digital card
- Digital identity
- Directory service
- Dongle
- Federated identity management
- Hardware security module
- Identity assurance
- Identity driven networking
- Identity management systems
- Identity verification service
- Identity provider
- Identity-based security
- Information privacy
- Initiative For Open Authentication
- List of single sign-on implementations
- Loyalty card
- Mobile identity management
- Mobile signature
- Multi-factor authentication
- Mutual authentication
- OAuth
- Online identity management
- OpenID
- Password management
- Personally Identifiable Information
- Privileged identity management
- RBAC
- SAML 2.0
- SAML-based products and services
- Security token
- Self-sovereign identity
- Service provider
- Single sign-on
- Software token
- Two-factor authentication
- User modeling
- Web service
- Workflow application
References
- Stroud, Forrest. "What Is Identity and Access Management (IAM)? Webopedia Definition". www.webopedia.com. Retrieved 27 February 2019.
- Silva, Edelberto Franco; Muchaluat-Saade, Débora Christina; Fernandes, Natalia Castro (1 January 2018). "ACROSS: A generic framework for attribute-based access control with distributed policies for virtual organizations". Future Generation Computer Systems. 78: 1–17. doi:10.1016/j.future.2017.07.049. ISSN 0167-739X.
- "IdenTrust Home | IdenTrust". www.identrust.com. Retrieved 27 February 2019.
- Compare: "Gartner IT Glossary > Identity and Access Management (IAM)". Gartner. Retrieved 2 September 2016.
Identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. [...] IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements.
- "identity management (ID management)". SearchSecurity. 1 October 2013. Retrieved 2 March 2017.
- "What is identity management (ID management) ? - Definition from WhatIs.com". SearchSecurity. Retrieved 20 December 2019.
- Functional requirements for privacy enhancing systems Fred Carter, OECD Workshop on Digital Identity Management, Trondheim, Norway, 9 May 2007 (PPT presentation)
- Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) Archived 13 August 2009 at the Wayback Machine, Recommendations of the National Institute of Standards and Technology, January 2009
- PII (Personally Identifiable Information) Archived 28 April 2009 at the Wayback Machine, The Center For Democracy & Technology, 14 September 2007
- "IBM Cloud Docs". console.bluemix.net. Retrieved 3 December 2018.
- "What is identity management (ID management) ? - Definition from WhatIs.com". SearchSecurity. Retrieved 3 December 2018.
- Networks, Institute of Medicine (US) Committee on Regional Health Data; Donaldson, Molla S.; Lohr, Kathleen N. (1994). Confidentiality and Privacy of Personal Data. National Academies Press (US).
- Burr, William E.; Dodson, Donna F.; Polk, W. Timothy (2006). "Information Security" (PDF). NIST Special Publication. CiteSeerX 10.1.1.153.2795. doi:10.6028/NIST.SP.800-63v1.0.2. OCLC 655513066. Retrieved 10 October 2015.
- "Working Groups | Identity Commons". Idcommons.org. Retrieved 12 January 2013.
- Taylor, Lips & Organ 2009.
- Gross, Acquisti & Heinz 2005.
- Taylor 2008.
- Halperin & Backhouse 2008.
- "Decentralized Identifiers (DIDs)". World Wide Web Consortium. 8 June 2020. Retrieved 22 June 2020.
- PICOS
- "PrimeLife - Privacy and Identity Management in Europe for Life".
- "www.ist-swift.org".
- FIDISCoord (DR). "Home: Future of IDentity in the Information Society".
- "Creating a Europian Identity Management Architecture for eGovernment". istrg.som.surrey.ac.uk. Archived from the original on 8 May 2009.
- "PRIME - Privacy and Identity Management for Europe". Portal for the PRIME Project. 28 September 2006. Archived from the original on 10 October 2007.
- "Special Issue: Special section on: Digital identity management". Online Information Review. Bradford: MCB University Press. 33 (3). 19 June 2009. ISSN 1468-4527. OCLC 807197565, 676858452. Retrieved 29 January 2021.
- Object Id's (OID'S), PostgreSQL: Introduction and Concepts, in Bruce Momjian, 21 November 1999
- Canner, Ben (24 July 2018). "The 17 Best Identity Governance and Administration Platforms of 2018". Solutions Review. Retrieved 17 December 2019.
- "An Annotated Bibliography" (PDF). Retrieved 6 September 2019.
Sources
- Gross, Ralph; Acquisti, Alessandro; Heinz, J. H. (2005). "Information revelation and privacy in online social networks". Workshop On Privacy In The Electronic Society; Proceedings of the 2005 ACM workshop on Privacy in the electronic society. pp. 71–80. doi:10.1145/1102199.1102214. ISBN 978-1595932280. S2CID 9923609.
- Halperin, Ruth; Backhouse, James (2008). "A roadmap for research on identity in the information society". Identity in the Information Society (published 2009). 1 (1): 71. doi:10.1007/s12394-008-0004-0.
- Lusoli, Wainer; Miltgen, Caroline (2009). "Young People and Emerging Digital Services. An Exploratory Survey on Motivations, Perceptions and Acceptance of Risks". JRC Scientific and Technical Reports (published March 2009) (EUR 23765 EN). doi:10.2791/68925.
- ISO, IEC (2009). "Information Technology—Security Techniques—A Framework for Identity Management". ISO/IEC WD 24760 (Working draft). Cite journal requires
|journal=
(help) - Pohlman, M.B. (2008). Oracle Identity Management: Governance, Risk and Compliance Architecture. Auerbach Publications. ISBN 978-1-4200-7247-1.
- Pounder, C. N. M. (2008). "Nine principles for assessing whether privacy is protected in a surveillance society". Identity in the Information Society (published 2009). 1: 1. doi:10.1007/s12394-008-0002-2.
- Taylor, John A.; Lips, Miriam; Organ, Joe (2009). "Identification practices in government: citizen surveillance and the quest for public service improvement". Identity in the Information Society. 1: 135. doi:10.1007/s12394-009-0007-5.
- Taylor, John A. (2008). "Zero Privacy". IEEE Spectrum. 45 (7): 20. doi:10.1109/MSPEC.2008.4547499.
- Williamson, Graham; Yip, David; Sharni, Ilan; Spaulding, Kent (1 September 2009). Identity Management: A Primer. MC Press. ISBN 978-1-58347-093-0.
- Bernal Bernabe, Jorge; Hernandez-Ramos, Jose L.; Skarmeta, Antonio (2017). "Holistic Privacy-Preserving Identity Management System for the Internet of Things". Mobile Information Systems. 2017 (6384186): 1–20. doi:10.1155/2017/6384186.
External links
- General Public Tutorial about Privacy and Identity Management
- Identity Management Overview (Computer Weekly)
- Secure Widespread Identities for Federated Telecommunications (SWIFT)
- Identity management and information sharing in ISO 18876 Industrial automation systems and integration
- 50 Data Principles for Loosely-Coupled Identity Management: SlideShare
- Stop Remembering Password and Switch to Identity Management: Business Insider