IAM - Identity and Access Management

Abílio Azevedo

Identity and access management (IAM) refers to the processes and technologies used to manage user identities and control access to resources and applications within an organization. As companies adopt cloud services and flexible work models, effective IAM has become critical for security, compliance, and efficient operations. This article provides an overview of IAM solutions and some of the leading vendors in the space.

Key Components of IAM

IAM solutions typically include capabilities for:

  • Identity governance - Managing digital identities throughout their lifecycle, from onboarding to offboarding. This includes workflows for provisioning, reviews, certifications, and termination of access.

  • Authentication - Verifying user identities before granting access. This may involve passwords, multi-factor authentication, biometrics, etc.

  • Authorization - Determining what resources and applications a user is allowed to access based on attributes like role, location, device, etc.

  • Access management - Enforcing authentication and authorization policies across all systems and apps. Single sign-on, API gateways, and federation standards help streamline access.

  • Audit and compliance - Tracking and reporting on user activities for security monitoring and compliance purposes.

The main RFCs related to identity and access management standards

  • RFC 6749 - The OAuth 2.0 Authorization Framework. Defines the OAuth 2.0 specification for secure authorization and delegated access.

  • RFC 7519 - JSON Web Token (JWT). The JWT standard for encoding and securely transmitting claims between parties. Used extensively in OAuth and OpenID Connect.

  • RFC 6742 - Identity Assertion for OAuth 2.0 Clients. Extends OAuth for client authentication use cases.

  • RFC 7521 - Assertion Framework for OAuth 2.0. Provides an abstract framework for using assertions with OAuth 2.0.

  • RFC 7515 - JSON Web Signature (JWS). Specifies the JWS standard for signing JSON objects with digital signatures. Used with JWTs.

  • RFC 7516 - JSON Web Encryption (JWE). Defines JWE for encrypting JWTs and other content.

  • RFC 7517 - JSON Web Key (JWK). The JWK format for representing cryptographic keys in JSON. Enables JWS/JWE use.

  • RFC 7518 - JSON Web Algorithms (JWA). Registers cryptographic algorithms used with JWT/JWS/JWE.

  • RFC 7519 - JSON Web Token URI for OAuth Dynamic Client Registration. The client registration endpoint.

  • RFC 7662 - OAuth 2.0 Token Introspection. Adds an API for checking the status of OAuth 2.0 access tokens.

  • RFC 8705 - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens. For OAuth over TLS 1.2.

These RFCs provide the standards foundations for OAuth 2.0, OpenID Connect, and modern identity federation schemes used in IAM systems today.

Leading Solutions and Vendors

The IAM market features solutions tailored for organizations of different sizes and needs:

  • Microsoft Active Directory - The standard for enterprise IAM, integrated with Windows Server domains. Provides single sign-on across Microsoft apps and robust access controls.

  • Okta - A popular cloud-based IAM platform offering single sign-on, multifactor authentication, lifecycle management and more. Focuses on ease of use and automation.

  • ForgeRock - Full-featured platform for Consumer and Workforce IAM. Emphasizes identity orchestration and intelligent adaptive authentication.

  • Ping Identity - Provides IAM solutions focused on enterprise single sign-on and API/app security. Supports standards like SAML, OAuth and OpenID Connect.

  • IBM Security - Longstanding vendor offering identity governance and administration tools for on-prem and cloud environments. Also provides MFA and identity proofing capabilities.

  • CyberArk - Specializes in privileged access management for securing accounts with elevated permissions. Features discovery, vaulting, and monitoring of high-risk users.

  • Keycloak - Open source IAM solution focused on web single sign-on and token-based authentication. Supports standards like OpenID Connect and OAuth 2.0. Provides adapters to secure apps and services.

  • Auth0 - Cloud-based identity platform emphasizing developer productivity and JSON/REST APIs. Makes it easy to integrate SSO, user management, and MFA.

  • ZITADEL - Open source identity and access management developed by the German company Causality. It offers user management, authentication, authorization and more through a single integrated system.

  • Amazon Cognito - IAM service from AWS for securing web and mobile apps. Provides user sign-up, sign-in, and access control for AWS resources. Integrates with API Gateway, AppSync and Amazon S3.

The IAM market continues to grow and evolve with new standards and capabilities. Organizations must balance features, complexity, and cost when choosing solutions to meet their specific needs and use cases. With the right IAM foundation, companies can securely embrace digital transformation and emerging technologies.

Access Control

Role-Based Access Control (RBAC)

  • Access to resources is determined by the role a user has within the organization. Roles have predefined permissions associated with them.
  • Users are assigned to roles based on their job duties and responsibilities.
  • Examples of roles include manager, employee, system admin, etc.

Attribute-Based Access Control (ABAC)

  • Access to resources is determined by attributes of the user, environment, and resource. Attributes can include user department, time of day, IP address, etc.
  • Policies define which attribute combinations are allowed access to a given resource.
  • More flexible than RBAC as attributes can be combined in various ways to define access.
  • Attributes can change dynamically, allowing access to change in real-time.

The main differences:

  • RBAC is based on static user roles; ABAC is based on dynamic attributes.
  • RBAC roles tend to be coarse-grained; ABAC can provide fine-grained control.
  • ABAC provides more flexibility but can be more complex to manage than RBAC.
  • RBAC policies tend to be simpler and easier to understand.

In practice, many systems use a hybrid approach with roles and attributes.
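The following added example (not code from this post) shows the three models side by side in Python: an RBAC table that maps roles to permissions, ABAC policies written as predicates over subject, resource and environment attributes, and the hybrid decision the last paragraph describes, where a role grants a permission and attributes constrain when it applies. The roles, permissions, policies, users and requests are all constructed sample data; unknown actions are denied by default.

```python
"""RBAC, ABAC and a hybrid access decision in a few dozen lines.

Added example; not the post author's code. Every role, attribute and
policy here is constructed sample data for illustration.
"""
import ipaddress
from dataclasses import dataclass

# RBAC: a static mapping from role to the permissions it carries.
ROLE_PERMISSIONS = {
    "employee": {"doc:read"},
    "manager": {"doc:read", "doc:approve"},
    "sysadmin": {"doc:read", "doc:approve", "doc:delete"},
}


def rbac_allows(roles, action) -> bool:
    """True if any of the subject's roles carries the requested permission."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


@dataclass
class Request:
    subject: dict    # e.g. {"id": ..., "roles": [...], "department": ...}
    action: str      # e.g. "doc:approve"
    resource: dict   # e.g. {"id": ..., "department": ...}
    env: dict        # e.g. {"hour": 10, "ip": "10.1.2.3"}


# ABAC: conditions are predicates over the request's attributes.
def same_department(req: Request) -> bool:
    return req.subject["department"] == req.resource["department"]


def business_hours(req: Request) -> bool:
    return 8 <= req.env["hour"] < 18


def corporate_network(req: Request) -> bool:
    # Constructed assumption: the corporate range is 10.0.0.0/8.
    return ipaddress.ip_address(req.env["ip"]) in ipaddress.ip_network("10.0.0.0/8")


# Every condition listed for an action must hold; actions not listed are denied.
ABAC_POLICIES = {
    "doc:read": [same_department],
    "doc:approve": [same_department, business_hours],
    "doc:delete": [same_department, business_hours, corporate_network],
}


def abac_allows(req: Request) -> bool:
    conditions = ABAC_POLICIES.get(req.action)
    if conditions is None:
        return False  # default deny for actions with no policy
    return all(condition(req) for condition in conditions)


def hybrid_decision(req: Request) -> str:
    """Role grants the permission; attributes decide whether it applies now."""
    if not rbac_allows(req.subject["roles"], req.action):
        return "deny: role lacks permission"
    if not abac_allows(req):
        return "deny: attribute policy not satisfied"
    return "allow"


if __name__ == "__main__":
    alice = {"id": "alice", "roles": ["manager"], "department": "eng"}
    doc = {"id": "doc-42", "department": "eng"}
    # The same subject and resource, evaluated at two different times of day:
    # the role never changes, but the environment attribute flips the answer.
    print(hybrid_decision(Request(alice, "doc:approve", doc, {"hour": 10, "ip": "10.1.2.3"})))
    print(hybrid_decision(Request(alice, "doc:approve", doc, {"hour": 22, "ip": "10.1.2.3"})))
```

The two checks deliberately fail in a fixed order, so an audit log can tell a request that was never entitled ("role lacks permission") apart from one that was entitled but out of context ("attribute policy not satisfied"); that distinction is what makes the hybrid model easier to review than a flat ABAC rule set.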

