IAM - Identity and Access Management
Identity and access management (IAM) refers to the processes and technologies used to manage user identities and control access to resources and applications within an organization. As companies adopt cloud services and flexible work models, effective IAM has become critical for security, compliance, and efficient operations. This article provides an overview of IAM solutions and some of the leading vendors in the space.
Key Components of IAM
IAM solutions typically include capabilities for:
-
Identity governance - Managing digital identities throughout their lifecycle, from onboarding to offboarding. This includes workflows for provisioning, reviews, certifications, and termination of access.
-
Authentication - Verifying user identities before granting access. This may involve passwords, multi-factor authentication, biometrics, etc.
-
Authorization - Determining what resources and applications a user is allowed to access based on attributes like role, location, device, etc.
-
Access management - Enforcing authentication and authorization policies across all systems and apps. Single sign-on, API gateways, and federation standards help streamline access.
-
Audit and compliance - Tracking and reporting on user activities for security monitoring and compliance purposes.
The main RFCs related to identity and access management standards
-
RFC 6749 - The OAuth 2.0 Authorization Framework. Defines the OAuth 2.0 specification for secure authorization and delegated access.
-
RFC 7519 - JSON Web Token (JWT). The JWT standard for encoding and securely transmitting claims between parties. Used extensively in OAuth and OpenID Connect.
-
RFC 6742 - Identity Assertion for OAuth 2.0 Clients. Extends OAuth for client authentication use cases.
-
RFC 7521 - Assertion Framework for OAuth 2.0. Provides an abstract framework for using assertions with OAuth 2.0.
-
RFC 7515 - JSON Web Signature (JWS). Specifies the JWS standard for signing JSON objects with digital signatures. JWTs or Json Web Tokens are most commonly used to identify authenticated users and validate API requests. Part of this verification process requires the use of cryptographic keys to validate the integrity of the JWT to make sure it has not been tampered with. The set of keys used for this process is called JWKS or Json Web Key Set.
-
RFC 7516 - JSON Web Encryption (JWE). Defines JWE for encrypting JWTs and other content.
-
RFC 7517 - JSON Web Key (JWK). The JWK format for representing cryptographic keys in JSON. Enables JWS/JWE use.
-
RFC 7518 - JSON Web Algorithms (JWA). Registers cryptographic algorithms used with JWT/JWS/JWE.
-
RFC 7519 - JSON Web Token URI for OAuth Dynamic Client Registration. The client registration endpoint.
-
RFC 7662 - OAuth 2.0 Token Introspection. Adds API for checking status of OAuth 2.0 access tokens.
-
RFC 8705 - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens. For OAuth over TLS 1.2.
These RFCs provide the standards foundations for OAuth 2.0, OpenID Connect, and modern identity federation schemes used in IAM systems today.
Leading Solutions and Vendors
The IAM market features solutions tailored for organizations of different sizes and needs:
-
Microsoft Active Directory - The standard for enterprise IAM, integrated with Windows Server domains. Provides single sign-on across Microsoft apps and robust access controls.
-
Okta - A popular cloud-based IAM platform offering single sign-on, multifactor authentication, Lifecycle Management and more. Focuses on ease of use and automation.
-
ForgeRock - Full-featured platform for Consumer and Workforce IAM. Emphasizes identity orchestration and intelligent adaptive authentication.
-
Ping Identity - Provides IAM solutions focused on enterprise single sign-on and API/app security. Supports standards like SAML, OAuth and OpenID Connect.
-
IBM Security - Longstanding vendor offering identity governance and administration tools for on-prem and cloud environments. Also provides MFA and identity proofing capabilities.
-
CyberArk - Specializes in privileged access management for securing accounts with elevated permissions. Features discovery, vaulting, and monitoring of high-risk users.
-
Keycloak - Open source IAM solution focused on web single sign-on and token-based authentication. Supports standards like OpenID Connect and OAuth 2.0. Provides adapters to secure apps and services.
-
Auth0 - Cloud-based identity platform emphasizing developer productivity and JSON/REST APIs. Makes it easy to integrate SSO, user management, and MFA.
-
ZITADEL - Open source identity and access management developed by the German company Causality. It offers user management, authentication, authorization and more through a single integrated system.
-
Amazon Cognito - IAM service from AWS for securing web and mobile apps. Provides user sign-up, sign-in, and access control for AWS resources. Integrates with API Gateway, AppSync and Amazon S3.
-
Ory - Open source reverse proxy for authentication and authorization focused on application integration and scalability. Has adapters for OAuth2, OpenID Connect, SAML 2.0. Allows integrating with various identity providers (IdPs). Granular authorization policies based on rules.
-
Authzed - IAM platform as a service for centralized management of identities, roles and policies. Authorization based on ABAC (Attribute-based access control). Integrates with identity providers like Okta, Auth0 and AD. Allows managing identities, roles, policies and permissions. Tracking and auditing of activities.
The IAM market continues to grow and evolve with new standards and capabilities. Organizations must balance features, complexity, and cost when choosing solutions to meet their specific needs and use cases. With the right IAM foundation, companies can securely embrace digital transformation and emerging technologies.
Access Control
Role-Based Access Control (RBAC)
- Access to resources is determined by the role a user has within the organization. Roles have predefined permissions associated with them.
- Users are assigned to roles based on their job duties and responsibilities.
- Examples of roles include manager, employee, system admin, etc.
Attribute-Based Access Control (ABAC)
- Access to resources is determined by attributes of the user, environment, and resource. Attributes can include user department, time of day, IP address, etc.
- Policies define which attribute combinations are allowed access to a given resource.
- More flexible than RBAC as attributes can be combined in various ways to define access.
- Attributes can change dynamically, allowing access to change in real-time.
ACL (Access Control Lists)
Access Control Lists (ACLs) are a simple and widely used mechanism for managing access permissions. An ACL is essentially a list that associates entities (users, groups, or other objects) with specific permissions over a resource.
For example, in a file system, an ACL can specify that the user "John" has read and write permissions on a particular directory, while the group "IT Team" has read permission, and the user "Maria" has no permission at all. ACLs are often used in conjunction with other authorization models, such as RBAC or ABAC, to provide more granular control over access.
The main differences:
- RBAC is based on static user roles, ABAC is based on dynamic attributes.
- RBAC roles tend to be coarse-grained, ABAC can provide fine-grained control.
- ABAC provides more flexibility but can be more complex to manage than RBAC.
- RBAC policies tend to be simpler and easier to understand.
In practice, many systems use a hybrid approach with roles and attributes.