
Identity Access Management Concepts

In this video, you will learn about some important concepts and definitions in identity and access management.
So identity and access management is very simple conceptually. If you think about your own home, you control access to your home. Think of your house as your resource or your asset. Any visitor is granted access, or not, by you. During the introduction, we’ll look at the components of this relationship and actually, although this is simple conceptually, why it isn’t that straightforward in practice.
Identity and access management is the combination, then, of the systems, and the policies, and the processes, and the technology that we have. These help us manage and protect our assets. And we need to manage digital identities, authenticate our users, and continue to authorize access to any resources. This enables the right individuals to access the right resources, at the right time, and for the right reasons. We’ll see identity and access management referenced differently using different acronyms as we go through the course, and also as we see reference to this on the internet. We have IdAM, IdM, IAM, and IDM. And these are all interchangeable, and we’ll use all of these through the course as well.
So identity and access management is at the centre of IT security. Why is it so critical? Well, access to resources is at the heart of security itself. We’re trying to prevent inappropriate access to resources. We’re trying to protect things. This is present in every access attempt, whether that access attempt is successful or not. So this is so very important as a topic. We’ve also seen the growth in some of those acronyms we see there in the third bullet point: anti-money laundering, know your customer, identity verification, know your business, and the customer information program. Just talking to each of those for a moment, IDV is the verification of an identity, helping to determine its authenticity. Passports, for example, have some kind of passport reader. How do we know that this ID is correct and accurate? And how do we know it correlates to the individual? So this typically involves some sort of database check, some sort of reference against a system that we have. Know your customer – this is a process whereby we try to establish any customers of our organization and their identity.
This takes other information, for example their address data, national identity information, copies of utility bills potentially, and this is supposed to build a better profile of our customer. Now, in the United States, where financial institutions are required to verify the identity of individuals using financial services, these are mandated processes. We must do this. This isn’t optional. So know your customer and the customer information program are legal requirements. The customer information program is a provision in the Patriot Act, so this is a legal requirement in the United States. So parts of identity and access management may be optional. They may be best practice. But very quickly we start to look at the requirements around legislation and around regulation.
So things like the screening of accounts, customer notification, and also access to data privacy legislation. We see, we have seen, and we continue to see a growth in legislation related to privacy and the rights of individuals where we hold personally identifiable information concerning them. And the definition, in the European Union’s eyes, under the General Data Protection Regulation, of what constitutes personally identifiable information can be something as simple as an email address, a telephone number, an address, a name. So with that very broad definition of personally identifiable information, legislation like GDPR is typically applicable to the majority of organizations.
If you’re running an online internet store, you will be holding personally identifiable information about European Union citizens, if you have customers from the European Union. And so we are obliged to meet those requirements. So with the growth in IT systems discrete in their management, typically, lots of individual systems, lots of individual applications running in different areas of the business, and the growth of cloud-based solutions, we have a greater need than ever to integrate. We have lots of disparate systems not even in the same security domain.
So there’s a pressure for us, an increasing pressure for us, that’s seen continued growth over the past 20 years, to try and integrate these solutions to make sure that we can federate identities or federate access to these systems and services. And the cloud just created an exponential growth in this area. If we have software as a service offers, whether it’s email, whether it’s ERP systems or CRM systems, integrating some of those accounts, some of those identities, some of that information into our local area network, into our main network, becomes critical to operations. So this is where technologies like SAML and OpenID Connect have arisen. This is their background.
The broader array of systems that we have, and also the challenging geography around cloud services – where are our cloud services based? Where is our cloud? Because it is based somewhere. This creates a challenging risk environment. So the risk profile for us increases. So we have a greater need to be aware of what and how we are protecting our resources. If you think about the typical cloud service, who’s administrating it and where are they based? Where is your cloud service based? How is your data protected?


Once you have watched the video, take the concept of identifying and giving access further by reading the following:


When we gave the example of somebody visiting your home, we said this was simple, conceptually. In practice, however, it is complex. For example, if you were controlling access to your home, and everybody from your organization visited over a period of time, would you be able to recognize them all to make an appropriate access decision? If you look at this on the scale of a government dealing with citizens, we could be talking about hundreds of millions of people, who may also have multiple digital identities.

Within a single system, these subjects could be individual people, but they could be processes. Subjects may not even be human beings; they could be an application represented by a process. So, this isn’t just about a person anymore. The challenge for cybersecurity practitioners is to be able to map complex information, or metadata, correctly against identities.
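To make the pieces named in the video concrete (a registry of digital identities, authentication of the subject, and an authorization decision that checks the right resource, the right time window and the right reason), and to show that a subject can be a non-human process as well as a person, here is an added example. It is not part of the course material; every identity, secret, resource and grant in it is constructed for illustration, and the salted PBKDF2 password check stands in for whatever authentication a real system would use.

```python
"""Minimal identity-and-access model (added example, constructed data).

Identity  -> who the subject is (a person or a service process)
Credential -> how the subject proves it (authentication)
Grant     -> what a role may do to a resource, in which time window, for which purpose
Audit     -> every access attempt is recorded, whether it succeeds or not
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac
import secrets


@dataclass
class Identity:
    """A subject: a human user or a non-human process, keyed by a stable id."""
    subject_id: str
    kind: str                      # "user" or "service"
    roles: set = field(default_factory=set)


@dataclass
class Grant:
    """Who (role) may do what (actions) to which resource, when, and for what reason."""
    role: str
    resource: str
    actions: set
    valid_from: datetime
    valid_until: datetime
    purposes: set


class CredentialStore:
    """Holds salted password hashes; verifies a presented secret in constant time."""

    def __init__(self):
        self._records = {}

    def enroll(self, subject_id, secret):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
        self._records[subject_id] = (salt, digest)

    def verify(self, subject_id, secret):
        record = self._records.get(subject_id)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
        return hmac.compare_digest(digest, candidate)


class AccessManager:
    """Identity registry + authentication + authorization + audit trail."""

    def __init__(self):
        self.identities = {}
        self.grants = []
        self.credentials = CredentialStore()
        self.audit = []            # one entry per attempt, granted or denied

    def register(self, identity, secret):
        self.identities[identity.subject_id] = identity
        self.credentials.enroll(identity.subject_id, secret)

    def add_grant(self, grant):
        self.grants.append(grant)

    def decide(self, subject_id, secret, resource, action, purpose, now):
        """Evaluate one access attempt, record it, and return (allowed, reason)."""
        allowed, reason = self._evaluate(subject_id, secret, resource, action, purpose, now)
        self.audit.append((now.isoformat(), subject_id, resource, action, purpose, allowed, reason))
        return allowed, reason

    def _evaluate(self, subject_id, secret, resource, action, purpose, now):
        identity = self.identities.get(subject_id)
        if identity is None:                       # is this a known digital identity?
            return False, "unknown identity"
        if not self.credentials.verify(subject_id, secret):   # authentication
            return False, "authentication failed"
        for g in self.grants:                      # authorization: resource, action, reason, time
            if (g.role in identity.roles and g.resource == resource
                    and action in g.actions and purpose in g.purposes
                    and g.valid_from <= now < g.valid_until):
                return True, f"granted via role {g.role}"
        return False, "no matching grant"


# Constructed sample clock values used by the demo below.
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DEMO_AFTER_EXPIRY = datetime(2025, 3, 1, tzinfo=timezone.utc)


def build_demo():
    """Constructed sample: one human analyst, one batch process, two grants on a ledger."""
    iam = AccessManager()
    iam.register(Identity("alice", "user", {"finance-analyst"}), "correct horse battery")
    iam.register(Identity("nightly-report", "service", {"batch-reader"}), "svc-secret-placeholder")
    window = (datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2025, 1, 1, tzinfo=timezone.utc))
    iam.add_grant(Grant("finance-analyst", "ledger", {"read", "export"}, *window, {"audit", "reporting"}))
    iam.add_grant(Grant("batch-reader", "ledger", {"read"}, *window, {"reporting"}))
    return iam


if __name__ == "__main__":
    iam = build_demo()
    print(iam.decide("alice", "correct horse battery", "ledger", "export", "audit", DEMO_NOW))
    print(iam.decide("alice", "wrong password", "ledger", "read", "audit", DEMO_NOW))
    print(iam.decide("nightly-report", "svc-secret-placeholder", "ledger", "export", "reporting", DEMO_NOW))
    print(iam.decide("alice", "correct horse battery", "ledger", "read", "audit", DEMO_AFTER_EXPIRY))
    for entry in iam.audit:
        print(entry)
```

The service account is deliberately limited to `read` for the `reporting` purpose, so its attempt to `export` is refused even though it authenticates correctly, and the analyst's valid credential is refused once the grant's time window has passed. Every one of those outcomes lands in `audit`, which is the record a defender later needs to reconstruct who tried to reach what.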

Reflect and share: IdAM needs to be comprehensive to support a myriad of requirements. What challenges can you identify that would need to be considered in order to plan and implement comprehensive IdAM? Share with your fellow learners.

This article is from the free online

Cyber Security Foundations: Identity and Access Management

Created by
FutureLearn - Learning For Life
