Identity Management Fundamentals

The concept of identity management is simple. It’s basic and it’s fundamental to information security. This begs the question, why are so many organizations terrible at it?  
 
By Evan Francen, CEO of FRSecure
 
Revisiting the basics
Let’s level set. Experts can use the reminder, and novices need to learn. Understanding the basics of identity management is critical before diving into the deep end.
 
First, identity management (IM) is different than identity and access management (IAM), even though the majority uses these terms interchangeably. The confusion leads to poor practices and terrible results. I’ll explain.
 
Identity
In a system, there are subjects and objects. Subjects are active entities, objects are passive. Subjects operate (read, write, delete, etc.) on objects or other subjects. Subjects require an identity, a way to identify them in the system. Subjects are often associated with people, but not always. There are other active entities in the system that also require an identity, things like services and applications.
 
Sometimes it helps to put identity into context, which is where access management enters the fray.
 
Identity, Authentication, Authorization, and Accountability
If an identity were used by itself, it would result in chaos. Any subject could use any identity, and all subjects could use all identities. Identities could either do nothing in a system or do all things in a system. Compounding our problems is the fact that you wouldn’t know what was happening or even if anything was happening at all.
An identity is an element that exists by itself, but it needs other functions in order to work within a system. Identity is an identifier of a subject (user, application, service, etc.) in a system. The identifier is most often stored by the system as an account; user account, system account, etc. It’s safe to use identity and account synonymously.
 
Functions that make an identity usable:
 
Authentication – Verification (or proof) that a subject is permitted to use an identity. This controls which subjects use which identities. Proof can come in several forms, or factors. The most traditional forms of authentication are:
  Something you know – a password, PIN code, passphrase, etc.
•  Something you have – a cell phone (where a text can be sent), a computer, a token, an access card, etc.
•  Something you are – most often called a biometric; fingerprint, face (facial recognition), hand shape (hand geometry), etc. 
Authorization – The things, permissions and privileges, that a subject is granted within the system while using an identity.
Accountability – Evidence of what’s happening and what happened in a system. Logging is a common form of accountability.
 
The basics are beautiful. Without authentication, any subject could use any identity and all subjects could use all identities. Without authorization, an identity could either do nothing in a system or do everything in a system. Without accountability, we would have no idea what’s happening.
 
Difference between IM and IAM
At a functional level; IM relates only to the identity; however, managing an identity must also include authentication. Authentication controls which subjects can access which identities. Identity management then is identity and authentication from our previous definitions.
 
At a functional level; IAM includes access, meaning what an identity is permitted to do; authorization. Identity and access management then includes identity, authentication, and authorization. Both IM and IAM benefit from accountability, so this function is added to both. This results in:
 
• IM = Identity + Authentication + Accountability
• IAM = Identity + Authentication + Authorization + Accountability
 
IA and IAM are in fact two functions that are integrated, not one single synonymous function. 
 
 
 
Start with identity management
If you don’t get IM right, you’ll never get IAM right. Most organizations fail at IM, and don’t have a prayer in getting IAM correct. Over the past year, we’ve compiled the results of more than one hundred Active Directory user account audits. The results aren’t good.
 
On average, 42.4% of all accounts (user and service) are enabled, 54.19% of the accounts are disabled, and 3.41% of the accounts are expired. The table referenced here only accounts for enabled accounts. So, it’s safe to say that on average, 13.02% of enabled accounts were found to have not logged in within the past year and 17.69% had passwords that exceed the age of one year.
 
Most troubling; however, may be the fact that 14.77% of all enabled accounts showed no evidence of having ever logged in.  If these numbers don’t trouble you, maybe they haven’t sunk in yet.
 
Why are things this broken?
Things that are neglected fall apart. Like the decay of a neglected farm home, so becomes a user account database (e.g. Active Directory). There are three primary reasons for the decay:
 
1. Poor definition and formalization of identity lifecycle processes. There are four high-level processes that must be defined and formalized; Creation, Change, Deactivation (disable/delete), and Audit. There are several supporting processes under these headings. Processes must be defined and documented.
2. Poor understanding of the fundamentals and feeling overwhelmed. We know that IM and IAM are integrated, but different. Start with IM, and an identity audit. Validate every identity, and shore up authentication. A tedious exercise, but not an overwhelming one.
3. The work is tedious and uncomfortable. Tedious work isn’t appealing. People want easy buttons and blinky lights. The work can be uncomfortable because it will require coordination with the business. Coordination will be the only way you can effectively validate the identities.
 
Identity management isn’t complicated, but it does take a commitment. You can do it, and you’ll be glad you did! Next up, the “A” in IAM.
 
Evan Francen is CEO & Co-Founder of FRSecure 
 
You Might Also Read:
 
No Easy Button Solution To Cybersecurity’s Skills Shortage:
 
 
 
 
 
« The EU’s Copyright Directive Risks Creating Two Internets
The UK Needs Data Driven Policing »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

International Association for Cryptologic Research (IACR)

International Association for Cryptologic Research (IACR)

(IACR is a non-profit scientific organization whose purpose is to further research in cryptology and related fields.

Qatar Computing Research Institute (QCRI)

Qatar Computing Research Institute (QCRI)

QCRI perform cutting-edge research in such areas as Arabic language technologies, social computing, data analytics, distributed systems, cyber security and computational science and engineering.

AVeS Cyber Security

AVeS Cyber Security

AVeS combines expert knowledge and services with leading technology products to provide comprehensive Information Security and Advanced IT Infrastructure solutions.

Agesic

Agesic

Agesic is an institution that leads the development of the Digital Government and the Information and Knowledge Society in Uruguay.

C2A Security

C2A Security

C2A Security offers a comprehensive suite of cyber security solutions for the automotive industry, providing in-vehicle end-to-end protection.

Optra Security

Optra Security

Optra Security specializes in information security with a focus on Application Security.

CyberInsureOne

CyberInsureOne

At CyberInsureOne, we break down the complex world of cyber insurance, and connect you with providers that can give you and your company peace of mind.

S4x Events

S4x Events

S4x are the most advanced and largest ICS cyber security events in the world.

CyberKnight Technologies

CyberKnight Technologies

CyberKnight Technologies is a cybersecurity focused value-added-distributor (VAD) headquartered in Dubai and covering the Middle East.

Global Cyber Risk (GCR)

Global Cyber Risk (GCR)

Global Cyber Risk is a technology and advisory services firm that provides first tier cybersecurity services to both large corporations and small and mid-sized businesses.

Guardara

Guardara

Guardara's mission is to help our customers to continuously improve in every aspect of software development.

Trusted Connectivity Alliance (TCA)

Trusted Connectivity Alliance (TCA)

Trusted Connectivity Alliance is a global, non-profit industry association which is working to enable a secure connected future.

Sollensys

Sollensys

Sollensys is a leader in commercial blockchain applications. Our flagship product, The Blockchain Archive Server™ is the best defense against the devastating financial loss that ransomware causes.

Techsolidity

Techsolidity

Techsolidity is an emerging e-learning platform that offers a wide range of upskilling programs worldwide in areas including cybersecurity.

Oz Forensics

Oz Forensics

Oz Forensics is a global leader in preventing biometric and deepfake fraud. It is a developer of facial Liveness detection for Antifraud Biometric Software with high expertise in the Fintech market.

Revytech

Revytech

Revytech is a tech company providing services in a broad range of areas including IT operations, cyber security and network engineering.