The philosophy behind the I&AM Reference Architecture is based on the idea of the “Circle of Trust”. In this context, “security” is interpreted as the definition, the establishment, the enforcement and the verification of trust. (Reference: John Arnold, Information Security Bulletin, 2006). The IAM domain is reflected in terms of “establishment of trust” under the “Select” disciplines. Establishing trust requires activities such as access controls, account provisioning and role engineering.
Security disciplines are rooted in the Circle of Trust.
While in the past security was mostly associated or perhaps even resident in the Protection sphere, a more coherent approach and a more business-centred vision allows us to develop other complementary strategies:
1) It is essential to understand that there is no “security” without business direction, especially without the definition of what the business wants to maintain as a level of trust. The business policies come first, and the definition of what we want to have as a trusted environment is a precondition to all the rest.
2) The disciplines of protection, mostly centred around network and platform security have been historically the realm of security. But there is a well-established trend to go beyond perimeter and zone protection now.
3) More recently, perhaps accelerated by increasing regulatory pressure, the disciplines of Verification have been developed. But again, it is evident that there could be no Verification without Protection and Direction.
4) And finally, even more recently in history, but still immature, come the disciplines of Selection. These have grown out of the Protection quadrant, becoming much more than “access controls” and including now user provisioning and user authorisation workflows.
Overall, then, the need for Identity and Access Management processes is part of the growth of the security disciplines, and their increased linkage with business concerns. It must be clear that while the initial layers of security solutions were mostly technical the more recent are to a great extent mostly business-based and cannot exist without business process changes.