The Identity and Access Management Architecture defines three layers of I&AM processes. These are essentially business processes engineered to provide centralised user management, access control, account lifecycle management and security policy compliance.
The three layers are:
1. IDENTITY INTEGRATION: Identity Data Governance, Identity Validation, Role Engineering, Directory Integration and Directory Rationalisation
2. ACCOUNT LIFE-CYCLE MANAGEMENT: Authorisation Workflows, Centralised User Management, Server User Management, Integrated User Provisioning and Comprehensive Access Control and Audit
3. IDENTITY AND ACCESS MANAGEMENT SERVICES: Application Enablement Services, Directory Enabled Network Access Control, Multi-Factor Authentication, Credentials Management and Federated Access Management
The three layers are interdependent in one direction: each upper layer depends on the ones below it. The foundational layer, labelled “Identity Integration”, is the basis for the full development of Identity and Access Management. It should also be noted that once a layer is started and developed, it continues to exist. In that sense, I&AM solutions are not “one-off” projects but permanent processes adopted by the organisation.
An I&AM implementation programme should have a series of steps or a staggered development by which each layer builds on the previous one.
On the other hand, because these components can be applied to sub-sets of target systems, in some cases it is possible to anticipate results of the upper layers. For example, it is possible to obtain some Federated Access capabilities (Third Layer) while still working on the First Layer.
The IDENTITY INTEGRATION Layer has the following components or deliverables:
• Identity Data Governance
Identity Data Governance is the most important element in the I&AM Strategy. This step is essentially non-technical and pertains to the ownership, custodianship and management of the identity data assets of the organisation. Without ownership and senior level management of this category of information, it is not possible to articulate a long-running Identity and Access Management Programme.
• Identity Validation
Identity Validation is a continuous process of user data verification and attestation. It starts with a Data Cleansing process, by which current identity sources are cleansed using authoritative employee and payroll information. Invalid and orphan accounts are removed from the target systems and the authentication sources. Concurrently, user management processes are put in place to maintain the clean data and to validate it periodically. These processes are known as Attestation Workflows.
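The data cleansing step described above, as an added example that is not part of the original article: account dumps from two target systems are reconciled against an authoritative HR extract, and every account is classified as valid, belonging to a leaver, or orphan, with the doubtful ones routed to an attestation queue. The HR feed, system names and account names are all constructed for the illustration.

```python
"""Identity validation: reconcile target-system accounts against an
authoritative HR/payroll feed. Illustrative code; all data is constructed."""
from dataclasses import dataclass, field

# Constructed authoritative HR extract: employee id -> (name, employment status)
HR_FEED = {
    "E1001": ("Ana Silva", "active"),
    "E1002": ("Bo Chen", "active"),
    "E1003": ("Cy Dunne", "left"),      # leaver still present in payroll history
}

# Constructed account dumps: system -> {account name: owning employee id or None}
TARGET_ACCOUNTS = {
    "mainframe": {"asilva": "E1001", "cdunne": "E1003", "svc_batch": None},
    "crm":       {"ana.silva": "E1001", "bo.chen": "E1002", "tmp_admin": "E9999"},
}

@dataclass
class ValidationReport:
    valid: list = field(default_factory=list)    # owned by an active employee
    leaver: list = field(default_factory=list)   # owner has left: disable/remove
    orphan: list = field(default_factory=list)   # unowned or owner unknown to HR
    attest: list = field(default_factory=list)   # items for the attestation workflow

def reconcile(hr_feed, target_accounts):
    """Classify every account in every target system against the HR feed."""
    report = ValidationReport()
    for system, accounts in target_accounts.items():
        for account, owner in accounts.items():
            key = (system, account)
            if owner is None:
                # Unowned (often service) accounts need a named custodian to stay
                report.orphan.append(key)
                report.attest.append((key, "assign owner or remove"))
            elif owner not in hr_feed:
                # Nobody in the authoritative source vouches for this account
                report.orphan.append(key)
                report.attest.append((key, "no HR record for owner %s" % owner))
            elif hr_feed[owner][1] != "active":
                report.leaver.append(key)
            else:
                report.valid.append(key)
    return report
```

Running the same reconciliation on a schedule, with the attestation items sent to the custodians named in the governance step, is what turns a one-time cleansing into the periodic validation the text describes.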
• Role Engineering
Role Engineering is the definition of business-related functions in the organisation. These functions encompass a series of entitlements (access rights and permissions) upon business IT services. There may be wide catch-all roles such as “employee”, which allow the organisation to provision a set of basic access rights to every employee; more restricted and precisely defined roles (for example “mainframe developer”) are also necessary, so that strict access controls are maintained on critical systems.
• Directory Integration
Directory Integration is the process which builds and maintains central, valid and managed authentication and authorisation sources. These sources can either be traditional LDAP services (directories) or more advanced metadirectories or virtual directories. This process eliminates redundancy, reduces management effort and guarantees a single valid version of authorized users in the organisation.
• Directory Rationalisation
The Directory Rationalisation process is the last in this Layer. It is more a product of the success of the previous components and allows for the reduction of the number of authentication sources. Where the organisation has many separate and disjoint user management sources, the I&AM Programme aims at having a reduced number of central authoritative directories.
The Account Life Cycle Management Layer builds on the First Layer. It has the following components:
• Authorisation Workflows
The Authorisation Workflows are an automated representation of the user account administration process. A business process has to exist first and has to be well documented and understood before automation is attempted. The Identity and Access Management Solutions provide user interfaces for end users and managers to request, authorize, modify, validate, maintain and terminate user access to systems. The solutions generally rely on automated email flows and web interfaces to achieve this.
• Centralised User Management
Centralised User Management is the result of all the previous components and especially the First Layer of the IAM processes. Where before the organisation had multiple tools and processes, it now will have a single identity data warehouse, a single user data model, a reduced number of authentication sources and an established role model. Under those circumstances we can begin to say that the organisation has a “centralized user management system”. We differentiate centralized user management from integrated user provisioning because the user data repositories can be well managed and central without having an automated user provisioning system in place.
• Server User (Privileged User) Management
Management of user access to servers is a key part of the enterprise security capabilities. Frequently this is addressed on a platform by platform basis, with disparate standards and security policies. The I&AM programme aims at simplifying user access management across platforms and re-using identity stores with centrally managed policies and standards.
• Integrated User Provisioning
When the centralized user management system is in place, one of the key outcomes is the agile and efficient provisioning of accounts to employees, contractors and temporary workers. Regardless of their location, the workers obtain access to the systems they need to do their work. Equally important is that the joiners, movers and leavers processes are adequately represented through the I&AM system, so that users have access rights and privileges only according to their roles and their specific tasks within the teams. Temporary access and delegate access are also granted in a centralised manner. A user provisioning system generally uses connectors or adaptors to connect to the managed systems and create, maintain and delete accounts and user rights.
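The joiners, movers and leavers logic above, built on the role model from the Role Engineering step, as an added example that is not part of the original article: a user's effective entitlements are the union of their roles (the catch-all “employee” role plus specific ones such as “mainframe developer”), and a change of roles is turned into the revoke/grant actions a per-system connector would carry out, with a mover losing old entitlements rather than accumulating them. The role model, systems and entitlement names are constructed for the illustration.

```python
"""Role-based provisioning diff for joiners, movers and leavers.
Illustrative code; the role model and target systems are constructed."""

# Constructed role model: role -> set of (target system, entitlement)
ROLES = {
    "employee": {("email", "mailbox"), ("intranet", "read")},
    "mainframe developer": {("mainframe", "tso_login"), ("mainframe", "dev_dataset_rw")},
    "crm analyst": {("crm", "report_read")},
}

def entitlements_for(roles):
    """Effective entitlements: union of all roles held (catch-all plus specific)."""
    eff = set()
    for role in roles:
        eff |= ROLES[role]   # KeyError on an undefined role is deliberate: fail closed
    return eff

def provisioning_actions(current_roles, new_roles):
    """Connector actions needed to move a user from current_roles to new_roles.
    Joiner: current_roles empty. Leaver: new_roles empty. Mover: both non-empty.
    Revocations are emitted first so a mover never keeps access from an old role."""
    have = entitlements_for(current_roles)
    want = entitlements_for(new_roles)
    actions = [("revoke", system, ent) for system, ent in sorted(have - want)]
    actions += [("grant", system, ent) for system, ent in sorted(want - have)]
    if current_roles and not new_roles:
        # Leaver: once entitlements are gone, the accounts themselves are disabled
        for system in sorted({s for s, _ in have}):
            actions.append(("disable_account", system, None))
    return actions

def by_system(actions):
    """Group actions per target system: one batch per connector/adaptor."""
    batches = {}
    for op, system, ent in actions:
        batches.setdefault(system, []).append((op, ent))
    return batches
```

The audit trail the second layer calls for comes naturally from this shape: every action list is a record of who requested which change, what was revoked and granted, and on which system.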
• Comprehensive Access Control and Audit
Finally, based on all the above components of the second layer, the organisation can generate audit reports and can trace all user account activity on a daily basis. Account requests, authorisations and changes are logged and archived, allowing for more control and accountability in business operations.
The Identity and Access Management Services Layer builds on the First and the Second Layers. Its components are:
• Application Enablement Services
Given all the services and systems of the previous two layers, Application Enablement is the agile provision of authentication and authorisation services to new or modified applications in the environment. Where this sort of enablement took weeks or months in the past, it is now possible to achieve it in days.
• Directory-Enabled Network Access Control
Increased mobility of the staff, as well as increased use of outsourcing and partnerships requires stronger but also practical security mechanisms to protect the boundaries of the organisation. Directory enabled network access control (DEN or NAC) increases network security by linking hardware access protocols with identity data sources and security policies.
• Multi-Factor Authentication
Multi-Factor Authentication (also called Strong Authentication) is the addition of “factors” to the normal login and identification process. Depending on business requirements, the organisation is able to add biometric security or multi-factor authentication to the normal workstation login system. It is also able to offer different adaptive levels of security depending on the nature of the applications and their risk positions.
• Credentials Management
Complex organisations, especially those with large customer bases and multiple business channels (Banking, Retail), require flexible ways to handle customer and employee identity data, while ideally maintaining a single view of the customer and the staff members. Credentials Management is the process which maps the various business channels to centralised identity data, and ensures appropriate access rights without slowing down the business process.
• Federated Access Management
Federated Access Management is the culmination of the I&AM Process Layers. This allows the organisation to integrate systems and applications, domains and divisions by using a single set of user data. Instead of hard-wiring the applications to specific user repositories it is possible to establish trust across the divisions and departments, so that users will be able to access data and services without multiple logins and without excessive management effort. At the same time, all users will be provided with the exact access rights they need, based on their job definition and the permissions associated with their roles in the organisation. The organisation then becomes an Identity Provider and is able to operate in wider federations with service suppliers in the market.