Shubham Patil says
According to Vacca Chapter 71:
Identity management refers to “the process of representing, using, maintaining, deprovisioning and authenticating entities as digital identities in computer networks.” Identity management relates to authenticating users.
Put simply, identity management manages digital identities. Identities combine digital attributes and entries in the database to create a unique designation for a user. Its management consists of creating, maintaining, monitoring, and deleting those identities as they operate in the enterprise network. Businesses need to make sure users have the permissions they need to perform their jobs and limit other permissions. Also, it handles authentication.
Access management determines the identity and attributes of a user to determine what that user’s authorization is. It evaluates the identity but does not manage that data. It controls the yes/no decision to allow or block users from accessing a resource, database, etc. Additionally, it manages the access portals via login pages and protocols, while also ensuring that the user requesting access actually belongs at all. This actually differs from authentication, since authentication can determine the user but not whether they deserve access. Instead, it manages authorization.
Authentication does not equal authorization, and vice versa. The former, a province of identity management, determines who the user is, whether based on groups, role, or other qualities. Authorization evaluates the user to determine what the user can actually see and access after authentication.
Oluwaseun Soyomokun says
Shubham…Your explanation on this is broad with details, and here is my contribution in addition to identity management. It emphasizes the importance of protecting our digital identities, which is increasingly critical as the acceleration of digital transformation efforts opens doors for threat actors. It explains that users on the internet can hold dozens of online accounts across various services. Identity management refers to the mechanisms and technology put in place for personally identifiable information (PII) and access control.
Oluwaseun Soyomokun says
Identity is conceptually a complex term, and access is the flow of information between a subject and an object. Access control, as a concept, has a long history. Access is one of the most exploited aspects of security because it is the gateway that leads to critical assets. Access control needs to be applied in a layered defense-in-depth method, and understanding how these controls are exploited is extremely important. On the other hand, identity has been defined in different ways over the years to hold and describe the identity of a person, attributes, devices, and applications being part of an infrastructure in a context of uniqueness. Much can’t be said here about identity management and access control management without defining the terms related to identity in a context based on “Who we are: Name, citizenship, birthday”, “What we like: Our favorite reading, food, clothes”, and “What our reputation is: Whether we are honest, with or without any problems”, which together define identity.
Access control conceptually digs into the technologies the industry puts in place to enforce these concepts, how access to information, data, services, and systems, as well as access to physical locations, is governed by controls, and how users and systems communicate and interact with these resources. Access control protects systems and resources from unauthorized access and can include components that participate in determining the level of authorization after an authentication procedure has successfully completed.
Identity and access management refers to the policies, processes, mechanisms, and technologies that establish user identities and enforce rules about access to digital resources. For example, in the Temple University setting, many information systems, such as e-mail, learning management systems, library databases, and grid computing applications, require users to authenticate themselves (typically with a username and password). An authorization process then determines which systems an authenticated user is permitted to access. With an enterprise identity management system, rather than having separate credentials for each system, a user can employ a single digital identity to access all resources to which the user is entitled. Also, identity management and access management focus on the digital environment in terms of digital identity (triad: Cost, Usability, and Risk).
However, within a complex organization, establishing an Identity and Access Management (IAM) program (used interchangeably with Identity Management program) is not an easy task. Many stakeholders, technology areas, policies and processes must work together for a scalable and robust IAM program. In addition, governance plays a key role in the success of any IAM program and its implementation, together with control implementation, laws and regulation.
Elizabeth Gutierrez says
Hi Oluwaseun,
I appreciate your in-depth explanation of how identity management and access management differ. Your IAM example concerning Temple’s systems was helpful because it made me realize how we interact with authentication mechanisms every day. When you enter a username and password, use a PIN, scan your fingerprint, or tap your bank card, your identity is being verified for authentication purposes. It is not until your identity is verified that access control is implemented to determine your level of access, which is what we refer to as authorization.
Elizabeth Gutierrez says
Vacca defines identity management as “the process of representing, using, maintaining, deprovisioning and authenticating entities as digital identities in computer networks” (Chapter 71). It manages digital identities, which are a representation of an entity in a specific context, and deals with people’s names, citizenship, birthday, reputation, interests, etc. In the chapter, under the identity management overview, the model of identity is displayed as follows: a) Users who want to access a service, b) Identity provider (IdP): the issuer of user identity, c) Service provider (SP): the relying party imposing an identity check, d) Identity (Id): a set of user attributes, and e) Personal authentication device (PAD): a device holding various identifiers and credentials that could be used for mobility. These different attributes and entries in the database are combined to create a unique designation for a user. Its management consists of “creating, maintaining, monitoring, and deleting those identities as they operate in the enterprise network” (Chapter 71).
On the other hand, access management deals with controls or yes/no decisions to allow or block users from accessing a resource, database, etc. Access management simultaneously manages access portals through login pages and protocols, and ensures that the user requesting access is associated with the database; information available or attributes of the user are used to determine whether access control is granted. Together, identity management and access management are known as IAM and are useful for verifying a user’s identity and their level of access to a particular system.
Yangyuan Lin says
Hi Elizabeth,
IAM is a method of authorizing users. The user has the right to access the minimum data required to complete the work, to keep the bad guys from getting as much information as possible. Monitoring IAM is the main component of the AD environment. Without proper configuration management, monitoring, and implementation of Group Policy and IAM, there may be serious access vulnerabilities. In this case, an attacker can access highly privileged areas in the internal system that contain more sensitive data. It may be leaked or changed.
Yangyuan Lin says
Identity management:
Gives a digital identity to an authorized person. Users can access the technical resources they need to perform their job functions. Its functions include the development, maintenance, monitoring, and deletion of identities and authentications running in the organization’s network.
Access management:
When the user is authorized to enter the network, access management determines whether to allow or prohibit the user from accessing resources or databases.
For example: When you become a student or employee of Temple, you get the identity card of Temple University, including the permission to log in to the Temple website. If you are a student, you have the right to choose courses. If you are a professor, you have the right to enter the course resource library to select the materials you need and distribute them to the students in Canvas.
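Editor's note: the following is an added example and is not part of any post in this thread, nor code from Vacca's chapter. It puts Shubham's point that authentication and authorization are separate decisions, Elizabeth's summary of the user / IdP / SP model, and Yangyuan's Temple student-versus-professor example into runnable Python. The IdP authenticates a user against a salted password hash and issues a signed assertion of the user's attributes; the SP (named "canvas" here as a hypothetical relying party) verifies the assertion's signature, audience and expiry, and only then makes the yes/no access decision from a least-privilege role policy. The shared HMAC secret, the user records, the roles and the policy table are all constructed test data; a real SAML or OIDC deployment would verify an IdP signature with the IdP's public key rather than a pre-shared secret.

```python
"""Toy IdP / SP flow that keeps authentication and authorization apart.

Constructed example: every secret, user, role and policy entry below is
made-up test data for illustration only.
"""
import base64
import hashlib
import hmac
import json
import os
import time

# Assumption: IdP and SP share a secret (real deployments use IdP-signed
# assertions checked with the IdP's public key instead).
IDP_SECRET = b"constructed-demo-secret-not-for-production"
SP_AUDIENCE = "canvas"      # hypothetical service provider name
ASSERTION_TTL = 300         # assertion lifetime in seconds


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, roles: list) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "roles": roles}


# Constructed identity store: the "Id" in the model, a set of user attributes.
USERS = {
    "student1": _make_user("student-pass", ["student"]),
    "prof1": _make_user("prof-pass", ["professor"]),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_authenticate(username: str, password: str, now=None):
    """Identity management side: establish WHO the user is and issue an
    assertion of their attributes. Returns the signed assertion or None.
    This says nothing about what the user may do."""
    rec = USERS.get(username)
    if rec is None:
        return None
    if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["pw_hash"]):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "roles": rec["roles"],
              "aud": SP_AUDIENCE, "exp": now + ASSERTION_TTL}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def sp_verify_assertion(token, now=None):
    """Service provider (relying party) side: accept the assertion only if
    its signature, audience and expiry check out. Returns claims or None."""
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None          # tampered roles or forged token
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims.get("aud") != SP_AUDIENCE or claims.get("exp", 0) <= now:
        return None          # replayed to the wrong SP, or expired
    return claims


# Access management side: least-privilege role policy built from the
# thread's Temple example (students choose courses, professors select and
# distribute course materials). Constructed for this example.
POLICY = {
    "student": {("courses", "enroll"), ("materials", "read")},
    "professor": {("materials", "read"), ("materials", "publish"), ("grades", "write")},
}


def sp_authorize(claims: dict, resource: str, action: str) -> bool:
    """The yes/no decision: granted only if a held role explicitly allows it."""
    return any((resource, action) in POLICY.get(role, set())
               for role in claims.get("roles", []))


def access(username: str, password: str, resource: str, action: str, now=None) -> str:
    """End to end: authenticate at the IdP, verify at the SP, then authorize.
    Returns 'denied-authn', 'denied-authz' or 'allowed'."""
    token = idp_authenticate(username, password, now)
    claims = sp_verify_assertion(token, now) if token else None
    if claims is None:
        return "denied-authn"
    return "allowed" if sp_authorize(claims, resource, action) else "denied-authz"


if __name__ == "__main__":
    print(access("student1", "student-pass", "courses", "enroll"))   # allowed
    print(access("student1", "student-pass", "grades", "write"))     # denied-authz
    print(access("prof1", "wrong", "materials", "publish"))          # denied-authn
```

The two "denied" outcomes are deliberately distinct: a student with a valid login is still refused when asking to write grades, which is the authorization decision Shubham and Elizabeth describe, while a wrong password never reaches the policy at all. Re-signing a tampered assertion is what stops a user from promoting themselves from student to professor client-side.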
Shubham Patil says
Lin,
The example you mentioned really helps in understanding the difference. Identity management and access systems enable your organization to manage employee apps without logging into each app as an administrator. It ensures that the right people and job roles in your organization (identities) can access the tools they need to do their jobs.