Nicholas Foster says
The reason it is important to care about the two being different is because of how heavily they rely on each other in order to retain confidentiality, integrity, and availability. The purpose of identity management is creating an entity a permission can be assigned to. For example, say a company leverages a CRM such as Salesforce. Salesforce is vital to most organizations utilizing it as it’s where most sales transactions occur. When it comes to provisioning users within Salesforce for access, you can do so in many ways. You can do manual provisioning within the app itself. Or you can leverage an IdP such as SailPoint or Okta to leverage account creation with JIT or SCIM provisioning. How you choose to do the provisioning is relative to your organization’s needs. However, without the provisioning step (identity management), you wouldn’t be able to assign the necessary permissions to leverage the tools/features that reside on Salesforce (access management).
Kenneth Saltisky says
Hi Nicholas,
I like your examples of CRMs and IdPs as applicable to identity and application management. Organizations that I have worked in leveraged third-party identity and access management software like Okta and SailPoint to assign permissions to specific applications to groups of individuals or specific individuals.
Abayomi Aiyedebinu says
The reason these two concepts are confused is that they are two critical steps for a user who is accessing information. The information provided by identity management determines how the access management will function. Since users only enter identity information, they do not realize that there is an entirely different management system to establish their access. Identity and access are so closely tied together that it can be difficult to remember that they are not the same thing.
This misunderstanding can lead to potential security issues. If an organization’s identity management is detailed and descriptive, but access management is not clearly defined, the organization could potentially be opening the door for cybercriminals who can target users on your database with the kind of access they need to find the data and information they need.
Nicholas Foster says
Hey Abayomi,
I appreciate that you took your post one step further and included the ramifications of failing to differentiate between identity and access management. While it’s true that you need to ensure correct permissions are assigned to, say, a user’s account, it’s imperative that the user’s identity is correctly configured as well. For example, if a user is assigned a security group for access to a VPN, the VPN could then rely on a specific attribute such as department to establish the connection to the proper resources.
Christa Giordano says
Identity management and access management are both critical components for an organization to employ in order to maintain the confidentiality, integrity and availability of data. Access to data and information should be appropriately limited to those on a need-to-know basis, or the principle of least privilege. This can be controlled through authentication (identity management) and determining the information the user is allowed to access (user permissions and access rights). Appropriately limiting information helps protect the data confidentiality, permissions help protect the integrity of the data, and both access and identity management help protect the information from a threat actor with malicious intent which could impact the confidentiality, integrity and availability of data. As a side note, a malicious actor can be external or an insider. In the case of insider risk, implementing role-based access and authentication helps mitigate insider risk. Lastly, if the CIA of data is compromised, the organization is then subject to financial loss, reputational risk and potentially regulatory/compliance/legal risk.
Samuel Omotosho says
In order to safeguard sensitive data and prevent unauthorized access to systems, businesses and networks implement identity and access management systems. Solution providers in the field of identity and access management play a vital role in helping workers go about their daily tasks. Both methods of administration strengthen defenses against criminal hackers who use stolen usernames and passwords to infiltrate networks in search of sensitive information.
Shepherd Shenjere says
Hello Samuel,
I agree with you. The end result is to ensure that the business has enough defense against cybercriminals.
Maxwell ODonnell says
The two are used in tandem together, given that identity management determines how access management will be implemented; one without the other leaves the company vulnerable. For example, if anyone who is authenticated can access private information then authenticating users is completely pointless because anyone can be authenticated and gain access. At the same time requiring permissions to access information without a method of checking those permissions completely removes all accessibility of the data. It’s important to understand the differences and separate the two because one does not work without the other.
Jill Brummer says
I like your example regarding if anyone who is authenticated can access private information then authenticating users is completely pointless if everyone that gains access has access to all information. This is where access management would come into play by only allowing authorized individuals with certain permissions to gain access to restricted data.
Jill Brummer says
A business should care about the difference between identity management and access management because some can be authorized to have access to a system, but if the level of access isn’t managed people can have more access than they need or are authorized to have. Without identity management, unauthorized users can gain access to a system. Both identity management and access management are important to ensure authorized users have appropriate access. Managing access is not only important for authorized users, but also for terminated users. If authorized users are terminated, their access has to be removed timely to prevent unauthorized access.
Matthew Stasiak says
Hey Jill,
I loved your example. Without those checks and balances to be put in place between the understanding of Access vs Identity management, unauthorized users would run rampant.
Matthew Stasiak says
To list a bunch, it 1) enhances data security, 2) streamlines IT workload, 3) helps in regulatory compliance, 4) reduces human error, 5) more effective access to resources, 6) data confidentiality, and 7) helps manage access across devices and browsers. Having those sorts of checks and balances is critical to a company’s infrastructure.
Shepherd Shenjere says
There is a lot involved when it comes to identity management and access management, and it is key to every organization to understand the difference. Organizations hold a lot of data which puts them in a situation where they need to do much in terms of security objectives, Confidentiality, Integrity, and Availability (CIA). So it is key to know the difference between the two to ensure that their data is safe and secure.
David Vanaman says
Why is it important to a business to care about the difference between identity management and access management?
A company cares about the difference between identity management and access management because without a proper understanding of the two, policy and procedure cannot be properly crafted and technical controls put in place to properly address authentication and authorization. A business needs to be sure that a user is who they claim to be and has reason and authorization to perform the actions they request.
Christa Giordano says
Hi David,
I think this is a great point regarding policy and procedures, in that they cannot be written and designed effectively without the proper understanding of identity management and access management and the differences between the two. The tone at the top must be set and documented and available to employees, so that everyone understands their role and expectations regarding identity and access management. This can vary from the technical controls in place such as password parameters or lockout policies as well as rules for provisioning access and the frequency of access reviews.
Kenneth Saltisky says
It is important to care about the difference between identity and access management since without understanding the two, a business will be vulnerable. If there is too much emphasis on identity management, then finding individuals with access to data or information is easier for a malicious user. If there is too much emphasis on access management, then legitimate users may have difficulty in performing daily tasks due to constantly requiring privileges or not having access to resources. Both need to be clearly defined and well-managed as well as working together to properly facilitate secure business processes.