Identity and Access Management
Written by Christian Fiott
An Identity and Access Management (IAM) system is made up of a set of software components and technologies used to govern access to information held in an organisation's Information Technology (IT) systems. It plays an important part in managing the user identity lifecycle, from both the security and operational aspects.
Let’s use an analogy to describe it in simpler terms. Imagine you have a building (representing your organisation) with several rooms (each room representing a software application or a service). Keys to the rooms are handed out by Paul, your trustworthy security guard, who is an essential part of your IAM system. You give Paul the details of the persons who can request access and which rooms each person can access, and he diligently notes everything down in his spiral notebook.
When people present themselves to Paul, he performs authentication to ensure they really are who they are claiming to be. They present their company ID and Paul checks it against his notebook. If the authentication is successful, they can request a key to enter a specific room. Once again Paul checks his notebook to see if they are allowed to enter that room. If they are authorised, then Paul happily provides the key, knowing that he has done his job well.
There are obviously other activities that are required for the system to work. Every now and then you ask Paul to add or remove people from the list or change their access rights. Being security-minded, once a month Paul also compiles a table with the details of all the information in his notebook, so you can review it. Transposing this scenario back to the IT world, this entails creating and deleting users, granting and revoking access, and generating reports. Authentication and authorisation are inherently handled by the various components in the infrastructure, but the management of users and their accesses is often done manually.
Having IT personnel manually maintain a few users and a handful of applications can be manageable. Scale that up to many applications and services with a large user base, and one can immediately understand the benefit of automation. Sure, it requires an investment to automate, but manual processing also comes at a cost, and it’s more than just the wages. Trying to retain personnel and keep them motivated doing what is essentially repetitive work is very challenging. Catering for unforeseen spikes in demand is also a juggling act, especially if the service must be provided within agreed timeframes. Manually collating information from various systems to provide reports is often a daunting and laborious task. And let’s not forget that manual processing always introduces human error.
The Service Management Department within MITA is entrusted to process requests related to accounts and access rights for government employees, and it used to face all these issues. In recent years, new technologies were introduced to provide self-service provisioning for the most widely used services. The process starts when a person enters a request in a web portal that forms part of the IAM system. This person would typically be someone from the client’s IT department who understands both the business and the technical needs. Another person then vets the request and approves it. Once approved, automatic processing takes place, typically within about thirty minutes, and an email is sent to the relevant stakeholders to notify them of its completion.
So, what happens behind the scenes? A database holds the details of every user and what they can access. When requests are approved, this database gets updated, and thus it is considered to be the single source of truth. A synchronisation engine then senses any changes in this database and updates the various systems as required. This ecosystem results in having the correct information across all managed applications and services. Generating accurate reports is also simple and fast, since the data comes from a single source.
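To make the "single source of truth plus synchronisation engine" idea concrete, here is an added illustration (not MITA's code or any product's API) of how such an engine reconciles each managed service against the IAM database: it grants approved access that was never provisioned, revokes access that is no longer approved, and builds the access-review report from the same source. The user and service names are constructed sample data.

```python
"""Reconciliation-style sync engine (added example, not MITA's code).
Desired state lives in the IAM database (single source of truth); each
managed service holds its own account list. Data below is constructed."""
from dataclasses import dataclass

# Desired state (approved requests): user -> services they may access.
SOURCE_OF_TRUTH = {
    "alice": {"payroll", "email"},
    "bob": {"email"},
}
# Actual state observed in each managed service (constructed).
TARGET_STATE = {
    "payroll": {"alice", "carol"},  # carol left; access was never revoked
    "email": {"alice"},             # bob's approved access never provisioned
}

@dataclass(frozen=True)
class Action:
    op: str  # "grant" or "revoke"
    user: str
    service: str

def plan_sync(source, targets):
    """Return the actions that make every target match the source of truth."""
    actions = []
    for service, current_users in targets.items():
        desired_users = {u for u, svcs in source.items() if service in svcs}
        for user in sorted(desired_users - current_users):
            actions.append(Action("grant", user, service))
        for user in sorted(current_users - desired_users):  # stale accounts
            actions.append(Action("revoke", user, service))
    return actions

def apply_sync(targets, actions):
    """Apply planned actions to the (in-memory) target systems."""
    for a in actions:
        if a.op == "grant":
            targets[a.service].add(a.user)
        else:
            targets[a.service].discard(a.user)
    return targets

def access_report(source):
    """Access-review report built from the single source: service -> users."""
    report = {}
    for user, services in source.items():
        for s in services:
            report.setdefault(s, []).append(user)
    return {s: sorted(users) for s, users in sorted(report.items())}
```

Running `plan_sync` a second time after `apply_sync` yields no actions, which is the check that every managed service now matches the approved state.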
Going forward, the plan is to increase the number of automated services. This will require applications to be modified, but the long-term benefits are becoming more obvious as time passes. The drastic increase in service provisioning speed and quality is proving that the required effort to automate is well justified.