What is the process of establishing the identity of a person or service that wants to access a resource?

What's the difference between authentication and authorization? Authentication confirms that users are who they say they are. Authorization gives those users permission to access a resource.

While authentication and authorization might sound similar, they are distinct security processes in the world of identity and access management (IAM).

What Is Authentication?

Authentication is the act of validating that users are whom they claim to be. This is the first step in any security process. 

Complete an authentication process with:

  • Passwords. Usernames and passwords are the most common authentication factors. If a user enters the correct data, the system assumes the identity is valid and grants access.
  • One-time PINs. Codes that are valid for only one session or transaction.
  • Authentication apps. Generate one-time codes on a device the user holds (for example a phone app); the system verifies the code before granting access.
  • Biometrics. A user presents a fingerprint or eye scan to gain access to the system.

In some instances, systems require the successful verification of more than one factor before granting access. This multi-factor authentication (MFA) requirement is often deployed to increase security beyond what passwords alone can provide.

What Is Authorization?

Authorization in system security is the process of giving the user permission to access a specific resource or function. This term is often used interchangeably with access control or client privilege.

Giving someone permission to download a particular file on a server or providing individual users with administrative access to an application are good examples of authorization.

In secure environments, authorization must always follow authentication. Users should first prove that their identities are genuine before an organization’s administrators grant them access to the requested resources.

Authentication vs. Authorization

Despite the similar-sounding terms, authentication and authorization are separate steps in the login process. Understanding the difference between the two is key to successfully implementing an IAM solution.

Let's use an analogy to outline the differences.

Consider a person walking up to a locked door to provide care to a pet while the family is away on vacation. That person needs:

  • Authentication, in the form of a key. The lock on the door only grants access to someone with the correct key in much the same way that a system only grants access to users who have the correct credentials.
  • Authorization, in the form of permissions. Once inside, the person has the authorization to access the kitchen and open the cupboard that holds the pet food. The person may not have permission to go into the bedroom for a quick nap. 

Authentication and authorization work together in this example. A pet sitter has the right to enter the house (authentication), and once there, they have access to certain areas (authorization).

                               Authentication                          Authorization
What does it do?               Verifies credentials                    Grants or denies permissions
How does it work?              Through passwords, biometrics,          Through settings maintained by
                               one-time PINs, or apps                  security teams
Is it visible to the user?     Yes                                     No
Is it changeable by the user?  Partially                               No
How does data move?            Through ID tokens                       Through access tokens

Most systems rely on both concepts, so it's crucial that IAM administrators understand how to apply each:

  • Authentication. Let staff members access your workplace systems only after they present the right credentials for your chosen authentication requirements.
  • Authorization. Grant permission to department-specific files, and restrict access to confidential data, such as financial information, to those who need it. Ensure that employees have access to the files they need to do their jobs, and no more.

Understand the difference between authentication and authorization, and implement IAM solutions that have strong support for both. Doing so helps protect your organization against data breaches while enabling your workforce to be more productive.

Granting Permissions with Okta

Okta Lifecycle Management gives you an at-a-glance view of user permissions, meaning you can easily grant and revoke access to your systems and tools as needed. Meanwhile, Okta Adaptive MFA lets you safeguard your infrastructure behind your choice of authentication factors. 

For example, make production orders accessible only to certain users who may then have to authenticate using both their company credentials and voice recognition. 

The opportunities to streamline IAM in your organization are endless. Find out how Okta can keep you, your employees, and your enterprise safe.

Identity and Access Management (IAM), also called identity management, refers to the IT security discipline, framework, and solutions for managing digital identities. Identity management encompasses the provisioning and de-provisioning of identities, securing and authenticating identities, and authorizing identities to access resources and/or perform certain actions. While a person (user) has only one digital identity, they may have many different accounts representing them. Each account can have different access controls, both per resource and per context.

The overarching goal for IAM is to ensure that any given identity has access to the right resources (applications, databases, networks, etc.) and within the correct context.

In this blog, I will cover the basics of IAM, including key components and strategies, tools and solutions, best practices, operational and security benefits, as well as how IAM intersects with privileged access management (PAM).

Identity and Access Management Fundamentals

Identity management is a foundational security component to help ensure users have the access they need, and that systems, data, and applications are inaccessible to unauthorized users.

Identity and access management organizational policies define:

  • How users are identified and the roles they are then assigned
  • The systems, information, and other areas protected by IAM
  • The correct levels of protection and access for sensitive data, systems, information, and locations
  • Adding, removing, and amending individuals in the IAM system
  • Adding, removing, and amending a role’s access rights in the IAM system

Technology to Support Identity and Access Management

IAM is typically implemented through centralized technology that either replaces or deeply integrates with existing access and sign on systems. It uses a central directory of users, roles, and predefined permission levels to grant access rights to individuals based on their user role and need to access certain systems, applications, and data.

Role-Based Access

Most IAM technology applies role-based access control (RBAC), using predefined job roles to control access to individual systems and information. As users join or change roles in the enterprise, their job role is updated, and their access rights should change with it: rights tied to the old role are removed, rights tied to the new role are granted.

For example, employees working in HR may have access to different systems and different fields of employee data depending on their specific job roles.

Of course, if certain users require special access outside their standard job role, exceptions can be granted; such exceptions should be recorded and reviewed separately from the role definitions.

IAM Tools

An identity management system typically involves the following areas:

  • Employee data—such as an HR system, directories (e.g. Active Directory), and more—used to define and identify individual users
  • Tools to add, modify, and delete users
  • Password management tools and workflows
  • Integration with or replacement of the existing login system(s)
  • Enforcement of user access rights to certain systems and information
  • Auditing and reporting for visibility into how systems and information are being used

IAM Administration

IAM systems should:

  • Record, capture, and authenticate user login information (usernames, passwords, certificates, etc.)
  • Manage the employee database of users and job roles
  • Allow for addition, deletion, and change of individual users and broader job roles
  • Provide a history of login and systems access for audit purposes
  • Allow for properly-segmented definitions and access controls for every part of the business's systems and data
  • Track user activities across all systems and data
  • Report on user activities
  • Enforce systems access policies

Three Typical Systems Used for Identity and Access Management

There are many technologies to simplify password management and other aspects of IAM. A few common types of solutions that are used as part of an IAM program include:

Single Sign On (SSO): An access and login system that allows users to authenticate themselves once and then grants them access to all the software, systems, and data they are entitled to without having to log into each of those areas individually.

Multi-Factor Authentication (MFA): This system requires two or more of something the user knows (e.g. a password), something the user has (e.g. a security token or authenticator app), and something the user is (e.g. a fingerprint) before authenticating individuals and granting them access.

Privileged Access Management (PAM): This system controls, monitors, and audits the use of privileged (administrative) accounts and actions. It typically integrates with the employee database and pre-defined job roles so that elevated access matches what employees actually need to perform their roles.

IAM technology can be provided on-premises, through a cloud-based model (i.e. identity-as-a-service, or IDaaS), or via a hybrid cloud setup. Practical applications of IAM, and how it is implemented, differ from organization to organization, and will also be shaped by applicable regulatory and compliance initiatives.
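The "something the user has" factor mentioned under MFA above, and the authentication-app factor listed earlier on the page, is most often a time-based one-time password (TOTP, RFC 6238). The following is an added example, not code from the original page or from any product it names, of how a server verifies such a code. The shared secret and timestamps are the RFC 6238 test values, used here as constructed sample input; the 30-second step, 6-digit length, and one-step drift window are the common defaults, assumed here.

```python
"""Added example (not from the original page): verifying a TOTP code (RFC 6238).

At enrolment the server shares a secret with the user's authenticator app.  Both
sides then derive a 6-digit code from HMAC-SHA1(secret, floor(unix_time / 30)).
The verifier accepts the current step and one step either side (clock drift),
compares in constant time, and never accepts the same time step twice, so a
captured code cannot be replayed.  Secret and times are RFC 6238 test values.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
WINDOW = 1  # accept steps t-1, t, t+1


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // STEP_SECONDS)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are usually provisioned with a base32 secret (otpauth:// URI)."""
    padded = encoded.upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


class TotpVerifier:
    """Server-side state for one enrolled user."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - WINDOW, current + WINDOW + 1):
            if step <= self.last_accepted_step:
                continue  # already used: a replayed code must not pass
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


# RFC 6238 Appendix B test secret for SHA1: ASCII "12345678901234567890".
RFC_SECRET = b"12345678901234567890"


def demo() -> dict[str, bool]:
    """Exercise the success path and the failure modes; every value should be True."""
    v = TotpVerifier(RFC_SECRET)
    t = 1111111109  # RFC vector: 8-digit 07081804, so 6-digit 081804
    good = totp(RFC_SECRET, t)
    return {
        "matches_rfc_vector": good == "081804",
        "accepts_current": v.verify(good, t),
        "rejects_replay": not v.verify(good, t),                    # same code, same step
        "accepts_drifted": v.verify(totp(RFC_SECRET, t + 30), t),   # device one step ahead
        "rejects_old": not v.verify(totp(RFC_SECRET, t - 90), t),   # three steps old
        "rejects_wrong": not TotpVerifier(RFC_SECRET).verify("000000", t),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'}")
```

The replay check matters in practice: within the 30-second window a phished or shoulder-surfed code is still valid, so the server must remember the last step it accepted for each user rather than only checking the HMAC.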

How IAM Can Control Interactions with Data and Systems

Sophisticated IAM technology can move beyond simply allowing or blocking access to data and systems. For example IAM can:

Restrict access to subsets of data: Specific roles can access only certain parts of systems, databases, and information.

Only allow view access: Roles can view data but cannot add, update, or delete it.

Only permit access on certain platforms: Users may have access to operational systems, but not development or testing platforms.

Only allow access to create, amend, or delete data, not to transmit it: Some roles may not be able to send or receive data outside the system, meaning it cannot be exposed to other third parties and applications.

Ultimately, there are many ways to implement IAM policies to define and enforce exactly how individual roles can access systems and data, based on a company’s specific needs.

Why Identity and Access Management is a Vital IT Enablement & Security Layer

IAM is critical to protecting sensitive enterprise systems, assets, and information from unauthorized access or use. An end-to-end IAM implementation will reduce the likelihood and impact of data breaches, and ensure that only legitimate, authenticated users have access. IAM is crucial to protect the following areas by only allowing authorized access:

Data and information: Sensitive customer, business, supplier, or other data, stored on local servers, in the cloud, or elsewhere.

Software and applications: Systems used by employees, customers, suppliers, partner businesses, and others.

Development, testing, staging, and operational platforms: All IT environments used for product and service development, launch, and operations.

Devices: Laptops, desktops, smartphones, tablets, IoT, and other devices.

Locations: Business locations including private office spaces, data centers, and secure locations.

Integrations: Data that is being transmitted, received, stored, or otherwise interacted with as it moves between different areas.

The Intersection of Identity and Access Management & Privileged Access Management

While some folks treat privileged identity management (PIM)—also called privileged access management (PAM) or just privilege management—as a sub-category within IAM, others consider PAM its own entity. Nevertheless, for holistic identity governance that controls both non-privileged and privileged identities, IAM and PAM both need to be mature programs that work and communicate with each other.

While IAM enables organizations to provision/de-provision identities, authenticate them, and authorize their access to resources and certain actions, it lacks the ability to layer on granular controls (such as enforcing the security principle of least privilege) when it comes to privileged identities and privileged access and permissions.

With an IAM solution alone, permissions and privileges are generally granted in broad strokes to far too many people, accounts, applications, etc. So, while IAM solutions allow IT teams to address ‘who has access to what?’, PIM/PAM solutions must be layered on to address such questions as “is that the appropriate amount of access?”, and “are those privileged activities appropriate?“

Since privilege misuse or abuse is a common ingredient of security breaches, integrating the critical PAM piece with an IAM implementation is essential. The more tightly identity and access management is integrated with privilege management, the more streamlined the control and auditing over all privileged and non-privileged accounts and access.
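One concrete way to answer "is that the appropriate amount of access?" is to compare what the IAM layer granted each account with what the audit trail shows the account actually used. The following is an added example, not code from the original page or from any IAM or PAM product. The grant table, the set of actions treated as privileged, and the audit log lines are all constructed sample data; the log format (timestamp, account, action, outcome) is assumed for the example.

```python
"""Added example (not from the original page): privilege rightsizing from audit data.

IAM records what each account was granted; the access log records what it used.
Comparing the two per account surfaces standing privileged grants that were
never exercised (candidates for removal under least privilege) and privileged
actions that succeeded without a matching grant (an enforcement gap to
investigate).  Grants, privileged-action list, and log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed: actions the organisation treats as privileged.
PRIVILEGED = {"iam:CreateUser", "iam:AttachPolicy", "db:DropTable", "host:sudo"}

# Constructed: permissions granted to each account by the IAM layer.
GRANTS: dict[str, set[str]] = {
    "svc-backup": {"db:Read", "db:Export", "db:DropTable", "host:sudo"},
    "jdoe": {"db:Read", "iam:CreateUser", "iam:AttachPolicy"},
    "intern": {"db:Read"},
}

# Constructed audit log, one event per line: timestamp account action outcome.
AUDIT_LOG = """\
2024-03-01T08:00:12Z svc-backup db:Read allow
2024-03-01T08:00:13Z svc-backup db:Export allow
2024-03-01T09:15:44Z jdoe db:Read allow
2024-03-01T09:16:02Z jdoe iam:CreateUser allow
2024-03-02T02:00:00Z svc-backup db:Export allow
2024-03-02T11:42:19Z intern db:Read allow
2024-03-02T11:43:07Z intern db:DropTable allow
2024-03-03T14:00:00Z jdoe db:Read allow
"""


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str        # "unused_privilege" or "unauthorized_privileged_action"
    permission: str


def parse_log(text: str) -> dict[str, set[str]]:
    """Return {account: set of actions the log says were allowed}."""
    used: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, account, action, outcome = line.split()
        if outcome == "allow":
            used[account].add(action)
    return used


def rightsize(grants: dict[str, set[str]], used: dict[str, set[str]]) -> list[Finding]:
    """Compare granted privileges with exercised ones for every account seen anywhere."""
    findings: list[Finding] = []
    for account in sorted(set(grants) | set(used)):
        granted = grants.get(account, set())
        exercised = used.get(account, set())
        # Standing privileged grants that were never used in the observed window.
        for perm in sorted((granted & PRIVILEGED) - exercised):
            findings.append(Finding(account, "unused_privilege", perm))
        # Privileged actions that succeeded although the account holds no such grant.
        for perm in sorted((exercised & PRIVILEGED) - granted):
            findings.append(Finding(account, "unauthorized_privileged_action", perm))
    return findings


def report(grants=GRANTS, log=AUDIT_LOG) -> list[Finding]:
    return rightsize(grants, parse_log(log))


if __name__ == "__main__":
    for f in report():
        print(f"{f.account:12} {f.kind:32} {f.permission}")
```

On the constructed data this flags svc-backup's unused db:DropTable and host:sudo and jdoe's unused iam:AttachPolicy as candidates for removal, and the intern's successful db:DropTable as a privileged action performed without a grant, which is exactly the kind of gap between "who has access to what" and "are those privileged activities appropriate" that the text says PAM has to close.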

Final Words on Identity and Access Management

IAM is a central practice to protecting sensitive business data and systems. Implemented well, IAM provides confidence that only authorized, authenticated users are able to interact with the systems and data they need to effectively perform their job roles.

While any IAM implementation will start with an audit of an organization’s needs (defining roles, access requirements, etc.) and creation of a policy, there are many different IAM tools and solutions that can help you execute on an IAM program. Any tools you select should meet the use cases for your environment.

Also consider prioritizing tools that provide highly automated workflows to simplify IAM administration, and identity management tools that integrate well with other systems and security technologies (such as PAM). The more seamlessly a tool fits within your own environment and alongside your other security tools, the more likely you are to close security gaps and improve business operations.