Access management and identity management are two sides of the same coin: they share a purpose and an end goal, but they differ in important ways, although only very few people know this.
- Access management relates to authorizing users.
- Identity management relates to authenticating users.
The problem is that most people don’t understand the technical difference between authentication and authorization, and that is a weakness that hackers can exploit. Strict authentication requirements do not imply strict authorization standards. For example, an organization can have a single administrative account that is used for authenticating users. Users can only access the desired information if they have the login for that account, but if a hacker is able to find those credentials, then the authorization is guaranteed.
This example helps break down the differences between identity and access. It is important to understand how the two concepts work together to secure a system, database, or network.
Understanding Identity And Authentication
While a login and password are typically the most common method of determining a user’s identity, they are not the only one. The first step in adding a user to a system is to determine the user’s identity. Organizations need to know who is making each request.
Technology has come a long way: identity management now includes biometrics (such as retinal scans and thumbprints), and tokens are used to ensure that user information cannot be imitated by anyone else. As devices become more secure and portable, they are also becoming a common means of identifying a particular user.
The system managing the identities will verify the provided details against a long list of all possible users. As a system or company gets bigger, the problem can increase exponentially. Instead of constantly running through a lengthy list of users, identity management has moved toward assigning identities based on groups, and then assigning roles for those groups. This reduces the number of names and information that must be reviewed in the process, with the username “Admin” being a very common example of how this is done.
Identity can also be layered to include details about a person that help determine their role. For example, a company can attach the department and unit to a username so that the system has details about that user. This can be used to help determine what information that user can access, but that is a different step. Identity management only deals with determining who the user is. Users are classified in a way that can make it easier to set up the access aspect.
Understanding Access And Authorization
Once a user has been established in the system, that user can be provided access. The question of who the user is has to be answered before the system can determine what information or data that person can access. The user is first authenticated through identity management, and then the system determines what that person’s authorization is. Knowing that a person works for a specific department, as recorded in the identity step, helps the system determine what that person is authorized to see.
If someone in accounting accesses a system, having the person assigned to the accounting group will give them access to the finances of the company. If a person in engineering accesses the system, that person will be authorized to access engineering plans, charts, drawings, and documents that the accountant cannot access, but the person won’t have access to the financial information.
Access management evaluates the identity and attributes of a user to determine what that user’s authorization is. It evaluates the identity but does not manage that data.
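The two steps described above, as an added example in Python (not from the original article): `authenticate` only answers who the user is, and `authorize` evaluates that identity's department against a default-deny access table. All usernames, passwords and resource names are constructed, and the shared `admin` entry mirrors the single administrative account from the earlier example.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored credentials are not kept in plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, department: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "department": department}

# Identity store (constructed sample data).
USERS = {
    "ada": _make_user("ledger-pass", "accounting"),
    "eze": _make_user("cad-pass", "engineering"),
    "admin": _make_user("shared-pass", "admin"),  # one shared administrative account
}

# Access policy: department -> resources. Anything not listed is denied.
GROUP_ACCESS = {
    "accounting": {"finances"},
    "engineering": {"engineering_plans"},
    "admin": {"finances", "engineering_plans"},
}

def authenticate(username: str, password: str):
    """Identity management: establish who is asking. Makes no access decision."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return None
    return {"username": username, "department": user["department"]}

def authorize(identity, resource: str) -> bool:
    """Access management: evaluate identity attributes, default deny."""
    if identity is None:
        return False
    return resource in GROUP_ACCESS.get(identity["department"], set())

def blast_radius(username: str, password: str) -> list:
    """Everything a single set of credentials unlocks once authenticated."""
    identity = authenticate(username, password)
    everything = set().union(*GROUP_ACCESS.values())
    return sorted(r for r in everything if authorize(identity, r))
```

Comparing `blast_radius` for a departmental user with the shared `admin` account shows why strong authentication on a broadly authorized account still exposes every resource to whoever holds that one login.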
Why People Get Confused And Why It Matters
The reason these two concepts are confusing is that they are two critical steps for a user who is accessing information. The information provided by identity management determines how access management will function. Since users only enter identity information, they do not realize that there is an entirely different management system to establish their access. Identity and access are so closely tied together that it can be difficult to remember that they are not the same thing.
Consequently, it is something that malicious users can use against their intended victims. If identity management is detailed and descriptive, but access management is not clearly defined, it becomes very easy for a hacker to find the person with the kind of access they need to reach the data or information they want. If access management is detailed, but identity management is uncertain, it can create countless problems for legitimate users trying to go about their daily tasks.
To ensure the right flow and tighter security, both need to be detailed and aligned. Both of them are basic concepts, and they are essential to the security of the whole organization or system.