Identity Management vs. Access Management: What’s the Difference?
by Remediant, on Oct 16, 2018
To all but a small percentage of people, there is no real difference between identity management and access management because very few people need to understand the distinctions. Or at least, they don’t realize that they need to understand how the two concepts are dissimilar. They are related, but decidedly not the same thing.
- Identity management relates to authenticating users.
- Access management relates to authorizing users.
The problem is that most people don’t understand the difference between authentication and authorization in terms of technology, and that is a weakness that malicious hackers can exploit. Just because you have strict authentication requirements does not mean that you have strict authorization standards. For example, you can have a single administrative account that is used for authenticating users. Clearly, users can only access the desired information if they have the login for the account. If a black hat hacker is able to find those credentials, then the authorization is guaranteed.
This is a very limited example. To better understand the difference between identity and access, it is important to understand how the two concepts work together to secure a system, database, or network.
Understanding Identity and Authentication
While having a user login and password are typically the most common methods of determining a user’s identity, they are not the only ways. The first step to add a user to a system is to determine that person’s identity. Companies need to know who is making each request.
Technology has come a long way so that identity management now includes details like biometrics (such as retinal scans and thumbprints) and tokens are used to ensure that user information cannot be duplicated by anyone else. As devices become more secure and portable, they are also becoming a common means of identifying a particular user.
The system managing the identities will verify the provided details against a long list of all possible users. As a system or company gets bigger, the problem can increase exponentially. Instead of constantly running through a lengthy list of users, identity management has moved toward assigning identities based on groups, and then assigning roles for those groups. This reduces the number of names and information that must be reviewed in the process, with the username “Admin” being a very common example of how this is done.
Identity can also be layered to include details about a person to determine their role. For example, a company can provide the department and unit with a username so that the system has details about that user. This can be used to help determine the access of information that is available for that user, but that is a different step. Identity management only deals with determining who the user is. They are classified in a way that can make it easier to set up the access aspect.
Understanding Access and Authorization
Once a user has been established in the system, that is when the user is provided access – “the who” the user is has to be answered before the system can determine what information or data that person can access. The user is first authenticated through identity management, and then the system determines what that person’s authorization is. Knowing that a person works for a specific department specified in the identity section will help the system determine what that person is authorized to see.
If someone in accounting accesses a system, having the person assigned to the accounting group will give them access to the finances of the company. If a person in engineering accesses the system, that person will be authorized to access engineering plans, charts, drawings, and documents that the accountant cannot access, but the person won’t have access to the financial information.
Access management determines the identity and attributes of a user to determine what that user’s authorization is. It evaluates the identity but does not manage that data.
Why People Get Confused and Why It Matters
The reason these two concepts are confused is that they are two critical steps for a user who is accessing information. The information provided by identity management determines how the access management will function. Since users only enter identity information, they do not realize that there is an entirely different management system to establish their access. Identity and access are so closely tied together that it can be difficult to remember that they are not the same thing.
Consequentially is something that malicious users can use against their intended victims. If the identity management is detailed and descriptive, but the access management is not clearly defined, it becomes very easy for a black hat hacker to find the person with the kind of access they need to find the data or information they want to get access to. If access management is detailed, but the identity management is too vague, it can create countless problems for legitimate users trying to go about their day.
To ensure the right flow and tighter security, both need to be detailed and aligned. Both of them are basic concepts, and they are essential to the security of the whole system.