It might be a bold statement, but there is no consistent definition of the domain of identity and access management (IAM). Over the years, this inconsistency has led to widespread confusion.

Much has been written about the IAM domains of capabilities and services. With so much thoughtful and innovative work and so many disparate parties, it’s no wonder IAM lacks a single lexicon. There are some commonalities, however. The work by Gartner, Forrester Research, the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and other organizations have helped to clear some fog.

Clearing the Fog

Older and more mature concepts have been widely adopted. For example, as much as it bothers those of us who understand Lightweight Directory Access Protocol (LDAP) as an actual protocol, it’s common to hear “the LDAP” in reference to an enterprise directory. But less mature concepts still vary widely and lack precision and consistency.

This isn’t strictly a problem with nomenclature. The real issue is the lack of consistent understanding about the relationships between the IAM domains. My colleagues and I have worked with hundreds of clients across industry sectors in the U.S. and Canada. In doing so, one of the most common topics of conversation starts with a client asking, “What do you mean when you say …?” We have become adept at translating the corporate vernacular.

Even after more than 15 years of widespread, mainstream IAM use, it has become routine to describe our view of the IAM domain. My colleagues and I developed a structure to describe this domain as it is divided into services that may be consumed by business users. Breaking these down further, we defined a set of common use cases for each.

The Fundamental IAM Domains

IAM is one of the most important facets of information security. It is connected to nearly every other element of security — in fact, it touches almost every aspect of the business. Think about that for a moment: What other systems affect nearly every user, every department and every application, and influence the financial reliability of a business? An enterprise resource planning (ERP) package? A web hosting platform? An HR management solution? Maybe, but not much else.

Below are the fundamental IAM domains:

  • Identity data defines how user data is stored, used and managed. This data includes basic information (name, email, user ID, phone numbers, etc.), entitlement data (who has access to what applications, detailed application access) and identity metadata (user preferences and provisioning metadata).
  • Identity management defines how users acquire, change, manage and lose access and identity data. This is likely the largest IAM domain and certainly the most complex. It is the manifestation of processes specific to each organization.
  • Access governance defines how an organization’s management can oversee, control, report on and respond to users’ access and the use of secured resources. This is the most diverse IAM domain, with links to other security areas. It is also, in our experience, the IAM domain with the lowest level of maturity among clients.
  • Access enforcement defines how users’ access is enforced to know who they are and ensure they only access what they are authorized to access. This is the domain that most end users interface with most directly and most often.

Domain Codependence

None of the IAM domains can exist without the others. Even identity data, which is the source of necessary information and was the first to mature into the pseudocommodity it is today, is dependent on the other domains. While it’s common to think about these domains tactically, it’s impossible to ignore the others.

Let’s consider the following example: Imagine your company received audit commentary stating the need for two levels of certification for user access to a set of applications. The natural reaction is to focus on access governance. But without high-quality identity data and alignment between access governance policies and the identity management provisioning rules, companies find themselves solving the symptom but not necessarily making themselves more secure. The audit finding will go away in the next audit cycle, but is that what we as security professionals are trying to achieve? Aren’t we trying to protect our sensitive resources?

Below is a high-level relationship between the IAM domains. These are the necessary links that enable all IAM domains to achieve maturity. Improvements in one IAM domain positively affect the others. Conversely, neglecting one weakens the others.

There has been an interesting and important growth of maturity in each IAM domain. It has not been consistent across all domains, however. The technology solutions have often led the way, while process integration has been the laggard in every case.

Recently, the majority of IAM initiatives across the industry have focused on wider adoption, process alignment and expanded functionality. Very few companies have high maturity in all capabilities of each IAM domain. Some try to boil the ocean and do all of them poorly. Others only fight fires and are unable to deliver strategic IAM services. Others still are heavily constrained by cost and cannot succeed at even the most basic capabilities. As a result, there appears to be an upper boundary to the maturity organizations are reaching in their attempt to fully service business users. Perhaps we need a better way to offer these capabilities — one that focuses on specific value.

IAM Service Model: Measuring Maturity and Value

The next step is to define the services these IAM domains offer and understand the value each can provide. We need to come to a consensus about what positive changes an organization might reap from each domain. Some are monetary, some are intangible and some simply won’t apply to your organization. But they all have value to stakeholders and business units.

These are not universal, and the extent of the value is dependent on the maturity in each area. The important takeaway is the direct relationship between maturity and the value received.

Identity data enables organizations to achieve:

  • Cross-IT platform standardization;
  • Consistent levels of access across applications;
  • Common credentials;
  • Centrally enforced security over sensitive identity data; and
  • User data mining.

Benefits of identity management include:

  • Operational efficiency through automation;
  • Improved user effectiveness for new hires and movers;
  • Regulatory compliance through process automation;
  • Smooth organizational changes; and
  • Improved security through policy enforcement.

Access governance empowers organizations to:

  • Automate regulatory compliance;
  • Simplify audit processes;
  • Integrate cross-security platforms, such as system on chip (SoC) and event correlation; and
  • Increase visibility into oversight and management controls.

Access enforcement engenders:

  • Improved user experience;
  • Consistent access control enforcement;
  • User engagement and analysis;
  • Regulatory compliance enforcement; and
  • Business partner integration.

What About Privileged Identities?

If we take a product-centric view of the IAM domain, it would seem that privileged identities are not included. In our view, however, privileged identities are not a separate IAM capability. Rather, all of these IAM domains must apply to privileged identities, but via different mechanisms and use cases.

Fundamentally, privileged identities represent a small population of users — typically employees or vendors — who have unique and potentially risky access. In spite of the low number of affected users, many technology solutions provide these capabilities for this narrow audience. It’s justifiable given the high potential impact and unique use cases.

More from Identity & Access

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…