To enter a house, you need to open a lock. To open a lock, you need a key. Kids in the family may not be given a key to the house as they don’t need it. It is generally not a safe practice to entrust a wee child with important artifacts or documents. The eldest daughter in the house may not be given a key to the house but one to her room and one to the front gate as she locks her own room for privacy, and needs a key to the gate as she comes home unescorted. And why give your daughter the key to your own room – she doesn’t need it and if she loses it, the security of your valuables will be compromised. Besides, she should not have the right to access your bedroom without your knowledge – it is a good value to instill in her some sense of sacredness. Perhaps you are out on one of those rare date-nights with your husband or wife. This time, you need to give one of your children the key to the house. Or perhaps you and your significant other are both going to be at work when the plumber is scheduled to fix the leaking kitchen sink. Now, somehow the plumber needs access to your house.
If you lose your key you need to get a new one made. The key-maker will want to verify that you are the owner of the house.
In the world of information technology, this is called ‘Access Management’. Employees in a company have different levels of authority and different fields to manage. It is logical that you give an employee only the access that his job necessitates and not any more. It tightens security and makes him recognize where he belongs in the company. Sometimes you need to seasonally or situationally give someone access to an app or database. All this must be possible in a sensible, trouble-free manner. Setting up the initial access rights for different employees to different apps is called user provisioning. Maintaining their access rights and situationally providing or revoking access is called access governance.
What about the ‘Identity’ in ‘Identity and Access Management’? Where does that fit in? The perspective of the systems and apps that need authorization is called access. The perspective of the person who needs access is called identity. Different accesses are given to an identity – an identity is given access. Like how one does not officially have a public identity until one has a passport, your identity in an organization’s systems does not exist until it is created by the IT department. You are nobody even if you are physically present. There is no basis upon which access to various apps and systems can be granted. The creation of this identity is called account creation. This is because in technical terms, your identity in a computer system is saved as an account.
Once your account is created, you need authorization to access different apps, systems and databases. Authorization determines the extent of your rights. Which apps or systems are you allowed to access and when are you allowed to access them? It is common practice to give rights-to-access on a need basis only. This tightens security as there are fewer total accesses which logically reduces the possibility of unauthorized access.
Once you have rights to access, you need to authenticate to gain access every time you wish to operate the app, system or database. Authentication is the process by which your right to access is determined.
Authentication can be password-based, biometric, or a combination (MFA – Multi-Factor Authentication) of a password and an SMS OTP (OneTime-Password), a password and an Email OTP, or any such combinations. An OTP is a onetime password that is sent to one of your devices or accounts such as your mobile number or email address and this creates a stronger authentication system for obvious reasons.
To give a slightly deeper understanding of IAM systems, here is an example. People in an accounts department will have different roles and hierarchical positions. It is possible with IAM to give specific people access to only specific steps within the accounting process. This also improves security and the confidentiality of data. It allows a data breach to be narrowed down to a smaller number of people rather than an entire department. A preset group of access rights is called a role. That is, based on the role you have within the organization, or more specifically, within the IAM system, what accesses you are granted by default are determined. It is possible to add and revoke accesses on a need basis and even to schedule accesses for certain times, situations, or seasons.
IAM is very important both for security and for the organized and logical operation of a company. Without it, data breaches would be astronomical and companies would lose all their integrity. It also creates order within an organization. “A place for each person, and each person in his place.” This was the motto of Henri Fayol, one of the fathers of modern management. It holds true here for without a high level of order, an organization will simply disintegrate into a cluster of people, there would be no formal sense of position or authority within the IT systems and chaos will reign supreme. An office would turn into a zoo, and we would all seem more like monkeys on typewriters than a purposeful organization with a goal and with direction.