What is identity management?
Identity management, also referred to as ID management and IDM, is a security solution that is used to verify and assign permissions to digital entities, which can be people, systems, or devices. Identity management includes creating, maintaining, and verifying these digital identities and their attributes and associating user rights and restrictions with established identities.
Learn more about advancing intelligent identity management.
With identity management, administrators can ensure that the right amount of access is granted at the right time using identity governance, access management, and directory services to keep IT systems, networks, and data protected against unauthorized and malicious access.
What is a digital identity?
A digital identity is a collection of information about individuals, organizations, or electronic devices that exists on a network or online. Digital identities are made up of any number of characteristics, or data attributes, such as:
- Date of birth
- Domain
- Email address
- IP address
- Medical history
- Online search activities (e.g., browsing history, electronic transactions)
- Purchasing history or behavior
- Social security number
- Username and password
Core functions in identity management
Identity management in connected systems and networks focuses on three core functions:
- Determining whether a set of digital credentials presented to a service or application validates an entity’s identity and if that entity has permission to conduct the requested transaction.
- Assessing whether an access management system can trust the results of that validation enough to grant access to the requested data or services.
- Establishing whether to trust credentials presented by a website or web application, to represent the business, institution, or agency with which an individual wants to conduct a transaction.
How identity management works
To start, an identity management system establishes a digital identity for each entity under management. Once a digital identity is in place, an identity management system is used to administer the digital identities, including supporting maintenance, modifications, and monitoring throughout their lifecycles.
Identity management also enables the creation and enforcement of policies that direct access privileges. These are used to control which users have access to which resources, devices, and assets in the network. Using access controls, identity management prevents unauthorized access to resources, which increases security and productivity, and reduces risk and vulnerabilities.
Identity management systems continually monitor information sources. If something changes in the information source, the identity management system pulls the new information, recomputes it, applies policies, and then pushes that information to other systems. Typically, an identity management system has a set of rules and scripts that are used to process the data.
Identity management versus access management
The terms identity management and access management are commonly but erroneously used interchangeably or in combination. The function of identity management is used to confirm that an entity is who or what they are presented to be. In contrast, access management uses validated identity information to determine what resources an entity can use and how.
Why the enterprise needs identity management
Tracking identity information for the many entities in an enterprise network is a challenge. Identity management systems provide a solution that enhances both security and operations within an organization.
An identity management system protects enterprises by ensuring that only authenticated users (i.e., individuals or devices) are granted access to the specific applications, components, and systems they are authorized to use.
Identity management systems also provide IT administrators with a single source of truth to establish, maintain records, and meter users’ access to resources as they are onboarded or leave the organization.
In addition, identity management systems allow IT teams to apply business policies to users’ access. For example, dependent conditions can be set, such as requiring secured connectivity when accessing sensitive information.
Benefits of identity management
Time to value is accelerated with an identity management system by expediting access to enterprise resources, which improves security and productivity. Identity management systems enable administrators to automate many user-account–related tasks, such as onboarding new users and devices to the network and granting them access to the appropriate systems and applications based on roles and requirements.
Using an identity management system, administrators have granular access capabilities that allow them to apply the principle of least privilege. This limits the cybercriminals’ reach across data and networks if credentials are compromised by hacking, phishing, or other malware. It can also mitigate the scope of a ransomware attack.
Other benefits realized with identity management are:
- Ability to provide authorized access through any platform with existing digital identities
- Additional layers of protection by ensuring user access policies and rules are applied consistently across an organization
- Audit trail of all the changes allowing administrators to trace who has changed what and when
- Better management of employees’ systems and data access
- Capability to create groups, replicate the organizational structure, and provision and deprovision services (e.g., virtual sites)
- Centralize storage of user’s digital information
- Continual monitoring for unapproved access and changes in users’ privileges and access that could be a threat
- Enhanced employee productivity by expediting onboarding
- Reports that provide information about user privileges and access to the systems
- Self-service interface for users to perform a number of tasks, including resetting their passwords, requesting access, and reviewing their accounts to check usernames
- Simplified processes for changing access authorizations for different systems when a user’s role or function changes
- Single identity to log in to different systems eliminating the need to have multiple sets of user IDs and passwords for disparate systems
- Streamlined identity management for customers, partners, suppliers, and devices
- Support for the whole identity lifecycle
- User notifications about the changes in their privileges or accounts
What to look for in identity management software
When evaluating identity management software, it is important to take the time upfront to create a baseline needs assessment. This will vary by organization, but the following are several key areas that should be considered and used to guide the selection of an identity management solution.
Industry
Basic identity management systems provide the requisite functionality for many organizations. However, some industries have unique requirements. Some solutions are tailored for different industries (e.g., healthcare, financial services) and include functionality that addresses their specific needs (e.g., compliance, advanced security, geographically distributed user bases).
On-premises versus cloud deployment
Cloud identity management solutions have become the default option for most organizations. However, some need either all on-premise or hybrid options. It is important to understand what the deployment options are as well as their strength and available support.
Size of the organization
Identity management software needs will differ based on the organization’s size to match capabilities and tools with IT environments, business locations, user locations, and workloads. Another important consideration with regard to size is anticipated growth. An organization that expects significant growth should select an identity management system that can scale as needs change.
Support requirements
The first support consideration should be related to deployment and implementation. Identity management solutions providers should be evaluated according to the support they offer and how that aligns to the organization’s needs. Once the system has been launched, it will require ongoing maintenance and monitoring. Organizations must also determine if this will be handled internally or if vendor support is required.
User base
An organization’s user base should be factored into evaluations of identity management systems. For instance, consider if human users are limited to employees only or if they will include external users, such as contractors, customers, and partners. Non-human entities (e.g., devices, applications, cloud storage) should also be considered.
Capabilities: Must-have and nice-to-have
When selecting identity management software, it is important to prioritize capabilities. While most vendors offer a basic set of capabilities, the extended feature list often differs.
A prioritized list of capabilities helps eliminate identity management systems that do not meet requirements and provides a guide for assessing other options. Categories and features to look for and evaluate when assessing identity management systems include:
Administration
- Ability to change users and permissions in bulk
- Automated provisioning for existing and new cloud and on-premises applications procured
- Consoles and tools for operations, monitoring, and maintenance that are easy to understand and use
- Self-service password administration to allow users to set and change passwords without IT support
Authentication and access
- Ability to log into multiple systems, including legacy applications, cloud applications, network resources, and servers
- Authentication technologies either included or supported (e.g., one-time passwords, biometrics, knowledge-based, key cards, mobile-phone-based tokens)
- Good authentication user experience, including how credentials are provided
- Third-party (e.g., customers, partners) access for users within or outside the company’s network
Identity directories
- Cloud-based directory option that contains all user names and attributes
- Support for application-as-profile master—the directory treats the user’s profile in an application as the ongoing source of truth for that user’s profile, and changes to a profile in the master application drive changes to the profile in other applications
- Variety and quality of integrations with identity repositories (e.g., active directory, LDAP)
Platform
- Ability to customize the user interface
- Reliability of cloud-based service (i.e., minimal downtime)
- Maintains optimal performance under significant workloads
- Scalable to support an increased number of users
- Vendor follows appropriate security protocols and has appropriate certifications
- Pre-built and customizable reports are provided to manage operations
- Logging capabilities to support audit requirements
- Ability to act as the identity provider to external service providers
- Cross-browser support for browser-based applications
- APIs to support integrations with cloud and on-premises applications
Provisioning
- Ability for stakeholders and managers to approve or reject requested changes to access based on a defined workflow
- Ability to terminate access to multiple applications based on dates
- Automated (i.e., smart) creation of account and access rights, changes, and removals for on-premise and cloud applications
- Bidirectional profile synchronization to maintain profile attributes consistency across applications, if the change is made in the provisioning system or the application
- Policy management capabilities that allow administrators to create access policies and apply policy controls throughout request and provisioning processes
- Profile Attribute Transformation: Transforms profile attributes to the required format for all of the systems being updated
- Role management capabilities that allow administrators to establish roles with an associated set of authentication rights
- Users can request access to an application and be automatically provisioned if they meet policy requirements (i.e., self-service access)
Systems and application support
- Ability for users to access company applications from their own device as allowed by company policy
- Mobile capabilities for various mobile operating systems
- Single sign-on for native and cloud applications
- Standard integrations to most common cloud and on-premise applications
Identity management and data security
Because identity management systems manage an organization’s user credentials, it is imperative that the solution meet internal security requirements. This ensures that security standards are maintained according to corporate protocols, and compliance requirements are met.
A consideration in assessing identity management tools is their ability to identify unusual user behavior that can indicate nefarious activity.
This includes monitoring systems for altered permissions and the ability to lock users out of systems if any anomalous activity is detected.
Identity management and compliance
An identity management system should address compliance requirements. Some have more compliance capabilities than others.
For organizations that are subject to broad compliance standards, consider which regulations the identity management solution can support. This is especially important for organizations with a global presence.
Identity management and mitigating cyber risk
Governance and administration processes are key components in programs and processes that mitigate cyber risk. These capabilities should be included in identity management solutions. This includes providing transparency across all applications and users’ access. Systems should also provide the ability to identify the source of any unauthorized access or policy violations.
Identity management software can also mitigate cyber risk by providing lifecycle management automation, such as automatically revoking access privileges when a user is no longer associated with the organization or changing access privileges when a user’s role changes.
Strong identity management bolsters the enterprise’s security posture
The primary role of identity management is to ensure that only authenticated users are able to access specified applications, systems, and IT environments based on their authorizations. Identity management systems with rich automation capabilities can take security to a higher level by reducing the risk associated with access.
Automating policies eliminates human errors related to onboarding, terminating, and changing access. As a result, identity management can significantly reduce vulnerabilities, strengthen security, and increase productivity by eliminating inevitable lag times in manual processes.
