
Identity Access Management (IAM)
• Identity and access management (IAM) is a framework of business
processes, policies and technologies that facilitates the management of
electronic or digital identities.
• With an IAM framework in place, information technology (IT) managers can
control user access to critical information within their organizations.
• Systems used for IAM include single sign-on systems, two-factor
authentication, multifactor authentication and privileged access
management.
• These technologies also provide the ability to securely store identity and
profile data as well as data governance functions to ensure that only data
that is necessary and relevant is shared.
Why is IAM important?
• Business leaders and IT departments are under increased
regulatory and organizational pressure to protect access to corporate
resources.
• As a result, they can no longer rely on manual and error-prone
processes to assign and track user privileges.
• IAM automates these tasks and enables granular access control and
auditing of all corporate assets, on premises and in the cloud.
• IAM, which has an ever-increasing list of features -- including
biometrics, behavior analytics and AI -- is well suited to the rigors of
the new security landscape.
Identity Lifecycle
• In the identity lifecycle, an identity is created that defines who or
what (human or non-human) needs access to a protected resource.
• Identity and access management (generally referred to as IAM) is the
practice of granting the right individuals access to the right resources
for the right reasons.
• Corporate identities: The identities that you manage for employees
of your organization. These identities are used for signing in to
workstations, accessing email, or using corporate applications.
Corporate identities might also include non-employees such as
contractors or partners that need access to corporate resources.
• Customer identities: The identities that you manage for users in
order to interact with your website or customer-facing applications.
• Service identities: The identities that you manage in order to enable
applications to interact with other applications or the underlying
platform.
• Managing corporate, customer, and service identities forms the
foundation of IAM. These topics are boxes 4, 5, and 6 (in green).
• Relying on identity management as the foundation, boxes 2 and 3 (in
blue) denote access management topics. These topics include
managing access to Google services, to Google Cloud resources, and
to your custom workloads and applications.
• Box 1 (in yellow) indicates access management topics that are beyond
the scope of these guides. To learn about access management for
Google Workspace, Google Marketing Platform, and other services,
see the individual product documentation.
Identity management
• Identity management focuses on the following processes:
• Provisioning, managing, migrating, and deprovisioning identities,
users, and groups.
• Enabling secure authentication to Google services and to your custom
workloads.
Managing corporate identities
• Corporate identities are the identities that you manage for your
organization's employees. Employees use these identities for signing in to
workstations, accessing email, or using corporate applications.
• In the context of managing corporate identities, the following are typical
requirements:
• Maintaining a single place to manage identities across your organization.
• Enabling employees to use a single identity and single sign-on across
multiple applications in a hybrid computing environment.
• Enforcing policies such as multi-factor authentication or password
complexity for all employees.
• Meeting compliance criteria that might apply to your business.
Managing application identities
Application identities are the identities that you manage in order to let
applications interact with other applications or with the underlying
platform. In the context of managing application identities, the following
are typical requirements:
• Integrating with third-party APIs and authentication solutions.
• Enabling authentication across environments in a hybrid or multi-
cloud scenario.
• Preventing leakage of credentials.
Managing customer identities
Customer identities are the identities that you manage for users to let them
interact with your website or customer-facing applications. Managing
customer identities and their access is also referred to as customer identity
and access management (CIAM).
• In the context of managing customer identities, the following are typical
requirements:
• Letting customers sign up for a new account but guarding against abuse,
which might include detecting and blocking the creation of bot accounts.
• Supporting social sign-on and integrating with third-party identity
providers.
• Supporting multi-factor authentication and enforcing password complexity
requirements.
Access management
Access management focuses on the following processes:
• Granting or revoking access to specific resources for identities.
• Managing roles and permissions.
• Delegating administrative capabilities to trusted individuals.
• Enforcing access control.
• Auditing accesses that are performed by identities.
IGA System Components (Identity Governance and Administration)
Password management: using tools like password vaults or, more often, SSO, IGAs
ensure users don’t have to remember many different passwords to access
applications.

Integration connectors: used to integrate with directories and other systems that
contain information about users and the applications and systems they have access
to, as well as their authorization in those systems.

Access request approval workflows: support the automation of a user’s request for
access to applications and systems and ensures all access is properly authorized.

Automated de-provisioning: supports the removal of a user’s entitlement to access
an application when the user is no longer authorized to access a system.
Attestation reporting: used to periodically verify user entitlements in various applications (such as
add, edit, view, or delete data) and is usually sent to a user’s manager.

Recertification of user entitlements: often a response to an attestation report, recertification of
user entitlements involves recording a manager’s approval of their staff’s system access. If access is
no longer required, this shifts to automatic de-provisioning.

Segregation of duties: rules that prevent risky sets of access from being granted to a person. For
example, if a person has the ability to both view a corporate bank account and transfer funds to
outside accounts, this might enable a user to transfer money to a personal account.

Access reviews: reviews include tools that streamline the review and verification (or revocation) of
a user’s access to different apps and resources. Some IGA tools also provide discovery features that
help identify entitlements that have been granted.

Role-based management: also known as Role-based Access Control (RBAC), this includes defining
and managing access through user roles.

Analytics and reporting: include tools that log activities, generate reports (including for
compliance), and provide analytics to identify issues and optimizations.
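The following is an added example that is not part of the slides: a small identity governance model in Python that ties together four of the components listed above. Roles bundle permissions (RBAC), segregation-of-duties rules name permission pairs that must never meet in one person, an access request passes through a second-person approval and an SoD check before the role is granted, and de-provisioning strips every entitlement in one step. All role names, permissions, rules and identities are constructed sample data.

```python
"""Toy identity governance model: RBAC roles, segregation-of-duties rules,
an access request approval step, and automated de-provisioning.
Added example; not code from the slides. Every role, permission, rule and
identity below is constructed sample data."""
from dataclasses import dataclass, field

# RBAC: each role bundles the permissions one job function needs (constructed).
ROLES = {
    "ap-clerk":  {"bank:view", "invoice:create"},
    "treasurer": {"bank:view", "bank:transfer"},
    "auditor":   {"bank:view", "ledger:read"},
}

# Segregation of duties: permission pairs that must never meet in one person.
SOD_RULES = [
    ("invoice:create", "bank:transfer"),   # raise a payable and also pay it
    ("bank:transfer", "ledger:read"),      # move funds and also audit the ledger
]


@dataclass
class Identity:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True

    def permissions(self) -> set:
        """Effective entitlements: the union of all role permissions,
        or nothing at all once the identity has been de-provisioned."""
        if not self.active:
            return set()
        return set().union(*(ROLES[r] for r in self.roles))


def sod_violations(perms: set) -> list:
    """Return every SoD rule that the given permission set breaks."""
    return [(a, b) for a, b in SOD_RULES if a in perms and b in perms]


def request_access(identity: Identity, role: str, approver: str) -> tuple:
    """Access request workflow: a second person must approve, the role must
    exist, and the prospective entitlements must pass the SoD check."""
    if approver == identity.name:
        return False, "self-approval is not allowed"
    if role not in ROLES:
        return False, f"unknown role: {role}"
    prospective = identity.permissions() | ROLES[role]
    violations = sod_violations(prospective)
    if violations:
        a, b = violations[0]
        return False, f"segregation of duties: {a} conflicts with {b}"
    identity.roles.add(role)
    return True, "granted"


def deprovision(identity: Identity) -> set:
    """Automated de-provisioning: disable the identity and strip every role
    in one step, so no orphaned entitlement survives the leaver process."""
    identity.roles.clear()
    identity.active = False
    return identity.permissions()


def is_allowed(identity: Identity, permission: str) -> bool:
    """Access enforcement: consult effective entitlements only."""
    return permission in identity.permissions()


if __name__ == "__main__":
    alice = Identity("alice", {"ap-clerk"})
    print(request_access(alice, "treasurer", approver="bob"))  # SoD conflict
    print(request_access(alice, "auditor", approver="bob"))    # granted
    print(is_allowed(alice, "ledger:read"))
    print(deprovision(alice), is_allowed(alice, "ledger:read"))
```

The SoD check runs on the prospective permission set, not on the requested role alone, which is what catches the clerk-plus-treasurer combination even though each role is harmless by itself.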
• User management: Activities for the effective governance and
management of identity life cycles
• Authentication management: Activities for the effective governance
and management of the process for determining that an entity is who
or what it claims to be.
• Authorization management: Activities for the effective governance
and management of the process for determining entitlement rights
that decide what resources an entity is permitted to access in
accordance with the organization’s policies.
• Access management: Enforcement of policies for access control in
response to a request from an entity (user, services) wanting to
access an IT resource within the organization.
• Data management and provisioning: Propagation of identity and data
for authorization to IT resources via automated or manual processes.
• Monitoring and auditing: Monitoring, auditing, and reporting
compliance by users regarding access to resources within the
organization based on the defined policies.
IAM processes support the following operational activities:
Provisioning
• This is the process of on-boarding users to systems and applications.
• These processes provide users with necessary access to data and
technology resources.
• The term is typically used in reference to enterprise-level resource
management.
• Provisioning can be thought of as a combination of the duties of the human
resources and IT departments, where users are given access to data
repositories or systems, applications, and databases based on a unique
user identity.
• Deprovisioning works in the opposite manner, resulting in the deletion or
deactivation of an identity or of privileges assigned to the user identity.
Credential and attribute management
• These processes are designed to manage the life cycle of credentials and
user attributes—create, issue, manage, revoke—to minimize the business
risk associated with identity impersonation and inappropriate account use.
• Credentials are usually bound to an individual and are verified during the
authentication process.
• The processes include provisioning of attributes, static (e.g., standard text
password) and dynamic (e.g., one-time password) credentials that comply
with a password standard (e.g., passwords resistant to dictionary attacks),
handling password expiration, encryption management of credentials
during transit and at rest, and access policies of user attributes (privacy and
handling of attributes for various regulatory reasons).
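An added example, not code from the slides, covering the credential processes this section lists: a password standard that rejects dictionary words and weak character classes, storage of a static credential as a salted PBKDF2 hash, expiry and revocation checks before verification, and a dynamic one-time credential implemented as RFC 4226 HOTP / RFC 6238 TOTP. The word list, the length and iteration limits, and the 90-day lifetime are constructed choices.

```python
"""Credential life-cycle checks: password standard, salted PBKDF2 storage,
expiry and revocation for static credentials, and an RFC 6238 TOTP for
dynamic ones. Added example; not code from the slides. The word list,
the policy limits and the 90-day lifetime are constructed choices."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stand-in for a real dictionary or breached-password list (constructed).
DICTIONARY = {"password", "123456", "letmein", "qwerty", "welcome1", "summer2024"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 600_000   # constructed choice; in line with current OWASP guidance for SHA-256


def password_policy_errors(pw: str) -> list:
    """Return every rule the candidate password breaks (empty means compliant)."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in DICTIONARY:
        errors.append("appears in the password dictionary")
    if pw.isalpha() or pw.isdigit():
        errors.append("uses a single character class")
    return errors


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    issued: datetime
    lifetime: timedelta
    revoked: bool = False


def issue_password(pw: str, now: datetime, lifetime_days: int = 90) -> Credential:
    """Issue a static credential: store only a salted PBKDF2 hash, never the password."""
    errors = password_policy_errors(pw)
    if errors:
        raise ValueError("password does not meet the standard: " + ", ".join(errors))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return Credential(salt, digest, now, timedelta(days=lifetime_days))


def verify_password(cred: Credential, pw: str, now: datetime) -> tuple:
    """Authenticate: revoked and expired credentials fail before the hash is
    compared, and the comparison itself is constant-time."""
    if cred.revoked:
        return False, "credential revoked"
    if now >= cred.issued + cred.lifetime:
        return False, "credential expired"
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), cred.salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, cred.digest):
        return False, "wrong password"
    return True, "ok"


def hotp(secret: bytes, counter: int, digits: int = 6) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> int:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: int, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current one-time code or one step either side for clock drift."""
    counter = unix_time // step
    return any(hotp(secret, counter + d) == code for d in range(-skew, skew + 1))
```

The HOTP and TOTP values can be checked against the published RFC test vectors (secret `12345678901234567890`, counter 0 gives 755224, counter 1 gives 287082), which is the quickest way to confirm a hand-written OTP routine before wiring it into an authentication flow.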
Entitlement management
• Entitlements are also referred to as authorization policies.
• The processes in this domain address the provisioning and deprovisioning
of privileges needed for the user to access resources including systems,
applications, and databases.
• Proper entitlement management ensures that users are assigned only the
required privileges (least privilege) that match their job functions.
• Entitlement management can be used to strengthen the security of web
services, web applications, legacy applications, documents and files, and
physical security systems.
Compliance management
• This process implies that access rights and privileges are monitored
and tracked to ensure the security of an enterprise’s resources.
• The process also helps auditors verify compliance with internal
access control policies and standards that include practices such as
segregation of duties, access monitoring, periodic auditing, and
reporting.
• An example is a user certification process that allows application
owners to certify that only authorized users have the privileges
necessary to access business-sensitive information.
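The user certification process described here, and the attestation reporting and recertification components from the IGA list earlier, come down to the same loop: report what each person holds, collect the reviewer's decisions, and revoke whatever is not explicitly re-approved. The following is an added example that is not part of the slides; the entitlement inventory, the reviewers and the 365-day certification period are constructed sample data.

```python
"""Attestation report and recertification campaign.
Added example; not code from the slides. The entitlement inventory, the
managers and the 365-day certification period are constructed; a real
campaign would read entitlements from each application's IGA connector."""
from datetime import date

# Constructed entitlement inventory: who holds which right in which
# application, who reviews it, and when it was last certified.
ENTITLEMENTS = [
    {"user": "carol", "app": "payroll", "right": "edit",   "manager": "dave", "certified": date(2023, 1, 10)},
    {"user": "carol", "app": "crm",     "right": "view",   "manager": "dave", "certified": date(2024, 2, 1)},
    {"user": "erin",  "app": "payroll", "right": "view",   "manager": "dave", "certified": date(2024, 3, 15)},
    {"user": "frank", "app": "crm",     "right": "delete", "manager": "gina", "certified": date(2024, 1, 5)},
]


def attestation_report(entitlements, manager, today, max_age_days=365):
    """Build the report a manager receives: every entitlement held by their
    reports, flagged as overdue when the last certification is too old."""
    report = []
    for e in entitlements:
        if e["manager"] != manager:
            continue
        overdue = (today - e["certified"]).days > max_age_days
        report.append({**e, "overdue": overdue})
    return report


def recertify(entitlements, manager, decisions, today):
    """Apply a manager's decisions. An approval refreshes the certified date;
    anything the manager did not explicitly approve is revoked, so silence
    never keeps access alive. Returns (kept, revoked); the revoked list is
    what gets handed to automated de-provisioning."""
    kept, revoked = [], []
    for e in entitlements:
        if e["manager"] != manager:
            kept.append(e)
            continue
        key = (e["user"], e["app"], e["right"])
        if decisions.get(key) == "approve":
            kept.append({**e, "certified": today})
        else:
            revoked.append(e)
    return kept, revoked


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for row in attestation_report(ENTITLEMENTS, "dave", today):
        print(row["user"], row["app"], row["right"], "OVERDUE" if row["overdue"] else "")
    decisions = {("carol", "crm", "view"): "approve", ("erin", "payroll", "view"): "approve"}
    kept, revoked = recertify(ENTITLEMENTS, "dave", decisions, today)
    print(len(kept), "kept;", [(r["user"], r["app"], r["right"]) for r in revoked], "revoked")
```

The deny-by-default rule in `recertify` is the important design choice: a reviewer who ignores the report loses access for their team rather than silently extending it, which keeps the campaign honest.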
Identity federation management
• Federation is the process of managing the trust relationships
established beyond the internal network boundaries or administrative
domain boundaries among distinct organizations.
• A federation is an association of organizations that come together to
exchange information about their users and resources to enable
collaborations and transactions (e.g., sharing user information with
the organizations’ benefits systems managed by a third-party
provider).
• Federation of identities to service providers will support SSO to cloud
services.
Centralization of authentication (authN) and authorization (authZ)
• A central authentication and authorization infrastructure alleviates
the need for application developers to build custom authentication
and authorization features into their applications.
• Furthermore, it promotes a loose coupling architecture where
applications become agnostic to the authentication methods and
policies.
• This approach is also called an “externalization of authN and authZ”
from applications.
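An added example, not code from the slides, showing the two preceding sections together: federation, where a trusted identity provider authenticates the user and hands the application a signed assertion, and externalized authN/authZ, where the application only verifies that assertion and asks a central policy decision point (PDP) whether the action is allowed. The application never sees a password and contains no authorization rules of its own. The assertion format is a minimal HMAC-signed JSON stand-in for SAML or a signed JWT; the signing keys, issuers, subjects and policy table are all constructed.

```python
"""Federated sign-on with externalized authorization.
An identity provider (IdP) authenticates the user and issues a signed
assertion; the application only verifies the assertion and asks a central
policy decision point (PDP) whether the action is allowed.
Added example; not code from the slides. The keys, issuers, subjects and
policy table are constructed, and the assertion format is a minimal
HMAC-signed JSON stand-in for SAML or a signed JWT."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Keys the service provider trusts, one per federated issuer (constructed).
# Real federations publish asymmetric signing keys in metadata instead.
TRUSTED_ISSUERS = {
    "idp.partner.example": b"constructed-partner-key",
    "idp.corp.example":    b"constructed-corp-key",
}


def issue_assertion(key: bytes, issuer: str, subject: str, audience: str,
                    now: int, ttl: int = 300) -> str:
    """IdP side: sign a short-lived assertion scoped to one audience."""
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_assertion(token: str, audience: str, now: int) -> Optional[dict]:
    """SP side: check issuer trust, signature, audience and expiry, in that
    order. Any failure returns None, which the caller treats as unauthenticated."""
    body, _, sig = token.rpartition(".")
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    key = TRUSTED_ISSUERS.get(claims.get("iss"))   # key lookup only; nothing else is trusted yet
    if key is None:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if claims.get("aud") != audience or now >= claims.get("exp", 0):
        return None
    return claims


# Central policy: federated (issuer, subject) -> local roles, and role ->
# allowed (application, action) pairs. Maintained once, consulted by every app.
SUBJECT_ROLES = {
    ("idp.partner.example", "hana"): {"supplier"},
    ("idp.corp.example", "alice"):   {"buyer", "approver"},
}
ROLE_ACTIONS = {
    "supplier": {("portal", "upload-invoice")},
    "buyer":    {("portal", "create-order")},
    "approver": {("portal", "approve-order"), ("reporting", "view")},
}


def pdp_decide(issuer: str, subject: str, application: str, action: str) -> bool:
    """Policy decision point: allow only what some assigned role permits."""
    roles = SUBJECT_ROLES.get((issuer, subject), set())
    return any((application, action) in ROLE_ACTIONS.get(r, set()) for r in roles)


def enforce(application: str, token: str, action: str, now: int) -> str:
    """Policy enforcement point inside the application: no local password
    handling and no local rules, just verify the assertion and ask the PDP."""
    claims = verify_assertion(token, application, now)
    if claims is None:
        return "deny: invalid or untrusted assertion"
    if not pdp_decide(claims["iss"], claims["sub"], application, action):
        return "deny: not permitted by central policy"
    return "allow"
```

Because the assertion carries an audience and an expiry, a token issued for the portal cannot be replayed against the reporting application, and a stale token is refused even when its signature is intact; both checks happen in one shared verifier rather than in each application.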
