Identity and Access Management Basic Concepts

Before diving into modern authentication topics, let's clarify a few basic concepts of Identity and Access Management.

Identity and Access Management (IAM)

Let’s first start with IAM. What is IAM? Identity and Access Management (IAM) is a framework of policies, processes, and technologies that manage and govern digital identities and their access to resources within an organization. IAM aims to ensure appropriate access to information, systems, and applications while maintaining security, compliance, and operational efficiency. IAM encompasses the management of digital identities throughout their lifecycle. This includes processes such as identity provisioning (creating and assigning initial access rights), identity verification, access requests, modification or revocation of access rights, and identity deprovisioning (removal of access rights when no longer needed).

In this installment of the series we will get to know the following terms related to IAM.

  • Authentication
  • Authorization
  • Identity
  • Certificates
  • Access Control
  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Permissions and Privileges
  • Least Privilege Principle

Let's dive in.

Authentication

So, what is authentication? Authentication is the process of verifying the identity of a user, device, or system to ensure that they are who they claim to be. It is a fundamental aspect of security in various contexts, including computer systems, networks, online services, and physical access control.

Imagine you reside in an apartment complex where you possess a key to access the building. This key serves as your authentication, verifying your status as a resident and granting you entry into the premises. However, it does not grant you access to individual apartments within the building. In a similar manner, the digital authentication process validates the identity of a user, device, or system, confirming that they are indeed who they claim to be. However, it does not automatically provide access to any specific resources.


Authentication methods can vary depending on the level of security required and the specific context. Here are some commonly used authentication methods:

  • Password-based authentication: Users provide a unique combination of username and password to authenticate their identity. The system compares the provided password with the stored password associated with the username to verify the user’s identity.
  • Multi-Factor Authentication (MFA): MFA enhances security by requiring users to provide multiple pieces of evidence to verify their identity. This can include something the user knows (e.g., password), something they have (e.g., a physical token or smartphone), or something they are (e.g., biometric data like fingerprints or facial recognition).
  • Token-based authentication: Token-based authentication involves the use of cryptographic tokens or credentials instead of traditional usernames and passwords. These tokens are typically generated by an authentication server and are time-limited or one-time-use, providing an added layer of security.
  • Certificate-based authentication: Certificate-based authentication uses digital certificates issued by a trusted authority. The user presents a certificate, which contains their public key and is validated by the system against a trusted certificate authority to establish their identity.
  • Biometric authentication: Biometric authentication relies on unique biological or behavioral characteristics of an individual, such as fingerprints, iris patterns, voice recognition, or facial features. Biometric data is captured and compared with pre-enrolled data to verify the person’s identity.
  • Social login: Social login allows users to authenticate using their existing social media credentials (e.g., Google, Facebook, or Twitter) instead of creating a new username and password. The identity provider (social media platform) vouches for the user’s identity, and the service relying on the social login trusts the authentication performed by the identity provider.

Authorization

Authorization refers to the process of granting or denying access rights and permissions to authenticated entities, such as users, applications, or systems, based on their verified identity and defined privileges. While authentication verifies the identity of a user or entity, authorization determines what actions or resources that authenticated identity is allowed to access.

Now you have entered the apartment building, and you want to enter your own apartment. You need another key (Role-Based Access Control, RBAC) that authorizes you to enter your apartment. We will discuss role-based access control in more detail later in the article.


As discussed above, authorization is typically implemented through access control mechanisms that enforce a set of policies, rules, or permissions to govern access to specific resources or functionalities. The authorization process occurs after successful authentication and ensures that users or entities are granted appropriate privileges based on their roles, attributes, or other factors.

Identity

Now that you understand authentication and authorization, let's look at the "key" that is used to authenticate a user, device, or system. This is called identity.
So, what is Identity? Identity refers to the unique and distinguishable characteristics or attributes that define an individual, a system, or an entity within a specific context. It represents the fundamental information or qualities that differentiate one entity from another. Identity is a crucial concept in various domains, including cybersecurity, authentication, authorization, and personal identification.

In different contexts, identity can refer to:

  • Personal Identity: In the realm of individuals, personal identity comprises a combination of characteristics that define a person as a unique individual. These characteristics can include attributes such as name, date of birth, gender, physical appearance, biometrics (e.g., fingerprints or facial features), social security number, or any other personally identifiable information (PII).
  • Digital Identity: Digital identity refers to the representation of an individual or entity in the digital world. It includes digital attributes associated with an individual, such as usernames, email addresses, account identifiers, and digital certificates. Digital identities are used for authentication, authorization, and tracking online activities.
  • System Identity: System or entity identity represents the identification of computer systems, devices, or software entities in a network or information system. Each system or entity is assigned a unique identifier to establish its identity and facilitate communication and access control within the network.
  • Federated Identity: Federated identity refers to the concept of linking and sharing identity information across multiple domains or organizations. It enables users to access resources or services using their existing identities without creating separate accounts. Federated identity systems use trust relationships between identity providers and relying parties to facilitate seamless authentication and authorization across different domains.
  • Legal Identity: Legal identity refers to the recognition and authentication of an individual’s identity by legal and government authorities. It involves official documentation, such as birth certificates, passports, national identification numbers, or driver’s licenses, which are used to establish a person’s identity for legal purposes.

Digital Certificate

A digital certificate, also known as a public key certificate or identity certificate, is a document that uses a digital signature to bind a public key with an identity. The certificate verifies that the public key belongs to the individual or entity named in the certificate, serving as a form of digital ID card.

The most reliable certificates are those issued by a Certificate Authority (CA), a trusted third party that validates the identities of entities involved in a secure communication. When a CA issues a certificate, it guarantees the holder’s identity, and the certificate is then considered a trusted certificate.

Types of Trusted Certificates

Several types of certificates exist, each serving a specific purpose in the realm of digital communication.

  • SSL/TLS Certificates: These certificates are used to secure the transmission of data between a user’s browser and a website, ensuring that any data exchanged is encrypted and secure.
  • Code Signing Certificates: These are used to verify the identity of a software developer or publisher. They assure the user that the software they’re downloading is genuine and hasn’t been tampered with since it was signed.
  • Email Certificates: Also known as S/MIME certificates, they secure email communication by enabling email encryption and allowing digital signatures on emails.
  • Client Certificates: These certificates are used to authenticate a client during an SSL/TLS handshake, proving the identity of the client to the server.
  • Root and Intermediate Certificates: These are special types of certificates used in the creation of certificate chains. A root certificate is a self-signed certificate that identifies the root CA. Intermediate certificates are used as a layer between the root certificate and end-entity certificates (like SSL/TLS), forming a chain of trust.

A Sample of a Certificate

The following is the human-readable form of an X.509 certificate as printed by openssl x509 -text. Note that the Issuer and Subject fields are identical, so this particular certificate is self-signed rather than issued by a separate CA.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=Mountain View, O=YourCompany, OU=YourOrganization, CN=YourCommonName/emailAddress=YourEmailAddress
        Validity
            Not Before: Jun 15 02:43:51 2022 GMT
            Not After : Jun 13 02:43:51 2032 GMT
        Subject: C=US, ST=California, L=Mountain View, O=YourCompany, OU=YourOrganization, CN=YourCommonName/emailAddress=YourEmailAddress
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:04:ec:61:39:b8:85:d3:4a:9e:5c:5c:09:e7:6b:
                    ...
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         a5:4e:cd:79:39:b4:b4:73:0f:c8:c2:8b:3e:48:9a:42:1a:39:
         ...

A Sample Python Code Using Certificate

import ssl

# Create a new SSL context for a server-side socket. Purpose.CLIENT_AUTH means
# this side is the server: it will present its own certificate and may
# authenticate connecting clients.
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)

# Load the server's certificate (with any intermediate certificates in the
# chain) and its private key. The paths below are placeholders.
context.load_cert_chain(certfile="path/to/certfile.pem", keyfile="path/to/keyfile.pem")

# Now the context can be used by a server (e.g., context.wrap_socket(sock, server_side=True))
# to create a secure connection.

Access Control

In the modern authentication paradigm, access control is a fundamental security principle that governs who or what can view or use resources in a computing environment. It is essentially a system of checks and permissions that allows or denies the use of certain resources.

Access control systems are an integral part of identity and access management (IAM) frameworks and work in tandem with authentication and authorization processes. Access control can be categorized broadly into two types:

  • Role-Based Access Control (RBAC): RBAC, also known as non-discretionary access control, takes more of a real-world approach and assigns access controls based on the roles within an organization. Users are assigned roles, and those roles are assigned permissions.
  • Attribute-Based Access Control (ABAC): ABAC, also known as policy-based access control, uses policies to evaluate a broad set of attributes, including user department, time of day, location of access, type of access required, etc., in making the access control decision.

We will discuss RBAC and ABAC in detail in the following sections.

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC), also known as role-based security, is a method of regulating access to computer or network resources based on the roles of individual users within an organization.

The RBAC method provides fine-grained control and offers a simple, streamlined way to provide access to system resources. In this model, rather than assigning specific permissions to each user, permissions are associated with roles, and users are assigned appropriate roles. This makes managing individual user permissions much simpler in large organizations.

Let’s break down the main components of an RBAC system:

  1. Role: A role represents a set of permissions that define access to resources. A role can be job-function specific, like ‘manager’, ‘engineer’, ‘clerk’, or ‘auditor’, or project- or context-specific, like ‘project leader’ or ‘team member’.
  2. User: Users are the individuals in the system assigned to one or more roles which in turn define their access permissions.
  3. Permission: Permissions define the access level or type of operations that can be performed (like read, write, execute), each of which is assigned to various roles.
  4. Session: A session is a temporary set of permissions that is dynamically assigned to a user based on their role(s). This concept allows for additional flexibility.
  5. Constraints: Constraints allow admins to control specific conditions under which a user can or cannot perform certain actions.

The RBAC model can also be further categorized into three types:

  1. Flat RBAC: The most basic form where permissions are simply mapped to roles, and users are assigned these roles.
  2. Hierarchical RBAC: In this model, roles inherit permissions from other roles in a hierarchy. For example, a ‘manager’ role might include all the permissions of the ‘employee’ role plus additional ones.
  3. Constrained RBAC: This advanced form allows constraints to be applied to limit the activation of roles based on specific conditions. For example, a constraint might limit the use of a ‘database admin’ role to certain times of day.

Implementing RBAC can lead to enhanced organizational efficiency and security. By mapping roles directly to the organization’s structure, RBAC can reduce errors, enhance security by implementing the principle of least privilege, and simplify the management and auditing of user rights. However, it requires a good understanding of the organization and careful planning to define roles and permissions effectively.
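To make the three RBAC variants concrete, here is a small added example (not code from the article) that models hierarchical roles, sessions, and a time-of-day activation constraint. The roles, users, permissions, and the 09:00 to 17:00 window for the ‘database_admin’ role are all constructed sample data.

```python
from typing import Dict, Set, Tuple

# Constructed sample data (not from the article): three roles, two users.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "employee": {"read:timesheet", "write:timesheet"},
    "manager": {"approve:timesheet"},
    "database_admin": {"read:db", "write:db", "drop:db"},
}

# Hierarchical RBAC: a role inherits every permission of its parent roles.
ROLE_PARENTS: Dict[str, Set[str]] = {
    "manager": {"employee"},
    "database_admin": {"employee"},
    "employee": set(),
}

# Constrained RBAC: a role may only be activated in a session during these
# hours (start inclusive, end exclusive, 24-hour clock). Roles not listed
# here carry no time constraint.
ACTIVATION_HOURS: Dict[str, Tuple[int, int]] = {"database_admin": (9, 17)}

USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"manager"},
    "bob": {"database_admin"},
}


def effective_permissions(role: str) -> Set[str]:
    """Union the role's own permissions with those inherited up the hierarchy.
    Iterative and cycle-safe, so a misconfigured hierarchy cannot loop forever."""
    perms: Set[str] = set()
    seen: Set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        perms |= ROLE_PERMISSIONS.get(current, set())
        stack.extend(ROLE_PARENTS.get(current, set()))
    return perms


def open_session(user: str, requested_roles: Set[str], hour: int) -> Set[str]:
    """Session: activate only roles the user actually holds and whose
    constraints are satisfied at the given hour. Everything else stays inactive."""
    active: Set[str] = set()
    for role in requested_roles:
        if role not in USER_ROLES.get(user, set()):
            continue  # never assigned to this user: ignored, not escalated
        window = ACTIVATION_HOURS.get(role)
        if window is not None and not (window[0] <= hour < window[1]):
            continue  # outside the allowed activation window
        active.add(role)
    return active


def is_allowed(session_roles: Set[str], permission: str) -> bool:
    """Access check against the session's active roles, not the user's full role set."""
    return any(permission in effective_permissions(r) for r in session_roles)
```

Because checks run against the session rather than the user's full role set, a ‘database_admin’ who connects at 22:00 holds the role on paper but cannot exercise ‘drop:db’ until the window opens.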

Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) is a flexible, fine-grained access control method that uses attributes as building blocks in creating access control rules. It is considered a step beyond Role-Based Access Control (RBAC) in complexity and adaptability.

In the ABAC model, attributes associated with users, resources (like files or records), actions, and the environment are used to create access control rules that define what actions a user can perform under specific conditions.

Here are the key components of an ABAC model:

  1. User Attributes: These can include details like the user’s role, department, location, title, or even certification level.
  2. Resource Attributes: These attributes pertain to the resources the user wants to access and could include things like resource type, classification level, owner, or location.
  3. Action Attributes: These attributes define the type of access or operation a user wants to perform on a resource. This could be actions like read, write, delete, or execute.
  4. Environment Attributes: These attributes can be dynamic and might include aspects like the current time, the risk level, or the user’s current location or IP address.

An access control rule in an ABAC system might look like this:

A user with the role 'Manager' can access a document with the classification 'Confidential' for 'Read' operation from IP addresses within the corporate network during business hours.

This rule uses a combination of user attributes (role), resource attributes (classification), action attributes (‘Read’ operation), and environment attributes (IP address and time) to define a precise access control rule.
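The rule above, implemented as an added example (not code from the article) of a deny-by-default policy decision point. The corporate network range 10.0.0.0/8 and the definition of business hours as 09:00 to 17:59 are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed assumptions (not from the article): the corporate network range
# and the hours that count as "business hours" (09:00 to 17:59).
CORPORATE_NETWORK = ipaddress.ip_network("10.0.0.0/8")
BUSINESS_HOURS = range(9, 18)


@dataclass
class Request:
    """The four attribute groups an ABAC decision point evaluates."""
    user: Dict[str, str]        # user attributes, e.g. role
    resource: Dict[str, str]    # resource attributes, e.g. classification
    action: str                 # action attribute, e.g. Read
    env: Dict[str, object]      # environment attributes, e.g. ip, hour


Condition = Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    conditions: List[Condition]

    def permits(self, req: Request) -> bool:
        # Every condition must hold; a single failing attribute blocks the rule.
        return all(cond(req) for cond in self.conditions)


def from_corporate_network(req: Request) -> bool:
    try:
        return ipaddress.ip_address(req.env["ip"]) in CORPORATE_NETWORK
    except (KeyError, ValueError):
        return False  # a missing or malformed address never satisfies the rule


def during_business_hours(req: Request) -> bool:
    return req.env.get("hour") in BUSINESS_HOURS


# The article's rule: a Manager may Read a Confidential document from the
# corporate network during business hours.
MANAGER_READS_CONFIDENTIAL = Policy(
    name="manager-reads-confidential",
    conditions=[
        lambda r: r.user.get("role") == "Manager",
        lambda r: r.resource.get("classification") == "Confidential",
        lambda r: r.action == "Read",
        from_corporate_network,
        during_business_hours,
    ],
)

POLICIES = [MANAGER_READS_CONFIDENTIAL]


def decide(req: Request) -> str:
    """Deny by default; Permit only when some policy's conditions all hold."""
    return "Permit" if any(p.permits(req) for p in POLICIES) else "Deny"


def make_request(role: str, classification: str, action: str, ip: str, hour: int) -> Request:
    return Request({"role": role}, {"classification": classification}, action,
                   {"ip": ip, "hour": hour})
```

Changing any single attribute (a Write instead of a Read, an address outside 10.0.0.0/8, a request at 22:00) flips the decision to Deny, which is exactly the contextual precision the rule is meant to express.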

The power of ABAC comes from its high degree of adaptability. Because it can evaluate many different attributes, it can make more nuanced access decisions that better fit complex, real-world scenarios. It is particularly beneficial for large, diverse organizations with complex security requirements, as well as situations where contextual factors, such as time or location, are important.

However, the flexibility of ABAC comes with increased complexity in creating and managing access control rules. Therefore, successful ABAC implementation requires careful planning and an in-depth understanding of the organization’s needs and workflows.

Permissions and Privileges

Permissions and privileges are crucial concepts in the realm of computer security and access control. They define what a user or a process can do within a system or a network.

Permissions typically refer to the authorization given to users or systems to perform certain actions on specific resources. These actions can include read, write, execute, modify, or delete operations. Permissions are typically set by the owner of the resource or an administrator. For instance, a user might have read and write permissions for a certain file, meaning they can view and modify that file. Conversely, they might have only read permissions for another file, meaning they can view it but cannot modify it.

Permissions are often categorized based on the type of access they provide. For example, in a Unix-like system, there are three basic types of permissions:

  1. Read: Allows the contents of a file to be read or a directory’s contents to be listed.
  2. Write: Allows modification of a file or the ability to add, remove, or rename files in a directory.
  3. Execute: Allows a file to be run as a program or script or a directory to be entered and operated within.

Privileges, on the other hand, are a type of permission typically granted to users, allowing them to perform system-related operations that are generally beyond the scope of ordinary users. Privileges can include actions like installing software, changing system settings, creating new user accounts, or managing network settings.

The highest level of privilege on a system is often referred to as “root” on Unix/Linux systems or “Administrator” on Windows systems. Users with these privileges can perform any action on the system and have unrestricted access to all resources.

In the realm of security, the principle of least privilege (PoLP) is a computer security concept in which a user is given the minimum levels of access necessary to complete his/her job functions. This helps to reduce the potential risk and impact of security breaches by limiting access to resources to those who truly need them.

In summary, permissions and privileges are fundamental to managing access control within a system or network, helping ensure that users and processes can only perform actions they’re authorized to do, thus maintaining the security and integrity of the system.

Least Privilege Principle

Least Privilege Principle or The Principle of Least Privilege (PoLP) is a computer security concept in which a user is given the minimum levels of access — or permissions — necessary to perform his or her job functions. This principle is applied across all areas of business operations and information technology environments.

The principle helps reduce the risk of security breaches by:

  1. Minimizing Attack Surface: By providing only necessary access rights, the potential points of attack are reduced. An attacker gaining access to a user account can only access what that user can, nothing more.
  2. Reducing Impact of Mistakes: Users with high-level privileges may inadvertently modify or delete critical system files or data. By limiting these privileges, the risk of such errors is minimized.
  3. Simplifying Access Control: By giving users only the permissions they need, tracking and controlling user access can become simpler.
  4. Improving System Stability: Users with unrestricted access could change system settings either maliciously or unknowingly, potentially leading to system instability. PoLP can help prevent this.
  5. Increasing Accountability: When users have only the access they need, it’s easier to monitor user activity and detect abnormal behavior.

The principle of least privilege can be applied to various parts of a system:

  1. Users: Regular users should be given only the access necessary to perform their tasks. They should not have administrative access unless necessary for their specific duties.
  2. Applications and Systems: Applications should run with as few privileges as possible to perform their required functions. For instance, a web server doesn’t typically need to edit system files, so it should not have the permission to do so.
  3. Processes: Just like users and applications, processes should be restricted to only the necessary system resources.
  4. Devices: Devices should be given only necessary network access, reducing potential vectors for attack.

Applying the principle of least privilege requires understanding what access each role in your organization truly needs and being vigilant about granting additional privileges. This can be challenging in complex environments, but tools like automated privilege management and regular audits can help.

In summary, the principle of least privilege is a best practice in information security and a key part of a robust cybersecurity strategy. It’s not a silver bullet for all security risks, but it significantly reduces the potential for damage, whether from internal or external sources.

Further Reads

  1. Authentication vs. Authorization
  2. Cloud Identity
  3. Role-Based Access Control
  4. Internet X.509 Public Key Infrastructure RFC
  5. Principle of Least Privilege

Next Topic

SAML Authentication: A Comprehensive Examination of Architecture, Use Cases, Benefits, and Limitations
