Skip to main content
2023-07-03

Introduction to Identity and Access Management (IAM)

2023-07-03

Almost all of the businesses and services in our society are nowadays depending on digital services in one way or another. Not only "born digital" or pure digital businesses (such as streaming music, movies or e-books), but also restaurants, mechanical workshops, hairdressers or automotive firms are dependant on digital solutions to run their daily operations. It can be services for bookings, webpages with contact information, ordering systems and mandatory reports to governments.

Not to mention what citizens of the modern society would think of not being able to communicate with governmental agencies, municipalities or other public organisations in a digitized way. In short, without digitization, the modern society would just stop. 

A day without single-sign-on

It used to be that the applications and computing power (servers or cloud environments) providing the digital services was at the centre of it all. With the rapid spread of connectivity, connected systems and services powering automation – the centre of it all is now Integration/APIs and digital identities (please refer to the blogs at https://www.redpill-linpro.com/en/blogs/api-microservices-and-integration for additional reading on this topic).

Why is this? Well… one can always turn to oneself and for a second try to imagine how your day would look like if there was no single-sign-on, forcing you to sign into each and every system you use, every time you want to use it? It would also be literally impossible to interact with your smartphone, tablet or all the apps on your work PC without a digital identity. For your private use case, this identity is often in the shape of an id from Google or Apple. 

This is basically what IAM is all about. Making sure that it is possible to access relevant digital systems and information with a digital user id. This way the system can authenticate you and provide you access to the information you are authorized for. This may sound simple in theory, but of course in real life there are many decisions made by organisations, system owners and other stakeholders before this happens.

Trying to bring the level of detail further, the frameworks (and concepts) for managing digital identities and access to artefacts and information, goes under the name of Identity and Access Management (IAM). Wikipedia states that Identity and Access Management (IAM) “is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources.”

In the digitized society, this is also expanded to system to system interaction and making sure that each system has access to the right resources in other digitized solutions.

Our colleague, Benneth Christiansson, has put words to this in an episode of our podcast series "IT Talks":

The problem

The actual pains, problems and questions that IAM is targeting, has been described in several posts already. One common use case to describe the challenges that IAM addresses is the “Airport parable” which compares the IAM solution of a digital business with an airport and the traveller logistics from securing the boarding pass (on-boarding, establishing trust), entering security gates, shopping tax-free, boarding air planes, transferring air planes in a different country until finally exiting the “system” at the destination (off-boarding, loosing trust).

One might look upon airports as a series of systems that a passenger is allowed access to as long as he/she has bought a ticket, can prove his/her identity, holds the correct travel documents and concurs to safety and security regulations. If all this is true, the passenger is granted access to the airport system and available service (in accordance with privileges) as long as he/she stays in the system.

Once at the destination and leaving the system, the passenger must go through the same procedure again to be granted access. This is very similar to the journey/lifetime of a digital id/token and the trust given to its holder. 

So in relation to the Airport parable; What is the actual problem that IAM aims to solve? Is it a question about:

  • Identity and authentication?
  • Access and authorization?
  • Cost and resources?
  • Pure security issues?
  • Or is it really “User experience” and simplicity for the consumer?

It is probably all of the above!

Your IAM solution is the most important component when deciding on who, which or what you grant access to your data and services, but also the portal (login), to your systems and therefore the first thing that can “bug” your co-workers and customers if it’s not working – or working poorly. Why is it the most important component? Just ask; “What happens in our organization and with our products/systems if the IAM is removed (either prevents all access between user, customer, systems, integrations, or allowing all access)”?

Just as in the example of the airport – if we are not allowed to enter, then the rest of the services in the entire organization is not interesting at all, but also if it is the other way around and everyone is let in with full access. That will for sure cause a lot of problems...

The IAM maturity and understanding differs a lot between organizations and individuals – but if you haven’t started work on your IAM strategy yet and haven't got this organized, it is really about time now!

Advance your digitization process

To address challenges with Identity and Access Management to allow you and your organisation to advance your digitization process with remained control, we have created the "IAM Ready" model. This model is intended to assist you with mapping your work with IAM in the maturity ladder and help you with specific methods and solutions to challenges you might face in various phases of the process.

In short this can be your tool to create a smooth and structured process to stay in control on who accesses which of your digitized assets, while at the same time keeping this a smooth process for the user/system.

We will introduce the "IAM Ready" model in following blog posts.

Written by Johan Lundin