Ruslan Rakhmetov, Security Vision
In this article we consider the technical means (IdM, IAM, IGA), general approaches to access control and user identification. To avoid confusion, let us first sort out the terms and their differences, then describe the capabilities of these technical means and, in parallel, look at common approaches and the tasks they solve.
IdM (Identity Management) stands for the management of identifiers. People (university, library and work passes, passport, driving licence) and objects (barcode on goods in a shop, serial number on a smartphone, incident number in an information security system) all have identifiers. In general terms, these numbers let you identify what is in front of you by looking it up in directories and databases, without prior knowledge, and the numbers themselves need to be managed. Sometimes this management is done by a person (a concierge at the entrance, face control at the door of a restaurant), but for automation special technical means have been developed, which in this article we will call IdM systems.
Beyond assigning numbers and simple logging, such systems can be used for quick access to something (entering a library with a library card, accessing a bank account by card number, and so on). The evolution of these systems has allowed IdM to be used in a new role, access control, in the form of IAM (Identity and Access Management). For example, you can enter an office with an electronic pass through a turnstile (an ACS, access control system, is used), or remotely open a key box when checking into a rented flat (via a password on the BnB service).
A further stage of evolution was the development of processes for access approval, conflict checking, granular delimitation of authority and other parameters, which allow such systems to be called by a new acronym: IGA (Identity Governance and Administration).
In everyday life, visitor logs, a concierge who asks which flat you are going to, and electronic queues that assign customers to windows in MFCs (multifunctional public service centres) all exist at the same time. In the life of companies, IdM, IAM and IGA class systems likewise exist simultaneously.
Figure 1 - Evolution of access control systems
We will describe the main functions of access control and management systems, how they are organised and what additional tasks they can solve.
People come and go, equipment changes, the chain of command and basic business processes change too. It is therefore important to ensure lifecycle management: update rules in time, load new data when a new employee joins, update processes when moving to a new office. Life cycles can be automated, as in ITSM, IRP and SOAR class systems; IdM systems also allow the required access to be requested manually, in which case the administrator receives a notification and acts himself. If you use cloud services to store and share files, you have probably seen that you can give access to files to specific people. A person can call or message you to view a photo album, or request access directly in the app, and you will automatically receive a push notification or e-mail with the request.
The more employees a company has, the more important it is to eliminate redundancy by dividing users into groups and building approval chains with managers. This is driven not only by information security tasks but also by the need to save IT resources: traffic load, network segmentation, setting up communication channels between offices and related tasks. It is important to keep useful data close by, not to duplicate it, and not to send it across loaded networks without reason. Sometimes rules can be configured so that executing one makes another physically impossible, so in addition to checking for redundancy a compatibility check has to be carried out.
Nevertheless, the tasks of IAM systems are not limited to IT; information security, convenience, speed and automation also matter. We use protection to enter any service: to open safes with valuables, to pay for purchases by card (PIN code), to collect a delivery from a parcel locker. To maintain data security, one of the access elements is a password, which it is important to update periodically (according to its life cycle, as in the example above or in our other article on personal cyber hygiene), so modern directories and IdM systems can remind the user to change the password and restrict what they can do if they have not done so.
Figure 2 - How access control is organised
All information systems become more interesting, significant and useful when combined with others. Access control and management systems are no exception: they involve different employees (HR, managers, system administrators), databases and electronic systems. At the end of the review, we will talk about the main integrations that may be in demand and the tasks they solve.
When we talk about user identification in medium and large companies, the idea of manually creating a separate directory and matching the numbers on passes to particular people does not arise. This can be compared to the FacePay system in the Moscow metro: faces have to be recognised for it to work correctly, but machine learning is used to process tens of millions of them. Integration with the directory is the main parameter in the work of access control systems: it is important to pull all useful data from the company's general directory (LDAP, AD), and to do so automatically.
Passing through a turnstile in the metro or on a bus is similar to arriving at an office where an ACS is installed. It can be used effectively together with cameras and the account management system, and simply to assess the occupancy of a particular office for possible expansion. Such integration also solves information security problems: for example, an account can be blocked automatically at the domain level when the employee leaves the office in the evening and all accesses activated when they return the next morning. ACS integrated with related systems will allow you to activate the nearest printer for printing, open the keypad lock for the offices on the floor, and log in to the system with elevated rights by inserting a card into the computer's reader. In this case, you will not have to create many accounts and keep different passwords in your head.
To solve the second problem, SSO (single sign-on) technology is used, which grants access to other systems through access to one system. You have probably noticed that when you log in to your smartphone with your Google or Apple account, you can quickly access your contacts, cloud and browser tabs without entering passwords. Using the same password for different systems is insecure, but if there is a main system in which the user has already confirmed who they are, processes can be accelerated and simplified while preserving the security of individual services.
To provide greater security, encryption and additional access certificates are used. Such an infrastructure is called PKI (Public Key Infrastructure). Access control systems can integrate effectively with it for quick access requests and manual or automatic approval of requests. In doing so, the risk of password compromise is significantly reduced.
Many products only work more effectively together. Several other possible integrations come to mind (for example, access with multi-factor authentication or joint editing of documents), but they all have one thing in common: the need to provide each employee with the information they need simply and quickly, while maintaining a balance with the integrity and security of that data.
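The ACS-to-domain integration described above (block the account on leaving in the evening, reactivate on returning in the morning), as an added example that is not code from the article or from any ACS or IdM product. The badge-to-account mapping and the event log are constructed; the code also handles the cases a real feed produces: duplicate reads at the turnstile, events arriving out of order, and a badge with no account behind it.

```python
# Added example, not Security Vision code: turning turnstile (ACS) events into
# domain account enable/disable actions. Badges, accounts and the log are constructed.
from collections import namedtuple

Event = namedtuple("Event", "ts badge direction")    # direction: "in" or "out"
BADGE_TO_ACCOUNT = {"0001": "anna", "0002": "boris"}  # constructed mapping

# Constructed ACS log for one evening and the following morning.
ACS_LOG = [
    Event("2024-05-20T18:05", "0001", "out"),
    Event("2024-05-20T18:06", "0001", "out"),   # duplicate read at the turnstile
    Event("2024-05-21T08:55", "0001", "in"),
    Event("2024-05-20T19:30", "0002", "out"),   # arrives out of order in the feed
    Event("2024-05-21T09:10", "9999", "in"),    # badge with no account mapped
]

def account_actions(events, badge_map, state=None):
    """Return (actions, unmapped_badges). actions is an ordered list of
    (account, "enable"|"disable"); state remembers whether each account is
    currently enabled so that repeated events do not repeat actions."""
    state = {} if state is None else state            # account -> True if enabled
    actions, unmapped = [], []
    for ev in sorted(events, key=lambda e: e.ts):     # restore chronological order
        account = badge_map.get(ev.badge)
        if account is None:
            unmapped.append(ev.badge)                   # worth an alert, not an action
            continue
        want_enabled = ev.direction == "in"
        if state.get(account, True) != want_enabled:    # accounts start enabled
            state[account] = want_enabled
            actions.append((account, "enable" if want_enabled else "disable"))
    return actions, unmapped
```

Passing the same `state` dict to successive calls lets the function be run per batch of events without re-issuing actions already taken.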