Manage Learn to apply best practices and optimize your operations.

Comparing access control mechanisms and identity management techniques

In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well as some best practices for both access control mechanisams and identity management.

What's the difference between access control mechanisms and identity management techniques?

Access control is only one subset of identity management. Identity management covers a whole range of functions: access control, user provisioning, directory services, account auditing, role and group management, single sign-on (SSO) and privileged account management.

In addition, since 2005, identity management products have coalesced into full-blown identity and access management suites from large IT vendors like Sun Microsystems Inc., Oracle Corp., Microsoft, IBM and Novell Inc. There are four pillars to these IAM suites: identity administration, identity infrastructure, access management and auditing.

Roughly speaking, these four areas break down as follows: Identity administration sets up user roles and groups that allow access only to authorized systems. Identity infrastructure is the data store that holds user accounts and identity information, such as Active Directory or LDAP. Access management sets up user accounts with user IDs and passwords, or whatever system is used for access, like smart cards or biometrics. Finally, auditing is about reporting on accounts, such as who has access and to what systems.

Each of these pieces used to be individual products (and in some cases still are), but most have been snapped up and bolted in to IAM suites.

Compliance has driven the growth of these suites, as federal regulations like SOX, HIPAA and GLBA, and industry standards like PCI DSS have forced companies to account for user access to their systems. These regulations require enterprises to assign unique IDs to each user, be able to report regularly on who has access to systems and what the users are doing on those systems.

On another level, access control differs from identity management in that access control is strictly concerned with providing authentication credentials, such as user IDs and passwords or smart cards. The point is to provide users access, not prove their identity. This narrow focus, according to identity management experts, leads to cases of mistaken identity. People who shouldn't have access to systems, like malicious users, masquerade as legitimate users to gain unauthorized access. In this way, identity management revolves around verifying users -- ideally with multiple pieces of proof of their identity -- before issuing credentials.

More on this topic


This was last published in October 2008

Dig Deeper on Network Access Control technologies