An Overview Of Identity Management

What is identity management? 

Well, in a nutshell, identity management is the process,which deals with how we manage the identity of the person or a group of people in different contexts.

• The term identity management consists of two things, which are given below.
  
  
• Identity is the boundary line, which creates a difference between two things, when we talk about the objects in OOPS. Let's say that every object has some identity, the characteristics which differ from 1 object to another, every entity in the world is has some unique identity, so what is the entity? Entity is any tangible or intangible thing in the world, which is having some unique characteristics. These characteristics are enough to differentiate these things from one another.
  
  
• We say that humans are have hair, reproduction and breathing characteristics, which create difference between human beings and non living things.
  
  
• Management - It is the process of dealing with or controlling things or people. Here, we control the identity of the individual person or a group of persons.

Explanation

• The digital world is growing day by day, so securing the identity of the individual is become a difficult task. Everyone has a different identity in different contexts. For example, a father is an employee and may be a brother or a husband, which is a different identity in a different context.
  
  
• Identity management is the key base of the organization because each organization needs protection against the unauthorized access of information and assigns limited functionality for each employee, which may be General Manager having access to an entire Application and associates  having limited scope of the Application,
  
  
• Today, every organization needs Identity Management, Identity Management is the abstract term eand very organization has their own method to implement how they manage the identity of the person,
  
  
• Google is has its own identity management mechanism
  
  
• Microsoft has some identity management mechanism
  
  
• Each organization defines some keys things with which they manage the identity of the person.
  
  
• If we talk about Facebook, then we see that Facebook uses OAuth+ signed Request to manage the identity.

Ways to implement identity management

Difference between authentication vs authorization

• I want to clear up the difference between authentication and authorization, using a basic example.
  
  
• When we enter in some organization, then we have a card, which we swap on the machine, so the machine authenticates that this person belongs to an employee of our organization but if an employee belongs to HR department, then the Finance department does not allow this person to interfere in Finance department matters as it says that you are not an authorized person for this matter.
  
  
• Entering the username and password is called Authentication, and Authorization verifies whether you have access to use some operation or not.

Authentication

• Unique username and password are assigned to the person, which uniquely identifies the person. Only username and password are enough to authenticate the person. It is most widely and commonly used in real word identity management scenarios.
  
  
• If a person wants to do shopping through the Amazon store, then first of all; they enter the username and password then Authenticator module of Amazon takes this username and password and then matches through the database if this person is valid or not; if the person is valid, then authenticator module verifies the person as a valid person, which gives the access to Amazon store.

Tow Factor/Multifactor

• We use Two Factor or sometimes more than 2 factors (sometime called Multifactor) authentication mechanism to authenticate the person.
  
  
• It is sometimes a hardware device or may be some code mechanism.
  
  
• These days, I think all of the organizations use two factor to authenticate the person.
  
  
  https://mobikul.com/wp-content/uploads/2016/04/Android-Smart-Lock-Option.png

We see in the images that we use in more than 1 factor, as we may be using (pin+voice), which we may use (pin+location) or we may use (pin+voice+location).

• Google provides more than 1 factor to authenticate the person like enter the username and password, then we use code to authenticate ourselves against the username and password.
  
  
• In a nutshell, any other way which is used to authenticate the person in conjunction with the username and password, is called Multifactor/two Factor Authentication.

Authorization/Access control

• Authorization and access control is nothing but just the rights of the user, which type of Application is used by the user.
  
  
• If we take an example of Facebook group, we are the users of Facebook, but if some person creates a closed group, then we have no access control i.e. in other words, we have no authorized person for that group.
  
  
• Second Example is that if we want to go to a bar, the guard on the gate checks our NIC, so by checking the NIC, the guard authenticates the person but if age is less than 20, then the guard says you are not authorized to enter in the bar as the bar is only for above 20 age
  
  
• Authorization/access control is what you are authorized to do.

Role Based Authentication/Authorization

• Every person has some role like if we work in an organization; the role is defined by our higher authorities. For example, a person is a Manager, a person is an Admin, a person is a House Manager etc. so we define the roles of the person.
  
  
• Similarly, in Role Based Authentication/Authorization; the person authenticates/authorizes based on role. If I am an Admin, then we authenticate first on the basis of role and are authorized in what to do on the basis of our role.
  
  
  https://i-msdn.sec.s-msft.com/dynimg/IC70692.gif

• On the basis of our role; the system gives the permission.
  
  
• If we talk about Hospital Management System, then a doctor wants to access the doctor related Application and Administration wants to access the administration related Application, so what do we do ? We define the role first, then we authenticate/authorize the person on the basis of role, by checking the Role doctor is only Authorize to Access the Doctor Related Services & Application and administration accesses the admin related Application & Services.

Directories

• Directories are the combination of all local storage of the Application database, which authenticates or authorizes the users.
  
  
• Let’s take a scenario, where our organization contains 3 kinds of apps.
  
  
• App 1- This app has his own local database person. First, enter the username, password and this Application authenticates and authorizes the user to accomplish the task.
  
  
• Similarly, App 2 has his own local database person. First, enter the username, password and this Application authenticates and authorizes the user to accomplish the task.
  
  
• Similarly, App 3 has his own local database person. First, enter the username, password and this Application authenticates and authorizes the user to accomplish the task.
  
  
• Thus, there is much difficulty for a person to remember 3 passwords for different apps.
  
  
• Thus, what needs to be done? We create the directories and directory contains all location storage database of the different types of Application, which runs in the enterprise and a single password is enough to authenticate/authorize the person to enter the Enterprise Application.
  
  
• Microsoft Azure Active Directory is the Example of Directories, where single password is enough to use all the Services and the Application.
  
  
  https://docs.microsoft.com/en-us/azure/active-directory/media/role-based-access-control-what-is/rbac_aad.png

Single Sign On/Token Based

• We live in a mobile world and many of the Services; which we use use the mobile phone Application.
  
  
• Single Sign On/Token Based Authentication is widely used in the mobile based Application 
• For example, Sound cloud uses the Token Based Authentication to authenticate the user. Web API plays an important role to implement the token based authentication.
• When the person first logins to the system, then the request goes to the Web Server “Web API” accepts this request to authenticate the user ID and password, once the person is authenticated against the user name and password, then the system generates a ticket “Token”, so the token contains any unique value, expiration time and authorization information of the user, which is sent to the mobile Application. If we talk about an Android, then the token saved is the shared resource of the Application.
• From the next time, if the person wants to access the Services, then along the request of the Service, Mobile Application sends the token; first Server validates the token, followed by sending the response back to the client.
• Username and password is only used 1 time to authenticate the person. Once the token is generated, then the token is responsible for the Services until the token does not expire.
• 
  
  http://logcorner.com/wp-content/uploads/2016/10/2.png

Provisioning/Deprovisioning

• If we hire the new employee, then Identity Management System gives the username, password and assigns the role; for example -  Sign-in to new Google account; where our role is a user and not an administrator, so we access all the user type apps. This concept is known as Provisioning.
  
  
• Similarly, if a person leaves the organization, then the identity management system removes/disables the identity of the person and they no longer are able to access all the Applications and Services. This concept is known as Deprovisioning.

Identity Life Cycle

All these things, which we have discussed forms Identity Life Cycle, broadly contain the steps given below.

• Provision
  
• Management
• Deprovisioning
  
  
  https://s-media-cache-ak0.pinimg.com/736x/fd/a1/9b/fda19bbe6e7a6b2b09f4a716593f0865.jpg