Identity and access management architects can benefit from the following identity management use cases to improve Identity, Credential, and Access Management (ICAM) practices within their organizations.
The identity management use cases listed for ICAM best practices are approved by the US government as IAM guidelines for various government agencies. These cases involve several factors that contribute to the use and deployment of the use cases. They include the personnel who are part of the ICAM cycle and the systems involved, with a high-level summary of the possible actions.
The listed identity management use cases tend to be interrelated, even with each specific ICAM business process. The technologies and activities are generalized in these cases, ensuring their application can be diversified across many organizations.
It is important to note that the detailed processes in these identity management use cases are not specific to an organization or department. Every entity should analyze its own systems and processes for alignment with the use cases. Below is comprehensive information on what the use cases entail and how you can use them to your enterprise’s advantage.
Identity Creation and Maintenance
When organizations onboard an employee or a contractor, they collect identity related data from the person, and store pieces of the information as identity attributes which serve as a digital proxy to identify the person within the organization. The attributes will be aggregated into a single identity format to keep individual identities unified.
The administrator is mainly involved in collecting and managing employee’s identity data throughout the IAM life cycle. The identity information collected doesn’t necessarily have to come directly from the individual. Identity information can also be collected from HR systems, or onboarding documents.
Creating an enterprise identity comes next, with the administrator adding the identity information into the pre-determined data repository. The process results in having an authoritative source for the enterprise identity of the individual.
Maintaining the enterprise identity data is essential to keep up with any changes that may affect your organization. Identity maintenance should be performed as often as possible. It is preferable to treat identity maintenance as an ongoing process to avoid missing out on vital data that may negatively affect the IAM lifecycle. The process is imperative, mostly when the individual has updated their personal information. Changes need to be made to maintain an effective identity system. Your identity maintenance’s final process is making updates to your enterprise identity system. There are two ways in which you can make the updates.
An administrator can directly update the set authoritative sources, or, allow the individual to use the system to update the information they are changing. The data will automatically update the system on the identity attributes based on the authoritative source.
Proof an Identity
The creation and assigning of a credential to an individual needs some proof of the person’s claimed identity. Also known as identity proofing, it is an essential process through which an organization is involved in collecting and verifying information of an individual so that it can be used to establish an enterprise identity. The Identity Assurance Level (IAL) platform is perfect for determining the critical factors you should consider when conducting identity proofing of the individual.
There are up to three IAL’s that you can use to get the process going. But for federal agencies, there is a minimum requirement of IAL2 for contractors or employees who have recurring access to the government’s resources. With these use cases, IAL1 is not included.
Such use cases mainly describe the steps for proving an identity both at IAL3 and IAL2, which are high-level steps into the process. Some IALs may require more information about the employee, even with other verification processes. Depending on your entity’s processes, you can’t quite know the required IALs until you begin the identity proof process.
Having sufficient information about the individual is important to avoid wasting time in the identity management process. The more information you have at hand, the better it is. The contractor or employee’s information can also be referred to as identity evidence. It may be physical; these are either a driver’s license, birth certificates, passports, or any other valid credential available and verified for use in the IALs.
For the IAL2, the following information may be required:
• Last name
• First name
• Address of record
• Email address
For this IAL2, all the information must be supported by valid identity documents, and the verification rate should be high. After collecting the identity information, which can be remote or in-person, the administrator will need to confirm the provided information is valid and latest data. Comparison of photo identification may be necessary and the address must match the same information provided in the documents presented.
For the IAL3, the following are some information you will need:
• Address of record
• Email Address
• First name
• Last name
For the IAL3, all the information must be supported by valid identity documents, and the verification rate should be superior. The administrator has the freedom to make verifications with the issuing organization. This may result in the successful proof of the individual identity at either IAL2 or IAL3.
Entitlement Lifecycle Management
Lifecycle entitlements are assigned to individuals, their roles, and even groups. The entitlements are set to determine access to the agency services by the employed individuals or contractors. If the entitlements are not assigned, the employees don’t have authorized access to the entity’s services. The process is straightforward.
The first step is to initiate the request from the individual. The individual will have to request access to the entity’s services and wait for the administrators’ feedback. The individuals can also join specific groups with access to parts of the entity’s services and directly access what they need. The requestor may be anyone within the firm, such as the supervisor, employee, security personnel, or even a general contractor.
The next step involves a review of the request from the requestor. At this stage, the administrator’s work compares the individual’s request with his access requirements based on their working position. If the requestor qualifies for access to the entitlements and there is a relevant need, the administrator has a green light to approve it.
As soon as the administrator assigns the entitlements to the contractor, they can receive the necessary entitlements without any limitations. However, consider there may be a change in the contractor’s role in the organization. The administrator has the right to change the entitlements as necessary or even terminate the entitlements.
Create and Issue a Credential
Creating credentials for an individual is only possible after completing an individual’s identity proof cycle. Think of the certification as a physical card that gives access to the entity’s services. It is a form of authenticating the individual’s identity to gain access to the system. For contractors and employees, the preferred credential is the Personal Identity Verification (PIV) card.
Just in case the administrator cannot issue a PIV card to the employee, you can use a combination of factors to get to the credentials of the Authenticator Assurance Level 2, also known as (AAL2).
This use case is a three-step process. The first one is to initiate the request. The individual who needs the credentials for access has to provide an identification card issued by the government.
The review process verifies the issued government identification card. The final process is to generate authentication credentials for the employee or contractor. It can work for individuals who need access to buildings and even protected resources for specifically authorized work.
Issue a Derived Credential
A derived credential comes directly from an already existing credential but has a variation in its form factor. This form factor can be a mobile device or any other portable device that can show the credentials. Their derived credentials use the data initially used in the IAL verification process from the existing credentials.
It can have a lower AAL or the same one depending on the individual’s access needs. The derived credential is mainly applicable in areas where the individual needs authentication to have access, but they cannot seem to get it. Leveraging on the derived credential is the best way to gain the same access without the strict authentication requirements.
The individual only needs to have Authenticator Assurance Level 3 or two to use the derived credential when the situation arrives. Obtaining the derived credential is also relatively easy as long as all parties are involved. Initiation of the request is the first step. The individual’s request on the identity data is sent directly to the identity manager for processing.
The identity manager could be a system or a person depending on how a specific organization operates and its resources. After the request, the identity manager needs to authenticate and verify the credential that already exists. The sources for authentication of data retrieved can change from one to another, including personal databases, HR systems, and security data.
The final stage is generating the derived credential for the individual to use. There is a notable change in the enterprise identity record of the user. The derived credential can be applied in different scenarios. It includes the need to authenticate an enterprise’s application by an employee who already has an enterprise credential.
Accessing secure websites through VPN from a remote location is also an example where a derived credential may be necessary.
Managing the Credential Lifecycle in Identity Management Use Cases
Like any other identity management use case, all active credentials need regular maintenance to keep them functioning to their optimum levels. This use case shows the most popular activities for credential maintenance. These are:
• Resetting a credential – Resetting a credential is applicable when a contractor forgets his identification number or password needed for authentication. The individual will have to request a reset to continue using their credentials.
• Renewal of credentials – It is necessary to renew an individual’s credentials if expiring and still need to use them. It is also applicable to renew the credentials if the individual’s identity information has changed. In this situation, it is possible to request a replacement credential. It is best to renew the credentials before they expire to avoid the wait time for creating another one.
• Revoking a credential – When an individual is no longer working with the entity, the administrator needs to request revocation of the individual’s credentials and any other enterprise accounts they may still have access to. The administrator, in this case, can be the supervisor, sponsor, or any other personnel to high-level access.
All administrators should review their employees’ or contractors’ credentials and eligibility to identify data that may be orphaned in the system.
Granting Access in Identity Management Use Cases
The grant access use case mainly entails individuals’ authentication to authorize their agency services access. The agency services can range from files, physical facilities, specific applications, and just about any special resource that needs access.
It involves an Access Control System administrator, also known as (ACS). This administrator’s main function is granting access to the employee as long as they have both an active credential and an enterprise identity. The individual will also have to have a specific reason to access the enterprise’s resources. The following are some of the steps that the individual must undergo to get full access to what they need.
• Authentication – Authentication is the first step to getting through the Access Control System to get your access granted. The individual’s identity needs to be verified to validate the person who needs to access the entity’s service.
• Authorization – Through authorization, any employee or contractor that meets the criteria can be granted access. This limits access to a specific number of people. The process is not complicated but has a couple of steps to get through the verification process.
The first step is the access attempt. An employee or any contractor needs to access the entity’s services. Then at the second step, the authentication process begins to determine who the individual is. The individual has to ensure the minimum assurance requirements are met. The authenticator uses the AAL2 and the AAL3 for the process.
The AAL2 uses a two-factor process, while the AAL3 uses the two-factor process and the authentication hardware. As soon as the authentication is successful, the ACS identifies the individual’s access entitlements and the protected resource. The ACS then compares the employee’s access entitlements and decides to either authorize or reject the request.
If all the details match up the requirements, the ACS grants access to the agency’s resources. The ACS keeps the information for auditing needs.
Accepting Federation Assertions
Using federation to accept authentication assertions and identification is important to ensure access is limited and only used for the right purposes. Reports can be generated by inter-connected agencies or business units for sharing individual or contractor attributes for easier access and functionality.
Government Identity Management Use Cases
For government identity, complex identity governance use cases are essential for identifying management systems for some sections of the government’s special needs. These can be sections such as national security and law enforcement. Every service-oriented part of the government is directly proportional to its role in every citizen’s life. The identity governance use cases in government identity cases can facilitate many responsibilities and accountabilities in the country’s agencies.
Access Management Use Cases
Through access management use cases, avoiding strict bureaucracy makes it more efficient to access and use resources making it beneficial to citizens and improving their overall living standards. Authentication of enterprises’ identities and access to protected services is vital to keep the government systems functionating. With supporting elements such as federation and governance, there’s so much that ICAM technologies can facilitate ensuring systems are running as smoothly as possible in a secure mode.
Supporting business objectives is essential for moving towards success. Applying identity management use cases in business processes is the best path forward for government agencies and organizations to offer uninterrupted services while ensuring system security and data protection.