Information systems and computer security are under constant development. As new technologies emerge, they come with a new set of challenges, and competition pressures companies to adapt or be left behind. One of the recent major changes in the technology landscape has been the introduction of cloud computing. Contrary to the earlier approach of running software in traditional servers, cloud computing enables flexible scaling and delivery of computer system resources on demand.
The trend of moving software systems to the cloud also applies to Identity and Access Management (IAM) systems. IAM systems are responsible for managing the digital identities of users and providing access to protected services. IAM systems consist of multiple components. One component is Identity Management (IdM), which is the core of any IAM system. They were developed at the turn of the millennium as a solution to a problem where organizations’ multiple services required their separate identities for every user. These were difficult and costly to maintain and prone for inconsistencies between the data. To address these problems identity management tools were developed to ensure data is up to date and consistent across different directories . Further developments were done with the introduction of meta-directories, where user information was gathered into a single manageable directory. Organizations benefited from these systems with streamlined administrative operations, saving costs on managing user information with a single identity per user.
One of the newer developments in the IAM field has been the introduction of Customer Identity and Access Management (CIAM). CIAM systems offer all the capabilities of traditional IAM systems, but with a focus on customers and users outside traditional organization limits and federated identity management. Through the self-service portal users can register, update their profile information and manage authentication methods. More privileged users can also set roles and permission to normal users and configure required access levels to applications straight from the portal.
There are also very capable, open source IAM-technologie offerings. Some of these have been made available as containerized micro services enabling a full devops architecture for such services. Considering the fluid nature of IAM architectures and constant need for development, this is a very attractive combination for a CIAM service. These systems support Single Sign-On across multiple Software as a Service products and let customers link their own applications to the CIAM system thus making it a valuable component of the infrastructure.
In this blog series we explore the opportunities a cloud based, devops driven CIAM solution can provide. First blog has an overview of the technology solutions involved and a high level overview of CIAM and the potential benefits.
Identity and Access Management
Identity is the information from which a specific entity can be identified. These entities in the context of computer technology can be either a person, device or combination of both . An entity is typically identified by a unique ID or an email that is stored in a database and used to reference an entity. Additional attributes are often attached to identity for more information about the user. First name, last name, and address are some common additional attributes used to enable enhanced functionality to the systems that are required when signing in to a new application.
Unique identifiers are accompanied by credentials, such as a password or an ssh-key, which together are used to authenticate entities. Good credentials make it harder for others to impersonate a user. The required level of needed credentials is context-dependent. Sometimes a simple username and password might be enough, in higher-risk environments, more secure means of authentication should be used for confirming identities. Multi-Factor Authentication (MFA) is one of the ways to provide more secure authentication.
Before IdM systems, users had one identity for every separate application. This led to problems in managing accounts and upkeeping security. Multiple accounts for a single person causes redundant work for the organization managing the accounts. When an employee moves and changes their address, the update process needs to be done to every account and database where the information is stored. Also, if a person leaves the organization, all accounts need to be deleted to prevent the employee from further access to the organizations’ systems. Failure to do so leads to so-called ‘ghost accounts’ that put the security of the organization’s systems at risk. Nowadays, the amount of individual user stores continues to grow as more companies offer services that use them, this makes the IAM systems all the more important so companies can minimize the risks that come from multiple user stores and do proper IdM.
Another problem multiple accounts caused was with the security of credentials. Having to remember multiple credentials can often lead to the reuse of passwords and patterns, causing a situation where one exposed password risks other accounts. Having a single account for multiple services isn’t always safer than one account per service since if that account is compromised, then all services can be used by the attacker. That said, if the single account for the system is protected properly it can be managed more easily and is more secure for the whole system . Realizing the risks of improper user management, companies started to develop solutions to these problems, which led to the inception of IAM.
As companies would grow and adapt to changes in the market, they’d create processes, systems, applications and technologies used to manage digital identities and resource accesses provided through them . To understand what identity management is about, it’s necessary to understand some common functionalities these systems are created to fulfil. Osmanoglu Ertem  defined these key functionalities as following:
- Establishing unique identities and associated authentication credentials
- On-boarding these identities into target applications, systems, and platforms
- Provisioning and deprovisioning new user accounts
- Managing identity data and credentials (e.g., self-service password reset)
- Creating workflow processes for approving account creation and modification
- Providing the ability to modify, suspend, or remove accounts
- Auditing and reporting user identity information
With systems capable of these tasks, companies could operate better in the digital space and as time went on, more companies had demand for similar systems and they were developed into products and sold to other companies. While these functionalities made IdM easier, in most cases there is also a need to manage how and what services these identities can operate and for that part there is the access management part of IAM.
Access management is a framework of policies and technologies for ensuring that proper entities have access to resources in computer systems. Responsibilities of access management systems are identifying, authentication, and authorization of users in an environment so that correct entities have access to the right resources and others are denied access .
Access management systems are vital for protecting the sensitive data of organizations in a network. Not only is it enough that correct entities are recognized, but some information and operations should only be accessible by people with specific roles or attributes.  Important functions in access management include:
- Protecting resources from unauthorized access
- Providing proper entitlements to entities
- Limiting access to resources depending on entitlements or attributes
- Ability to update or remove entitlements from entities
- Auditing users and use of privileges
Accomplishing these tasks requires an IAM system to enforce proper IdM, authentication and authorization, as well as monitoring and auditing events like granting roles, login attempts and accessing protected resources. In the next Sections 2.1.2 Authentication and 2.1.3 Authorization, I am going to discuss authentication and authorization in more detail.
In order for a person to log in to the system with their digital identity he or she needs to be identificated and authenticated. Identification is the process of matching the person with a correct identity. A common way to do this is ask for a person to give their unique username or email that’s used in the system. After identification, the user must verify that they are who they’re claiming to be. This process is called authentication, and can be done in multiple ways, a common one being by credential like a password only known by the person. There are many aspects to authentication like different authentication methods, factors, and strength of authentication.
Authentication can refer to verification of a natural person or device’s identity. Depending on the authentication target, different credential types should be used. For a natural persons credential types are divided into three factors :
- Something you know, (password, PIN)
- Something you are (biometrics, fingerprint)
- Something you have (security token, third party authenticator)
Authentication based on one of these factors is called single-factor authentication. This is a weak-level of authentication that should only be used in low-risk environments. To increase security, authentication can use multiple factors, which is called Multi-Factor Authentication (MFA). MFA combines either two (2FA) or more of these factors, making it much harder for malicious parties to get access to an account. In Finland banks and government agencies are required to use MFA , and authenticate users with some combination of multiple factors.
Authentication strength is not only about the amount of factors used. Another variable is how the initial user onboarding to the system was done. Evaluating the trustworthiness of authentication is often divided into two parts: how the initial identification was done and the method of digital authentication . A common way of signing on to a web service is done by giving email and profile information of which only email is confirmed by sending a verification link to that address. Simple authentication when registered by a user as a self-service is naturally weaker compared to registering within an organization having the account provisioned in person after identification. Then again replacing simple authentication with MFA makes the account more secure regardless of the initial identification. Deciding on the authentication process is dependent on both variables, and should be based on the desired security of the system.
After authentication there comes authorization in access management. The authorization layer is responsible for defining which entities have access to which resources. When a specific entity has authenticated to the system, the authorization service either approves or declines access to resources based on defined rules. There are multiple models for managing authorization rules and policies and next the most commonly used ones are presented.
Figure 3: Generic Identity, Entitlement & Access Management System, Adapted from: 
ABAC: Attribute-based access control
Access is based on the user’s attributes. Granting of access can be made on the existence of an attribute on the user or depending on the value of the attribute. For example, access could require the user´s age to be more than 18 to perform a certain action. One of the strengths of attribute-based access control is the flexibility it provides .
RBAC: Role-based access control
Users are assigned to roles that have permissions to do certain operations. Roles are often based on an individual’s duties in an organization (teacher, student). Here, users themself are not permitted to perform certain operations, but the permissions come with the roles they are assigned to. A single user can have multiple roles with different permissions and the same permission can be given to multiple roles. This is one of the most common ways of implementing access control .
UBAC: User-based access control
Access permissions are defined individually for each user. This access control method has potential for fine grained permissions, but can be labor-intensive to manage as each user must be given or revoked permissions individually .
CBAC: Context-based access control
Context-based access control defines access depending on the context of the request. Deciding parameters can be for example time, location, or device type. This type of policy is normally used in conjunction with another to provide more fine-grained access control. One of the challenges with this type of access control is making sure the data sent by the user is not fraudulent. Users could easily fake their GPS location and these kinds of issues need to be taken into consideration when implementing CBAC .
Regardless of the authorization strategy used, the actual authorization in web services can be divided into different components that each have their own functions. The components are defined in an Oasis Standard as Policy Administration Point (PAP), Policy Decision Point (PDP) and Policy Enforcement Point (PEP) . In PAP, resource access rules are defined and administered for users, PDP is responsible for deciding if a request is authorized an access and PEP enforces the decision, granting or denying access based on the PDP response. In practice, when a user requests access to protected resource PEP is invoked, which requests PDP for a decision, which furthermore requests PAP to return the resource’s access policy. Then PAP returns the access policy to PDP, which decides if the resource can be accessed and PEP enforces that decision .
A complete IAM system should be capable of establishing policy decisions, and granting access to resources based on these policies. Furthermore the system should be able to also revoke access and privileges given to users. As accesses change overtime, the auditing process becomes an important part in keeping sure authorization is working as intended and incorrect users are denied access. For these reasons many IAM systems provide an ability to evaluate or audit authorization decisions .
CIAM is a subset of identity and access management. In addition to traditional IAM capabilities and benefits, CIAM systems are focused to deliver IAM for customers and users outside the traditional organizational boundaries . The target services are extended from organization’s internal applications to services with general users on the web. This brings the requirement for the system to be scalable for a larger number of users, making a cloud deployment a natural fit. Support for modern federation protocols also becomes important so that these services can be accessed on the web with a single set of user credentials.
One way CIAM tackles the increased number of users and rising management costs is by having users self-manage their accounts. CIAM systems often provide self-service portals where users can manage their own account information and consent on services. Also, things like registering and password reset should be made available to users without management intervention, offloading these tasks to users and requiring minimal costs and involvement from the organization.
Benefits of CIAM (user and administrator)
The benefits of CIAM largely come from the benefits of a traditional IAM system. The main goal is to “increase security and productivity, while decreasing the cost, downtime and repetitive tasks” . As discussed before, the companies can benefit from these monetarily, but there’s also benefits for users of the system. Users benefit by having their information stored securely and being able to edit their information. Also, social login is a feature often supported by CIAM, so users can use or link their social identities to this system, making it possible to sign in to services with an already existing account.
Components of CIAM system
A CIAM system can be roughly divided into components based on the functions it provides. In Figure 4, the most important components are presented to get a better view of the system as a whole. Next chapters intend to deepen the technical understanding of the components from identity federation, federation protocols, user directories, customer portal and about their purposes for the system.
Figure 4: Components of a generic CIAM-system
These components will be inspected in more detail in the next part of this blog series
|||Lehtinen K. Novell Identity Manager: Identiteetin- ja pääsynhallinta. Thesis. Seinäjoen ammattikorkeakoulu. Seinäjoki, 2009. Available at: https://urn.fi/URN:NBN:fi:amk-200910114893.|
|||Staff Webopedia. Identity. [Cited 8.9.2021]. Available at: https://www.webopedia.com/definitions/identity/.|
|||Jøsang A, Fabre J, Hay B, Dalziel J, Pope S. Trust requirements in identity management. Citeseer, 2005. P. 99–108.|
|||Linden M. Identiteetin- ja pääsynhallinta. Tampere University of Technology. Tampere, 2017. Available at: http://urn.fi/URN:ISBN:978-952-15-3992-3.|
|||Osmanoglu E. Identity and Access Management: Business Performance Through Connected Intelligence. Waltham, USA: Syngress, 2014. 648 P. ISBN 978-0-12-408140-6.|
|||Schwartz M, Machulak M. Securing the Perimeter Deploying Identity and Access Management with Free Open Source Software. 1st ed. Berkeley, USA: Apress, 2018. P. 383. ISBN 1-4842-2601-1.|
|||Beal V. Identity and Access Management (IAM). [Cited 18.8.2021]. Available at: https://www.webopedia.com/definitions/iam/.|
|||Jøsang A, Pope S. User centric identity management. Citeseer, 2005. P. 77.|
|||Ometov A, Bezzateev S, Mäkitalo N, Andreev S, Mikkonen T, Koucheryavy Y. Multi-factor authentication: A survey. Cryptography, 2018. Vol 2:1. DOI 10.3390/cryptography2010001.|
|||Digital and Population Data Services Agency. Tunnistus. [Cited 14.9.2021]. Available at: https://dvv.fi/tunnistus.|
|||OP Financial Group. Tunnistautuminen. [Cited 14.9.2021]. Available at: https://www.op.fi/henkiloasiakkaat/digitaaliset-palvelut/tunnistautuminen.|
|||Nordea. Tunnistautuminen muuttuu. [Cited 14.9.2021]. Available at: https://www.nordea.fi/henkiloasiakkaat/tuki/e-tunniste-muuttuu.html.|
|||Alliance C. Security guidance for critical areas of focus in cloud computing v3.0. Cloud Security Alliance, 2011. Vol 15. P. 1-176. Available at: https://citadel-information.com/wp-content/uploads/2012/08/security-guide-cloud-security-alliance-csaguide.v3.0.pdf.|
|||Hu V, Ferraiolo D, Kuhn D, Schnitzer A, Sandlin K, Miller R, Scarfone K.Guide to attribute based access control (abac) definition and considerations. NIST, 2019. DOI 10.6028/NIST.SP.800-162.|
|||Rountree D. Federated identity primer. 1st ed. Waltham, USA: Syngress, 2013. p 97. ISBN 1-283-85162-8.|
|||Camelot. Differentiating Between Access Control Terms. 2001. [Cited 26.10.2021]. Available at: http://www.windowsecurity.com/uplarticle/2/Access_Control_WP.pdf|
|||Shebaro B, Oluwatimi O, Bertino E. Context-based access control systems for mobile devices. IEEE Transactions on Dependable and Secure Computing, 2012 Vol 12:2. P. 150-163. DOI 10.1109/TDSC.2014.2320731|
|||OASIS. eXtensible Access Control Markup Language (XACML) Version 3.0. [Cited 19.10.2021]. Available at: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html.|
|||Jøsang A, A consistent Definition of Authorization. Security and Trust Management, 2017, Volume 10547. p. 134-144. ISBN 978-3-319-68063-7.|
|||Amazon Web Services. How AWS Audit Manager works with IAM. [Cited 19.10.2021]. Available at: https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_service-with-iam.html.|
|||Keycloak. Authorization Services Guide. [Cited 19.10.2021]. Available at: https://www.keycloak.org/docs/latest/authorization_services/#_policy_evaluation_overview.|
|||Sawma E. Decoding Customer IAM (CIAM) vs. IAM. [Cited 19.10.2021]. Available at: https://www.okta.com/blog/2017/07/decoding-customer-iam-ciam-vs-iam/.|
|||Kumar, V, Bhardwaj, A. Identity Management Systems: A Comparative Analysis. International Journal of Strategic Decision Sciences (IJSDS), 2018. Vol 9:1. P. 63-78. DOI 10.4018/IJSDS.2018010105.|