The document provides an overview of identity and access management (IAM), detailing the processes involved in identity lifecycle management, including creation, maintenance, and de-provisioning of identities. It emphasizes the importance of ensuring authorized access to resources through various components like self-service management, provisioning, and identity analytics. Additionally, it contrasts traditional IAM approaches with consumer identity and access management (CIAM), highlighting differences in user management and intended application environments.

1. Presented by
Venkatesh Jambulingam
Cloud Security Expert
22-Jan-2022
Identity Management

2. | 22-Jan-2022 | Venkatesh Jambulingam |
▶Identity & Access Management Overview
▶Identity Management
– Types of Identities
– Identity Lifecycle / JML
– Provisioning/De-Provisioning
– Identity Mapping & Orphan accounts
▶Self Service
– Password reset
– Access Request
– Name / Profile Change
▶Consumer Identity & Access Management
2
Contents

3. IAM Overview

4. | 22-Jan-2022 | Venkatesh Jambulingam | 4
Identity & Access Management Overview
Ensuring right entities have right access to right resources at the right time for right reasons and hence protect the
confidentiality of the data
Identity
Management
Access
Management
Identity
Governance
Privileged Access
Management

5. | 22-Jan-2022 | Venkatesh Jambulingam | 5
Identity & Access Management Components
Self Service
Access Request
Management
Self Service
Password
Management
Policy, Role &
Attribute based
Access Control
Application
Onboarding &
Integration
Automated &
On-Demand
Provisioning
Identity Management
Automated
Lifecycle
Management
Role
Management
Access
Review
Segregation of
Duties
Identity Governance
Identity Analytics
& Insights
Compliance Controls
& Certification
Cloud & Data Access
Governance
Authentication
Multi-Factor
Authentication
Single Sign on Password less
Access Management
Authorization
Federation
Password
Vault
Session
Manager
Access
Manager
Compliance
Control
Privileged Access Management
Password
manager
Privileged Threat
Analytics

6. Identity Management

7. | 22-Jan-2022 | Venkatesh Jambulingam | 7
Type of Identities
B2B Identities B2C Identities
Consumer
Servers & Network Devices
APIs/Services Smart Watch
Managed in IAM system Managed in CIAM system
Employees & Contractors
Programs & Applications
Desktops, Laptops,
Printers, Scanners
Connected Car
AR/VR/MR Headsets

8. | 22-Jan-2022 | Venkatesh Jambulingam | 8
Identity Lifecyle
Create New
Identity
Create Accounts
Provision Access
& Birth Right
Access
Maintain Profile
& Manage
Access
De-Provision
Access
New identity is created in authoritative source
system (HR, CRM, AD, Asset Inventory) based
on physical word identity (Driving License,
Passport, Serial Number of device etc.,)
For human identities, AD/LDAP
account & mailbox is created.
For non-human identities, service
accounts are created in AD/LDAP
Multiple apps could be given
access by default based on role or
attributes. This is called birth right
access. Additional access is
granted based on request
Email & Phone number change
Promotion & location change
Department & Project Change
Legal Entity Change
Maintain access levels for each
of these changes.
User account is deactivated
immediately if user is terminated
User account is deactivated on
midnight of LWD+1 if user
resigned/retired

9. | 22-Jan-2022 | Venkatesh Jambulingam | 9
Identity Lifecycle - Joiner
New person identity
Govt issued identity provided by
the person to the organization
e.g. Driving License, Passport
Organization
Application identity or device
identity is created based in
CMDB/Asset Inventory
New non-person identity
Device Serial Number, Make, Model
or Application identifiers are shared
with Organization
User identity is created in
HRMS by the HR team based on
physical govt issued ID card
HR (Employee ID)
AD (Login ID)
Mailbox (Email ID)
Payroll (Employee ID)
Collaboration (Email ID)
Digital Certificate
Service account in AD
Digital certificates
Provisioning system creates
the necessary accounts
needed for given identity
Identity

10. | 22-Jan-2022 | Venkatesh Jambulingam | 10
Identity Lifecycle - Mover
Person identity
User Changes project, location
or gets promoted
Moves/Changes
for identity
Allocation details of device /
application is captured in
CMDB/Asset Inventory
Non-person identity
Device is allocated/moved for
specific use in a specific environment
HR team updates the location,
designation, or project details
in HRMS
Profile details updated in other
downstream systems
Old permissions are revoked
New permissions are added
Network / other Access
permission granted
Provisioning system updates the
necessary permission/access for
given identity
Identity

11. | 22-Jan-2022 | Venkatesh Jambulingam | 11
Identity Lifecycle - Leaver
Person identity
User Retires or User is Fired
Retire / Fire /
Decommission
Allocation details of device /
application is updated as
decommissioned in
CMDB/Asset Inventory
Non-person identity
Device is decommissioned as not fit
for use
HR team updates the person’s
employment status in HRMS as
retired or fired with along with
last working day
User identity is deactivated on
LWD +1 midnight in AD
In case of firing, it is deactivated
immediately
All access permissions are
revoked
Identity of the application /
device is deactivated
Provisioning system updates the
necessary permission/access for
given identity
Identity

12. | 22-Jan-2022 | Venkatesh Jambulingam |
▶Provisioning is a process that involves creation of user accounts, assigning & managing roles and permissions for these accounts in
various target resources like applications, systems and networks performed in an automated or semi-automated way
▶Provisioning application will read user information from identity system, read application roles from application onboarding
information and will create a role mapping based on the organization policies
▶Role mapping information can be sent to the target application based on the provisioning configuration type.
▶Authorization information can be sent by the provisioning application or local authorization can be done by the application based
on role mapping data sent by provision application
12
Provisioning
User1 User2
Role #1:
App Owner
Role #2:
Manager
Authoritative
Identity System
Provisioning app Application Roles, Permissions
Application #1
Database
User 2
Role Mapped Database
for each provisioning
target application
Identity
Token/Roles
User 4 User 5
Group 1
User 4 User 5
Group 1
User3
Role Mapping based
on organization policy
Role #3:
Analyst

13. | 22-Jan-2022 | Venkatesh Jambulingam |
▶Discretionary access provisioning
–Often used in small to mid-sized companies, this approach allows a network administrator to decide which applications and
data end users can access.
▶Self-service access provisioning
–Typically, this approach is used to help reduce an administrator’s workload. It enables users to participate in some aspects of
the provisioning process such as requesting an account and self-managing passwords.
▶Workflow-based account provisioning
– Approvals from designated approvers are required before granting user access to an application or data. For example, access
to finances would require approval from the company’s chief financial officer.
▶Automated account provisioning
–With this method, every account is added in the same manner through a centralized management application interface
–This streamlines the process of adding and managing user credentials and provides administrators with the most accurate way
to track who has access to specific applications and data sources
–Although provisioning and identity management processes are the same, the extent and type of provisioning varies greatly
among different users (e.g. patients, clinicians, customers, and partners)
13
Provisioning Types

14. | 22-Jan-2022 | Venkatesh Jambulingam |
▶Identity mapping is an activity that links various accounts across applications in different formats to single authoritative identity in
HRMS or active directory
▶Orphan accounts are identities in the applications that do not point to any authoritative identity
▶Orphan accounts represent two kinds of security risk:
–If the account actually has no owner, or the owner has left, they represent an elevated risk of misuse, since any unusual use
of the account will not be detected by the account's (absent) owner.
–Orphan accounts cannot be reliably deactivated when their owner leaves, because of the missing linkage to that owner.
14
Identity Mapping & Orphan Accounts
Data Integration
Tools
Rules and
Stored
Procedures
Performed using
IDM/IGA tools or
even without them
Orphan
Accounts
HR (Employee ID)
Authoritative Source
Identity
Map
HCM
AD (Login ID)
Mailbox (Email ID)
Payroll (Employee ID)
Collaboration (Email ID)
AD
E.g., SSIS or ODI

15. Self Service

16. | 22-Jan-2022 | Venkatesh Jambulingam |
▶ Self-service password reset is defined as any process or technology that allows users who have either forgotten their password
or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help
desk
▶ Self-service password reset solutions perform the reset and unlock functions by directly interacting with the user directory,
typically this is Active Directory
16
Self Service Password Management
User account
Gets locked/Password
Reset
Self service portal
challenges the users with
security questions and asks
for additional details to
verify the identity
User opens into self service
portal and requests password
reset or account unlock
Password Reset / Account Unlocked
in AD / IDP by self service portal
and user is notified
User provides
the correct
response

17. | 22-Jan-2022 | Venkatesh Jambulingam |
▶ Workflow Automation refers to the design, execution, and automation of processes based on workflow rules where human
tasks, data or files are routed between people or systems based on pre-defined business rules.
▶ Workflow allows business users and automated processes to request and authorize access changes.
▶ The changes are executed across the network according to predefined IAM rule sets.
17
Self Service Access Request Management
User raises a request in
self service portal for new
access /change in access
Approver(s) review
requests based on
needed approval levels
Notify user and update the ticket
status in the self service portal
Request forwarded to IAM team or the
automated provisioning system picks up
the approved ticket for processing
User assigned the new access or change
in access done as per request
Approved

18. | 22-Jan-2022 | Venkatesh Jambulingam |
▶ Self-service profile change is a process or technology that allows users to modify their name and other profile details like phone
number, address and photo without a need for calling the help desk or support team
18
Self Service Profile Change
User wants to change their
profile information like phone
number, address, photo
In case of name change,
employee uploads govt issued id
or marriage certificate
Updated information is replicated
across other downstream
systems automatically
User logs into and makes the
changes in the HR system or other
authoritative system
In case of name change, human
resources team will verify the
physical id / marriage certificate
and approve the name change
Downstream systems displays the
updated information

19. Consumer Identity &
Access Management

20. | 22-Jan-2022 | Venkatesh Jambulingam |
▶ Customer identity and access management is a special type of IAM
system that enables organizations to securely capture and manage end
consumer or customer identity and profile data, and control customer
access to applications and services in a B2C environment.
▶ CIAM solutions ensure a secure, seamless customer experience at
extreme scale and performance, no matter which channels (web, mobile,
etc.) customers use to engage with an organization brand.
20
Consumer Identity & Access Management (CIAM)
CIAM
Features
Social
Registration
Self Service
Account
Management
SSO/MFA
& Access
Management
Consent
Management
Customer
Registration
Registration Authentication Self Service Support
Self Service Support Personalization
Security &
Privacy
Customer Onboarding & Engagement
Brand Loyalty & Customer Experience
Customer Trust

21. | 22-Jan-2022 | Venkatesh Jambulingam | 21
IAM vs CIAM
▶ CIAM solutions are designed to support millions of
customers or consumers of an organization
▶ CIAM solutions are built to handle rapid spikes in traffic
volume and frequency.
▶ Built for B2C setup
▶ Consumers can have multiple identities
▶ Identities are self-registered & manged by customers
themselves
▶ Provides with a consistent login experience no matter
where the end-user is or what device they’re using.
▶ Supports Social Authentication
▶ Enables Consent Management
▶ Allows organizations to create personalized user
experience
▶ IAM solutions are designed to handle thousands of
identities in a given organization
▶ Traditional IAM solutions have less capability to handle
sudden spikes in authentication & authorization traffic
▶ Suitable for B2B setup
▶ Single identity per user
▶ Identities are created by on organization for their
employees or contractors
▶ Primarily used for authentication & authorization with strict
security policies for corporate and business applications
IAM CIAM

22. Thank you
Creative
Commons
By Non
Commercial
Share
Alike
This document is shared under
CC BY-NC-SA 4.0 license

23. | 22-Jan-2022 | Venkatesh Jambulingam | 23
About me
Venkatesh Jambulingam
Cloud Security Expert
Email:
cybervattam@gmail.com
cybervattam@outlook.com
Follow me on