In other words, it’s the governance, lifecycle and procedures that are difficult, especially in state and local government environments. Federating an identity store and feeding it to all sorts of different applications and services is technically challenging, but that’s simply a question of navigating all the acronyms and protocols.
Understanding IAM and its relationship to zero trust really comes from breaking down IAM to its two components: identity management (used for authentication) and access controls or access management (used for authorization).
How Can State and Local Governments Manage Identities?
IAM starts with identity management: That’s not just the database of identities. It’s the database plus the entire lifecycle of managing identities in an agency (or in some cases, the identities of constituents using government services).
An example of the simplest type of identity management might be an agency using Microsoft’s Active Directory to store identities, combined with the governance attached to adding, changing and deleting identities from the directory.
Most agencies struggle with procedures, policies and governance. In part, that’s because tools such as Active Directory are “take it or leave it.” Admins get a set of technical capabilities, and if they don’t like those capabilities, they don’t have a lot of options to influence the direction of the product.
This means there’s not a lot of technology to understand and build; it’s more a question of how to use that technology and whether additional layers are needed to handle any special requirements of an application or agency. But there are also technology choices that influence IAM, especially because IAM is now so closely tied to zero-trust architectures.
How Does Identity Management Support Authentication?
While much of identity management is mature technology backed by old-school policies and procedures, there is a lot of action in one particular area: the actual authentication mechanisms supported by IAM. Thinking about authentication is now a particularly critical part of understanding IAM, especially because simple passwords are no longer considered adequate for security.
This means that authentication methods such as multifactor authentication (MFA) and FIDO2 (so-called passwordless authentication) have a strong bearing on the definition of IAM. State and local government IT teams embarking on an IAM and zero-trust journey should start by clearly defining their user community and then identifying the various authentication mechanisms that are required.
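The decomposition above (identity management for authentication, access management for authorization, with the authentication strength required depending on the user community) can be made concrete in a few dozen lines. The following is an added example written for this article, not code from the article or from any vendor product; the directory entries, the community names, the factor-strength ordering and the role permissions are all constructed assumptions standing in for whatever an agency's real directory and policy contain.

```python
"""Added example: a minimal zero-trust style access decision that keeps
identity management (authentication) separate from access management
(authorization). All data below is constructed for illustration."""
from dataclasses import dataclass

# Constructed identity store standing in for a directory such as Active Directory.
# Each entry records the user's community, the authentication mechanisms the user
# has enrolled, the roles granted to the identity, and whether it has been disabled
# (the "delete" step of the identity lifecycle, kept as a flag for audit purposes).
DIRECTORY = {
    "jdoe":       {"community": "employee",    "enrolled": {"password", "totp"},  "roles": {"clerk"}},
    "asmith":     {"community": "employee",    "enrolled": {"password", "fido2"}, "roles": {"clerk", "admin"}},
    "resident42": {"community": "constituent", "enrolled": {"password"},          "roles": {"self-service"}},
    "former":     {"community": "employee",    "enrolled": {"password"},          "roles": set(), "disabled": True},
}

# Assumed policy: relative strength of each mechanism and the minimum strength each
# user community must present. password < totp (MFA) < fido2 (phishing-resistant).
STRENGTH = {"password": 1, "totp": 2, "fido2": 3}
REQUIRED_STRENGTH = {"employee": 2, "constituent": 1}

# Assumed authorization rules: which roles may perform which action.
PERMISSIONS = {
    "view_record":   {"clerk", "admin", "self-service"},
    "delete_record": {"admin"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authenticate(username, presented):
    """Identity management step: is this a live identity, were the factors the user
    just completed actually enrolled for it, and are they strong enough for the
    user's community? Returns (directory entry or None, reason)."""
    entry = DIRECTORY.get(username)
    if entry is None or entry.get("disabled"):
        return None, "unknown or disabled identity"
    if not presented or not presented <= entry["enrolled"]:
        return None, "presented factor not enrolled for this identity"
    strength = max(STRENGTH[factor] for factor in presented)
    if strength < REQUIRED_STRENGTH[entry["community"]]:
        return None, "authentication too weak for community"
    return entry, "authenticated"


def authorize(entry, action):
    """Access management step: does an already authenticated identity hold a role
    that the policy permits for this action? Authentication alone grants nothing."""
    return bool(entry["roles"] & PERMISSIONS.get(action, set()))


def decide(username, presented, action):
    """Full decision: authenticate first, then authorize; fail closed at each step."""
    entry, reason = authenticate(username, set(presented))
    if entry is None:
        return Decision(False, reason)
    if not authorize(entry, action):
        return Decision(False, "authenticated but not authorized for " + action)
    return Decision(True, "allowed")


if __name__ == "__main__":
    for user, factors, action in [
        ("jdoe", ["password"], "view_record"),            # employee with password only: too weak
        ("jdoe", ["password", "totp"], "view_record"),    # MFA satisfies the employee policy
        ("jdoe", ["password", "totp"], "delete_record"),  # authenticated, but clerk may not delete
        ("asmith", ["fido2"], "delete_record"),           # passwordless FIDO2 admin
        ("resident42", ["password"], "view_record"),      # constituent policy accepts a password
        ("former", ["password"], "view_record"),          # disabled identity is refused
    ]:
        print(user, factors, action, "->", decide(user, factors, action))
```

The point the two functions make is the one the article makes in prose: the directory and its lifecycle answer "who is this and how strongly did they prove it", and a separate policy answers "what may this identity do", so a weak factor, a disabled account and a missing role each fail on their own without the other checks having to know about it.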