Nov 21, 2017

Why is ICAM So Important?


Today, information is being produced by and shared with billions of people and machines around the world. Much of this environment is filled with information that owners are willing to share with others. But much proprietary and private information is not being so freely shared – and for good reason.

In the right hands, information can be beneficial.  In the wrong hands it can be harmful.  For example, medical information in the wrong hands could cause harm to a patient.  On the other hand, the release of the same information to the right doctors could greatly benefit the patient.  Such is the nature of information.  

To help ensure that information goes where it is supposed to, we have Identity, Credential and Access Management (ICAM).  ICAM is a holistic approach to protecting and allowing access to logical and physical resources.  This approach is also known as Identity Access Management (IdAM); Identity, Authentication and Authorization (IAA) and Identity and Access Management (IAM), depending on the environment.

ICAM can be applied both to logical access control (e.g., access to information systems and data resources) and physical access control (e.g., access to facility, building, room and vehicle resources).  ICAM is recognized by many as a technical means to help with responsible resource sharing in a manner that:

  • protects privacy and civil liberty interests;
  • protects against external and insider threats;
  • breaks down information silos;
  • accelerates access to resources; and
  • enhances mission advantage.

For many, this may sound relatively simple.  After all, commonplace activities like a patient talking with a doctor or an employee gaining access to a secure facility each seem to assume many of the above ICAM traits with relative ease. In reality, however, there is more at play than meets the eye.

In the patient/doctor and employee/secure facility scenarios, the use of credentials and the access to resources are readily apparent.  Not so obvious are the many ICAM activities involved in such transactions, briefly described below:

  • Identity Management - Identity proofing and verification occurs before identity information of a subject is bound to a credential.  This typically involves the production of other certified information (e.g., birth certificates, passports, etc.) and verification of the certified information.
  • Credential Management – Credentials typically include information about a credential issuer and identity information of a qualifying subject bound to the credential.  They are often subject to lifecycle management and have an expiration date. Identity information bound to the credential usually includes a unique identifier associated with the subject and sometimes also includes additional attribute information of the subject.  
  • Access Management – Before access to a resource is obtained, a decision is made as to whether a subject may access the resource.  This often involves comparing characteristics of the wanted resource, attributes of the resource requester and the environment of the exchange against a rule set often established by policy.  If rules are satisfied, access to the resource is granted.
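The three activities above can be seen working together in a small worked example. The code below is an added illustration and is not part of the original post: it models a credential that binds a unique identifier and attributes to a subject, applies lifecycle management (an expiration date), and then makes an access decision by comparing characteristics of the requested resource, attributes of the requester and the environment of the exchange against a rule set. The issuer name, attribute values, classification levels and policy rules are all constructed for the example; a real deployment would take them from its own policy.

```python
"""Added illustration of the ICAM activities described above (identity bound to a
credential, credential lifecycle, attribute-based access decision).
Not code from the original post; all names, attributes and rules are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable


@dataclass(frozen=True)
class Credential:
    issuer: str          # who vouched for the identity binding (constructed issuer name)
    subject_id: str      # unique identifier bound to the subject
    attributes: dict     # additional subject attributes (role, clearance, org)
    expires: datetime    # lifecycle management: every credential has an expiration date

    def is_valid(self, now: datetime) -> bool:
        return now < self.expires


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str  # "public" | "internal" | "confidential" (constructed scale)
    owner_org: str
    kind: str            # "logical" (information system) or "physical" (room, facility)


@dataclass(frozen=True)
class Environment:
    now: datetime
    network: str         # "corp" or "internet": where the request comes from


# A rule looks at the requester's credential, the resource and the environment.
Rule = Callable[[Credential, Resource, Environment], bool]

TRUSTED_ISSUERS = {"example-issuer"}  # hypothetical issuer trusted by this enterprise
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


def rule_trusted_issuer(c: Credential, r: Resource, e: Environment) -> bool:
    return c.issuer in TRUSTED_ISSUERS


def rule_not_expired(c: Credential, r: Resource, e: Environment) -> bool:
    return c.is_valid(e.now)


def rule_clearance_dominates(c: Credential, r: Resource, e: Environment) -> bool:
    # Requester clearance must be at least the resource classification.
    return LEVELS[c.attributes.get("clearance", "public")] >= LEVELS[r.classification]


def rule_confidential_only_from_corp(c: Credential, r: Resource, e: Environment) -> bool:
    # Environmental condition: confidential data is not served to the open internet.
    return r.classification != "confidential" or e.network == "corp"


def rule_physical_access_same_org(c: Credential, r: Resource, e: Environment) -> bool:
    # Physical resources are only opened to members of the owning organization.
    return r.kind != "physical" or c.attributes.get("org") == r.owner_org


# The policy-established rule set; every rule must be satisfied for access.
POLICY: list[tuple[str, Rule]] = [
    ("trusted_issuer", rule_trusted_issuer),
    ("not_expired", rule_not_expired),
    ("clearance_dominates", rule_clearance_dominates),
    ("confidential_only_from_corp", rule_confidential_only_from_corp),
    ("physical_access_same_org", rule_physical_access_same_org),
]


def decide(cred: Credential, res: Resource, env: Environment) -> tuple[bool, list[str]]:
    """Return (granted, names of rules that failed). Failed rules are useful audit data."""
    failed = [name for name, rule in POLICY if not rule(cred, res, env)]
    return (not failed, failed)


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Constructed scenarios: a physician requesting a patient record and a room."""
    now = datetime(2017, 11, 21, tzinfo=timezone.utc)
    attrs = {"role": "physician", "clearance": "confidential", "org": "clinic-a"}
    doctor = Credential("example-issuer", "subj-0001", attrs, datetime(2018, 1, 1, tzinfo=timezone.utc))
    expired = Credential("example-issuer", "subj-0001", attrs, datetime(2017, 1, 1, tzinfo=timezone.utc))
    record = Resource("patient-record-42", "confidential", "clinic-a", "logical")
    other_room = Resource("server-room-b", "internal", "clinic-b", "physical")
    return {
        "doctor_record_from_corp": decide(doctor, record, Environment(now, "corp")),
        "doctor_record_from_internet": decide(doctor, record, Environment(now, "internet")),
        "expired_record_from_corp": decide(expired, record, Environment(now, "corp")),
        "doctor_other_org_room": decide(doctor, other_room, Environment(now, "corp")),
    }


if __name__ == "__main__":
    for scenario, (granted, failed) in demo().items():
        print(f"{scenario}: {'ALLOW' if granted else 'DENY'} {failed}")
```

Each decision is the product of all three activities: the issuer check rests on the identity proofing done before binding, the expiration check is credential lifecycle management, and the remaining rules are the access management comparison of resource, requester and environment. Returning the names of the failed rules, rather than a bare deny, gives the audit trail that a multi-stakeholder ICAM environment needs when policy disputes arise.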

This just scratches the surface.  In ICAM environments, many stakeholders must come together to agree on matters dealing with the associated legal, technology and funding requirements.

Looking at ICAM through a more macro-enterprise lens reveals an even more complex environment of logical and physical resources being shared among humans and systems throughout the enterprise.  As such, the implementation of ICAM efforts needs to be well coordinated and managed to allow for efficient use of personnel, technologies, and funding in support of enterprise mission success.

Scaling up even further, enterprises often want to share with other enterprises, governments want to share with other governments and countries with other countries.  For the U.S. government, sharing in large part involves the responsible sharing of information among federal, state, local, tribal, territorial, private sector and foreign partner organizations.

Such is the complexity of resource sharing.  Identity, Credential and Access Management is a means to help manage this complexity so that the right person or system can responsibly share or access the right resources in an appropriate amount of time.

Ron Sulpizio is an engineer and lawyer with 25 years of information technology experience, specializing in identity and access management, policy writing, cryptography systems, cybersecurity, information sharing, export regulation, privacy and patent prosecution. Ron has been part of the PKH Enterprises team since 2016.