Title :
Towards a generic Identity and Access Assurance model by component analysis - A conceptual review
Author :
Damon, Ferdinand ; Coetzee, Marijke
Author_Institution :
Acad. of Comput. Sci. & Software Eng., Univ. of Johannesburg, Johannesburg, South Africa
Abstract :
Identity management provides a view on who has access to systems. Continuous organisational integration creates new Identity Management requirements such as Federation of Identities, Secure Token Services and Social Media Identity Providers. Access Management addresses the question of what resources an identity can access. A common implementation approach to address this is to utilise Role Modeling that links an identity with required access, enabling Role Based Access Control for access to system functions. Access Assurance provides fine-grained access control ensuring that the identity has the right access based on attributes or rules defined by dynamic security policies. The need for Identity and Access Assurance (IAA) is not only for operational efficiency but often driven by legislative and user-experience requirements. IAA requirements are clearly visible as they are often highlighted in audit findings. Disconnect is often found between identity and access that results in integration complexity and duplication between systems because IAA programs are rarely implemented from a top-down approach, driven by the CIO into the organisation. Most often IAA is implemented from an operational management perspective within business unit silos. Furthermore, Security Frameworks such as SABSA (Sherwood Applied Business Security Architecture) provide comprehensive insights into the IAA domain but are focused either too narrowly or broadly. This paper investigates the creation of an Identity and Access Assurance Component Model by evaluating the prominent security frameworks in order to assist C-Level executives to make informed decisions on IAA investment and implementation priorities.
Keywords :
authorisation; business data processing; organisational aspects; IAA investment; IAA programs; access management; component analysis; dynamic security policies; fine grained access control; generic identity and access assurance model; identity and access assurance component model; identity management requirements; integration complexity; legislative requirements; operational efficiency; role based access control; security frameworks; user-experience requirements; Architecture; Authentication; Authorization; Business; Monitoring; Access management; Identity Management; Identity and Access Component Model; SABSA;
Conference_Title :
Enterprise Systems Conference (ES), 2013
Conference_Location :
Cape Town
Print_ISBN :
978-1-4673-6411-9
DOI :
10.1109/ES.2013.6690086