ICAM – Identity, Credential, and Access Management

What is ICAM (Identity, Credential, and Access Management), and why does it matter to your business? You’re going to get the answers to both those questions. That’s not all. You will also find out the best ways to put this framework into action without putting your technology team under pressure. Start with understanding the fundamentals of the ICAM concept.

What Is ICAM?

The ICAM abbreviation stands for Identity, Credential and Access Management. It is best known as a standard issued by the U.S. General Services Administration, a U.S. government agency. The concept is vital for several reasons. First, it brings together several related ideas into a single overarching security framework. Second, the U.S. government is one of the largest buyers in the marketplace. Therefore, if you want to keep supplying the government, you need to understand its expectations.

At its most basic, ICAM is made up of several interrelated concepts, as stated in the Federal Identity, Credential and Access Management (FICAM) Roadmap and Implementation Guidance.

  • Identity Management. According to the roadmap, “The primary goal of identity management is to establish a trustworthy process for assigning attributes to a digital identity and to connect that identity to an individual.”
  • Credential Management. This concept applies to a variety of tokens, including digital certificates, smart cards, and cryptographic keys.
  • Access Management. The art and science of approving or preventing access to a resource.
  • ICAM Intersection. Fundamentally, the aim is to view the above disciplines on a holistic basis. Each area – identity, credential and access – needs to operate together with the others.

Tip: Lifecycle management is a recurring concept for ICAM. It’s not enough to set up accounts and access correctly. You also need to modify, remove and update those accounts and permissions regularly.

Why ICAM Matters: The Five Goals ICAM Achieves

Federal agencies need to pursue ICAM implementation for several reasons. Whether you are in government yourself or work closely with the government, it is crucial to understand these goals. In essence, these five goals define the business value for implementing this new security framework.

1) Comply with Federal Laws, Regulations, Standards and Governance Relevant to ICAM

2) Facilitate E-Government by Streamlining Access to Services

3) Improve Security Posture across the Federal Enterprise

4) Enable Trust and Interoperability

5) Reduce Costs and Increase Efficiency Associated with ICAM

In our experience, Goals 1 and 3 might be familiar to many of you. Governments are concerned about security attacks, so Goal 3 makes sense. Likewise, government agencies need to keep up with laws and regulations that may have security requirements. The remaining goals may be less familiar, so let’s consider those in further detail.

Facilitate Access To Services

Security is only partially about keeping out attacks. ICAM is also concerned with facilitating access for the right people. Keep this in mind if you are looking at a security change that would undermine authorized access. From a security performance perspective, make sure you measure your effectiveness in fulfilling user requests. If you lose track of user satisfaction, you will face more complaints.

Resource: Want to improve security performance over time and demonstrate your value to management? Produce a dashboard showing how you are managing security. To get you started, read our short guide to access management key performance indicators, "Find Out if Your Access Management Program Is Successful with KPIs."

Enable Trust and Interoperability

These two security concepts are related. Without trust, it is challenging to interoperate between different systems. If your organization cooperates with other organizations through APIs (application programming interfaces) and uses SaaS applications, study this principle carefully.

Reducing Cost and Increasing Efficiency

Security expenses are never decided in the abstract. This principle requires security operations and systems to keep costs and efficiency in mind. In our view, security efficiency is one of the essential quick wins. When you demonstrate that you are using your IT security budget effectively, executives are more likely to approve future budget requests. In the short term, increasing efficiency also means you can protect more of your organization’s assets with the same budget.

Why Cost And Efficiency Are The Silver Bullet In Reaching ICAM Success

While every principle matters and contributes to security success, one principle plays a bigger role than any other. That principle is efficiency! Without this in place, you will drown in work. There are simply never enough hours in the day to design, build and fully implement a full security system.

There are a few tools available that make ICAM easier to implement. To get you started, look at the following options. First, implement a single sign-on solution so your users will have fewer passwords to memorize. Single sign-on helps your end-users become more productive. You also need to look for ways to support your managers and support functions. That’s where using a group approach to identity management helps. Use Group Enforcer to simplify how you manage groups of users.

Reduce User Service Costs

In traditional IT security arrangements, end users have to wait on the phone and talk to somebody to get help. That approach does not scale up. What if you need to support people outside of traditional business hours? In that situation, you need a self-serve software solution like Apollo. This A.I. virtual chatbot is designed to help you with repetitive security tasks like managing password resets.

Why ICAM Matters Even If You Have Nothing To Do With The U.S. Government

We get it. U.S. government standards documents do not make for exciting reading. If you directly serve the U.S. government as a vendor, you may have no choice but to keep up with their requirements. Does that mean you can or should ignore ICAM in other cases? The answer is no. ICAM is a helpful standard to consider as you build your company’s IT security strategy. In technology management, it is easy to become narrowly focused on achieving your immediate goals. For example, you might decide to create a balanced scorecard for IT security based on the five ICAM goals.

Written by Nelson Cicchitto