What is Identity Management?
Identity Management (IdM) is the process by which organisations manage the digital identities of users and systems throughout their entire lifecycle: from creation, modification and use through to deletion.
Identity management ensures that only authorised persons and systems have access to information and systems, and that this access is granted, changed and withdrawn in a controllable and verifiable manner.
🧠 Why is identity management important?
| Reason | Explanation |
|---|---|
| Security | Prevents unauthorised access to systems and data |
| Compliance | Meeting requirements from the BIO (Baseline Informatiebeveiliging Overheid, the Dutch government baseline), the AVG (the Dutch implementation of the GDPR) and ISO 27001 |
| Traceability | Every action can be traced back to an individual user |
| Efficiency | Users obtain the right access immediately upon hire |
| Risk management | Minimises the risk of misuse of permissions or accounts |
🔁 Lifecycle of an identity
- Provisioning: an identity is created at the start of employment or onboarding
- Modification: roles or departments change, leading to adjusted permissions
- Granting/withdrawing access: permissions are assigned on the basis of function or necessity (need-to-know)
- Deactivation/removal: on departure, project closure or anomalous behaviour
This cycle is often automated via an Identity & Access Management (IAM) system.
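The joiner/mover/leaver cycle above is usually implemented as a reconciliation between the HR system (source of truth) and the account store. The following is an added example, not code from the original page or from any IAM product: the role table, HR records and account store are constructed sample data, and the role-to-entitlement mapping expresses least privilege for each function.

```python
"""Joiner/mover/leaver reconciliation driven by an HR feed.

Added illustration of the identity lifecycle; the role table, HR records
and account store are constructed sample data, not a real IAM product's API.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role -> the minimum entitlements that function needs (least privilege).
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "operator": {"scada-view", "alarm-ack"},
    "engineer": {"scada-view", "eng-station", "plc-program"},
    "analyst": {"historian-read"},
}


@dataclass(frozen=True)
class HrRecord:
    role: str
    end_date: Optional[date]  # None = still employed


@dataclass
class Account:
    employee_id: Optional[str]  # None = not tied to a person (shared/service)
    enabled: bool
    entitlements: set[str]


def reconcile(hr: dict[str, HrRecord], accounts: dict[str, Account],
              today: date) -> list[tuple[str, str, str]]:
    """Compare the HR source of truth with the account store.

    Returns (action, subject, detail) tuples:
      joiner  - active employee without an account: create it with role rights
      mover   - entitlements deviate from the role: grant/revoke the difference
      leaver  - end date passed, or no HR record at all: disable the account
      orphan  - enabled account not linked to any person (shared accounts
                break the one-person-one-account rule)
    """
    actions: list[tuple[str, str, str]] = []
    account_of = {a.employee_id: n for n, a in accounts.items() if a.employee_id}

    for emp_id, rec in hr.items():
        active = rec.end_date is None or rec.end_date > today
        name = account_of.get(emp_id)
        if active and name is None:
            wanted = ",".join(sorted(ROLE_ENTITLEMENTS[rec.role]))
            actions.append(("joiner", emp_id, f"create account with {wanted}"))
        elif not active and name is not None and accounts[name].enabled:
            actions.append(("leaver", name, "disable; HR end date passed"))
        elif active:
            acct, wanted = accounts[name], ROLE_ENTITLEMENTS[rec.role]
            for e in sorted(acct.entitlements - wanted):
                actions.append(("mover", name, f"revoke {e}"))
            for e in sorted(wanted - acct.entitlements):
                actions.append(("mover", name, f"grant {e}"))

    for name, acct in accounts.items():
        if not acct.enabled:
            continue
        if acct.employee_id is None:
            actions.append(("orphan", name, "no owner; shared or unlinked account"))
        elif acct.employee_id not in hr:
            actions.append(("leaver", name, "disable; no HR record"))
    return actions


# Constructed sample data for one reconciliation run.
SAMPLE_HR = {
    "E100": HrRecord("operator", None),
    "E200": HrRecord("engineer", date(2024, 3, 31)),  # left; account still enabled
    "E300": HrRecord("analyst", None),                # started; no account yet
    "E400": HrRecord("operator", None),               # operator holding an engineer right
}
SAMPLE_ACCOUNTS = {
    "jdoe": Account("E100", True, {"scada-view", "alarm-ack"}),
    "asmith": Account("E200", True, {"scada-view", "eng-station", "plc-program"}),
    "bjones": Account("E400", True, {"scada-view", "alarm-ack", "plc-program"}),
    "shift-ops": Account(None, True, {"scada-view", "alarm-ack"}),  # shared login
    "rroe": Account("E999", True, {"historian-read"}),             # unknown to HR
}


def demo(today: date = date(2024, 6, 1)) -> list[tuple[str, str, str]]:
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for action, subject, detail in demo():
        print(f"{action:7} {subject:10} {detail}")
```

The run produces one action per lifecycle event: a joiner for E300, a leaver for asmith (end date passed) and for rroe (no HR record), a mover revoke for bjones, and an orphan flag for the shared `shift-ops` login; jdoe, whose rights match the role, produces nothing. The same diff, run periodically, is what a recertification campaign reviews.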
🛠 Components of identity management
| Component | Description |
|---|---|
| Digital identity | A unique account linked to a person, system or role |
| Authentication | Confirmation of identity (password, token, biometrics) |
| Authorisation | What an authenticated identity is allowed to do; see also access management |
| Roles & groups | Structuring access on the basis of function or profile |
| Logging & auditing | Insight into who has done what, and when |
| Self-service portals | Users can reset passwords or request access |
🔐 Linkage with security
| Security principle | Application within identity management |
|---|---|
| Security by Design | IdM must be integrated into processes and systems from the design stage |
| Least Privilege | Users receive only the minimum permissions they need |
| Zero Trust | No implicit trust from network location; each request is authenticated and authorised on identity, device and context |
| Multi-factor authentication | A second, independent factor (possession or inherence) at login, so a stolen password alone is not enough |
| Security policy | Policy defines requirements for passwords, roles, logging |
🏭 Identity management in OT environments
In OT (Operational Technology), identity management is often less mature, but essential:
| OT-specific aspect | Management point |
|---|---|
| Access to SCADA systems | Based on personal logins, no shared accounts |
| Engineering stations / PLCs | Separate accounts for programmers and operators |
| Physical access to installations | Integration of badge systems or biometrics into access management |
| Legacy systems | Often limited IdM: compensate with network segmentation and logging |
IEC 62443 makes this explicit: its foundational requirements for identification and authentication control (FR 1) and use control (FR 2) cannot be met without personal accounts and a managed identity lifecycle.
🔗 Relation to other topics
| Related concept | Relevance to identity management |
|---|---|
| Access management | IdM provides the input: who gets which access? |
| Governance | Determines who is allowed to decide on identity and access structures |
| Incident Response Plan | Identity logs are crucial when investigating incidents |
| Continuity management | Procedures for access in crisis situations |
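Two of the points above, no shared accounts in OT (with logging as compensation on legacy systems) and identity logs as evidence in incident response, can be turned into detection logic. This is an added example, not code from the original page or from any product: the key=value log format, the log lines and the HR end dates are constructed, and the ten-minute window is an assumed threshold.

```python
"""Two detections over identity logs: a login by an account that should
have been deprovisioned, and a login pattern suggesting a shared account.

Added illustration; the log format, the sample lines and the HR end dates
are constructed, not taken from any real product.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone

# Constructed format: timestamp, target host, account, outcome, source address.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$"
)


def parse(line: str) -> dict | None:
    """Parse one event; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def analyse(lines, terminated: dict[str, date],
            window: timedelta = timedelta(minutes=10)) -> list[tuple[str, str, str]]:
    """Return (finding, account, detail) tuples.

    post_termination_access: a successful login dated after the owner's HR
        end date, i.e. deprovisioning did not happen.
    possible_shared_account: successful logins for one account from two or
        more source addresses within `window`; one person rarely sits at two
        consoles at once.
    """
    findings: list[tuple[str, str, str]] = []
    successes: dict[str, list[tuple[datetime, str, str]]] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        end = terminated.get(ev["user"])
        if end is not None and ev["ts"].date() > end:
            findings.append(("post_termination_access", ev["user"],
                             f"{ev['host']} from {ev['src']} at {ev['ts']:%Y-%m-%dT%H:%M:%SZ}, "
                             f"HR end date {end}"))
        successes[ev["user"]].append((ev["ts"], ev["src"], ev["host"]))

    for user, events in successes.items():
        events.sort()
        for i, (ts, src, _host) in enumerate(events):
            others = sorted({s for t, s, _ in events[i + 1:] if t - ts <= window and s != src})
            if others:
                findings.append(("possible_shared_account", user,
                                 f"{src} and {', '.join(others)} within {window}"))
                break
    return findings


# Constructed authentication events for one morning.
SAMPLE_LOG = """\
2024-06-03T07:58:40Z host=hmi-01 user=jdoe result=success src=10.0.1.15
2024-06-03T08:01:05Z host=hmi-02 user=jdoe result=success src=10.0.1.22
2024-06-03T08:04:19Z host=eng-01 user=asmith result=success src=10.0.2.9
2024-06-03T08:05:02Z host=hmi-01 user=bjones result=failure src=10.0.1.15
2024-06-03T09:30:00Z host=hmi-01 user=bjones result=success src=10.0.1.15
2024-06-03T11:45:12Z host=hmi-01 user=bjones result=success src=10.0.1.40
""".splitlines()

# HR end dates for leavers (constructed); asmith left at the end of March.
TERMINATED = {"asmith": date(2024, 3, 31)}


def demo() -> list[tuple[str, str, str]]:
    return analyse(SAMPLE_LOG, TERMINATED)


if __name__ == "__main__":
    for finding, user, detail in demo():
        print(f"{finding:24} {user:8} {detail}")
```

On the sample, asmith's engineering-station login is flagged because the account outlived the HR end date, and jdoe is flagged because the account logged in from two HMI addresses three minutes apart; bjones also appears from two addresses, but hours apart, so a shift change is the more likely explanation and no finding is raised.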
✅ Best practices
- Automate where possible (IAM tools)
- Use unique, personal accounts — never shared
- Integrate HR systems with your IdM process (joiners/leavers)
- Structure access through roles (RBAC), or attributes (ABAC) where roles alone are too coarse
- Carry out periodic reassessment of access rights (recertification)
📌 In summary
Identity management is the foundation of access control and information security.
Without well-organised identity management, orphaned and shared accounts (shadow access), lack of accountability and misuse of permissions follow, particularly in complex IT and OT environments.
