Identity and access management, IAM, is within enterprise IT and is about defining and managing all roles and access privileges of individual network users and the circumstances in which users are granted/denied privileges. The core objective of an IAM system is one identity per individual. Once that digital identity has been created, it must be maintained, modified and monitored throughout the user’s lifecycle.
The overarching goal of identity management is to “grant access to the right enterprise assets to the right users in the right context, from a user’s system onboarding to permission authorizations to the offboarding of that user as needed in a timely fashion,” according to Yassir Abousselham, senior vice president and chief security officer for Okta, an enterprise identity and access management provider.
IAM systems provide administrators the tools and technologies needed to change a user’s role, track user activities, create reports on those activities and enforce organizational policies on an ongoing basis. IAM is designed to provide a way of administering user access across an entire organization and to ensure compliance with corporate policies and government regulations.
What IAM products and services do
Identity and management technologies include, but aren’t limited to, password-management tools, provisioning software, security-policy enforcement applications, reporting and monitoring apps and identity repositories. Identity management systems are available in on-premise systems as well as cloud-based systems.
In its Tech Tide: Identity and Access Management, Q4 2017, Forrester Research identified six IAM technologies with low maturity, but high current business value:
- API security enables IAM for use with B2B commerce, integration with the cloud, and microservices-based IAM architectures. Forrester sees API security solutions being used for single sign-on (SSO) between mobile applications or user-managed access. This would allow security teams to manage IoT device authorization and personally identifiable data.
- Customer identity and access management (CIAM) allow “comprehensive management and authentication of users; self-service and profile management; and integration with CRM, ERP, and other customer management systems and databases,” according to the report.
- Identity analytics (IA) will allow security teams to detect and stop risky identity behaviors using rules, machine learning, and other statistical algorithms.
- Identity as a service (IDaaS) includes “software-as-a-service (SaaS) solutions that offer SSO from a portal to web applications and native mobile applications as well as some level of user account provisioning and access request management,” according to the report
- Identity management and governance (IMG) provides automated and repeatable ways to govern the identity life cycle. This is important when it comes to compliance with identity and privacy regulations.
- Risk-based authentication (RBA) solutions “take in the context of a user session and authentication and form a risk score. The firm can then prompt high-risk users for 2FA and allow low-risk users to authenticate with single factor (e.g., username plus password) credentials,” according to the report.
IAM systems must be flexible and robust to handle the complexities of today’s computing environment. One reason is an enterprise’s computing environment used to be mostly on-premises and identity management systems authenticated and tracked users as they worked on-premises. There used to be a security wall around the premises but today that wall isn’t there anymore.
Identity management systems today should enable administrators to easily manage access privileges for a variety of users, hybrid environments that encompass on-premise computing, software as a service (SaaS) applications and shadow IT and BYOD users, and computing architectures that include UNIX, Windows, Macintosh, iOS, Android and even internet of things (IoT) devices.
Ultimately, the identity and access management system should enable centralized management of users “in a consistent and scalable way across the enterprise,” says Abousselham.
Recently, identity-as-a-service (IDaaS) has evolved as a third-party managed service offered within the cloud on a subscription basis, providing IAM to customers’ on-premises and cloud-based systems.
Why do I need IAM?
Identity and access management is a vital part of any organization’s security plan, as it is linked to the security and productivity of an organization in today’s digitally enabled world.
Compromised user credentials often serve as an entry point into an organization’s system and network, resulting in access to its information assets. Organizations use identity and access management to protect their information assets against the rising threats of ransomware, criminal hacking, phishing and all other malware attacks. Global ransomware damage costs alone are expected to exceed $5 billion this year, up 15 percent from 2016 per Cybersecurity Ventures.
In many organizations, users will sometimes have more access privileges than necessary. A vigorous IAM system will add an important level of protection by ensuring a consistent application of user access rules and policies across the whole organization.
Identity and access management systems can increase business productivity. The systems’ central management capabilities can minimize the complexity and cost of protecting user credentials and access. At the same time, identity and access management systems allow workers to be more productive, while staying secure in a variety of environments, where ever they work from.
What IAM means for compliance management
Most governments require organizations to care about identity management. Regulatory bodies such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA hold organizations accountable for protecting access to customer and employee information. Identity management systems help organizations comply with these regulations.
The General Data Protection Regulation (GDPR) is a recent regulation that requires strong security and user access controls. GDPR mandates that organizations protect the personal data and privacy of European Union citizens. Becoming effective in May 2018, the GDPR affects every organization that does business within EU countries and/or has European customers.
On March 1st, 2017, the New York’s Department of Financial Services (NYDFS) new cybersecurity regulations went into effect. The NYDFS regulations determine the requirements for the security operations of financial services companies that operate in New York. This includes the need to monitor the activities of authorized users and maintain audit logs, something identity management systems normally perform.
By automating many aspects of the user access to enterprise networks and data, identity management systems relieve IT support of routine but important tasks and help them stay in compliance with industry regulations. These are critical benefits given that today every IT position is a security position. There’s a global cybersecurity workforce shortage and the penalties for not being compliant with industry regulations can cost an organization millions, if not, billions of dollars.
What are the benefits of IAM systems
Implementing an identity and access management system and associated best practices can give your organization a significant competitive advantage. Nowadays, most organizations need to grant users outside the organization access to internal systems. Opening your network to customers, partners, suppliers, contractors and employees will increase efficiency and lower operating costs.
Identity and access management systems allow an organization to extend access to its information systems across a variety of on-premises applications, mobile apps and SaaS tools without having to compromise security. By providing greater access to outsiders can drive collaboration throughout the organization, enhancing productivity, employee satisfaction, research and development, and revenue.
IAM can decrease the volume of calls the IT support help-desk team gets regarding password resets. Identity and access management systems allow administrators to automate these and other time-consuming, routine and costly tasks.
An identity and access management system can be a foundation piece of a secure network because managing a user’s identity is an essential piece of access-control. An identity and access management system requires companies to define their access policies, specifically outlining who has access to which data and under which conditions they are granted access.
Well-managed identities mean greater control of user access. This translates into a reduced risk of internal and external breaches. This is important because, along with the rising of external threats, internal attacks are becoming more frequent. Approximately 60 percent of all data breaches are caused by an organization’s own employees, according to IBM’s 2016 Cyber Security Intelligence Index. Of those, 75 percent were malicious in intent; 25 percent were accidental.
As stated previously, an IAM system can bolster regulatory compliance by providing the tools to implement comprehensive security, audit and access policies. Systems designed today now provide features to ensure that an organization becomes and stays compliant.
How do IAM systems work?
A typical identity management system, in the past, comprised four essential parts: a directory of personal data the system uses to define individual users, a set of tools for adding, modifying and deleting that data, a system that regulates user access and an auditing and reporting system.
Regulating user access has traditionally involved several authentication methods for verifying the identity of a user including; passwords, digital certificates, tokens and smart cards. Hardware tokens and smart cards have served as one component in two-factor authentication, which combines something you know, like your password, with something you have, the token or the smart card, to verify your identity. A smart card carries an embedded integrated circuit chip that can be either a secure microcontroller or similar intelligence with an internal memory or a memory chip alone. Software tokens can exist on any device with storage capabilities like a USB drive to a cell phone.
In today’s complex environments along with heightened security threats, a strong user name and password no longer cut it. Today, identity and access management systems incorporate elements of biometrics, machine learning and artificial intelligence, and risk-based authentication to tighten security measures.
At the user level, authentication methods are aiding to better protect user identities. An example of this is the Touch ID-enabled iPhones has many people now accustomed to using their fingerprints as an authentication method. Newer Windows 10 computers offer fingerprint sensors or iris scanning, this is an example of biometric user authentication.
The move to multi-factor authentication
Some organizations are moving away from two-factor for three-factor authentication, says Abousselham, which combines something you know, a password, something you have, a smartphone, and something you are, facial recognition, iris scanning or fingerprint sensors. “When you go from two-factor to three, you have more assurance that you’re dealing with the correct user,” he says.
At the administration level, today’s identity and access management systems offer more advanced user auditing and reporting tools, such as context-aware network access control and risk-based authentication (RBA).
Context-aware network access control is policy-based. It predetermines an event and its outcome based on various attributes, says Joe Diamond, Okta’s director of products. For example, if an IP address isn’t whitelisted, it can be blocked. Or if there isn’t a certificate that indicates a device is managed, then a context-aware network access control could step-up the authentication process.
Risk-based authentication, RBA, is more dynamic and usually enabled with some level of artificial intelligence. With RBA, “you’re starting to open up risk scoring and machine learning to an authentication event,” Diamond says.
Risk-based authentication dynamically applies various levels of strictness to the authentication processes according to the current risk profile. The higher the risk, the more restrictive the authentication process will be for a user. A change in a user’s geographic location or IP address would trigger additional authentication requirements before the user can access the company’s network or system.
What is federated identity management?
Federated identity management allows a user to share digital IDs with trusted partners. It’s an authentication-sharing instrument that allows users to use the same user name, password or other ID to gain access to more than one network.
Single sign-on (SSO) is an important feature of federated ID management. A single sign-on standard allows users who verify their identity on one network, website or app to carry over that authenticated status when moving from network to network. The model works only among cooperating organizations, known as trusted partners, they essentially vouch for each other’s users.
Are IAM platforms based on open standards?
Authorization messages between trusted partners are usually sent using Security Assertion Markup Language (SAML). SAML defines an XML framework for exchanging security assertions among security authorities. SAML achieves interoperability across different vendor platforms that provide authentication and authorization services.
SAML isn’t the only open-standard identity protocol. Others include OpenID, WS-Trust and WS-Federation and OAuth, which lets a user’s account information be used by third-party services such as Facebook without exposing the user’s password.
What are the challenges or risks of implementing IAM?
A successful implementation of identity and access management requires planning and collaboration across all departments. Organizations that establish a cohesive identity and access management strategy, consisting of clear objectives, stakeholder buy-in and defined business processes, before they begin the project are more likely to be most successful. Identity and access management works best when you have human resources, IT, security and all other departments involved.
Identity information can come from multiple places, such as Microsoft Active Directory (AD) or a human resources app. An identity management system must be able to synchronize the user identity information across all these systems, providing a single source of truth.
With the shortage of qualified IT security people, identity and access management systems must allow an organization to manage a variety of users in different situations and environments, automatically and in real-time. Manually adjusting access privileges and controls for hundreds or thousands of users isn’t feasible or economical.
For example, de-provisioning departing employees can fall through the cracks especially when needing to be done manually. Reporting an employee’s departure from the company and then automatically de-provisioning access across all the apps, services and hardware they used requires an automated and comprehensive identity and access management solution.
Authentication must also be easy for users to perform, it must be easy for IT to deploy, and above all it must be secure, Abousselham says. This accounts for why mobile devices are “becoming the center of user authentication,” he added, “because smartphones can provide a user’s current geolocation, IP address and other information that can be leveraged for authentication purposes.”
One risk worth keeping in mind is centralized operations present tempting targets to hackers and malicious actors. By placing a dashboard over all a company’s identity and access management activities will reduce the complexity for more than the administrators. If compromised, it could allow an intruder to create IDs with extensive privileges and access.
What IAM terms should I know?
Industry buzzwords come and go but a few key terms in the identity and access management space are worth knowing:
- Access Management: Refers to the processes and technologies used to control and monitor network access. Access management features, such as authentication, authorization, trust and security auditing, are part and parcel of the top ID management systems for both on-premises and cloud-based systems.
- Active Directory (AD): Microsoft developed AD as a user-identity directory service for Windows domain networks. Though proprietary, AD is included in the Windows Server operating system and is thus widely deployed.
- Biometric Authentication: A security process for authenticating users that relies upon the user’s unique characteristics. Biometric authentication technologies include fingerprint sensors, iris and retina scanning, and facial recognition.
- Context-Aware Network Access Control: Is a policy-based method of granting access to network resources according to the current context of the user seeking access.
- Credential: An identifier employed by the user to gain access to a network such as the user’s password, public key infrastructure (PKI) certificate, or biometric information (fingerprint, iris scan).
- De-Provisioning: The process of removing an identity from an ID repository and removing access privileges.
- Digital Identity: The ID itself, including the description of the user and their access privileges.
- Entitlement: The set of attributes that specify the access rights and privileges of an authenticated security principal.
- Identity as a Service (IDaaS): Cloud-based IDaaS offers identity and access management functionality to an organization’s systems that reside on-premises and/or in the cloud.
- Identity Lifecycle Management: Refers to the entire set of processes and technologies for maintaining and updating digital identities. Identity lifecycle management includes identity synchronization, provisioning, de-provisioning, and the ongoing management of user attributes, credentials and entitlements.
- Identity Synchronization: The process of ensuring that multiple identity stores contain consistent data for a given digital ID.
- Lightweight Directory Access Protocol (LDAP): Is an open standards-based protocol for managing and accessing a distributed directory service.
- Multi-Factor Authentication (MFA): MFA is when more than just a single factor, such as a user name and password, is required for authentication to a network or system. At least one additional step is also required, such as receiving a code sent via SMS to a smartphone, inserting a smart card or USB stick, or satisfying a biometric authentication requirement, such as a fingerprint scan.
- Password Reset: In this context, it’s a feature of an ID management system that allows users to re-establish their own passwords, relieving the administrators of the job and cutting support calls. The reset application is often accessed by the user through a browser. The application asks for a secret word or a set of questions to verify the user’s identity.
- Privileged Account Management: Refers to managing and auditing accounts and data access based on the privileges of the user. A privileged user, for example, would be able set up and delete user accounts and roles.
- Provisioning: The process of creating identities, defining their access privileges and adding them to an ID repository.
- Risk-Based Authentication (RBA): Risk-based authentication dynamically adjusts authentication requirements based on the user’s situation in the moment authentication is attempted.
- Security Principal: A digital identity with one or more credentials that can be authenticated and authorized to interact with the network.
- Single Sign-On (SSO): A type of access control for multiple related but separate systems. With a single username and password, a user can access a system or systems without using different credentials.
User Behavior Analytics (UBA): UBA technologies examine patterns of user behavior and automatically apply algorithms and analysis to detect important anomalies that may indicate potential security threats. UBA differs from other security technologies, which focus on tracking devices or security events.