Definition of Identity and Access Management
Identity and access management (IAM) is a business and security discipline that enables the right people, software, and hardware, as appropriate to job roles and functionality, to have access to the tools required to perform assigned duties, without also granting access that is not needed or that presents a security risk to the enterprise. Organisations that use IAM can streamline operations by managing identities and entitlements centrally, rather than granting individuals administrator accounts on each application.
Identity and access management is a vital initiative for any enterprise because it supports the crucial need to enable the appropriate access to tools and resources in increasingly diverse technological ecosystems and to comply with ever-changing privacy and security regulations. IAM affects many aspects of the enterprise, not just IT, and requires strategic business planning in addition to specialised technical capabilities.
IAM Concepts
The core of identity and access management, is, of course, identity. The objective of IAM is to assign one digital identity per individual or other entity, which must then be controlled, managed, and supported throughout its lifecycle.
Another important concept is digital resource, defined as any combination of data and applications, such as software, databases, application programming interfaces (APIs), devices, and more, in a computer system.
When a team member, customer, device, robot, or any other entity with an identity needs access to an organisation’s resources, identity and access management confirms the identity and controls its access to the digital resource.
IAM Terminology
Before diving into a deep discussion of identity and access management, it’s helpful to know brief definitions of related terms, including:
- Access management: Access management is defined as the practices and tools that monitor and manage access to networks, applications, and data. Access management solutions, whether on-premises or cloud-based, typically include authentication, authorisation, and security auditing.
- Active Directory (AD): AD is Microsoft's proprietary directory service, shipped with the Windows Server operating system, that holds user, group, and computer identities and authenticates them on the network. Integrations with AD allow access to be provisioned and deprovisioned automatically, easing IT team workloads.
- Biometric authentication: This security method uses unique physical characteristics such as fingerprints, iris or retina patterns, and facial features to authenticate users.
- Cloud infrastructure entitlement management (CIEM): CIEM is the process of managing identities and access across increasingly complex cloud infrastructure environments. A least privilege approach is utilised to ensure that users only have access to the resources they need, and only for as long as they need them.
- Deprovisioning: Deprovisioning is the act of removing user access to applications, systems, and data within a network.
- Digital identity: A digital identity consists of user attributes (such as name, government ID number, email address, biometrics, and other personally identifiable information), and digital activity and behavioural patterns (such as browsing history, downloads, and operating system).
- Identity and access management (IAM): IAM is a specialty discipline within cybersecurity designed to ensure only the right people can access the appropriate data and resources, at the right times and for the right reasons.
- Identity as a service (IDaaS): IDaaS is an application delivery model that allows users to connect to and use identity management services from the cloud.
- Identity governance: Identity governance is the act of using IT software and systems to manage user access and compliance.
- Identity provisioning: A key component of the identity governance framework, identity provisioning manages user accounts and ensures users have access to the right resources and are using them appropriately.
- Multi-factor authentication (MFA): MFA is an access management tool that combines two or more security mechanisms for accessing IT resources, including applications and devices.
- Principle of least privilege: To protect data and applications, access is only granted to an identity for the minimum length of time required, and is only permitted to the resources required to perform the task.
- Privileged access management (PAM): Privileged access is limited to users such as administrators who must have access to applications, systems, or servers for implementation, maintenance, and updates. Since breaches to these credentials could be catastrophic to the enterprise, PAM tools separate these user accounts from others and track activities associated with them closely.
- Role-based access control (RBAC): RBAC allows the enterprise to create and enforce access by attaching a set of permissions to each role and then assigning users to roles. The permissions are based on what level of access specific user categories require to perform their duties. In other words, different people in the organisation can have completely different levels and types of access privileges based solely on factors such as their job functions and responsibilities.
- Separation of duties (SoD): Also known as segregation of duties, separation of duties is a security principle used by organisations to prevent error and fraud by ensuring that no single identity can both initiate and approve a sensitive transaction. This internal control is typically implemented through RBAC, by defining role or permission combinations that no one person may hold, and is enforced again at the point of action (for example, a user may not approve a request they themselves created).
- Single sign-on (SSO): SSO is an authentication service allowing a user to access multiple applications and sites using one set of credentials.
- User authentication: A fundamental task of IAM systems is to validate that an identity is who or what it claims to be when logging in to and utilising applications and data. Most people are familiar with the traditional authentication that occurs when a user enters a username and password into a sign-in screen; modern user authentication solutions, and those of the future, utilise artificial intelligence and other technical advancements for improved safeguarding of organisational assets.
Authentication vs Authorisation
Authentication and authorisation are often used interchangeably, but they are separate processes used to protect the enterprise from cyber attacks.
Authentication is the process of verifying an identity; authorisation is the process of determining which specific applications, files, and data the authenticated identity can access, and what it may do with them.
Authentication is accomplished through passwords, one-time passwords (OTPs), biometric information, and other proof provided by the user; authorisation is performed via policies and settings that are implemented and maintained by the organisation.
Why the Enterprise Needs Identity and Access Management
Why Is IAM Important?
The enterprise needs IAM to support security and compliance, as well as improve organisational productivity. This applies not only to people resources, but to any entity to which an identity is assigned (e.g., Internet of Things (IoT) devices, application programming interfaces (APIs)). The proliferation of device types and locations from which applications and data are accessed also underlies the importance of identity and access management.
Identity and access management enables the enterprise to manage access based on groups or roles, rather than individually, vastly simplifying IT operations and allowing IT professionals to pivot focus to non-automated projects that require their expertise and attention. Team members also appreciate IAM because it offers them access to the tools they need while minimising frustration over passwords.
However, identity and access management is not only used for employees, but for contractors, partners, customers, robots, and even code segments such as APIs or microservices. Increasing efficiency, reducing costs, enabling greater business productivity, and optimising the functionality of technical systems make the IAM solution not just important, but a critical tool for the enterprise.
IAM’s Role in Security
Identity and access management reduces the number of traditional points of security failure associated with passwords. The enterprise is vulnerable not only to data breaches associated with passwords and password recovery information, but to human frailties when it comes to creating passwords – generating easy-to-remember (and easy to crack) passwords, using the same passwords across multiple applications and systems, and updating passwords with one minor change instead of completely new, randomly generated passwords.
The IAM ecosystem is even more complex, and the demand for security even greater, when it comes to multi-cloud hybrid environments and software as a service (SaaS) solutions. Genuine data security for today’s organisations is impossible without a structure for managing identity and access.
A robust identity and access management requires the enterprise to go beyond securing a network; the organisation must revise access policies that are often outdated, with legacy rules and role definitions that have not evolved with the growth of the business. The IAM system also must extend beyond IT to all parts of the enterprise, with integrations to support increased visibility and control.
IAM and Regulatory Compliance
Regulatory compliance is a rapidly-changing environment; in addition to well-known laws like the European Union’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act (SOX), many other regions, countries, and states are enacting their own privacy regulations. Identity and access management supports rigorous data security requirements and provides the transparency and documentation needed to enable compliance.
When IAM processes are not complete or are ineffective, organisations can find themselves out of compliance with government regulations or industry standards. Even when the identity and access management program is functioning properly, incorrect or deficient information about the program or how data is protected can compromise an audit.
IAM and Bring Your Own Device (BYOD)
Identity and access management solutions can improve employee productivity by enabling access not only to large volumes of data and multiple applications, but granting that access across numerous devices and locations. IAM also facilitates collaboration with partners, vendors, and other third parties that support the enterprise.
IAM and the Internet of Things (IoT)
The proliferation of IoT devices offers many benefits, but also generates numerous cyber security concerns. Identity and access management solutions treat IoT devices as identities that must be authenticated and authorised before granting access to the enterprise’s digital resources.
Benefits of IAM
- Automation: Automating low-risk functions focuses expert IT attention on larger problems and on how to accelerate the business. The enterprise can increase IT team effectiveness while reducing IT costs. Onboarding and offboarding can also be automated to seamlessly grant, modify, or revoke access as users join, change roles, or leave the organisation.
- Advanced anomaly detection: IAM uses artificial intelligence to help organisations understand trends and anomalies in access data to identify risks and track the effectiveness of their identity programs.
- Enabling zero trust: The enterprise that implements identity and access management can enable a zero trust model that goes beyond simple authentication decisions and uses a complete, up-to-date identity record for each user, ensures users only have access to the resources they need when they need them, and adapts as changes occur and when new threats are detected.
- Eliminating weak passwords: Many data breaches are caused by default, frequently used, and poorly structured passwords. Password administration also places a heavy burden on IT: commonly cited industry estimates put password issues at around 40% of all helpdesk calls, at an average cost of about $17 per password reset. Password management enables the enterprise to enforce strong password policies efficiently and to use sync groups and a dictionary of disallowed passwords for greater control.
- Mitigating insider threats: Data breaches can also be caused by neglectful or malicious insiders, but relying exclusively on employee awareness is insufficient without proper technology. Identity and access management closes the security gap. It recognises that many identities other than employees should be considered insiders (e.g., contractors, clients, partners, smartphones, servers), and that coupling identity management of systems, applications, and data files with behaviour monitoring and analysis can counter insider threats.
- Simplifying compliance: Identity and access management helps organisations govern access, track usage, and enforce policies for all users, applications, and data to automate regulatory enforcement and demonstrate compliance.
How Identity and Access Management Works
Two major tasks performed by IAM solutions are confirming identity and ensuring that only the appropriate level of access is permitted.
What IAM Does
Identity and access management verifies that the user, software, or hardware is who they say they are by validating their credentials against a database. To ensure only the necessary access is granted, IAM enables the enterprise to allocate narrowly constructed permissions based on identities instead of permitting broad-based access via a username and password.
IAM Functions
Identity and access management solutions provide the following functions:
- Manage user identities: Create, modify, and delete users, either on their own or by integrating with other directories. New identities can also be generated for users who require specialised access to the enterprise’s systems or tools.
- Provision and deprovision users: Provisioning involves identifying the tools and access levels that will be granted to a user; with IAM, access can be provisioned by role, department, or another identity category. This time-saving process relies on role-based access control (RBAC) rather than specifying access to each resource for each individual user. With RBAC, users are assigned one or more roles based on job function or other criteria and are automatically granted the corresponding access through the identity and access management solution. IAM also enables the enterprise to quickly deprovision users as needed to minimise security risks.
- Authenticate users: Methods used by identity and access management solutions to confirm user identities include multi-factor authentication (MFA) and adaptive authentication. As the name suggests, multi-factor authentication means that the IAM solution requires more than one element of proof of identity; an example of MFA is requiring both a password and facial recognition. With MFA, users are asked for specific credentials when they attempt to access tools or resources; with adaptive authentication, the security level increases, because the credentials requested differ based on the situation (for example, a sign-in from an unfamiliar device or location triggers an additional factor).
- Single sign-on (SSO): SSO enables users to confirm their identity through a single IAM portal that grants access to all tools to which they are entitled, rather than requiring them to sign in to multiple resources.
- Auditing and Reporting: Audits in identity and access management allow organisations to identify and monitor blockages, errors, and suspicious user behaviour and take appropriate action. IAM solution reports support security and compliance by recording activities such as times users logged in and out, which systems and resources were accessed, and authentication type.
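As an added example, not code from the original page, here is a minimal Python implementation of two of the factors described above: a password checked against a salted PBKDF2 hash, and a time-based one-time code verified per RFC 4226/6238 with a small clock-skew window and replay protection. The hashing parameters, the user record layout and the sample secret (the RFC test-vector key) are assumptions for illustration; a production system would normally use Argon2id or bcrypt for passwords and keep TOTP seeds in a protected store.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Stdlib password hashing for the example; Argon2id or bcrypt need a third-party package.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt is used if none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time in 30-second steps."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Accepts a code for the current step or `window` steps either side (clock skew)
    and refuses to accept the same time step twice (replay protection)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1  # highest counter value already consumed

    def verify(self, code: str, at: int) -> bool:
        centre = at // self.step
        for counter in range(centre - self.window, centre + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used (or older than a used step): reject replay
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                self.last_counter = counter
                return True
        return False


class User:
    """Hypothetical user record: salted password hash plus the user's TOTP verifier."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt, self.pw_hash = hash_password(password)
        self.totp = TotpVerifier(totp_secret)


def authenticate(users: Dict[str, User], username: str, password: str, code: str, at: int) -> bool:
    """Both factors must pass. The result is a single bool so the caller cannot
    tell an unknown user, a wrong password and a wrong code apart."""
    user = users.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # do the same work as a real check (timing)
        return False
    if not verify_password(password, user.salt, user.pw_hash):
        return False
    # The TOTP step is only consumed once the first factor has succeeded, so an
    # attacker who knows only the code cannot burn the legitimate user's window.
    return user.totp.verify(code, at)


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 test key and a sample password.
    demo_secret = b"12345678901234567890"
    directory = {"alice": User("correct horse battery staple", demo_secret)}
    now = 1_700_000_000
    print("login ok:", authenticate(directory, "alice", "correct horse battery staple", totp(demo_secret, now), now))
    print("replay ok:", authenticate(directory, "alice", "correct horse battery staple", totp(demo_secret, now), now))
```

Worth noting: the verifier remembers the last time step it accepted, so a code captured by a phishing page cannot be replayed within the same 30-second window, and every comparison goes through hmac.compare_digest so the check does not leak by timing.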
Identity Security Components
There are three core components of identity security:
- Intelligence: Artificial intelligence and machine learning provide the visibility and ability to detect and remediate risk that enable the enterprise to stay ahead of the curve.
- Automation: Organisations must be able to automate identity processes to better discover, manage, and secure user access so team members can focus on innovation, collaboration, and productivity.
- Integration: Integrations extend the enterprise’s ability to embed identity context across the environment and centrally control access to all data, applications, systems, and cloud infrastructure for all identity types.
Identity Management vs Access Management
Identity management and access management are related, but are not interchangeable terms. Identity management confirms that the user is who they say they are and stores information about the user (e.g., department, supervisor, job title, direct reports) to support authentication.
Access management utilises information about the user’s identity to determine which applications and data they are allowed to access, as well as what actions the user is allowed to take within them. For example, many users might have access to the enterprise’s procurement software to enter requisitions, but not all users are allowed to approve them, and no users are allowed to approve their own.
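The procurement example above, written out as an added Python example (not the page's code): roles carry permissions, a static separation-of-duties rule is checked when roles are assigned so a toxic combination is never provisioned, and the "cannot approve your own requisition" rule is enforced at the point of action because it depends on the object, not only on the roles held. Role names, permission strings and the SoD conflict are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


class SoDViolation(Exception):
    """Raised when an assignment or an action would breach separation of duties."""


# Hypothetical roles and permissions for a procurement application.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "requester": {"requisition:create", "requisition:read"},
    "approver": {"requisition:read", "requisition:approve"},
    "vendor_admin": {"vendor:create", "vendor:read"},
    "payments": {"payment:release", "vendor:read"},
    "auditor": {"requisition:read", "vendor:read", "payment:read"},
}

# Static SoD rules: permission combinations no single identity may hold.
# Checked at assignment time, so the toxic combination is never provisioned.
SOD_CONFLICTS = [
    ({"vendor:create", "payment:release"}, "create-vendor-and-pay-vendor"),
]


@dataclass
class Requisition:
    id: str
    created_by: str
    approved_by: Optional[str] = None


class AccessManager:
    def __init__(self) -> None:
        self.roles: Dict[str, Set[str]] = {}  # user -> roles held

    def permissions(self, user: str) -> Set[str]:
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.roles.get(user, set())))

    def can(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        proposed = self.roles.get(user, set()) | {role}
        effective = set().union(*(ROLE_PERMISSIONS[r] for r in proposed))
        for conflict, rule in SOD_CONFLICTS:
            if conflict <= effective:
                raise SoDViolation(f"{user}: {sorted(proposed)} would violate SoD rule {rule!r}")
        self.roles[user] = proposed

    def revoke_role(self, user: str, role: str) -> None:
        """Role change: drop the old role so entitlements do not accumulate."""
        self.roles.get(user, set()).discard(role)

    def deprovision(self, user: str) -> None:
        """Offboarding: strip every role so no entitlement lingers."""
        self.roles.pop(user, None)

    def approve(self, user: str, req: Requisition) -> None:
        if not self.can(user, "requisition:approve"):
            raise PermissionError(f"{user} may not approve requisitions")
        # Dynamic SoD: this rule depends on the object, not just on the roles held,
        # so it has to be enforced at the point of action.
        if req.created_by == user:
            raise SoDViolation(f"{user} cannot approve their own requisition {req.id}")
        req.approved_by = user


if __name__ == "__main__":
    am = AccessManager()
    am.assign_role("alice", "requester")
    am.assign_role("bob", "approver")
    am.assign_role("bob", "requester")  # allowed: approving is fine, self-approval is not
    req = Requisition("R-1", created_by="bob")
    try:
        am.approve("bob", req)
    except SoDViolation as exc:
        print("blocked:", exc)
```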
Cloud vs On-Premises IAM
Traditionally, identity and access management was managed “on premises” with a server at the physical location of the organisation. Migrating IAM from on-premises to the cloud offers greater efficiency and lowers costs to the enterprise by reducing the need to purchase and maintain on-prem infrastructure. Other benefits of cloud identity and access management include:
- improved uptime
- distributed and redundant systems for better reliability and security
- stronger service level agreements (SLAs) for availability and response times
Identity and Access Management, the Cloud, and Identity as a Service (IDaaS)
Today’s enterprise is challenged with controlling user access to data and applications located on-premises, in conventional systems and private clouds, and in one or more public clouds. Managing user access must be conducted as smoothly as possible without placing unnecessarily heavy burdens on IT teams.
IAM solutions delivered via the cloud are increasingly common. Cloud identity and access management tools offer greater security and flexibility to the enterprise than application-by-application username and password management. IDaaS is offered as a standalone product or alongside on-premises identity and access management platforms.
Identity and Access Management Technologies and Tools
IAM solutions offer administrators the technologies and tools to modify user roles, track activities, generate analytics and reporting, and implement policies. Specific technologies and tools include:
- Privileged access management: Designed to manage and monitor privileged access to accounts and applications, alerting system administrators to high-risk events
- Automated provisioning and deprovisioning: Automation makes it easy to quickly grant, modify, or revoke access
- Separation of duties: Enables creation of a suite of comprehensive separation of duties policies that enforce critical controls, with software that automatically scans and detects violations
- Identity lifecycle management: Avoids over-provisioning that can expose the enterprise to serious security risks while providing team members with fast access to technology to accomplish their tasks.
- Workflows: Removes the complexity of building tailored workflows and reduces the workload on teams by automating repetitive tasks
IAM Implementation Strategy
Identity and access management is a cornerstone of a zero trust architecture, so IAM implementation strategy should include zero trust principles, such as least privilege access and identity-based security policies. A zero trust policy dictates that every user is constantly identified and their access managed, foregoing the traditional security posture of continued access without re-identification once granted. Under zero trust, the enterprise’s identity and access management solution continually monitors and safeguards the identities and access points of its users.
Other key principles are:
- Centralised identity management: A crucial element of zero trust is managing access to tools and resources at the identity level; a centralised approach is more efficient and organised.
- Secure access: As mentioned above, this is typically managed through multi-factor or adaptive authentication; a hybrid approach may also be utilised.
- Policy-based control: Users should be granted the permissions required to perform their job duties, based on their role, department, or other established groupings, with no more access than needed.
- Privileged accounts: Privileged accounts provide access to confidential and sensitive data on systems, networks, and databases. For example, privileged accounts might enable an organisation’s IT professionals to manage its applications, software, and server hardware.
- Training and support: Training on the enterprise’s identity and access management solution helps ensure that the organisation receives maximum value from the platform, and ongoing support helps the company understand technological changes and manage solution updates internally.
Tactical IAM Implementation
Conducting an audit of current and legacy systems is often the best first step towards tactical identity and access management solution implementation.
- Identify primary stakeholders and collaborate with them frequently from the start of the implementation.
- List goals for the IAM solution and the capabilities required to achieve them.
- Determine opportunities and challenges while categorising user types and generating use cases.
The tools that are utilised to implement identity and access management in an organisation include:
- password management tools
- provisioning software
- security policy enforcement applications
- monitoring and reporting applications
- identity repositories
Identity and Access Management Implementation Challenges
Typical IAM implementation challenges include:
- Understanding and managing user expectations
- Meeting stakeholder requirements
- Integrating compliance standards
- Knowledge and skill required when considering multiple user sources, authentication factors, and open industry standards
- Expertise to implement identity and access management at scale
Identity and Access Management Standards
An IAM solution must integrate with many other systems to provide complete visibility of access to all the enterprise’s systems, users, and roles. Standards that identity and access management platforms support in order to facilitate these integrations include:
- OAuth 2.0: OAuth 2.0 is an open-standard authorisation framework (RFC 6749) that lets a user grant an application limited access to resources on their behalf, for websites, mobile apps, and Internet of Things and other devices. It issues access tokens instead of requiring the user to share credentials with the application; the tokens are typically protected in transit by TLS rather than being encrypted themselves, so they must be handled as bearer secrets. OAuth 2.0 is the current version of the framework and is used by major social media platforms and consumer services, from Facebook and LinkedIn to Google, PayPal, and Netflix. On its own OAuth is not an authentication protocol; that is what OpenID Connect adds on top of it.
- OpenID Connect (OIDC): OIDC is an authentication layer built on top of OAuth 2.0. It returns a signed ID token (a JSON Web Token) whose signature the client verifies with the provider's published public keys, together with claims such as the issuer, audience, expiry, and a nonce that the client must check. Like SAML, OIDC is widely used for SSO, but OIDC uses REST/JSON instead of XML. By using REST/JSON, OIDC was designed to work with both native and mobile apps, whereas the primary use case for SAML is web-based apps.
- Lightweight Directory Access Protocol (LDAP): One of the oldest identity management protocols established by the industry, LDAP stores and arranges data, such as user or device information, in a hierarchical directory so it is easy to search. LDAP runs over TCP/IP to search the directory contents and relay authentication and authorisation information. Plain LDAP is not a secure protocol because it transmits data, including bind credentials, in clear text, so organisations have moved to LDAPS (LDAP over TLS, usually on port 636) or to StartTLS on the standard port. Both encrypt LDAP traffic between client and server, preventing credentials from being captured in transit.
- Security Assertion Markup Language (SAML): SAML is an open standard utilised for exchanging authentication and authorisation information between, in this case, an IAM solution and another application. This method uses XML to transmit data and is typically the method used by identity and access management platforms to grant users the ability to sign in to applications that have been integrated with IAM solutions.
- System for Cross-Domain Identity Management (SCIM): Created to simplify the process of managing user identities, SCIM is a REST/JSON API standard (RFC 7643 and RFC 7644) that lets an identity provider push user and group records to cloud applications. SCIM provisioning allows organisations to efficiently operate in the cloud and easily add, update, or remove users across many applications from one place, benefitting budgets, reducing risk (for example, deprovisioning an offboarded user everywhere at once), and streamlining workflows.
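An added example, not from the original page, of how an OIDC client uses the standards listed above: it builds an authorization code request with PKCE (RFC 7636), state and nonce, validates the callback before exchanging the code, and checks the ID token claims that OpenID Connect Core requires. Endpoint URLs, client identifiers and claim values are hypothetical; JWT signature verification against the provider's JWKS is assumed to be done by a JOSE library and is not implemented here.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 and JWT require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(authorize_endpoint: str, client_id: str, redirect_uri: str,
                                scope: str = "openid profile email") -> Tuple[str, Dict[str, str]]:
    """Return the URL to redirect the browser to, plus the per-request secrets the
    client must keep server-side (keyed by state) until the callback arrives."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the RFC 7636 43..128 range
    state = b64url(secrets.token_bytes(16))     # binds the callback to this session (CSRF defence)
    nonce = b64url(secrets.token_bytes(16))     # binds the ID token to this request (replay defence)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    pending = {"verifier": verifier, "state": state, "nonce": nonce,
               "client_id": client_id, "redirect_uri": redirect_uri}
    return f"{authorize_endpoint}?{urlencode(params)}", pending


def handle_callback(callback_url: str, pending: Dict[str, str]) -> Dict[str, str]:
    """Validate the redirect back from the provider and build the token request body."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"provider returned error {query['error'][0]!r}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("authorization code missing")
    # The client POSTs this to the token endpoint; the provider recomputes the
    # challenge from code_verifier and rejects a code stolen without the verifier.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": pending["redirect_uri"],
        "client_id": pending["client_id"],
        "code_verifier": pending["verifier"],
    }


def validate_id_token_claims(claims: dict, issuer: str, client_id: str, nonce: str,
                             now: int, skew: int = 60) -> str:
    """Claim checks from OpenID Connect Core section 3.1.3.7. Assumes the JWT signature
    has already been verified against the provider's JWKS (not done here).
    Returns the stable subject identifier."""
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the expected provider")
    aud = claims.get("aud", [])
    aud_list: List[str] = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud_list:
        raise ValueError("token was not issued for this client")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud has several entries")
    if int(claims.get("exp", 0)) + skew < now:
        raise ValueError("token expired")
    if int(claims.get("iat", 0)) - skew > now:
        raise ValueError("token issued in the future")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch: possible replayed token")
    return str(claims["sub"])
```

The state check is what stops a login CSRF (an attacker completing the flow with their own code in the victim's browser); the nonce check stops an ID token captured from one flow being presented in another; and PKCE means a leaked authorization code is useless without the verifier that never left the client.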
IAM and Artificial Intelligence
Artificial intelligence (AI) plays an increasingly critical role in identity and access management by empowering the enterprise to approach it with both greater flexibility and much more detail. User and entity behaviour analytics (UEBA) utilises AI to detect activity that should be further investigated, such as:
- Many sign-in attempts during a short timeframe
- Logins or login attempts from unknown places or devices, or at unusual times based on the user’s typical movements
- Sign-ins from users who aren’t on the organisation’s virtual private network (VPN)
- Sign-ins that match known attack patterns, such as a burst of failed attempts followed by a success, or the use of credentials already known to be compromised
AI can evaluate micro-interactions with respect to time, location, and user activities, determining possible risk in every instance. Using continuous authentication, this analysis is conducted with every user interaction. The ability to conduct these analyses in real or near-real time is crucial to quickly preventing or mitigating cyber threats.
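An added Python example (not code from the original page) that applies three of the rules listed above to a constructed sign-in log: a burst of failed logins in a short window, a success from a location or device outside the user's baseline, and two successes from different countries closer together than a person could travel. The log format, the baseline and the thresholds are assumptions for illustration; a real UEBA engine learns the baseline from history rather than being handed it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Constructed sample sign-in log (not real data). One event per line:
# <UTC timestamp> user=<id> result=OK|FAIL src=<ip> geo=<country> device=<device id>
SAMPLE_LOG = """\
2024-03-01T09:00:00Z user=alice result=OK src=198.51.100.10 geo=GB device=laptop-a1
2024-03-01T09:05:00Z user=alice result=OK src=198.51.100.10 geo=GB device=laptop-a1
2024-03-01T09:20:00Z user=bob result=OK src=203.0.113.7 geo=DE device=phone-b1
2024-03-01T09:25:00Z user=alice result=OK src=192.0.2.99 geo=US device=laptop-a1
2024-03-01T13:00:01Z user=bob result=FAIL src=192.0.2.44 geo=RU device=unknown
2024-03-01T13:00:10Z user=bob result=FAIL src=192.0.2.44 geo=RU device=unknown
2024-03-01T13:00:20Z user=bob result=FAIL src=192.0.2.44 geo=RU device=unknown
2024-03-01T13:00:30Z user=bob result=FAIL src=192.0.2.44 geo=RU device=unknown
2024-03-01T13:00:40Z user=bob result=FAIL src=192.0.2.44 geo=RU device=unknown
2024-03-01T13:00:50Z user=bob result=OK src=192.0.2.44 geo=RU device=unknown
"""

# Per-user baseline of countries and devices seen in earlier successful sign-ins (constructed).
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"geos": {"GB"}, "devices": {"laptop-a1"}},
    "bob": {"geos": {"DE"}, "devices": {"phone-b1"}},
}

Alert = Tuple[str, str, datetime]  # (user, alert kind, time of the triggering event)


def parse_line(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyse(lines: Iterable[str], baseline: Dict[str, Dict[str, Set[str]]],
            fail_threshold: int = 5, fail_window: timedelta = timedelta(seconds=60),
            travel_window: timedelta = timedelta(minutes=30)) -> List[Alert]:
    """Single pass over chronologically ordered events, keeping only small per-user state."""
    alerts: List[Alert] = []
    recent_fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    burst_open: Set[str] = set()  # users already alerted for the current failure burst
    last_success: Dict[str, Tuple[datetime, str]] = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        fails = recent_fails[user]
        while fails and ts - fails[0] > fail_window:  # slide the failure window forward
            fails.popleft()
        if not fails:
            burst_open.discard(user)  # window drained: a later burst alerts again
        if rec["result"] != "OK":
            fails.append(ts)
            if len(fails) >= fail_threshold and user not in burst_open:
                alerts.append((user, "failed_login_burst", ts))
                burst_open.add(user)
            continue
        # A success right after a burst is the strongest signal of a guessed password.
        if len(fails) >= fail_threshold:
            alerts.append((user, "success_after_failure_burst", ts))
        profile = baseline.get(user, {"geos": set(), "devices": set()})
        if rec["geo"] not in profile["geos"]:
            alerts.append((user, "unfamiliar_location", ts))
        if rec["device"] not in profile["devices"]:
            alerts.append((user, "unfamiliar_device", ts))
        if user in last_success:
            prev_ts, prev_geo = last_success[user]
            if prev_geo != rec["geo"] and ts - prev_ts <= travel_window:
                alerts.append((user, "impossible_travel", ts))
        last_success[user] = (ts, rec["geo"])
    return alerts


if __name__ == "__main__":
    for user, kind, when in analyse(SAMPLE_LOG.splitlines(), BASELINE):
        print(f"{when.isoformat()} {user:6} {kind}")
```

Each alert kind here would feed an adaptive authentication or risk-scoring decision rather than stand alone: an unfamiliar location on its own might only step up to MFA, while a success immediately after a failure burst from a new country justifies revoking the session and forcing a credential reset.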
The Future of Identity and Access Management
The need for identity and access management is increasingly supported with the rise of remote work and use of mobile devices. Users expect to be able to work on their preferred devices no matter where they are located and can be naïve about unsecured networks and other risks, even with increased frequency and depth of workplace cybersecurity training. Without the right IAM solution, IT teams often place growth initiatives in backlog to manage user requests and deal with cyber threats associated with the larger attack surfaces generated by this flexibility.
The ability to grow and adapt IAM solutions quickly as the understanding of cyber risk deepens is crucial to safeguarding the assets of the enterprise. Organisations will also benefit from increased security options via evolutions of next-generation antivirus software, host-based firewalls, and endpoint detection and response (EDR). As the enterprise's digital ecosystem continues to evolve, so too will identity and access management.
Future Elements of Identity Security
- Integrated identity program: Identity is integrated with machine identities, the cloud, APIs, and data protection
- Dynamic trust models: AI models adjust authorisation based on behaviour and interaction history
- Universal ID: Merged identities are federated and universal; “bring your own identity” is the norm
- Frictionless access: Universal biometrics across physical, digital, and phone include sophisticated privacy protocols
Secure the Enterprise with IAM
Identity and access management is a key element of the enterprise security program because it insulates critical assets and systems from inadvertently or purposefully created network entry points that might otherwise be exploited by cybercriminals. Enterprises that acquire robust identity and access management capabilities and build mature programs benefit not only from lower identity management budgets, but from the ability to quickly and seamlessly pivot in response to new business challenges and opportunities.