What is IAM? Identity and access management explained

IAM products provide IT managers with tools and technologies for controlling user access to critical information within an organization.
IAM definition
Identity and access management (IAM) in enterprise IT is about defining and managing the roles and access privileges of individual network users and the circumstances in which users are granted (or denied) those privileges. Those users might be customers (customer identity management) or employees (employee identity management). The core objective of IAM systems is one digital identity per individual. Once that digital identity has been established, it must be maintained, modified and monitored throughout each user’s “access lifecycle.”
Thus, the overarching goal of identity management is to “grant access to the right enterprise assets to the right users in the right context, from a user’s system onboarding to permission authorizations to the offboarding of that user as needed in a timely fashion,” according to Yassir Abousselham, senior vice president and chief security officer for Okta, an enterprise identity and access management provider.
IAM systems provide administrators with the tools and technologies to change a user’s role, track user activities, create reports on those activities, and enforce policies on an ongoing basis. These systems are designed to provide a means of administering user access across an entire enterprise and to ensure compliance with corporate policies and government regulations.
IAM tools
Identity and management technologies include (but aren’t limited to) password-management tools, provisioning software, security-policy enforcement applications, reporting and monitoring apps and identity repositories. Identity management systems are available for on-premises systems, such as Microsoft SharePoint, as well as for cloud-based systems, such as Microsoft Office 365.
In its Tech Tide: Identity and Access Management, Q4 2017, Forrester Research identified six IAM technologies with low maturity, but high current business value:
- API security enables IAM for use with B2B commerce, integration with the cloud, and microservices-based IAM architectures. Forrester sees API security solutions being used for single sign-on (SSO) between mobile applications or user-managed access. This would allow security teams to manage IoT device authorization and personally identifiable data.
- Customer identity and access management (CIAM) allows “comprehensive management and authentication of users; self-service and profile management; and integration with CRM, ERP, and other customer management systems and databases,” according to the report.
- Identity analytics (IA) will allow security teams to detect and stop risky identity behaviors using rules, machine learning, and other statistical algorithms.
- Identity as a service (IDaaS) includes “software-as-a-service (SaaS) solutions that offer SSO from a portal to web applications and native mobile applications as well as some level of user account provisioning and access request management,” according to the report.
- Identity management and governance (IMG) provides automated and repeatable ways to govern the identity life cycle. This is important when it comes to compliance with identity and privacy regulations.
- Risk-based authentication (RBA) solutions “take in the context of a user session and authentication and form a risk score. The firm can then prompt high-risk users for 2FA and allow low-risk users to authenticate with single factor (e.g., username plus password) credentials,” according to the report. (For more on authentication, see “Ready for more secure authentication? Try these password alternatives and enhancements.”)
IAM systems must be flexible and robust enough to accommodate the complexities of today’s computing environment. One reason: An enterprise’s computing environment used to be largely on-premises, and identity management systems authenticated and tracked users as they worked on-premises, says Jackson Shaw, vice president of product management for identity and access management provider One Identity. “There used to be a security fence around the premises,” Shaw noted. “Today, that fence isn’t there anymore.”
As a consequence, identity management systems today should enable administrators to easily manage access privileges for a variety of users, including domestic on-site employees and international off-site contractors; hybrid compute environments that encompass on-premise computing, software as a service (SaaS) applications and shadow IT and BYOD users; and computing architectures that include UNIX, Windows, Macintosh, iOS, Android and even internet of things (IoT) devices.
Ultimately, the identity and access management system should enable centralized management of users “in a consistent and scalable way across the enterprise,” says Abousselham.
In recent years, identity-as-a-service (IDaaS) has evolved as a third-party managed service offered over the cloud on a subscription basis, providing identity management to a customer’s on-premises and cloud-based systems.
Why do I need IAM?
Identity and access management is a critical part of any enterprise security plan, as it is inextricably linked to the security and productivity of organizations in today’s digitally enabled economy.
Compromised user credentials often serve as an entry point into an organization’s network and its information assets. Enterprises use identity management to safeguard their information assets against the rising threats of ransomware, criminal hacking, phishing and other malware attacks. Global ransomware damage costs alone are expected to exceed $5 billion this year, up 15 percent from 2016, Cybersecurity Ventures predicted.
In many organizations, users sometimes have more access privileges than necessary. A robust IAM system can add an important layer of protection by ensuring a consistent application of user access rules and policies across an organization.
Identity and access management systems can enhance business productivity. The systems’ central management capabilities can reduce the complexity and cost of safeguarding user credentials and access. At the same time, identity management systems enable workers to be more productive (while staying secure) in a variety of environments, whether they’re working from home, the office, or on the road.
What IAM means for compliance management
Many governments require enterprises to care about identity management. Regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA hold organizations accountable for controlling access to customer and employee information. Identity management systems can help organizations comply with those regulations.
The General Data Protection Regulation (GDPR) is a more recent regulation that requires strong security and user access controls. GDPR mandates that organizations safeguard the personal data and privacy of European Union citizens. Effective May 2018, the GDPR affects every company that does business in EU countries and/or has European citizens as customers.
On March 1, 2017, the state of New York’s Department of Financial Services (NYDFS) new cybersecurity regulations went into effect. The regulations prescribe many requirements for the security operations of financial services companies that operate in New York, including the need to monitor the activities of authorized users and maintain audit logs—something identity management systems typically do.
By automating many aspects of providing secure user access to enterprise networks and data, identity management systems relieve IT of mundane but important tasks and help them stay in compliance with government regulations. These are critical benefits, given that today, every IT position is a security position; there’s a persistent, global cybersecurity workforce shortage; and penalties for not being compliant with relevant regulations can cost an organization millions or even billions of dollars.
What are the benefits of IAM systems?
Implementing identity and access management and associated best practices can give you a significant competitive advantage in several ways. Nowadays, most businesses need to give users outside the organization access to internal systems. Opening your network to customers, partners, suppliers, contractors and, of course, employees can increase efficiency and lower operating costs.
Identity management systems can allow a company to extend access to its information systems across a variety of on-premises applications, mobile apps, and SaaS tools without compromising security. By providing greater access to outsiders, you can drive collaboration throughout your organization, enhancing productivity, employee satisfaction, research and development, and, ultimately, revenue.
Identity management can decrease the number of help-desk calls to IT support teams regarding password resets. Identity management systems allow administrators to automate these and other time-consuming, costly tasks.
An identity management system can be a cornerstone of a secure network, because managing user identity is an essential piece of the access-control picture. An identity management system all but requires companies to define their access policies, specifically outlining who has access to which data resources and under which conditions they have access.
Consequently, well-managed identities mean greater control of user access, which translates into a reduced risk of internal and external breaches. This is important because, along with the rising number of external threats, internal attacks are all too frequent. Approximately 60 percent of all data breaches are caused by an organization’s own employees, according to IBM’s 2016 Cyber Security Intelligence Index. Of those, 75 percent were malicious in intent; 25 percent were accidental.
As mentioned previously, IAM systems can bolster regulatory compliance by providing the tools to implement comprehensive security, audit and access policies. Many systems now provide features designed to ensure that an organization is in compliance.
How IAM works
In years past, a typical identity management system comprised four basic elements: a directory of the personal data the system uses to define individual users (think of it as an identity repository); a set of tools for adding, modifying and deleting that data (related to access lifecycle management); a system that regulates user access (enforcement of security policies and access privileges); and an auditing and reporting system (to verify what’s happening on your system).
Regulating user access has traditionally involved a number of authentication methods for verifying the identity of a user, including passwords, digital certificates, tokens and smart cards. Hardware tokens and credit-card-sized smart cards served as one component in two-factor authentication, which combines something you know (your password) with something you have (the token or the card) to verify your identity. A smart card carries an embedded integrated circuit chip that can be either a secure microcontroller or equivalent intelligence with internal memory or a memory chip alone. Software tokens, which can exist on any device with storage capability, from a USB drive to a cell phone, emerged in 2005.
In today’s complex compute environments, along with heightened security threats, a strong user name and password doesn’t cut it anymore. Today, identity management systems often incorporate elements of biometrics, machine learning and artificial intelligence, and risk-based authentication.
At the user level, recent user authentication methods are helping to better protect identities. For example, the popularity of Touch ID-enabled iPhones has familiarized many people with using their fingerprints as an authentication method. Newer Windows 10 computers offer fingerprint sensors or iris scanning for biometric user authentication. The next iPhone, due out later this year, is rumored to include iris scanning or facial recognition to authenticate users instead of fingerprint scanning.
The move to multi-factor authentication
Some organizations are moving from two-factor to three-factor authentication, says Abousselham, combining something you know (your password), something you have (a smartphone), and something you are (facial recognition, iris scanning or fingerprint sensors). “When you go from two-factor to three, you have more assurance that you’re dealing with the correct user,” he says.
At the administration level, today’s identity management systems offer more advanced user auditing and reporting, thanks to technologies such as context-aware network access control and risk-based authentication (RBA).
Context-aware network access control is policy-based. It predetermines an event as well as its outcome based on various attributes, says Joe Diamond, Okta’s director of products. For example, if an IP address isn’t whitelisted, it may be blocked. Or if there isn’t a certificate that indicates a device is managed, then context-aware network access control might step up the authentication process.
By comparison, RBA is more dynamic and is often enabled by some level of AI. With RBA, “you’re starting to open up risk scoring and machine learning to an authentication event,” Diamond says.
Risk-based authentication dynamically applies various levels of strictness to authentication processes according to the current risk profile. The higher the risk, the more restrictive the authentication process becomes for a user. A change in a user’s geographic location or IP address may trigger additional authentication requirements before that user can access the company’s information resources.
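The difference between the two approaches is easier to see side by side. The following Python sketch is an added example, not code from Okta or any IAM product: the allowed networks, score weights, thresholds and the "deny" outcome are assumptions chosen for illustration, and the login data is constructed.

```python
"""Added example: a static context-aware policy next to a risk-based score."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed policy values (assumptions, not taken from any product).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
WEIGHTS = {"new_ip": 30, "new_country": 40, "unmanaged_device": 20}
STEP_UP_THRESHOLD = 30   # at or above: require a second factor
DENY_THRESHOLD = 80      # at or above: refuse the login (assumed outcome)


@dataclass
class LoginContext:
    user: str
    ip: str
    country: str
    managed_device: bool  # True if a managed-device certificate was presented


@dataclass
class UserHistory:
    known_ips: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


def context_aware_decision(ctx):
    """Predetermined rules: each attribute maps to a fixed outcome."""
    addr = ip_address(ctx.ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return "deny"          # IP address is not on the allowlist
    if not ctx.managed_device:
        return "step_up"       # no certificate showing a managed device
    return "allow"


def risk_score(ctx, history):
    """Score how far this login departs from the user's own history."""
    score = 0
    if ctx.ip not in history.known_ips:
        score += WEIGHTS["new_ip"]
    if ctx.country not in history.known_countries:
        score += WEIGHTS["new_country"]
    if not ctx.managed_device:
        score += WEIGHTS["unmanaged_device"]
    return score


def risk_based_decision(ctx, history):
    """The higher the score, the stricter the authentication requirement."""
    score = risk_score(ctx, history)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


# Constructed sample data for one user.
SAMPLE_HISTORY = UserHistory(known_ips={"203.0.113.10"}, known_countries={"US"})
SAMPLE_LOGINS = [
    LoginContext("alice", "203.0.113.10", "US", True),   # usual office login
    LoginContext("alice", "192.0.2.55", "US", True),     # new IP, same country
    LoginContext("alice", "203.0.113.10", "US", False),  # known IP, unmanaged device
    LoginContext("alice", "192.0.2.55", "BR", False),    # everything is new
]

if __name__ == "__main__":
    for ctx in SAMPLE_LOGINS:
        print(ctx.ip, ctx.country, ctx.managed_device,
              context_aware_decision(ctx),
              risk_score(ctx, SAMPLE_HISTORY),
              risk_based_decision(ctx, SAMPLE_HISTORY))
```

The second sample login shows the contrast: the static policy blocks it outright because the address is not on the allowlist, while the risk-based decision only asks for a second factor because the rest of the context matches the user's history.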
What is federated identity management?
Federated identity management lets you share digital IDs with trusted partners. It’s an authentication-sharing mechanism that allows users to employ the same user name, password or other ID to gain access to more than one network.
Single sign-on (SSO) is an important part of federated ID management. A single sign-on standard lets people who verify their identity on one network, website or app carry over that authenticated status when moving to another. The model works only among cooperating organizations—known as trusted partners—that essentially vouch for each other’s users.
Are IAM platforms based on open standards?
Authorization messages between trusted partners are often sent using Security Assertion Markup Language (SAML). This open specification defines an XML framework for exchanging security assertions among security authorities. SAML achieves interoperability across different vendor platforms that provide authentication and authorization services.
SAML isn’t the only open-standard identity protocol, however. Others include OpenID, WS-Trust (short for Web Services Trust) and WS-Federation (which have corporate backing from Microsoft and IBM), and OAuth (pronounced “Oh-Auth”), which lets a user’s account information be used by third-party services such as Facebook without exposing the password.
What are the challenges or risks of implementing IAM?
Dimensional Research released a report, Assessment of Identity and Access Management in 2018, in October 2018 based on a survey of more than 1,000 IT security professionals. Sponsored by IAM solution provider One Identity, the report asked those professionals about their biggest IAM challenges.
Not surprisingly, 59 percent said that data protection was their biggest concern about their organization using IAM. Only 15 percent said they were completely confident their organization would not be hacked due to their access control system.
IAM systems hold the keys to some of a company’s most valuable assets and critical systems, so the consequences of an IAM system failing are great. Specific concerns include disgruntled employees sharing sensitive data (27 percent), the CIO being interviewed on TV because of a data breach due to bad IAM, and finding their username/password lists posted to the dark web.
“The concept of putting all your eggs in one basket is scary,” says One Identity’s Shaw, “but if you don’t unify the fundamentals of IAM you will never reduce risk. So the correct path is to arrive at a single approach (not necessarily a single solution) that provides all the scope, security and oversight you need (and were probably struggling to get with older projects) across everything, all user types, and all access scenarios.”
Security professionals are also concerned about integrating IAM with legacy systems (50 percent), moving to the cloud (44 percent), and employees using unapproved technology (43 percent).
Much of that concern stems not from the current IAM technology itself, but from their organization’s ability to implement it well, believes Shaw. “People have always been doing IAM (i.e., authentication, authorization and administration). It’s just that now they are beginning to realize that doing those things poorly puts them at heightened risk and leaves the door open to bad actors doing bad things,” he says.
“The biggest challenge is that old practices that were put in place to secure legacy systems simply don’t work with newer technologies and practices,” Shaw adds, “so often people have to reinvent the wheel and create duplicate workloads and redundant tasks. If the legacy practice was done poorly, trying to reinvent it on a newer paradigm will go poorly as well.”
Shaw sees confidence and trust in IAM growing as companies gain experience administering the solutions, but that depends on how well that administration is executed. “Organizations are more-and-more learning that they can actually unify their administration approach, streamline operations, remove much of the workload from IT and place it in the hands of the line-of-business, and place themselves in an audit-ready stance rather than a reactive stance,” he says.
A successful implementation of identity and access management requires forethought and collaboration across departments. Companies that establish a cohesive identity management strategy—clear objectives, stakeholder buy-in, defined business processes—before they begin the project are likely to be most successful. Identity management works best “when you have human resources, IT, security and other departments involved,” says Shaw.
Often, identity information may come from multiple repositories, such as Microsoft Active Directory (AD) or human resources applications. An identity management system must be able to synchronize the user identity information across all these systems, providing a single source of truth.
Given the shortage of IT people today, identity and access management systems must enable an organization to manage a variety of users in different situations and computing environments—automatically and in real-time. Manually adjusting access privileges and controls for hundreds or thousands of users isn’t feasible.
For example, de-provisioning access privileges for departing employees can fall through the cracks, especially when done manually, which is too often the case. Reporting an employee’s departure from the company and then automatically de-provisioning access across all the apps, services and hardware he or she used requires an automated, comprehensive identity management solution.
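A reconciliation check of this kind can be sketched in a few lines of Python. This is an added example, not part of any vendor's product: the HR export, the per-system account inventories and the field names are constructed for illustration, and matching accounts to people by e-mail address is an assumption.

```python
"""Added example: find accounts that outlived the HR record behind them."""
from datetime import date

# Constructed HR export (the "single source of truth" in this sketch).
HR_RECORDS = [
    {"employee_id": "E100", "email": "a.ng@example.com",
     "status": "active", "end_date": None},
    {"employee_id": "E101", "email": "b.ruiz@example.com",
     "status": "terminated", "end_date": date(2024, 3, 1)},
]

# Constructed account inventories pulled from each system.
ACCOUNTS = {
    "directory": [
        {"login": "a.ng@example.com", "enabled": True},
        {"login": "b.ruiz@example.com", "enabled": False},  # disabled here...
    ],
    "crm": [
        {"login": "b.ruiz@example.com", "enabled": True},   # ...but missed here
        {"login": "svc-report@example.com", "enabled": True},
    ],
    "vpn": [
        {"login": "A.Ng@example.com", "enabled": True},     # case differs
    ],
}


def reconcile(hr_records, accounts, today):
    """Return (system, login, reason) for every enabled account that
    should not exist according to the HR records."""
    hr_by_email = {rec["email"].lower(): rec for rec in hr_records}
    findings = []
    for system, system_accounts in sorted(accounts.items()):
        for account in system_accounts:
            if not account["enabled"]:
                continue  # already de-provisioned in this system
            login = account["login"].lower()  # normalise before matching
            record = hr_by_email.get(login)
            if record is None:
                findings.append((system, login, "orphan: no HR record"))
            elif record["status"] == "terminated" and record["end_date"] <= today:
                days = (today - record["end_date"]).days
                findings.append(
                    (system, login, f"still enabled {days} days after departure"))
    return findings


if __name__ == "__main__":
    for system, login, reason in reconcile(HR_RECORDS, ACCOUNTS, date(2024, 3, 15)):
        print(f"{system:10} {login:28} {reason}")
```

Accounts with no HR record, such as service accounts, surface as orphans so that someone has to claim ownership of them rather than leave them unreviewed.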
Authentication must also be easy for users to perform, it must be easy for IT to deploy, and above all it must be secure, Abousselham says. This accounts for why mobile devices are “becoming the center of user authentication,” he added, “because smartphones can provide a user’s current geolocation, IP address and other information that can be leveraged for authentication purposes.”
One risk worth keeping in mind: Centralized operations present tempting targets to hackers and crackers. By putting a dashboard over all of a company’s identity management activities, these systems reduce complexity for more than the administrators. Once compromised, they could allow an intruder to create IDs with extensive privileges and access to many resources.
What IAM terms should I know?
Buzzwords come and go, but a few key terms in the identity management space are worth knowing:
- Access management: Access management refers to the processes and technologies used to control and monitor network access. Access management features, such as authentication, authorization, trust and security auditing, are part and parcel of the top ID management systems for both on-premises and cloud-based systems.
- Active Directory (AD): Microsoft developed AD as a user-identity directory service for Windows domain networks. Though proprietary, AD is included in the Windows Server operating system and is thus widely deployed.
- Biometric authentication: A security process for authenticating users that relies upon the user’s unique characteristics. Biometric authentication technologies include fingerprint sensors, iris and retina scanning, and facial recognition.
- Context-aware network access control: Context-aware network access control is a policy-based method of granting access to network resources according to the current context of the user seeking access. For example, a user attempting to authenticate from an IP address that hasn’t been whitelisted would be blocked.
- Credential: An identifier employed by the user to gain access to a network such as the user’s password, public key infrastructure (PKI) certificate, or biometric information (fingerprint, iris scan).
- De-provisioning: The process of removing an identity from an ID repository and terminating access privileges.
- Digital identity: The ID itself, including the description of the user and his/her/its access privileges. (“Its” because an endpoint, such as a laptop or smartphone, can have its own digital identity.)
- Entitlement: The set of attributes that specify the access rights and privileges of an authenticated security principal.
- Identity as a Service (IDaaS): Cloud-based IDaaS offers identity and access management functionality to an organization’s systems that reside on-premises and/or in the cloud.
- Identity lifecycle management: Similar to access lifecycle management, the term refers to the entire set of processes and technologies for maintaining and updating digital identities. Identity lifecycle management includes identity synchronization, provisioning, de-provisioning, and the ongoing management of user attributes, credentials and entitlements.
- Identity synchronization: The process of ensuring that multiple identity stores—say, the result of an acquisition—contain consistent data for a given digital ID.
- Lightweight Directory Access Protocol (LDAP): LDAP is an open standards-based protocol for managing and accessing a distributed directory service, such as Microsoft’s AD.
- Multi-factor authentication (MFA): MFA is when more than just a single factor, such as a user name and password, is required for authentication to a network or system. At least one additional step is also required, such as receiving a code sent via SMS to a smartphone, inserting a smart card or USB stick, or satisfying a biometric authentication requirement, such as a fingerprint scan.
- Password reset: In this context, it’s a feature of an ID management system that allows users to re-establish their own passwords, relieving the administrators of the job and cutting support calls. The reset application is often accessed by the user through a browser. The application asks for a secret word or a set of questions to verify the user’s identity.
- Privileged account management: This term refers to managing and auditing accounts and data access based on the privileges of the user. In general terms, because of his or her job or function, a privileged user has been granted administrative access to systems. A privileged user, for example, would be able to set up and delete user accounts and roles.
- Provisioning: The process of creating identities, defining their access privileges and adding them to an ID repository.
- Risk-based authentication (RBA): Risk-based authentication dynamically adjusts authentication requirements based on the user’s situation at the moment authentication is attempted. For example, when users attempt to authenticate from a geographic location or IP address not previously associated with them, those users may face additional authentication requirements.
- Security principal: A digital identity with one or more credentials that can be authenticated and authorized to interact with the network.
- Single sign-on (SSO): A type of access control for multiple related but separate systems. With a single username and password, a user can access a system or systems without using different credentials.
- User behavior analytics (UBA): UBA technologies examine patterns of user behavior and automatically apply algorithms and analysis to detect important anomalies that may indicate potential security threats. UBA differs from other security technologies, which focus on tracking devices or security events. UBA is also sometimes grouped with entity behavior analytics and known as UEBA.
IAM vendors
The identity and access management vendor landscape is a crowded one, consisting of both pureplay providers such as Okta and OneLogin and large vendors such as IBM, Microsoft and Oracle. Below is a list of leading players based on Gartner’s Magic Quadrant for Access Management, Worldwide, which was published in June 2017.
- Atos (Evidian)
- CA Technologies
- Centrify
- Covisint
- ForgeRock
- IBM Security Identity and Access Assurance
- i-Sprint Innovations
- Micro Focus
- Microsoft Azure Active Directory
- Okta
- OneLogin
- Optimal IdM
- Oracle Identity Cloud Service
- Ping
- SecureAuth