Identity And Access Management (IAM) – A Complete Guide

Describing Identity Management

Identity Management (IDM), or Identity Access Management (IAM), is a user access management tool that controls the process of defining and managing all roles, access rights, or privileges for all of your network users. 

IAM ensures that all of your users have the correct access to the resources that they need to do their daily work.

But... there is a lot more to it...

Identity Management typically means controlling the access for every individual in your organization to software applications and third-party resources or services that your company uses.

Additionally, IDM controls the circumstances in which users are granted/denied privileges to those assets through access policies.

Should Erin have access to our WordPress site? Should she be a Standard User, an Editor, or should she have Administrative Access to WordPress, but nothing else?

IAM Example

Let's take a look at how an IAM Solution might look in a typical E-Commerce company with 20-100 employees. 

In this example, we are only going to take a look at 6 sample employees, and we are assuming this company is only using about 6 applications. In all likelihood, they are using many more. 

Each employee may or may not have access to each application, and if they do have access, they may have a different set of rights, or entitlements within that application. 

Additionally, this company is utilizing four "Roles" which can be used to auto-assign users specific applications based on that job role, also known as Role-Based Access Control.

This kind of control and visability allows the IT team to limit the number of elevated accounts that could potentially be compromised, and see who has what access to applications, and at what level of access, at all times. 

This process is somewhat easy to manage with a handful of applications, and a handful of Users.

However ...

According to the 2020 Blissfully annual report, small businesses today use over 100 different applications, with large companies using more than 200 on average!

To complicate things, each of these Applications may have 2-20 different privileged role levels.

When you consider the number of Applications businesses use today, multiplied by 20, 200, or 2000 employees, consultants, and partners, managing who has access to what becomes an overwhelming task.

The User Management Solution For More Industries

Traditionally Identity Management products have been a crucial part of large Enterprise IT environments. However, they were typically restricted to the largest businesses, that is, until now.

As cybersecurity concerns continue to escalate and technology becomes more affordable (as well as critical), IAM is becoming a vital part of every organization's security foundation regardless of size.

The overarching goal of Identity Management is to create an easy to use, centralized solution that grants secure access to systems across all corporate networks.  That's an idea even a business with two people needs to have a solution for. 

By creating trackable and auditable identities for every user, companies of any size can maintain compliance with outside regulators. Once that digital identity has been created, it must be maintained, modified, and monitored throughout the user's lifecycle, this process can be laborious with only a few users, without centralized management.

What are the steps of Identity Management?

The IAM process begins with on-boarding a new user to your network and providing the appropriate access to company resources.

After onboarding, users can create access requests for additional resources. Access requests from users may be processed or declined. 

These changes to a user's rights for applications and network resources will change throughout their lifetime in the network/company Also known as the user lifecycle.

Finally, when a user leaves the network, the off-boarding of that user is needed in a timely fashion.

What do Identity Management products and services do?

IAM systems provide administrators the tools and technologies needed to change a user's role, track user activities, create reports on those activities, and enforce organizational policies on an ongoing basis.

IAM is designed to provide a way of administering user access across an entire organization.

Additionally, IAM is often used to ensure compliance with corporate policies and government regulations.

What Do Identity management systems Include?

Identity and management technologies include, but aren't limited to:

• Password-Management Tools
• Single Sign-On tools
• Multi-Factor Authentication
• Provisioning Software
• Access Control Policy Enforcement Applications
• Reporting and Monitoring Applications
• Identity Repositories.

Identity Management Systems are available in on-premises systems, as well as cloud-based systems.

How do IAM systems work?

In the past, typical IAM systems were comprised of four essential parts:

1. A directory of personal data the system uses to define individual users.
2. A set of tools for adding, modifying, and deleting that data.
3. A system that regulates user access.
4. An auditing and reporting system.

Regulating user access has traditionally involved several authentication methods for verifying the identity.

Typically, authentication would be completed using a combination of passwords, digital certificates, tokens, and devices or smart cards.

Hardware tokens and smart cards have served as one component in two-factor authentication, which combines something you know, like your password, with something you have, the token or the smart card.

To verify your identity, a smart card carries an embedded integrated circuit chip that can be either a secure microcontroller, similar intelligence with internal memory, or a memory chip alone.

Software tokens can exist on any device with storage capabilities like a USB drive to a cell phone.

In today's complex environments, along with heightened security threats, a strong user name and password no longer cut it.

Today, Identity and Access Management Systems incorporate elements of biometrics, machine learning, artificial intelligence, and risk-based authentication, to tighten security measures.

At the user level, authentication methods provide better protection for user identities.

What makes a good IAM system?

IAM systems must be flexible and robust, to handle the complexities of today's computing environment.

One reason IAMs have become more complex is the current standard of most organization's computing environments.

Previously, users mostly worked with on-premises identity Management Solutions that authenticated and tracked users as they worked on-premises (in the building).

There used to be a security wall around the premises, but today, that wall isn't there anymore.

Today, Identity Management Systems must enable administrators to easily manage access privileges for a variety of users.

Today's users are within hybrid environments that encompass on-premises computing, software as a service (SaaS) applications, shadow IT, partners, and work from home users.

Today's computing architectures include UNIX, Windows, Macintosh, iOS, Android, and even internet of things (IoT) devices.

Ultimately, the Identity and Access Management System should create a centralized and scalable architecture across your entire business.

Recently, identity-as-a-service (IDaaS) providers such as IDHub, have evolved as third-party managed services, offered within cloud environments on a subscription basis.

Do I need an IAM system?

The short answer, most likely, yes.

Identity and Access Management is a vital part of any organization's security plan.

According to McAfee, the cost of cybercrime  in 2020 was nearly 1 Trillion dollars.

The benefits of Identity Management are not just security.

The productivity of an organization can make or break a business in today's digitally enabled world.

Some of the latest data shows that Users are wasting up to 30% of their time resetting their passwords.

Additionally, your IT departments are routinely spending 50% of their time resetting passwords for users.

IDM for Cybersecurity

The FBI's report on cyber-crime for 2020 shows the total number of victims due to password phishing is not only the number one crime, it beats out the next three combined.

Compromised user credentials often serve as an entry point into an organization's system and network, resulting in access to its information and assets.

Organizations use Identity and Access Management to protect their digital information against the rising threats of ransomware, criminal hacking, phishing, and all other malware attacks.

Global ransomware damage costs alone are estimated to have exceeded $20 billion in 2020.

In many organizations, users will sometimes have more access privileges than necessary.

A vigorous IAM system will eliminate passwords.

Users without passwords add an important level of protection, ensuring consistent user access rules and policies across the whole organization.

What IAM means for compliance management

Most governments require organizations to care about Identity Management.

Regulatory bodies such as Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA hold organizations accountable for protecting access to customer and employee information.

Identity Management Systems help organizations comply with these regulations.

The General Data Protection Regulation (GDPR) is a recent regulation that requires strong security and user access controls.

GDPR mandates that organizations protect the personal data and privacy of European Union citizens.

As of May 2018, the GDPR affects every organization that does business within EU countries and/or has European customers.

On March 1st, 2017, the New York's Department of Financial Services (NYDFS) new cybersecurity regulations went into effect.

The NYDFS regulations determine the requirements for the security operations of financial services companies that operate in New York.

The NYDFS regulations include the need to monitor the activities of authorized users and maintain audit logs, something Identity Management Systems normally perform.

By automating user access to networks and data, Identity Management Systems assist or completely relieve IT support from that responsibility.

Global cybersecurity workforce shortages, combined with the penalties for non-compliance with industry regulations, can cost an organization millions if not, billions of dollars.

The Future of IAM and IDM

As the world of IAM and Privileged Identity Management becomes more mainstream, systems are improving upon pre-existing standards both in speed and usability.

The newest IDM solutions are taking identity out of the hands of the IT department, and putting it into the hands of regular employees.

Advanced Privileged Identity Management tools are providing ways for managers, HR, and users to create custom workflows, shared resources, custom forms, and self-service requests for both applications and service requests to give them access to control systems like never before.

Additional Advantages of Using Identity Management

Implementing an Identity and Access Management System and associated best practices can give your organization a significant competitive advantage.

Nowadays, organizations need to grant users outside the organization access to internal systems.

Opening your network to customers, partners, suppliers, contractors, and employees will increase efficiency and lower operating costs.

Identity and Access Management Systems allow an organization to extend access to its information systems across a variety of on-premises applications, mobile apps, and SaaS tools, without having to compromise security.

Providing greater access to outsiders can drive collaboration throughout the organization, enhancing productivity, employee satisfaction, research and development, and revenue.

IAM can decrease the volume of calls the IT support help-desk team gets, freeing them up to work on other projects.

Identity and Access Management Systems allow administrators to automate time-consuming and costly tasks.

Well-managed identities mean greater control of user access. This translates into a reduced risk of internal and external breaches.

This is important because, along with the rising of external threats, internal attacks are becoming more frequent.

Approximately 60 percent of all data breaches are caused by an organization's own employees, according to IBM's 2016 Cyber Security Intelligence Index.

Of the attacks caused by internal breaches, 75% were malicious in intent, and 25% percent were accidental. Restricting users' access to only what they need, when they need it, can remove the risk of preventable accidental damage.

Quality IAM Systems designed today provide scalable features to ensure that an organization can grow quickly, and when needed, stay compliant.

The move to multi-factor Authentication

As if we hadn't had enough change, most organizations are transitioning from two-factor to three-factor authentication methods.

Three-factor or multi-factor authentication combines multiple verification methods.

Multi-factor usually includes something you or your system knows, like your username and password, with something you have (typically a smartphone or tablet), and finally, something about you...

Bio-metric scanning including facial recognition, iris scanning, or fingerprint sensors, are all part of the new multi-factor authentication.

Sophisticated IAM features

At the administration level, today's Identity and Access Management Systems offer more advanced user auditing and reporting tools, such as context-aware network access control and risk-based authentication (RBA).

Context-aware network access control is based on pre-determined policies.

For example, IP addresses that are not on a whitelist can be blocked.

If devices do not have certificates indicating they are managed, context-aware network access can enhance the authentication process.

Risk-based Authentication, RBA, is more dynamic and usually enabled with some level of artificial intelligence.

RBA combines risk scoring with machine learning to user authentication by dynamically applying various levels of strictness.

With RBA, the higher the risk, the more restrictive the authentication process will be for a user.

A change in a user's geographic location or IP address would trigger additional authentication requirements before the user can access the company's network or system.

What is federated identity management?

Federated Identity Management allows a user to share digital IDs with trusted partners.

It's an authentication-sharing instrument that allows users to use the same user name, password, or other ID to gain access to more than one network.

Single Sign-On (SSO) is an important feature of federated ID management.

A single sign-on standard allows users who verify their identity on one network, website, or app, to carry over that authenticated status when moving from network to network.

The single sign-on model works only among cooperating organizations, known as trusted partners, which essentially vouch for each other's users.

Open-Source Identity Management Tools?

Authorization messages between trusted partners are usually sent using Security Assertion Markup Language (SAML).

SAML defines an XML framework for exchanging security assertions among security authorities.

SAML achieves interoperability across different vendor platforms that provide authentication and authorization services.

SAML isn't the only open-standard identity protocol. Others include OpenID, WS-Trust and WS-Federation, and OAuth, which lets a user's account information be used by third-party services such as Facebook, without exposing the user's password.

What are the challenges or risks of implementing IAM?

Successful implementation of Identity and Access Management, requires planning and collaboration across all departments.

Organizations that establish a cohesive Identity and Access Management strategy, consisting of clear objectives, stakeholder buy-in, and defined business processes, before they begin the project, are more likely to be most successful.

Identity and Access Management works best when you have human resources, IT, security, and all other departments involved.

Identity information can come from multiple places, such as Microsoft Active Directory (AD) or a human resources app.

An Identity Management System must be able to synchronize the user identity information across all these systems, providing a single source of truth.

With the shortage of qualified IT security people, the importance of quality Identity and access management systems has risen drastically.

IAM systems must allow an organization to manage a variety of users in different situations and environments, automatically and in real-time.

Manually adjusting access privileges and controls for hundreds or thousands of users isn't feasible or economical.

For example, de-provisioning departing employees can fall through the cracks, especially when needing to be done manually.

Reporting an employee's departure from the company and then automatically de-provisioning access across all the apps, services, and hardware they used, requires an automated and comprehensive Identity and Access Management solution.

For authentication to be successful, it must consist of three things:

1. Easy for users to adopt and perform
2. Easy for IT to deploy
3. Most importantly, it must be secure

The Importance of devices for Identity Management

Mobile devices have become the center for authentication.

Smartphones, tablets, and even smart devices provide valuable information that can be used during authentication.

Devices routinely provide:

• Current Geolocation
• IP Address
• Browser
• Other Identifiable Data

What IAM terms should I know?

Industry buzzwords come and go, but a few key terms in the Identity and Access Management space are worth knowing:

• Access Management: Refers to the processes and technologies used to control and monitor network access. Access management features, such as authentication, authorization, trust, and security auditing are part and parcel of the top ID management systems for both on-premises and cloud-based systems.
• Access Control Policy: An internal document that is created to define the company's policies, procedures, protocols, and security considerations for all user and device connectivity to your business network
• Active Directory (AD): Microsoft developed AD as a user-identity directory service for Windows domain networks. Though proprietary, AD is included in the Windows Server Operating System and is thus widely deployed.
• Biometric Authentication: A security process for authenticating users that relies upon the user's unique characteristics. Biometric authentication technologies include fingerprint sensors, iris, and retina scanning, and facial recognition.
• Context-Aware Network Access Control: This is a policy-based method of granting access to network resources according to the current context of the user seeking access.
• Credential: An identifier employed by the user to gain access to a network such as a user's password, public key infrastructure (PKI) certificate, or biometric information (fingerprint, iris scan).
• De-Provisioning: The process of removing an identity from an ID repository and removing access privileges.
• Digital Identity: The ID of a person, including the description of the user and their access privileges.
• Entitlement: The set of attributes that specify the access rights and privileges of an authenticated security principal.
• Identity as a Service (IDaaS): Cloud-based IDaaS offers Identity and Access Management functionality to an organization's systems that reside on-premises and/or in the cloud.
• Identity Lifecycle Management: Refers to the entire set of processes and technologies for maintaining and updating digital identities.
• Identity Synchronization: The process of ensuring that multiple identity stores contain consistent data for a given digital ID.
• Lightweight Directory Access Protocol (LDAP): This is an open standards-based protocol for managing and accessing a distributed directory service.
• Multi-Factor Authentication (MFA): MFA is when more than a single factor, such as a user name and password, is required for authentication to a network or system. At least one additional step is also required, such as receiving a code sent via SMS to a smartphone, inserting a smart card or USB stick, or satisfying a biometric authentication requirement, such as a fingerprint scan.
• Password Reset: In this context, it's a feature of an ID management system that allows users to re-establish their own passwords, relieving the administrators of the job and cutting support calls. The reset application is often accessed by the user through a browser. The application asks for a secret word or a set of questions to verify the user's identity.
• Privileged Account Management: Refers to managing and auditing accounts and data access based on the privileges of the user. A privileged user, for example, would be able to set up and delete user accounts and roles.
• Provisioning: The process of creating identities, defining their access privileges, and adding them to an ID repository.
• Risk-Based Authentication (RBA): Risk-based Authentication dynamically adjusts authentication requirements based on the user's situation at the moment Authentication is attempted.
• Security Principal: A digital identity with one or more credentials that can be authenticated and authorized to interact with the network.
• Single Sign-On (SSO): A type of access control for multiple related but separate systems. With a single username and password, a user can access systems without using different credentials.
• User Behavior Analytics (UBA): UBA technologies examine patterns of user behavior and automatically apply algorithms and analysis to detect important anomalies that may indicate potential security threats. UBA differs from other security technologies, which focus on tracking devices or security events.