402- A B C, C Square Building Sarabhai Campus,Vadodara, Gujarat
support@inboxtechs.com

IAM: What is it? An Explanation of Identity and Access Management

Identity and Access Management Definition

A set of procedures, policies, and tools for defining and managing the roles and access privileges of individual network entities (users and devices) to a variety of cloud and on-premises applications is known as identity and access management (IAM).  

Users include customers, partners, and employees; devices include computers, smartphones, routers, servers, controllers, and sensors. The primary goal of an IAM system is one digital identity per person or item. Throughout the access lifecycle of each user or device, that digital identity must be maintained, modified, and monitored.

As a result, granting access to enterprise assets to which users and devices have access rights in a particular context is the overarching objective of identity management. This includes timely offboarding of users and devices, onboarding of systems and users, and authorization of permissions.

According to Andras Cser, VP and IAM analyst at Forrester Research, "since COVID has made physical boundaries irrelevant, identity has become more important." In addition to giving outside users greater access to their internal systems, more companies are moving toward remote users. Identity has emerged as the foundation for customer acquisition, management, and retention as digital transformation accelerates, he asserts. According to Gartner's most recent 2021 Planning Guide for IAM report, disruption caused by COVID has revealed weaknesses in many organizations' IAM architecture and greatly accelerated IAM evolution. IAM now powers the economy. 

Identity and Access Management tools

Administrators can change a user's role, track user activities, create reports on those activities, and enforce policies on an ongoing basis with the tools and technologies provided by IAM systems. These systems are made to make it possible to manage user access across an entire business and make sure that corporate policies and government regulations are followed.

"70% of global business executives plan to increase spending on IAM for their workforce over the next 12 months, as a continuation of remote work increases demand on IT and security teams," according to a March 2021 study of over 1,300 executives sponsored by Ping Identity. In addition, they discovered that, since the pandemic began, more than half of the surveyed businesses have made investments in brand-new IAM products.

Top Identity and Access Management tools include:

  1. CloudKnox Permissions Management Platform
  2. CyberArk
  3. ForgeRock
  4. Okta
  5. Microsoft Azure Active Directory
  6. Ping Identity Intelligent Identity Platform
  7. OneLogin Trusted Experience Platform
  8. SailPoint

IAM components

A typical identity management system has traditionally had four fundamental components: 

  • an identity directory: a repository of personal data the system uses to identify individual users
  • a set of tools for adding, changing, and deleting that data (access lifecycle management)
  • a system for regulating and controlling user access
  • a system for reporting and auditing
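To make the four components concrete, here is a small added example (written for this page, not code from the article or any IAM vendor): an in-memory identity directory, lifecycle tools for onboarding, role changes and offboarding, a role-based access check, and an audit log that records every lifecycle event and access decision. The role names, permissions and identities are constructed sample data.

```python
"""Toy identity management system showing the four IAM components above.
Added example; all roles, permissions and identities are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Identity:
    """One digital identity: the directory's record for a person or device."""
    uid: str
    kind: str                       # "user" or "device"
    roles: set = field(default_factory=set)
    active: bool = True


# Roles map to permissions; identities are granted roles, never raw permissions.
ROLE_PERMISSIONS = {
    "employee": {"read:wiki", "read:hr-self"},
    "hr": {"read:wiki", "read:hr-self", "write:hr-records"},
    "sensor": {"write:telemetry"},
}


class IdentityManager:
    def __init__(self):
        self.directory = {}         # component 1: identity directory
        self.audit_log = []         # component 4: reporting and auditing

    def _audit(self, event, **fields):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, **fields})

    # component 2: lifecycle tools (onboard, change, offboard)
    def provision(self, uid, kind, roles):
        self.directory[uid] = Identity(uid, kind, set(roles))
        self._audit("provision", uid=uid, roles=sorted(roles))

    def change_roles(self, uid, roles):
        self.directory[uid].roles = set(roles)
        self._audit("change_roles", uid=uid, roles=sorted(roles))

    def deprovision(self, uid):
        # Offboarding disables the identity and strips every entitlement but
        # keeps the record, so the audit trail can still be reported on.
        ident = self.directory[uid]
        ident.active = False
        ident.roles.clear()
        self._audit("deprovision", uid=uid)

    # component 3: access control
    def is_allowed(self, uid, permission):
        ident = self.directory.get(uid)
        allowed = (ident is not None and ident.active and
                   any(permission in ROLE_PERMISSIONS.get(r, set())
                       for r in ident.roles))
        self._audit("access_check", uid=uid, permission=permission, allowed=allowed)
        return allowed

    def entitlements(self, uid):
        """Effective permissions of an identity, as an access review would list them."""
        ident = self.directory.get(uid)
        if ident is None or not ident.active:
            return set()
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in ident.roles))


def demo():
    """Walk one identity through the access lifecycle; returns the three decisions."""
    iam = IdentityManager()
    iam.provision("alice", "user", {"employee"})
    iam.provision("sensor-42", "device", {"sensor"})
    before = iam.is_allowed("alice", "write:hr-records")   # False: not yet in HR
    iam.change_roles("alice", {"employee", "hr"})          # role change
    during = iam.is_allowed("alice", "write:hr-records")   # True
    iam.deprovision("alice")                               # offboarding
    after = iam.is_allowed("alice", "read:wiki")           # False: identity disabled
    return before, during, after, iam


if __name__ == "__main__":
    b, d, a, iam = demo()
    print("before/during/after:", b, d, a)
    for entry in iam.audit_log:
        print(entry)
```

The point of the audit log is that both lifecycle changes and access decisions land in the same record, which is what an access review or compliance report reads from.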

In the past, regulating user access relied on a variety of authentication methods to verify a user's or device's identity, including passwords, digital certificates, hardware tokens, and smartphone software tokens. The latter first appeared in 2005 and are now available as apps from Google, Microsoft, Cisco/Duo, Authy, and numerous other IAM vendors on iOS and Android smartphones. Biometric factors and support for the Fast Identity Online (FIDO) Alliance standards are two more modern approaches.

Strong usernames and passwords no longer cut it in today's complex computing environments with increased security risks. The inclusion of multifactor authentication (MFA) into IAM products has been the most significant modification. Currently, biometrics, risk-based authentication, machine learning, and artificial intelligence are frequently incorporated into identity management systems.

Identity and Access Management's role in Security

IAM plays a number of important roles in the security "stack" of an organization, but these roles are spread out among a variety of groups, including development teams, IT infrastructure, operations managers, the legal department, and others. According to Gartner's planning guide, “IAM teams are no longer making all the related decisions about IAM.”

First, IAM strategies alone are not enough to manage a secure network. They require businesses to define their access policies, specifying who has access to which applications and data resources, and under what conditions.

Because access control policies have changed over time, many businesses have overlapping rules and role definitions that are often out of date and, in some cases, provisioned incorrectly. According to Cser, you must clean up your identities and revoke all privileges that users do not require before migrating, to avoid migrating a mess. This means that upfront design takes more time.

Second, IAM must integrate with all aspects of the business, such as analytics, business intelligence, partner and customer portals, and marketing solutions. Otherwise, IAM quickly loses its significance, claims Cser. IAM should use the same continuous value delivery model that many DevOps cloud teams use to deliver software, according to Gartner. However, many enterprise IT companies have not approached IAM in this manner in the past.

Next, in addition to protecting users, IAM includes authenticating non-human entities such as application keys, APIs, secrets, agents, and containers. Gartner suggests making these items "first-class citizens" and managing them appropriately through cross-functional teams that bring together all stakeholders. This is one area in which IAM is evolving rapidly.

Last but not least, adaptive authentication and MFA tools must be tightly integrated with IAM. In the past, authentication was viewed as a binary choice made at the time of login, such as when signing into a VPN. That is the conventional view. To stop account takeovers and subtle phishing attacks, today's IAM needs to be more granular. According to Gartner, it is best to implement adaptive multi-factor authentication (MFA) for all users and to have an evolving authorization model that allows safe remote access. According to Gartner's planning guide, "adaptive access is just the beginning of smarter authentication solutions." This both increases trust and improves overall usability. The majority of these products do not yet support digital signatures and identity orchestration, nor fraud detection based on passively collected biometrics. These safeguards are required as a result of new and more sophisticated account takeover attacks.

Identity and Access Management Standards

The availability of numerous open standards to track and utilize is both a positive and negative aspect of IAM. These standards are a great place to start, but according to Gartner's planning guide, businesses need to go beyond simply adopting specific open standards and be more nuanced about how to do so and be better at managing access. The guide stated, “For instance, the IAM team ought to develop best practice documents on how these standards are integrated and utilized across all applications, devices, and users.”

Security Assertion Markup Language, or SAML, is frequently used to send authentication and authorization messages among trusted partners. This open specification defines an XML framework for exchanging security assertions between security authorities. SAML makes it possible for various vendor platforms that offer authentication and authorization services to communicate with one another. SAML is not the only open-standard identity protocol, however. Others include OpenID, Web Services Trust (WS-Trust), and WS-Federation (which has corporate backing from Microsoft and IBM). OAuth lets a user grant a third-party service (Facebook, for example) access to their account information without revealing their password.

The widespread adoption of FIDO by a variety of IAM vendors, device manufacturers, and operating systems has been the most significant alteration to identity standards since 2013. Using a variety of biometric methods, smartphone profiles, and hardware security keys, it offers methods for completely eliminating passwords.

Identity and Access Management Implementation Challenges

Even though IAM is present throughout an organization's security stack, it does not cover every aspect. One issue is how users' "birthright access" policies change. These are the access rights a user is given when they start working for a company. According to Cser, "delegating this to the right people and managers becomes an issue" because the options for granting this access to new employees, contractors, and partners touch numerous departments. IAM systems should automatically detect changes in access rights, but they rarely do.

Steve Brasen, research director at EMA, wrote in a blog post that this level of automation becomes important, especially for automated onboarding and offboarding of users, user self-service, and continuous proof of compliance. It is impossible to manually adjust access privileges and controls for hundreds or thousands of users. Without automated "leaver" procedures that are periodically audited, for instance, unneeded access rights will almost certainly not be removed completely.

According to Cser, "you can't do this with Excel spreadsheets or other manual methods." Additionally, "the underlying complexity of user onboarding hasn't gotten any better over time, even as IAM products have gotten better at handling workflows and business processes," Cser states.

Additionally, despite the current popularity of zero-trust networks, the problem lies in the inability to continuously monitor these trust relationships as new applications are integrated into an organization's infrastructure. After an individual logs in, we must monitor their actions and compare them against behavior baselines. According to Cser, there are numerous opportunities for false positives, such as when a user breaks their finger, which can damage these trust relationships. 

IAM teams must also be familiar with a variety of cloud architectures. Take a look at the IAM security best practices published for Microsoft Azure, Google Cloud Platform, and Amazon Web Services (AWS). Bridging the security gaps between these cloud providers won't be easy, and neither will integrating these practices with an organization's network and applications infrastructure.

Finally, any new applications must incorporate identity management right from the start. The user advises selecting a target app with care so that it can serve as a model for IAM and identity governance pilots before expanding to other enterprise apps.

Identity and Access Management Concepts and Terms

There are a few key terms in the identity management industry that you should be familiar with:

Access management:  The procedures and technologies used to control and monitor network access are referred to as access management. The best ID management systems for both on-premises and cloud-based systems include access management features like authentication, authorization, trust, and security auditing.

Active Directory (AD): Microsoft developed AD as a user-identity directory service for Windows domain networks. Despite being proprietary, AD is widely used because it is integrated into the Windows Server operating system.

Biometric Authentication: a security procedure that uses the individual characteristics of each user to verify their identity. Fingerprint sensors, facial recognition, and scanning of the iris and retina are all biometric authentication technologies.

Context-Aware Network Access Control: A policy-based approach to granting access to network resources based on the user's current context is known as context-aware network access control. A user, for instance, would be denied access if they attempted to authenticate from an IP address that had not been whitelisted. 

Credential: a user's biometric information, such as a fingerprint or iris scan, or a public key infrastructure (PKI) certificate, which the user uses to gain access to a network.

De-provisioning: the procedure of terminating access rights and removing an identity from an ID repository.

Digital Identity: The ID itself, along with information about the user and their access rights. Endpoints such as smartphones and laptops can have their own digital identities as well.

Entitlement: the set of characteristics that define an authenticated security principal's access rights and privileges.

IDaaS (Identity as a Service): Identity and access management functionality is provided to on-premises and/or cloud-based systems by cloud-based IDaaS.

Identity lifecycle management: The term refers to the entire set of procedures and technologies for maintaining and updating digital identities, much like access lifecycle management. Identity synchronization, provisioning, de-provisioning, and ongoing management of user attributes, credentials, and entitlements are all parts of identity lifecycle management. 

Identity synchronization: The procedure of ensuring that a given digital ID's data is consistent across multiple identity stores, such as those created through an acquisition.

Lightweight Directory Access Protocol (LDAP): For managing and accessing a distributed directory service like Microsoft's AD, LDAP is an open standards-based protocol.

Multi-factor authentication (MFA): MFA is in use when authentication to a network or system requires more than one factor, such as a username and password plus something else. Receiving a code via SMS on a smartphone, inserting a smart card or USB token, or meeting a biometric requirement such as a fingerprint scan are all examples of additional factors.

Password reset: In this context, a feature of an ID management system that enables users to re-establish their own passwords, reducing support calls and relieving administrators of the task. Users usually access the reset application through a browser. To confirm the user's identity, the application asks for a secret word or a series of questions.

Privileged account management: This term refers to account management, auditing, and data access based on user privileges. In general, a privileged user has administrative access to systems because of their position or function. For instance, a privileged user would have the ability to create and delete user accounts and roles.

Provisioning: The procedure of creating identities, defining their access rights, and including them in an ID repository.

Risk-based authentication (RBA): Risk-based authentication dynamically adjusts authentication requirements in response to the user's circumstances at the time of authentication. For instance, when users attempt to authenticate from a location or IP address they have never used before, they may face additional authentication requirements.
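The context-aware network access control and risk-based authentication entries above, together with the earlier discussion of adaptive MFA, describe one decision: given the context of a login attempt, allow it, require an additional factor, or deny it. The following added example (written for this page, not code from the article or any IAM product) implements that decision. The allowlisted networks, per-user baselines, risk weights and thresholds are constructed and illustrative.

```python
"""Context-aware, risk-based authentication decision: ALLOW, STEP_UP or DENY.
Added example; the allowlist, baselines, weights and thresholds are constructed."""
import ipaddress
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Constructed policy: only these networks may attempt to authenticate at all
# (the context-aware access control rule from the glossary).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]

# Constructed per-user baselines: where and from what each user normally signs in.
BASELINES = {
    "alice": {"countries": {"DE"}, "devices": {"laptop-7f3a"}},
    "bob": {"countries": {"US", "CA"}, "devices": {"phone-19c2"}},
}

STEP_UP_THRESHOLD = 30   # at or above: require a second factor
DENY_THRESHOLD = 70      # at or above: refuse outright


@dataclass
class LoginContext:
    user: str
    ip: str
    country: str
    device_id: str
    hour_utc: int


def risk_score(ctx):
    """Sum illustrative risk signals for one attempt; returns (score, reasons)."""
    base = BASELINES.get(ctx.user, {"countries": set(), "devices": set()})
    score, reasons = 0, []
    if ctx.country not in base["countries"]:
        score += 40
        reasons.append("new-country")
    if ctx.device_id not in base["devices"]:
        score += 30
        reasons.append("unknown-device")
    if ctx.hour_utc < 6 or ctx.hour_utc > 22:
        score += 10
        reasons.append("off-hours")
    return score, reasons


def decide(ctx):
    """Context-aware allowlist check first, then risk-based step-up or denial."""
    addr = ipaddress.ip_address(ctx.ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return DENY, ["ip-not-allowlisted"]
    score, reasons = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return DENY, reasons
    if score >= STEP_UP_THRESHOLD:
        return STEP_UP, reasons      # grant access only after an extra MFA factor
    return ALLOW, reasons


# Constructed sample attempts covering each outcome.
SAMPLE_ATTEMPTS = [
    LoginContext("alice", "10.1.2.3", "DE", "laptop-7f3a", 10),     # baseline
    LoginContext("alice", "10.1.2.3", "DE", "tablet-00aa", 10),     # new device
    LoginContext("alice", "203.0.113.9", "BR", "tablet-00aa", 3),   # everything new
    LoginContext("bob", "198.51.100.7", "US", "phone-19c2", 14),    # off-allowlist IP
]

if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        print(attempt.user, attempt.ip, decide(attempt))
```

Returning the reasons alongside the verdict matters as much as the verdict itself: they are what the audit log records and what an analyst reads when investigating a false positive, such as the broken-finger biometric case mentioned earlier.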

Security principal: A digital identity that includes one or more credentials that can be verified and given permission to use the network.

SSO (Single Sign-On): SSO is a type of access control for multiple systems that are related but distinct. Using a single username and password, a user can access several systems without needing separate credentials for each.

User behavior analytics (UBA): UBA technologies automatically apply algorithms and analysis to patterns of user behavior to identify significant anomalies that may indicate potential security threats. UBA is distinct from other security technologies that concentrate on tracking security events or devices. When combined with entity behavior analytics, UBA is also known as user and entity behavior analytics (UEBA).
