What is IAM?

Identity and Access Management

Why is IAM important?

Identity and access management, or IAM, is the security discipline that makes it possible for the right entities (people or things) to use the right resources (applications or data) when they need to, without interference, using the devices they want to use. IAM comprises the systems and processes that allow IT administrators to assign a single digital identity to each entity, authenticate them when they log in, authorize them to access specified resources, and monitor and manage those identities throughout their lifecycle.

IAM is not just for employees anymore. Organizations must be able to provide secure access for contractors and business partners, remote and mobile users, and customers. With digital transformation, identities are also assigned to Internet of Things (IoT) devices, robots and pieces of code such as APIs or microservices. Multicloud hybrid IT environments and software as a service (SaaS) solutions further complicate the IAM landscape.

Because it stands between users and critical enterprise assets, identity and access management is a critical component of any enterprise security program. It helps protect against compromised user credentials and easily cracked passwords that are common network entry points for criminal hackers who want to plant ransomware or steal data.

Done well, IAM helps ensure business productivity and frictionless functioning of digital systems. Employees can work seamlessly no matter where they are, while centralized management makes sure they only access the specific resources they need for their jobs. And opening systems to customers, contractors and suppliers can increase efficiency and lower costs.


Types of User Authentication

A key task of IAM systems is to authenticate that an entity is who or what it purports to be. The most basic authentication happens when a person enters a username and password into a login screen. The IAM system checks a database to make sure they match what’s on record. Modern authentication solutions provide more sophisticated approaches to better protect assets.

Authentication vs authorization
Once a user is verified by a system, it needs to know what information that user is authorized to view.


IAM implementation

True data security is not possible without a system to govern identity and access. When implemented properly, IAM solutions can increase productivity among workers by allowing access to data across multiple applications, locations and devices. It also allows for greater collaboration with other organizations, vendors and business partners.

The best approach to implementing an IAM solution is to do an audit of existing and legacy systems. Identify gaps and opportunities, and collaborate with stakeholders early and often. Map out all user types and access scenarios, and define a core set of objectives the IAM solution must meet.


Access management

In addition to assigning digital identities and authorization methods, IT administrators need a way to grant access rights and privileges to each entity. The best practice in access management today is “least privilege.” It means assigning each entity or application access rights to only those resources needed to complete a task or do a job, and only for the shortest amount of time necessary.

  • Privileged access management (PAM)
    Privileged access is reserved for users like admins or DevOps personnel who manage or make changes to applications, databases, systems or servers. Any compromise of these credentials can easily turn into a worst-case scenario. PAM solutions isolate these accounts and monitor activity to prevent credential theft or misuse of privileges.

  • Role-based access management (RBAC)
    Assigning access privileges based on a user’s job or role in an organization can simplify access management. Instead of assigning access privileges one by one, administrators can control access according to requirements of the job or job level. Additionally, RBAC controls can specify whether a class of user can view, create or modify files.

The process or framework for collecting and analyzing identity data across an organization is called identity governance; having a robust identity governance program can help you meet regulatory requirements and control risk to your organization.
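The following is an added example (not code from the original page) of the least-privilege, PAM and RBAC ideas above: a deny-by-default RBAC check where a role is mapped to (resource, action) pairs, plus a just-in-time grant of a privileged role that lapses on its own. The roles, resources and timestamps are constructed for illustration.

```python
import time

# Constructed sample policy: role -> set of (resource, action) pairs.
# Anything not listed here is implicitly denied (least privilege).
ROLE_PERMISSIONS = {
    "analyst": {("reports", "view")},
    "editor": {("reports", "view"), ("reports", "create"), ("reports", "modify")},
    "dba": {("customer_db", "view"), ("customer_db", "modify")},  # privileged role
}


class Identity:
    """A digital identity holding role grants; a grant may carry an expiry (epoch seconds)."""

    def __init__(self, name):
        self.name = name
        self.grants = []  # list of (role, expires_at or None for a standing grant)

    def grant(self, role, expires_at=None):
        self.grants.append((role, expires_at))

    def active_roles(self, now):
        # A grant counts only while it has no expiry or the expiry is still in the future.
        return {role for role, exp in self.grants if exp is None or now < exp}


def is_authorized(identity, resource, action, now=None):
    """Deny by default; allow only if some currently active role lists (resource, action)."""
    now = time.time() if now is None else now
    return any(
        (resource, action) in ROLE_PERMISSIONS.get(role, set())
        for role in identity.active_roles(now)
    )


def grant_temporarily(identity, role, seconds, now=None):
    """Just-in-time elevation: the privileged role lapses automatically after `seconds`."""
    now = time.time() if now is None else now
    identity.grant(role, now + seconds)
    return now + seconds  # when the elevated access ends


if __name__ == "__main__":
    alice = Identity("alice")
    alice.grant("analyst")  # standing, low-privilege role
    print(is_authorized(alice, "reports", "view", now=1000))        # True
    print(is_authorized(alice, "customer_db", "modify", now=1000))  # False
    grant_temporarily(alice, "dba", seconds=1800, now=1000)          # 30-minute elevation
    print(is_authorized(alice, "customer_db", "modify", now=1500))  # True
    print(is_authorized(alice, "customer_db", "modify", now=2801))  # False, grant expired
```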


How IAM and other security facets interact

IAM and AI
Artificial intelligence (AI) is playing an increasingly transformational role in identity and access management, enabling organizations to take a much more granular and adaptive approach to authentication and access management. AI is also essential to user and entity behavior analytics (UEBA) to identify suspicious activity. Indicators like malicious logins, large volumes of login attempts in a short period of time, unknown locations, unrecognized devices and whether or not a user is on the company’s virtual private network (VPN) can signal malicious activity. AI can flag these indicators for investigation in real or near-real time to thwart attempted hacks.
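As an added example (not from the original page), here is a rule-based version of the UEBA indicators just listed, run over a constructed sequence of login events: a burst of failed attempts in a short window, an unknown location, an unrecognized device and an off-VPN login. The per-user baseline, the events and the thresholds are all made up for illustration.

```python
from collections import defaultdict, deque

# Constructed baseline: locations and device ids previously seen for each user.
KNOWN = {"alice": {"locations": {"US"}, "devices": {"laptop-01"}}}

# Constructed login events (t = seconds since some epoch); not real logs.
EVENTS = [
    {"t": 0,  "user": "alice", "ok": True,  "loc": "US", "device": "laptop-01", "vpn": True},
    {"t": 60, "user": "alice", "ok": False, "loc": "RU", "device": "unknown-7", "vpn": False},
    {"t": 65, "user": "alice", "ok": False, "loc": "RU", "device": "unknown-7", "vpn": False},
    {"t": 70, "user": "alice", "ok": False, "loc": "RU", "device": "unknown-7", "vpn": False},
    {"t": 75, "user": "alice", "ok": False, "loc": "RU", "device": "unknown-7", "vpn": False},
    {"t": 80, "user": "alice", "ok": True,  "loc": "RU", "device": "unknown-7", "vpn": False},
]

BURST_WINDOW = 120    # seconds; constructed threshold
BURST_THRESHOLD = 3   # failed attempts within the window; constructed threshold


def score_events(events, known, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return [(event, [indicator, ...])] for every event that trips at least one indicator."""
    failures = defaultdict(deque)  # user -> timestamps of recent failed attempts
    flagged = []
    for ev in sorted(events, key=lambda e: e["t"]):
        profile = known.get(ev["user"], {"locations": set(), "devices": set()})
        recent = failures[ev["user"]]
        if not ev["ok"]:
            recent.append(ev["t"])
        while recent and ev["t"] - recent[0] > window:  # drop failures outside the window
            recent.popleft()
        indicators = []
        # A success that arrives while the window is still "hot" is flagged too:
        # that is the brute-force-then-success pattern an analyst wants to see.
        if len(recent) >= threshold:
            indicators.append("login_burst")
        if ev["loc"] not in profile["locations"]:
            indicators.append("unknown_location")
        if ev["device"] not in profile["devices"]:
            indicators.append("unrecognized_device")
        if not ev["vpn"]:
            indicators.append("off_vpn")
        if indicators:
            flagged.append((ev, indicators))
    return flagged


if __name__ == "__main__":
    for ev, why in score_events(EVENTS, KNOWN):
        print(ev["t"], ev["user"], "ok" if ev["ok"] else "FAIL", ", ".join(why))
```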

IAM, cloud and IDaaS

IAM from the cloud: Identity as a Service (IDaaS) and managed identity services.
A growing number of vendors are offering identity and access management services delivered from the cloud. One approach, known as Identity as a Service (IDaaS), can be a standalone solution or complementary to existing on-premises IAM systems. With managed identity services, like other managed security services, a security provider monitors and manages enterprise IAM solutions running either in the cloud or on-premises.


IAM for the cloud.
Enterprises today have applications and data on premises, in traditional systems and private clouds, as well as one or more public cloud environments. The challenge is managing user access to resources wherever they are located, as seamlessly as possible. The ideal is an identity and access management system that can support SSO and MFA across hybrid multicloud environments.


IAM and BYOD
In today’s mobile world, where employees want the freedom to work from anywhere using their own mobile phones, tablets, laptops or wearables, organizations are adopting bring your own device (BYOD) programs to make it happen. IAM combined with unified endpoint management platforms can help organizations embrace mobility and adopt BYOD securely.


IAM and IoT
It’s a well-known story. A hacker compromised an aquarium smart thermometer, gained access to the corporate network and stole customer data. The same thing has happened with network-connected CCTV cameras. The object lesson is that virtually any Internet of Things (IoT) device can be hacked, and without access management, the network is wide open to the hackers. Today’s IAM solutions address IoT devices as entities that need to be identified and authorized prior to network access.


The future of IAM

With remote work becoming the norm and mobile device usage at maximum penetration, the domain of identity and access management has greatly expanded. Unsecured networks combined with unprecedented user expectations introduce an influx of new device connections, a flurry of requests for remote access to sensitive information, and the looming threat of phishing and other web-based attacks as users hit rogue sites.

Artificial intelligence (AI) is instrumental in the future of IAM because it has the ability to recognize patterns and to expand knowledge exponentially – at the same rate as risk.

With continuous authentication, the context of a user is constantly evaluated at every interaction. AI is able to analyze micro-interactions while considering time, place and even user movement, calculating at every point the level of potential risk. Next-generation antivirus software, host-based firewalls and endpoint detection and response (EDR) will continue to evolve and add even more security within an organization.