Why is IAM important?

Identity and access management, or IAM, is the security discipline that makes it possible for the right entities (people or things) to use the right resources (applications or data) when they need to, without interference, using the devices they want to use. IAM is comprised of the systems and processes that allow IT administrators to assign a single digital identity to each entity, authenticate them when they log in, authorize them to access specified resources, and monitor and manage those identities throughout their lifecycle.

IAM is not just for employees anymore. Organizations must be able to provide secure access for contractors and business partners, remote and mobile users, and customers. With digital transformation, identities are also assigned to Internet of Things (IoT) devices, robots and pieces of code such as APIs or microservices. Multicloud hybrid IT environments and software as a service (SaaS) solutions further complicate the IAM landscape.

Because it stands between users and critical enterprise assets, identity and access management is a critical component of any enterprise security program. It helps protect against compromised user credentials and easily cracked passwords that are common network entry points for criminal hackers who want to plant ransomware or steal data.

Done well, IAM helps ensure business productivity and frictionless functioning of digital systems. Employees can work seamlessly no matter where they are, while centralized management makes sure they only access the specific resources they need for their jobs. And opening systems to customers, contractors and suppliers can increase efficiency and lower costs.

 


Types of User Authentication

A key task of IAM systems is to authenticate that an entity is who or what it purports to be. The most basic authentication happens when a person enters a username and password into a login screen. The IAM system checks a database to make sure they match what’s on record. Modern authentication solutions provide more sophisticated approaches to better protect assets.

Authentication vs authorization

Once a user has been verified by a system, the system still needs to determine which information that user is authorized to view or act on. Authentication establishes who the user is; authorization decides what that user may do.

Single sign-on (SSO)

Single sign-on (SSO) solutions increase productivity and reduce friction for users. With one set of login credentials (username and password) entered one time, an individual can access multiple applications, switching between them seamlessly.

Multifactor authentication (MFA)

Multifactor authentication adds another layer of protection by requiring users to present two or more identifying credentials in addition to a username to gain access to applications. For example, you might be asked to enter a password and a temporary code sent by email or text message.

Biometric authentication

Biometric authentication, which can be used as one of the credentials for MFA, relies on a unique biological trait such as a fingerprint, retina, voice or face to verify identity. While biometrics offer strong authentication, they do require additional hardware, such as a fingerprint reader or scanner, and processing software.

Risk-based authentication

Also known as adaptive authentication, a risk-based authentication solution prompts a user for MFA only when it detects higher risk. This can be, for example, when the user's location, inferred from the IP address, differs from what is expected, or when malware is detected on the device.
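The following is an added example, not code from the original page or from any vendor's product, showing how an adaptive policy of the kind described above can be expressed: a login is stepped up to MFA only when one of the risk signals fires. The geolocation table, user profile fields and the `malware_detected` flag are constructed assumptions standing in for a real IP geolocation service and endpoint security feed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for an IP geolocation lookup: network -> country code.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "DE"),
]


def country_for_ip(ip: str) -> str:
    """Resolve an IP to a country via the constructed table; 'UNKNOWN' if no match."""
    addr = ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "UNKNOWN"


@dataclass(frozen=True)
class UserProfile:
    username: str
    expected_countries: frozenset  # countries this user normally signs in from
    known_devices: frozenset       # device identifiers seen on earlier logins


@dataclass(frozen=True)
class LoginContext:
    ip: str
    device_id: str
    malware_detected: bool  # assumed signal from endpoint security on the device


def risk_signals(profile: UserProfile, ctx: LoginContext) -> list:
    """Collect the higher-risk indicators present for this login attempt."""
    signals = []
    if country_for_ip(ctx.ip) not in profile.expected_countries:
        signals.append("unexpected_location")
    if ctx.device_id not in profile.known_devices:
        signals.append("unrecognized_device")
    if ctx.malware_detected:
        signals.append("malware_detected")
    return signals


def required_factors(profile: UserProfile, ctx: LoginContext) -> str:
    """Adaptive policy: password alone when no signal fires, otherwise step up to MFA."""
    return "password+mfa" if risk_signals(profile, ctx) else "password"
```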


IAM implementation

True data security is not possible without a system to govern identity and access. When implemented properly, IAM solutions can increase productivity among workers by allowing access to data across multiple applications, locations and devices. They also allow for greater collaboration with other organizations, vendors and business partners.

The best approach to implementing an IAM solution is to do an audit of existing and legacy systems. Identify gaps and opportunities, and collaborate with stakeholders early and often. Map out all user types and access scenarios, and define a core set of objectives the IAM solution must meet.


Access management

In addition to assigning digital identities and authorization methods, IT administrators need a way to grant access rights and privileges to each entity. The best practice in access management today is “least privilege.” It means assigning each entity or application access rights to only those resources needed to complete a task or do a job, and only for the shortest amount of time necessary.

  • Privileged access management (PAM)
    Privileged access is reserved for users like admins or DevOps personnel who manage or make changes to applications, databases, systems or servers. Any compromise to these credentials can easily turn into a worst-case scenario. PAM solutions isolate these accounts and monitor activity to prevent credential theft or misuse of privileges. 


  • Role-based access management (RBAC)
    Assigning access privileges based on a user’s job or role in an organization can simplify access management. Instead of assigning access privileges one by one, administrators can control access according to requirements of the job or job level. Additionally, RBAC controls can specify whether a class of user can view, create or modify files. 


The process or framework for collecting and analyzing identity data across an organization is called identity governance; having a robust identity governance program can help you meet regulatory requirements and control risk to your organization.
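As an added example (not the page's or any product's code), the role-based model and the least-privilege rule above can be combined in a small authorization check: standing roles carry the view/create/modify permissions for a class of user, while a privileged role such as database administration is only held through a temporary grant that expires on its own. The role names, permission tuples and Unix-timestamp times are constructed for the example.

```python
from dataclasses import dataclass, field

# Each role lists the (resource, action) pairs a class of user may perform.
ROLE_PERMISSIONS = {
    "viewer":  {("reports", "view")},
    "analyst": {("reports", "view"), ("reports", "create")},
    "editor":  {("reports", "view"), ("reports", "create"), ("reports", "modify")},
    "dba":     {("database", "view"), ("database", "modify")},
}


@dataclass
class TemporaryGrant:
    """A just-in-time elevation to a privileged role; expires_at is a Unix timestamp."""
    role: str
    expires_at: int


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)     # standing roles from the job function
    grants: list = field(default_factory=list)  # time-bound elevations (PAM-style)


def effective_roles(user: User, now: int) -> set:
    """Standing roles plus any elevated grants that have not yet expired."""
    live = {g.role for g in user.grants if now < g.expires_at}
    return user.roles | live


def is_allowed(user: User, resource: str, action: str, now: int) -> bool:
    """Deny by default; permit only if some effective role includes the action."""
    for role in effective_roles(user, now):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


def grant_temporarily(user: User, role: str, now: int, seconds: int) -> TemporaryGrant:
    """Elevate for the shortest time the task needs; the caller states the duration."""
    grant = TemporaryGrant(role, now + seconds)
    user.grants.append(grant)
    return grant
```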


How IAM and other security facets interact

IAM and AI

Artificial intelligence (AI) is playing an increasingly transformational role in identity and access management, enabling organizations to take a much more granular and adaptive approach to authentication and access management. AI is also essential to user and entity behavior analytics (UEBA) for identifying suspicious activity. Indicators such as malicious logins, large volumes of login attempts in a short period of time, unknown locations, unrecognized devices and whether or not a user is on the company's virtual private network (VPN) can signal malicious activity. AI can flag these indicators for investigation in real or near-real time to thwart attempted hacks.
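Two of the indicators listed above, a burst of login attempts in a short window and successful logins from off the corporate VPN, can be surfaced with plain rules before any machine learning is involved. The block below is an added example, not code from the original page or from a UEBA product; the log format and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque

# Constructed authentication log sample (not from a real system).
SAMPLE_LOG = """\
1700000000 user=alice result=fail ip=203.0.113.5 vpn=yes
1700000005 user=alice result=fail ip=203.0.113.5 vpn=yes
1700000010 user=alice result=fail ip=203.0.113.5 vpn=yes
1700000012 user=alice result=fail ip=203.0.113.5 vpn=yes
1700000015 user=alice result=fail ip=203.0.113.5 vpn=yes
1700000020 user=alice result=success ip=203.0.113.5 vpn=yes
1700000100 user=bob result=success ip=198.51.100.9 vpn=no
1700000200 user=carol result=fail ip=198.51.100.3 vpn=yes
"""

LINE_RE = re.compile(
    r"(?P<ts>\d+) user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+) vpn=(?P<vpn>yes|no)"
)


def parse(log: str) -> list:
    """Turn matching log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = int(e["ts"])
            events.append(e)
    return events


def detect(events: list, window: int = 60, max_failures: int = 5) -> list:
    """Return (user, indicator) findings in log order.

    login_burst fires once per user when max_failures failed attempts fall inside
    a sliding window of `window` seconds; off_vpn fires on a success from off-VPN.
    """
    findings, recent, burst_flagged = [], defaultdict(deque), set()
    for e in events:
        if e["result"] == "fail":
            q = recent[e["user"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()  # drop attempts older than the window
            if len(q) >= max_failures and e["user"] not in burst_flagged:
                findings.append((e["user"], "login_burst"))
                burst_flagged.add(e["user"])
        elif e["result"] == "success" and e["vpn"] == "no":
            findings.append((e["user"], "off_vpn"))
    return findings
```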

 

IAM, cloud and IDaaS

IAM from the cloud: Identity as a Service (IDaaS) and managed identity services. A growing number of vendors are offering identity and access management services delivered from the cloud. One approach, known as Identity as a Service (IDaaS), can be a standalone solution or complementary to existing on-premises IAM systems. With managed identity services, as with other managed security services, a security provider monitors and manages the enterprise's IAM solutions, whether they run in the cloud or on-premises.

IAM for the cloud. Enterprises today have applications and data on premises, in traditional systems and private clouds, as well as one or more public cloud environments. The challenge is managing user access to resources wherever they are located, as seamlessly as possible. The ideal is an identity and access management system that can support SSO and MFA across hybrid multicloud environments.

 

IAM and BYOD

In today's mobile world, where employees want the freedom to work from anywhere using their own mobile phones, tablets, laptops or wearables, organizations are adopting bring your own device (BYOD) programs to make it happen. IAM combined with unified endpoint management platforms can help organizations embrace mobility and adopt BYOD securely.


IAM and IoT

It’s a well-known story. A hacker compromised an aquarium smart thermometer, gained access to the corporate network and stole customer data. The same thing has happened with network-connected CCTV cameras. The object lesson is that virtually any Internet of Things (IoT) device can be hacked, and without access management, the network is wide open to the hackers. Today’s IAM solutions address IoT devices as entities that need to be identified and authorized prior to network access.


The future of IAM

With remote work becoming the norm and mobile device usage at maximum penetration, the domain of identity and access management has greatly expanded. Unsecured networks, combined with unprecedented user expectations, introduce an influx of new device connections, a flurry of requests for remote access to sensitive information, and the looming threat of phishing and other web-based attacks as users hit rogue sites.

Artificial intelligence (AI) is instrumental in the future of IAM because it has the ability to recognize patterns and to expand knowledge exponentially – at the same rate as risk.

With continuous authentication, the context of a user is constantly evaluated at every interaction. AI is able to analyze micro-interactions while considering time, place and even user movement, calculating at every point the level of potential risk. Next-gen AV software, host-based firewall, and/or endpoint detection and response (EDR) will continue to evolve and add even more security within an organization.

Solutions

Identity and access management (IAM)

Securely connect every user to the right level of access.

Cloud access management and authentication

Infuse cloud IAM with deep context for risk-based authentication to enable frictionless, secure access for your consumers and workforce.

Identity governance and administration

Modernize your identity management and governance with identity analytics for a more secure future.

Privileged access management (PAM)

Reduce the risk of cyber attack and secure digital business with privileged access management, application control and endpoint privilege security.

Consumer identity and access management (CIAM)

Design engaging, modern and secure digital experiences for consumer identity and access management.

Hybrid access management system

Robust access management with direct connection to Verify SaaS to enable a hybrid IAM approach and simplify a gradual migration to IDaaS.
