Identity and access management, or IAM, is the security discipline that makes it possible for the right entities (people or things) to use the right resources (applications or data) when they need to, without interference, using the devices they want to use. IAM comprises the systems and processes that allow IT administrators to assign a single digital identity to each entity, authenticate them when they log in, authorize them to access specified resources, and monitor and manage those identities throughout their lifecycle.
IAM is not just for employees anymore. Organizations must be able to provide secure access for contractors and business partners, remote and mobile users, and customers. With digital transformation, identities are also assigned to Internet of Things (IoT) devices, robots and pieces of code such as APIs or microservices. Multicloud hybrid IT environments and software as a service (SaaS) solutions further complicate the IAM landscape.
Because it stands between users and critical enterprise assets, identity and access management is a critical component of any enterprise security program. It helps protect against compromised user credentials and easily cracked passwords that are common network entry points for criminal hackers who want to plant ransomware or steal data.
Done well, IAM helps ensure business productivity and frictionless functioning of digital systems. Employees can work seamlessly no matter where they are, while centralized management makes sure they only access the specific resources they need for their jobs. And opening systems to customers, contractors and suppliers can increase efficiency and lower costs.
A key task of IAM systems is to authenticate that an entity is who or what it purports to be. The most basic authentication happens when a person enters a username and password into a login screen. The IAM system checks a database to make sure they match what’s on record. Modern authentication solutions provide more sophisticated approaches to better protect assets.
Authentication vs authorization
Once a user is verified by a system, the system needs to know what information that user is authorized to view.
Single sign-on (SSO) solutions increase productivity and reduce friction for users. With one set of login credentials (username and password) entered one time, an individual can access multiple applications, switching between them seamlessly.
Multifactor authentication (MFA) adds another layer of protection by requiring users to present two or more identifying credentials in addition to a username to gain access to applications. For example, you might be asked to enter a password and a temporary code sent by email or text message.
Also known as adaptive authentication, a risk-based authentication solution prompts a user for MFA only when it detects the presence of higher risk. This can be, for example, when the user’s location is different from what is expected, based on IP address, or malware is detected.
True data security is not possible without a system to govern identity and access. When implemented properly, IAM solutions can increase productivity among workers by allowing access to data across multiple applications, locations and devices. They also allow for greater collaboration with other organizations, vendors and business partners.
The best approach to implementing an IAM solution is to do an audit of existing and legacy systems. Identify gaps and opportunities, and collaborate with stakeholders early and often. Map out all user types and access scenarios, and define a core set of objectives the IAM solution must meet.
In addition to assigning digital identities and authorization methods, IT administrators need a way to grant access rights and privileges to each entity. The best practice in access management today is “least privilege.” It means assigning each entity or application access rights to only those resources needed to complete a task or do a job, and only for the shortest amount of time necessary.
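As an added illustration of the least-privilege rule just described (example code written for this page, not from any IAM product), the model below issues grants that name exactly one resource and one action and expire after a short TTL; the entity, resource and table names are made up:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Added, constructed example (not from any IAM product) of least-privilege
# checks: every grant names one resource and one action and expires, so an
# entity can do only what it needs, only for as long as it needs.

@dataclass(frozen=True)
class Grant:
    resource: str
    action: str
    expires_at: datetime

class GrantStore:
    def __init__(self):
        self._grants: dict[str, list[Grant]] = {}

    def grant(self, entity, resource, action, now, ttl=timedelta(hours=1)) -> Grant:
        # There is deliberately no wildcard resource/action and no "never expires".
        g = Grant(resource, action, now + ttl)
        self._grants.setdefault(entity, []).append(g)
        return g

    def is_allowed(self, entity, resource, action, now) -> bool:
        # Default deny: only an exact, unexpired grant authorizes the action.
        return any(g.resource == resource and g.action == action and g.expires_at > now
                   for g in self._grants.get(entity, []))

    def revoke_expired(self, now) -> int:
        removed = 0
        for entity, grants in self._grants.items():
            live = [g for g in grants if g.expires_at > now]
            removed += len(grants) - len(live)
            self._grants[entity] = live
        return removed

def demo() -> dict[str, bool]:
    # Constructed scenario: a backup job gets 30 minutes of read access to one table.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = GrantStore()
    store.grant("svc-backup", "db/customers", "read", t0, ttl=timedelta(minutes=30))
    t10, t31 = t0 + timedelta(minutes=10), t0 + timedelta(minutes=31)
    return {
        "read_in_window": store.is_allowed("svc-backup", "db/customers", "read", t10),
        "write_denied": not store.is_allowed("svc-backup", "db/customers", "write", t10),
        "other_table_denied": not store.is_allowed("svc-backup", "db/orders", "read", t10),
        "expired_denied": not store.is_allowed("svc-backup", "db/customers", "read", t31),
        "unknown_entity_denied": not store.is_allowed("nobody", "db/customers", "read", t10),
        "one_grant_cleaned_up": store.revoke_expired(t31) == 1,
    }
```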
The process or framework for collecting and analyzing identity data across an organization is called identity governance; having a robust identity governance program can help you meet regulatory requirements and control risk to your organization.
IAM and AI
Artificial intelligence (AI) is playing an increasingly transformational role in identity and access management, enabling organizations to take a much more granular and adaptive approach to authentication and access management. AI is also essential to user and entity behavior analytics (UEBA) to identify suspicious activity. Indicators like malicious logins, large volumes of login attempts in a short period of time, unknown locations, unrecognized devices and whether or not a user is on the company’s virtual private network (VPN) can signal malicious activity. AI can flag these indicators for investigation in real or near-real time to thwart attempted hacks.
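The risk-based authentication decision described earlier and the UEBA indicators listed here can be combined in a single scoring step. The following is an added example written for this page (not a vendor's engine) that scores constructed login events on location, device, attempt bursts and VPN status and returns allow, step-up to MFA, or block; the weights, thresholds, user names and the assumed geo-IP lookup are all assumptions:

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
# Added, constructed example (not from any IAM product): score each login with
# the signals listed above; weights, thresholds and sample events are assumptions.
@dataclass
class LoginEvent:
    user: str
    ts: int          # seconds since epoch
    country: str     # assumed to come from a geo-IP lookup of the source address
    device_id: str
    on_vpn: bool
    success: bool    # credential check passed
@dataclass
class Profile:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    attempts: deque = field(default_factory=deque)  # recent attempt timestamps
WEIGHTS = {"burst": 3, "unknown_location": 2, "unknown_device": 2, "off_vpn": 1}
BURST_WINDOW, BURST_LIMIT = 60, 5   # 5 or more attempts within 60 s is a burst

def evaluate(profiles: dict, ev: LoginEvent) -> tuple[str, list[str]]:
    p = profiles[ev.user]
    p.attempts.append(ev.ts)
    while ev.ts - p.attempts[0] > BURST_WINDOW:   # drop attempts outside the window
        p.attempts.popleft()
    reasons = []
    if len(p.attempts) >= BURST_LIMIT:
        reasons.append("burst")
    if p.countries and ev.country not in p.countries:
        reasons.append("unknown_location")
    if p.devices and ev.device_id not in p.devices:
        reasons.append("unknown_device")
    if not ev.on_vpn:
        reasons.append("off_vpn")
    total = sum(WEIGHTS[r] for r in reasons)
    decision = "allow" if total == 0 else "mfa" if total < 4 else "block"
    if ev.success and decision != "block":   # learn only from accepted successful logins
        p.countries.add(ev.country)
        p.devices.add(ev.device_id)
    return decision, reasons

def demo() -> list[str]:
    # Constructed events: enrollment, off-VPN login, foreign new device, then a burst.
    evs = [LoginEvent("alice", 1000, "US", "dev-a", True, True),
           LoginEvent("alice", 2000, "US", "dev-a", False, True),
           LoginEvent("alice", 3000, "RU", "dev-x", False, False),
           LoginEvent("bob", 100, "US", "dev-b", True, True)]
    evs += [LoginEvent("bob", 200 + 10 * i, "US", "dev-b", True, False) for i in range(5)]
    profiles = defaultdict(Profile)
    return [evaluate(profiles, ev)[0] for ev in evs]
```

A blocked attempt never updates the profile, so an attacker cannot teach the engine a new location or device by repeatedly failing.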
IAM, cloud and IDaaS
IAM from the cloud: Identity as a Service (IDaaS) and managed identity services
A growing number of vendors are offering identity and access management services delivered from the cloud. One approach is known as Identity as a Service (IDaaS), and can be a standalone solution or complementary to existing on-premises IAM systems. With managed identity services, like other managed security services solutions, a security provider will monitor and manage enterprise IAM solutions running either on the cloud or on-premises.
IAM for the cloud
Enterprises today have applications and data on premises, in traditional systems and private clouds, as well as one or more public cloud environments. The challenge is managing user access to resources wherever they are located, as seamlessly as possible. The ideal is an identity and access management system that can support SSO and MFA across hybrid multicloud environments.
IAM and BYOD
In today’s mobile world, where employees want the freedom to work from anywhere using their own mobile phones, tablets, laptops or wearables, organizations are adopting bring your own device (BYOD) programs to make it happen. IAM combined with unified endpoint management platforms can help organizations embrace mobility and adopt BYOD securely.
IAM and IoT
It’s a well-known story. A hacker compromised an aquarium smart thermometer, gained access to the corporate network and stole customer data. The same thing has happened with network-connected CCTV cameras. The object lesson is that virtually any Internet of Things (IoT) device can be hacked, and without access management, the network is wide open to the hackers. Today’s IAM solutions address IoT devices as entities that need to be identified and authorized prior to network access.
With remote work becoming the norm and mobile device usage at maximum penetration, the domain of identity and access management has greatly expanded. Unsecured networks combined with unprecedented user expectations introduce an influx of new device connections, a flurry of requests for remote access to sensitive information, and the looming threat of phishing and other web-based attacks as users hit rogue sites.
Artificial intelligence (AI) is instrumental in the future of IAM because it has the ability to recognize patterns and to expand knowledge exponentially – at the same rate as risk.
With continuous authentication, the context of a user is constantly evaluated at every interaction. AI is able to analyze micro-interactions while considering time, place and even user movement, calculating at every point the level of potential risk. Next-gen AV software, host-based firewall, and/or endpoint detection and response (EDR) will continue to evolve and add even more security within an organization.