What is IAM? Identity and Access Management Explained
How can an organization secure access to its systems? System security is a combination of human and technological factors. In this article we focus exclusively on Identity and Access Management (IAM). So what is IAM? Identity and access management means determining who the user is, what the user can access, and tracking the user's actions. The latter part, which we will label accounting, is commonly known as Identity Governance and Administration (IGA). For the sake of simplicity, we bundle IGA into the IAM framework.
About the Authors
Hello! My name is Michael Gibbs, CEO and Founder of Go Cloud Architects. I’ve been working in technology for well over 25 years. We are dedicated to helping our clients build elite cloud computing careers. I’ve been working in technology for over 25 years, and I’ve spent 20 years of my career coaching or mentoring others to get their first tech job.
In my 25-year tech career, I have worked in:
- Cloud computing
My name is Isaac Kolensie. I have 20 years of experience in the IT industry working in telecommunications, as a Network Engineer, in Service Tech Support, and recently as an Identity and Access Management Engineer. During my career I have worked with IBM, ATT, and others, and have had the opportunity to work on a wide variety of projects offering design and implementation solutions. My focus for the last decade has been in the education sector, implementing and supporting Identity and Access Management applications such as User Provisioning, Account and Role lifecycle management, Account Recertifications and Single Sign-On.
Let's Get Started: What is IAM?
In the following paragraphs, we provide a high-level introduction to the three key components of Identity and Access Management (IAM). We follow this up by offering several use case scenarios to help better understand the practice of IAM.
Identification Of User
The first component is identification (authentication) of the user: making sure the user is who they claim to be. This can be accomplished by various methods. It can be as simple as something you know, like a username and password. Additionally, that can be combined with something you have (a device), something you are (biometrics), and somewhere you are (geolocation). The level of user identification should be based on the value of the asset you're protecting and the consequences of unauthorized access to that asset.
We will evaluate the strengths and weaknesses of each approach:
- Something you know, i.e., a password
  - Strengths: simplicity and ease of use
  - Weakness: it can be easily compromised
- Something you have and something you know, i.e., username and password with multi-factor authentication (a device or text message)
  - Strengths: much stronger than username and password alone
  - Weaknesses: complexity, user training
- Something you know and something you are (i.e., password and biometric)
  - Strengths: stronger than the other approaches
  - Weaknesses: a lot of complexity; systems are not perfected yet
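The combination the list rates as "much stronger", something you know plus something you have, is easy to see in code. The following is an added example, not code from the article or from Go Cloud Architects: it verifies a password against a salted PBKDF2 hash and then a time-based one-time code (TOTP, RFC 6238) from an authenticator app, rejecting the login if either factor fails. The user record, the password and the TOTP secret are constructed for the demo (the secret is the RFC 6238 test vector, so the codes are reproducible).

```python
# Added example (not from the article): two-factor verification, something
# you know (password) plus something you have (TOTP authenticator code).
# All users, passwords and secrets below are constructed for the demo.
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple


# --- factor 1: something you know -------------------------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; store only these, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# --- factor 2: something you have (TOTP per RFC 6238, HOTP per RFC 4226) ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """Code for the 30-second time step containing Unix time `at`."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-window, window + 1))


# --- combined login ----------------------------------------------------
def authenticate(user: dict, password: str, code: str, at: int) -> str:
    """Return 'ok' or the reason for rejection. Both factors must pass."""
    if not verify_password(password, user["salt"], user["pw_digest"]):
        return "bad password"
    if user["mfa_required"] and not verify_totp(user["totp_secret"], code, at):
        return "bad or missing MFA code"
    return "ok"


if __name__ == "__main__":
    # constructed demo user; the TOTP secret is the RFC 6238 test-vector key
    salt, digest = hash_password("correct horse battery", b"fixed-demo-salt!")
    demo_user = {"salt": salt, "pw_digest": digest,
                 "mfa_required": True, "totp_secret": b"12345678901234567890"}
    now = 59  # Unix time 59 -> counter 1 -> code 287082 in the RFC test vectors
    print(authenticate(demo_user, "correct horse battery", totp(demo_user["totp_secret"], now), now))
```

Note that the second factor is only checked after the password succeeds, but the response to a wrong password and a wrong code are kept distinct only for the demo; a production login would return one generic failure so an attacker cannot tell which factor was wrong.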
Authorization of User
The next component of IAM is determining the access of all users. This is known as authorization. Access is typically grouped into roles based on organizational functions or loosely defined job titles. Groups save effort and time because access does not have to be applied to individuals one by one. Authorization outlines what users can and cannot do once they have been authenticated. Authorization should follow authentication; being authenticated does not automatically mean being authorized. This matters because at this point the user has already gained access to resources, so that access should be just enough for users to perform their jobs.
Access can also be elevated by assigning privileges to a user account. Privileges can be assigned to human and non-human accounts, and elevated entitlements can likewise be grouped into roles. However, it is important to point out that these privileged accounts need to be separate from regular accounts. In addition, to add another layer of security and mitigate risk, a multi-factor authentication (MFA) challenge can be required. MFA ensures that when a user needs to perform tasks that require elevation, they are challenged to provide another factor such as a PIN or biometrics.
There are some weaknesses to authorization:
- Users can have excessive access or access that is too fine-grained
- Access is not removed when users get promoted or change departments
- Hackers target privileged accounts because they typically have the highest level of access
Strengths of authorization include:
- Enforcing segregation of duties (SOD) by separating access based on job functions
- Grouping users with similar access
- Least privilege: just enough access to perform a task
- Just the right access can be granted at onboarding
- Access is denied by default until access is requested, approved, and granted
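The strengths listed above fit together in a small role-based check. The following is an added example, not code from the article or from Go Cloud Architects: access is denied unless a role explicitly grants the permission, elevated entitlements live in a separate privileged role whose use requires an MFA step-up, and a segregation-of-duties rule stops one person from holding two conflicting roles. Roles, permissions, user names and the SOD conflict pair are all constructed for the demo.

```python
# Added example (not from the article): role-based authorization with
# deny-by-default, least privilege, a separate privileged role gated by
# MFA step-up, and a segregation-of-duties (SOD) check. All roles,
# permissions and accounts are constructed for the demo.
from dataclasses import dataclass, field
from typing import Set, Tuple

# each role carries only the entitlements that job function needs
ROLE_PERMISSIONS = {
    "helpdesk":          {"ticket:read", "ticket:update"},
    "developer":         {"repo:read", "repo:push", "ci:run"},
    "finance_requester": {"payment:request"},
    "finance_approver":  {"payment:approve"},
    # elevated entitlements are grouped into their own role, used only
    # from a separate privileged account
    "admin":             {"user:create", "user:delete", "repo:admin"},
}
PRIVILEGED_ROLES = {"admin"}

# role pairs that one person must never hold at the same time
SOD_CONFLICTS = [("finance_requester", "finance_approver")]


@dataclass
class Account:
    name: str
    roles: Set[str] = field(default_factory=set)
    mfa_verified: bool = False  # set True after a step-up challenge succeeds


def sod_violations(account: Account):
    """Return the conflicting role pairs this account holds (empty if none)."""
    return [pair for pair in SOD_CONFLICTS if set(pair) <= account.roles]


def is_authorized(account: Account, permission: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if sod_violations(account):
        return False, "segregation-of-duties conflict"
    for role in sorted(account.roles):
        if permission in ROLE_PERMISSIONS.get(role, set()):
            if role in PRIVILEGED_ROLES and not account.mfa_verified:
                return False, "privileged role requires MFA step-up"
            return True, "granted via role " + role
    return False, "denied by default"


if __name__ == "__main__":
    dev = Account("alice", {"developer"})
    print("alice repo:push ->", is_authorized(dev, "repo:push"))
    print("alice user:delete ->", is_authorized(dev, "user:delete"))
    admin = Account("alice-admin", {"admin"})          # separate privileged account
    print("alice-admin user:delete ->", is_authorized(admin, "user:delete"))
    admin.mfa_verified = True
    print("alice-admin user:delete (after MFA) ->", is_authorized(admin, "user:delete"))
```

The `sorted()` over the account's roles keeps the decision deterministic; with real policy engines the equivalent concern is that an explicit deny is evaluated before any allow.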
Accounting of Users
The final component is accounting. This step ensures that after users have gained access to resources, all their actions and activities are tracked at all times. This is commonly known as audit or account recertification. Users' access needs to be audited to make sure that access is not excessive, and violations are reported and immediately remediated. In addition, account audits are used to make sure that companies meet regulatory requirements in sectors such as healthcare or financial services.
We will also evaluate the strengths and weaknesses of accounting. Strengths include:
- Identifying all types of access, including unused access
- Tracking and remediating excessive and unauthorized access
- Approval is required when a user needs access
Weaknesses of accounting may include:
- Approval can slow down access to critical resources when there are too many approvers in the approval chain or approvers are simply absent
- Some approvers rubber-stamp access
- Uninformed approvers, i.e. people not knowing what they are approving
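The two strengths that matter most in practice, finding unused access and catching unauthorized access, can both be computed from an audit log against the list of granted entitlements. The following is an added example, not code from the article or from Go Cloud Architects: it parses a few constructed audit log lines, and for a review window reports entitlements that were never exercised (candidates for removal at recertification) and actions attempted without any matching entitlement (violations to report and remediate). The log format, user names and entitlement sets are all constructed for the demo.

```python
# Added example (not from the article): an access-recertification pass over
# an audit log. Finds entitlements nobody used in the review window and
# actions taken without an entitlement. Log lines, users and entitlements
# are constructed for the demo.
from datetime import datetime, timedelta

# constructed audit log: one event per line, key=value fields
AUDIT_LOG = """\
2024-03-01T09:12:00Z user=alice action=repo:push outcome=success
2024-03-02T11:30:00Z user=alice action=ci:run outcome=success
2024-03-03T08:05:00Z user=bob action=payment:approve outcome=success
2024-03-04T16:40:00Z user=bob action=user:delete outcome=denied
2024-03-05T10:00:00Z user=carol action=ticket:update outcome=success
2023-11-20T10:00:00Z user=alice action=repo:admin outcome=success
"""

# what each user has been granted, as the provisioning system records it
ENTITLEMENTS = {
    "alice": {"repo:push", "ci:run", "repo:admin"},
    "bob":   {"payment:approve"},
    "carol": {"ticket:read", "ticket:update"},
}


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text: str):
    """Turn the key=value lines into dicts with a parsed 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        record = dict(field.split("=", 1) for field in fields)
        record["ts"] = _parse_ts(ts)
        events.append(record)
    return events


def recertify(events, entitlements, review_end: str, window_days: int = 90):
    """Return {'unused': {user: set_of_entitlements}, 'violations': [events]}.

    Only events inside the window count as use; an entitlement exercised
    before the window (e.g. alice's repo:admin last November) is still
    reported as unused so the reviewer can decide whether to revoke it.
    """
    end = _parse_ts(review_end)
    start = end - timedelta(days=window_days)
    used = {user: set() for user in entitlements}
    violations = []
    for event in events:
        if not (start <= event["ts"] <= end):
            continue
        user, action = event["user"], event["action"]
        granted = entitlements.get(user, set())
        if action in granted:
            if event["outcome"] == "success":
                used.setdefault(user, set()).add(action)
        else:
            # attempted without an entitlement: report it whether or not
            # the system happened to block it
            violations.append(event)
    unused = {user: granted - used[user]
              for user, granted in entitlements.items() if granted - used[user]}
    return {"unused": unused, "violations": violations}


if __name__ == "__main__":
    result = recertify(parse_log(AUDIT_LOG), ENTITLEMENTS, "2024-03-31T00:00:00Z")
    for user, perms in result["unused"].items():
        print("recertify or remove:", user, sorted(perms))
    for event in result["violations"]:
        print("violation:", event["user"], event["action"], event["outcome"])
```

A denied attempt still lands in the violation list on purpose: an account trying to exercise access it does not hold is exactly what the "tracking and remediating unauthorized access" strength is meant to surface.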
What is IAM? Identity and Access Management Use Cases
Use case 1 – Secure access to organizational applications by using credentials
Let's assume a corporation has a public website or popular apps that contain highly sensitive information. Users are first required to sign up. Once that is complete, they need to provide a username and password before they can proceed or access protected resources. After they authenticate successfully, access is granted, but the users are still restricted to some extent. Supplementing the username and password with additional factors of authentication, such as biometrics or verification codes, can substantially improve security. In today's world, multi-factor authentication has become essential because of the weaknesses of using only a username and password that we discussed earlier.
Use case 2 – Delegate selective access to corporate resources
The authorization use case deals fundamentally with trust and permissions. It is imperative to delegate adequate access to the right resources. These precautionary steps can prevent errors or unplanned outages. Authorization, i.e. who is allowed access to what, should be carefully planned based on experience, skills, or job functions. A typical approach is to organize and restrict employees' access by grouping users with similar attributes.
Use case 3 – Segment access to cloud resources based on roles
Access controls apply in the cloud as well. Assign permissions to users in specialized IT roles based on the duties and tasks they perform in the cloud. For example, restrict the dev team's access to only development instances. Similarly, restrict the QA or test team to just the test instances. Other use cases include granting non-employees access to only a delegated set of cloud resources. An example would be to use Amazon Cognito user pools (a user directory) to offer social sign-in with Facebook or Google, but with specified, limited access. Implementing authorization this way effectively grants access only to the intended resources.
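The "dev team sees only dev instances, QA only test instances" split is usually expressed as a policy with a resource-tag condition. The following is an added example, not code from the article, from Go Cloud Architects or from any cloud provider's SDK: it builds one such policy per team in the shape of an AWS IAM policy document (Effect, Action, Resource, Condition on `ec2:ResourceTag/Environment`) and evaluates it with a toy evaluator that follows the same decision order AWS uses, explicit deny first, then allow, otherwise implicit deny. The instance ARNs, account ID and tags are constructed for the demo; the evaluator covers only the few policy features it needs and is not a substitute for the real service.

```python
# Added example (not from the article): segmenting cloud instances by team
# with a tag-conditioned, IAM-style policy and a toy evaluator. ARNs,
# account id (111122223333) and tags are constructed for the demo.
import fnmatch


def make_team_policy(environment: str) -> dict:
    """Allow start/stop/reboot only on instances tagged Environment=<env>;
    explicitly deny termination everywhere."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
             "Resource": "arn:aws:ec2:*:*:instance/*",
             "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": environment}}},
            {"Effect": "Deny",
             "Action": "ec2:TerminateInstances",
             "Resource": "*"},
        ],
    }


DEV_POLICY = make_team_policy("dev")
QA_POLICY = make_team_policy("test")

# constructed inventory: instance ARN -> tags
INSTANCES = {
    "arn:aws:ec2:us-east-1:111122223333:instance/i-dev01":  {"Environment": "dev"},
    "arn:aws:ec2:us-east-1:111122223333:instance/i-test01": {"Environment": "test"},
    "arn:aws:ec2:us-east-1:111122223333:instance/i-prod01": {"Environment": "prod"},
}


def _matches(patterns, value: str) -> bool:
    """Policy Action/Resource fields may be a string or a list; '*' wildcards."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition: dict, tags: dict) -> bool:
    """Only the StringEquals operator on ec2:ResourceTag/<Key> is supported here."""
    for key, expected in condition.get("StringEquals", {}).items():
        tag_key = key.split("/", 1)[1]  # 'ec2:ResourceTag/Environment' -> 'Environment'
        if tags.get(tag_key) != expected:
            return False
    return True


def evaluate(policy: dict, action: str, resource_arn: str, tags: dict) -> str:
    """Explicit Deny wins over Allow; nothing matching means implicit deny."""
    decision = "deny (implicit)"
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource_arn):
            continue
        if not _condition_ok(statement.get("Condition", {}), tags):
            continue
        if statement["Effect"] == "Deny":
            return "deny (explicit)"
        decision = "allow"
    return decision


def team_access(policy: dict, action: str) -> dict:
    """Decision for one action across the whole constructed inventory."""
    return {arn.rsplit("/", 1)[1]: evaluate(policy, action, arn, tags)
            for arn, tags in INSTANCES.items()}


if __name__ == "__main__":
    print("dev team, StopInstances:", team_access(DEV_POLICY, "ec2:StopInstances"))
    print("qa team,  StopInstances:", team_access(QA_POLICY, "ec2:StopInstances"))
    print("dev team, Terminate:    ", team_access(DEV_POLICY, "ec2:TerminateInstances"))
```

Because the allow is conditioned on a tag rather than on a hard-coded instance list, a newly launched instance tagged `Environment=dev` is reachable by the dev team without editing the policy, and an untagged or prod-tagged one stays denied by default.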
Use case 4 – Zero trust
Assume that all services, roles, users, and applications are untrusted. This model relies less and less on perimeter security and shifts the focus to users, resources, and computers; in essence, you wrap your security around these objects. Zero trust architecture asserts that every connection is a potential threat, including active sessions inside the network, so secure access has to be established for each user and each connection.
In addition, use the zero-trust model to limit Internet of Things (IoT) devices and third parties in corporate networks. Hackers exploit IoT devices, so place them into separate groups or virtual networks. Limit what contractors can do on the network and ensure they use MFA.
Use case 5 – Track the activities inside networks
Accounting in IAM is important because it lets us track and log all changes. A common use case is tracking changes made to applications and who has accessed them. This information is useful for investigating data breaches or conducting forensic investigations. It may also include tracking which approvals were granted.
Identity and Access Management is a significant part of an organization's security posture. It sits alongside the other layers: firewalls at the perimeter, intrusion detection and prevention to monitor for violations behind them, access lists for controlling network traffic, and so on. Treat IAM as the last line of defense, because internal security is where many organizations are more relaxed. This is the stage where employees are hired, onboarded, and appraised, and IAM provides two-way protection: companies can keep internal users safe and protect themselves from disgruntled employees. Protect digital identities, continue to vet all users, and audit all activities. Finally, enforce the principle of least privilege.