What is IAM? (Identity and Access Management Explained)

How can an organization secure access to its systems? System security is a combination of human and technological factors. In this article, we will focus exclusively on Identity and Access Management (IAM). So what is IAM? Identity and access management is determining who the user is, what the user can access, and tracking the user's actions. The latter part, which we will label accounting, is commonly known as Identity Governance and Administration (IGA). For the sake of simplicity, we will bundle IGA into the IAM framework.

About the Authors

Hello! My name is Michael Gibbs, CEO and Founder of Go Cloud Architects. I’ve been working in technology for well over 25 years. We are dedicated to helping our clients build elite cloud computing careers. I’ve been working in technology for over 25 years, and I’ve spent 20 years of my career coaching or mentoring others to get their first tech job.

In my 25-year tech career, I have worked in:

  • Networking
  • Security
  • Cloud computing
  • Teaching
  • Coaching
  • Mentoring

My name is Isaac Kolensie. I have 20 years of experience in the IT industry working in telecommunications, as a Network Engineer, Service Tech Support, and recently as an Identity and Access Management Engineer. During my career I have worked with IBM, AT&T, and others, and have had the opportunity to work on a wide variety of projects offering design and implementation solutions. My focus for the last decade has been in the education sector implementing and supporting Identity and Access Management applications such as User Provisioning, Account and Role lifecycle management, Account Recertifications and Single Sign-On.

Let’s Get Started, What is IAM?

In the following paragraphs, we provide a high-level introduction to the three key components of Identity and Access Management (IAM). We follow this up by offering several use case scenarios to help better understand the practice of IAM.

Identification Of User

The first component is the identification (authentication) of the user. This means making sure the user is who they claim to be, and it can be accomplished by various methods. It can be as simple as something you know, like a username and password. Additionally, we can combine that with something you have (a device), something you are (biometrics), and somewhere you are (geolocation). The level of user identification should be based upon the value of the asset you're protecting and the consequences of unauthorized access to that asset.

We will evaluate the strengths and weaknesses of each approach:

  1. Something you know, i.e., a password
    • Strengths: simplicity and ease of use
    • Weakness: it can be easily compromised
  2. Something you know and something you have, i.e., a username and password with multi-factor authentication (a device or text message)
    • Strengths: much stronger than a username and password alone
    • Weaknesses: complexity, user training
  3. Something you know and something you are (i.e., a password and a biometric)
    • Strengths: stronger than the other approaches
    • Weaknesses: a lot of complexity; the systems are not perfected yet

Authorization of User

The next component of IAM is determining the access of all users. This is known as authorization. Access is typically grouped into roles based on organizational functions or loosely defined job titles. Grouping saves time because access does not have to be assigned to each individual separately. Authorization outlines what users can and cannot do once they have been authenticated, so authorization should follow authentication; being authenticated does not automatically mean being authorized. This matters because at this point the user has already gained access to resources, and that access should be just enough for users to perform their jobs.

Privileged access

Access can also be elevated by assigning privileges to a user account. Privileges can be assigned to human and non-human accounts, and elevated entitlements can likewise be grouped into roles. However, it is important to point out that these privileged accounts need to be separate from regular accounts. In addition, to add another layer of security and mitigate risk, multi-factor authentication (MFA) can be used. MFA ensures that when a user needs to perform tasks that require elevation, they are challenged to provide another factor such as a PIN or biometric.

There are some weaknesses to authorization:

  1. Users can have excessive access or access that is too fine-grained
  2. Access is not removed when users get promoted or change departments
  3. Hackers target privileged accounts because they typically have the highest level of access

Strengths:

  1. Enforces segregation of duties (SOD) by separating access based on job functions
  2. Groups users with similar access
  3. Least privilege: just enough access to perform a task
  4. Just the right access can be granted at onboarding
  5. Access is denied by default until access is requested, approved, and granted

Accounting of Users

The final component is accounting. This step ensures that after users have gained access to resources, all of their actions and activities are tracked at all times. This is commonly known as audit or account recertification. Users' access needs to be audited to make sure that access is not excessive, and violations are reported and immediately remediated. In addition, account audits are used to make sure that companies meet regulatory requirements, such as those in healthcare or financial services.

We will also evaluate the strengths and weaknesses of accounting. Strengths include:

  1. Identifying all types of access, including unused access
  2. Tracking and remediating excessive and unauthorized access
  3. Approval is required before a user is granted access

Weaknesses of accounting may include:

  1. Approval can slow down access to critical resources when there are too many approvers in the approval chain or approvers are simply absent
  2. Some approvers rubber-stamp access
  3. Uninformed approvers: people not knowing what they are approving

What is IAM? Identity and Access Management Use Cases

Use case 1 – Secure access to organizational applications by using credentials

Let's assume a corporation has a public website or popular apps that contain highly sensitive information. Users will first be required to sign up. Once that is complete, they will need to provide a username and password whenever they wish to access protected resources. After they authenticate successfully, access is granted, but the users will still be restricted to some extent. Supplementing the username and password with additional factors of authentication, such as a biometric or verification codes, can substantially improve security. In today's world, multi-factor authentication has become essential because of the weaknesses of relying only on a username and password that we discussed earlier.

Use case 2 – Delegate selective access to corporate resources

The authorization use case deals fundamentally with trust and permissions. It is imperative to delegate adequate access to the right resources. These precautionary steps can prevent errors or unplanned outages. Authorization, that is, who is allowed access, should be carefully planned based on experience, skills, or job functions. A typical approach is to organize and restrict employees' access by grouping users with similar attributes.

Use case 3 – Segment access to cloud resources based on roles

Access controls apply in the cloud as well. Assign permissions to users in specialized IT roles based on the duties and tasks they perform in the cloud. For example, restrict the dev team's access to only the development instances. Similarly, restrict the QA or test team to just the test instances. Other use cases include restricting non-employees' access to delegated cloud resources. An example would be using Amazon Cognito user pools (a user directory) to allow social sign-in with Facebook or Google while granting only the access specified for those users. Implementing authorization in this use case effectively controls access to restricted resources.

Use case 4 – Zero trust

Assume that all services, roles, users, and applications are untrusted. This model relies less and less on perimeter security and shifts the focus to users, resources, and computers. In essence, wrap your security around these objects. Zero trust architecture asserts that every connection is treated as a threat, including active sessions inside the network. Create secure access for the users.

In addition, use the zero-trust model to limit Internet of Things (IoT) devices and third parties in corporate networks. Hackers exploit IoT devices, so place IoT devices into separate groups or virtual networks. Limit what contractors can do on the network and ensure they use MFA.

Use case 5 – Track the activities inside networks

Accounting in IAM is important because it lets us track and log all changes. A common use case is tracking changes made to applications, or who has accessed them. This information can be useful for investigating data breaches or conducting forensic investigations. It may also include tracking which approvals were granted.

Conclusion

Identity and Access Management is a significant part of an organization's security, and organizations can leverage it as part of their security posture. Add firewalls at the perimeter, intrusion detection and prevention behind them to monitor for violations, access lists for controlling network traffic, and so on, and use IAM as the last line of defense, because internal security is where many organizations are more relaxed. At this stage, employees are hired, onboarded, and appraised, and IAM can provide two-way protection: companies can keep internal users safe and protect themselves from disgruntled employees. Protect digital identities, continue to vet all users, and audit all activities. Finally, enforce the principle of least privilege.
