What is Identity and Access Management (IAM)?
It is a set of tools and technologies for controlling user access to critical information stored in computer systems. IAM in enterprise IT defines and manages the roles and access privileges of individual users and specifies the situations in which users could be granted certain privileges. The core objective of IAM systems is a unique digital identity for each individual whether it is a customer or employee.
IAM also controls the identity lifecycle, i.e. creating, maintaining, modifying and monitoring identities. In summary, IAM grants the right user access to the right asset in the right context. IAM systems provide a means of administering user access across the enterprise and of ensuring compliance with corporate policies and regulatory requirements.
IAM tools and technologies
In its Tech Tide: Identity and Access Management, Q4 2017, Forrester Research identified six IAM technologies with low maturity, but high current business value:
API security supports IAM for use with B2B commerce and for integration with cloud-native, microservices-based IAM architectures. Forrester sees “API security solutions being used for single sign-on (SSO) between mobile applications or user-managed access. This would allow security teams to manage IoT device authorization and personally identifiable data”.
Customer identity and access management (CIAM) allows "comprehensive management and authentication of users; self-service and profile management; and integration with CRM, ERP, and other customer management systems and databases," according to the report.
Identity analytics (IA) will allow security teams to detect and stop risky identity behaviors using rules, machine learning, and other statistical algorithms.
Identity as a service (IDaaS) includes "software-as-a-service (SaaS) solutions that offer SSO from a portal to all types of web applications and mobile applications as well as user account provisioning and access request management," according to the report.
Identity management and governance (IMG) provides automated and repeatable ways to govern the identity life-cycle. This is important when it comes to compliance with identity and privacy regulations.
Risk-based authentication (RBA) solutions "take in the context of a user session and authentication and form a risk score. The firm can then prompt high-risk users for 2FA and allow low-risk users to authenticate with single factor (e.g., username plus password) credentials," according to the report.
IAM systems must be flexible and robust enough to accommodate the complexities of today’s computing environment. Identity management systems today should therefore enable administrators to easily manage access privileges for different types of users, i.e. domestic on-site employees and international off-site contractors, in hybrid compute environments that use software as a service (SaaS) applications, including BYOD users across multiple operating systems and even internet of things (IoT) devices.
In recent years, identity-as-a-service (IDaaS) has evolved as a third-party managed service offered over the cloud on a subscription basis. These services provide identity management to both on-premises and cloud-based systems.
Why IAM?
Identity and access management is a critical part of any enterprise security plan, as it is inextricably linked to the security and productivity of organizations in today’s digitally enabled economy. By automating many aspects of providing secure user access to enterprise networks and data, identity management systems relieve IT of mundane but important tasks and help them stay in compliance with government regulations. These are critical benefits, given that today, every IT position is a security position; there’s a persistent, global cybersecurity workforce shortage; and penalties for not being compliant with relevant regulations can cost an organization millions or even billions of dollars.
Benefits of IAM
Good IAM and associated practices can provide a significant competitive advantage in several ways. Given today’s interconnectedness, most businesses need to give users outside the organization access to internal systems. Opening up one’s network to customers, partners, suppliers and contractors increases efficiency and significantly lowers operating costs.
Identity management systems can allow a company to extend access to its IT systems across an assortment of on-premises applications, mobile apps, and SaaS tools without compromising security. Once you provide the right access to entities outside the organization boundary, you can drive collaboration throughout your value chain and thereby enhance productivity and employee satisfaction and reduce costs.
Identity management can increase self-service and decrease the number of calls to call centers.
An identity management system forms the basis of a secure network, as you need to define access policies. Policies define who has access to which data or other assets and under which conditions they should be allowed access to them.
How IAM works
IAM typically has four basic elements:
- ✓ An Identity Repository: It is a directory of personal data to define individual users
- ✓ Lifecycle Management Tools: A set of tools for adding, modifying and deleting user and user-related data
- ✓ Security Policies: A system that regulates user access and specifies access privileges
- ✓ An Auditing and Reporting system: To track all events and activities on the system.
A number of authentication methods for verifying the identity of a user have been in use, including passwords, digital certificates, tokens and smart cards. As the sophistication of hackers increases, identity management systems are implementing biometrics, artificial intelligence and risk-based authentication mechanisms to strengthen their defences.
At the user level, recent user authentication methods like fingerprint identification are boosting the protection of identities in smartphones and other personal devices. Iris scanning and facial recognition are also becoming popular.
Some organizations are moving from two-factor to three-factor authentication, i.e. combining something you know (your password), something you have (a smartphone), and something you are (facial recognition, iris scanning or fingerprint sensors).
Risk-based authentication dynamically applies the right level of rigour to the authentication process according to the current risk profile. The higher the risk, the more stringent the authentication process becomes for that user. Example: A change in a user’s geographic location or IP address could automatically trigger additional authentication requirements.
Federated identity management allows the same digital IDs to be used across trusted partners. Single sign-on is an important part of federated ID management. A single sign-on standard lets users who verify their identity on one network, website or app carry over that authenticated status when moving to another.
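The risk-based authentication decision described above, as an added example that is not part of the original article or of any product it mentions. The baseline data, signal names, weights and threshold are constructed assumptions; the fail-closed "deny" for a source address that cannot be parsed is also an assumption of this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Login:
    user: str
    source_ip: str
    country: str
    device_id: str

# Constructed baseline, standing in for what the identity repository has
# recorded per user: usual networks (CIDR), countries and enrolled devices.
BASELINES = {
    "alice": {"networks": ["203.0.113.0/24"], "countries": {"IN"},
              "devices": {"laptop-01"}},
}

# Hypothetical weights and threshold; a real deployment tunes these.
WEIGHTS = {"new_network": 30, "new_country": 40, "new_device": 30}
STEP_UP_AT = 30

def risk_signals(login, base):
    """Return the context changes seen in this login, relative to the baseline."""
    ip = ip_address(login.source_ip)  # raises ValueError on malformed input
    signals = []
    if not any(ip in ip_network(net) for net in base["networks"]):
        signals.append("new_network")
    if login.country not in base["countries"]:
        signals.append("new_country")
    if login.device_id not in base["devices"]:
        signals.append("new_device")
    return signals

def decide(login, baselines=BASELINES):
    """Return (action, score, signals); the tuple doubles as an audit record."""
    base = baselines.get(login.user)
    if base is None:
        # No history means the login cannot be called low risk.
        return ("step_up", STEP_UP_AT, ["no_baseline"])
    try:
        signals = risk_signals(login, base)
    except ValueError:
        # Context that cannot be evaluated fails closed.
        return ("deny", 100, ["unparseable_source_ip"])
    score = sum(WEIGHTS[s] for s in signals)
    action = "step_up" if score >= STEP_UP_AT else "allow"
    return (action, score, signals)
```

Here "allow" means single-factor credentials suffice and "step_up" means the user is prompted for a second factor; the returned signals are what the auditing and reporting component would log.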
A successful implementation of IAM requires foresight and sound collaboration across departments. Companies that establish a cohesive identity management strategy—clear objectives, stakeholder buy-in, defined business processes—at the beginning usually get it right.
What are the cons of IAM?
Centralized operations invite hackers, as they are an obvious target. With single sign-on and similar mechanisms, identity management activities are laid bare, because these systems reduce complexity. What helps administrators navigate the systems on a daily basis makes things equally easy for hackers. Once the system is compromised, the intruder can have a free run across multiple systems.
Reference: https://www.csoonline.com/article by James A. Martin and John K. Waters, CSO, 9 Oct, 2018