Identity and access management (IAM) is a collective term that covers products, processes, and policies used to manage user identities and regulate user access within an organisation.
Those users could be employees or customers, but regardless, the goal of an IAM system is to create one digital identity per individual that can then be managed, modified, and monitored throughout each user’s ‘access lifecycle’.
Whilst an individual will only have one digital identity, they may have multiple accounts within that identity and each account can have different access controls, both per resource and per context.
It’s important that your IAM provides any given identity with access to the right resources (applications, databases, networks, etc) and within the correct context.
How identity and access management works
IAM systems are designed to perform three key tasks. Put simply, an IAM system should ensure that only the right people have access to the networks, computers, hardware, software, and other IT resources they require to carry out their role.
To manage, modify, and monitor users’ access, an IAM system needs a few key components:
- A database containing users’ identities and access privileges.
- Management tools that allow IT administrators to create, modify, monitor, and delete access profiles and privileges.
- A system for auditing login and access history.
Beyond these components, the system must be able to:
- Define properly segmented access controls for every part of the business’s systems and data.
- Track user activities across all systems and data.
- Report on user activities.
- Enforce system access policies.
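As an added illustration (not code from this article or from any IAM product), the following Python model ties those components together: an identity store in which one person owns several accounts, rules scoped per resource and per context, a default-deny decision function that enforces them, and an audit trail that a report is derived from. Every identity, role, resource and network name in it is constructed for the example.

```python
"""
Added illustration of the IAM building blocks listed above: an identity
store where one person owns several accounts, access rules scoped per
resource and per context (network, MFA state), a default-deny decision
function that enforces them, and an audit trail that feeds reporting.
All identities, roles and resources here are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

@dataclass
class Account:          # one login owned by an identity
    name: str
    roles: FrozenSet[str]

@dataclass
class Identity:         # the single digital identity; accounts hang off it
    person_id: str
    accounts: Dict[str, Account] = field(default_factory=dict)

@dataclass(frozen=True)
class Rule:             # grants actions on one resource to one role, in context
    role: str
    resource: str
    actions: FrozenSet[str]
    allowed_networks: Optional[FrozenSet[str]] = None  # None = any network
    require_mfa: bool = False

@dataclass
class AuditEvent:       # one line of login/access history
    time: datetime
    account: str
    resource: str
    action: str
    decision: str       # "allow" or "deny"
    reason: str

class PolicyEngine:
    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.rules: List[Rule] = []
        self.audit: List[AuditEvent] = []

    def find_account(self, account_name: str) -> Optional[Account]:
        for identity in self.identities.values():
            if account_name in identity.accounts:
                return identity.accounts[account_name]
        return None

    def _record(self, account, resource, action, decision, reason) -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc), account,
                                     resource, action, decision, reason))

    def authorize(self, account_name: str, resource: str, action: str,
                  context: Dict[str, object]) -> bool:
        """Allow only if some rule matches role, resource and action AND
        every context constraint on that rule; otherwise deny and log why."""
        account = self.find_account(account_name)
        if account is None:
            self._record(account_name, resource, action, "deny", "unknown account")
            return False
        reason = "no rule grants this action"
        for rule in self.rules:
            if (rule.role not in account.roles or rule.resource != resource
                    or action not in rule.actions):
                continue
            if rule.require_mfa and not context.get("mfa", False):
                reason = "rule requires MFA"
                continue
            if (rule.allowed_networks is not None
                    and context.get("network") not in rule.allowed_networks):
                reason = "network not permitted for this rule"
                continue
            self._record(account_name, resource, action, "allow", f"role {rule.role}")
            return True
        self._record(account_name, resource, action, "deny", reason)
        return False

    def report(self) -> Dict[str, Dict[str, int]]:
        # per-account allow/deny counts derived from the audit trail
        summary: Dict[str, Dict[str, int]] = {}
        for ev in self.audit:
            summary.setdefault(ev.account, {"allow": 0, "deny": 0})[ev.decision] += 1
        return summary

def build_demo() -> PolicyEngine:
    """Constructed sample: Alice holds a standard and a separate admin account."""
    engine = PolicyEngine()
    alice = Identity("person-0001")
    alice.accounts["alice"] = Account("alice", frozenset({"sales"}))
    alice.accounts["alice-adm"] = Account("alice-adm", frozenset({"sales", "db-admin"}))
    engine.identities[alice.person_id] = alice
    engine.rules.append(Rule("sales", "crm-db", frozenset({"read"})))
    engine.rules.append(Rule("db-admin", "crm-db", frozenset({"read", "delete"}),
                             allowed_networks=frozenset({"office"}), require_mfa=True))
    return engine
```

The design choice worth noting is that every decision, allowed or denied, lands in the audit trail with a reason, so the same structure serves tracking, reporting and enforcement; a denied `delete` from an unexpected network is exactly the kind of event a reviewer wants to see.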
IAM systems must be flexible and robust enough to accommodate the complexities of today’s computing environment.
If we look back 20 years, a company’s computing environment was largely on-premises, and managing the access and authentication of users there was much more straightforward. This is no longer the case. Jackson Shaw, Vice President of Product Management at IAM provider One Identity, notes, “There used to be a security fence around the premises. Today, that fence isn’t there anymore.”
As a consequence, the IAM landscape is changing dramatically and businesses need to be much more agile in their approach to identity and access management.
A robust IAM system should enable administrators to easily manage access privileges for a variety of users and across a wide range of devices, including various operating systems and even IoT devices. A company’s IAM should enable centralised management of users in a way that is scalable across the enterprise.
Authenticating user access with an IAM
With IAM, enterprises can implement a range of digital authentication methods to prove digital identity and authorise access to corporate resources. These include:
- Unique passwords – The most common type of digital authentication is the unique password. To make passwords more secure, some organisations require longer or more complex passwords combining letters, symbols, and numbers. Unless users can gather their collection of passwords behind a single sign-on entry point, they typically find remembering many unique passwords onerous. IAM systems can also include password management tools that make this less of a burden for users.
- Pre-shared key (PSK) – A PSK is a form of digital authentication in which one password is shared among all users authorised to access the same resource. A typical example is a branch office Wi-Fi password that every member of staff (and potentially customers) needs. Because the secret is shared, this is less secure than individual passwords, and a further drawback is that changing a shared secret frequently is cumbersome.
- Multi-Factor Authentication (MFA) – MFA is a simple and cost-effective way to strengthen authentication in IAM systems. Multi-factor or two-factor authentication (2FA) adds an extra layer of security when accessing a system, such as a physical security token, a key fob, or a third-party authentication application on the user’s smartphone. MFA can also incorporate biometrics; in each case the user must present at least two different kinds of factor – something they know (e.g. a password or passphrase), something they have (e.g. a key fob or token), and something they are (e.g. a fingerprint or facial recognition).
- Biometrics – Modern IAM systems use biometrics for more precise authentication. For instance, they collect a range of biometric characteristics, including fingerprints, irises, faces, palms, gaits, voices and, in some cases, DNA. As with all authentication methods, biometrics does have drawbacks. There are a lot of ethical implications to be considered when collecting biometric data and ensuring you store that information in a highly secure way can add to the cost of implementing such an access method.
- Behavioural authentication – When dealing with highly sensitive information and systems, organisations can use behavioural authentication to get far more granular and analyse keystroke dynamics or mouse-use characteristics. By applying artificial intelligence, a trend in IAM systems, organisations can quickly recognise if user or machine behaviour falls outside of the norm and can automatically lock down systems.
There is no doubt that biometric and behavioural authentication are more secure and, in many cases, more effective than passwords. However, the cost of these systems and their security implications must be carefully considered.
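As an added example (not code from this article or from any IAM vendor), the following Python shows two of the factors above working together: something the user knows, a password stored as a salted PBKDF2 hash, and something the user has, a time-based one-time code from an authenticator app, computed per RFC 6238 with only the standard library. The user record is constructed; its TOTP seed is the RFC 6238 reference seed so the codes can be checked against the published vectors.

```python
"""
Added example of a two-factor check: something the user knows (password,
stored as salted PBKDF2-HMAC-SHA256) plus something the user has (a TOTP
authenticator, RFC 6238 / RFC 4226). Not code from any IAM product; the
user record below is constructed for the example.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

TOTP_STEP = 30     # seconds per time step
TOTP_DIGITS = 6
TOTP_WINDOW = 1    # accept one step of clock skew either side
PBKDF2_ROUNDS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Store salt and derived key, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}

def verify_password(password: str, record: Dict[str, bytes]) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare

def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step)

def verify_totp(secret: bytes, code: str, at_time: int, window: int = TOTP_WINDOW) -> bool:
    """Accept codes from neighbouring steps to tolerate small clock drift."""
    counter = at_time // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

def authenticate(user: Dict[str, object], password: str, code: str,
                 at_time: Optional[int] = None) -> bool:
    """Both factors must pass; both are evaluated so the response does not
    reveal which one failed."""
    at_time = int(time.time()) if at_time is None else at_time
    ok_pw = verify_password(password, user["password"])
    ok_otp = verify_totp(user["totp_secret"], code, at_time)
    return ok_pw and ok_otp

# Constructed user record. The fixed salt is only so the example is
# reproducible; real records get a fresh random salt from hash_password().
DEMO_USER = {
    "name": "alice",
    "password": hash_password("correct horse battery staple", salt=b"fixedsaltfordemo"),
    "totp_secret": b"12345678901234567890",   # RFC 6238 reference seed
}
```

A real deployment would also rate-limit attempts and reject a code that has already been accepted for that time step, so that a captured code cannot be replayed within the window.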
Benefits of Identity and Access Management systems
As we have already discussed, IAM systems have developed in order to cope with the increasing demands of access and authentication to key IT systems within a business.
Today, most organisations need to give users outside the business access to internal systems. Opening your network to customers, partners, suppliers, contractors and, of course, employees can increase efficiency and lower operating costs.
Using IAM technologies, businesses can initiate, capture, record and manage user identities and their related permissions in an automated manner, no matter whether they are in-house or external individuals.
Allowing users controlled access to the key areas of your IT systems using an IAM system can bring about the following benefits:
- Access privileges are granted according to policy, and all individuals and services are properly authenticated, authorised, and audited.
- Companies can extend access to their information systems across a variety of on-premises applications, mobile apps, and SaaS tools without compromising security.
- By providing greater access to outsiders, you can drive collaboration throughout your organisation, enhancing productivity, employee satisfaction, research and development, and, ultimately, revenue.
- Companies that effectively manage identities have greater control of user access, which reduces the risk of internal and external data breaches.
- Identity management can decrease the number of help-desk calls to IT support teams regarding password resets.
- An identity management system leads to more robust security as companies are required to define their access policies, specifically outlining who has access to which data resources and under which conditions they have access. An IAM framework can make it easier to enforce policies around user authentication, validation and privileges, and address issues relating to privilege creep.
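As an added example (not code from this article or from any IAM product) of the kind of access review that a written access policy makes possible, the Python below compares each account's current grants with what its role should hold and with what the audit trail shows it actually used. Two findings result: a grant kept from a previous role, and a permission that has gone unused for longer than the review threshold, which are the two usual forms of privilege creep. The roles, grants, usage timestamps and the 90-day threshold are all constructed assumptions.

```python
"""
Added example of an access review: each account's grants are checked
against the permissions its current role defines and against the last
recorded use, surfacing privilege creep. Roles, grants and usage events
are constructed; the 90-day threshold is an assumption for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple

UNUSED_AFTER = timedelta(days=90)

@dataclass(frozen=True)
class Grant:
    account: str
    permission: str
    granted_at: datetime

@dataclass(frozen=True)
class Finding:
    account: str
    permission: str
    kind: str      # "outside-role" or "unused"
    detail: str

def review_access(grants: List[Grant],
                  role_permissions: Dict[str, FrozenSet[str]],
                  account_role: Dict[str, str],
                  last_used: Dict[Tuple[str, str], datetime],
                  now: datetime) -> List[Finding]:
    """Flag grants the account's current role does not justify, and grants
    not exercised within UNUSED_AFTER (measured from the grant date if the
    audit trail shows no use at all)."""
    findings: List[Finding] = []
    for g in sorted(grants, key=lambda g: (g.account, g.permission)):
        role = account_role.get(g.account)
        if g.permission not in role_permissions.get(role, frozenset()):
            findings.append(Finding(g.account, g.permission, "outside-role",
                                    f"not part of current role {role!r}"))
            continue
        reference = last_used.get((g.account, g.permission), g.granted_at)
        if now - reference > UNUSED_AFTER:
            findings.append(Finding(g.account, g.permission, "unused",
                                    f"no recorded use since {reference.date()}"))
    return findings

def demo_review() -> List[Finding]:
    """Constructed data: Bob moved from sales to finance but kept a sales
    grant, and holds a finance permission he has not used in 200 days."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    role_permissions = {
        "sales": frozenset({"crm.read", "crm.export"}),
        "finance": frozenset({"ledger.read", "ledger.post"}),
    }
    account_role = {"bob": "finance", "carol": "sales"}
    grants = [
        Grant("bob", "crm.export", now - timedelta(days=500)),
        Grant("bob", "ledger.read", now - timedelta(days=120)),
        Grant("bob", "ledger.post", now - timedelta(days=120)),
        Grant("carol", "crm.read", now - timedelta(days=300)),
        Grant("carol", "crm.export", now - timedelta(days=10)),  # new, not yet used
    ]
    last_used = {
        ("bob", "ledger.read"): now - timedelta(days=1),
        ("bob", "ledger.post"): now - timedelta(days=200),
        ("carol", "crm.read"): now - timedelta(days=2),
    }
    return review_access(grants, role_permissions, account_role, last_used, now)
```

Run periodically, the `outside-role` findings are the ones to remove immediately, while `unused` findings are a prompt for the resource owner to confirm the grant is still needed before it is revoked.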
Why IAM is an important security layer
IAM is critical to protecting sensitive enterprise systems, assets, and information from unauthorised access or use. An end-to-end IAM implementation will reduce the likelihood and impact of data breaches, and ensure that only legitimate, authenticated users have access. IAM is crucial to protect the following areas by only allowing authorised access:
- Data and information – Sensitive customer, business, supplier, or other data, stored on local servers, in the cloud, or elsewhere.
- Software and applications – Systems used by employees, customers, suppliers, partner businesses, and others.
- Development, testing, staging, and operational platforms – All IT environments used for product and service development, launch, and operations.
- Devices – Laptops, desktops, smartphones, tablets, IoT, and other devices.
- Locations – Business locations including private office spaces, data centres, and secure locations.
- Integrations – Data that is being transmitted, received, stored, or otherwise interacted with as it moves between different areas.
By implementing a robust IAM system, you can mitigate the risks to each of these areas. An IAM system lets you put in place more robust policies around user access and management, all of which can tie back to your cybersecurity framework.
IAM systems can undoubtedly help your business to improve overall security practices and give you the confidence that only authorised, authenticated users are able to interact with the systems and data they need to effectively perform their job roles.
The process of adopting an IAM system requires an in-depth audit of your current needs followed by the creation of a policy that outlines the roles and access requirements of all individuals connected with your business. Many IAM tools and solutions can help with the execution of these tasks.
When considering an IAM system, make sure it fits within your current cybersecurity framework and ultimately simplifies the process of identity and access management.