What is IAM
As this in-depth article states, “Identity and Access Management (IAM) is a framework of business processes, policies, and technologies that facilitates the management of electronic or digital identities.” Our previous post further defines IAM as:
Access management gives authorized users access to the right services while preventing access by unauthorized users. It hinges on providing the right access at the right time, and it covers anyone or anything authorized to handle company data, both people and systems: employees as well as third parties such as vendors, contractors, and customers.
The following are some of the primary IAM tools, including access management software, together with their benefits:
1. Single Sign-On (SSO) + IAM
Single sign-on (SSO) is an identity and access management capability that lets an employee log in once with a single set of credentials (username and password) and then reach every system and application they are authorized to use. Used properly, SSO simplifies security because there is only one credential to issue, protect, and revoke. The flip side is that this one credential now guards everything, so it should itself be protected with MFA and sound session controls.
SSO also modestly increases employee productivity. Its benefits for IT are larger: it greatly simplifies issuing and managing credentials and determining who has access to what data. A secondary benefit is that SSO reduces password fatigue, which in turn raises software adoption rates across the organization. SSO also produces centralized login data for analytics, which can help an organization demonstrate that it is handling identity and access management according to its compliance requirements.
2. Multi-Factor Authentication (MFA) + IAM
MFA is a core component of a strong IAM policy. It requires users to present two or more verification factors before reaching resources such as applications, online accounts, or VPNs, so that users prove they are who they say they are. Each factor must come from a different category: something they know (a password or PIN), something they have (a phone, hardware token, or smart card), or something they are (a fingerprint or face). MFA is particularly valuable in preventing unauthorized access when a password has been phished, leaked, or guessed, because the attacker still lacks the second factor.
Ease of use is a primary consideration when implementing MFA. The IAM policy should balance usability and security; MFA that is overly restrictive also restricts productivity.
Organizations should also plan for situations in which employees do not have access to their mobile phones, or have disabilities that limit their use of a given factor, by offering alternative factors and a secure recovery path. Organizations implementing MFA should also institute and foster a culture of compliance with it.
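As an added example (not code from the original article), here is the server side of the "something they have" factor: a time-based one-time password (TOTP, RFC 6238) verifier in Python. The secret and user names are constructed for the example; the secret is the RFC 6238 test vector secret, and the 30-second step, 6-digit codes and one-step skew window are the usual defaults, assumed here. The verifier tolerates one step of clock skew either side of the server's clock and refuses a code it has already accepted, so a code captured in transit cannot be replayed inside the skew window.

```python
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 time step, in seconds
DIGITS = 6     # code length the user types
WINDOW = 1     # accept one step of clock skew on either side of "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)


class TotpVerifier:
    """Server side of the 'something they have' factor.

    The shared secret lives on the user's device and on the server; the user
    proves possession by submitting the code the device derives from it.
    The verifier remembers the last time step it accepted for each user so a
    code captured in transit cannot be replayed within the skew window."""

    def __init__(self) -> None:
        self._last_accepted: dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        current = now // STEP
        for delta in range(-WINDOW, WINDOW + 1):
            counter = current + delta
            # compare_digest keeps the comparison time independent of the code
            if hmac.compare_digest(hotp(secret, counter), code):
                if counter <= self._last_accepted.get(user, -1):
                    return False          # already accepted: treat as a replay
                self._last_accepted[user] = counter
                return True
        return False                      # no match within the skew window


# Constructed demo input: the RFC 6238 Appendix B test secret.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier()
    code = totp(DEMO_SECRET, 59)                            # what the device shows at t=59
    print(code, v.verify("alice", DEMO_SECRET, code, 59))   # accepted
    print(code, v.verify("alice", DEMO_SECRET, code, 59))   # same code again: refused
```

In production the per-user "last accepted step" state has to live in shared storage, not in the process, or a replay against a second server instance would succeed; and the secret must be stored with the same care as a password hash, because anyone holding it can mint valid codes.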
3. User Lifecycle Management (ULM) + IAM
ULM refers to a strategic solution that streamlines enterprise administration by replacing a user's many separate accounts with a single, secure, trusted, and efficiently managed identity: one user, one identity, one infrastructure. To meet regulatory requirements, many enterprises implement a ULM strategy on a common infrastructure from which they launch, centrally configure, manage, and report on the various components of the ULM solution.
Consider these ULM features.
Smart provisioning systems can automatically assign the right level of access to each employee on hire. As employees change projects or roles, entitlements and permissions change automatically and in real time, eliminating backlogs of access requests and, just as importantly, the stale permissions that accumulate when old access is never revoked.
A geo-fence can restrict the locations from which users or systems may access sensitive information.
ULM also facilitates decommissioning user accounts when employees or contractors leave or no longer require access. Up to 40% of employees log into their accounts after their termination dates, so promptly decommissioning these accounts, particularly privileged accounts, is a critical security control.
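To make the provisioning and decommissioning features above concrete, here is an added example (not the article's code, nor any vendor's) of role-based entitlement reconciliation in Python. The roles, entitlements, and users are constructed for the example. Each run derives what a user should hold from their current roles (nothing, once they are inactive), revokes the surplus before granting the difference, and reports revoked privileged entitlements separately; a final check lists leavers who still hold access, which is what an audit of post-termination logins is looking for.

```python
from dataclasses import dataclass, field

# Role model: constructed for the example. A real deployment would load this
# from the IAM system's role catalogue rather than hard-coding it.
ROLE_ENTITLEMENTS = {
    "engineer": {"git:read", "git:write", "ci:run"},
    "sre":      {"git:read", "git:write", "ci:run", "prod:ssh", "cloud:admin"},
    "finance":  {"erp:read", "erp:post"},
}

# Entitlements whose revocation must never wait in a backlog.
PRIVILEGED = {"prod:ssh", "cloud:admin", "erp:post"}


@dataclass
class User:
    name: str
    roles: set[str]
    active: bool = True                                   # False once HR records a departure
    entitlements: set[str] = field(default_factory=set)   # what the user holds right now


def desired_entitlements(user: User) -> set[str]:
    """Access a user should hold, derived only from roles.
    An inactive user's desired set is empty whatever roles remain on record."""
    if not user.active:
        return set()
    desired: set[str] = set()
    for role in user.roles:
        desired |= ROLE_ENTITLEMENTS.get(role, set())
    return desired


def reconcile(user: User) -> dict[str, list[str]]:
    """Bring the user's actual entitlements in line with the desired set.

    Revocations are applied before grants so that a role change never leaves
    the user holding the old access and the new access at the same time."""
    desired = desired_entitlements(user)
    revoke = user.entitlements - desired
    grant = desired - user.entitlements
    user.entitlements -= revoke              # remove stale access first
    user.entitlements |= grant               # then add what the new role needs
    return {
        "grant": sorted(grant),
        "revoke": sorted(revoke),
        "privileged_revoked": sorted(revoke & PRIVILEGED),
    }


def leavers_with_access(users: list[User]) -> list[str]:
    """Audit check: inactive users whose accounts still carry entitlements."""
    return sorted(u.name for u in users if not u.active and u.entitlements)


if __name__ == "__main__":
    alice = User("alice", {"engineer"})
    print(reconcile(alice))                   # hire: grants the engineer set
    alice.roles = {"sre"}
    print(reconcile(alice))                   # role change: adds only prod:ssh and cloud:admin
    alice.active = False
    print(reconcile(alice))                   # departure: revokes everything
    # Constructed leaver whose account was never cleaned up
    bob = User("bob", {"finance"}, active=False, entitlements={"erp:post"})
    print(leavers_with_access([alice, bob]))  # bob still holds a privileged entitlement
```

The design choice worth noting is that desired access is always recomputed from roles rather than edited incrementally: a departure is then just a state flag, and the same reconciliation that handles a promotion also strips every entitlement, privileged ones included, the moment HR marks the user inactive.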
How to Implement IAM
IAM can be implemented in-house, by a third party, or as a hybrid. IAM tools are generally rolled out in a particular order that depends on the organization's IAM maturity level, which in turn depends on several factors. Gartner's maturity levels are:
According to Gartner, an organization with no IAM technology in place that proceeds in a decentralized, ad hoc way is at the initial level. An organization whose IAM architecture is embedded in its enterprise architecture and whose IAM governance is optimized is at the top level, operational excellence (optimized). Most organizations fall somewhere in between.
Unlike IT changes that need little discovery, such as upgrading a firewall or another standalone piece of software, IAM is not a standalone application: every other company application and system should connect to it for it to work as designed and to properly secure the organization's data and access.
The first step for any organization implementing IAM, upgrading it, or moving from an on-premises solution to the cloud is therefore an IAM audit that determines the maturity level and documents processes, architecture, and infrastructure design. The importance of this step cannot be overstated.
During one such audit, SecurIT discovered unnecessary provisioning of Office 365 licenses worth over $1M in savings to the organization. On the flip side, large organizations that skip the audit and address issues as they surface during implementation can see timelines stretch by years and costs grow by millions.
An audit, assessment, and discovery phase, preferably conducted by a third party, gives an organization an IAM roadmap that is accurate from both a budget and a timeline perspective.