Identity and Access Management (IAM) is an integral component of your overall security program. In its simplest form, it can be defined as proving an entity’s identity through a process of authentication and then providing access to the requested AND authorized resources.
For many organizations, an on-prem LDAP directory and/or Active Directory addressed a subset of the IAM requirements and was sufficient. As cloud utilization has increased, however, the traditional on-prem directory model is usually insufficient to deliver the desired business functionality, security posture, and risk profile.
It is important to use consistent terms when talking through the various components that can make up an IAM strategy. Some of the common areas that should be considered for your strategy are Single Sign-On, Multifactor Authentication, Privileged Access Management/Privileged Identity Management, and Identity Governance (and Administration).
Single sign-on is the function that allows individuals to use a single identity element to identify themselves to multiple disparate applications or services, regardless of location (on-prem or cloud). Typically, there will be an Identity Provider (IdP) that acts as the directory of identities and can either serve as the “Source of Truth” itself, or it may be linked to an HRMS to act as the “Source of Truth.”
The application or service, typically identified as a Service Provider (SP) in the context of SSO, will authenticate the identity element with the IdP. There are more complex scenarios involving service catalogs and similar constructs, but fundamentally the key is that a user uses a single identity when authenticating to any business application or service, regardless of where the application lives (on-prem or cloud) or whether it is a corporate application/service or a 3rd-party, corporate-sanctioned application.
Multi-factor authentication is the authentication method that allows or, better yet, requires multiple factors to be used to validate the authenticity of a user authentication request. While MFA can be used without SSO, in that scenario it dramatically increases the frustration levels for users and increases the complexity of the solution.
SSO and MFA are a great combination to improve efficiency, reduce user friction, and address many vulnerabilities that exist with non-MFA authentication systems. The factors that can be combined to authenticate a user are typically “something you know, something you have, and something you are.”
Privileged Access Management (or Privileged Identity Management, PAM/PIM) is the component of IAM focused on managing and protecting privileged identities. Traditional examples would be System Administrators that have privileged accounts used for managing infrastructure, but these lines have blurred over time.
Current examples include privileged access for managing cloud environments, database administrators, application administrators, or any other access to systems, applications, or networks that provide a business-critical service or contain business-critical data. Privileged access/identities typically have the technical rights to make significant changes, up to and including deletion of services, applications, and data. Privileged access/identity management solutions vary in function, but essentially they reduce the risk from those accounts by enforcing process and procedure in how and when they are used. This can include functions such as account check-in/check-out with detailed logging of each one-time use of the account.
Identity Governance or Identity Governance and Administration (IGA) is the process of governance around identity and access provisioning, de-provisioning, and overall ongoing access management. The onboarding of a new employee or an employee transferring job function/role typically creates an inflection point of change where an electronic identity must be created and associated with a specific employee or contractor, and access rights must be provisioned and/or changed.
Following a governance process allows an organization to adhere to the principle of least privilege access throughout the lifetime of the user entity within the organization. Without governance, access is typically over-provisioned at onboarding, and/or privilege creep occurs over time. In a possible worst-case scenario, the user entity retains access to critical systems and/or data after employment or a contract has been completed. Without governance around identity, an organization is likely assuming risk to business-critical systems, applications, and data.
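As an added example (not part of the original post), the following reconciliation pass compares an HR "Source of Truth" feed against directory entitlements and flags the two failure modes described above: access retained after an employment or contract end date, and entitlements outside the user's role baseline (over-provisioning or privilege creep). The role baseline, entitlement names and all records are constructed for illustration.

```python
# Added example, not from the original post: a minimal governance reconciliation
# that compares an HR "Source of Truth" feed with directory entitlements and
# flags access retained past an end date and entitlements outside the user's
# role baseline (privilege creep). Roles, entitlements and records are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

ROLE_BASELINE = {  # hypothetical baseline: entitlements each job role may hold
    "engineer": {"vpn", "git", "ci"},
    "dba": {"vpn", "db-admin"},
    "contractor": {"vpn"},
}

@dataclass
class HrRecord:
    user: str
    role: str
    end_date: Optional[date]  # None = employment/contract still active

def reconcile(hr, directory, today):
    """Return (user, kind, entitlements) tuples; kind is 'orphaned' or 'excess'."""
    hr_by_user = {r.user: r for r in hr}
    findings = []
    for user, ents in sorted(directory.items()):
        rec = hr_by_user.get(user)
        # No HR record, or end date reached: any remaining access is orphaned.
        if rec is None or (rec.end_date is not None and rec.end_date <= today):
            if ents:
                findings.append((user, "orphaned", frozenset(ents)))
            continue
        excess = set(ents) - ROLE_BASELINE.get(rec.role, set())
        if excess:
            findings.append((user, "excess", frozenset(excess)))
    return findings

# Constructed sample feeds and the reconciliation date.
AS_OF = date(2023, 6, 1)
HR_FEED = [HrRecord("alice", "engineer", None),
           HrRecord("bob", "dba", date(2023, 1, 31)),   # contract ended
           HrRecord("carol", "contractor", None)]
DIRECTORY = {"alice": {"vpn", "git", "ci", "db-admin"},  # engineer with DBA rights
             "bob": {"vpn", "db-admin"},                 # left, still has access
             "carol": {"vpn"},                           # within baseline
             "dave": {"git"}}                            # no HR record at all

if __name__ == "__main__":
    for user, kind, ents in reconcile(HR_FEED, DIRECTORY, AS_OF):
        print(f"{kind:9} {user}: {sorted(ents)}")
```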
All of the above items are referenced directly in the CIS Top 20 Critical Security Controls, including CIS Control 4 (Controlled Use of Administrative Privileges), CIS Control 14 (Controlled Access Based on the Need to Know), and CIS Control 16 (Account Monitoring and Control). Additionally, components of IAM are referenced in MANY of the sub-controls throughout the Top 20 Critical Security Controls.
Overall, IAM is also an area that can become a business enabler and efficiency driver, since it removes the requirement and frustration for users who manage multiple identities and credential pairs (usernames and passwords). This in itself increases your security posture and reduces risk purely by reducing the multitude of “identities” that your users must manage, since that multitude leads to password re-use and weak passwords in general, which exposes your users to threats from “brute-force” attacks, such as credential stuffing or password spray attacks.
These types of attacks involve using either lists of known compromised usernames/passwords from other security incidents or lists of commonly used passwords to attempt to authenticate against a corporate service, such as email, using automation and scripting until access is gained. This is unfortunately very common and successful.
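From the defender's side, the spray pattern described above (one source trying a few passwords across many accounts) looks different in authentication logs from a classic brute force against a single account. The detector below is an added example, not from the original post; the log format and the thresholds (4 users or 4 attempts within 10 minutes) are assumptions, and the log lines are constructed.

```python
# Added example, not from the original post: flag the spray and brute-force
# patterns described above in constructed auth log lines. Log format and the
# thresholds (4 users / 4 attempts in 10 minutes) are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:03 FAIL user=bob src=203.0.113.5
2024-03-01T09:00:05 FAIL user=carol src=203.0.113.5
2024-03-01T09:00:07 FAIL user=dave src=203.0.113.5
2024-03-01T09:00:09 OK user=erin src=203.0.113.5
2024-03-01T09:01:00 FAIL user=alice src=198.51.100.7
2024-03-01T09:01:02 FAIL user=alice src=198.51.100.7
2024-03-01T09:01:04 FAIL user=alice src=198.51.100.7
2024-03-01T09:01:06 FAIL user=alice src=198.51.100.7
2024-03-01T09:45:00 FAIL user=bob src=192.0.2.9
"""

def parse(line):
    """Split '<ISO time> <FAIL|OK> user=<u> src=<ip>' into a tuple."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user[5:], src[4:]

def detect(log, window=timedelta(minutes=10), min_users=4, min_attempts=4):
    """Return {src: kind}: 'spray' = many distinct users from one source,
    'brute-force' = many failures against one user; 'spray+success' when a
    spraying source also produced a successful login (likely compromise)."""
    fails, oks = defaultdict(list), set()
    for ts, result, user, src in sorted(parse(l) for l in log.splitlines() if l):
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            oks.add(src)
    findings = {}
    for src, events in fails.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window
                start += 1
            recent = events[start:end + 1]
            users = {u for _, u in recent}
            if len(users) >= min_users:
                findings[src] = "spray"
            elif len(recent) >= min_attempts and len(users) == 1:
                findings.setdefault(src, "brute-force")
        if findings.get(src) == "spray" and src in oks:
            findings[src] = "spray+success"
    return findings
```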
IAM can be as simple or complex as the scope of your requirements dictates; it may include SSO, MFA, PAM, Governance, and more, and can be deployed in an architecture that supports multi-cloud and/or on-prem identity.
IAM is a key tenet of Zero Trust Architecture (ZTA). We can help your organization design and execute your Identity and Access Management strategy.