Difference between revisions of "Identity and access management"

In cyber-security, identity and access management (alternatively known by its abbreviation, IAM, as well as identification and access management or, simply, identity management; more narrowly known as user management; hereinafter, IAM) is practice and a set of concepts based on that practice of granting each user of some system a right system-user role.

The goal of IAM can be stated as to "enable the right individuals to access the right resources at the right times, and for the right reasons" (as quoted in Wikipedia. IAM combines business processes, policies, and technologies.

User management

User management defines the ability for administrator(s) to manage user access to various IT resources like systems, devices, applications, storage systems, networks, SaaS services, and more. User management is a core part to any directory service and is a basic security essential for any organization. User management enables admins to control user access and on-board and off-board users to and from IT resources. Subsequently a directory service will then authenticate, authorize, and audit user access to IT resources based on what the IT admin had dictated.

Traditionally, standalone user management has been grounded with on-prem servers, databases, and closed virtual private networks (VPN). However, recent trends are seeing a shift towards cloud-based IAM, granting administrators greater control over digital assets.

Components

1. Directory: Directory services connect users to the IT resources they need. As the core user store, the directory is the foundation of any identity, access, and device management program. There are two primary classifications of directories — the on-premises directory, such as the legacy service Microsoft Active Directory, and the cloud directory platform.
2. Directory extension: Because conventional on-prem directories are ill-equipped to manage many of today’s resources (e.g., Mac, Linux, SaaS, IaaS), a whole category of solutions has been created to extend credentials to other platforms and locations.
3. SSO: Single sign-on solutions strive to consolidate the plethora of web application accounts and resources into one login process via the web browser. This category is also known as first-generation IDaaS (Identity-as-a-Service).
4. Privileged account management: Some directories don’t provide sufficient security or management of critical systems like databases and network infrastructure. Privileged account management has sprung up to fill the void. These systems provide more stringent access controls, including the ability to manage systems and tightly control access to high-value IT resources.
5. Password managers/vaults: End users need to remember so many passwords that a category of solutions has emerged to help. Password vaults store the passwords to your websites and can generate secure passwords for you.
6. Multi-factor Authentication (MFA or 2FA): Passwords are an imperfect form of identity protection. To prevent the breach of high-value resources, a second method of authentication is essential.

Challenges

Vulnerable identities

Credential theft drives breaches — but everyone likes to say, “It will never happen to me.” However, more than one in four data breach victims last year were small businesses. (Source: “2020 Data Breach Investigations Report.” Verizon. Accessed Oct. 6, 2020. https://enterprise.verizon.com/resources/reports/2020/2020-data-breachinvestigations-report.pdf)

Clearly, greater security and stronger authentication are paramount for every organization, large or small. These are some steps you can take to fortify your identities:

• Enforce strong identity controls, including strict password requirements.
• Require multi-factor authentication on devices, applications, and other high-value access points.
• Train employees to use strong, unique passwords, and train them to recognize phishing attempts.
• Encourage users to implement a password manager.

Identity sprawl

Think about all the accounts and passwords the average person has today: email, social media, banking, and on and on. The average internet user has a whopping 150 online accounts — and growing.

This is called identity sprawl, and it’s even worse at workplaces where you have to factor in a variety of internal and SaaS-based apps. Users have a different account for Slack, M365, Salesforce, GitHub, Google Workplace, and more. Aside from being a headache from a compliance perspective, identity sprawl hurts companies in two big ways:

1. Identity sprawl decreases security. "People average 150 accounts, but only 5 passwords." — Telesign. Identity sprawl creates a chaotic environment that is difficult to secure. When an employee leaves, instead of being able to deprovision access to all resources with one click, IT must be meticulous and deprovision access individually for each resource. One mistake, one oversight, and someone has access who shouldn’t. To hackers, identity sprawl looks a lot like opportunity.
2. Decentralized identities reduce efficiency. At the user level, identity sprawl leads users to spend more time logging in and to reuse their passwords (and to ring the help desk when they inevitably can’t remember which password goes to which account). LastPass even discovered that the average user ends up wasting 36 minutes a month just on typing passwords. (Source: “The Password Exposé.” LastPass. Accessed Oct. 6, 2020. https://lp-cdn.lastpass.com/lporcamedia/document-library/lastpass/pdf/en/LastPassEnterprise-The-Password-Expose-Ebook-v2.pdf) On the admin side, it’s even worse. IT loses centralized control. They make a change in the central user directory, and it ends up propagating to only some IT resources. This requires admins to keep track of which resources require separate control. The solution is to consolidate identities, but our next challenge — legacy IAM solutions — is a major roadblock toward that goal.

Legacy identity management solutions

Microsoft Active Directory has served valiantly as a core identity provider since its release with Windows 2000. It earned an early stronghold on the market that’s still in place, but a lot has changed since 1999. In fact, the dominance of Microsoft AD is the single biggest reason for identity sprawl. AD doesn’t effectively manage devices that don’t run Windows — and the number of Mac and Linux devices has been on the uptick year after year.

AD is also poorly equipped to authenticate SaaS-based identities and other cloud resources. The result is a multiplicity of unmanaged identities. So identity sprawl stems directly from companies where the IT department’s hands are tied because they still have to use AD.

The other major legacy directory in place at companies is OpenLDAP.

LDAP is better with Linux and Unix systems than AD, but it has the same difficulties managing cloud infrastructure. Furthermore, OpenLDAP is partial to LDAP, and so other ascendent protocols like SAML, OAuth, and the re-emerged RADIUS are out of reach. Same with the ability to manage Windows and Mac devices.

Ultimately, as long as these legacy systems continue to lock companies into their identity management solutions, IT will be unable to keep up with the changing identity landscape.

Shadow IT

Shadow IT refers to systems and solutions implemented inside organizations without the IT department’s knowledge or approval. Shadow IT is:

• Widespread — 80% of workers use non-permitted SaaS apps. Check out this case study to learn more.
• Risky — More than 1 in 4 shadow IT apps is high-risk. Check out this case study to learn more.
• Expensive — Shadow IT accounts for 30-40% of IT spend.

Check out this case study to learn more. In other words, shadow IT is a major factor contributing to the identity crisis that IT faces today. Whether it's for collaboration, communication, or the transfer of files, shadow IT means more unmanaged identities.

Ultimately, you likely can’t eliminate shadow IT all together. The approach to mitigate it involves training employees about shadow IT and eliminating the need for shadow IT by improving your IT infrastructure to better accommodate and manage the types of apps and IT resources that are likely to be implemented by rogue innovators.

Vendor lock-in

The market to manage your identities has never been so competitive.

As a result, one of the more subtle factors working against identity management is vendor lock-in. This refers to all of the companies that are trying to woo you and your organization into using their platforms (often for free) so that you become dependent on their services. Eventually, this means they can lock you into paying for their other services. As TechBeacon put it, once you’re locked in, “it can be hard to port to another vendor’s platform without considerable effort and cost”. (Source: Vijayan, Jaikumar. “Serverless vendor lock-in: Should you be worried?” TechBeacon. Accessed Oct. 6, 2020. https://techbeacon.com/enterprise-it/serverless-vendor-lock-should-you-be-worried)

Microsoft, Google, Amazon — they all know that if they lock up your corporate identities now, you’ll be beholden to them later. These are savvy businesses. Why do you think that they offer so many valuable services for free? For them, storing your identities (on their infrastructure) means additional revenue elsewhere and locking you into their ecosystem.

For Microsoft, it’s Windows, M365, and Azure. For Google, it’s Google Workspace, Chrome/Android, and Google Cloud Platform. For Amazon, it’s AWS and buying goods and services. They design their infrastructures to be funnels — funnels that eventually guide you to paying for their services and excluding alternatives.

Don’t be a pawn in another player’s game. Understand that your identities are perceived as long-term corporate assets and protect them.

Strategy quality

Use this checklist to assess your current IAM strategy:

• Centralized Management
• Single Sign-On
• Manage by Groups Requirements
• Compatible with Windows, Mac, & Linux
• Extensible to the Cloud
• Cross-platform Device Management
• Unique Wi-Fi credentials for each user
• Multi-Factor Authentication
• Password Complexity Management
• Secure Passwords (i.e. not clear text or encrypted)
• Uses Core Protocols such as LDAP, SAML, RADIUS, SSH, REST
• Automated Provisioning and Deprovisioning
• SSH Key Management
• IAM platform utilizes zero-trust security practices

Poor

(0-5) If you’re in this range, then your IAM strategy is actively hurting your company’s efficiency and security. You likely don’t have an identity provider or need to scrap your existing one. Giving your IAM strategy a makeover should be your top priority.

Fair

(6-8) You’re keeping your head above water, but you’re not able to think about the future. Your IAM strategy is either causing lapses in security or has incompatibility with critical resources. Survey your needs and consider making a major change.

Good

(9-11) If you scored in this range, that means your IAM strategy is serving you well. Still, all it takes is one missing plate in your armor for a hacker to deal a costly strike. Keep reading to find ways to address your IAM solution’s shortcomings.

Excellent

(12-14) Give yourself a pat on the back. You’ve already got a high-functioning IAM strategy. Focus your efforts on staying ahead of the curve and being prepared for the changes coming in the identity market.

See also

Related lectures

• System-User Roles.