Before we delve into the definition and benefits of IAM, it's important to understand the difference between identification, authentication, and authorization.
The first involves the user “identifying” themselves. This could be through a username, telephone number, or even an email address. Essentially, in this first step, the user is claiming to be someone.
Authentication, on the other hand, is all about verifying whether that person is indeed who they claim to be. This can be done through one or more of the following factors: something they know (for example, a password), something they have (like a smart card) and/or something they are (such as a fingerprint). The combination of more than one factor is known as multi-factor authentication (MFA).
Finally, in authorization, the level of permission the authenticated user has is determined. This means that the system will check whether User X has the privilege to access some or all of the resources.
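The three steps just described, as an added example that is not part of the original article: a small in-memory model in which the user first claims an identity, then proves it with a password (something they know) and a TOTP code from an enrolled device (something they have), and only then is checked for the permission they asked for. All usernames, passwords, secrets and permissions are constructed sample data, and the user store is a plain dictionary standing in for a real directory.

```python
"""Added example (not from the article): identification, authentication
and authorization as three separate steps. Users, passwords, TOTP secrets
and permissions below are constructed sample data."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are never stored in clear: per-user salt + PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, totp_secret: bytes, permissions: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt),
            "totp_secret": totp_secret, "permissions": permissions}


# Constructed user store (a real system would query a directory or IdP).
USERS = {
    "alice": make_user("correct horse battery staple", b"alice-secret-key",
                       {"email:read", "db:read", "db:write"}),
    "bob": make_user("hunter2", b"bob-secret-key", {"email:read"}),
}


def identify(claimed_name: str) -> Optional[dict]:
    """Step 1: the user claims an identity; nothing is verified yet."""
    return USERS.get(claimed_name)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30 s time steps)."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def authenticate(user: dict, password: str, otp: str, now: Optional[int] = None) -> bool:
    """Step 2: prove the claim with two factors (password + TOTP), i.e. MFA."""
    now = int(time.time()) if now is None else now
    expected = _hash_password(password, user["salt"])
    # Constant-time comparisons, and both factors are always evaluated so the
    # response time does not reveal which one failed.
    password_ok = hmac.compare_digest(expected, user["pw_hash"])
    otp_ok = hmac.compare_digest(totp(user["totp_secret"], now), otp)
    return password_ok and otp_ok


def authorize(user: dict, permission: str) -> bool:
    """Step 3: does the authenticated user hold this permission?"""
    return permission in user["permissions"]


def login_and_access(name: str, password: str, otp: str, permission: str,
                     now: Optional[int] = None) -> str:
    user = identify(name)
    # An unknown name and a wrong password get the same answer, so callers
    # cannot enumerate which usernames exist.
    if user is None or not authenticate(user, password, otp, now):
        return "authentication failed"
    return "allowed" if authorize(user, permission) else "forbidden"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)
    print(login_and_access("alice", "correct horse battery staple", code, "db:write", now))
```

The TOTP routine is checked against the RFC 6238 reference vector in the test, so the second factor is the real algorithm rather than a stand-in; the password hashing parameters are illustrative and should follow current guidance in production.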
In essence, this is what Identity and Access Management (IAM) is all about. It’s a combination of policies, procedures, and technologies that ensures the right users (i.e., individuals or machines) have access to the different resources (like email or databases) for the right reasons at the right time.
Factoring in IAM can help organizations:
- Achieve compliance: These can include Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR).
- Boost productivity: IAM tools can help develop automated workflows for joiners, movers, and leavers, thus helping businesses to reduce overheads.
- Better manage passwords: 80% of breaches are caused by passwords. IAM solutions can help enforce best practices and even reduce the use of passwords through single sign-on (SSO).
- Mitigate Insider Threat: This can be achieved by implementing MFA, the use of approaches like Role-based access control (RBAC) to assign roles and responsibilities, the concept of least privilege, as well as facilitating monitoring and auditing.
- Obtain the goal of zero trust: Please refer to the video below.
So what are some of the common components of IAM?
- SSO: The idea behind this is that the user enters their password and/or completes the MFA challenge once. The system then authenticates and authorizes the individual, after which they will not be prompted to enter their credentials again. A well-known example of its implementation is Google. Once you’ve logged into Gmail, there’s no need to enter a password to use YouTube or any of the other apps. The benefits of SSO can range from reduced IT costs to increased productivity.
- Multi-factor authentication.
- Analytics and risk-based authentication: Here the IAM system leverages artificial intelligence (AI) to assess suspicious activity. During login, factors such as device (i.e., Is this mobile device known?), location (i.e., Is this the usual timezone?), network (i.e., Is this a familiar IP?), and the sensitivity of the resource that needs to be accessed (i.e., Is the file sensitive or classified as unrestricted?) are analyzed. If the result is deemed high risk, the user will almost certainly be required to authenticate using an additional factor.
- Zero Trust.
- RBAC: As mentioned earlier, RBAC is one of the approaches to controlling access based on the individual’s role within the organization. This means users can be grouped depending on their seniority or job description. Users within the same group (for instance, finance) will have the same rights and responsibilities. RBAC isn’t perfect; it has disadvantages. For instance, not everyone has a clear-cut responsibility, which means IT admins might struggle to assign people specific roles. Another challenge involves flexibility. User X from Employee Relations might be required to support Payroll for a few days. Managing permissions in such cases can be a hassle.
(Note: Other alternatives to RBAC include Attribute-Based Access Control (ABAC), Mandatory Access Control (MAC), and Discretionary Access Control (DAC), but none of them is a perfect solution. In some cases, they can be complemented.)
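Two of the components in the list above, risk-based authentication and RBAC, as one added example that is not the article's own code: the login signals the article names (known device, usual timezone, familiar IP, resource sensitivity) are turned into a risk score that decides whether a step-up factor is required, and permissions are then derived from roles. The RBAC part handles the flexibility problem the article raises by allowing a time-bounded role grant, so "User X from Employee Relations supports Payroll for a few days" is expressed as a grant that expires on its own. Role names, permissions, weights and the threshold are constructed sample values.

```python
"""Added example (not from the article): a risk-based step-up decision
followed by an RBAC permission check with time-bounded role grants.
Roles, permissions, signal weights and the threshold are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


# --- Risk-based authentication -------------------------------------------
@dataclass
class LoginContext:
    known_device: bool
    usual_timezone: bool
    familiar_ip: bool
    resource_sensitivity: str   # "unrestricted" | "internal" | "sensitive"


# Constructed weights: each unusual signal adds to the score, as does the
# sensitivity of the resource being requested.
RISK_WEIGHTS = {"unknown_device": 3, "unusual_timezone": 2, "unfamiliar_ip": 2}
SENSITIVITY_WEIGHT = {"unrestricted": 0, "internal": 1, "sensitive": 3}
STEP_UP_THRESHOLD = 4   # at or above this, require an additional factor


def risk_score(ctx: LoginContext) -> int:
    score = 0
    if not ctx.known_device:
        score += RISK_WEIGHTS["unknown_device"]
    if not ctx.usual_timezone:
        score += RISK_WEIGHTS["unusual_timezone"]
    if not ctx.familiar_ip:
        score += RISK_WEIGHTS["unfamiliar_ip"]
    score += SENSITIVITY_WEIGHT[ctx.resource_sensitivity]
    return score


def requires_step_up(ctx: LoginContext) -> bool:
    return risk_score(ctx) >= STEP_UP_THRESHOLD


# --- RBAC with time-bounded grants ---------------------------------------
ROLE_PERMISSIONS = {
    "employee_relations": {"hr:read_cases", "hr:update_cases"},
    "payroll": {"payroll:read", "payroll:run"},
    "finance": {"ledger:read", "ledger:post"},
}


@dataclass
class RoleGrant:
    role: str
    expires: Optional[datetime] = None   # None means a permanent assignment


@dataclass
class User:
    name: str
    grants: List[RoleGrant] = field(default_factory=list)


def active_roles(user: User, now: datetime) -> Set[str]:
    # Expired grants simply stop contributing; no clean-up job is needed
    # for the access decision to be correct.
    return {g.role for g in user.grants if g.expires is None or now < g.expires}


def permissions(user: User, now: datetime) -> Set[str]:
    perms: Set[str] = set()
    for role in active_roles(user, now):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def grant_temporarily(user: User, role: str, days: int, now: datetime) -> None:
    """Lend a role for a fixed number of days instead of a permanent change."""
    user.grants.append(RoleGrant(role, expires=now + timedelta(days=days)))


def decide(user: User, permission: str, ctx: LoginContext, now: datetime,
           step_up_done: bool = False) -> str:
    """Risk check first, then the role-based permission check."""
    if requires_step_up(ctx) and not step_up_done:
        return "step-up required"
    return "allowed" if permission in permissions(user, now) else "forbidden"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    user_x = User("user_x", [RoleGrant("employee_relations")])
    grant_temporarily(user_x, "payroll", days=3, now=now)
    ctx = LoginContext(known_device=False, usual_timezone=True,
                       familiar_ip=True, resource_sensitivity="sensitive")
    print(decide(user_x, "payroll:run", ctx, now))          # step-up required
    print(decide(user_x, "payroll:run", ctx, now, True))    # allowed
```

The weights are deliberately simple so the decision is auditable; a production engine would learn or tune them, but the shape of the decision (score the context, step up above a threshold, then evaluate roles) is the same.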
Next week we’ll explore the different information security standards.
This article is part of a project called Security Chronicles, written jointly with Walter Buyu.