Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. With an IAM framework in place, information technology (IT) managers can control user access to critical information within their organizations. Systems used for IAM include single sign-on (SSO), two-factor and multifactor authentication (MFA), and privileged access management (PAM). These technologies also provide the ability to securely store identity and profile data, as well as data governance functions to ensure that only data that is necessary and relevant is shared.
Companies need IAM to provide online security and to increase employee productivity.
Security. Traditional security often has a single point of failure: the password. If a user's password is compromised, or worse, the email account used for password recovery, the organization becomes vulnerable to attack. IAM services narrow these points of failure and backstop them with tools that catch mistakes when they are made.
Productivity. Once an employee logs on to the main IAM portal, they no longer have to worry about having the right password or the right access level to perform their duties. Not only does every employee get access to the set of tools their job requires, but that access can be managed per group or role instead of per individual, reducing the workload on IT staff.
Identity and Access Management Architecture
In the diagram below, we can see the flow of internal and external users accessing the applications hosted in the web tier of an organisation. Both internal and external users are challenged to provide credentials for authentication on the SSO authentication page.
Here, the user authentication mechanism can be configured to use forms-based login, X.509 certificate-based MFA, OAuth, or SAML 2.0. After authentication, the SSO service checks the user's authorisation for the requested application and redirects them to the corresponding application target page based on their attribute definitions and provisioning roles.
The IAM administrator is responsible for framing user profiles, policies and workflows, protecting web application resources with the SSO component, and defining the provisioning roles.
For example, say the finance department of an organisation has a provisioning role defined in IAM as the "finance managers provisioning role". On being assigned the "finance managers provisioning role", a user gains access to all the applications associated with that provisioning role. Similarly, when the same user is de-provisioned from the "finance managers provisioning role", that user loses access to those applications.
Here, a common user store is shared by the SSO services and the Identity Manager. User identities in this store are managed through the Identity Manager component.
1. Identity management: Create, update, revoke and restore identities, and provision users to applications or endpoints.
2. Authentication: Validating user credentials when a user accesses protected resources.
3. Authorization: Allowing or denying a user access to protected resources.
4. Single Sign-On (SSO): Using an existing authentication session token to access multiple applications, within the same domain, across multiple domains, or through federation.
IAM Tasks and Tools:
Manage user identities
IAM systems can be the sole directory used to create, modify and delete users, or they may integrate with one or more other directories and synchronise with them. Identity and access management can also create new identities for users who need a specialized type of access to an organization's tools.
Provisioning and deprovisioning users
Specifying which tools and access levels (editor, viewer, administrator) to grant a user is called provisioning. IAM tools allow IT departments to provision users by role, department or other grouping, in consultation with the managers of that department. Since it is time consuming to specify each individual's access to every resource, identity management systems enable provisioning via policies defined using role-based access control (RBAC). Users are assigned one or more roles, usually based on job function, and the RBAC IAM system automatically grants them the access those roles carry. Provisioning also works in reverse: to avoid the security risk of ex-employees retaining access to systems, IAM lets the organization remove their access quickly.
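The finance-department walk-through in the architecture section and the RBAC provisioning described above can be written down as a small provisioning engine. The code below is an added example, not code from the original page or from any IAM product; the role names, application names, user ids and the "iam-admin" actor are constructed for illustration. It implements exactly the behaviour the text describes (assigning a provisioning role grants its applications, revoking it removes them, every change is audited) and handles one case the text leaves implicit: a user who holds two roles that both grant an application keeps that application until the last such role is removed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuditEvent:
    """One entry of the audit trail an IAM platform keeps for each action."""
    at: str
    actor: str
    action: str
    user: str
    detail: str


class ProvisioningEngine:
    """Minimal RBAC provisioning model (hypothetical; not a real product's API)."""

    def __init__(self) -> None:
        self.role_apps: dict[str, frozenset[str]] = {}  # role -> applications it grants
        self.user_roles: dict[str, set[str]] = {}       # user -> roles currently held
        self.audit: list[AuditEvent] = []

    def _log(self, actor: str, action: str, user: str, detail: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(AuditEvent(stamp, actor, action, user, detail))

    def define_role(self, role: str, apps: set[str]) -> None:
        """The IAM administrator frames a provisioning role as a set of applications."""
        self.role_apps[role] = frozenset(apps)

    def effective_apps(self, user: str) -> set[str]:
        """Union of the applications granted by every role the user holds."""
        apps: set[str] = set()
        for role in self.user_roles.get(user, set()):
            apps |= self.role_apps[role]
        return apps

    def can_access(self, user: str, app: str) -> bool:
        """Authorization decision: is the application in the user's effective set?"""
        return app in self.effective_apps(user)

    def assign_role(self, actor: str, user: str, role: str) -> set[str]:
        """Assign a role; return only the applications newly gained by this assignment."""
        if role not in self.role_apps:
            raise KeyError(f"unknown provisioning role: {role}")
        before = self.effective_apps(user)
        self.user_roles.setdefault(user, set()).add(role)
        gained = self.effective_apps(user) - before
        self._log(actor, "assign_role", user, f"{role} -> +{sorted(gained)}")
        return gained

    def revoke_role(self, actor: str, user: str, role: str) -> set[str]:
        """Remove a role; return only the applications actually lost.

        Access still granted by another role the user holds is kept.
        """
        before = self.effective_apps(user)
        self.user_roles.get(user, set()).discard(role)
        lost = before - self.effective_apps(user)
        self._log(actor, "revoke_role", user, f"{role} -> -{sorted(lost)}")
        return lost

    def deprovision_user(self, actor: str, user: str) -> set[str]:
        """Offboarding: strip every role so an ex-employee retains no access."""
        lost = self.effective_apps(user)
        self.user_roles.pop(user, None)
        self._log(actor, "deprovision_user", user, f"-{sorted(lost)}")
        return lost


def finance_scenario() -> ProvisioningEngine:
    """Constructed walk-through of the finance example from the text."""
    iam = ProvisioningEngine()
    iam.define_role("finance managers provisioning role",
                    {"ledger", "expense-approval", "payroll"})
    iam.define_role("all staff provisioning role", {"hr-portal", "expense-approval"})
    iam.assign_role("iam-admin", "alice", "all staff provisioning role")
    iam.assign_role("iam-admin", "alice", "finance managers provisioning role")
    # Alice leaves finance: ledger and payroll go, expense-approval stays
    # because the all-staff role still grants it.
    iam.revoke_role("iam-admin", "alice", "finance managers provisioning role")
    return iam


if __name__ == "__main__":
    engine = finance_scenario()
    print(sorted(engine.effective_apps("alice")))
    for event in engine.audit:
        print(event.at, event.actor, event.action, event.user, event.detail)
```

The point of computing `gained` and `lost` as set differences rather than trusting the role definition is that the audit trail then records what actually changed for the user, which is what an auditor asks for when reviewing a role change.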
Authenticating users
IAM systems authenticate a user by confirming that they are who they say they are. Today, secure authentication means multi-factor authentication (MFA) and, preferably, adaptive authentication, which raises the requirements (for example by demanding an additional factor) when a login looks unusual.
Authorizing users
Access management ensures a user is granted exactly the level and type of access to a tool that they are entitled to. Users can also be partitioned into groups or roles so that large cohorts of users can be granted the same privileges.
Reporting
IAM tools record most actions taken on the platform (login time, systems accessed, type of authentication used) and generate reports from those records to demonstrate compliance and assess security risks.
Single sign-on
Identity and access management solutions with single sign-on (SSO) allow users to authenticate with one portal instead of with each resource separately. Once a user is authenticated, the IAM system acts as the source of identity truth for the other resources available to that user, removing the need to remember several passwords.
Benefits of IAM
IAM technologies can be used to initiate, capture, record and manage user identities and their related access permissions in an automated manner. An organization gains the following IAM benefits:
Access privileges are granted according to policy, and all individuals and services are properly authenticated, authorized and audited.
Companies that properly manage identities have greater control of user access, which reduces the risk of internal and external data breaches.
Automating IAM systems allows businesses to operate more efficiently by decreasing the effort, time and money that would be required to manually manage access to their networks.
In terms of security, the use of an IAM framework can make it easier to enforce policies around user authentication, validation and privileges, and address issues regarding privilege creep.
IAM systems help companies better comply with government regulations by allowing them to show corporate information is not being misused. Companies can also demonstrate that any data needed for auditing can be made available on demand.
The Tech Platform