As we saw in our previous article about Multi-Factor Authentication (MFA), one of the key parts of security is ensuring the identity of the users accessing your corporate resources. This can be combined with other well-known technologies like Single Sign-On (SSO) to make that process not only as secured as possible but also as simple and transparent for the end-users, so they are not tempted to use easy and weak credentials.
But identity is just one piece, considering that once identified, you also need to ensure these users have access to the right resources and the required level of access and permissions.
This is where Identity and Access Management (IAM) comes into play. Identity and Access Management (also known as IAM, IdM, IdAM, and IDAM) is a security effort to help manage digital identities and control access to corporate resources. It is not a product per se but rather a framework including various well-known security processes, policies and technologies.
What does IAM do?
In short, IAM ensures the right people get access to the right resources as securely and transparently as possible from any desktop/mobile device.
Ensure the person is who they claim to be using a combination of well-proven security technologies like:
- Single Sign-On (SSO): Access multiple resources with one set of credentials
- Multi-Factor Authentication (MFA): Enforce stronger authentication by requiring a user to present additional authentication factors (e.g., PIN, token, One-Time Password, etc.)
- Certificates (e.g., smartcard) or Biometrics (e.g., fingerprint, face recognition): Alternative credentials instead of default everyday password
- Identity Federation: Allow use of credentials from different domains or organizations, for example, in large environments spread over different countries or regions and also in hybrid deployments where corporate resources are located and accessed both on-premises and in the cloud
Make sure that person is provided access to the right resources with the right permissions.
Once authenticated, Role-Based Access (RBA) and corporate policies are used to determine which access a given user needs to be granted for a specific resource or service.
For example, for a CRM used to process Sales orders, one salesperson could be granted the right to generate new orders while another like a Manager would be able to review/validate them.
Why do you need IAM?
- Centralize access control: Get a unique central view and control over all your resources
- Save time and money and reduce IT effort when providing access to corporate resources by streamlining the whole process
- Improve user experience: No need to manage several passwords to access multiple resources
- Enhance security: Eliminate data breaches, identity theft, and unauthorized access to corporate data
- Achieve regulatory compliance (e.g., GDPR, HIPAA)
- Collaborate: Provide access to external customers, partners, etc. without compromising security
What to consider when comparing IAM?
When choosing one that best fits your needs, keep the following in mind:
- Available authentication methods
- Digital certificates (e.g., smartcard, USB, file)
- Multi-Factor Authentication (MFA) options
- 2 Factor Authentication (2FA)
- Mobile Zero Sign-On (ZSO)
- Supported endpoints/devices
- Mobile: iOS, Android
- Desktop (Windows, MacOS), Linux
- Wearables (smartwatches, smart glasses)
- Integration with your current Identity Provider (IdP):
- On-premises: Microsoft Active Directory (AD), Lotus Domino, OpenLDAP
- Cloud-based: Azure Active Directory (Azure AD), Google Cloud (G Suite)
- Hybrid scenario: Azure AD Connect with on-premises Active Directory
- Compatibility with 3rd party vendor software
- On-premise solutions (e.g., Microsoft Exchange)
- Cloud-based SaaS solutions (e.g., Salesforce, Box)
- SAML 2.0 support for other product integrations
- Integration with your current UEM solution
- Ease of deployment and management of required software on your endpoints
- Cost effective
- For cloud-based services customer, best option may be their existing SaaS provider
- For others, you may want to check what your UEM vendor can offer
What is the best IAM for me?
Chances are you already have some IAM solution. Luckily this framework is flexible so you can add additional features to augment your specific needs.
Already “in da house”?
There are many ways to implement Identity and Access Management that will be ultimately determined by how/where your infrastructure is hosted:
- Hybrid (combination of on-premises and cloud-based)
If it is one of the latter two, you certainly have IAM available from your cloud provider. You just need to review what is already in place and determine what is yet to be implemented in order to assess your current needs for higher security.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group