Today, IAM solutions offer a wide range of capabilities. Named using obscure acronyms such as PAM, MFA or SSO, it isn’t always easy to understand what they are – let alone whether you need them.
The goal of this blog is to explain these capabilities so you can understand when and why you might need them. This will help guide you towards an IAM solution that is right for your organisation.
Identity management
Identity management is fundamental to any IAM solution. Quite simply, it is the process of managing a central store of user identities. Administrators do not need to tell services about their users. Instead, the IAM solution automatically configures services with this user information.
The IAM solution gets this user information from business systems, such as the HR system, that know about the organisation’s people. Integrating these systems, and configuring the business logic, can be a significant project, requiring collaboration across the organisation.
As a result, some organisations, intimidated by the perceived effort, persevere with legacy approaches that are slow, costly and error prone. And because identity management is foundational to IAM, these organisations are unable to proceed on the IAM journey necessary for digital transformation and cybersecurity.
Access management
This includes access management, which is the process of deciding if a user is authorised to access a resource. Like identity management, an IAM solution also centralises access management, easing the administration of services.
These policies – which control who has access to what – ensure that users have access to the services that they need – no more and no less. Because these policies are usually determined by the user’s role in the organisation, most organisations use an approach called Role Based Access Control (RBAC). This avoids the need to manage users’ access rights individually.
Like identity management, configuring this business logic can be a complex. However, because the security of the organisation’s services depends on it, it’s also an incredibly important task.
Having got this far, you might think that identity and access management sounds like a lot of work. And it’s true: it does require time and investment. However, it also pays huge dividends, including:
- reduce costs: information and configuration are managed once in the IAM solution, simplifying service management.
- improve security: the centralisation of security-sensitive functions reduces the scope for error and shrinks the attack surface.
- enhance compliance and auditing: the business can demonstrate how it conforms to regulatory requirements.
- drive productivity: users get access to their services more quickly.
- increase transparency: usage of services can be monitored centrally.
These are transformational benefits that also open the door to other powerful capabilities.
Single sign-on
Single sign-on (SSO) extends access management by centralising authentication, in addition to authorisation. With SSO, services do not authenticate or authorise users. Instead, these functions are delegated to the IAM solution.
Users benefit because they authenticate to all their services using a single credential. And, depending on the organisation’s policy, they may only need to authenticate occasionally. This enables seamless access to their services, vastly improves the user experience.
Organisations benefit because the ease of SSO reduces the load on the helpdesk. It also reduces the number of credentials, so users are more likely to manage them securely.
Multifactor authentication
While SSO has tremendous benefits for both user and organisation, it creates a new risk. If a bad actor obtains the user’s credential, they can use it to access all the user’s services.
Multifactor authentication (MFA) protects against this by requiring the user authenticate using a supplementary credential, in addition to the primary credential.
Credentials come in three types: “what you know” (e.g., a password), “what you have” (e.g., an authenticator app on a smartphone) and “what you are” (e.g., a fingerprint). With MFA, at least two of these must be used.
Privileged Access Management
Privileged Access Management (PAM) extends access management by imposing stricter access controls for the most sensitive accounts. These can include:
- issuing users with temporary credentials valid for a specific service account.
- monitoring the user’s use of the service.
- detecting unauthorised or suspicious use.
PAM is most valuable in scenarios where compromise of the account or service could significantly disrupt the business.
Access Request and Recertification
An IAM solution should be fully automated. For example, a finance administrator’s right to access the finance system should be determined automatically by their role, using RBAC as previously discussed. However, sometimes this isn’t possible; for example, a contractor without an employment record in the HR system.
In these scenarios, automation can be supplemented with Access Request/Approval workflows. These allow a user to request access to a service. An approver (such as their manager or the service owner) can accept or decline the request.
To prevent users accumulating privileges, these workflows should be complemented with user recertification. This is the process of periodically certifying a user’s access rights. This recertification is usually performed by the service owner or the user’s manager.
Summary
In this post we’ve looked at the key IAM capabilities and seen how most organisations need a solution incorporating these capabilities. New Era’s IAM offering, Able+, does all this, and more, within a fully managed, cloud-based service.