Identity and access management (IAM) tools protect business resources against cybersecurity threats by ensuring that users are who they say they are and that they are allowed to use the resource they are accessing.
Nearly 80% of organizations have had some type of identity-related security breach within the past two years, and that number isn’t going anywhere but up. Often, that’s because stealing or compromising identities is the fastest and easiest path to infiltrating a corporate network to steal information, demand ransom, deposit malicious payloads or stop infrastructure from working at all.
The world of remote work and reliance on the cloud, while good for employee morale, productivity and cost reduction, may be contributing to this upward trend. Without some way to protect valid user identities, businesses across the board are in for more of the same. In most cases, the solution is implementing some type of IAM solution.
What Is Identity and Access Management?
Identity and access management is the process of protecting business resources against cybersecurity threats by controlling user identities and access to resources, typically through the use of tools and services. This security component, which is considered foundational today, uses role-based access control to define and enforce how users are identified in a system; assign levels of access to users or groups of users; define the right level of protection and access for sensitive data, locations and systems; provision and deprovision users; and manage the user account lifecycle.
Features also typically include:
- Single sign-on (SSO): allows users to authenticate their identity with one set of credentials on multiple systems within an organization.
- Multifactor authentication (MFA): an authentication method requiring users to provide two or more verification factors to gain access to a resource.
- Identity analytics: identifies and blocks suspicious identity activities, often using machine learning.
- Directory services: centralizes and consolidates credential management and synchronization.
- Risk-based authentication: uses algorithms to determine risks of user actions, and blocks and reports actions with high risk scores.
- Identity governance and administration (IGA): helps automate workflows and manage permissions in an IAM solution and connects IAM functions to meet audit and compliance requirements.
- Support for federation between on-premises and cloud resources: helps users easily and securely move between environments.
It’s important to note that while IAM is similar to privileged access management (PAM), the two aren’t exactly the same. While IAM focuses on managing user access, PAM controls how organizations define, monitor and manage privileged access across their systems, applications and infrastructure. In many cases, organizations choose to implement both IAM and PAM solutions, because while they have different focuses, both are important to a solid identity governance strategy. Typically, these solutions are separate, but there are some vendors offering combination solutions, often achieved through partnerships with one another.
Benefits of Identity and Access Management
- Helps boost adherance to and validation of regulatory compliance requirements.
- Reduces the identity-related burdens of cybersecurity teams by providing centralized management and enabling policy-based approach to identity management.
- Improves user experience by enabling single sign-on, which reduces the number of passwords that must be managed.
The functionality provided by IAM tools delivers a number of business benefits. First, the tools simplify compliance efforts by offering governance over user identities, as well as the data they have access to. Auditing of a business’ compliance posture becomes easier with an IAM system in place. Cybersecurity professionals, meanwhile, gain the ability to apply identity policies to ensure that users as well as outside parties with access to company resources have access only to what they should have access to. Many IAM tools use artificial intelligence and auomation to ease administrative tasks. Users, for their part, also benefit from IAM tools because they deliver single sign-on, which reduces the number of passwords that must be created and maintained.
How Does Identity and Access Management Work?
At a basic level, IAM solutions are designed to identify, authenticate and authorize users and then determine whether those users are permitted to access the resources they need. Here’s how it works:
- Identify: To identify users, most IAM solutions rely on a database or directory of identity details and information. This central repository is often the definitive verification point for all credentials.
- Authenticate: Authentication confirms that users are who they say they are. End users typically are validated with services such as SSO, pre-shared key (PSK) or MFA.
- Authorize: This process gives users permission to access a specific resource or function. It typically uses role-based access control to grant specific access rights to specific users.
Together, these functions provide the bare bones of a single solution for managing user access and permissions. Most IAM solutions combine these capabilities with complementary functions for creating, monitoring and deleting access privileges and a system for auditing login and access history.
Different Types of Identity and Access Management Solutions
While all IAM solutions strive to allow the right individuals to access the right resources at the right times for the right reasons, there are four basic ways to deploy them: on premises, in the cloud, as an on-premises/cloud hybrid or as a managed service. Depending on an organization’s size, compliance requirements, time and cost issues, and IT expertise, one may make more sense than others. Often, IAM vendors offer more than one of these options.
- On premises: An IAM solution deployed and managed in a customer’s physical environment is often considered the most secure option, since it can’t be accessed from anywhere other than the internal network, giving businesses full control over the data, hardware and software. These solutions also can operate without external network access, so if internet connections fail, the system can keep running. At the same time, on-premises solutions require companies to use their own servers and maintain the solution themselves.
- In the cloud: IAM in the cloud is exponentially scalable and makes it easier to centralize identity over multiple services. IAM services in the cloud also can be accessed from anywhere.
- Hybrid: IAM solutions that operate both in the cloud and on premises provide greater flexibility. The hybrid approach is ideal for organizations that want to use cloud resources for some of their infrastructure and applications and on-premises solutions for more secure workloads and data.
- As a managed service: IAM solutions provided and managed by a managed services provider is a new option, but one that many organizations are considering. Companies pay a monthly operating expense that includes the hardware, software, maintenance and support.
Examples of Identity and Access Management in Action
Fostering Customer Confidence
A boutique asset management firm that builds personalized investment portfolios for its customers needed a way to maintain full identity security after moving its wealth management platform to the cloud. Accessible from a wide range of user devices, the wealth management platform serves as a portal to a full suite of applications and tools including its proprietary portfolio analysis software. To ensure full identity security and maintain customer confidence, the company chose to deploy a more holistic, uniform authentication framework that included single-sign-on capabilities to protect access to on-premises, multicloud and mobile applications both inside and outside its network. Ultimately, the company chose IBM Security Verify Access virtual appliances hosted on an Amazon virtual private cloud environment, managed by a security services provider.
Consolidating and Upgrading Identity Management Companywide
A multinational conglomerate that had accumulated a handful of identity management solutions over the years needed a way to consolidate and modernize its IAM security. Over the past four years, the company has consolidated the identity program for each business unit under one identity governance team using SailPoint’s IAM platform. The SailPoint platform also has enabled the company to securely manage access for nearly 2 million employees and significantly improved the user experience. Help desk tickets for password resets also have declined from 10,000 to several hundred requests annually, saving the company $2 million per year.
Securing Citizen Access to Government Resources
Citizens in a North American coastal city were frustrated with the need to create a separate login and password for each government service they needed. With a clear need to streamline the process with single sign-on (SSO) for all government services, city officials looked for a solution. It was a challenging issue, since each government system had its own repository of customers, data and transactions, with different login mechanisms. Officials settled on a personalization portal fueled by the ForgeRock Identity Platform with single sign-on and services for IAM, all using least-privilege access. As a result, the systems are now fully connected, with fully protected customer identity and data.
Managing Identities in a Hybrid IT Environment
Over time, a large global manufacturer had transitioned much of its data to the cloud while keeping other systems and data on premises. When the company decided to extend Microsoft Office 365 and other critical applications to employees across the company a few years ago, the situation got much more complicated. Because some on-premises systems were firmly embedded and unable to be moved to the cloud, the company needed to find a way to streamline identity and security across all of its assets. Using the Okta Identity Cloud and Access Gateway, the company integrated and secured user access to more than 300 applications. Today, thousands of users can now access relevant apps using single sign-on.
Streamlining and Securing Customer and Employee Access
A telecom company serving remote communities wanted to streamline the way its employees accessed internal resources and its customers accessed its customer portal along with wireless, internet, cable TV and streaming services while maintaining security. The first step was implementing and integrating PingFederate and PingAccess with Active Directory, both from Ping Identity, to give its employees secure access to resources. The next step was using the same technology to provide single sign-on and access management for its customers, integrating it with the company’s identity data store. A separate data store holds each system’s specific identity attributes, which are linked to the independent identity via the universally unique identifier (UUID). Today, customers can create one profile, username and password to access all services securely.
IAM capabilities are table-stakes today for all organizations. In addition of protecting users and companies from identity theft, privacy abuses and account takeover, IAM solutions also improve user experience. There are other ways to secure identities, however. If inclined, an organization can attempt to build their own, using a framework like the Identity Defined Security Framework, from the Identity Defined Security Alliance.