Identity & Access Management (IAM)

The Fundamentals of an IAM Solution


Identity and Access Management has been around since the dawn of computers. In the early days it was about creating credentials physically on computers. Unfortunately, we are no longer in the good old days when beef burgers tasted like beef and pop music was better.

Times have changed, but what are the fundamentals of a good IAM solution now, and what functionality is required?

The Five Pillars

Marketing departments are always trying to come up with some fancy mnemonic or catchphrase to make things easy to remember. Thankfully, with this the phrase is simple: it’s the 5As, Authentication, Authorisation, Auditing, Automation and Architecture. There are a lot of articles talking about the 3As (generally the first three in the list), but Automation and Architecture are often overlooked.

Authentication

If you look up Authentication in the dictionary (or online) you get a definition similar to “the process of proving that something is real, true, or what people say it is”. Proving that something or someone is real and true is the key point. In the old days, when chocolate bars were as big as your hands, that was simply a matter of entering the correct username and password.

Now, unless you have been living on an island cut off from the rest of the world, we know that passwords alone are not safe enough. Therefore, Multi Factor Authentication (MFA) plays a vital role in giving greater assurance that the user is genuine.

Despite many reports and articles from many marketing departments, passwords have not gone away; they still form a key part of Identity Management. As a result, password management is essential. Thankfully this functionality was built into most applications and directories decades ago. However, the policies around it do still need to be considered.

These password policies often state that passwords need to be modified frequently by users, and Help Desks become overrun with forgotten-password tickets. This has led to Self Service Password Reset (SSPR) capability being vitally important, especially in larger organisations.

To mitigate the number of passwords, Single Sign On (and not forgetting its smaller cousin, Single Sign Off) became a thing. This gives the user the ability to authenticate once and then, for a period of time, not have to re-authenticate to use an application.

To sum up, authentication consists of the following functionality:

  • Multi Factor Authentication
  • Password Management
  • Self Service Password Reset
  • Single Sign On

Authorisation

Authorisation or Access Control is the ability to allow users (or devices) to have access only to the data, services or rights they are entitled to.

As the number of users, applications and systems has grown, the scale of the problem has grown by orders of magnitude over the years.

Role Based Access Control (RBAC) became a fundamental part of deciding who should have access to what. Whilst still true to a point, this was soon superseded by Attribute Based Access Control (ABAC). This grants access not just on role but on other information about a user, such as location, type of laptop, hours of work, etc.

Access was, and still is, a part of automation (more on this later), but modern Access Management (AM) tools have embraced the concepts of ABAC and used them to provide dynamic access controls, granting or denying access based on live information about a user. This jump, tied with better authentication, has drastically reduced the security risk.

What is often forgotten with Access Management, though it can be a specialism in itself, is managing access for privileged users, or Privilege Access Management (PAM). What a privileged user is can be a theoretical conversation based on one’s strictness about security, but in most cases it’s defined as administrator users who can configure, modify and perform tasks on systems that general users cannot.

The aim of a PAM tool is to limit the tasks that administrators can perform. Whilst it may seem restrictive, often an administrator can do too many administrator things inside and outside key systems. These wide-ranging permissions make them a target for those dastardly criminals.
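As an added illustration of the RBAC-versus-ABAC point above and of limiting what administrators may do, here is a small policy decision function in Python. It is example code written for this article, not a product's engine: the roles, resources, allowed countries and working-hours window are all constructed assumptions. The static role table answers "may this role ever do this?"; the attribute checks then use live session data (location, managed device, MFA, hour of day) and apply stricter conditions to privileged actions such as write or configure.

```python
from dataclasses import dataclass

@dataclass
class Subject:
    """What we know about the user from the live session (constructed sample)."""
    user: str
    roles: set
    location: str          # country code of the session
    device_managed: bool   # corporate laptop vs. unmanaged device
    mfa: bool              # did this session complete MFA?

@dataclass
class Request:
    subject: Subject
    resource: str
    action: str
    hour: int              # local hour of the request, 0-23

# RBAC: a hypothetical mapping of role -> {(resource, action), ...}
ROLE_PERMISSIONS = {
    "finance-user":  {("ledger", "read")},
    "finance-admin": {("ledger", "read"), ("ledger", "write")},
    "sysadmin":      {("ledger-db", "configure")},
}

# Actions treated as privileged: the PAM-style conditions below apply to these only.
PRIVILEGED_ACTIONS = {"write", "configure"}
ALLOWED_COUNTRIES = {"GB", "IE"}      # assumption for the example
WORKING_HOURS = range(8, 18)          # assumption for the example

def rbac_allows(req):
    """Static role check: does any of the subject's roles grant (resource, action)?"""
    needed = (req.resource, req.action)
    return any(needed in ROLE_PERMISSIONS.get(role, set()) for role in req.subject.roles)

def abac_conditions(req):
    """Attribute checks on live session data; returns the list of failed conditions."""
    s = req.subject
    failures = []
    if s.location not in ALLOWED_COUNTRIES:
        failures.append("location not in allowed countries")
    if req.action in PRIVILEGED_ACTIONS:
        if not s.mfa:
            failures.append("privileged action requires MFA")
        if not s.device_managed:
            failures.append("privileged action requires a managed device")
        if req.hour not in WORKING_HOURS:
            failures.append("privileged action outside working hours")
    return failures

def decide(req):
    """Combine RBAC and ABAC. Returns (allowed, reasons) so the decision can be audited."""
    if not rbac_allows(req):
        return False, ["no role grants this action"]
    failures = abac_conditions(req)
    return len(failures) == 0, (failures or ["all attribute conditions met"])

if __name__ == "__main__":
    alice = Subject("alice", {"finance-admin"}, "GB", True, True)
    print(decide(Request(alice, "ledger", "write", 10)))   # allowed in hours
    print(decide(Request(alice, "ledger", "write", 22)))   # same role, denied out of hours
```

The point to take from the second call is that the role alone no longer decides: the same finance-admin is allowed at 10:00 and denied at 22:00 because the decision is made on live attributes, and every denial carries a reason that can be reported on later.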

  • RBAC
  • ABAC
  • Access Management
  • Dynamic Access Policies
  • Privilege Access Management

Auditing

Mention the word audit and most of us will shrink back into our shells and remember the days when teachers used to audit (or mark) our homework. (It’s either that or we remember our dodgy haircuts at the time.)

Unfortunately, there is still an element of that with auditing in IAM: checking to make sure users and things are behaving correctly. Nearly all regulations and compliance needs will state that there must be some form of auditing, especially around reporting on who has had access to what and when.

Administrators should have greater controls placed upon them. By monitoring individual administrator sessions it’s possible to analyse exactly what changes were made or what was accessed. This may seem harsh, but it can be used as a force of good by protecting administrators from harsh accusations and also to provide good training materials for future activities.

Auditing, though, has a softer, gentler side than the overbearing schoolteacher image. By monitoring user activities it’s possible to improve the user experience. Knowing that a user behaves predictably helps provide a greater degree of trust during the authentication phase.

  • Compliance
  • Reporting
  • Privilege Session Monitoring
  • Identity Governance
  • Behavioural Analytics

Automation

The first of the extra A’s on top of the traditional 3 A’s. Yet automation is always one of the key drivers of an IAM project and one that potentially offers a great return on investment.

The automation of provisioning and deprovisioning accounts, especially during the Joiners, Movers, Leavers (JML) process, ensures that bulky, time-consuming operations can be handled quickly and effectively. This is essential to enable new employees to become productive quicker. Often ignored is the improved security during the leavers process, ensuring that accounts cannot be accessed once someone leaves.

It’s not just JML: Access Requests (i.e. when someone wants access to a new application) can also be streamlined by automation, reducing the burden on IT support desks.

This functionality has traditionally been the realm of pure Identity Management tools, yet now more non-IAM tools provide it and, with careful and thoughtful design, can meet the desired needs.

  • JML
  • Access Requests

Architecture

Technically, is architecture part of IAM functionality? It can probably be argued that it isn’t. However, the whole purpose of IAM is to integrate with many other systems, whether services, devices, applications or APIs (Application Programming Interfaces).

Having a good architecture is fundamental to assure that IAM functions properly and securely. Integration between the IAM components themselves is essential.

IAM as an industry has matured so that most integration and compatibility is through standardised protocols such as SAML, OAuth, FIDO and SCIM. Even so, not every application, system or device is standard, and integrating them often involves some clever ways of working.

  • Integration with user input feeds
  • Integration with applications
  • Integration with endpoints
  • Integration between IAM products
  • Integrating non-standard products

Summary

The array of functionality required for an IAM solution can seem quite bewildering. At first glance the 5As (Authentication, Authorisation, Auditing, Automation and Architecture) can be deemed straightforward, even to the point of being obvious. As one delves a little deeper, a world of technical minefields opens up, enough to make even the most experienced pause, take a deep breath and prepare themselves for what may lie ahead.

Thankfully with the IAM market being mature and with a considerable amount of consolidation over the years, the challenge becomes not one of being able to meet the challenge but knowing the best way to go about it.

That consolidation in the market has meant that now it’s possible with just one or two tools to meet the required functionality.

The best option may not always be to rush out and buy the shiniest new toy, despite the great reviews, impressive marketing and charming sales people. This is even more important when budgets are tight. IAM functionality can often be met with a few simple, cheap (and even free) techniques. Aligned with good policies and policy enforcement, no banks have to be broken, and no CFOs or Accountants will have heart attacks, to make your IAM solution successful.

The best option is to understand what your options are, and then assess based on only what you need.
