Who are you, and why are you here?
What’s stopping me from walking into your living room right now, pouring myself a glass of whiskey, and putting on my favourite Netflix show? (The Office US btw)
You don’t know who I am, you haven’t granted me access to your home, and you haven’t given me permission to drink your whiskey or use your Netflix account. Why is it that we are so much better at applying identity and access management in our personal space than businesses in their digital space?
Identity: A human representation of all your accounts in an organisation.
Accounts: An object that grants permission to a system.
What is Identity and Access Management (IAM)?
Simply put, Identity and Access Management is a framework of policies and technologies that allows the right people, software, and applications to have the appropriate level of access to enterprise resources at the right time. This process should begin at a user’s onboarding, continue throughout their access lifecycle, and finish after their offboarding.
IAM aims to solve two major security issues:
• Identifying and authenticating users, and
• Authorizing those users for the correct level of access within an organization, at the right time.
Identity Management and Authentication
In the past, IT Administrators had to create accounts manually and assign access to systems based on a form or a ticket filled out by a manager. If that person left, the IT Admin would have to go into each system to disable or remove that account. That became very time-consuming, and if the organization was growing, management of applications, roles, and users would spiral out of control.
An IAM system enables an organization to automate these onboarding and offboarding tasks, reducing the workload of the IT Admin, which in turn frees these staff members to work on more complex IT projects that push the business forward.
In its most basic form, a digital identity can be authenticated with just a username and password. At its strongest, identity authentication combines multiple factors to create what we know as Multi-Factor Authentication (MFA) or Second Factor Authentication (2FA).
By including additional authentication methods such as mobile authenticator apps, physical tokens, biometrics, and more, you make it much harder for compromised accounts to be used by the wrong people.
Access and Authorization
Now that we have established who you are, it’s time to determine what you can do.
In an IAM system, access rules are created and defined by the business. Those rules, or roles, are then assigned to users either by birthright or through a request and approval process. This concept is called Role-Based Access Control (RBAC) and is a key pillar in any IAM framework.
These roles then grant the user access to the respective system with the relevant permissions to do their day-to-day work.
You could be the new sales guy, you might be moving into a new role within the company, or maybe you’re a third-party accountant. Whoever you are, IAM systems have the power to enforce and maintain what information and systems you have access to.
Details on a RBAC structure will be covered in a future blog.
Compliance and Governance
It’s that time of the year where you sit down with your manager and review your progress. Turns out all your hard work has been recognized and a promotion is in order (yay!). You get a new job title, manager, and responsibilities.
But what happens to your account? More specifically, will you still have administrator access, or access to that backend server that was crucial in your previous role but not so much now? Is it time for your account to get a promotion too?
Because IAM is the sum of all your accounts, it becomes a useful platform to perform User Access Reviews (UAR), sometimes known as Access Attestations. This is the process in which your accounts and their permissions are reviewed by you, your manager, and the application owner. This is most commonly done every 6 months, 1 year and/or every time your job position changes.
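The role assignment and access review described above can be sketched as follows. This is an added example, not code from the original post: the role names, permissions, job titles and dates are constructed, and the 182-day interval stands in for the 6-month cycle.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed role model: role -> permissions, written as "system:permission".
ROLE_PERMISSIONS = {
    "employee":      {"email:use", "hr-portal:view-own"},
    "sales-rep":     {"crm:edit-leads"},
    "sales-manager": {"crm:edit-leads", "crm:approve-discount"},
    "backend-admin": {"billing-db:admin"},
}
# Birthright roles are granted automatically with a job title.
BIRTHRIGHT = {
    "Sales Representative": {"employee", "sales-rep"},
    "Sales Manager":        {"employee", "sales-manager"},
}
REVIEW_INTERVAL = timedelta(days=182)  # assumed stand-in for "every 6 months"

@dataclass
class Identity:
    job_title: str
    approved_roles: set = field(default_factory=set)  # via request and approval
    accounts: dict = field(default_factory=dict)      # system -> permissions held
    last_review: date = date(2024, 1, 1)
    title_changed_on: Optional[date] = None

def entitled(identity):
    """Permissions the identity should hold under its current roles."""
    roles = BIRTHRIGHT.get(identity.job_title, set()) | identity.approved_roles
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))

def held(identity):
    """Permissions actually present across all of the identity's accounts."""
    return {f"{s}:{p}" for s, perms in identity.accounts.items() for p in perms}

def review_due(identity, today):
    """Due on the periodic cycle, or when the job title changed since last review."""
    moved = identity.title_changed_on or date.min
    return moved > identity.last_review or today - identity.last_review >= REVIEW_INTERVAL

def access_review(identity):
    """Return (excess, missing): permissions to revoke and to provision."""
    should, has = entitled(identity), held(identity)
    return sorted(has - should), sorted(should - has)

# Constructed sample: a promoted rep who kept backend access from an earlier role.
promoted = Identity("Sales Manager", title_changed_on=date(2024, 3, 1), accounts={
    "email": {"use"}, "hr-portal": {"view-own"},
    "crm": {"edit-leads"}, "billing-db": {"admin"}})
```

For the sample identity, the review flags the leftover `billing-db:admin` permission for removal and shows that `crm:approve-discount` has not yet been provisioned for the new role.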
What if you don’t use Identity and Access Management?
It’s your funeral. No, seriously.
Having a robust IAM system in place will enhance your security by reducing the damage from compromised credentials and insider threat.
IAM will see organizations reap the benefits of fewer IT support tickets and a more streamlined user experience.
Compliance and regulatory standards like Sarbanes-Oxley (SOX), General Data Protection Regulation (GDPR), and Payment Card Industry Data Security Standard (PCI) can be met with more ease when using IAM.
And if that’s not enough, you can share your organization’s digital space with vendors, suppliers, and other third parties whilst knowing exactly what they are doing.
So, what now?
Identity and Access Management solutions are one of the best assets you can have in your organization for their ease, efficiency, and most importantly, their security!
We have only scratched the surface of the true potential of IAM.
If you’re interested in knowing more about how we can help you solve your problems, reach out to us at firstname.lastname@example.org.