Identity and access management (IAM) stands for the central management of users and access rights across systems, applications and the cloud. In this article, we discuss the functionalities of IAM and examine why they are important factors in compliance, cybersecurity and resource efficiency.
Identity and access management is a means of managing user accounts and privileges for systems and programs in a compliant manner. IAM allows you to open the corporate network up to external partners, clients and suppliers without risking security breaches.
Identity access management is based around user identities. Central IAM functions include user authentication and authorization.
The system ascertains the user’s identity, usually through a combination of user name and password or by retrieving biometric data (authentication). The established identity is associated with certain access rights (authorization).
Modern IAM systems also support federated identities, meaning that identity information can be exchanged and managed across technical boundaries (e.g., between computers and the cloud).
How Does Identity Access Management Work?
The term “identity and access management” does not stand for a clearly defined system. IAM solutions cover a range of functionalities, though the exact scope of functionalities will vary from one product to the next.
IAM solutions allow companies to manage users and permissions for different systems and applications within one central platform. One key component of IAM is automation, which is achieved by standardizing processes and workflows.
Automatic User Management
Not only does manual access management, as is the common approach in many companies, tie up far too many resources, it also causes immense cybersecurity risks. To reduce the workload of IT admins and to mitigate the risk of internal data theft or abuse, IAM focuses on automating recurring processes.
At least 90% of recurring processes in most midsize and large companies are standardizable.
The software monitors and updates user rights for the entire duration of a person’s user lifecycle (from joining to leaving date) and keeps detailed logs of every change made to that user and his or her permissions.
Roles and Access Profiles
Roles are a fundamental part of most access management tools. Role-based access control, or RBAC, is when the software automatically assigns default rights to users based on certain attributes (such as department or location) and automatically removes these rights again when the attributes change (e.g. when someone switches to another department).
Manage Connected Systems in One Central Platform
Identity and access management systems can be regarded as “brokers” between Microsoft’s on-prem services, Microsoft’s cloud services and external systems. The IAM tool triggers the necessary actions in each system automatically and in real time.
Why Do We Need Identity & Access Management?
WHO has permission to do WHAT in your network? If you’re still thinking about the answer, chances are the level of data security in your company is not where it should be. The biggest threat to sensitive data is not the infamous hoodie-wearing hacker, living out his grudge against humanity from the safety of his parents’ basement. No, the greatest threat to sensitive information comes from within: It is your employee, your coworker, your friend. It’s Miss Nelson from HR.
We’re not accusing Miss Nelson of stealing data on purpose (although, who knows…). Fact is, even the most loyal of employees can quickly turn into an inside threat, simply by having too many access rights.
IAM Improves Cybersecurity
Ransomware is a huge cybersecurity threat. An example: During the cybersecurity seminar, Brandon from HR spent most of his time admiring Anna from Marketing, rather than paying attention to the lecture. Not long after, he received a phishing email containing a malicious link and clicked on it, not thinking twice. Oops! Brandon, you really should have paid more attention.
Before he has time to realize his mistake, Brandon has already unleashed the trojan upon the system, where it proceeds to encrypt all files Brandon has access to. The incurred damages are grand – not to mention the damage done to the company’s image (and Brandon’s image). Now, although an IAM tool cannot stop Brandon from clicking the link, it can indeed help to considerably limit the extent of the damages incurred.
How so? Well, if you can ensure that employees only ever have access to files they really need to do their jobs (principle of least privilege), the trojan can only encrypt those files, and no more.
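To make the least-privilege argument concrete, here is an added example (not code from the original article or from any IAM product) that quantifies the “blast radius” of a compromised account: every folder a trojan running under that user could encrypt. The file shares, group names and memberships are constructed for the example.

```python
# Added example (not from the original article): quantify the "blast radius"
# of a compromised account, i.e. every folder a trojan running as that user
# could encrypt. All shares, groups and memberships below are constructed.
from typing import Dict, Set

# Constructed file-share ACLs: folder -> groups holding Modify rights.
# Ransomware can only encrypt what the current user may write to.
FOLDER_WRITE_ACL: Dict[str, Set[str]] = {
    r"\\fs01\hr\payroll": {"HR-Payroll"},
    r"\\fs01\hr\recruiting": {"HR-All"},
    r"\\fs01\marketing\campaigns": {"Marketing-All"},
    r"\\fs01\finance\reports": {"Finance-All"},
    r"\\fs01\public\templates": {"Domain Users"},
}


def writable_folders(user_groups: Set[str]) -> Set[str]:
    """Folders the user can modify: the set ransomware could encrypt."""
    return {folder for folder, groups in FOLDER_WRITE_ACL.items()
            if user_groups & groups}


def blast_radius(user_groups: Set[str]) -> float:
    """Share of all folders exposed if this account is compromised."""
    return len(writable_folders(user_groups)) / len(FOLDER_WRITE_ACL)


def excess_exposure(actual_groups: Set[str], required_groups: Set[str]) -> Set[str]:
    """Folders hit only because of rights the person's role does not need."""
    return writable_folders(actual_groups) - writable_folders(required_groups)


# Constructed: an HR clerk who accumulated groups over years of department
# changes and ad-hoc grants, versus the same role under least privilege.
ACCUMULATED = {"Domain Users", "HR-All", "HR-Payroll", "Marketing-All", "Finance-All"}
LEAST_PRIVILEGE = {"Domain Users", "HR-All"}

if __name__ == "__main__":
    for label, groups in (("accumulated", ACCUMULATED), ("least privilege", LEAST_PRIVILEGE)):
        print(f"{label}: {blast_radius(groups):.0%} of folders at risk")
    for folder in sorted(excess_exposure(ACCUMULATED, LEAST_PRIVILEGE)):
        print("exposed only through excess rights:", folder)
```

Run as a script, it reports 100% of folders at risk for the accumulated membership set and 40% for the least-privilege set; the difference is exactly what an IAM tool's automatic removal of stale rights protects.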
IAM & Compliance
Improving cybersecurity and optimizing the use of resources are very good reasons for investing into an identity access management system. The third and perhaps most important reason is compliance.
IAM tools are a great and reliable way of fulfilling both internal and external compliance regulations. Such regulations include, but are not limited to, the GDPR and PCI-DSS, as well as TISAX in Germany or HIPAA and the SOX Act in the USA.
Identity Access Management for Microsoft
Since nearly all IT departments around the globe use Microsoft® Windows, it goes without saying (but we’ll say it anyway) that IAM tools must be compatible with Microsoft. A connection with Active Directory poses one of the most central factors in the ability to automate and standardize processes and workflows.
In the not-too-distant past, the only thing that required protection was information contained within the company network, since all services were then kept on-prem. Today, however, there is hardly a company that does not deploy cloud services of some sort. To cater to these new and considerably more complex IT structures, IAM solutions:
support hybrid environments that use both on-premise systems and SaaS programs.
guarantee excellent access management, both internally (employees/remote work) and externally (partners).
allow centralized access management for IT architectures where different operating systems and/or different endpoints are used (e.g., UNIX, Windows, iOS, Android, and Mac devices).
Identity Access Management and Azure AD
Of equal importance as the interface to your on-premises AD is the integration with Azure AD, Microsoft’s cloud-based directory service. Azure AD is used to manage the privileges and identities of your Microsoft services, as well as external SaaS (software as a service) applications.
Microsoft’s provided standard tools do NOT enable you to control access to sensitive information in the cloud in great detail.
An interface between Azure AD or other cloud services (such as Exchange Online or Sharepoint Online) and the employed IAM system allows you to control Microsoft 365 group memberships and to assign resources in the cloud automatically.
Identity and Access Management Software
So far, we have learnt that IAM is a generic term that comprises applications and processes relevant to the management of identities, privileges and access to different systems, applications and resources, both on-premises and in the cloud.
Which solution best suits your organization depends entirely on how the organization is structured. Different solutions will comprise different software components or products that can model different functions.
Our blogpost IAM Software Solutions Compared will give you an overview of prevalent IAM product categories and examines why complex IAM solutions are not always the best choice.
The main objective of identity and access management solutions is to provide a central platform for managing user accounts and privileges. However, before it can assign a privilege to a user, the IAM system must first authenticate the user.
Authentication means the user must prove his or her identity to the system without doubt. This can be done using:
a combination of user name and password (e.g. when logging in),
verification of biometric data (e.g. fingerprint), a keycard or token, or
Once successfully authenticated, the system gives the user his or her rights. The user is now authorized to access certain resources in the network and in the cloud (systems, programs, files, shared items, etc.).
Many IAM systems use so-called access profiles/roles to assign privileges. Role-based access control means resources and privileges in/for different target systems are grouped together and linked to the associated organizational unit. Privileges are thus provided on the basis of an organization’s structure.
IAM systems often have virtual user interfaces, or self-service portals, where users can request services and IT resources themselves. These might include requests for additional privileges which are not included in the role-based standard set, changes to user data or requests for password-reset.
As soon as a user has submitted a request, the program automatically starts the approval workflow. As part of this workflow, the system first prompts the associated data owner to either approve or reject the user’s request. If approved, the system then proceeds to execute the provisioning workflow, in which the user is granted access to the requested resource.
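The self-service request, data-owner decision and provisioning steps described above, as an added example that is not part of the original article and not any vendor's code. The resources, owners and user names are constructed; the rule that only the registered data owner may decide, and never on their own request, is a design choice of this example.

```python
# Added example (not the article's or any vendor's code): a minimal
# request -> data-owner decision -> provisioning workflow. Resources,
# owners and user names are constructed for the example.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class State(Enum):
    SUBMITTED = "submitted"
    APPROVED = "approved"
    REJECTED = "rejected"
    PROVISIONED = "provisioned"


@dataclass
class AccessRequest:
    request_id: int
    requester: str
    resource: str
    justification: str
    state: State = State.SUBMITTED
    history: List[str] = field(default_factory=list)   # audit trail


# Constructed: each resource has exactly one accountable data owner.
DATA_OWNERS: Dict[str, str] = {
    "share:finance-reports": "jane.cfo",
    "app:crm": "sam.saleslead",
}


class ProvisioningEngine:
    """Tracks requests and the memberships that approved requests produce."""

    def __init__(self) -> None:
        self.requests: Dict[int, AccessRequest] = {}
        self.memberships: Dict[str, Set[str]] = {}
        self._next_id = 1

    def submit(self, requester: str, resource: str, justification: str) -> AccessRequest:
        if resource not in DATA_OWNERS:
            raise KeyError(f"no data owner registered for {resource}")
        req = AccessRequest(self._next_id, requester, resource, justification)
        req.history.append(f"submitted by {requester}")
        self.requests[req.request_id] = req
        self._next_id += 1
        return req

    def pending_for(self, owner: str) -> List[AccessRequest]:
        """What the owner is prompted with: open requests on their resources."""
        return [r for r in self.requests.values()
                if r.state is State.SUBMITTED and DATA_OWNERS[r.resource] == owner]

    def decide(self, request_id: int, approver: str, approve: bool) -> AccessRequest:
        req = self.requests[request_id]
        if req.state is not State.SUBMITTED:
            raise ValueError(f"request {request_id} already {req.state.value}")
        # Only the registered data owner may decide, and never on own request.
        if approver != DATA_OWNERS[req.resource]:
            raise PermissionError(f"{approver} is not the data owner of {req.resource}")
        if approver == req.requester:
            raise PermissionError("self-approval is not allowed")
        if not approve:
            req.state = State.REJECTED
            req.history.append(f"rejected by {approver}")
            return req
        req.state = State.APPROVED
        req.history.append(f"approved by {approver}")
        self._provision(req)
        return req

    def _provision(self, req: AccessRequest) -> None:
        """Provisioning step: grant the membership and close the request."""
        self.memberships.setdefault(req.requester, set()).add(req.resource)
        req.state = State.PROVISIONED
        req.history.append(f"provisioned {req.resource} for {req.requester}")

    def has_access(self, user: str, resource: str) -> bool:
        return resource in self.memberships.get(user, set())
```

The `history` list is the part a real deployment cares about most: it is the evidence an auditor asks for when a privilege is questioned later.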
Outdated and/or incorrect privileges make organizations more vulnerable to data theft and abuse. To counter this problem and ensure privileges are always up-to-date, IAM tools do not rely on user lifecycle management (ULM) alone, but employ another process on top of that called recertification, also known as user access reviews.
Recertification is an automated process in which the IAM system regularly prompts data owners to review the permissions they are responsible for. The data owners must then either reconfirm these permissions or remove them.
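An added example of such a recertification cycle (not code from the original article or from any product): entitlements older than the review interval are grouped into one prompt per data owner, reconfirmed entitlements get a fresh timestamp, removed ones are revoked, and anything still unanswered after the decision deadline is revoked as well. The users, resources, dates and the two policy values are constructed, and the fail-closed handling of missing answers is an assumption of this example.

```python
# Added example (not the article's code): a recertification cycle in which
# data owners are prompted for the entitlements they own, and anything left
# unconfirmed past the deadline is revoked. Dates, users, resources and the
# policy values are constructed; revoking unanswered items (fail closed) is
# an assumption of this example, not a statement about any product.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass
class Entitlement:
    user: str
    resource: str
    owner: str            # data owner accountable for this resource
    last_certified: date  # last time the owner confirmed this grant


REVIEW_INTERVAL = timedelta(days=90)    # constructed policy value
DECISION_DEADLINE = timedelta(days=14)  # constructed policy value
TODAY = date(2024, 6, 1)                # constructed "now"


def sample_entitlements() -> List[Entitlement]:
    """Constructed sample data; a fresh list on every call."""
    return [
        Entitlement("alice", "share:finance-reports", "jane.cfo", date(2024, 1, 15)),
        Entitlement("bob", "share:finance-reports", "jane.cfo", date(2024, 5, 20)),
        Entitlement("carol", "app:crm", "sam.saleslead", date(2023, 12, 1)),
        Entitlement("dave", "app:crm", "sam.saleslead", date(2024, 2, 1)),
    ]


def due_for_review(entitlements: List[Entitlement], today: date) -> List[Entitlement]:
    """Entitlements whose last confirmation is older than the review interval."""
    return [e for e in entitlements if today - e.last_certified >= REVIEW_INTERVAL]


def build_campaign(entitlements: List[Entitlement], today: date) -> Dict[str, List[Entitlement]]:
    """Group due entitlements by owner: one review prompt per data owner."""
    campaign: Dict[str, List[Entitlement]] = {}
    for e in due_for_review(entitlements, today):
        campaign.setdefault(e.owner, []).append(e)
    return campaign


def apply_decisions(
    entitlements: List[Entitlement],
    decisions: Dict[Tuple[str, str], bool],   # (user, resource) -> True=keep, False=remove
    campaign_start: date,
    today: date,
) -> Tuple[List[Entitlement], List[Entitlement]]:
    """Return (kept, revoked) after applying the owners' answers."""
    due = {(e.user, e.resource) for e in due_for_review(entitlements, campaign_start)}
    deadline_passed = today - campaign_start >= DECISION_DEADLINE
    kept: List[Entitlement] = []
    revoked: List[Entitlement] = []
    for e in entitlements:
        key = (e.user, e.resource)
        if key not in due:
            kept.append(e)            # not part of this campaign
            continue
        decision = decisions.get(key)
        if decision is True:
            e.last_certified = today  # reconfirmed: restart the clock
            kept.append(e)
        elif decision is False or deadline_passed:
            revoked.append(e)         # explicit removal, or unanswered past deadline
        else:
            kept.append(e)            # still awaiting the owner's answer
    return kept, revoked
```

Grouping by owner matters in practice: a review campaign that sends each owner one consolidated list gets answered, one that sends hundreds of individual prompts gets ignored, and ignored prompts are exactly what the deadline rule is for.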
Learn more about why recertification is so important for data and cybersecurity in our blogpost.
User Lifecycle Management
User lifecycle management, or ULM, stands for the management of user lifecycles, from start to finish (joining to leaving date). ULM ensures that users have precisely those user accounts and privileges they need to do their jobs during all stages of their career and throughout their time at the company.
ULM also ensures users never have more privileges than needed to perform their job duties. This is known as the need-to-know principle or principle of least privilege (PoLP).
Automatic Import of User Data
Many IAM tools now allow you to import user data automatically from HR databases (SAP HCM, etc.). The advantage here is that you no longer have to enter user data manually. Instead, joiner-mover-leaver processes or other types of changes to data are transmitted automatically from the HR system to your IAM tool via an interface. To learn more, read our blogpost on importing HR data.
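The following added example (not code from the original article or from any HR or IAM product) ties together the HR import described here, the joiner-mover-leaver processes of user lifecycle management, and the attribute-based role assignment from the Roles and Access Profiles section: two HR exports are compared to derive JML events, each active employee's attributes are mapped to the groups their role entails, and the difference to current memberships becomes the provisioning plan. The CSV data, role rules, group names and current memberships are all constructed.

```python
# Added example (not the article's code): import two HR exports, derive
# joiner/mover/leaver events from the difference, and translate each
# employee's attributes into the group memberships their role entails.
# The CSV data, role rules, group names and memberships are all constructed.
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed HR exports: yesterday's and today's snapshot.
HR_YESTERDAY = """employee_id,name,department,location,status
1001,Alex Berg,Marketing,Vienna,active
1002,Bea Lind,HR,Vienna,active
1003,Cem Oz,Finance,Berlin,active
"""
HR_TODAY = """employee_id,name,department,location,status
1001,Alex Berg,Marketing,Vienna,active
1002,Bea Lind,Finance,Vienna,active
1003,Cem Oz,Finance,Berlin,terminated
1004,Dana Ito,HR,Berlin,active
"""

# Constructed role rules: an attribute value grants a default set of groups.
ROLE_RULES: Dict[Tuple[str, str], Set[str]] = {
    ("department", "HR"): {"HR-All"},
    ("department", "Finance"): {"Finance-All"},
    ("department", "Marketing"): {"Marketing-All"},
    ("location", "Vienna"): {"VPN-Vienna"},
    ("location", "Berlin"): {"VPN-Berlin"},
}
BASELINE_GROUPS = {"Domain Users"}
ROLE_ATTRIBUTES = ("department", "location")

# Constructed: what the directory currently holds for each employee.
CURRENT_MEMBERSHIPS: Dict[str, Set[str]] = {
    "1001": {"Domain Users", "Marketing-All", "VPN-Vienna"},
    "1002": {"Domain Users", "HR-All", "VPN-Vienna"},
    "1003": {"Domain Users", "Finance-All", "VPN-Berlin"},
}


def parse_hr_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the HR CSV into a dict keyed by employee_id."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(text))}


def target_groups(record: Dict[str, str]) -> Set[str]:
    """Groups the role model says this person should hold right now."""
    if record["status"] != "active":
        return set()                      # leavers keep nothing
    groups = set(BASELINE_GROUPS)
    for attr in ROLE_ATTRIBUTES:
        groups |= ROLE_RULES.get((attr, record[attr]), set())
    return groups


def jml_events(old: Dict[str, Dict[str, str]], new: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Classify every changed employee as joiner, mover or leaver."""
    events: List[Tuple[str, str]] = []
    for emp_id, rec in new.items():
        prev = old.get(emp_id)
        if prev is None:
            events.append(("joiner", emp_id))
        elif rec["status"] != "active" and prev["status"] == "active":
            events.append(("leaver", emp_id))
        elif any(rec[a] != prev[a] for a in ROLE_ATTRIBUTES):
            events.append(("mover", emp_id))
    for emp_id in old:
        if emp_id not in new:             # dropped from the export entirely
            events.append(("leaver", emp_id))
    return events


def reconcile(current: Dict[str, Set[str]], new: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per employee: (groups to add, groups to remove) to match the role model.
    Only employees with a delta appear in the result."""
    plan: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for emp_id, rec in new.items():
        have = current.get(emp_id, set())
        want = target_groups(rec)
        add, remove = want - have, have - want
        if add or remove:
            plan[emp_id] = (add, remove)
    for emp_id, have in current.items():
        if emp_id not in new and have:    # no HR record at all: strip everything
            plan[emp_id] = (set(), set(have))
    return plan
```

The mover case is the one that manual administration gets wrong most often: the new department's groups are added, but the old department's groups are never removed, which is how the accumulated rights from the ransomware example come about.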
Identity and Access Management Providers
IAM tools are no different to other products. Providers should have sufficient experience with their product and be well-networked, as complex IT projects require support.
Not only should providers be able to produce a list of reference customers, but they should also have access to a stable network of sales and technology partners. Why? The more experience with projects across various businesses they have, the more likely it is the provider will be able to successfully implement your project.
Implementation of IAM Software
Implementing your selected identity and access management tool is a big deal and needs to be well planned. Do not try to accomplish too much at once. Instead, keep in mind the wise words of Momo’s friend, Beppo Roadsweeper:
You must never think of the whole street at once, understand? You must only concentrate on the next step, the next breath, the next stroke of the broom, and the next, and the next. Nothing else. That way you enjoy your work, which is important, because then you make a good job of it. And that’s how it ought to be. And all at once, before you know it, you find you’ve swept the whole street clean, bit by bit. (Source)
Successful IT projects are implemented one step at a time. And each step that has been implemented should be put into operation immediately. This approach allows you to add functions to the IAM system gradually. Gradually, but steadily.
If you try to implement all workflows and systems in one step, you will probably not be able to keep to your time and budget plans. Worst case is, you’ll end up with a system that is 90% implemented, but you cannot use any of its functions productively.
tenfold for Mid-Market Organizations
We believe that access management should be easy, not complicated. That is why we have made it our objective to translate complex matter into comprehensible, user-friendly matter. We want to make sure tenfold can be used by everyone, from IT admins to HR to end users.