Everything You Need to Know About Identity & Access Management

Key Points

  • Identity & access management is an essential component of every business’s IT security strategy.
  • Identity & access management software grants IT users quick and easy access rights to different systems.
  • Improving IT security and boosting efficiency brings great advantages to the entire company.
  • Identity & access management software is indispensable in meeting increasing legal demands and industry standards related to IT security.

What Is Identity & Access Management?

The term “identity and access management” (IAM) does not denote a precisely defined set of activities. The functions an IAM software should provide are commonly derived from the feature sets of products currently on the market. Some of the fields covered by IAM include:

Identity federation
How identities can be used across technological boundaries, e.g. between different companies or between local IT systems and the cloud.

Single sign-on
This feature, also known as “SSO”, allows users to authenticate themselves just once and then use this authentication for a variety of systems, thereby eliminating the need for multiple logins.

Provisioning
Provisioning is the process of automatically creating and/or assigning resources, such as user accounts and access rights, based on workflows and policies.

Workflows
In IAM, workflows are used to control processes. There is usually a distinction between approval workflows (in which data owners grant access to certain data) and provisioning workflows (technical processes that are orchestrated to provide certain resources).

Role-based system
With a role-based access system, IAM enables users to obtain the access rights they need automatically and to lose them again once they are no longer needed. This is based (among other things) on the company’s structure, i.e. the departments, locations and job positions of users.

Self-service
As the name suggests, a self-service feature allows users to request services on their own. This may include anything from access rights requests, to changing user data, to resetting passwords.

Executive Summary:
IAM is not a clearly defined term. It comprises a multitude of possible functions for controlling user accounts and access rights.

What Is User Lifecycle Management?

User lifecycle management can be understood as one feature included in identity & access management. ULM overlaps with provisioning and workflow functions. The term is fairly self-explanatory: It is about managing the life cycles of users. A user’s lifecycle begins when the user joins the company and ends when the user leaves. Along with other IAM functions, ULM ensures that users are always equipped with the necessary user accounts and access rights throughout their time at the organization. User lifecycle management is an integral component of IAM (and not a specific module that can be switched on or off) and ensures that:

  • User identities are created
  • Access rights are assigned or revoked
  • User accounts are deactivated

ULM is often driven by third-party systems. The events in a user lifecycle (entry, data changes, transfer or leaving) are often transmitted automatically via an interface between a personnel management system (HR software) and the IAM system.

What Is Identity & Access Management Software?

Identity and access management systems belong to the category of IT security products. Identity & access management software usually models some or all of the aforementioned features and functionalities. Sometimes, these solutions consist of several products, each of which models specific functions. These products are integrated with one another to some extent.

Vendors often use separate products for:

  • Central management of user data (in the past, this would be in so-called “meta-directories” based on outdated directory services),
  • Workflows and provisioning (in the form of proprietary workflow designers and connectors)
  • Access management (functions for managing user privileges, in so-called “access governance” products)
  • Access management for so-called “unstructured data” on file servers or in collaboration solutions, like SharePoint.

Solutions that are able to model all of these features in one product are of great advantage:

  • All data is available and up-to-date at all times and there is no need to synchronize data between different products (less risk of errors).
  • The user interface and all terms used are uniform. This makes it easier for users to understand the solution.
  • Users only have to learn how to use one application. Solutions that consist of several products require users to attend multiple training sessions.

Executive Summary:
Identity & access management solutions model the possible functions of IAM. The solution stack of many providers is based on several independent products. Solutions that are able to model all functions in one product are of particular advantage.


What Features Must an Identity & Access Management Software Provide?

This is entirely dependent on the individual goals each company wishes to achieve and on how their IT infrastructures are built. In recent times, some features have gained significance, while other features and approaches have become outdated. Below is a summary of important features:

  • User lifecycle management must be fully implemented. All processes should be based on the digital identities of users. Systems that only operate on a technical level (e.g. based on Active Directory users) are only partially suitable.
  • The concept must incorporate data ownership and workflows. Data ownership means being able to define managers who are in charge of resources and can decide whether access to these resources should be granted or rejected. There must be approval workflows in place for all types of changes.
  • It should be possible to implement role concepts directly from within the software. At the same time, the role concept should not become too dominant. Products that do not allow for a flexible management of individual access rights will soon count more roles than users, thus making the entire concept obsolete.
  • System integration plays an important part in ensuring that IAM works from start to finish. Direct interfaces to third-party systems increase data quality and reduce the rate of errors; they also free the helpdesk from having to carry out routine tasks such as user creation.
  • It must be possible to keep detailed and comprehensive documentation of any changes. Reporting options must be available to the same extent. It must be possible to retrace changes in a structured manner (e.g. through search and filter options). Basing the documentation of changes on free text, for instance, makes an effective search impossible.
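As an added illustration (not code from this page or from tenfold), the following Python model ties together the HR-driven user lifecycle described earlier, the role concept (rights derived from department, location and position) and the structured, filterable change log demanded above: each entry, transfer or leave event is reconciled against a constructed role catalogue so that rights are granted automatically and revoked as soon as their justification disappears. The role names, attribute keys and event format are assumptions made for the example.

```python
from dataclasses import dataclass, field
ROLE_RULES = {  # constructed role catalogue: (attribute, value) -> entitlements it justifies
    ("department", "finance"): {"erp-finance", "fileshare-finance"},
    ("department", "sales"): {"crm", "fileshare-sales"},
    ("location", "vienna"): {"vpn-vienna"},
}
BASELINE = {"email", "intranet"}  # every active identity holds these
AUDIT_LOG = []  # one structured record per change, filterable later

@dataclass
class Identity:
    user_id: str
    attributes: dict
    active: bool = True
    entitlements: set = field(default_factory=set)

def target_entitlements(attributes):
    """Entitlements the role concept says an identity with these attributes should hold."""
    wanted = set(BASELINE)
    for key, value in attributes.items():
        wanted |= ROLE_RULES.get((key, value), set())
    return wanted

def reconcile(identity, reason):
    """Grant what is missing, revoke what is no longer justified, log both."""
    wanted = target_entitlements(identity.attributes) if identity.active else set()
    for ent in sorted(wanted - identity.entitlements):
        identity.entitlements.add(ent)
        AUDIT_LOG.append({"user": identity.user_id, "action": "grant", "entitlement": ent, "reason": reason})
    for ent in sorted(identity.entitlements - wanted):
        identity.entitlements.discard(ent)
        AUDIT_LOG.append({"user": identity.user_id, "action": "revoke", "entitlement": ent, "reason": reason})

def apply_hr_event(directory, event):
    """Process one lifecycle event ("entry", "transfer" or "leave") from the HR feed."""
    kind, user = event["type"], event["user"]
    if kind == "entry":
        directory[user] = Identity(user, dict(event["attributes"]))
    elif kind == "transfer":
        directory[user].attributes.update(event["attributes"])
    elif kind == "leave":
        directory[user].active = False  # deactivate rather than delete: history stays
    else:
        raise ValueError(f"unknown lifecycle event: {kind}")
    reconcile(directory[user], reason=f"hr:{kind}")
    return directory[user]

def search_audit(**filters):  # structured search instead of free text, e.g. search_audit(action="revoke")
    return [rec for rec in AUDIT_LOG if all(rec.get(k) == v for k, v in filters.items())]
```

A transfer from finance to sales removes the finance rights in the same step that grants the sales rights, which is exactly the accumulation of stale privileges that a purely technical, account-level approach tends to miss.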

Side note
Old SSO solutions are one example of outdated features. Thanks to modern authentication and authorization protocols, such as OAuth and OpenID Connect, classic SSO solutions that save user name and password in a vault and enter these automatically into the login screen of an application are now considered obsolete.

Executive Summary:
The importance of individual features always depends on the concrete goals you wish to achieve with an identity & access management software. There are some features which are generally considered important and others which have recently lost importance.

Why Do I need Identity & Access Management Software?

Common goals which are to be achieved by introducing an IAM software may include:

Better IT security
Automation and effective reporting significantly improve IT security. With IAM, users are only able to access the business data they actually need to perform their job duties. This principle is also referred to as the “Need to Know Principle” or “POLP (Principle of Least Privilege)”.

Better use of resources
A lot of helpdesk and second-level support time is wasted on routine processes involved in user management. By automating many of these processes, IAM software can help to put these resources to better use.

Compliance
There are numerous legal regulations in place that demand a very high level of IT security. Identities and access rights form the basis for many other measures and are therefore an integral part of these demands. Regulations include, among others, the European GDPR, KRITIS, MaRisk and PCI-DSS.

Executive Summary:
Improve IT security. Put resources to better use. Comply with regulations and laws.


What Can Go Wrong With IAM Projects?

There are several reasons why an IAM project might turn out to be unsuccessful and have to be terminated. These reasons come down to the same fundamental risks involved in the implementation of any other IT project. Upon closer examination, it turns out that, in most cases, failure happens due to one of these three reasons:

The wrong approach
The most common problem we encounter in IAM projects is wanting to take on too much at once. Successful projects are implemented step by step, and each step should be put into operation as soon as it is implemented. New functions are thus added gradually, but continuously, to the IAM system. Trying to model all workflows and integrate all systems at once will often result in failure to meet time and budget plans. The worst-case scenario is a system that is 90% implemented, but in which no individual feature can be used productively on its own.

Wrong expectations
Abide by the rule of 90/10: 90% of the planned functionality should consume 10% of the budget, and the remaining 10% of features should consume 90% of the budget. A conscious decision must therefore be made as to whether that last 10% of functionality is really necessary, or whether processes can be adapted instead. In numbers, this means the focus should lie on the 1,000 processes per month that are handled automatically by IAM, and not on the one special process that occurs three times a year.

The wrong software
IAM projects also fail when the software used is not suited to the organization. There are cases where medium-sized companies opt for a product that does not provide the necessary features and flexibility, and cases where they opt for a full-featured IAM suite that can never be fully implemented due to its complexity and, in the end, provides only minimal benefits.

Which Criteria Are Most Relevant for Selecting an Appropriate Identity & Access Management Software?

The range of functions some software products provide is downright enchanting. However, it is important not to lose focus and to consider all factors that are crucial for a successful introduction of an IAM software:

Scope of functions
Of course, the functional scope of the software plays a major role. To avoid being blinded by the seeming magic of some products, it is advisable to formulate the specific requirements in detail and then compare different products against them.

Standardization
This is a key point: The software should provide as many functions as possible “out-of-the-box”. The configuration should be kept as simple as possible via the user interface. Many providers rely heavily on individualization through customer-specific programming. These products should be avoided because the costs of operating them are disproportionately high and the quality is rather poor. Projects are therefore often delayed and rarely meet expectations in terms of functionality.

Usability
An IAM project is only successful if the software is modern and user-friendly. If users find it difficult to use the solution (regardless of whether they work for the IT department or any other department), they will not accept the software and the project will fail.

Integration options
The software should provide many extension modules, which in turn model all important functions via standards. Important systems include Active Directory, the groupware solution in use (e.g. Exchange) and any central business applications. Integration options for connecting to HR software should be as generic as possible.

Expansion
The software should provide expansion options. If the standard scope is exhausted and the software cannot model certain important workflows that cannot be changed, the project should not fail because of it.

Ecosystem of the producer
For the project to be successful, it is important that the selected provider has a vibrant ecosystem of sales and implementation partners, reference customers and technology partners. The more widely experience with the product is spread among different companies, the higher the chances of successfully implementing an IAM project with the selected partner.
