Call it Identity Management (IDM), Identity Access Management (IdAM), or even IAM; IT is responsible for its implementation and ongoing maintenance.
No surprise there, given that practically all processes and functions in a modern enterprise, regardless of industry or location, require IT involvement.
An IdAM solution, whether on-premise or in the cloud (identity as-a-service – IdaaS, for example), is necessary to ensure that the correct users can access only the data they are permitted to access. Does your enterprise need it? Well, it depends. Does Azure’s Active Directory (AD) satisfy all you need for IdAM? Does your current solution meet security or compliance requirements for your industry and location? For example, in the event of an audit or e-discovery requirement, can you currently determine who has permission to access specific data or provide a log of who accessed it in the past?
These are questions YOU must answer before implementing or upgrading an IdAM solution. In addition, of course, security is essential. A perfectly managed data repository (containing, users, groups, policies, permissions, etc.) is worthless if it’s easily hacked or is vulnerable in any way.
Broadly speaking, there are four key aspects to IdAM solutions that ensure only validated users can access enterprise data and resources.
1. User Management
This process begins with user creation and ends with user deletion (when an employee leaves the company, for example). As part of the user lifecycle, user roles (including administration) and data provisioning (what data the user can access) are defined. Password management or authentication methods are also decided. Self-service options such as password resets are sometimes automated to reduce maintenance workloads. The company will determine the level of ‘trust’ assigned to each user at the setup stage.
2. Central User Repository
Data synchronization is a primary consideration here to ensure any changes and logs are updated to all enterprise assets in real-time, i.e., old passwords no longer work after update or access is blocked if the employee leaves the company.
Authentication methods can adhere to the simple user and password combo, use a single sign-on (SSO), involve multi-factor authentication, session management, or password services using tokens, for example. Some companies favor biometric solutions, but whatever you decide on, aim for security rather than convenience.
Once a user’s identity is confirmed, the level of access is determined. Authorization methods are many and varied, linked to authentication methods defined earlier. Companies can, of course, also allow access based on roles, rules, policies, attributes, or remote permissions. For example, only members of the HR department can access data on employee salaries, and the receptionist has no authorization to view engineering specs. Elements of AI or analytics are also possible to prevent ‘suspicious’ access.
Is IdAM Necessary?
While IdAM is often perceived as an admin function, security and compliance are better reasons for adopting it. In today’s business environment, password sprawl is a common problem, and a drive towards a single sign-on environment could save users a lot of time when accessing resources as an employee. Given the myriad of devices and services that require a sign on – having one password to rule them all with multi-factor authentication based on device or IP address, for example, will provide prompt yet secure access to the correct users. Or you could continue having a unique identity for each service, website, and app. Which approach is best?
If implemented correctly, IdAM will increase efficiency, enhance the user experience, and reduce IT support tickets. Automation is an added benefit, allowing IT to focus on their objectives. Risk is reduced, and full tracking is possible to satisfy audit and compliance requirements. It can also ensure a smooth transition and secure monitoring of a BYOD or CYOD environment as IdAM solutions typically work across all platforms. All of these benefits reduce costs, often a deciding factor when deciding on new technologies. Not that IdAM is new, but it’s still not ubiquitous, despite the obvious advantages.
In conclusion, while I’ve covered the basics of IdAM, The National Cybersecurity Center of Excellence (NCCoE) has released the NIST Cybersecurity Practice Guide SP 1800-2, Identity and Access Management (IdAM). The NCCoE also offers some use cases by industry for IdAM on its website that are of benefit to all enterprises, including those not located in the USA. The information is worth reviewing before selecting the best solution for your requirements. PCMag offers its selections for the best IDM solutions for 2020 if you need some tips in this area.
Your company cannot afford to ignore IdAM, as protecting user credentials no longer involves just the on-premise network but any connected devices and online services and enterprise applications. Users are often remote and could include remote contractors, suppliers, and customers who access a common data resource or service. Can you really afford not to review possible IdAM benefits?