Identity and access management (IAM) is a security framework that helps organizations identify a network user and control their responsibilities and access rights, as well as the scenarios under which the privileges are issued or denied. IAM typically refers to authorization and authentication capabilities like:
Single sign-on (SSO) so you can give users the ability to sign on once and with a single set of credentials to gain access to multiple services and resources
Multi-factor authentication (MFA) so you can gain a greater level of assurance of a user’s identity by requiring the user to provide two or more factors as proof of identity
Access management so you can make sure only the right people gain access to the right resources
These capabilities are foundational to ensuring security in a world where network perimeters are no longer reliable or relevant. But equally important for many organizations are the following identity security capabilities:
These advanced capabilities provide additional protection against evolving threats, help you support compliance with a growing range of regulations and provide users with the experiences they expect.
What Is IAM's Purpose, and Why Is It Important?
Your users are no longer limited to employees protected by a firewall. As remote work has grown in popularity, you need the ability to give diverse workforce users access to resources from anywhere and on any device to ensure productivity doesn’t suffer.
Your customers are also interacting with you through a growing number of digital channels. As customer behavior has changed, you must now provide access to these users as well or risk losing your competitive edge.
These shifts in how work is done and purchasing decisions are made have pushed traditional security approaches to their breaking points. But security requirements aren’t the only thing that’s changed.
Your users—both workforce and customers—have grown accustomed to convenience. As a result, they expect quick and easy access to resources, services and goods, when and where they want them. While your workforce may be more inclined to make do with what’s provided, your customers can and will explore their options.
In today’s digital and borderless world, the traditional approach to perimeter security is no longer reliable or relevant. IAM shifts the boundary to the user and puts identity at the center of security. You’re able to ensure users are who they claim to be before you give them access to sensitive resources or data. But you can’t make the process too burdensome either. Striking the right balance between security and experience is critical, and IAM helps you do it.
Customer Identity & Access Management (CIAM): IAM Designed for Customer Use Cases
It’s nearly impossible—and perhaps even irresponsible—to talk about IAM without including at least a short discussion of customer IAM (CIAM). While many organizations find that IAM satisfies the requirements of providing secure workforce access, it often lacks the capabilities needed for customer use cases.
With CIAM, you gain capabilities that allow you to deliver exceptional customer experiences, including:
What’s the Difference Between Access Management and Identity Management?
When looking at IAM solutions, it’s often difficult to differentiate between identity management and access management, and in fact you might see both terms used to describe the overall IAM space. Arguably, they work hand in hand and both are needed to ensure you’re giving the right people access to the right things at the right time and for the right reasons.
But fundamentally, they aren’t one and the same. Identity management speaks to the process of authenticating users while access management is about authorizing users. Specifically, identity management combines digital attributes and entries in a database to create a unique identity for each user, which can be checked as a source of truth during authentication. Access management determines who can access a resource or database at any given time. The access management system manages the access portals through login pages and protocols while also guaranteeing that a specific user requesting access has proper clearance.
IAM as a whole gives you the ability to verify a user’s identity before they are provided access. In their simplest forms, identity management authenticates the user, then access management determines the person's level of authorization based on the user’s identity attributes.
What Are the Benefits of Identity Management?
Identity and access management helps you strike the ideal balance between security and experience. Additionally, it can help you save money and meet compliance requirements while enhancing your employee and customer experience. The main benefits of integrating IAM into your operations include:
IAM Enhances Security
Improved security is arguably the number one benefit that you stand to gain from IAM. Capabilities like multi-factor authentication reduce your reliance on passwords, which in turn reduces your risk of breach as a result of compromised credentials. As remote work becomes the norm and your IT team must manage an increasing number of apps and devices, you need new ways to protect against cyberattacks and data breaches. IAM helps you combat increasingly sophisticated threats with capabilities like API security and identity verification so you can feel confident that only the right people are accessing the right resources.
IAM Improves User Experience
By combining just-right security with seamless access, IAM helps you keep your workforce connected and your customers coming back for more. Single sign-on lets you give your users faster and easier access to the resources they need. When you combine SSO with adaptive authentication, you’re able to match authentication requirements to the access being requested. By stepping up security only when warranted, you minimize friction and deliver a better user experience. IAM advances like passwordless authentication further streamline access (without compromising security) by reducing or even eliminating the use of hard-to-keep-track-of passwords.
IAM Enables Workforce Productivity
Workforce users need to access a range of different applications to do their jobs. When access is impeded by forgotten passwords and restricted permissions, productivity suffers. IAM capabilities like SSO help work get done more efficiently by reducing the time it takes to log in and gain access to resources.
IAM Streamlines IT Workload
Speaking of forgotten passwords, it’s estimated that upwards of 50% of IT help desk calls are attributed to password resets and that a single password reset request costs companies an average of $70. IAM solutions minimize your reliance on passwords and the headaches that come with them. IAM also makes it easy to implement identity services and change privileges across your organization based on roles as well as more granular attributes.
IAM Supports Regulatory Compliance
By providing capabilities like API security, IAM eases compliance with Open Banking requirements. Similarly, privacy and consent management capabilities simplify compliance with data privacy regulations like GDPR and the California Consumer Protection Act (CCPA). With regulations on the rise across a range of industries, from financial to healthcare to retail, IAM gives you the agility to quickly adapt.
Types of Digital Authentication
There are many methods you can employ to prove your user’s identity. But not all digital authentication is created equal. Some types, like biometric, contextual and behavioral authentication, are not only more sophisticated and secure but also reduce user friction. Here’s a breakdown of some common digital authentication methods.
Pre-shared Key (PSK)
PSK is a digital authentication protocol where a password is shared among users accessing the same resources. Typical examples include a single network WiFi password shared by many workers in an office setting. While this practice is common and convenient, shared passwords are less secure than individual ones and expose you to threats like layer 2 and man-in-the-middle attacks. Digital certificates provide a more secure form of authentication than PSKs by tying identity to access so you know who or which device is using the network. They also eliminate the need for frequent password changes.
Unique passwords require a minimum number of characters and a complex combination of letters, symbols and numbers that makes them harder to compromise. But these requirements also make unique passwords a burden for your users to create and keep track of. In addition to creating a unique password for every application, users must come up with original passwords every 60-90 days. All of these factors lead to password fatigue and increase your security risks. In contrast, single sign-on lets your users access multiple resources with a single username and password combination.
Hardware tokens are small physical devices like a smart card, key fob or USB drive. The device itself contains an algorithm (a clock or a counter) and a seed record used to calculate a pseudorandom number. Users enter this number to prove they have the token, or they might press a key on the device, which generates a one-time passcode (OTP) and sends it to the server. The physical nature of hardware tokens makes them expensive and burdensome to roll out and puts them at risk of breakage, loss and theft. An easier and less costly alternative is mobile authentication that relies on soft tokens to generate an OTP for sign on.
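The clock-or-counter scheme described above, shown as an added example that is not part of the original article. It assumes the token follows the open HOTP (RFC 4226) and TOTP (RFC 6238) standards, which the article does not name, and it adds the server-side checks a verifier needs: a look-ahead window for counter drift and rejection of replayed codes. The seed is the published RFC test key, used here as a constructed sample.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP (RFC 4226): HMAC-SHA1 over an 8-byte counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Clock-based OTP (RFC 6238): the counter is the current time step."""
    return hotp(seed, int(now) // step, digits)


def verify_hotp(seed, submitted, server_counter, look_ahead=3):
    """Return the next server counter on success, None on failure.

    The token's counter can run ahead of the server's (button pressed
    without signing on), so a small look-ahead window is searched. Moving
    the server counter past the match makes every earlier code unusable.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(seed, c), submitted):
            return c + 1
    return None


def verify_totp(seed, submitted, now, last_step, step=30, drift=1):
    """Return the matched time step on success, None on failure.

    Accepts +/- `drift` steps of clock skew and rejects any step that is
    not newer than the last accepted one, so a code cannot be replayed.
    """
    current = int(now) // step
    for s in range(current - drift, current + drift + 1):
        if s > last_step and hmac.compare_digest(hotp(seed, s), submitted):
            return s
    return None


# Constructed sample seed (the RFC 4226 test key), not a real credential.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    code = hotp(SEED, 2)                          # token is two presses ahead
    counter = verify_hotp(SEED, code, 0)
    print("accepted, server counter now", counter)
    print("replay accepted?", verify_hotp(SEED, code, counter) is not None)
    print("TOTP at t=59:", totp(SEED, 59))
```

The server must persist the returned counter or time step per token; without that state the same code can be accepted twice.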
While other forms of authentication rely on something your users know (passwords) or have (devices, tokens), biometric authentication uses characteristics of who your users are to prove identity. Examples of biometric authentication include fingerprints, facial recognition, voice recognition, hand geometry and retina or iris scans. These forms of authentication are more secure as they’re highly unique to the individual and harder to replicate, steal or compromise. They’re also growing in usage as mobile device, tablet and PC manufacturers have begun incorporating these technologies into devices. Additionally, the use of FIDO protocols provides stronger authentication by using standard public key cryptography. With FIDO, the biometric information never leaves the user’s device. This protects user privacy by making it impossible for online services to collaborate and track a user across services.
A form of risk-based authentication, contextual authentication uses information such as geolocation, IP address, time of day and device identifiers to determine whether a user’s identity is authentic or not. Typically, a user’s current context is compared to previously recorded context in order to spot inconsistencies and identify potential fraud. While these checks are invisible to the authorized user, they create a significant barrier to an attacker.
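One way to implement the comparison of current context against recorded context, as an added example that is not from the original article. The signal names, the 900 km/h travel threshold, the three-hour time-of-day tolerance and the allow / step-up / deny policy are all assumptions chosen for illustration; the sample sign-ons are constructed.

```python
import math
from dataclasses import dataclass


@dataclass
class Context:
    ts: float          # Unix time of the sign-on attempt
    lat: float         # geolocation derived from the request
    lon: float
    ip_prefix: str     # network the request came from
    device_id: str
    hour: int          # local hour of day, 0-23


def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp, dl = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def hour_gap(a, b):
    """Distance between two hours on a 24-hour clock."""
    d = abs(a - b)
    return min(d, 24 - d)


def assess(history, cur):
    """Compare the current context with recorded ones; return (decision, reasons)."""
    if not history:
        return "step_up", ["no recorded context"]
    reasons = []
    last = max(history, key=lambda c: c.ts)
    hours = max((cur.ts - last.ts) / 3600.0, 1 / 60)   # floor at one minute
    if km_between(last, cur) / hours > 900:            # faster than an airliner
        reasons.append("impossible travel")
    if cur.device_id not in {c.device_id for c in history}:
        reasons.append("unknown device")
    if cur.ip_prefix not in {c.ip_prefix for c in history}:
        reasons.append("unfamiliar network")
    if all(hour_gap(cur.hour, c.hour) > 3 for c in history):
        reasons.append("unusual time of day")
    # Assumed policy: impossible travel or 3+ signals deny; any other signal
    # steps up to a second factor; no signals means the check stays invisible.
    if "impossible travel" in reasons or len(reasons) >= 3:
        return "deny", reasons
    return ("step_up" if reasons else "allow"), reasons


# Constructed sample history: two weekday-morning sign-ons from London.
HISTORY = [
    Context(1_700_000_000, 51.5074, -0.1278, "203.0.113", "laptop-1", 9),
    Context(1_700_086_400, 51.5074, -0.1278, "203.0.113", "laptop-1", 10),
]

if __name__ == "__main__":
    sydney = Context(1_700_088_200, -33.8688, 151.2093, "198.51.100", "phone-x", 3)
    print(assess(HISTORY, sydney))
```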
Another form of risk-based authentication, behavioral biometrics leverages machine learning to identify unique user behaviors like mouse characteristics and keystroke dynamics. By learning about how a user typically behaves and interacts, behavioral biometrics allow you to detect abnormal behavior that could indicate suspicious activity or a malicious attack. Because each person exhibits unique device behaviors, behavioral biometrics help you differentiate between the authorized user and a bad actor.
Multi-factor Authentication (MFA)
More secure than passwords and hardware tokens alone, multi-factor authentication requires users to provide at least two pieces of evidence to prove their identity. They must provide something they know, something they have or something they are, with only one form of evidence coming from each category. For example, an MFA authentication flow might require a user to sign on with a username and password (something they know). They might then need to complete authentication by confirming the request on a mobile app (something they have).
What Are the IAM Risks?
Any effective risk management strategy starts with identifying the potential risks you face. Information security analysts at KuppingerCole suggest evaluating your organization across these five areas to identify and mitigate potential risks, and set up your IAM initiatives for success.
1. Executive Support
Risks: If IAM lacks executive buy-in, it’s difficult to gain the financial and resource support needed throughout the organization to make IAM successful.
Issue: The identification of responsibilities is often the most complex challenge. You need top-down support for organizational shifts and decisions.
Mitigation: Executive support is much easier to gain when the business value can be explained in clear, simple terms. Executive sponsors need to be well informed and ready to influence the direction of IAM initiatives, as well as understand the purpose and objectives of the individual projects within them.
2. Business Involvement
Risks: Without business involvement, IAM projects suffer from unclear scope, scope creep and being overtaken by technology requirements.
Issue: The business needs to drive the program and lead the technology, not vice versa.
Mitigation: In addition to meeting regulatory specifications and audit requirements, there are other IAM benefits that need to be communicated including gaining an overall view of users, the ability to quickly connect new business partners and added agility for the business. It’s important that the business environment is understood and mapped out before the technology can be deployed in the proper context.
Risks: IAM projects can be complex, making a “big bang” approach difficult to control. The multiplication of corporate identities requiring management has to be considered from the outset.
Issue: Even though the first implementations might only give a small set of functionality to a group of employees, they must be designed so they can scale.
Mitigation: IAM implementation should be broken down into individual and clearly scoped projects—not a single large one with unclear boundaries.
Risks: An IAM implementation can be stopped in its tracks by technology missteps like choosing the wrong product, trying to leverage existing failed products or letting the program be driven by vendors or other technology “experts.”
Issue: Technological expertise isn’t enough to make a successful IAM implementation. It requires a holistic understanding of the environment and a vested interest in the program’s success.
Mitigation: Ensure that system integrators, vendors and technical teams are leveraged and respected but that the implementation is ultimately guided and controlled by the business. Give technical teams a platform to express their concerns and take them on board, but do not allow them to constrain business requirements.
Risks: People are vital to IAM success. But individuals will have different understandings of how IAM functions based on their role and/or previous experience with technology. With conflicting views of what IAM should entail, projects can quickly become politicized, creating division and in-fighting between business and technical teams.
Issue: Departments need the ability to control access to their own systems. New user groups need to be easily onboarded.
Mitigation: Individuals and their respective needs and understandings must be considered from the beginning. Knowledge must be freely shared, progress communicated regularly and successes celebrated. Lastly and most importantly, IAM must be simple enough that it works for the end user.
What is the Future of IAM?
Trends in remote work, cybersecurity, data privacy and customer experience continue to shape IAM priorities. While the future is never entirely predictable, indicators point to six imminent shifts in identity security.
Greater Control Over Personal Data
Buoyed by consumer privacy regulations, customers are demanding more control over how their personal data is used and shared. To address this demand, new personal identity frameworks are evolving that give customers control over their identities and which attributes to share with service providers, as well as enable secure validation of identity without requiring excessive personal data.
Acceleration of Zero Trust
Zero Trust will become the foundation of enterprise security. As a security model that streamlines workflows and implements adaptive authentication, authorization and identity verification services, Zero Trust gives organizations a fundamentally stronger security posture to protect against evolving threats.
End of SSN as Secure Authenticator
More than $60 billion in fraudulent unemployment insurance claims plagued state-run unemployment agencies in the U.S. during and in the wake of the pandemic, highlighting the consequences of using social security numbers as a trusted authenticator. If we weren’t convinced before, this costly lesson underscores the imperative to eliminate the usage of SSN as a secure authentication factor.
More Secure Remote Work
Working from home at least part of the time is here to stay. But providing a seamless experience to remote workers presents challenges. IAM supports WFH by giving workers frictionless access through single sign-on and adaptive authentication. At the same time, you gain increased confidence that only the right people are accessing company resources and increased agility to further your cloud initiatives.
Rise of Passwordless Customer Authentication
In keeping with the trend toward working from home, consumers are also shopping from home more than ever. As the battle for customer experiences continues to rage, companies will transition customers to a passwordless experience to minimize friction without sacrificing security. Passwordless authentication lets customers authenticate with something other than risky passwords, like biometric push notifications on a trusted device.
More Pervasive AI and Machine Learning
As use of artificial intelligence becomes more widespread, it’s possible it could also become the new attack mechanism. To quickly identify suspicious activity and adapt access based on the level of risk, behavioral analytics and risk signals should be integrated into all access and lifecycle management flows. AI and machine learning are not a cure-all, however, and are best used in combination with existing threat detection methods.
Get Help from IAM Experts
In today’s business environment, user experience is king, but security can’t be sacrificed. The right IAM solutions help you optimize both.
The PingOne Cloud Platform is a comprehensive, standards-based IAM platform designed for hybrid, multi-generational and multi-cloud environments. Providing comprehensive capabilities to support workforce and customer use cases, it empowers you to leverage unified digital identities and give all users and devices secure access to cloud, mobile, SaaS and on-premises applications and APIs.