Identity and Access Management
What is identity and access management?
Identity and access management (IAM) ensures that the right people (identity) can access the right resources at the right times, for the right reasons (access management).
IAM processes and technologies make it easier for organizations to manage identities and control user access at granular levels. These systems also help organizations comply with rapidly changing regulations about how confidential information, such as medical and financial records, is stored and accessed.
Situations putting organizations at risk
Many organizations unknowingly put themselves, their customers, and their shareholders at risk when these situations exist:
- Home-grown proprietary identity solutions: Many times, organizations have built customer-facing applications on a department-by-department or product basis. These applications initially work well for their intended purpose, but challenges come when those applications can no longer operate in their own silos. Perhaps the applications need to share information with a marketing tool, such as Marketo, or a customer relationship management (CRM) tool, such as Salesforce. This is when it starts to make sense to look for identity solutions that can easily connect to a wide variety of resources and support a wide range of use cases.
- Multiple end-user repositories: Multiple repositories can exist for a variety of reasons. Perhaps there was a merger, or perhaps a new pilot application designed "just to test the waters" became wildly successful and entrenched. Regardless of how it happened, having data siloed in different repositories can create challenges. It's difficult to provide unified access to data and user preferences, share them across applications, and comply with government regulations when they're stored in different places.
- No consistent authentication or single sign-on (SSO): If many different applications are responsible for authenticating users and storing information about them, there is often no way for a user to move from one application to another without encountering many different authentication processes. SSO not only improves the user experience, it also decreases the likelihood that attackers will gain access to users' accounts.
- Application-based authorization or account-based access control solutions: Similar to the lack of consistent authentication is the lack of consistent authorization. It is hard to ensure that enterprise-wide authorization policies are followed if each application team is responsible for implementing their own access policies. Taking a consistent approach to securing access to similar applications on a company-wide basis is best.
- Manually handling customer consents: Many organizations have built their own systems for handling online consents. These systems often worked well when they were initially built. However, blanket consents are no longer acceptable, so what was once one consent is now ten. Manually handling each consent and ensuring they are appropriately stored can be time-consuming and not the best use of time for highly skilled development staff.
What should an IAM solution offer?
Single Sign-On (SSO) – SSO allows users to log in once to gain access to all their applications and services, whether those live in the cloud or in the data center. It prevents the frustration of repeated logins, which harms productivity in the enterprise and causes customer drop-off on e-commerce sites.
Multi-factor Authentication (MFA) – MFA improves security by requiring an added credential, such as a fingerprint (biometric), acceptance of a push notification in an authenticator app, or a one-time password (OTP) delivered via text message or email. With MFA, an attacker who has obtained valid login credentials alone will not gain access to the targeted resources.
Authorization – Authorization is used to determine the [authenticated] user's approved level of access. In the enterprise, entities are granted certain privileges related to what may be accessed, based on their roles, and such access may be extremely granular. For example, an accountant may have extensive privileges within most financial applications, but not those related to compensation.
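The accountant scenario above, as an added example that is not part of the original page: a role-based check in which a broad grant on the finance application is narrowed by an explicit deny on compensation data. Role, action and resource names are constructed for illustration.

```python
"""Added example: deny-overrides role-based authorization modelled on the
page's accountant scenario. All role and resource names are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    action: str     # e.g. "read", "write", or "*" for any action
    resource: str   # e.g. "finance:ledger"; a trailing "*" matches a subtree


@dataclass
class Role:
    name: str
    allow: set = field(default_factory=set)  # Permissions granted by the role
    deny: set = field(default_factory=set)   # Permissions explicitly refused


def matches(pattern: str, resource: str) -> bool:
    """'finance:*' matches every resource under the finance application."""
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def is_authorized(roles, action: str, resource: str) -> bool:
    """Any explicit deny in any role wins; otherwise some allow must match.
    With no matching grant at all the answer is False (default deny)."""
    for role in roles:
        for p in role.deny:
            if p.action in (action, "*") and matches(p.resource, resource):
                return False
    for role in roles:
        for p in role.allow:
            if p.action in (action, "*") and matches(p.resource, resource):
                return True
    return False


# Constructed role: full access to finance apps except compensation records.
ACCOUNTANT = Role(
    "accountant",
    allow={Permission("*", "finance:*")},
    deny={Permission("*", "finance:compensation:*")},
)

if __name__ == "__main__":
    print(is_authorized([ACCOUNTANT], "read", "finance:ledger"))                  # True
    print(is_authorized([ACCOUNTANT], "read", "finance:compensation:salaries"))   # False
```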
IAM best practices
Organizations that follow IAM best practices have the following items in place:
- Centralized identity storage: All identities, such as partner identities, administrator identities, and customer identities, live in the same store. Artificially partitioning them doesn't make sense because identities often take on more than one role. For example, a partner might need to be an administrator and an end user at the same time. Having a single store ultimately results in better, more consistent user experiences and makes it easier to manage identities as their roles, and the organization's relationship with them, evolve over time.
- Self-registration: Marketing campaigns and digital collateral bring prospects to the organization's site where users are incentivized to self-register. They create new accounts, provide their contact information, and become more engaged with the company from then on. Allowing users to leverage existing identities and social logins to access sites improves their experience because they don't need to manage yet another identity.
- Personalization and progressive profiling: After a user has registered, most organizations gather additional information about the user as the relationship grows. This information is often related to user status and activities or to credit cards and shipping addresses when items are purchased. Note that it's important to gather information only when it's needed and only when it's clear how it will be used.
- Self-service profile management and user consent: Organizations that collect customer information need to be responsible stewards, which means that they collect only the information they need and store it securely. They must be transparent about what information they collect and how it will be used, and they need to obtain users' explicit consent to govern the distribution and use of that information.
- Passwordless authentication: When most users attempt to access an application, it's often easier for them to provide a fingerprint or speak into a microphone than to remember and keep track of passwords. Passwordless authentication is not only often preferred, it's also more secure. All communications are encrypted, and in many cases public-key cryptography is used, with private keys that never leave users' devices, which lessens the chance of someone intercepting them in transit.
- Contextual authentication: With contextual authentication, organizations look at a variety of factors to better understand the risk when a user attempts to authenticate. They determine whether the user has used the device before, whether the request comes from an IP address known to be risky, how much time has passed since the user last authenticated, and the geographical region the user belongs to.
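The contextual-authentication signals listed above, combined with the MFA step-up described earlier, as an added example that is not part of the original page: each signal contributes to a risk score, and the score decides whether the login proceeds, requires a second factor, or is blocked. The weights, thresholds, user history and IP list are all constructed for illustration.

```python
"""Added example: a contextual-authentication risk evaluator. Weights,
thresholds, per-user history and the risky-IP list are constructed."""
from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    device_id: str
    ip: str
    region: str
    seconds_since_last_auth: int


# Constructed per-user history: devices seen before and the user's home region.
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}}
HOME_REGION = {"alice": "EU"}
# Constructed threat-intelligence list of IP addresses considered risky.
RISKY_IPS = {"203.0.113.7"}

# Constructed weights; a risky source address dominates the other signals.
WEIGHTS = {"new_device": 30, "risky_ip": 50, "stale_session": 15, "foreign_region": 25}
STALE_AFTER = 30 * 24 * 3600  # last authentication more than 30 days ago


def risk_score(ctx: LoginContext) -> int:
    """Add the weight of every risk signal present in the login context."""
    score = 0
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += WEIGHTS["new_device"]
    if ctx.ip in RISKY_IPS:
        score += WEIGHTS["risky_ip"]
    if ctx.seconds_since_last_auth > STALE_AFTER:
        score += WEIGHTS["stale_session"]
    if ctx.region != HOME_REGION.get(ctx.user):
        score += WEIGHTS["foreign_region"]
    return score


def decide(ctx: LoginContext) -> str:
    """Map the score to a policy outcome: 'allow', 'mfa_required' or 'block'."""
    score = risk_score(ctx)
    if score >= 70:
        return "block"
    if score >= 30:
        return "mfa_required"   # step-up: demand a second factor before granting access
    return "allow"


if __name__ == "__main__":
    usual = LoginContext("alice", "dev-laptop-01", "198.51.100.4", "EU", 3600)
    suspicious = LoginContext("alice", "dev-unknown", "203.0.113.7", "AS", 60)
    print(decide(usual), decide(suspicious))   # allow block
```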