Identity and access management (IAM) ensures that the right people (identity) can access the right resources at the right times, for the right reasons (access management).
IAM processes and technologies make it easier for organizations to manage identities and control user access at granular levels. These systems also help organizations comply with rapidly changing regulations about how confidential information, such as medical and financial records, is stored and accessed.
Why IAM is important
Business leaders and IT departments are under increased regulatory and organizational pressure to protect access to corporate resources. Common challenges that organizations face include:
High-friction registration and access: Friction kills customer relationships. People are tired of creating and managing all of their user ID and password combinations and often abandon transactions due to high-friction registration and sign-on experiences. First impressions are important. If users have personalized, welcoming registration and sign-on experiences, they're much more likely to be interested in learning about the business. Engaging them at the appropriate time in the appropriate manner without overburdening them with questions makes them feel comfortable, and allowing them to authenticate in the ways most natural to them increases the chances of them returning to the site. Offering passwordless authentication options can also reduce the need for password resets and account lockouts and save organizations time and money.
Data breach threats: Keeping data secure and private isn't easy. Customers demand that the companies they do business with not only make their personal experiences enjoyable, but that those same companies keep their data safe from breaches and protect their privacy. They want to know how their personal information is secured and transmitted, and many say that they will stop doing business with a company that does not adequately secure their data or respect their privacy.
Meeting regulatory and compliance needs: As a result of the growing list of breaches, violations of customer privacy, and increasing consumer dissatisfaction, there's been an explosion of regulations related to data security and privacy. With these regulations, organizations are held accountable for protecting their data. Outsourcing data collection and processing to third-party software as a service (SaaS) providers does not absolve organizations from responsibility if data breaches occur. They must know what data they collect and what data their SaaS vendors collect, where that data is stored, who can access it, how long it should be retained, and how to delete it if requested or ordered to do so.
Modernizing legacy infrastructure: Merging modern IAM technology with existing legacy infrastructures isn't always easy. The new technology must integrate seamlessly with organizations' existing online resources without seeming disjointed or misaligned with their brands. At the same time, many organizations are also in the process of migrating resources to the cloud. They have a mix of infrastructure platforms, such as legacy on-premises and private and public cloud environments, and are working to balance stability and change.
Situations putting organizations at risk
Many organizations unknowingly put themselves, their customers, and their shareholders at risk when these situations exist:
Home-grown proprietary identity solutions: Many times, organizations have built customer-facing applications on a department-by-department or product basis. These applications initially work well for their intended purpose, but challenges come when those applications can no longer operate in their own silos. Perhaps the applications need to share information with a marketing tool, such as Marketo, or a customer relationship management (CRM) tool, such as Salesforce. This is when it starts to make sense to look for identity solutions that can easily connect to a wide variety of resources and support a wide range of use cases.
Multiple end-user repositories: Multiple repositories can exist for a variety of reasons. Perhaps there was a merger, or perhaps a new pilot application designed "just to test the waters" became wildly successful and entrenched. Regardless of how it happened, having data siloed in different repositories can create challenges. It's difficult to provide unified access to data and user preferences, share them across applications, and comply with government regulations when they're stored in different places.
No consistent authentication or single sign-on (SSO): If many different applications are responsible for authenticating users and storing information about them, there is often no way for the user to move from one application to another without encountering many different authentication processes. SSO not only improves the user experience, but it also decreases the likelihood that hackers will access their accounts.
Application-based authorization or account-based access control solutions: Similar to the lack of consistent authentication is the lack of consistent authorization. It is hard to ensure that enterprise-wide authorization policies are followed if each application team is responsible for implementing their own access policies. Taking a consistent approach to securing access to similar applications on a company-wide basis is best.
Manually handling customer consents: Many organizations have built their own systems for handling online consents. These systems often worked well when they were initially built. However, blanket consents are no longer acceptable, so what was once one consent is now ten. Manually handling each consent and ensuring they are appropriately stored can be time-consuming and not the best use of time for highly skilled development staff.
What should an IAM solution offer?
Single Sign-On (SSO) – SSO allows users to log in once to gain access to all their applications and services, whether they're in the cloud or the data center. It prevents the frustration of repeated logins, which harms productivity in the enterprise and causes customer drop-off for e-commerce sites.
Multi-factor Authentication (MFA) – MFA improves security by requiring an added credential, such as a fingerprint (biometric), acceptance of a push notification in an authenticator app, or a one-time password (OTP) delivered via text message or email. With MFA, an attacker who holds only the login credentials will not succeed in gaining access to the targeted resources.
Authorization – Authorization is used to determine the [authenticated] user's approved level of access. In the enterprise, entities are granted certain privileges related to what may be accessed, based on their roles, and such access may be extremely granular. For example, an accountant may have extensive privileges within most financial applications, but not those related to compensation.
IAM best practices
Organizations that follow IAM best practices have the following items in place:
Centralized identity storage: All identities, such as partner identities, administrator identities, and customer identities, are kept in the same store. Artificially partitioning them doesn't make sense because identities will often take on more than one role. For example, a partner might need to be an administrator and an end user at the same time. Having a single store ultimately results in better, more consistent user experiences and makes it easier to manage identities as their roles, and the organization's relationship with them, evolve over time.
Self-registration: Marketing campaigns and digital collateral bring prospects to the organization's site where users are incentivized to self-register. They create new accounts, provide their contact information, and become more engaged with the company from then on. Allowing users to leverage existing identities and social logins to access sites improves their experience because they don't need to manage yet another identity.
Personalization and progressive profiling: After a user has registered, most organizations gather additional information about the user as the relationship grows. This information is often related to user status and activities or to credit cards and shipping addresses when items are purchased. Note that it's important to gather information only when it's needed and only when it's clear how it will be used.
Self-service profile management and user consent: Organizations that collect customer information need to be responsible stewards, which means that they only collect the information they need and securely store that information. They must be transparent as to what information they collect, how it will be used, and they need to get users' explicit consent to govern distribution and use of that information.
Passwordless authentication: When most users attempt to access an application, it's often easier for them to provide their fingerprints or speak into microphones than it is to remember and keep track of passwords. Passwordless authentication is not only often preferred, it's more secure. All communications are encrypted, and in many cases, public-key cryptography techniques are used and private keys never leave users' devices, which lessens the chances of someone intercepting them during transmission.
Contextual authentication: With contextual authentication, organizations can look at a variety of factors to better understand the risk when users attempt to authenticate. They determine whether the user has used the device before, whether the request comes from an IP address known to be risky, how much time has passed since the user last authenticated, and whether the request originates from the geographical region associated with the user.
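As an added illustration of contextual authentication (example code written for this page, not from any vendor's product), the following scores the four signals listed above and maps the total to an action: allow, require a second factor, or deny. The reference data (the user's known devices, home region, and the IP prefix treated as risky), the point values and the thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample reference data (hypothetical, not from any real deployment):
# a prefix treated as a risky IP range, each user's known devices and home region.
RISKY_IP_PREFIXES = ("203.0.113.",)   # TEST-NET-3 documentation range, stands in for a risky list
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}}
HOME_REGION = {"alice": "US"}


@dataclass
class AuthContext:
    user: str
    device_id: str
    ip: str
    region: str
    days_since_last_auth: Optional[int]   # None = no previous authentication on record


def risk_score(ctx: AuthContext) -> int:
    """Add risk points for each of the signals the article lists (weights are assumed)."""
    score = 0
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += 2   # device never seen for this user
    if ctx.ip.startswith(RISKY_IP_PREFIXES):
        score += 3   # source IP is on the risky list
    if ctx.days_since_last_auth is None or ctx.days_since_last_auth > 30:
        score += 1   # long gap (or no history) since the last authentication
    if ctx.region != HOME_REGION.get(ctx.user):
        score += 2   # request from a region not associated with the user
    return score


def decide(ctx: AuthContext) -> str:
    """Turn the score into an action: allow, require a second factor, or deny."""
    score = risk_score(ctx)
    if score >= 5:
        return "deny"
    if score >= 2:
        return "step-up-mfa"
    return "allow"


if __name__ == "__main__":
    for ctx in (
        AuthContext("alice", "dev-laptop-01", "198.51.100.7", "US", 1),
        AuthContext("alice", "dev-phone-99", "198.51.100.7", "US", 1),
        AuthContext("alice", "dev-phone-99", "203.0.113.5", "RU", None),
    ):
        print(ctx.device_id, ctx.ip, ctx.region, "->", decide(ctx))
```

A single weak signal (a known device that simply hasn't been used for a while) keeps the user on the allow path, while stacked signals escalate to step-up MFA and then denial.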