Identity and Access Management (IAM) programs protect data security and privacy starting with user authentication and authorisation, often by using a single sign-on solution that incorporates multi-factor authentication, and then assigns users access rights to resources with identity management (IDM) solutions to continuously monitor access, to proving enforcement of and governance over “least privilege necessary” access rights.
As governments and industry standards organisations place greater focus on data privacy and security, organisations need to meet increasingly stringent compliance requirements. As organisations move mission-critical business operations to the cloud, robust Identity and Access Management (IAM) helps protect data from unauthorised access. With complex on-premises, hybrid, and cloud infrastructures, organisations struggle with IAM as more identities – human and non-human – interact with information. Identity and Access Management, at its core, is about ensuring that the right users have the right access to the right resources at the right time for the right reason.
What are identity and access?
Identity and access are two parts to the whole of governing how your users interact with data and applications across your information systems, networks, databases, and software.
What is identity?
In the old days, before the cloud, identity consisted solely of human users, such as employees or on-premises contractors. Digital transformation changes the way we define identity. Today, an identity can be any person, object, or code that interacts with your information.
For example, an on-premises employee is one type of identity that presents a certain set of risks, while a remote employee is an identity that presents a different set of risks. Meanwhile, robotic process automation, code that manages administrative tasks, is a different type of identity from an Internet of Things (IoT) device.
The proliferation of identities wreaks havoc on IT administrators as each one needs its own ID and way to authenticate, as well as its own set of rights within the ecosystem.
What is access?
After creating an identity, you need to determine what resources that identity can access. For example, each user – whether human or not – needs access to the resources that allow them to do their jobs.
Institutions of higher education offer an excellent example of how access can become complicated. For example, a university professor can hold multiple identities that require access to different resources. As instructors, professors need access to sensitive university information such as students’ grades and advisors. Meanwhile, many universities also allow faculty and staff to take classes for free. As students, professors should only have access to their own information, not that of their classmates.
Access cannot exist without identity. However, identity is useless without providing access to resources. As such, talking about one without the other creates an incomplete picture.
What are IAM risks?
The IAM risks inherent in modern IT infrastructures lead to several; security, privacy, operational, and compliance risks.
Information security risk
IAM risks increase as organisations create complex IT infrastructures. According to the 2019 Data Breach Investigations Report, 34 per cent of data breaches involved internal actors. Additionally, 15 per cent of data breaches involved authorised user privilege misuse. The report detailed that privilege misuse was one of the top three data breach patterns for the Financial and Insurance, Healthcare, Public Administration, Manufacturing, and Retail industries.
Although privacy and security are often used interchangeably, they are two different types of risk. Privacy involves giving people control over their personally identifiable information (PII). For example, Human Resources may need access to an employee’s medical history. However, that employee has the right to keep the information private from a manager. If your company is not managing access and identity effectively, you may be violating someone’s right to privacy.
IAM also protects you from operational risks such as embezzlement and fraud. Organisations use IAM to manage Segregation of Duties (SOD). For example, a person accessing Accounts Receivable should not access Accounts Payable. If the person can access both, the individual can create a fake vendor account and pay it from the corporate bank account without oversight.
Depending on your industry, you likely need to meet regulatory compliance requirements. Most regulations require organisations to limit access to data. For example, under the Health Insurance Portability and Accountability Act (HIPAA), a healthcare provider can face fines ranging from $100 to $50,000 per violation.
How is identity managed?
Identity Management (IDM) is the way that organisations identify, authenticate, and authorise users. IDM focuses on user authentication. In short, authentication ensures that a user is who they say they are. Authentication can include:
- Unique User Name
- Multi-Factor Authentication
- Single Sign-On
Problematically, as your organisation increases the number of resources, you also increase the number of applications to which you must authorise your users. For example, if you use a shared drive for collaboration and a sales enablement tool, your sales team members need access to at least two different services. As you add more Software-as-a-Service (SaaS) applications, you increase the number of tools to which you must authenticate users.
Most organisations manage their identity data by creating a warehouse, a large data repository that contains all ID information. After creating the warehouse, they connect it to their applications and environments. If you follow best practices, you also want to incorporate multi-factor authentication (MFA). MFA requires your users to use more than one of the following authentication methods: something you know (password), something you own (smartphone, token), or something you are (biometrics).
How is access managed?
Access is a bit different from identity, although still inherently interconnected. Access defines the resources an authenticated identity is authorised to use.
Your sales team, for example, needs access to collaborative shared drives and sales applications. Your marketing team needs access to collaborative shared drives and marketing applications. However, your sales team may not need to access the marketing applications, and the marketing team may not need to access the sales applications. To complicate access further, your sales team may only need to use certain modules within a marketing application or your marketing team may only need to use certain modules within a sales application.
As part of access management, IT administrators assign identities roles, groups, or attributes that define the resources users need. For example, all sales team members likely need the same access to the same resources. To provide access individually becomes overwhelming for IT administrators, so they create access definitions that aggregate similar users and then use those to define what resources users with those definitions can access. Then, when a new user is added who can use that definition, the IT provides that person all the access necessary.
IT administrators grant users privileges, which gives them permission to access information and the ability to interact with the data.
When we discuss the “Least Privilege Necessary” best practice, we mean that you allow a user to make the minimum amount of changes that they need to do their jobs. The salesperson may need access to the sales application and the ability to change information.
Problematically, users often accumulate privileges during the course of their employment, a phenomenon called “privilege creep.” As users move throughout the organisation or interact with departments other than their own, they often request access to new resources. While users sometimes need to retain this additional access, they often only need it for a short period of time. However, overburdened IT administrators can lose track of when they need to revoke the access, leaving these users with far more access than they need.
Why are identity and access management important?
Digital transformation shifts the security perimeter, moving it from firewalls to identity. As organisations integrate new technologies into their business models, they need to protect identity and access more proactively.
On an enterprise-level, you need to focus on creating and enforcing an IAM policy that limits the amount of information and applications with which your identities can interact. You also need to expand your definition of identity to align with non-human identities such as robotic process automation (RPA), IoT devices, service accounts, and programmatic functions.
Karen Walsh, organic content marketing manager, Saviynt