Guest Contribution by John Wilkinson
Identity and Access Management (IAM) is the umbrella term for the structures and processes within any organization that administer and manage its employees’ access to resources. It is important to note that IAM, strictly speaking, is a conceptual discipline. IAM solutions are the software implementations that actually enforce an organization’s IAM strategy and policies. For the purposes of this article, we will dive into IAM and solutions as they relate to IT resources.
At their most distilled, IAM solutions centralize, connect, and govern access to your systems, data, and resources. Think of them as the brains that oversee an organization’s IT environment. Centralizing identity information for each individual preserves their associated permissions and security to drive and facilitate automated processes. Standardizing and synchronizing your organization’s IAM establishes the creation of an accurate, easily managed database facilitating secure, proper access for all users.
IAM solutions help calibrate the perfect sweet spot between too-open access and too-rigid security for each user’s specific role within your organization’s unique environment and operations. A successful implementation provides you with management tools for IT resources and business processes. This ensures the right users have the right access to the right resources, right at their fingertips, regardless of where their role takes them.
Why is IAM Important? – Historical Context
Understanding the “Why?” of something serves as a crucial part of understanding the “What?”. So, why are IAM solutions important? For that, we turn to the historical context of business processes and technology.
Traditional business technology operated independently because it lacked the interconnectivity afforded to us today. This created disparate data silos that existed exclusively within specific systems. Forget transferring information from machine to machine, it was often confined to individual systems and software applications. Traditional business processes worked around these limitations, requiring excessive effort and paper trails to best ensure proper completion and record keeping.
“Siloing” refers to the act of isolating something (e.g. data) within self-contained structures or systems, sequestering it away from the whole environment – think grain silos on a farm.
When organizations rely on siloed resources and data, the resulting lack of interconnectivity constrains usage within the confines of an explicit boundary. For example, HR data’s utility would be limited to the HR system exclusively. Further, siloing often forces the creation of otherwise inefficient business and access processes as workarounds. These formal or ad hoc workarounds are not a remedy, but superficial bandages for broken structural bones.
Many of these workarounds may have once seemed sensible as pre-digital, legacy efforts – such as paper forms requiring running around for five stages of approval. However, the never-ending emergence of new technologies regularly renders them redundant or restrictive.
Manual IAM – You’ve Been Using it All Along
You may not realize it, but your organization already enforces various IAM policies and procedures – they just may not be automated or digitized. Below are a few examples demonstrating manual or paper-driven IAM processes that control and monitor access to resources:
- Signing out a company car by recording your name, the date, and the starting and ending mileage on a clipboard near the keys
- Entering individually assigned security codes into a combination lock to gain building access
- Submitting paper request forms for an employee’s expenditure approvals
IAM Today
Regardless of industry, size, or location, modern organizations require IT resources to complete daily functions: your HR department uses an HR system for employee information; your accounting department uses payroll software; sales use Customer Relationship Management (CRM) systems; marketing uses Content Management Systems (CMS); everyone accesses local or cloud storage for file and data sharing; and so on.
Utilizing these resources requires user accounts associated with individuals. To access a user account, an employee must authenticate their identity – often by entering username and password credentials. User accounts must be created, maintained, and deactivated over the course of their lifecycle, which most often correlates with the duration of that user’s employment.
Effectively leveraging IT resources amidst today’s expectations of immediacy requires instant access to applications, files, and data at any time, from any device, in any location. On top of all that, the never-ending onslaught of malicious digital entities in a world more connected than ever complicates traditional processes and access.
Thriving in today’s business world depends on optimized operations, data, and security. Inefficient processes add up fast to slow you down. Manually managing user account creation and provisioning, ad hoc requests, authentication, access reviews, security efforts and more burdens not only your IT staff but every employee who utilizes IT resources. Combining these challenges with increasingly demanding regulatory compliance (e.g. HIPAA, SOX, FERPA) and breach risks, every enterprise currently contends with the most rigorous environment ever.
Further, what type of accounts are used in daily operations? When roles with elevated permissions (e.g. directors, managers, specialty roles), conduct operations through their privileged accounts all the time, there is a much higher likelihood of those accounts becoming insecure and excessive activity may be carried out without notice. Privileged access management is critical to keeping your environment secure. If it’s not necessary to use a privileged account, don’t. It’s that simple. On the opposite end, generic accounts shared by multiple users eliminate insight. Overusing privileged and generic accounts does make management easier, in that none exists and everything is catastrophically less secure.
Failing to enact strict processes, policies, and security measures create chaos. Without such, your personnel’s access rights can quickly spiral out of control and, in turn, complicate everyone’s understanding of roles and responsibilities. This disorganization creates security risks, oversights, and negligence with the potential for serious ramifications.
An IAM solution is the best platform you can give to set your organization up for success. Automating your back-end management processes ensures proper execution of critical and menial tasks, provides safe access and reclaims the ability to reprioritize your people with more important tasks.
Check out the infographic below for some more stats on Identity & Access Management:
IAM Solutions Defined
IAM solutions are dynamic technologies that manage, integrate, and amalgamate user identities, account lifecycles, user permissions, and activities. In plain-er English – IAM solutions manage the who, what, where, when, why, and how as they relate to users operating across any organization’s “increasingly heterogenous technological environments” (Gartner).
The implementation of such a platform allows verified users to access necessary resources, IT professionals to focus on productive work instead of menial administrative tasks, and the organization as a whole to operate more efficiently. IAM gives an organization the ability to shift energy towards impactful, ROI-focused, and beneficial operations rather than be constrained by the management of its systems.
IAM Solution Components
There are four main components of any IAM solution:
1. Authentication Management
Authentication Management verifies identities and accordingly grants or denies initial access to systems. This is the “Identity” side of IAM and ensures that every user is who they say they are.
Traditional identity verification requires username and password credentials, but newer Multifactor Authentication (MFA) supports the use of one-time passwords (OTP), tokens, smartcards, and more. One of the most common current authentication methods is to sign in to Microsoft’s Active Directory (AD) when employees first log in to their computer.
2. Authorization Management
Authorization Management guarantees an authenticated user may only access the necessary applications and resources for their given role. This is the “Access Management” side of IAM and may incorporate additional elements such as Single Sign-On and Access Governance (AG) role models, which consists of a matrix enforcing Role-Based Access Control (RBAC).
Role models can be thought of as digital charts outlining hierarchical employee structures related to access. Single Sign-On (SSO) makes all of the users IT resources available after completing a single login to eliminate repetitive authentication attempts and poor password security when accessing various systems and apps.
3. Administration
Administration the automation of user account lifecycles: creating, modifying, disabling, and deleting user accounts for systems and applications. Whereas Authentication and Authorization Management oversees access security, Administration oversees the provisioning of resources. Linking source systems (e.g. HR systems such as UltiPro or WorkDay) to target systems (e.g. AD, O365, G Suite, SalesForce, Adobe), IAM solutions allow you to automate manual tasks for complete, end-to-end provisioning.
Administration coincides with the user account lifecycle, from setup on an employee’s first day to deactivation upon their departure. As employees’ roles change (e.g. promotions, re-orgs), IAM solutions will automatically reprovision and update resources and access accordingly. Ad hoc changes for things such as one-off projects can be handled by self-service functionality, allowing users to request access directly from their manager or the resource’s “owner”. Because IAM solutions provide administrative interfaces, technical knowledge is no longer required to provision users. Managers can simply approve a change and let the solution process the rest.
4. Monitoring & Auditing
These capabilities support internal, active management and reviewing an organization’s operations and processes via comprehensive activity logs. Activity logs may be used to compile business intelligence reporting and audit trails, perform access reviews, ensure correct roles and fix any inefficient IAM processes or issues.
IAM Execution
IAM solutions run on “authoritative data”, which is the most accurate and complete set containing your employee’s identity information. Organizations must provide authoritative data for an IAM solution. Authoritative data must be clean and entered in a consistent format or the automation will run into problems. Most identity data is stored in “source systems”, such as an HR system that contains personal/contact information, starting and ending dates, function/role, department, location, etc.
Think of source systems and data like a car battery – you can hook up all sorts of electrical functions and features, but as the source, the battery must provide enough clean electrical current for them to work. IAM processes can only by a run with clean, consistent, and complete data inputs. Using standard connectors between systems, IAM solutions can aggregate data from many different source systems before pushing it out to the connected targets.
Organizations must determine, in detail, which resources a given individual receives for their role and incorporate such into their AG model. IAM solutions rely on configurable triggers and processes to take this authoritative data and synchronize it across your entire IT environment. An assortment of fields and values are monitored for changes. When changes to source values occur, the IAM trigger monitoring such initiates an associated process to synchronize data according to the configured logic.
Individuals in an organization can have different identities, which are often stored separately within an IAM solution. Based on these identities, IAM can create and manage different user accounts for different employee types and role responsibilities. If a user needs to perform duties requiring elevated privileges (e.g. accessing payroll information), they should use a privileged account. To check their email or create a document, they should use their general user account without elevated privileges. Privileged access management better allows employees to operate with the user account that fits the situation.
Source systems still provide all of these identities’ information but do not assist with their proper management. An IAM solution acts on the authoritative data and is what makes all of these complex links between identities and users possible.
IAM Security
Security risks begin when an employee is hired with the handing off of newly created accounts and credentials to the day that employee leaves. Over the course of their employment, a user’s resource needs will likely change. Promotions, reorganizations, role changes, and ad hoc projects all contribute to shifting access needs. Over time, much of this access may become unnecessary or even a compliance risk, which translates into security concerns. It’s especially concerning if the access in question threatens sensitive information such as Personally Identifiable Information (PII), credit card or social security numbers, etc. This access accumulation is referred to as “permission bloat”. IAM solutions counteract “permission bloat” by restricting access to the employee’s needs depending on their role here and now.
Those risks don’t end even after the employee leaves unless you have a comprehensive and automated deprovisioning process. A deprovisioning process deals with cleaning up departing employees’ accounts and access. Without an IAM solution, securely tracking all of a given user’s accounts, credentials, and access (physical or digital) – let alone removing them all in a timely manner – becomes impossible.
When a user departs an organization, all of their associated accounts must be deactivated and deprovisioned. If not, the original user can still log into them with the same credentials even if they’ve departed your organization. A malicious ex-employee can take sensitive data (e.g. client information, intellectual property, account credentials) or damage your environment in worst-case scenarios. Ex-employees may access your IT resources until deactivation. That could be days, weeks, months, or even years. Failure to clean up accounts and access exposes cloud storage, customer data, upcoming projects, marketing materials, and more. Stalled deactivation is especially dangerous for cloud-hosted resources anyone can access from their personal devices.
“Orphaned Accounts”
The other primary reason for adhering to a standard deactivation process is to prevent the accumulation of “orphaned accounts”. Orphaned accounts are those no longer associated with an active user and remain in your environment. This digital detritus clutters your ability to accurately assess your environment while also taking up storage space. One of the most important processes of an IAM solution is cleaning these up.
Looking Towards the Future: IAM and the Cloud
Today, most businesses split their IT environment by incorporating cloud apps for their decreased maintenance costs, faster implementation, and access flexibility. However, these hybrid environments pose serious challenges to traditional business operations and “manual IAM”. Unmanaged cloud app usage invites security risks through the countless new openings in your IT environment – not to mention it can frustrate users with repetitive logins. Issues such as these are why cloud-based or web SSO functionality is so important.
IAM solutions with cloud-based/web Single Sign-On (SSO) functionality help bridge the gap in hybrid environments. An SSO’s central login portal gates all of the users IT resources behind a single login with strict security protocols and configurable access policies. Once authenticated, a user has all the access they need for their role in a portal that minimizes openings in the network and associated breach risks. For extra security, MFA may be added to SSO authentication.
Without some central, authoritative database operating as the go-between for your users and their resources, they will have to log in repeatedly to their accounts separated across your on-premise and cloud infrastructure. Managing all of these different accounts complicates daily usage as well as administration. Users have to juggle URLs, credential complexities, password expiries, automatic sign-outs, and other measures that – while providing security – prevent easy access and bring productivity to a grinding halt.
In order to develop a successful organization, your personnel must be enabled to be successful as individuals or teams. This requires access to the means and resources to complete daily duties (e.g. apps, shares, management tools, collaborative spaces) and the flexibility to act decisively when the moment requires. Complicated access requirements and bloated business processes do nothing but put the kibosh on your personnel’s productivity, their motivation, and everyone’s momentum.
IAM solutions have always ensured proper access, compliance, and security, but are now beginning to reap greater benefits from new data, diverse application interoperability, and business intelligence. As an active contributor to organizational growth, IAM solutions provide wide-ranging functionalities that empower users at every level.
Linking It All Together
Despite every groundbreaking and industry-disrupting technological breakthrough, the use of data remains the most significant constant across all of your IT resources.
By implementing verifiable identities, automated processes, access governance, and self-service capabilities, an IAM solution utilizes your organization’s data to construct its framework. This framework controls and monitors all of the aforementioned challenges regarding business processes, access, and security.
IAM solutions eliminate your organization’s dilemma of choosing between access and security through governance policies that enable user productivity and streamline operations. A successful implementation will both foster organizational efficiency and maintain detailed audit logs to review a user’s access and activity.
Without a significant change of inputs (e.g. employees, cash flow, supply/demand), the only possible way to achieve increased outputs is through organizational efficiency. IAM solutions provide the management tools to pursue that output increase – whether it is achieving a more flexible organization, more ambitious technological implementations, reinforcing security, elevated enterprise endeavors, or whatever goals and vision you have.
To recap, IAM solutions:
- Ensure users can access the resources they need.
- Restrict unnecessary or irregular access for security enforcement
- Provide management and IT with the tools and insights to perform complex administrative tasks and process optimization
- Automate processes and menial tasks, giving your organization the flexibility to reprioritize people with more impactful work
- Enforce security throughout the user account lifecycle – from provisioning and safely handing off accounts and credentials to rapid deactivation following departures
- Assist with audit preparation via sophisticated reporting and activity logs
Some IAM Solution Providers:
- Tools4ever
- Okta
- IBM
- Microsoft Azure
- Centrify
- PING Identity
- Identity Automation
- SailPoint
The bottom line, IAM solutions benefit everyone in your organization.
This holistic, organizationally-driven mindset is central to successfully implementing an IAM solution. From the start, regard IAM solutions as enablers for what they accomplish rather than purely a series of “set and forget” technical implementations dropped on the IT department to switch on. While processes are automated, IAM solutions require active management and configuration to achieve desired results – they execute what you tell them to. To best integrate with your organization’s needs and operations, your solution’s configuration must reflect them to be effective.
An IAM solution is thus one of the most intelligent and financially responsible decisions any modern business could make. A comprehensive technology plan acts as an organizational lever, allowing more accomplishment with less. If that premise is true, then Identity and Access Management is the fulcrum with which that multiplication achieves the greatest benefit.