Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
If in the past you would only need to keep your data and resources behind a firewall, nowadays, something more robust is needed. With data breaches becoming more and more common in the last years, IT departments are turning to Identity and Access Management (IAM). This guide is intended to help you understand the essential concepts, and to provide pointers for where to begin.
You will learn:
- What Identity and Access Management involves;
- How IAM works;
- Key components of IAM;
- IAM models;
- Benefits of implementing Identity and Access Management;
- Challenges and risks of IAM;
- An IAM implementation strategy.
What Is Identity and Access Management?
Identity and Access Management refers to a combination of processes, tools and policies which control access to your organization’s information. Its goal is to ensure that only the right people and devices can access the right systems at the right time.
There’s no single form of IAM – different organizations implement it in different ways, using different tools and measures.
For example, for a small business with 10 employees and relatively little sensitive information, IAM could be as simple as using two-factor authentication when people log on remotely. But for a global accountancy firm, it could include multi-factor authentication and a range of policies and automated processes that regulate what thousands of staff can see and do.
As the name suggests, Identity and Access Management is made up of two ‘parts’ which work seamlessly together:
- Identity: This is about verifying that people (or devices) trying to access your systems are who they say they are. Compared to a username and password – which only shows that someone knows those credentials – IAM tries to use additional methods to ensure that people are who they claim.
- Access: This is about controlling who can see what, once they’ve entered your environment. It’s partially about applying permissions and defining which software and information people can use and see. But it goes further. IAM automates onboarding and offboarding of users, and also monitors their behavior inside your environment to spot any suspicious activity.
To understand the value of IAM over traditional methods, compare the following login processes.
| Logging in with a username and password | Logging in with Identity and Access Management |
| An employee gets given a username and chooses a password.
Once they’re set up, they can log into your systems from any computer connected to the network, and view any files or software they have permissions for. A hacker only needs to find out that person’s password to access your entire environment. |
In addition to using their username and password, employees must provide additional information (such as biometrics) to get ‘into’ your network.
Once they’re inside, the system monitors which apps or data they view. It monitors for any suspicious behavior – such as trying to view files the individual doesn’t usually access. Even if a hacker steals a password, they have the problem of two-factor authentication. Even if they find a way in, the IAM system may spot unusual behavior and the account can be frozen. |
Identity and Access Management is increasingly common
IAM has evolved rapidly in recent years and is increasingly commonly used in organizations around the world. 57% of firms in the EMEA region were using multi-factor authentication in 2022.
That being said, deployment is still patchy. For example, only 39% of survey respondents said that more than two-fifths of their employees were using MFA for cloud-based applications.
How Does Identity and Access Management Work?
Every organization’s approach to IAM will be unique to them. The ‘flavor’ of IAM that you implement will depend on the sensitivity of information you hold, your tolerance to risk, and how your company works. That being said, Identity and Access Management will almost always comprise the following four features:
A centralized directory of all identities
A key pillar of any IAM system will be a central directory of all individual people and things (i.e., devices, bots, printers…) that have been given some form of access to your network. This includes employees, but it also includes contractors, business partners, interns, customers and anyone else who might at any point be given access.
Most organizations already have this in the form of Microsoft’s Active Directory or Google’s Identity Services.
The directory will include key details about each user’s identity, including information details such as:
- Name
- Username
- Business email account
- Personal/alternative email account
- Phone numbers
- Date of Birth
- Home address
- Main place of work
- Job role
- Direct reports
Authentication method
Today’s IT leaders can choose to implement a variety of different authentication methods. A key characteristic of IAM is that users will always need more than just a username and password to get into their work systems. There are numerous variations, but options include:
- Two-factor authentication: After logging in with a password, the user will then receive a text or email with a code. They must enter this code into the interface to prove they are who they say.
- Multi Factor authentication (MFA): Users must provide two or more forms of authentication. MFA commonly includes the use of biometrics (fingerprint scans, facial recognition or iris readers) to verify identity.
It’s also common for IAM solutions to support single sign on (SSO). SSO essentially allows users to log into several systems on the company’s network after just one signing in process. This makes the process of logging on smoother, and means people are more likely to comply with your security processes.
Another important trend in IAM is the ‘Zero Trust’ model. Essentially, any time a user (or device) makes a request to access a document or use an app, they must re-authenticate their identity.
Access control
Identity and Access Management aims to control what people can do once they’ve logged into your environment.
At the most basic level, this is about ensuring permissions levels are applied consistently and correctly:
- A systems administrator should have privileged access to your backend IT, but doesn’t need access to HR documents.
- A salesperson only needs access to your CRM system and their email account.
- A finance intern should only be given access to documents they need for specific tasks. But the CFO should be able to see almost every finance document.
Modern IAM systems go much further than just controlling permissions. One of their most important features is the ability to automate processes:
- Onboarding new staff to company systems should be as seamless as it is for people to sign up to consumer apps.
- The offboarding and account closure process should also be automatic. The ‘dead’ accounts of contractors, temp staff and former employees should be identified and closed as soon as those individuals no longer need access.
- Basic identity processes (changing a password, updating a home address) should be self-service and simple – without people needing to contact the IT service desk.
- Similarly, if individuals get promotions or move sideways within the business, the process of adjusting their access and permissions should be straightforward.
Monitoring and security
The final cornerstone of modern Identity and Access Management is the use of technology that can monitor behavior for the purposes of security. IAM systems can do things like:
- Identify location changes: Using machine learning, the system should learn about users’ typical location, and alert IT to any unusual activity. For example, if someone usually connects to your systems from the Paris region, but then unexpectedly connects from Jakarta, it should flag this.
- Identify changes in behavior patterns: IAM systems should be able to ‘spot’ changes in behavior. For example, say an employee mainly uses one folder in your file management system, but then suddenly starts trying to view many other folders that are unrelated to their job. This could be a sign their account has been hacked.
- Unusual device behavior: IAM systems can also spot unusual behavior in connected devices or systems. For example, if the settings on an internet-connected vibration monitor in one of your factories suddenly start being changed, then this could also be a sign of a breach.
Identity and Access Management Models
If you’re looking to introduce IAM at your organization, it’s important to consider your underlying ‘philosophy’ for access management. There are, broadly, four main approaches:
Discretionary Access Control (DAC)
In DAC, the owner of a resource (e.g., a folder, a database, an app) decides who can access it. People who wish to enter that area must contact the owner, who then gives or denies access. DAC can be a reasonable option at small organizations, but soon becomes unwieldy and inefficient the more data and users there are.
Mandatory Access Control (MAC)
With MAC, all resources are given a security label (e.g., Top Secret, Secret, Confidential, Internal, Public). Employees and other users are only able t see resources based on their security clearance level.
The drawback of MAC is that if a hacker can access the account of an individual with a high security clearance, they can then view all the files or resources that person has access to with ease.
Role-Based Access Control (RBAC)
In an RBAC system, an individual can access resources dependent on their job title or department. For instance, people in the HR department can view HR files, but they can’t see finance files.
The drawbacks of RBAC are similar to those of MAC. Once a hacker is ‘in’, they can view all files and folders that a users has access to.
Attribute-Based Access Control (ABAC)
With ABAC, access to resources is dependent on several factors associated with the individual and is highly customizable. An individual is given access to resources based on the subject (who they are), the object (files or apps they’re trying to open), and environmental attributes (where they are when they’re trying to access a resource).
ABAC is perhaps the most advanced approach to managing access. However, it is much more complex to set up than other systems. However, modern IAM platforms can make the process of launching ABAC easier. ABA may also use artificial intelligence to support some of the verification processes.
Benefits of Implementing Identity and Access Management
Introducing IAM at your organization can deliver multiple benefits around security, compliance and user experience:
More levels of defense
No network can ever be completely safe from hacking, but IAM makes environments more secure than traditional firewalls. Even if a hacker gets inside your environment, IAM access management policies make it harder for them to ‘move sideways’ and steal more of their victims’ information.
If traditional security is like a ring around your data, IAM is like an onion, with several layers of additional protection.
More likely to remain compliant
There are multiple pieces of legislation around the world which regulate data management and breaches. Using IAM reduces the risk of breaches. It also demonstrates that a firm has followed best practise if it ever gets audited.
Pragmatic solution for resource-constrained cybersecurity teams
IAM platforms help cybersecurity professionals manage and monitor their environments in a more effective way. The use of AI and ML to scan for unusual behavior and flag threats means IT teams are more likely to find breaches sooner.
Move beyond passwords
A 2023 study found that 75% of workers continue to use weak passwords. According to the most recent Verizon Data Breach Investigations Report, this kind of human error remains the top cause of breaches.
And this is why IAM can be so beneficial. While usernames and passwords are still used, it emphasizes the use of multi-factor authentication methods and single sign on. MFA means that even if a user chooses a weak password, they also need some other evidence that they are who they claim.
Meanwhile, SSO makes the process of logging into multiple systems smoother, meaning users only have to remember one password – and are therefore more likely to choose something more complex and harder to guess.
More efficient
IAM solutions are significantly more efficient than traditional IT security services. They automate tasks such as deleting unused accounts, while also facilitating self-service for users to solve minor administrative tasks.
Ready for the future of work
As people work remotely more often and use their own devices, IAM systems are much better suited to protecting your environments than, say, using VPNs. Similarly, as we increasingly use bots, internet connected devices and AI in the workplace, IAM solutions are better suited to monitoring these technologies and controlling what they can do.
Challenges and Risks of Identity and Access Management
Many IT departments can see the benefits of implementing IAM. Nevertheless, many struggle to fully implement this approach – as alluded to above. There are several reasons why Identity and Access Management projects flounder:
Major cultural change
Implementing IAM correctly requires an enormous change in organizational policies and procedures. The way that information is partitioned, the sense of ownership people have over ‘domains’, and the ways access is given (or taken away) must all change if you are to implement IAM. This can cause significant confusion and resistance.
Technological shift
Implementing IAM also requires a significant technological shift. Introducing biometrics and MFA, for instance, requires new hardware, testing, training and deployment.
Complexity
Introducing IAM can be highly complex. Particularly at larger organizations that use multiple IT systems, legacy databases, and various access hierarchies and permissions, introducing IAM is far from simply ‘plug and play’. Implementation projects can therefore be highly complex.
An IAM Implementation Strategy
Each organization’s approach to deploying Identity and Access Management will depend on factors unique to them. That being said, the following IAM implementation strategy can serve as a basis for your project roll out.
- Meet with stakeholders
A good quality IAM rollout is ultimately about change management – yet this is often overlooked. It’s very important to speak with different stakeholders, understand their security, identity and access pain points, and learn what they want and need from IAM. Identity and Access Management will affect people right across the organization, so it’s vital to get input from department heads, C-level execs and IT.
- A vision that aligns with business goals
To correctly roll out IAM, you need to ensure that it matches up with your organization’s business goals. At the very least, your IAM project should be about achieving higher levels of security. But ideally it should be consistent with your wider plans for remote work and digital transformation.
- Map your current identity and access landscape
To implement IAM, you need a complete understanding of all users, systems and devices that are connected to your network. This involves more than just reviewing your Active Directory – you need to map who has access to what, and what they use it for. This mapping process can be highly complex – particularly when you have people working remotely, or connected devices and bots.
- Map current access privileges and permissions
You also need a clear idea of who has access to what – and what your current security model looks like. You then need to think about how this will change once you implement IAM. For instance, if you’re shifting from Direct Access Control to Attribute-Based Access Control, you’ll need to plan for changes in people’s permissions rights.
- Deploy the technology
In many ways, deploying IAM technology is the easy part. Once your IAM platform is connected to all your software and hardware, it will need to be fine tuned to the needs of your business and your access model. It’s generally recommended to start slow – begin with one department, learn lessons, then roll out to the wider business.
- Continual training and awareness
As mentioned above, Identity and Access Management implementation is, ultimately, about change management. Regular training and communication about the change to logging on and access is vital to get people on board.
How Can Heimdal® Help?
Since privileged accounts have special permissions and are the ones close to the most critical data of an organization, they, of course, require special attention and management that only can be acquired through a powerful PAM strategy powered by an automated Privileged Access Management Solution that will properly manage the approval/denial flow to privileged sessions.
A PAM solution will enforce the principle of the least privilege and here’s the benefit of it being integrated with IAM:
A modern privileged access management (PAM) tool will go hand-in-hand with your IAM process, and will even boost its efficiency. So how can the right software help?
- Automatically scan and identify all privileged accounts;
- Enable just-in-time access to avoid standing privileges;
- Identify and remove all hard-coded credentials;
- Implement multi-factor authentication, one-time passwords, digital tokens, and other security protections;
- Access ongoing monitoring and behavioral analytics to shut down suspicious behavior.
FAQs
Which kinds of organizations need Identity and Access Management?
Any organization of any size can benefit from implementing IAM – from startups through to multinational businesses or public sector bodies. It is especially valuable for organizations that hold sensitive data, and which have relatively complex permissions and access hierarchies. IAM is also important at any organization where remote working is common, or where there are many different ‘entry points’ into the network (computers, smartphones, printers, IoT devices, chatbots…).
What is multi-factor authentication?
MFA is a form of access management which requires users to provide two or more pieces of ‘evidence’ that they are who they say they claim. It includes things they know (such as a password), things they have (such as a smartphone) and things they inherently ‘are’ (such as their fingerprint or other biometrics).
What are the 4 key components of Identity and Access Management?
Any IAM system will include: 1) a centralized directory of all identities, 2) authentication methods, 3) access control and 4) monitoring and security.
Who should be responsible for Identity and Access Management?
The underlying premises of IAM is that everyone in an organization should be taking responsibility for security and good cyber hygiene. While the implementation of IAM is usually led by cybersecurity or IT teams, it’s absolutely vital for stakeholders across the business to engage with the policies and procedures.
How is Identity and Access Management different from other security methods?
IAM is growing in popularity because it provides a far more comprehensive approach to keeping an organization’s data safe than other security stances. It is also especially well suited to a world where people work remotely more often, where work is carried out in both cloud and on-premises systems, and where far more devices and AI solutions are connected to a company’s network than in the past. IAM is able to handle these more complex security needs.
Heimdal® Privileged Access Management
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
