What is IAM? (Identity and Access Management)

Contents

An increasing volume of data is generated and consumed every day, and this has consequences for companies, governments, and other organizations. They have to manage the data of thousands and thousands of users with different access rights, across a wide range of platforms and systems. Whether the users are customers, corporate partners, employees, or cloud providers, they all rely on networks. In fact, identity management has grown to such an extent that it now often reaches far beyond an organization’s own infrastructure.

But that’s not the only reason why companies and governments have to be so careful about managing and maintaining data. They are also required to manage access rights on an ongoing basis to fulfill compliance regulations. The purpose of Identity and Access Management, or IAM for short, is to manage user identities and the associated access rights.

Due to the decentralization of systems, global cloud access and the increased use of mobile devices, IAM is becoming the most important data management solution. Without an Identity and Access Management system it is almost impossible to keep track of which users need which rights, why and when they need them, and how they use those access rights on their device. IAM provides a way of navigating through this labyrinth of data.

The most important terms of IAM

The larger a company, an organization or a government, the more identities, accesses, and authorizations it has to manage. This is where Identity and Access Management comes in useful. It simplifies and automates the collection, verification, and management of user identities and access rights. That alone is a huge help, but as well as this, IAM systems help organizations to fulfill their compliance obligations. They ensure that all individuals and services are correctly authenticated, authorized and verified, and that all access rights correspond to the defined policies and the user’s role within the company.

Thanks to IAM, users can quickly and securely access various systems, applications, cloud structures and so on. This process is known as provisioning. The opposite process – deprovisioning – can also be done via IAM. These principles form the basis of Identity and Access Management, which is based on roles and rules.

In many cases, accesses and access authorizations can be determined by users themselves. With self-service portals or fully automated sign-up and approval processes, all the responsible parties are nonetheless involved so that control and security never get out of hand.

Some IAM terms:

Access Management is about monitoring and controlling network access.
Context-aware Network Access Control is a policy-based method for accessing network resources which considers the user’s context.
Identity Lifecycle Management covers all the processes and technologies used to store, delete, and maintain digital identities.
Identity Synchronization ensures that different systems all receive the same information for a particular digital identity.
Multi-Factor Authentication (MFA) is an authentication method that requires more than one factor (password and username). Two-factor authentication is one example of this.
Risk-Based Authentication (RBA) is a flexible type of authentication which allows a user to log in to a network from a new location for instance.
Security Information and Event Management (SIEM) provides a broad overview of IT security, including any suspicious events and current attack trends.
User Behavior Analytics (UBA) involves analyzing user behavior to detect security threats.

The main role of IAM is to assign each user a digital identity. Once this identity has been established, it has to be maintained, updated and monitored. Identity and Access Management systems provide administrators with the tools they need to modify user roles within their network, monitor activities, generate reports, or simply enforce security policies.

Identity and Access Management – scope, functions, and tasks

IAM systems are designed to cover the access authorizations of an entire network, including all internal and external compliance regulations. Consequently, they include a wide range of technologies, tools, software, and apps, including password managers, provisioning software, and apps for security policies, reporting and IONOS Help: "How to create a monitoring policy".

IAM systems need these features to be flexible, powerful, and secure enough to meet today’s requirements. Simply authenticating or monitoring users in a system is no longer sufficient. That’s why Identity and Access Management now goes much further. It provides a simple way of managing user access rights independently of location or network, whether that means customers all over the world, or employees working from home. This applies to hybrid environments too, from SaaS computing to modern BYOD management. The functions of IAM make the system flexible enough to run on all common IT architectures: Windows, Mac, Android, iOS, UNIX, and IoT devices.

However, having so many possibilities also increases the security risk. The more complex an IT environment, the more complex the threat situation. At a basic level, IAM systems regulate access using conventional authentication methods like passwords, hardware tokens, digital certificates, and card systems. Modern Identity and Access Management systems use biometric authentication on top of this: fingerprints or facial recognition on smartphones for instance.

And nowadays, machine learning and artificial intelligence are also being used to ensure the best possible protection of user data. Let’s take a look at an example. Companies today rely on IAM systems that use Multi-Factor Authentication. The factors are: the password chosen by the user, the user’s smartphone, and the related authentication method (fingerprint, or face or iris scanning). That’s already three factors that verify the user’s identity.

IAM functions serve a practical purpose as well as ensuring security. For example, they have a mechanism that allows users to use a single login for several networks. This feature is particularly widely used in today’s smartphones. By logging in to just one account (Google or Facebook for example), users can access all kinds of apps which would otherwise require them to sign in. Private users really appreciate this, because it means they don’t have to set up new login details for each account.

This model is known as federated IAM. It relies on cooperation and trust between the parties. Providers like Google and Facebook vouch for their users by allowing them to use their account to log in to partner sites or apps. The technical function at work here is called Single Sign-On (SSO). Once verified, users can use the same identity to log in to multiple networks. Authentication between the different partners takes place in the background without the user realizing, via an identity protocol such as Security Assertion Markup Language.

The (big) advantage and (small) disadvantage of Identity and Access Management

The advantages of IAM can best be understood by considering the disadvantages of not using it, or of only using a very basic system. If a platform cannot clearly identify its users and assign them the appropriate rights, problems will arise very quickly. And the bigger the platform, the more problems there will be. Using a smart Identity and Access Management system simplifies and automates the process of collecting and controlling user data. It ensures compliance with policies and allows administrators to monitor user behavior and platform service performance.

The biggest benefit of IAM is its all-encompassing nature. Whether on a mobile device, a decentralized IT system or globally via the cloud, IAM can be used everywhere.

The slight drawback is that each organization has to find the right IAM system for its needs. IAM requirements are largely the same in all systems, so a single solution can fit all. However, each company has its own procedures, its own systems, tools, and priorities, and even its own philosophy. In fact, this is often a stumbling block that companies and governments encounter when implementing an IAM system. It has to be supported by every single department and not considered to be the responsibility of IT alone. For this to be possible, fundamental questions have to be answered in advance, for example, who should have access to what? The next questions to ask are “who will control access” and “what should happen if something is not correct”? In other words, it is essential that organizations take a holistic approach to defining roles and access rights.

After this, an architecture concept can be created. It’s important to remember that as well as users, there might be other systems, partners, associates, suppliers, customers, employees, and so on to take into account. Depending on the industry, it might also be necessary to define regulators and auditors, to scale the number of users for instance.

A centralized system like this is of course an attractive target for hackers. Consequently, newer IAM systems incorporate a tamper-proof blockchain to prevent cyber criminals from tracking or collecting login credentials.

Where are IAM systems used?

Identity and Access Management is used anywhere that users need to be authenticated and authorized. Nowadays, managing user identities and access rights for networks, applications, and other digital systems is the norm.

If a user wants to use a system or an app, they usually have to prove that they are authorized to do so. In most cases this means logging in with a username or an email address and a password. More modern systems use combinations of key cards, biometric authentication, and smartphones.

Note

You can think of IAM as the doorway to a network. In many instances, organizations are required to have this type of system to comply with the EU General Data Protection Regulation (GDPR) and other laws. Compliance breaches can be severely punished.

In fact, even for purely practical reasons, companies today cannot afford to operate without an IAM system. By automating so many aspects of identity management, IAM systems take pressure off IT departments. Helpdesk staff no longer have to manually deal with time-consuming processes like resetting user passwords.

Even more essentially, Identity and Access Management forces companies, governments, and other organizations to define comprehensive in-house data policies. At the end of the day, this is a good thing not just for the network, but in terms of data security overall.

Online Identity Theft

Many only know internet identity theft and similar crimes from movies or television. But stories of online fraudsters are not just mere phantasies of screenwriters; for many the experience is all too real. Online identity theft has become more and more of a problem over the past…

Data Protection
Security

Sashkinshutterstock

Mandatory Access Control (MAC): how does it work?

Data protection is very important, especially when it comes to high-security branches like the government and the military. Users in most organizations only have access to the data they need to do their job, and when it comes to highly sensitive data, it’s important to have a…

wk1003mikeShutterstock

What is FIDO2?

Passwords are not an ideal way to surf the World Wide Web safely. They are either so complex that they are hard to remember, or so simple that they can be guessed in next to no time. FIDO2 takes a different approach and relies on modern technology. The open standard has the…

Security