Identity and Access Management, or IAM, encompasses all of the policies, methods, systems and technologies used in an enterprise to ensure that the right users can gain access to the right resources.
IAM encompasses a wide variety of technologies and solutions, including Single Sign-On, Multi-Factor Authentication, Passwordless Authentication and more. IAM is also sometimes referred to as Identity Management or Access Management, with Gartner changing the name of the space to the latter in 2018.
Access Management (AM) is usually contrasted with Identity Governance and Administration (IGA). The latter is more focused on managing identities, onboarding and offboarding users, and includes non-technological activities such as security policy compliance, for example certification of user access rights. In contrast, AM is usually more focused on the processes of authenticating and authorising users, and is more technologically focused. When discussing IAM, however, there can be overlaps with IGA.
What does an IAM solution include?
Single Sign-On (SSO)
SSO is a system where one set of credentials is used to gain access to multiple apps, systems, and/or networks, without requiring the credentials to be entered again. This is usually achieved by using SAML or OIDC, security protocols which allow Identity Providers (IdPs) and Service Providers (SPs) to securely verify the identity of a user.
Details of the user’s identity are usually taken by using a corporate directory as a single source of truth, which is used by the IdP to form a single identity which can be used across multiple cloud apps. As well as saving time entering and resetting credentials, this also removes passwords as a potential attack vector for a data breach.
Identification, Authentication and Authorisation
Identification, Authentication and Authorisation are all separate stages involved in IAM when a user accesses their account.
- Identification is the stage at which a user presents their identity to be verified by the Identity Provider.
- Authentication is the stage at which the Identity Provider verifies that the user matches the identity.
- Authorisation is the stage at which the user is granted access to the Service Provider relevant to their privileges.
Depending on the specific system in use, these stages may be handled by different entities – for example, the Identity Provider and Service Provider may be the same, or authentication may be delegated to a separate third party.
Passwordless Authentication
Often used as a part of SSO, passwordless authentication is the verification of users’ identities without requiring a password. This is often achieved using security protocols like SAML and OIDC, which allow Identity Providers and Service Providers to securely communicate with one another. A security token passed between the two allows access without requiring a password at any stage. Another extremely secure method is FIDO2, often used with hardware keys connecting over USB, Bluetooth or NFC, which provide an ‘unphishable’ method of access to corporate directories.
In order for this to work, the Service Provider must have an app which is compatible with one of the security protocols used by the Identity Provider. Where this is not the case, some IdPs can still offer a passwordless experience through password vaulting and forwarding.
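The token exchange described above, as an added example rather than code from the original article: the IdP mints a signed ID token for an authenticated user and the SP accepts it only after checking the signature, issuer, audience and expiry, so no password is ever sent to the SP. It uses an HMAC shared secret (HS256) to stay self-contained; real OIDC deployments normally use RSA or EC keys published by the IdP, and all names and values here are constructed.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT compact serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(secret: bytes, sub: str, iss: str, aud: str, now: int, ttl: int = 300) -> str:
    """IdP side: mint a signed ID token after the user has authenticated at the IdP."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_id_token(token: str, secret: bytes, iss: str, aud: str, now: int) -> dict:
    """SP side: return the claims only if every check passes; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, claims_b64, sig_b64 = parts
    header = json.loads(unb64url(head_b64))
    # Pin the algorithm: never let the token choose (rejects alg=none and algorithm confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(claims_b64))
    if claims.get("iss") != iss:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != aud:
        raise ValueError("token not issued for this SP")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; real IdPs publish RSA/EC keys via JWKS
    tok = issue_id_token(secret, "alice@example.com", "https://idp.example", "hr-app", 1_700_000_000)
    print(verify_id_token(tok, secret, "https://idp.example", "hr-app", 1_700_000_060)["sub"])
```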
Password Vaulting and Forwarding
For apps that are not compatible with open security standards such as SAML and OIDC, an enterprise password manager may be used to provide secure web authentication. In this system, passwords for each app are securely stored in an encrypted vault, and these credentials are auto-filled into login forms via a browser extension when the user accesses an app. While this is not a true Passwordless system like token-based authentication, the user experience is fundamentally the same, and it is still significantly more convenient and secure than requiring employees to manage their own credentials, as strong password hygiene is much easier to maintain. This can also be used for secure web authentication on some older applications and on-premises desktop apps, where token-based security protocols such as SAML may not be supported.
Multi-Factor Authentication
Multi-Factor Authentication, or MFA, is increasingly used as an additional security measure in IAM. With MFA, more than one factor (type of evidence) is required for the user to be authenticated. By far the three most common factors are:
- Something the user knows – e.g., a password or PIN
- Something the user has – e.g., a physical token or registered device
- Something the user is – e.g., a fingerprint
With MFA, the pieces of evidence must also come from separate factors. For example, a password and a PIN would not qualify as MFA, as these are both the same factor (something the user knows). Increasing the number of factors adds an extra authentication layer to prove the identity of the user.
Sometimes, systems also make use of other factors, such as something the user does, or the time and location of the login attempt, although these are less common.
User Lifecycle Management
One of the challenges posed by the migration to the cloud is the need to onboard large numbers of users, offboard ex-employees, and adjust the access permissions of users as their roles within the business change. An effective IAM solution helps to automate and control user access, making sure that the right people have access to the right apps at the right time. In addition, these should also adhere to the Principle of Least Privilege, where users are only granted access to the resources they require to do their job.
Some Single Sign-On solutions also enable policies that can be configured to perform Just-In-Time Provisioning (JIT), where users can be automatically onboarded to new apps without having to undergo a registration process, with the IdP and SP using their details from Active Directory.
Identity Management vs Access Management
The two components of IAM, Identity Management and Access Management, are frequently intertwined but nonetheless perform different roles within the space. While the difference can be understood on a basic level as authentication vs authorisation respectively, there are other aspects which are important to know.
While authentication is an important part of Identity Management, it does not end there. Provisioning and deprovisioning users is a crucial task for enterprises, both for efficiency and security. Effective user lifecycle management will not only make onboarding new staff easier, but also prevents the significant security risks posed by employees who leave the business and do not have their access revoked accordingly.
User monitoring and analytics is another important factor involved in Identity Management. Shadow IT poses security challenges where IT departments are unable to protect adequately against data breaches, since they are unaware of the software being used. Being able to monitor the use of cloud apps more efficiently not only helps mitigate this risk, but also allows for data to be collected and analysed to make more informed decisions about the future use of software within the enterprise.
In contrast to Identity Management, the heart of Access Management is the authorisation process. While all users gaining access will be authenticated, they will need to have their permissions and privileges managed to ensure appropriate access.
The Principle of Least Privilege is a fundamental security standard which underpins much of the thinking involved in Access Management. It states that users should be given the minimum privileges and access required to do their job. By keeping the number of users with access beyond the norm as low as possible, the whole system is made more secure, with fewer attack vectors for privileged access.
As security challenges for enterprises increase, Zero Trust Security models are becoming increasingly common. Contrasted with ‘Castle and Moat’ systems, where users are verified before gaining access to the network but left largely unrestricted once inside, a Zero Trust network will only authorise users to access specific areas. As a whole, the network is usually compartmentalised into many separate areas, each requiring further authorisation.
Why is IAM needed?
The migration of enterprises to the cloud has led to significant cost benefits for enterprises, but the proliferation of cloud apps also means the proliferation of identities. Each new app used by a department means a new set of credentials required for everybody who uses it, all of which present an additional security risk.
Authentication methods requiring a username and password are particularly problematic. Needing to constantly enter credentials, along with frequent helpdesk calls for resets, costs an average of £280 per year for each employee in lost productivity. They are also far less secure than other forms of authentication, since they are inherently vulnerable to malicious attacks – especially when the increasing number of passwords means employees are more likely to reuse them.
How IAM solves problems
The Verizon Data Breach Investigations report found that 81% of hacking-related data breaches took advantage of passwords as an attack vector. Hackers employ a variety of different methods to compromise user identities that rely on a password for authentication, but a robust IAM solution can prevent these from being used.
Brute force attacks and credential stuffing
Brute force attacks involve submitting huge volumes of password guesses, hoping to arrive at the correct result through sheer force of numbers. As the name implies, this is quite a simplistic method, but it continues to be an effective one against systems which are not adequately defended. Credential stuffing is another password attack type, where known compromised credentials from previous data breaches are used to gain access to multiple different apps and services. Credential stuffing’s success relies on the common end-user practice of reusing the same password across different cloud apps.
IAM solutions can help guard against these dangers in a variety of ways. In a system with Passwordless Authentication using SAML or OIDC, no password is used at all, and an access token is generated instead, rendering the attacks useless. For apps that are not compatible with SAML or OIDC, SSO solutions which include an enterprise password management function can generate strong, unique passwords for applications, with the ability to not disclose these to the end-user, significantly mitigating the risk of such an attack being successful.
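The two attack patterns described above leave distinct footprints in an IdP's sign-in log, and the defender's detection logic that separates them is shown here as an added example (not code from the original article or from any product it mentions): many failures against one account indicates brute force, while one source cycling through many distinct accounts indicates credential stuffing. The log format, thresholds and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed IdP sign-in log (not real data): timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice 192.0.2.5 OK
2024-03-01T09:00:05Z bob 198.51.100.7 FAIL
2024-03-01T09:00:06Z bob 198.51.100.7 FAIL
2024-03-01T09:00:07Z bob 198.51.100.7 FAIL
2024-03-01T09:00:08Z bob 198.51.100.7 FAIL
2024-03-01T09:00:09Z bob 198.51.100.7 FAIL
2024-03-01T09:00:10Z bob 198.51.100.7 FAIL
2024-03-01T09:01:00Z carol 203.0.113.10 FAIL
2024-03-01T09:01:01Z dave 203.0.113.10 FAIL
2024-03-01T09:01:02Z erin 203.0.113.10 OK
2024-03-01T09:01:03Z frank 203.0.113.10 FAIL
2024-03-01T09:01:04Z grace 203.0.113.10 FAIL
"""

def parse_log(text: str) -> list:
    """Turn whitespace-separated log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "ok": outcome == "OK"})
    return events

def detect(events: list, brute_threshold: int = 5, stuffing_threshold: int = 5) -> list:
    """Return (kind, key, attempts, successes) alerts for the two password-attack patterns."""
    fails_per_user = defaultdict(int)   # brute force: repeated failures on one account
    ok_per_user = defaultdict(int)
    users_per_ip = defaultdict(set)     # stuffing: one source, many distinct accounts
    ok_per_ip = defaultdict(int)
    for e in events:
        users_per_ip[e["ip"]].add(e["user"])
        if e["ok"]:
            ok_per_user[e["user"]] += 1
            ok_per_ip[e["ip"]] += 1
        else:
            fails_per_user[e["user"]] += 1
    alerts = []
    for user, n in fails_per_user.items():
        if n >= brute_threshold:
            alerts.append(("brute_force", user, n, ok_per_user[user]))
    for ip, users in users_per_ip.items():
        if len(users) >= stuffing_threshold:
            # a success from a stuffing source marks a reused password to reset first
            alerts.append(("credential_stuffing", ip, len(users), ok_per_ip[ip]))
    return sorted(alerts)
```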
Social engineering and phishing
Social engineering comprises a variety of methods used to either guess passwords using information known about the user, or to convince them to hand over their credentials voluntarily. This is also often related to Phishing, which is responsible for nearly a third of all cybersecurity breaches alone. These attacks are not only becoming more common, but also increasingly sophisticated, with replica pages that appear genuine used to harvest credentials. IAM solutions that use Single Sign-On and Passwordless Authentication help mitigate this threat, since there is either no password or it is undisclosed to the user.
As well as security advantages, many of the systems involved in IAM make for a smoother experience for employees, helping to increase efficiency and productivity. Passwordless authentication helps to reduce the time wasted by employees logging into applications, as well as the time taken by IT departments dealing with password reset requests.
The proliferation of shadow IT in enterprises means that the average stack of cloud apps used in an organisation can be many times larger than is believed by the CIO, or is known to the IT department. This poses significant security risks when corporate data is stored in the cloud without the knowledge of IT departments. This becomes particularly problematic if the enterprise believes itself to be protected by MFA, SSO or other security measures which are, in reality, not established on the apps its teams are actually using. Single Sign-On solutions that provide the ability to detect cloud apps being logged into by users can help mitigate this risk, enabling these applications to be easily included within the SSO.
Onboarding and Offboarding
Single Sign-On can help provision new employees with access much more quickly than through manual provisioning and account creation. With the addition of just-in-time provisioning, some IdPs can integrate the registration process into their Single Sign-On solutions, providing an automatic registration when the user accesses the app for the first time. More importantly, employees who leave the organisation can have their application access quickly revoked, even when working remotely.
IAM tools and technologies
IdPs act as third parties to provide SSO to enterprises, allowing them to adopt Passwordless Authentication as a key pillar of their IAM strategy. By using the existing corporate directory as a Single Source of Truth, IdPs can quickly and securely authenticate users, providing them with one identity which can be used across all of the apps the employee uses.
The use of SAML and OIDC-compatible cloud apps allows for the most secure transmission of data between users, IdPs, and SPs. These allow authentication tokens to be passed between the three parties instead of passwords, greatly increasing security and rendering many hacking methods used in malicious attacks ineffective.
Requiring multi-factor authentication with registered devices, biometrics and other measures can greatly increase security for enterprises. Requiring more than one factor for access means that for a data breach to take place, each factor will need to be compromised, greatly mitigating the risk of malicious attacks and weak passwords.
Some IdPs and software can allow for a far greater control of Access Management by giving IT departments greater visibility over the apps being used within the business. Shadow IT is a challenge facing most organisations, with the number of apps in use typically being far greater than those managed or authorised by IT departments.
Implementing IAM in Enterprise organisations
Most enterprises will require the use of an IdP to implement their IAM strategy, which will provide secure authentication and allow SSO with the full range of apps used by employees. Identity as a Service (IDaaS) providers also offer additional products which can provide extra security measures such as Multi-Factor Authentication.
Choosing an IdP will rely on many factors, such as the range of products offered, and how widely compatible the service is with the suite of apps used by the business. Not all apps are compatible with protocols such as SAML and OIDC, although some IdPs can provide a passwordless experience for these apps, together with legacy Windows desktop apps.
IdPs can typically leverage the existing corporate directory and use it as the Single Source of Truth for user identity. Individual apps may need to be configured initially to accept SAML or OIDC requests, but users can usually be onboarded immediately once the configuration is completed – and even immediately registered to new apps with just-in-time provisioning.
How My1Login delivers IAM
My1Login provides enterprises with many of the services needed to form a comprehensive, effective and secure IAM solution. Primarily, My1Login is the Identity Provider that delivers Single Sign-On and Passwordless Authentication, greatly mitigating the risk of data breaches by eliminating many of the problems associated with username and password credentials.
My1Login’s Single Sign-On solution uses token-based authentication to allow seamless and secure access to cloud apps. Where security protocols are unsupported, Secure Web Authentication is used to provide a passwordless experience, providing unparalleled compatibility with cloud applications, and even legacy desktop apps and mainframes.
My1Login has the configuration option to automatically detect cloud apps being logged into by end-users, allowing these to be easily added to, or excluded from, the Single Sign-On system and giving IT departments far greater awareness of Shadow IT. In addition, My1Login provides Just-In-Time Provisioning for a wide variety of cloud apps, allowing for rapid onboarding of new users.