What Is Identity and Access Management?
IAM involves the people, technologies, policies and processes that help IT professionals manage and control digital identities and specify how each accesses different resources.
In real life, however, this is not as simple as it sounds. That's because IT professionals working in an enterprise need to make sure that they are providing the right level of access to every employee so that they can perform their jobs properly. However, there are just too many security risks involved when this process is taken for granted. Give an employee too much leeway into what types of documents, systems and platforms he or she can access, and there is a chance that documents, processes and information could fall into the wrong hands.
This is the reason why identity and access management has become the business-critical process that it is today - and why in practice, it's often more complicated than it seems.
What Does Identity and Access Management Do?
It's safe to say that the goal of identity and access management is to give the right people the right level of access at the right time.
To that end, IAM activities may be classified into four different categories:
- Authentication
This involves two different areas: one is authentication management and the other is session management. In authentication management, a user gives the system sufficient credentials in order to access the system or a resource, such as by logging into the email service using a username and password. Once this is successful, a session is created that stays valid until the user logs off or until the session times out or is terminated in other ways.
- Authorization
Authorization is the process that determines whether a user has the necessary credentials to perform an action. This happens after authentication and is governed by a set of rules and roles. The simplest way to authorize a user and allow an action is through access control lists, where a user or a resource may perform only the actions they have been given permission to carry out.
- User Management
This pertains to how user accounts, passwords, permissions and roles are managed in IAM from the time a user account is created until it is de-provisioned or terminated. In practice, most companies allow for delegated user administration, spreading the IAM work to concerned departments while also keeping some functions centralized with IT. There are also companies that allow for self-service user management, such as permitting the user to change his or her own password without having to go through the department head or to the IT department.
- Directories or Central User Repository
This is where all identity information is stored. The central user repository is also what delivers identity data to other resources and verifies the credentials submitted by various users.
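The four categories above can be seen working together in a small model. This is an added example, not code from the original article: the class names, the 900-second timeout, the PBKDF2 parameters and the sample ACL are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SESSION_TTL = 900  # assumed session timeout, in seconds
# Constructed sample ACL: resource -> user -> permitted actions
SAMPLE_ACL = {"payroll-report": {"alice": {"read"}}, "hr-records": {"bob": {"read", "write"}}}

class Directory:
    """Central user repository: stores identities and verifies credentials."""
    def __init__(self):
        self._users = {}  # username -> (salt, password hash)
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def provision(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))
    def deprovision(self, user):
        self._users.pop(user, None)
    def exists(self, user):
        return user in self._users
    def verify(self, user, password):
        # Unknown users still cost one hash, so response time gives less away about which accounts exist.
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(stored, self._hash(password, salt))

class AccessManager:
    def __init__(self, directory, acl, now=time.time):
        self.directory, self.acl, self.now = directory, acl, now
        self._sessions = {}  # token -> (user, expiry time)
    def login(self, user, password):
        """Authentication: on success, create a session and return its token."""
        if not self.directory.verify(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self.now() + SESSION_TTL)
        return token
    def logout(self, token):
        self._sessions.pop(token, None)
    def session_user(self, token):
        """Return the session's user, or None if expired, logged out or de-provisioned."""
        user, expiry = self._sessions.get(token, (None, 0))
        if user is None or self.now() >= expiry or not self.directory.exists(user):
            self._sessions.pop(token, None)
            return None
        return user
    def authorize(self, token, resource, action):
        """Authorization: default deny unless the ACL grants the action."""
        user = self.session_user(token)
        return user is not None and action in self.acl.get(resource, {}).get(user, set())
```

Note that `authorize` re-checks the session and the directory on every call, so a timed-out session or a de-provisioned account loses access immediately rather than at the next login.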
Implementation: Best Practices
For the most part, when you are building or implementing IAM in your organization, it helps to keep in mind how it benefits the company. By keeping these advantages in mind, you can implement a more robust IAM infrastructure that is more intuitive and effective.
Here are some advantages to implementing IAM systems:
- It simplifies things
In a big organization, you simply cannot have a lot of security systems in place. IAM takes all the existing data and systems and puts them together. This is why it's important that when implementing an IAM system, the first step is to take note of and review all the data distributed across all departments to determine what's relevant. For example, when an IAM system is first built, Employee 1922 might have records in finance (for payroll), HR (employee records) and marketing (where he or she works). This means that all the data from each department pertaining to Employee 1922 needs to be consolidated into just one system.
- It helps make collaboration possible
The best thing about having IAM is that you can assign people to grant access, establish roles, add members to the system, and even dictate what these people could do with the resources they can access.
- It makes operations more transparent
Because IAM is centralized, all users can see the access rights and policies in place, as well as what is required of the systems and the people involved. It can also give you a history of who was given access to what resources by whom. This makes auditing a breeze.
Implementing IAM
Companies looking to implement IAM must review the different tools available. And IAM should not just involve the IT department. In fact, most CIOs who've begun implementing IAM realize that for their initiatives to succeed, they should get the support and assistance of people outside of IT. There are a lot of tools available that not only simplify IAM, but also make it understandable to non-IT personnel. But remember that in using third-party tools, a company has to make sure it's getting what it pays for. For example, a couple of years ago, IAM solutions providers were in a consolidation frenzy. This meant that a company largely using Windows and Microsoft products buying an IAM solution from a vendor that is then bought up by Red Hat or Oracle might find that the solution they purchased has become worthless.
A good IAM should also maintain the perfect balance between security and service delivery. To do this, a solid security policy must be in place to govern all technology and procedures moving forward.