What is IAM?
Identity and access management (IAM) is a cornerstone of modern IT architecture and comprises of essential security features and protocols; which businesses should at the least aware of and ideally, be actively implementing.
In simple terms, IAM is the safeguard as to who can access what information within an organisation – or even across, in IT system federations and networks. It is the means used to establish and manage user identities and access rights to IT services by restricting the entire set from being replicated, and controlled with a coherent set of policies enforced across the connected IT infrastructure. In fact, modern IAM inherently transforms legacy and often insular IT service landscapes into a network of connected and cooperating solutions.
However, modern IAM solutions really start to shine and deliver value when combined with two key components of a good IT security policy: Multi-factor authentication (MFA) and Single Sign-On (SSO). Multi-factor authentication adds an additional level of security by requiring more than one source of identity authentication (the first being the password associated with a username). Single sign-on enables users to use the same identity (and authentication process) across many different compatible IT services.
Benefits of good IAM controls
Increased Identity Protection
Modern cyber security techniques used by attackers include stealing, guessing, or even calculating passwords, are all done with relative ease. However with MFA adding at least one more “things to do”, known as 2FA, Two Factor Authentication, MFA requires another entirely different activity before accepting that the person attempting to use the requested user identity is in fact the intended person to use that identity. MFA comes in many shapes or forms:
- One time access codes being either sent via text to a registered mobile phone (e.g. in online banking)
- One time access codes being generated by apps on smartphones (e.g. HMRC)
- Smart cards bearing certificates and PIN numbers (Estonian government)
All forms of MFA – if implemented correctly – make it much, much harder for attackers to gain access to user identities.
Reducing Cybersecurity Incident Risks
Single sign-on enables users to use the same identity across connected IT services, and supports implementing much stricter security requirements for user identity access – strong passwords, and MFA typically. Consider this example: The more credit cards and debit cards a person owns, with each requiring a PIN to pay electronically for goods, a very human coping strategy will emerge: to use the same PIN for them all. The same happens with passwords for the umptieth IT service a person needs to use: too many services inevitably can lead to a user using the same password. This leaves the affected user accounts (or credit/debit cards) at a very real risk. Reducing this complexity provides greater simplification and and together with MFA and other user identity restrictive measures – delivers increased security service in the entire IT landscape.
Centralised Identity Management and Access Control Policies
Consider a simple example: A company contracting external services (e.g. a business travel booking services such as KeyTravel) has several employees leaving. With a modern IAM solution in place, these employees’ IT identities are centrally managed and registered as invalid – job done. Without this feature, each of these need to be manually removed everywhere, one by one, application by application. And it gets worse with every new service brought into the fold – as you can image – the CISO’s nightmare if not properly managed and controlled.
Enhanced User Experience
Modern IAM with SSO provides a better experience for users of services by separating authentication (vetting valid access to a user identity) from authorisation (allowing access to certain features of an IT application) requires users to remember only one user identity across many services. Good technical examples of SSO are so called “social logins” where one can use their Facebook, LinkedIn, Google or other identities to access publicly available services. (The fact that these often come with having to share personal information with the service in exchange for free access to it is a business decision, not a technical requirement.) Another much less known example is a global academic network of wireless access called “eduroam” – academics of participating institutions can access wireless networks and thus host, home and public services on the Internet wherever they are worldwide, using only their home institution’s user identity – across hundreds of thousands of academic institutes worldwide!
Regulatory Compliance (e.g. GDPR and DPA 2018)
Companies today face tighter and more stringent requirements on access to, and sharing of, data that by law does not belong to them – typically personal data of individuals. Both GDPR and the Data Protection Act 2018 forces companies to significantly improve their data protection provisions, or face very serious and often existential risk of fines up to 4% of their gross profit for misconduct.
Proper implementation of IAM helps to tighten control over who, how and when certain data is being accessed, and how the data is used and shared across platforms. Deploying a modern IAM with 2FA and SSO centralises control and more importantly storage and access to personal information on one centralised service, rather spreading it across multiple IT services employed.
Lowered IT costs
IAM integrates many functionalities of identity authentication, which minimises costs when it comes to keeping your business environment safe and secure.
Example 1: Large enterprises using AWS
Global enterprises rely on AWS to support the development of their innovative solutions, as they move their important applications, to take advantage of the cost benefits and agility of the 160 services offered in AWS portfolio. Furthermore, AWS provides a global availability so business apps can be accessed from anywhere, safe and secure.
The pharmaceutical company Merck is running regulated workloads on the AWS Cloud. They use AWS CloudTrail specifically, to log every change to its system, enabling it to provide auditors with details of all revisions. They also utilise AWS Config to show auditors specific configurations history. All this is tied together by using AWS IAM to control who and at which level has access to that information on AWS – worldwide.
Moderna Therapeutics runs daily drug manufacturing GxP in the AWS Cloud in order to reduce costs and increase agility. They are using SAP on the AWS Cloud in order to reduce cost of having an on-premise hardware. GxP and SAP are connected to AWS IAM providing users who need access to both applications a unified user identity experience.
Example 2: Small Enterprises using Microsoft Azure
The ambition for UK based TV studio all3media is to deliver on demand content optimised in the digital format for the platform used by the consumers, thus tailoring the viewing experience.
Microsoft Azure offers all3media with the platform to utilise the built-in content delivery network to provide the content close to where the roaming user currently is located. Another feature Azure offers allows the user to use the same identity across their multiple digital platforms – mobile phone, tablet, XBox, and Smart TV by integrating Azure AD (Active Directory) and Azure AD FS for SSO. Additionally, by integrating Microsoft Live as an identity provider, all3media makes user onboarding and access much easier by allowing users to use their existing digital (social) platform identities with their service instead of creating (yet) another username and password to remember.
Request a free IAM audit
The Digital Craftsmen team offer a free audit for business who are managing compliance programs providing a detailed report with recommendations and priorities actions if required.. The audit will utilise best practice in IdM standards and guidelines, the benchmark for IAM professionals.
Contact the Craftsmen team now on +44(0)20 3756 7706 or email sal[email protected]
Further information on our range of free security and vulnerability audits can be found here.