Identity & Access Management


Identity and Access Management (IAM) is the set of processes, technology and policy that manages digital identities and governs how those identities are used to gain access to information. In other words, IAM is the discipline of managing digital identities.


Digital identities are the people in an organization as represented in its IT systems. They are a person’s online presence, containing the data used to recognize that person. Every action, activity and function in those systems is performed by a digital identity, and businesses could not operate without them. IAM regulates and authenticates the identities and information of people and users on computers.


To break it down further, Identity Management enables an organization to create, maintain and retire identities, or the attributes that define an individual within a particular context. Access Management gives only a specified population of people the right to carry out a particular action, in a particular manner.

Benefits of IAM

The way business is done today, operating without an effective Identity and Access Management system can create considerable compliance liabilities, intensify losses from internal and external vulnerabilities, and compromise general security.

With an increasingly dynamic workforce, a greater flow of information, new mobile devices and apps, and more employees in ever-changing roles, the business IT environment has met its match. Identities, access and privileges are harder than ever to manage. Security risk escalates when employees change roles but their old entitlements and access levels are not revoked. That makes it easier to gain access to confidential information, which could ultimately compromise the organization.

IAM solutions deal with these issues automatically. Systems manage identities and access, and let users make changes, such as password resets, that once required an administrator. This speeds up workflows and decreases errors and abuse. With a centralized directory, identities, access privileges and so on automatically match the right employee, with the correct job title and access level.

Audit and Compliance

IAM auditing components are essentially another layer of security. They keep records of “who did what, when,” and keep important data within the organization’s IT infrastructure, in order to maintain compliance and support industry standards. Numerous federal regulations exist, with the Sarbanes-Oxley Act a key driver of identity-related auditing requirements.

 

Typically, the audit process encompasses three phases.

  • Audit generation – There are various infrastructure components for different needs. Some identify unauthorized attempts to access the company’s IT databases; others reveal performance abnormalities; others provide material to resolve problems.
  • Data collection and storage – After the data is generated, it is gathered and stored. Two approaches are possible: the data can be stored on the same system that generated it, or it can be transferred to a central storage location.
  • Analysis and feedback – Data can be processed and analyzed automatically or by hand. The evaluation offers solutions or ways to make changes.

 

You need to decide which design you want, as both have advantages and disadvantages. If the data is stored on the same system that generated it, it is readily available for modification. However, it is also easier for an attacker who compromises that system to alter the audit trail and cover up the attack.

Storing it on a separate system obviously lessens the opportunity to corrupt the data. Either way, these systems cut costs and save time.

Single Sign On & Federation

Single Sign On

Normally, at any business a user has to log in every time he or she wants to enter a website or business application. This usually requires multiple passwords, and the constant logins are frustrating. Forgotten passwords, or passwords written down on note paper, create more chances of security breaches and cost management additional money. Any way you look at it, the situation is not good.

 

The solution is single sign on (SSO): the capability to log in only once and gain access to numerous applications simultaneously. It automatically maintains the user’s session, regardless of the workstation, or even if they travel.

While there are five kinds of SSO solutions, only Federated Sign On is discussed here.


Federation

Federation is a concept based on interorganizational trust. Federated sign on means the authentication task is entrusted to another party. The trusting company must be confident that the trusted business has comparable policies, ethics and goals, and that they are all followed. As long as the user has been validated by a component of the federated authentication infrastructure, the other party does not need to sign the user on again.

Multi-factor Authentication

Authentication is the process of verifying that an identity or entity is who or what it claims to be. This is often done with passwords, or with biometrics: a person’s unique physical or other traits, detected and recorded by an electronic device as a means of confirming identity. An example would be a fingerprint, or some other distinct pattern captured on a touch-sensitive display, computer or other device.

To authenticate, the individual produces credentials that meet the requirements of the application or system he or she wishes to access. Simplifying the sign on procedure is a way to streamline the authentication structure, so that multiple applications, services and so on can depend on a unified place for authentication that also synchronizes credentials. This limits the number of credentials in use and improves the user’s experience.

Multi-factor authentication takes the process of authenticating identities a step further. With constant threats of fraudulent online activity, usernames and passwords alone are not enough to protect your business. There needs to be a process that makes the authentication fool-proof, and allows the system to evaluate and track the risk factors related to each transaction.

Multi-factor authentication is designed to ensure the user is genuine. It not only protects against threats from phishing, Trojans or proxy attacks, but also performs risk profiling, provides real-time fraud prevention and alerts, and blocks any indication of fraud. It essentially applies stronger security controls to protect businesses.

Role Management

Role management is a major element in meeting governance and compliance requirements for user access to a company’s data and information. Roles maintain compliance by tying access permissions to job functions, and by giving business meaning to the underlying entitlements, so that managers and compliance staff can review them.

Businesses are challenged because the number of roles defined is much greater than the ideal. Quite often, the number of roles exceeds the number of users. This results from not having a universal governance policy to define roles; instead, roles are created whenever users need access to different applications and systems. Creating a thorough and accurate set of roles is one of the most essential, but most challenging, tasks in implementing role based access control. This is called role engineering, and it is one of the most expensive elements of privilege management.

Two approaches to role engineering exist: top-down and bottom-up. Top-down starts by describing a specific job function, then establishes a role for that function by correlating the needed permissions. It is very difficult because there are often masses of business processes, thousands of users and millions of authorizations. Relying only on a top-down method usually is not feasible.

The bottom-up technique, by contrast, uses the permission assignments that already exist to derive roles: it aggregates present permissions into candidate roles.
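The bottom-up aggregation described above, as an added example that is not part of the original article: users holding exactly the same set of existing permissions are collapsed into one candidate role, permission sets held by too few users are flagged rather than turned into yet another role, and candidate roles nested inside others are reported for review. The user names and application:action permission identifiers are constructed, hypothetical sample data.

```python
from collections import defaultdict

# Constructed sample of existing user -> permission assignments (hypothetical
# application:action identifiers, not from any real system).
ASSIGNMENTS = {
    "alice": {"crm:read", "crm:write", "mail:send"},
    "bob":   {"crm:read", "crm:write", "mail:send"},
    "carol": {"crm:read", "mail:send"},
    "dave":  {"crm:read", "mail:send"},
    "erin":  {"hr:read", "hr:write", "payroll:approve"},
}


def mine_roles(assignments, min_users=2):
    """Bottom-up role engineering: users holding exactly the same permission
    set are aggregated into one candidate role. Permission sets held by fewer
    than min_users users are reported separately instead of becoming a role,
    which is what keeps the role count below the user count."""
    by_perms = defaultdict(list)
    for user, perms in assignments.items():
        by_perms[frozenset(perms)].append(user)
    # Largest candidate roles first; ties broken by permission names so the
    # role numbering is deterministic.
    ordered = sorted(by_perms.items(), key=lambda kv: (-len(kv[1]), sorted(kv[0])))
    roles, unmatched = {}, []
    for perms, users in ordered:
        if len(users) >= min_users:
            roles[f"role_{len(roles) + 1}"] = {"perms": set(perms), "users": sorted(users)}
        else:
            unmatched.extend(users)
    return roles, sorted(unmatched)


def role_hierarchy(roles):
    """Find candidate roles whose permissions are a strict subset of another
    role's, which suggests a parent/child relationship a reviewer can confirm."""
    pairs = []
    for child, c in roles.items():
        for parent, p in roles.items():
            if child != parent and c["perms"] < p["perms"]:
                pairs.append((child, parent))
    return sorted(pairs)


if __name__ == "__main__":
    roles, unmatched = mine_roles(ASSIGNMENTS)
    for name, r in roles.items():
        print(name, sorted(r["perms"]), r["users"])
    print("no shared role:", unmatched)
    print("nested:", role_hierarchy(roles))
```

Raising `min_users` is the knob that trades role coverage for a smaller role count; the users left in `unmatched` are the ones whose access a reviewer must still justify individually.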

Fine grained Entitlements

Entitlements are a set of characteristics that stipulate the access rights and privileges of an authenticated user.

 

Fine grained entitlements take it a step further than authentication. Normally, the focus is on who is permitted into an application or network. With entitlement management, the focus shifts to who is allowed to do what once they are inside the application or network. Entitlements are built into each application a business has. They are used to secure web services and applications, legacy applications, documents, files and physical security systems, giving users both security and the flexibility to collaborate.

By taking advantage of fine grained entitlements you can manage entitlements centrally across various business applications. You would not need to hard code entitlement logic inside each application; entitlements are controlled in one place. This gives applications more agility and flexibility.

What’s more, this approach provides firmer, more refined security, specific to users’ needs.
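A centrally managed entitlement check of the kind described in the two paragraphs above, as an added example that is not part of the original article: the rules live in one table instead of inside each application, an already-authenticated user is evaluated against them per action and resource, and anything without a matching rule is denied. The roles, resource kinds and department conditions are constructed, hypothetical sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:            # an already-authenticated identity
    name: str
    roles: frozenset
    department: str


@dataclass(frozen=True)
class Resource:        # the object the user wants to act on
    kind: str
    department: str
    owner: str


# Constructed, centrally managed entitlement rules (hypothetical roles and
# resource kinds). Each rule: (role, action, resource kind, condition), where
# the condition is a predicate over (user, resource) or None for no constraint.
RULES = [
    ("analyst", "read",    "report", lambda u, r: u.department == r.department),
    ("manager", "read",    "report", lambda u, r: u.department == r.department),
    ("manager", "approve", "report", lambda u, r: u.department == r.department),
    ("author",  "edit",    "report", lambda u, r: u.name == r.owner),
    ("auditor", "read",    "report", None),
]


def is_entitled(user, action, resource, rules=RULES):
    """Deny by default: grant only if some rule for one of the user's roles
    matches the action and resource kind and its condition (if any) holds.
    Applications call this instead of hard coding the logic themselves."""
    for role, rule_action, kind, cond in rules:
        if role not in user.roles or action != rule_action or kind != resource.kind:
            continue
        if cond is None or cond(user, resource):
            return True
    return False


if __name__ == "__main__":
    alice = User("alice", frozenset({"analyst"}), "finance")
    bob = User("bob", frozenset({"manager"}), "finance")
    q3 = Resource("report", "finance", "carol")
    print(is_entitled(alice, "read", q3), is_entitled(alice, "approve", q3))
    print(is_entitled(bob, "approve", q3))
```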