What provides an integrated method of managing users and their access to various applications?

Identity and Access Management (IAM) is a vital component of an organization's data security, acting as a centralized hub where an organization can define and manage who has access to which systems, data or resources at which time. In short, IAM is a framework of policies and technologies to control access to data and safeguard sensitive data against possible attacks. It ensures that the proper people in an enterprise have the appropriate access to technology resources. IAM systems fall under the overarching umbrellas of IT security and data management.

Identity and access management is a crucial part of minimizing data breaches and mitigating business risk. If a company doesn’t know who has access to which systems or data, or can’t manage that access reliably, the consequences can be enormous. Customer trust, regulatory compliance and financial performance can all be damaged by data breaches (and potentially even more so once GDPR comes into force later this year).

But apart from the serious security implications, having a good IAM system can reduce IT, admin and helpdesk costs, not to mention enhancing employee productivity and making control and audit much easier.

Advantages of a centralized identity and access management system

It’s possible to build identity and access management into each individual application, requiring user authentication whenever a particular system is accessed. But this approach has several potential problems:

  • It’s almost impossible to enforce policies consistently across an organization with fragmented systems
  • Manually managing access and permissions makes the system very hard to scale, not to mention prone to human error that can have potentially damaging consequences
  • Making it hard for users to navigate different access systems can stifle business productivity, and increase workload for IT and helpdesk teams

To overcome these issues, centralized identity and access management systems exist which provide a single platform from which to monitor and manage user permissions across an organization.

But implementing and managing these systems can sometimes create even more challenges. Not least among these is the challenge of integrating multiple different data sources into a single IAM system.

Integrating multiple data sources into identity and access management systems

IAM systems can often be reliant on multiple other data sources for information. Take as just one example an organization’s HR system - you can imagine how the IAM system might need to know when an employee leaves, so their access credentials can be automatically revoked.

And when one change is made in one system, that change may result in updates to permissions in many, many (sometimes thousands of) other systems.

A further complicating factor is that these systems can be located anywhere - in the cloud (or multiple clouds), on-premise, or frequently a combination of all the above.

It’s critical that the IAM system can ingest data from any source - no matter where it is located - in the correct format, so that the system can respond to new data and adjust access permissions across every application accordingly.

Different data formats can cause IAM problems

The problems start when not all of the sources that feed data into the IAM system store that data in exactly the same format. The IAM system can be strict about what data it ingests, and it needs to understand exactly what data it is receiving, and what that means.
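As an added illustration (not CloverDX's code or the article's own), here is a small Python ingestion step that normalizes two constructed feeds, an HR JSON export and a directory CSV export, into one canonical schema, rejects records that do not fit it rather than guessing, and lists the identities whose access must be revoked. Field names, status vocabularies and sample values are all assumptions.

```python
import csv
import io
import json
from dataclasses import dataclass

# Constructed sample feeds (not real data): HR exports JSON, the directory exports CSV,
# and each uses its own field names and status vocabulary.
HR_JSON = json.dumps([
    {"employeeId": "E100", "mail": "ana@example.test", "employmentStatus": "Active"},
    {"employeeId": "E101", "mail": "bo@example.test", "employmentStatus": "Terminated"},
    {"employeeId": "E102", "employmentStatus": "Active"},  # no mail: must be rejected, not guessed
])
DIRECTORY_CSV = "uid,email,enabled\nE100,ana@example.test,1\nE103,cy@example.test,0\n"

# Every source vocabulary is mapped onto one canonical status; anything else is an error.
STATUS_MAP = {"active": "active", "terminated": "inactive", "1": "active", "0": "inactive"}

@dataclass(frozen=True)
class Identity:
    source: str
    identity_id: str
    email: str
    status: str  # canonical: "active" or "inactive"

def normalize(source, raw_id, raw_email, raw_status):
    """Map one source record onto the canonical schema; fail closed on missing or unknown fields."""
    if not raw_id or not raw_email:
        raise ValueError(f"{source}: record is missing id or email")
    status = STATUS_MAP.get(str(raw_status).strip().lower())
    if status is None:
        raise ValueError(f"{source}: unknown status {raw_status!r}")
    return Identity(source, raw_id.strip(), raw_email.strip().lower(), status)

def ingest(hr_json, directory_csv):
    """Return (accepted identities, rejection reasons); bad records never reach the IAM system."""
    accepted, rejected = [], []
    for rec in json.loads(hr_json):
        try:
            accepted.append(normalize("hr", rec.get("employeeId"), rec.get("mail"), rec.get("employmentStatus")))
        except ValueError as exc:
            rejected.append(str(exc))
    for row in csv.DictReader(io.StringIO(directory_csv)):
        try:
            accepted.append(normalize("directory", row.get("uid"), row.get("email"), row.get("enabled")))
        except ValueError as exc:
            rejected.append(str(exc))
    return accepted, rejected

def revocations(identities):
    """Identities that any source reports as inactive: the leaver case, where access must be revoked."""
    return sorted({i.identity_id for i in identities if i.status == "inactive"})
```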

Automate feeding data into identity and access management systems with CloverDX

This has often meant a need for a large development team to prepare, clean and manage multiple data streams. Building in-house scripts to transform and integrate data into IAM is expensive (as it requires highly skilled developers), time-consuming (not only to build, but also to comprehensively test and deploy) and risky (with scripts becoming too complex and unwieldy over time, or one person with all the knowledge leaving the company).

Data integration for identity and access management

Building in a data integration solution to your IAM architecture can avoid many of these problems.

A data integration platform can bring:

  • Reliable, constantly up to date access management
    • Seamless integration of different data sources, and transforming that data into a standardized format that is compatible with the IAM system, means knowing that user information and permissions are always accurate and current.
  • A single source of truth
    • Synchronising information from a variety of systems enables business-wide consistency and auditability, helping to ensure security and regulatory compliance.
  • More efficient workflows with more power to less technical teams
    • An intuitive interface brings more control to business (as opposed to highly technical) users. Managing and maintaining user permissions becomes easier and more efficient when it doesn’t have to be done by expensive developers.
  • Flexibility to work how you need
    • A data integration tool which offers both the speed and convenience of pre-built connections, and the power of working directly in code, brings the best of both worlds. The technical team can focus their efforts on where they make the most impact, with the tools they need, and can minimise duplication of work by creating reusable templates for business users to work with.
  • Time and money savings with automation
    • Automating data transformations, processes and reporting reduces unnecessary duplication of work, and makes scaling your system to accommodate new users and applications possible.
  • Less human error with better transparency
    • Find and fix any problems quickly, with full visibility into the data integration processes and automated error notifications.
  • Minimized business risk with standardized processes
    • Avoid the problem of knowledge silos, and the inherent risk of valuable employees leaving. With standardized processes, and full auditability, it’s simple for others to see what is happening and to ensure business continuity.

Using a data integration platform to integrate multiple data sources into an identity and access management system can bring all these benefits, and ensure your IAM system performs to the best of its capability. 

Case study: How one leading bank integrated data from thousands of systems into their IAM platform

Identity and Access Management (IAM), also called identity management, refers to the IT security discipline, framework, and solutions for managing digital identities. Identity management encompasses the provisioning and de-provisioning of identities, securing and authentication of identities, and the authorization to access resources and/or perform certain actions. While a person (user) has only one singular digital identity, they may have many different accounts representing them. Each account can have different access controls, both per resource and per context.

The overarching goal for IAM is to ensure that any given identity has access to the right resources (applications, databases, networks, etc.) and within the correct context.

Identity management is a foundational security component to help ensure users have the access they need, and that systems, data, and applications are inaccessible to unauthorized users.

Identity and access management organizational policies define:

  • How users are identified and the roles they are then assigned

  • The systems, information, and other areas protected by IAM

  • The correct levels of protection and access for sensitive data, systems, information, and locations

  • Adding, removing, and amending individuals in the IAM system

  • Adding, removing, and amending a role’s access rights in the IAM system

IAM is typically implemented through centralized technology that either replaces or deeply integrates with existing access and sign on systems. It uses a central directory of users, roles, and predefined permission levels to grant access rights to individuals based on their user role and need to access certain systems, applications, and data.

Most IAM technology applies role-based access control (RBAC), using predefined job roles to control access to individual systems and information. As users join or change roles in the enterprise, their job role is updated, which should impact their access rights.

For example, employees working in HR may have access to different systems and employee data based on their job roles, as follows:

Business Role Task             | Contact Details | Benefits Data | Salary Data | Performance Data
Manage employment benefits     | Yes             | Yes           | No          | No
Manage payroll and salary      | Yes             | Yes           | Yes         | No
Manage training and promotions | Yes             | No            | Yes         | Yes
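As an added example (not from the original article), the table above transcribed into a small Python role-based access check: a central directory maps each user to one job role, every decision defaults to deny, a role change replaces the old rights rather than accumulating them, and each decision is recorded for audit. Role and resource identifiers are constructed for illustration.

```python
from dataclasses import dataclass, field

# Role-to-data matrix transcribed from the table above ("Yes" cells become entries).
ROLE_PERMISSIONS = {
    "manage_benefits": {"contact_details", "benefits_data"},
    "manage_payroll":  {"contact_details", "benefits_data", "salary_data"},
    "manage_training": {"contact_details", "salary_data", "performance_data"},
}

@dataclass
class Directory:
    """Central directory of users -> roles, plus an append-only audit trail of decisions."""
    roles: dict = field(default_factory=dict)   # user -> role (one job role per user)
    audit: list = field(default_factory=list)   # (user, role, resource, decision)

    def assign_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")  # fail closed on typos in role names
        self.roles[user] = role                          # a mover keeps only the new role

    def remove_user(self, user):
        self.roles.pop(user, None)                       # leaver: no role means no access

    def is_allowed(self, user, resource):
        role = self.roles.get(user)
        allowed = resource in ROLE_PERMISSIONS.get(role, set())  # deny by default
        self.audit.append((user, role, resource, "allow" if allowed else "deny"))
        return allowed

def permissions_diff(old_role, new_role):
    """Access gained and lost when a user moves between roles; review this before applying the change."""
    old = ROLE_PERMISSIONS.get(old_role, set())
    new = ROLE_PERMISSIONS.get(new_role, set())
    return sorted(new - old), sorted(old - new)
```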

An identity management system typically involves the following areas:

  • Employee data—such as through an HR system, directories (e.g. Active Directory), and more—used to define and identify individual users

  • Tools to add, modify, and delete users

  • Password management tools and workflows

  • Integration with or replacement of the existing login system(s)

  • Enforcement of user access rights to certain systems and information

  • Auditing and reporting for visibility into how systems and information are being used

IAM systems should:

  • Record, capture, and authenticate user login information (usernames, passwords, certificates, etc.)

  • Manage the employee database of users and job roles

  • Allow for addition, deletion, and change of individual users and broader job roles

  • Provide a history of login and systems access for audit purposes

  • Allow for properly-segmented definitions and access controls for every part of the business’s systems and data

  • Track user activities across all systems and data

  • Report on user activities

  • Enforce systems access policies

There are many technologies to simplify password management and other aspects of IAM. A few common types of solutions that are used as part of an IAM program include:

Single Sign On (SSO)

An access and login system that allows users to authenticate themselves once and then grants them access to all the software, systems, and data they need without having to log into each of those areas individually.

Multi-Factor Authentication

This system uses a combination of something the user knows (e.g. a password), something the user has (e.g. a security token), and something the user is (e.g. a fingerprint) to authenticate individuals and grant them access.

Privileged Access Management

This system typically integrates with the employee database and pre-defined job roles to establish and provide the access employees need to perform their roles.

IAM technology can be provided on-premises, through a cloud-based model (i.e. identity-as-a-service, or IDaaS), or via a hybrid cloud setup. Practical applications of IAM, and how it is implemented, differ from organization to organization, and will also be shaped by applicable regulatory and compliance initiatives.

Sophisticated IAM technology can move beyond simply allowing or blocking access to data and systems. For example IAM can:

  • Restrict access to subsets of data: Specific roles can access only certain parts of systems, databases, and information.

  • Only allow view access: Roles can only view data, they cannot add, update, or amend it.

  • Only permit access on certain platforms: Users may have access to operational systems, but not development or testing platforms.

  • Only allow access to create, amend, or delete data, not to transmit it: Some roles may not be able to send or receive data outside the system, meaning it cannot be exposed to other third parties and applications.

Ultimately, there are many ways to implement IAM policies to define and enforce exactly how individual roles can access systems and data, based on a company’s specific needs.

IAM is critical to protecting sensitive enterprise systems, assets, and information from unauthorized access or use. An end-to-end IAM implementation will reduce the likelihood and impact of data breaches, and ensure that only legitimate, authenticated users have access. IAM is crucial to protect the following areas by only allowing authorized access:

Data and information

Sensitive customer, business, supplier, or other data, stored on local servers, in the cloud, or elsewhere.

Software and applications

Systems used by employees, customers, suppliers, partner businesses, and others.

Development, testing, staging, and operational platforms

All IT environments used for product and service development, launch, and operations.

Devices

Laptops, desktops, smartphones, tablets, IoT, and other devices.

Locations

Business locations including private office spaces, data centers, and secure locations.

Integrations

Data that is being transmitted, received, stored, or otherwise interacted with as it moves between different areas.

While some folks treat privileged identity management (PIM)—also called privileged access management (PAM) or just privilege management—as a sub-category within IAM, others consider PAM its own entity. Nevertheless, for holistic identity governance that controls both non-privileged and privileged identities, IAM and PAM both need to be mature programs that work and communicate with each other.

While IAM enables organizations to provision/de-provision identities, authenticate them, and authorize their access to resources and certain actions, it lacks the ability to layer on granular controls (such as enforcing the security principle of least privilege) when it comes to privileged identities and privileged access and permissions.

With an IAM solution alone, permissions and privileges are generally granted in broad strokes to far too many people, accounts, applications, etc. So, while IAM solutions allow IT teams to address “who has access to what?”, PIM/PAM solutions must be layered on to address such questions as “is that the appropriate amount of access?” and “are those privileged activities appropriate?”

Since privilege misuse or abuse is recognized to be a key ingredient of almost all security breaches today, integrating the critical PAM piece with an IAM implementation is essential. The higher the degree of the integration between identity and access management with privilege management, the more streamlined the control and auditing over all privileged and non-privileged accounts and access.

IAM is a central practice to protecting sensitive business data and systems. Implemented well, IAM provides confidence that only authorized, authenticated users are able to interact with the systems and data they need to effectively perform their job roles.

While any IAM implementation will start with an audit of an organization’s needs (defining roles, access requirements, etc.) and creation of a policy, there are many different IAM tools and solutions that can help you execute on an IAM program. Any tools you select should meet the use cases for your environment.

Also consider prioritizing those tools that can provide highly automated workflows to simplify IAM administration, and identity management tools that integrate well with other systems and security technologies (such as PAM). The more seamless the tool fits within your own environment and with other security tools, the more likely you are to close security gaps and improve business operations.

Copyright © 1999 — 2022 BeyondTrust Corporation. All rights reserved.