Identity and access management (IAM) has become the cornerstone of enterprise security. IAM is critical to an organization’s successful IT security strategy as a framework of business procedures, policies, processes and technologies that manage user identities and access.
Organizations and enterprises today must have an IAM strategy in place to manage access to company resources while minimizing access creep and maximizing user experience, especially in an increasingly decentralized workplace.
There are four primary functions of IAM:
- Identity management: the process of user account creation and deletion
- Access management: the process of assigning or de-assigning user access to specific resources
- Identity governance: the policy-based centralized orchestration of user identity management and access control
- Privileged access management: which safeguards identities with special access or capabilities beyond regular users.
In this article, we will focus on the functions of access management.
What is access management?
Access management not only assigns and removes user access to resources but also identifies, controls, tracks and manages these accesses via designated policies, procedures, processes and tools.
When we break down access management, there are several genres to consider, including, but not limited to:
- Single sign-on (SSO)
- Multi-factor authentication (MFA) and adaptive MFA
- Workforce vs. consumer/customer
- B2B access management
- On-premises vs. cloud (SaaS) solutions
Single Sign-on (SSO)
SSO is the ability for a user to authenticate access to an entity (company, website, employer, etc.) using a single set of credentials for access to company resources, including multiple applications and websites.
Each user uses a unique user ID and password to authenticate access. The entity can then use one of multiple ways to authenticate and/or provide user details to these other applications and websites, including these methods:
- Federated SSO protocols, such as SAML and WS-Federation: standards-based methods for authenticating users across security domains
- Modern authentication standards, such as OAuth and OpenID Connect: token-based frameworks that also extend to mobile applications
- Passing custom headers: insertion of user attributes as headers that can be consumed by backend applications
- Injecting a different set of credentials: the ability to populate and submit a different user ID and password combination via injection in a form-login or insertion of a basic authentication header
- Integrated Windows Authentication (IWA): enables users to be logged into applications after logging into windows with their domain credentials. This is done via Kerberos or NTLM.
Multi-factor authentication & adaptive MFA
MFA is the ability for an application to enforce two or more pieces of information (factors) from a user before providing access.
This may be the user supplying their user ID and password, plus a one-time token/password (OTP) of some sort that can be delivered via multiple different methods (voice, SMS, email).
These factors are based on the following categories:
- Something You Know (password, PIN, etc.)
- Something You Have (cryptographic identification device, token)
- Something You Are (biometric)
Adaptive MFA extends the MFA capabilities to utilize user behavior and context into the decision. Adaptive MFA builds a risk profile of a user based on a matrix of variables. Using this risk profile, the application can generate additional authentication requirements before a user is allowed access.
Adaptive MFA is much more intuitive and real-time than traditional MFA, and can include factors such as geo-location, historical data, and identity assurance making the authentication system more secure.
Workforce vs. consumer access management
Traditionally, access management was relevant only to the workforce users. That means management of a company’s employee and contractor accesses needed to complete their daily tasks.
With the proliferation of data breaches, continued privacy concerns and fraud, IAM around customer/consumer identity and access management (CIAM) increased.
The power behind CIAM lies beyond securing and easing customer access to your applications, websites and portals—although it does that, too. Just as importantly, it provides access to your customer behaviors through data collection while customers interact with those sites. You can read a more thorough discussion on IAM vs CIAM here.
B2B access management
Access management has traditionally been thought of in reference to Business-to-employee (B2E) and business-to-consumer (B2C) contexts where the consumer is an employee or customer, respectively, accessing offered services.
As the security perimeter for organizations extends beyond their firewalls, so has the need to provide secure access, modern authentication, and self-service capabilities to their vendors, suppliers, and partner organizations as well. Doing so without the need to locally maintain and manage these extended user populations brought about the need for secure business-to-business (B2B) IAM.
Today, B2B IAM enables and supports initiatives to better connect B2B customer systems and supply chain services.
On-premises vs. cloud (SaaS) solutions
Access management solutions historically were built as on-premises systems for managing an enterprise’s corporate applications. With the increase in the enterprise for migration to the cloud, access management solutions have followed suit.
There are many benefits to these cloud-based solutions, including:
- Faster deployments
- Easy application integrations via Application Catalogs
- Reduced hardware requirements and application maintenance costs
- Solutions are easier to manage (reduced complexity)
- Reduced risk
The power of experience and expertise
At Sirius, we see identity as a business process built on cutting-edge technology. Through conversations and getting to know your IT and business leadership, we work with you to build out a program that is dynamic and scalable.
The cornerstone of a strong IAM security program includes adaptive multi-factor authentication and single sign-on capabilities. From that foundation, your organization is well-positioned to move toward a more mature, zero-trust approach to IAM that includes privileged access management (PAM), role-based access modeling, and user and entity behavioral analytics (UEBA).
Sirius Security offers professional services and world-class solutions to help you build a robust identity management strategy to authenticate users and control access.
For employees, contractors, and partners, that translates into an easy registration and log-in process as they access your applications and data. For customers, that means a better, frictionless experience.