IAM is an acronym for Identity and Access Management.
Identity and Access Management is an information security framework which focuses on the security of the digital identities in a workplace and enables an administrator to maintain control over the access to the company resources, both physical and digital.
The term is also usually split up as Identity Management and Access Management.
The digital identities are secured, protected, maintained and controlled by the user as well the administrator. However, the administrator has more control than the user. Digital Identity is a part of Identity management framework.
The access controls, on the other hand, are completely secured, managed and controlled by the administrator. A user will always need to contact the administrator to request any changes to their access privileges. This falls into the Access Management framework.
However, Identity and access management work in tandem which is why they are recognized and function as a single framework.
Why do businesses need IAM?
Entrepreneurs and IT companies are more than aware that information security is the single biggest challenge at the moment. According to a recent study by Panda Security, 230,000 new malware samples are launched each day in 2015.
The report further stated that Trojans and PUPs (Potentially Unwanted Programs) were the most powerful malware of 2015 and Trojans were the main source of malware at 51.45 per cent.
Report by Javelin Strategy says Identity Theft has caused a loss of $112 billion in the past six years.
Forrester Research’s Wave report for Q3 2016 also said that 80% of security breaches involved privileged credentials.
A business already invests in a multitude of information security services such as traditional security setup or security services over the cloud, disaster recovery services, backup and restore services and many other minor applications critical to security. Hence, at times, investing in other services which solely focuses on identity and access is usually ignored.
However, due to the growing popularity and use of Cloud computing, Big data and BYOD, identity and access management steps in as an absolutely necessary security measure.
Businesses have departments and the employees working in one department usually do not have the access privileges to the other departments floor, room, systems, and applications.
It is not uncommon to see the new employee’s joining in or some existing employees leaving the company from time to time. It is necessary to create new digital identities and configure access privileges for new employees while removing the digital identities permanently from the system and revoking access rights of the outgoing and former employees. Failure to do so can allow them to access applications or files they are no longer authorized to access.
It is essential that a business imposes restrictions and clearly defines and describes the roles along with access privileges for every employee to ensure the security of data, so it doesn’t leave the company and neither does it allow an unauthorized outsider to access it. Having an Identity and Access Management solution can immensely help a business by increasing its security.
What is expected of an IAM solution?
An enterprise is expected to manage the login credentials of hundreds and thousands of employee’s. However, the digital identity comprises of far more than just a username and password. It is possible that it may also contain a person’s personal information and contact details.
Therefore, it is imperative that a business, with the help of an Identity and Access Management solution, maintains a central repository of the details.
This repository can be effectively managed and can allow addition, modification or removal of details.
Contrary to what some may perceive, identity and access management is not limited to creating, modifying and deleting the digital identities. Other functions include:
A method of verification of the identity of a user. Over the years, the means of authentication has progressed from the use of passwords. Present verification means can also include biometrics such as fingerprint or retina, gesture or a drawing pattern on the touchscreen interface, a third means of added authentication besides the existing password (eg. Two-factor authentication).
An administrator may decide what systems, equipments or applications a user is authorized to access. For instance, despite all employees being a part of the same company, an employee from department A may not be authorized to access department B’s room, its systems or applications.
Some roles may come with its own preset authorized accesses. Having rights assigned to a role makes a process easier and faster since no setup is required after the creation of ID & defining the user’s role. More authorizations can always be added later.
Delegation allows an administrator, manager or supervisor to delegate certain tasks to users who can manage those tasks on the supervisor’s behalf. When the administrator delegates the task, the user usually also gets the access in order to perform them.
Standardization is very critical in the field of Information Technology since it ensures optimization of the interoperability, compatibility and quality of a product or service which is created in accordance with the groups, companies, user’s and the government.
As mentioned by ISO, some of the standardizations include:
- ISO/IEC 24760-1:2011, Information technology — Security techniques — A framework for identity management — Part 1: Terminology and concepts
- ISO/IEC 24760-2:2015, Information technology — Security techniques — A framework for identity management — Part 2: Reference architecture and requirements
- ISO/IEC 29115:2013, Information technology — Security techniques — Entity authentication assurance framework
- ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls
IAM Product Vendors
In the past couple of years, the line between a user’s personal and professional life has been slowly vanishing. This can be attributed to smartphones and tablets which allow users to work from essentially anywhere, combined with the powerful cloud computing technology that enables the business applications to be pushed and delivered as mobile applications or directly through the web interface.
Some of the most well known Identity and Access Management solution vendors include RSA, Dell, IBM, Oracle, Microsoft, Salesforce. There are more than a hundred vendors apart from the ones mentioned.