What Is Identity and Access Management (IAM)?

Identity and access management (IAM) is a framework that enables organisations to ensure only the right people and devices have access to the right applications, resources, and systems at the right time.

IAM encompasses the various policies, services, and technologies that allow organisations to verify every user’s identity and level of access at all times. This verification can be conducted by a single product or spread across multiple processes, programs, and cloud services that provide admins with control and visibility over an individual’s access rights. 

To effectively manage access, organisations need to authenticate that a user is trustworthy and then authorise the level of access they should have.

What are authentication and authorisation?

Authentication is the process of confirming that a user is who they say they are. A user’s identity is most commonly verified through authentication factors like:

• Something they know: A knowledge factor that only the user should recall, such as their login credentials, a PIN code, or their mother’s maiden name.
• Something they have: A possession factor that only the user should have, such as a code on a verification mobile app or a security token.
• Something they are: A biometric factor that only the user could supply, such as their fingerprint, a retina scan, or voice recognition.

Authorisation is the process of providing a user with permission to access a specific function or resource. Authorisation permits a user to download a file from a server, for example, or gives them administrative access to a company application. A user must first authenticate their identity before they can then be authorised to access further resources, depending on the permissions granted to them.

Breaking down identity and access management

An identity and access management system is typically wide-ranging, allowing organisations to control access to corporate data and resources from multiple applications, devices, locations, and users. It allows organisations to capture and record user logins, manage all user identities, and oversee the process of assigning, granting, and removing access privileges.

IAM applies to many of an organisation’s environments, networks, and roles, and can cover users at all levels of the business across multiple locations. It can be used to provide access to internal networks or cloud-based services, a process that becomes more complicated for organisations deploying multi-cloud or hybrid architectures.

To address the complexities of IAM, organisations can work with an identity provider (IDP) to manage their digital identities and provide secure login processes.

Who are the typical IAM users?

An identity and access management system covers all types of users across an organisation’s landscape. These users can include:

• Employees: Organisations’ direct employees need to be authenticated when they request to access an application, corporate network, or server. An employee’s level of access is typically determined by their role and department. 
• Contractors: Individuals who are working with an organisation for a short period of time or on a one-off project can be granted access to specific applications or resources. These users typically have more restricted access than a traditional employee and should be offboarded as soon as their contract or project comes to an end.
• Customers: Organisations can manage their customers’ identities and profiles through customer identity and access management (CIAM) while connecting them to the applications and services they need. Proper CIAM ensures a seamless and secure customer experience across all channels.
• Partners: To streamline the work being done by multiple companies, organisations can give their partners’ users access to relevant applications or resources. 

For more information about CIAM, watch this video.

What are the resources covered by IAM?

IAM solutions monitor the resources that users require access to, including those that contain sensitive or business-critical data. Effective IAM is crucial to protecting corporate data and user identities and preventing unauthorised access to the following:

• Applications: IAM enables organisations to secure the identity of users when they log in to all business applications.
• APIs: IAM tools allow organisations to secure their modern mobile and web applications through API access management. Companies can then easily configure access policies and authorise internal and external users on their API resources.
• Cloud services: Cloud-based IAM solutions were designed to protect access to applications, services, and infrastructure that lives on the cloud. Cloud services like data storage and collaboration tools can all be protected with added layers of authentication and authorisation. 
• Corporate data: A key function of any IAM tool is to protect an organisation’s data. This includes the login credentials and personal information of all users, as well as sensitive corporate data.
• Multi-cloud or hybrid architectures: Organisations that run on a multi-cloud or hybrid architecture often use a separate vendor for IAM to cover their cloud and on-premises resources. Having a single, centralised IAM solution offers greater flexibility, freeing the organisation to continue to manage their access and identity requirements even if they change their cloud vendor or migrate fully away from on-prem solutions.
• Servers: Organisations can extend their identity and access control features to protect their servers and infrastructure, embedding security at the foundation.

What IAM tools and processes are there?

IAM systems are comprised of multiple tools and processes that simplify the task of provisioning and deprovisioning users, managing and monitoring evolving access rights, and preventing privilege creep and unauthorised access. Typical IAM tools include:

• Single sign-on (SSO): SSO solutions enable a user to use just one set of credentials to securely authenticate themselves across an organisation’s infrastructure, without having to log in to individual apps or resources. It removes the need for users to remember multiple passwords, which in turn reduces the risk of credentials being lost or stolen.
• Multi-factor authentication (MFA): MFA gives businesses the ability to verify with increased certainty that a user is who they claim to be. It requires a user to provide multiple pieces of authentication, which are typically combinations of knowledge, possession, and biometric factors.
• Lifecycle management (LCM): LCM lets organisations simplify the task of managing their growing user landscape of employees, contractors, customers, and partners. It moves away from manual provisioning in favor of an automated, contextual, policy-driven approach that provides a centralised view into which users have access to which systems and files. LCM can save IT and HR departments huge amounts of time while ensuring employees can access the tools and applications they need to work effectively.
• Centralised User and Device Directory: Consolidating users and devices within one central directory that connects to all your applications does away with the complexity of managing vast numbers of user passwords and multiple authentication policies across on-premises and cloud resources. It mitigates emerging identity attack risks, ensures users and passwords are secure, and takes control of password management by consolidating various password policies. This helps businesses to launch apps more quickly while reducing IT costs, increasing security, and meeting user demands.
• Access Gateways: With access gateways like Okta’s, organisations can apply modern security tools like SSO and MFA to their on-premises infrastructure. This extends cloud-based protection to on-prem apps without changing how they work. OAG, for example, provides simple app access for end-users while reducing the complexity of managing separate password and authentication policies across on-prem and cloud resources.
• IAM for your servers: Extending IAM to your infrastructure centralises access control, providing seamless access to on-premises, hybrid, and cloud infrastructures while reducing the risk of credential theft and account takeover. Tools like Okta’s Advanced Server Access (ASA) eliminate the need for static keys and make granular access decisions available for every user login request, such as the context of the device, session, and user information.

What makes for a successful IAM strategy?

Forrester’s 2019 IAM research outlines that organisations need to manage users’ access to sensitive applications and data without impacting business agility, user experience, or compliance requirements. This includes moving away from manual IAM processes, using IDaaS to ensure the ultimate ROI, and building a business case optimised for growth and gaining executive support.

To meet these goals, a successful IAM strategy:

• Takes into account the roles of artificial intelligence, behavior analytics, and biometrics to better equip organisations to meet the demands of the modern security landscape. 
• Provides for tighter control of resource access across modern environments like the cloud and the Internet of Things to prevent data compromise and leakage. 
• Maintains compliance, productivity, and security, including securing user identities regardless of when, where, and what device they use to access apps, networks, and systems. This is crucial to organisations rolling out remote work and dynamic workforce policies, and embarking on digital transformation.

Implementing the tools and processes of an IAM solution helps businesses to define clear and comprehensive access and audit policies. Having this structure in place reduces the risk of internal and external data theft and cyber attacks, which in turn helps businesses to comply with increasingly strict and stringent data regulations. 

IAM challenges

IAM is not without its challenges, especially if poorly implemented. Organisations must check that their IAM solution doesn’t leave holes and vulnerabilities in their security defences through issues like incomplete provisioning or weak automation processes.

• Provisioning and deprovisioning users and their access rights can become a challenge for organisations with sprawling workforces, too many admin accounts, and a large number of inactive users. This is where lifecycle management is crucial to closely monitoring access levels and immediately removing inactive users.
• Relying on passwords alone is increasingly dangerous, as users deploy weak passwords or don’t protect their login credentials effectively. 
• Biometrics, while being inherently secure, also pose challenges when stolen through data theft. It’s therefore important for organisations to not only know what biometric data they store on file, but also understand the biometric data they have, how and where it’s stored, and how to delete data they no longer require.

Today’s organisations are looking to implement security solutions that match the needs of their users while protecting their applications and resources across all their environments. An IAM system lets businesses give the right people the right level of access to data and systems at the right time.

Discover how Okta can help your organisation deploy a successful IAM strategy with our business case for IAM whitepaper and watch our webinar on IAM strategy in a post-pandemic world