Identity and access management (IAM) is more important than ever in an age when passwords can be cracked in minutes, corporate data breaches are a daily occurrence and cybercriminals have successfully infiltrated many top government and large-scale enterprise systems. It takes only one compromised set of credentials to gain entry into an enterprise network, and that is far too easy for the bad guys.
A study by security firm Preempt noted that 35% of the passwords exposed in a recent LinkedIn breach were identical to those the same users had chosen for other accounts. The remaining 65% could be cracked by brute force on unsophisticated hardware. The challenge for organizations, then, is to go beyond mere passwords to encompass all aspects of identity and access control, and that's where IAM comes in.
What is identity and access management?
Identity and access management encompasses the processes and technologies that make it possible to efficiently and accurately deliver secure access for authorized users to the systems, applications, and data they need, at any time, from any device, said Jim Ducharme, RSA's vice president of Identity Products. It’s the ability to see across an entire IT infrastructure, including the cloud, who has access to what, what they can do with that access, if it’s appropriate to their relationship with the organization, and to understand where security and non-compliance risks exist related to user access.
But there is more to IAM than that. Enterprise identity management also provides a way to automate the on-boarding and off-boarding of users and their access to your systems and applications as relationships change over time. Done correctly, it provides the means to curb commonplace problems such as inadequate or missing audit logs, privilege creep, privilege escalation attacks, and general identity and password chaos.
“When IAM is done right, organizations can confidently deliver secure access in a world without boundaries,” said Ducharme.
Let’s start by differentiating identity management from the overall field of IAM. Identity management, as the name says, deals with identities. An identity is manifested in attributes such as name, email address, date of birth, phone number, social security number, job position, etc. These attributes are collected in databases during registration processes of various kinds.
According to Petteri Ihalainen, vice president of Marketing and Mobile Services at IAM vendor Ubisecure, identity management is all about managing the attributes. In addition to yourself, various other people can create, update or delete these attributes – a supervisor, HR or IT manager can monitor and adjust these attributes as a part of employment, for example. So an identity management system is a small but vital element of IAM as a whole.
What about access management? It is about yes or no decisions: who is granted access, and to what. Users encounter it on the authentication side, where the identity of the user has to be established, but it goes beyond verifying identity into access control (authorization) decisions. Once the required attributes have been delivered, the yes/no decision can be made.
“Identity management is about managing the attributes related to the user,” said Ihalainen. “Access Management is about evaluating the attributes based on policies and making yes/no decisions.”
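The split Ihalainen describes is easy to see in code. The following is an added example, not code from the article or from any vendor named in it: a small identity store whose attributes HR or IT can change (identity management), and a policy evaluator that turns those attributes into a yes/no decision (access management). The users, the resources and the policy rules are constructed for illustration.

```python
"""Identity attributes (identity management) feeding policy decisions (access management).
Added example with constructed data; not taken from the article or any product."""
from typing import Dict, List, Tuple


def sample_identities() -> Dict[str, dict]:
    """Constructed identity store: the attributes a user, HR or IT would maintain."""
    return {
        "alice": {"department": "finance", "job_title": "accountant",
                  "employed": True, "mfa_enrolled": True},
        "bob":   {"department": "engineering", "job_title": "developer",
                  "employed": True, "mfa_enrolled": False},
        "carol": {"department": "finance", "job_title": "controller",
                  "employed": False, "mfa_enrolled": True},   # off-boarded
    }


# Hypothetical policies: (resource, action) -> attribute values the subject must present.
POLICIES: List[Tuple[str, str, dict]] = [
    ("payroll-db", "read",  {"department": "finance", "employed": True}),
    ("payroll-db", "write", {"job_title": "controller", "employed": True,
                             "mfa_enrolled": True}),
    ("source-repo", "read", {"department": "engineering", "employed": True}),
]


def set_attribute(identities: Dict[str, dict], audit: list,
                  user: str, name: str, value, actor: str) -> None:
    """Identity management: change one attribute and record who changed it."""
    old = identities.setdefault(user, {}).get(name)
    identities[user][name] = value
    audit.append({"actor": actor, "user": user, "attribute": name,
                  "old": old, "new": value})


def decide(identities: Dict[str, dict], user: str, resource: str, action: str) -> bool:
    """Access management: evaluate the subject's attributes against policy. Default deny."""
    attrs = identities.get(user)
    if attrs is None:
        return False                      # unknown identity
    for res, act, required in POLICIES:
        if res != resource or act != action:
            continue
        if all(attrs.get(k) == v for k, v in required.items()):
            return True
    return False


def scenario() -> dict:
    """Decisions for the sample data, before and after HR moves bob to finance."""
    ids = sample_identities()
    audit: list = []
    out = {
        "alice_reads_payroll": decide(ids, "alice", "payroll-db", "read"),
        "alice_writes_payroll": decide(ids, "alice", "payroll-db", "write"),
        "carol_writes_payroll": decide(ids, "carol", "payroll-db", "write"),  # off-boarded
        "bob_reads_payroll_before": decide(ids, "bob", "payroll-db", "read"),
    }
    # The attribute change alone flips the decision; no policy was edited.
    set_attribute(ids, audit, "bob", "department", "finance", actor="hr-manager")
    out["bob_reads_payroll_after"] = decide(ids, "bob", "payroll-db", "read")
    out["audit_entries"] = len(audit)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Note that carol still carries the controller title but is denied, because the policy also requires `employed` to be true: off-boarding only works if the access decision re-reads the attributes at every request rather than caching an earlier yes.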
Integrated IAM suites now appearing on the market, which cover both identity management and access management in one product, make it much easier to achieve and demonstrate compliance for user access.
Cloud identity management
IAM systems can be based in the cloud, on premises or a hybrid of both. Ducharme said that leveraging cloud identity management has benefits such as faster adoption of new capabilities, a reduced burden of infrastructure and administration management, and improved user experiences as users and applications move outside the walls of the enterprise.
“As the pace of adoption of cloud-based applications continues to increase, we will see more and more adoption of IAM in the cloud,” said Ducharme. “Many are seeking to reduce manpower and total cost of ownership by adopting cloud-based IAM solutions, often beginning with authentication, identity assurance and single sign-on.”
When evaluating cloud identity management, he said to find a solution that can bridge islands of identity to protect all your resources, on-premises and in the cloud. He cautions IT not to simply move their traditional identity management processes and methods over to the cloud. On-premises Single Sign On (SSO) and password management systems were typically surrounded by additional layers of enterprise security. Out in the cloud, they don’t have those same safeguards. Therefore, cloud IAM demands more advanced “continuous authentication” solutions and stronger means of identity assurance than passwords.
IAM security challenges
There are many challenges to overcome in setting up an identity and access management system. One of the principal ones is gaining control over islands of identity. In a typical organization, it’s tough to know where all the identity repositories exist due to shadow IT, consumerization of IT and more SaaS applications steadily coming into the fold. Organizations have to gain visibility into all parts of the IAM puzzle. Once you have visibility, you can effectively manage them from a centralized view that helps minimize risk.
Another challenge concerns the assignment of risk to users, applications and systems. That demands prioritization of people and data according to sensitivity and importance in order to focus on protecting what matters most, first.
“Trying to boil the ocean upfront can delay achieving those quick wins and demonstrating the value of an IAM system,” said Ducharme. “Once you have assigned risk, you can leverage that identity intelligence in automation and make better informed access decisions in real-time.”
Prashant Padghan, senior research analyst at MarketsAndMarkets.com, also brought attention to the problem of attempting to manage user identities without having an appropriate data infrastructure. The use of directory and meta-directory systems, however, can help in storing user information. These systems include technologies used for storage, synchronization and virtualization of identity information present across multiple locations.
Additionally, management can be slow to provide input in defining roles and designations to organizational systems, applications, and its central identity repository.
“Access controls such as designation management and role-based access control are the key features required in identity and access management solutions. They allow system administrators to define multiple roles for an employee,” said Padghan. “Defining and maintaining these roles and designations requires significant input from management, which can lead to complications if organizational requirements change.”
How to set up an IAM system for your network
The setup of IAM security is project-specific. But here are a few guidelines to follow for successful implementation, according to Padghan.
- Assess the current IT architecture and future requirements.
- List standard versus in-house applications with version details, that have to integrate with IAM.
- Ensure compatibility between the current OS, third party applications, web servers, and identity and access management tools.
- Integrate access control devices (including card readers and other access hardware) with IAM solutions.
- Clearly designate user roles and define each individual's or group’s access privileges and restrictions.
- Assess the required level of customization so IAM fits the enterprise.
- Verify that the system complies with any laws or regulatory requirements from local or federal government.
Identity and access management solutions and vendors
Major IAM vendors offer both enterprise identity management systems and cloud-based versions. Additionally, there are plenty of open source identity management solutions out there. Identity and access management vendors include the likes of RSA, Ubisecure, GlobalSign, AlertEnterprise, NetIQ, Ping Identity, IBM, Oracle, Okta, Microsoft, Centrify, Salesforce, SailPoint, OneLogin, Preempt and Covisint.
Their tools cover all (or at least several) of the following areas: provisioning; directory services; audit, compliance and governance; single sign-on; password management; and authentication.
Figure: The key elements of identity and access management (courtesy of MarketsAndMarkets.com)
Provisioning: Provisioning maintains detailed audit information and updates user accounts with new policies based on business requirements. It gives employees, partners, clients and other stakeholders the identities they need to reach resources on premises or in the cloud, and ensures that users can access the applications and network resources their work requires. Digital identity creation, change, termination, validation, approval, propagation and communication are the major features offered by provisioning products.
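What “creation, change, termination” looks like in practice is the joiner/mover/leaver cycle, and the way it is implemented decides whether privilege creep happens. The following is an added example, not the article's or any vendor's code: a role-driven provisioner that recomputes a mover's entitlements from the role model instead of adding to them, strips everything on departure, records each step in an audit trail, and includes the recertification check that the audit, compliance and governance section below relies on. The roles, entitlements and users are constructed for illustration.

```python
"""Joiner/mover/leaver provisioning from a role model, with audit trail and recertification.
Added example with constructed roles; not from the article or any product."""
from typing import Dict, FrozenSet, List, Set

# Hypothetical role model: role -> the entitlements it confers.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "developer":  {"source-repo:read", "source-repo:write", "ci:run"},
    "accountant": {"payroll-db:read"},
    "controller": {"payroll-db:read", "payroll-db:write"},
}


class Provisioner:
    def __init__(self) -> None:
        self.accounts: Dict[str, Set[str]] = {}   # user -> entitlements actually held
        self.roles: Dict[str, str] = {}           # user -> current role
        self.audit: List[dict] = []

    def _log(self, event: str, user: str, **detail) -> None:
        self.audit.append({"event": event, "user": user, **detail})

    def joiner(self, user: str, role: str) -> None:
        """On-boarding: create the account with exactly the role's entitlements."""
        self.roles[user] = role
        self.accounts[user] = set(ROLE_ENTITLEMENTS[role])
        self._log("joiner", user, role=role, granted=sorted(self.accounts[user]))

    def mover(self, user: str, new_role: str) -> None:
        """Role change: replace the entitlement set rather than extend it, so access
        from the previous role is revoked instead of accumulating (privilege creep)."""
        old = self.accounts[user]
        new = set(ROLE_ENTITLEMENTS[new_role])
        self.roles[user] = new_role
        self.accounts[user] = new
        self._log("mover", user, role=new_role,
                  granted=sorted(new - old), revoked=sorted(old - new))

    def leaver(self, user: str) -> None:
        """Off-boarding: remove every entitlement and the account itself."""
        revoked = self.accounts.pop(user, set())
        self.roles.pop(user, None)
        self._log("leaver", user, revoked=sorted(revoked))

    def grant_exception(self, user: str, entitlement: str, approver: str) -> None:
        """Out-of-model grant; logged so recertification can surface it later."""
        self.accounts[user].add(entitlement)
        self._log("exception", user, entitlement=entitlement, approver=approver)

    def entitlements(self, user: str) -> FrozenSet[str]:
        return frozenset(self.accounts.get(user, set()))

    def recertify(self) -> Dict[str, Set[str]]:
        """Governance check: what each user holds beyond what their role explains."""
        excess: Dict[str, Set[str]] = {}
        for user, held in self.accounts.items():
            extra = held - ROLE_ENTITLEMENTS[self.roles[user]]
            if extra:
                excess[user] = extra
        return excess


def lifecycle_demo() -> Provisioner:
    """Constructed walk-through: a developer moves to finance, keeps one exception,
    and a colleague leaves."""
    p = Provisioner()
    p.joiner("bob", "developer")
    p.mover("bob", "accountant")                       # repo access must disappear
    p.grant_exception("bob", "ci:run", approver="eng-manager")
    p.joiner("alice", "accountant")
    p.leaver("alice")
    return p


if __name__ == "__main__":
    demo = lifecycle_demo()
    print("bob holds:", sorted(demo.entitlements("bob")))
    print("needs recertification:", demo.recertify())
    for entry in demo.audit:
        print(entry)
```

The point of `recertify()` is that exceptions are where entitlement sprawl hides; reviewing only the differences between held and modelled access is far less work for a business manager than signing off on a full entitlement dump.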
Directory services: Directory is the term used for the storage and management of identity information and its credentials. It includes technologies used for storage, synchronization and virtualization of identity information present across multiple locations. Directory services can be further categorized into storage, meta-directories and virtual directories.
Single sign-on: SSO is a form of authentication that lets users reach multiple platforms or applications, on the organization’s premises or in the cloud, with a single set of credentials rather than a separate credential for each system and application. It comprises web and federated single sign-on, and Enterprise Single Sign-on (E-SSO).
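As an added example (not code from the article or any vendor named on this page), the following sketches the federated variety: one identity provider checks the user’s single credential and issues a signed assertion scoped to one application, and each application verifies the signature, issuer, audience and expiry instead of keeping its own password store. It uses a shared HMAC key and a JSON payload so it runs stand-alone; real deployments use SAML or OpenID Connect with asymmetric signatures. The users, key and issuer name are constructed.

```python
"""Minimal federated single sign-on: one login at the identity provider, signed
assertions verified by each application. Added example with constructed data."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    def __init__(self, issuer: str, key: bytes, users: dict) -> None:
        # `users` maps name -> password; a real IdP stores salted hashes, not plaintext.
        self.issuer, self.key, self.users = issuer, key, users

    def login(self, user: str, password: str, audience: str, now: int,
              ttl: int = 300) -> Optional[str]:
        """Verify the one credential, then mint an assertion for a single application."""
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        payload = {"iss": self.issuer, "sub": user, "aud": audience,
                   "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ServiceProvider:
    def __init__(self, name: str, issuer: str, key: bytes) -> None:
        self.name, self.issuer, self.key = name, issuer, key

    def accept(self, token: str, now: int) -> Optional[str]:
        """Return the asserted user, or None if any check fails."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64(sig), expected):
                return None                           # forged or tampered
            claims = json.loads(_unb64(body))
        except (ValueError, TypeError):
            return None                               # malformed token
        if not isinstance(claims, dict):
            return None
        if claims.get("iss") != self.issuer:
            return None                               # not our identity provider
        if claims.get("aud") != self.name:
            return None                               # minted for a different application
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return None                               # expired or no expiry
        return claims.get("sub")


def sso_demo() -> dict:
    """Constructed exchange: one login, two applications, several failure modes."""
    key = b"constructed-shared-key"                   # hypothetical; never hard-code in production
    idp = IdentityProvider("idp.example", key, {"alice": "correct horse battery"})
    payroll = ServiceProvider("payroll", "idp.example", key)
    wiki = ServiceProvider("wiki", "idp.example", key)
    t0 = 1_700_000_000
    token = idp.login("alice", "correct horse battery", audience="payroll", now=t0)
    # Attacker keeps the valid signature but swaps the body to claim a different subject.
    _, sig = token.split(".")
    forged_body = _b64(json.dumps({"iss": "idp.example", "sub": "admin", "aud": "payroll",
                                   "iat": t0, "exp": t0 + 300}, sort_keys=True).encode())
    return {
        "bad_password": idp.login("alice", "wrong", audience="payroll", now=t0),
        "payroll_accepts": payroll.accept(token, now=t0 + 10),
        "wiki_accepts": wiki.accept(token, now=t0 + 10),          # audience mismatch
        "after_expiry": payroll.accept(token, now=t0 + 301),
        "tampered": payroll.accept(f"{forged_body}.{sig}", now=t0 + 10),
        "garbage": payroll.accept("not-a-token", now=t0 + 10),
    }


if __name__ == "__main__":
    for outcome, value in sso_demo().items():
        print(f"{outcome}: {value}")
```

The audience check is the one most often skipped and most often exploited: without it, an assertion obtained for a low-value wiki is replayable against payroll.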
Advanced authentication: Advanced authentication combines multi-factor credentials to prevent unwanted access and fraud. This is a scalable and flexible approach that incorporates both risk-based authentication and strong authentication. It includes technologies used for biometric recognition of identities and smart cards, which together with a password form multi-factor authentication.
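Risk-based authentication is the part of this that decides, per login, whether the password alone is enough. The following added example (not the article's or any product's code) scores signals about an attempt against the user's history and maps the score to allow, step up to a second factor, or deny, flagging anything above the step-up line for a suspicious-login notification. Weights, thresholds, users and attempts are constructed for illustration.

```python
"""Risk-based authentication: score login signals, then allow / step up / deny.
Added example with constructed weights and history; not from any product."""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    mfa_enrolled: bool
    recent_failures: int = 0       # failed logins in a recent window (hypothetical)


@dataclass
class Attempt:
    user: str
    device_id: str
    country: str
    sensitive_resource: bool       # high-value target raises the bar


# Hypothetical weights and thresholds; tune them from your own incident data.
WEIGHTS = {"new_device": 30, "unusual_country": 40, "per_failure": 10,
           "sensitive_resource": 20}
STEP_UP_AT, DENY_AT = 30, 80


def risk_score(attempt: Attempt, profile: UserProfile) -> int:
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]
    if attempt.country not in profile.usual_countries:
        score += WEIGHTS["unusual_country"]
    # Cap the failure contribution so a password-spraying storm alone cannot
    # lock a legitimate user out of the step-up path.
    score += min(profile.recent_failures, 4) * WEIGHTS["per_failure"]
    if attempt.sensitive_resource:
        score += WEIGHTS["sensitive_resource"]
    return score


def authentication_decision(attempt: Attempt, profile: UserProfile) -> dict:
    """Map the score to an action; anything at or above the step-up line is also
    flagged so the user can be notified of a suspicious login."""
    score = risk_score(attempt, profile)
    if score >= DENY_AT:
        action = "deny"
    elif score >= STEP_UP_AT:
        action = "step_up" if profile.mfa_enrolled else "deny"   # no second factor to ask for
    else:
        action = "allow"
    return {"score": score, "action": action, "notify_user": score >= STEP_UP_AT}


# Constructed profiles.
PROFILES: Dict[str, UserProfile] = {
    "alice": UserProfile({"laptop-1"}, {"FI"}, mfa_enrolled=True),
    "bob":   UserProfile({"desktop-7"}, {"FI"}, mfa_enrolled=False),
}


def demo() -> Dict[str, dict]:
    """Four constructed attempts covering each outcome."""
    return {
        "alice_usual": authentication_decision(
            Attempt("alice", "laptop-1", "FI", False), PROFILES["alice"]),
        "alice_new_device": authentication_decision(
            Attempt("alice", "phone-9", "FI", True), PROFILES["alice"]),
        "alice_travel_after_failures": authentication_decision(
            Attempt("alice", "kiosk", "BR", False),
            UserProfile({"laptop-1"}, {"FI"}, mfa_enrolled=True, recent_failures=3)),
        "bob_new_device_no_mfa": authentication_decision(
            Attempt("bob", "phone-2", "FI", False), PROFILES["bob"]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case is the operational lesson: a user who has not enrolled a second factor leaves the system no middle option, so medium-risk logins for that user either get waved through or blocked. Enrollment coverage, not the scoring formula, is usually what limits how aggressive the policy can be.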
Password management: Password management solutions usually store encrypted passwords and require the user to create a single master password, ideally a very strong one, which unlocks the user’s entire password database. Password management applications also let end users reset their own passwords, which significantly lightens the help desk workload from password reset requests. They help in managing passwords, streamlining help desk duties, synchronizing passwords with other systems, and strengthening data access policies.
Audit, compliance and governance: These tools help companies document and audit their internal controls to prevent fraud. Events and activities associated with identities or resources are logged to a centralized repository, and the tools provide comprehensive support for auditing, including re-certification and central analysis of identity-related audit data. The category includes technologies for monitoring, logging and reporting on access as well as governance-related solutions.
Governance is an area that merits particular executive attention and oversight. Some business managers do no more than check compliance boxes without looking.
“Ineffective governance and user lifecycle controls have left users overprovisioned, increasing the number of unused accounts and the risk of insider threats,” said Ducharme. “This creates vulnerable identity islands open for attack.”
Identity and access management as a service
But the market is changing for both open source identity management and IAM products in general. Identity and Access Management as a Service (IDaaS) accounted for less than 20% of the overall market at the end of 2016, but by 2020 it is expected to account for 40% of all IAM purchases.
Gartner analyst Gregg Kreizman said IDaaS bypasses a lot of complexity and potential security gaps by being able to create connections one time to SaaS vendors for authentication, SSO and account management. Some of these services can also act as a bridge to on-premises identity management or access management tools. As a result, Kreizman said nearly half of those adopting IDaaS will use it to replace on-premises IAM.
Identity and access management best practices
The days of using 123 as a password are long behind us, or so we hope. The industry has been quick to adopt the practice of demanding longer passwords composed of upper-case letters, lower-case letters, special characters and digits (ULSD).
But just as analytics can help security and IT professionals identify suspicious activity on the network, it can also help the bad guys identify common user habits in how passwords are chosen and changed.
Research by Preempt makes clear just how easy it is to crack a password. Users either reuse the same passwords across multiple sites, rotate through a few passwords, or adjust a password slightly when forced to change it, for example by adding a digit. The study also found that low-complexity passwords could be cracked in less than a day, medium-complexity passwords in under a week and high-complexity passwords in less than a month.
Figure: Time required to crack passwords (10 characters) using standard hardware
Best practices, therefore, include:
- Enforce a password expiration policy.
- Educate personnel on password strength, ULSD, password sharing, and common patterns to avoid.
- Use additional means of authentication, such as two-factor authentication via a text message to a cell phone, and notify users of suspicious logins.
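An expiration policy on its own produces exactly the “Summer2016!” to “Summer2017!” rotations Preempt describes, so the check that accepts a new password has to look for them. The following is an added example (not the article’s or Preempt’s code): a password-change check that enforces length and ULSD classes, rejects reuse from history, and, after normalising case, leading/trailing digits and symbols, and common letter-for-symbol substitutions, rejects anything within a small edit distance of a previous password. The thresholds and sample histories are constructed for illustration.

```python
"""Password-change check that catches reuse and trivial rotations.
Added example with constructed thresholds and history."""
import re
import string
from typing import List

MIN_LENGTH = 12          # hypothetical policy values
MIN_CLASSES = 3          # of upper, lower, digit, special (ULSD)
MAX_EDIT_DISTANCE = 2    # normalized passwords this close count as a trivial variation


def character_classes(pw: str) -> int:
    """How many of the four ULSD classes the password draws from."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
    return sum(any(c in cls for c in pw) for cls in classes)


def normalize(pw: str) -> str:
    """Collapse the changes people make when forced to rotate: case, digits or
    symbols tacked onto either end, and substitutions such as @ for a or 0 for o."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return core.translate(str.maketrans("@$013!", "asolei"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_new_password(candidate: str, history: List[str]) -> List[str]:
    """Return the policy violations for a proposed password; an empty list means accept."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(candidate) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes (ULSD)")
    if candidate in history:
        problems.append("reused from password history")
    norm = normalize(candidate)
    for old in history:
        if candidate != old and edit_distance(norm, normalize(old)) <= MAX_EDIT_DISTANCE:
            problems.append("trivial variation of a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed history in the rotation style the Preempt research describes.
    history = ["Summer2016!", "Summer2017!", "Winter2017!"]
    for pw in ["Summer2018!", "Summer2017!", "glacier-violin-47-Tango"]:
        print(pw, "->", check_new_password(pw, history) or "accepted")
```

Stored password history must be hashed in any real system; the comparison above would then run against the hash of the normalized form of each retired password, computed at the time it was retired, rather than against plaintext.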
What this all adds up to is that traditional approaches or how we did things last year may no longer be enough. Certainly, time-honored best security practices oftentimes should remain a firm part of organizational policy. But they should be regularly reviewed and their execution may have to be updated in light of how the field is evolving.
“What used to work just a couple of years ago won’t work today, so you have to reimagine your approach to identity and access management, and find ways to make IAM more continuous, proactive and intelligent,” said Ducharme. “This includes making authentication more convenient yet still secure, making sure to focus on what matters most in access certifications and stop overburdening the business with reports they don’t understand.”