Identity and access management (IAM) is the practice of making sure that people and entities with digital identities have the right level of access to enterprise resources like networks and databases. User roles and access privileges are defined and managed through an IAM system.
An IAM solution allows IT administrators to securely and effectively manage users' digital identities and related access privileges. With IAM, administrators can set up and modify user roles, track and report on user activity, and enforce corporate and regulatory compliance policies to protect data security and privacy.
An IAM solution might be a collection of several processes and tools, including a network access control (NAC) solution. IT administrators use NAC solutions to control access to networks through capabilities such as policy lifecycle management, guest networking access, and security posture checks. IAM solutions can be delivered as cloud services or deployed on-premises, or they can be hybrid solutions--both on-premises and in the cloud. Many businesses choose cloud-based applications for IAM because they are easier to implement, update, and manage.
A digital identity is a central source of truth in identity and access management. It refers to the credentials that a user needs to gain access to resources online or on an enterprise network. IAM solutions match these credentials, known as authentication factors, to users or entities that are requesting access to applications, primarily at the Layer 7 level. The factors help verify that users are who they say they are.
Three of the most commonly used authentication factors for IAM are something that the user knows (such as a password); something the user has (such as a smartphone); and something the user is (a physical property, such as a thumbprint). A user typically needs to provide a combination of authentication factors for an authenticator application to confirm their identity and grant them access to the protected resources they are privileged to view or use.
Many enterprises use two-factor authentication (2FA), which is a basic form of multi-factor authentication (MFA). The 2FA process requires a user to provide a username and password, and then enter a code generated by the 2FA application or respond to a notification on a device such as a smartphone.
With an IAM system, businesses can apply the same security policies across the enterprise. Using tools such as a NAC solution allows them to restrict which users can access resources and when. That helps greatly reduce the chance that unauthorized parties will see--or accidentally or intentionally misuse--sensitive data.
IAM methods like single sign-on (SSO) and MFA also reduce the risk that user credentials will be compromised or abused, as users don't need to create and keep track of multiple passwords. And because users need evidence-based authorization--like security questions, one-time passwords, or inherent factors like thumbprints--to access protected resources, there is less chance a malicious actor will gain access to critical resources.
IAM systems can help organizations meet the requirements of many compliance mandates related to data security and privacy. For example, IAM can aid in Health Insurance Portability and Accountability Act (HIPAA) compliance, which requires organizations that handle protected health information to implement secure electronic access to health data.
Businesses can use IAM methods like SSO, MFA, role-based access control (RBAC), and "least privileges" (giving users and entities such as software applications the minimal amount of access required to perform a task) to meet the HIPAA mandate.
IAM is also useful to financial services institutions, which need to comply with the Sarbanes-Oxley Act (SOX). Section 404 mandates that businesses implement, test, and document adequate internal controls for preparing financial reports and protecting the integrity of the financial data in those reports. Enforcement of segregation of duties (SoD) policies is one of the many ways that IAM tools and systems can help businesses adhere to SOX requirements.
With security measures like SSO, MFA, or RBAC, organizations can enhance security while also reducing barriers that prevent workers from being productive. Employees get fast access to the resources they need to do their jobs from wherever they need to work. With IAM, employees can feel more confident they are working in a secure environment.
An IAM system that enables automated user provisioning also makes it easy for employees to request and gain authorized access to different resources when needed--without burdening IT or making IT a bottleneck to employee productivity.
IAM solutions can automate and standardize many tasks related to identity, authentication, and authorization management. That means IT administrators can devote their time to more value-adding tasks for the business. Additionally, many IAM services are now cloud-based, so the need to purchase, implement, and maintain on-premises infrastructure for IAM can be greatly reduced or eliminated.
IAM systems are designed to allow or block access to protected data and applications. More sophisticated IAM solutions allow businesses to get even more granular with permissions. For example, they can set conditions on the time of a day that a specific user can access a service, and from what location.
An organization may use an IAM solution to limit which users can access platforms used for the development, staging, and testing of products and services.
Many businesses use IAM to enhance their data security, setting strict permissions for which users can create, change, or delete data, and who can transmit it. By applying RBAC, for example, a temporary employee may not be allowed to send or receive any data outside of the company's systems.
IAM systems provide reports that help organizations prove their compliance with data security and privacy regulations. Insights from these reports can help businesses improve security processes and reduce risks. The insights also help them better understand what resources workers need to be the most productive in their jobs.
With MFA, users are asked to provide a combination of authentication factors to verify their identities. In addition to usernames and passwords, enterprises commonly use the time-based one-time password (TOTP) method, which requires users to provide a temporary passcode that has been sent via SMS, phone call, or email. Other MFA systems require users to provide biometric authentication of their identity--also referred to as inherent factors--such as a fingerprint or facial ID scan. Cisco Duo includes best-in-class MFA capabilities.
SSO is an identification system commonly used in enterprises to verify users' identities. It allows an authorized user to securely log in to multiple SaaS applications and websites using only one set of credentials (username and password). SSO can be viewed as an automated version of MFA. SSO systems authenticate users with MFA and then, using software tokens, share that authentication with multiple applications. SSO can also be used to prevent access to designated assets or locations, such as outside websites and platforms. Cisco Duo includes SSO that enables secure access to a wide range of applications.
The upside of using the SSO approach for IAM--aside from a more seamless login process for end users--is that it gives IT administrators the ability to set permissions, regulate user access, and provision and deprovision users with ease.
Federation allows for SSO without passwords. Using a standard identity protocol, like Security Assertion Markup Language (SAML) or WS-Federation, a federation server presents a token (identity data) to a system or application with which it has an established trust relationship. Because of that trust, users can then move freely between connected domains without having to reauthenticate.
Many large enterprises use RBAC, which is a method for restricting access to networks, sensitive data, and critical applications based on a person's role and responsibilities within an organization. RBAC is also known as access governance. Defined roles in RBAC may include end users, administrators, or third-party contractors. A role can be based on a user's authority, location, responsibility, or job competency. Sometimes roles are grouped together--for example, Marketing or Sales--so users with similar responsibilities in an organization who frequently collaborate can access the same assets.
By applying a zero trust security framework as part of RBAC, where very strict access controls are maintained with all users who request access to work assets, businesses can further prevent unauthorized access--and even contain breaches and reduce the risk of an attacker's lateral movement through the network.
IAM solutions with basic capabilities for managing user access to company resources can be easily set up "out of the box." But if your organization is large and complex, you might need a more advanced solution or a combination of systems and tools.
Before investing in an IAM system, thoroughly consider what your business needs today--as well as what it might need in the future. Think about IT infrastructure needs in addition to the capabilities of the solution itself. Two important questions include: Will the solution be easy to maintain? And will it scale to meet our business needs as we add more applications and users?
Before you invest in an IAM solution, confirm that it is compatible with your current operating system, third-party applications, and web servers. You may want to create a list of all the applications you'll need to integrate with the IAM, so that nothing is overlooked.
Also confirm that the IAM system you want to implement complies with any applicable local and federal regulatory requirements. An IAM solution should enhance compliance--not create more potential risks for your business.
Shifting to a new way of authenticating and authorizing users may require change management. Consider rolling out the new IAM solution to select areas of the business first--such as finance--before implementing it throughout the entire organization.
Keep in mind that IAM will impact everyone and everything that needs to access the company's IT resources. To help encourage adoption of the new IAM tools and processes, take time to first get buy-in from all key stakeholders.
You will want to track the effectiveness of your IAM solution and determine whether the system is delivering a return on investment. Once your system is up and running, consider tracking and regularly reporting on the time it takes to provision new users, the number of password resets, and the number of potential SoD violations.
In a complex network that has private IT infrastructure, or in an Internet of Things (IoT) and operational technology (OT) environment, using an IAM system alone to manage user access to IT assets could actually create a security risk. More specifically, it could leave the organization open to botnet attacks.
A NAC solution can enhance security in these environments. For example, it can apply defined profiling and access policies for various IoT device categories. And it can mitigate network threats by enforcing security policies that block, isolate, and repair noncompliant machines, without administrator attention.