What is IAM? (AKA: Back to the basics)

-

Image by Dayne Topkin <https://unsplash.com/@dtopkin1> via <https://unsplash.com/photos/u5Zt-HoocrM>

In previous articles, we directly dived into some quite-specific concepts of Identity and Access Management (IAM). I'm aware, however, that we are yet to set a basic scenery with the main components of the IAM domain. Kind of a chapter 0 defining the building blocks. Let's take the time to do that, without going into excruciating details for now (although we will cover them in later articles).

So: What is IAM? 

We know that in the domain of Information Security, Identity and Access Management is the field that aims to ensure that the right users have appropriate access to different resources (data, applications, etc.). In other words, it guarantees that these users can only access what they have been authorized for, in line with risk-based decisions made by the owners of those resources.

But what does it all mean? How do we achieve this, and what are the different components of such an enterprise?

Although very often we find them muddled and mixed up (especially in real-world situations), IAM has five clearly distinguishable pillars:

  1. Identity Management (IdM) is the way in which the organization (or system) knows about who might access resources. It's the processes around identifying these individuals (which might be users, services, or any other possible type of actor), sufficiently validating their identity, gathering and handling information about them, and running them through the identity lifecycle, including onboarding, change and offboarding (AKA: the Joiner-Mover-Leaver processes). This pillar is probably the most critical one, since it's a dependency for all the others. It has a lot of implications in terms of regulations (what information you can manage, why you do it, how you do it...) and it needs to be well thought-out so that the information is relevant for your long-term vision (Example: if you already manage 50,000 employee identities and you then decide that you need to introduce a new attribute to identify their Job Profile, this change will be much harder than identifying this need at the beginning).
  2. Authentication (AuthN) is the process of validating, at one point in time, the identity of the user accessing a resource. In other words, it's verifying that the user is who they say they are. There are many ways to do this, ranging from the user providing a username and password that we store, to requiring the user to confirm a push notification on their phone. There is also non-interactive authentication, mainly for services to prove their identity, even though there will be no human user actively providing that proof-of-identity in real time.
  3. Authorization (AuthZ), also known as Access Management (AM), is the process of defining which users are entitled to access which resources. In other words, defining "who can do what" according to our risk appetite. There are also multiple methods to do this, from simple lists of users who can do X, to automatic rules that get evaluated in real-time to decide whether the user should have access or not. It will be very important to choose the right one, depending on the complexity, size and dynamism of our organization, or we will find ourselves paying the price in the form of an unmanageable and less-than-secure authorization setup.
  4. Access Provisioning, is the often-disregarded area of IAM. It is the piece that makes it all useful and valuable, by making those decisions of "who can do what" available to the applications. Let's say you have defined that "John can access our monthly financial statements". But... how do the different systems which allow accessing financial statements know that John is authorized to do so? Access Provisioning is about putting this information in the right places, or communicating it to these systems so the appropriate access can be enforced. The different ramifications and possibilities for this capability are as many as organizations exist, but in future articles we will cover the different approaches and what they mean.
  5. Governance, also known as Access Control (AC), is the set of practices for controlling that all the aforementioned pillars work as expected towards reducing the risk that the organization is exposed to. It has not purpose by itself, but as measurement devices to ensure that all the other components work reasonably well. IAM Governance ensures that we are adhering to the principle of Least Privilege (that is, that we are granting authorization on a need-to-access basis). For example: How are we making sure that employees leaving the organization are properly removed from all systems? (maybe it's an automated process, maybe a manual review every Monday). And how are we making sure that those controls themselves don't fail? It might lead to controls on top of controls on top of controls... Up to which point? How much risk-reduction and how effective and exhaustive do we need these to be? Well, that will depend on the risk appetite of our organization and the applicable regulatory and legal obligations. Remember that absolute assurance, is never possible; we're always going for reasonable assurance (more on that in later articles).

Every organization needs to think carefully about all five of these capabilities. If you overlook just one of them, the whole thing collapses. If you have very strong and restrictive authorization policies, but your authentication is a joke and anyone can impersonate anyone, you basically have nothing. If you have extremely strong authentication but their is no identity verification when signing up to your environment, you basically have nothing.

These pillars form the chain securing your IAM function and, like any chain, it will only be as weak as the weakest of its links. It's up to us to make sure we're confident and comfortable with the strength that we have imprinted in them, so that when the situation will tighten the chain (and it will), it can take the tension without breaking.

Comments

Post a Comment

Popular posts from this blog

Understanding IAM Governance (AKA: How we monitor, control and decide)

-
Image
I remember when I first heard about Corporate Governance as a young engineer fresh out of college. I simply could not make sense of the concept and what it meant. It seemed to me like empty words which ultimately meant "ensure we do the right thing". Pffff. Useless! Of course we will do the right thing! Every employee and every organization makes plans to do the right thing! Anything else would be ridiculous, right? Right now, many of my readers are shaking their heads in pity for the naivety of my younger self. Because we now know that "doing the right thing" does not happen magically, and it certainly does not persist magically. It needs to be carefully defined, planned, communicated, enforced, controlled, monitored, and reviewed. However, I'd ask for a little bit of compassion for this younger (and dumber) version of me because, in my current experience, I have seen that so many people fail to grasp the meaning of Corporate Governance and, in our current conc
Read more

How to establish a trust anchor (AKA: Digital onboarding of remote employees)

-
Image
The following scenario should sound familiar for most of the readers who had to work from home during the recent pandemic. Your day starts and you sit down in front of your workstation. You turn it on and you are prompted for your credentials. Some form of more-or-less sophisticated multi-factor authentication (MFA) helps ensure that you indeed are who you're claiming to be. That way, your organization makes sure that only the right people can access its resources. Putting aside the many challenges that this scenario presents under the hood, the truth is that we know quite well how to solve them. We know what methods, technologies and practices can be employed, and which can't or shouldn't. However, the recent pandemic has uncovered a fundamental weakness, common to most organizations. Before 2020, the typical process would go as follows. I want to work from home, so I'll need to have access to the company network or systems from my home office. But wait! In order to do
Read more

Of Entities, Identities and User Accounts (AKA: I need to know who IAM)

-
Image
I often see that the concepts of Entity , Identity and Form of Identity are assumed as understood by all parties, and yet rarely with the same definition for all. These are not specific to the realm of IAM, with the first two being universal and the latter being simply derived from their physical-world counterparts. The problem is, as we will see, that not having a clear understanding of what they mean and their importance, will lead us to make design mistakes which will have an impact in our security and governance. Let's go step by step and try to understand each of these terms, in the physical world, to map them later to the digital one. Entity An Entity is defined as "something that exists independently, not as part of a whole". This is the foremost node in the identity chain. John Smith  is an entity (a car is also an entity, as is a service or an application , in the digital world, but let's stay with John as a simpler example, for now). John can't be mor
Read more