IAM – what is identity and access management?

Adopting IAM technologies has many security and productivity benefits, but only some are relevant for most companies. We will discuss a few most common reasons to use IAM. 

Enhanced data protection 
According to Amazon Web Services (AWS) infrastructure security team, most ransomware attacks experienced by AWS customers in 2022 started by obtaining employee login credentials. IAM can stop bad actors in their tracks and minimize the risk of unauthorized access to critical business information by enforcing a multi-factor authentication policy for your workforce. 

Fewer Human Errors 
By automating the management of access rights to data, IAM helps companies eliminate account and permission misconfigurations. The automation also saves time and improves the productivity of security teams. 

More Secure Login Credentials 
While passwordless authentication is slowly gaining adoption, most business systems and applications still require passwords. One of the most useful IAM features is the ability to synchronize passwords between multiple systems and reset them via self-service. These capabilities reduce the number of “forgotten password” tickets sent to the IT helpdesk. Security teams can efficiently orchestrate and automate regular forced password changes, thus improving security. When all users across the company update passwords regularly and frequently, it reduces the window of opportunity for hackers to use stolen or guessed credentials successfully. 

Provable Regulatory Compliance
Compliance isn’t only about having secure processes and technologies in place – it’s also about demonstrating how these processes and technologies help protect your business and customers. Just because new compliance processes get put on paper doesn’t mean the workforce is following them. Many IAM vendors offer features to help you meet the requirements of industry regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), Service Organization Control 2 (SOC2), and Payment Card Industry Data Security Standard (PCI-DSS).

Frictionless access to resources
Most IAM systems today implement single sign-on (SSO) technology, which benefits both users and IT practitioners. SSO allows security teams to store and manage all the login credentials and digital access rights in one place and ensure that those rights are consistent for all users and that the credentials are adequately secured. For your users, it reduces the number of passwords to remember and provides frictionless access to all the corporate resources and applications with a single login and no additional password challenges. 

How does IAM Work?

The IAM technologies vary significantly from company to company. Still, each IAM implementation typically provides several core functions, including user directory services, authentication, authorization, and identity lifecycle management. To perform those functions, IAM must securely store user identity, credentials, and user profile data and govern access to these records according to industry- or country-specific regulatory compliance requirements. IAM systems must also provide visibility and control to IT teams and business stakeholders through reporting and analytics services.   

As the IAM implementations mature, they add advanced mechanisms for granting and revoking access based on the user’s role in the company, in a specific team, or in a project. In addition, as a part of the overall security infrastructure, IAM often integrates with other security systems and tools, such as threat analytics or risk management. Finally, to help with efficiency and scale, IAM automates  processes of assigning and tracking user privileges.

Over time, IAM implementations can become very complex and labor-intensive, requiring IT personnel to have significant experience and subject matter expertise.

IAM Best Practices

If implementing IAM in 2022, keep in mind that the most significant attack vectors globally are compromised credentials and weak access policies. For example, according to the AWS infrastructure security team, about 20% of all cyberattacks on AWS infrastructure attempted between July and September 2022 were aimed at gaining unauthorized access to AWS EC2. In addition, the same team reported that 15% of all the attacks exploited weak policies through root credential usage and public and anonymous access to Amazon S3 buckets. Therefore, you should regard the IAM toolkit as part of your defense-in-depth strategy. Following the IAM best practices can significantly improve your overall security posture. We will highlight a few fundamental recommendations below, but it is a partial list.

Use advanced MFA for privileged user accounts 
Bad actors deliberately target the credentials of power users in your organization because these individuals have more access rights. While simple two-factor authentication (2FA), such as one-time passcode, is sufficient for most employees, you should consider more advanced options, like biometrics or hardware keys, for your C-suite and cloud admins. Turning on an MFA option for your privileged users is the most critical security measure, which should be on the top of your security checklist.

Implement least privileged access
Least privilege is the practice of limiting a user’s access level to only the resources the user requires to perform an authorized activity. This model applies to all users, including humans, applications, processes, systems, and connected devices. Many industry experts consider the principle of least privilege (also called the principle of minimal privilege or the principle of least authority) one of the most important cybersecurity best practices. 

Deny access by default 
Never leave your corporate resources unprotected, be it an application, a GitHub repo, an AWS EC2 instance, or an Amazon S3 bucket, even if they don’t hold any sensitive or critical data. Ideally, nothing your employees use for work should have access enabled by default, and then you can explicitly give access to individual users or roles.

Conduct user access reviews regularly 
Regularly reviewing your users’ access privileges is an important part of access management, Also known as user access reviews (UAR), they should happen periodically, removing unnecessary, outdated, excessive, and erroneous privileges. Performing regular access reviews helps you protect your organization’s digital assets from potential breaches and fraud and keep your organization compliant.

Continuously monitor security configuration
Subtle changes in your configuration can often be the first sign that your company is under attack.Many IAM systems can alert your team to changes that open up excessive access, open a service ticket, or attempt self-remediation. You can also integrate IAM with security posture management tools for advanced alert aggregation and automated remediation. Continuous monitoring should be a part of your overall defense-in-depth strategy.

Use roles to control access 
Whenever possible, avoid granting each employee rights explicitly at the individual level. Modern access management tools allow you to associate access rights with job roles or group membership in a user directory. Both approaches make it easier to design consistent access levels for many employees with similar responsibilities. They are also scalable — when a user is added to or removed from a role or group, the change can propagate to all the systems automatically. Roles are more practical than groups, as they allow you to tailor them to specific job functions and customize access for each employee through membership in multiple roles.

What Tools do I Need to Implement for IAM?

Establishing best practices from day one makes a big difference in securing your company’s information. We recommend a few advanced tools your team may need to accomplish that.  Note that the list below is not exhaustive, but it will give you a good headstart. 

MFA
Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource, such as an application, a cloud service, or a database record. Rather than just asking for a username and password, MFA requires one or more verification factors, making it harder for malicious actors to get into your system.

Automated provisioning and de-provisioning
Granting and revoking access to various company resources occur in companies daily. Typically it happens when employees join or leave the company, change their roles or move teams. While it is possible to change access privileges manually, it does not scale and, more importantly, exposes your business to unnecessary risk. Manual processes are more likely to cause excessive access situations or allow former employees or contractors to access systems beyond their departure date. Unfortunately, this situation is very common; the good news is that it is easy to avoid with automation.  

Security policy enforcement 
A security policy defines what types of activities can be performed by what actors on your systems. Security policy enforcement allows you to put your policies into action by performing two functions: detecting violations and taking action when they occur. 

Identity analytics and reporting
Identity analytics and reporting capability give your team and stakeholders visibility into your identity infrastructure and its performance. It analyses identity data, summarizes and extracts relevant information, and visualizes identity information via reports and dashboards. You can use the information extracted from identity data to assess the risk level or to initiate actions, such as starting the remediation process. 

SoD
Separation of duties (SoD), also known as segregation of duties, is the concept of having more than one person required to complete a task. Organizations use this administrative control to prevent fraud, sabotage, theft, misuse of information, and other security compromises.