How to Get Identity & Access Management (IAM) Right, Finally

Redesign of secure access approach has become a high-priority for IT leaders. Now the question is more about how to get this right for remote, decentralized workforces. Learn how cloud-based Identity and Access Management solutions can help IT executives grapple with complex user and access management challenges in a hybrid IT environment.

August 19, 2020

There is a movie I watched once in which Jackie Chan is the leading actor. This movie is called Who am I and it was about the character who lost his memory and his search to find out who he is. This reminds me of the current state of the IT industry where, due to the current COVID-19 pandemic, a lot of the workforce is working in a more decentralized fashion. This makes it much more important for companies to know who you are before they let you onto their network.

Even at the beginning of the computing age there was some form of Identity and Access Management (IAM), and as computing systems became more complex, the need for IAM grew with them. With remote work becoming the new normal, IAM has become one of the trending topics in today’s IT environments. IT decision makers have realized that IAM is now more important than ever, and with many of the formerly in-house IT services moving off-premises, there is far more focus on IAM.

IAM has become a core aspect of a company’s security architecture and crucial for managing digital identities. Through this framework, employees and third-party providers who need access can be identified, verified and gain access to enterprise infrastructure.

In the past, companies had security systems which were like a walled garden. A favorite example I like to use for comparison is an egg. A fresh egg has a hard outer shell but the insides are all gooey. There was no need for outside access into the gooey centre so the hard shell was enough. However, if the hard shell is cracked then all the gooey goodness leaks outside. There was a time when the legacy IAM essentially consisted of a username and password with no access management capabilities.


How IAM Has Evolved Over Time

In the high-risk modern environment, legacy IAM models are no longer viable and can cost companies millions of dollars. On top of that, the advent of cloud services has compounded the threats to security.

To keep up with the times, IAM has had to step up its game, first by moving towards two-factor authentication (something you know and something you have). Yet even this is fast becoming deficient, because employees are increasingly working remotely and the BYOD (Bring Your Own Device) trend is more mainstream than ever, turning the hard shell of security into more of a sieve. So to harden security defenses, IAM has to take on a leading role in the company’s security model.

For IAM to work well, there has to be a method of identifying the entity that needs access. That entity then needs to be tracked for as long as it has access to the company’s IT infrastructure. Because the company’s infrastructure may be complex, spanning different networks and even third-party services, a common standard needs to be used; SAML, OpenID and OAuth are examples of such standards. Once the entity is identified, the access it is granted needs to be determined.

There are two main models for determining access. In the policy-based access method, a set of rules is established for a particular entity describing what it can or cannot access. In the risk-based access method, entities are granted or denied access to services depending on the risk they present.


Road to IAM & How It Works

Let’s illustrate how IAM works. Suppose an entity called Joe Citizen is identified and logs into the company’s network. Under a policy-based system, Joe could be anywhere, and as long as the correct credentials are given, Joe is allowed access. If the network uses a risk-based access method and Joe tries to log on from an IP address or location that is not his normal one, his access is automatically reduced until that IP address or location can be verified.

I personally experienced this when I visited a different country and tried to access my bank account via the mobile phone application. My access was immediately revoked even though I had the right username and password and the only way I could regain access was to call the bank in question and go through all the security hoops to prove that I was who I said I was. Only then was I given access to my account. 

This means that the risk-based access model is inherently more flexible, and more secure against situations that cannot be foreseen. A good risk-based access model is often combined with some form of AI to learn an entity’s behavior patterns.
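To make the difference between the two models concrete, here is an added example (not code from the original article) that runs the Joe Citizen scenario above through a policy-based check and a risk-based check side by side. The roles, resources, network ranges, countries and risk thresholds are all constructed for illustration; the `verify_context` step plays the part of the out-of-band phone call in the bank anecdote, after which the previously unfamiliar context is trusted again.

```python
"""Policy-based vs risk-based access decisions for a login event.

Added example, not code from the original article. The policy table,
the user baseline and the risk thresholds are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed policy: which resources each role may reach.
POLICY = {
    "staff": {"email", "intranet"},
    "finance": {"email", "intranet", "payroll"},
}


@dataclass
class UserProfile:
    name: str
    role: str
    usual_networks: list          # ip_network objects the user normally logs in from
    usual_country: str            # country the user normally logs in from
    verified_contexts: set = field(default_factory=set)  # (ip, country) pairs confirmed out of band


@dataclass
class LoginContext:
    credentials_ok: bool          # did the username/password (and any second factor) check pass
    ip: str
    country: str


def policy_decision(user, ctx, resource):
    """Policy-based: valid credentials plus a rule permitting the resource means allow, wherever the user is."""
    if not ctx.credentials_ok:
        return "deny"
    return "allow" if resource in POLICY.get(user.role, set()) else "deny"


def risk_score(user, ctx):
    """Risk-based: score how far the login context departs from the user's baseline."""
    if (ctx.ip, ctx.country) in user.verified_contexts:
        return 0                  # this context was confirmed out of band, treat it as familiar
    score = 0
    addr = ipaddress.ip_address(ctx.ip)
    if not any(addr in net for net in user.usual_networks):
        score += 2                # unfamiliar source network
    if ctx.country != user.usual_country:
        score += 3                # unfamiliar location
    return score


def risk_decision(user, ctx, resource):
    """Risk-based: still requires credentials and a permitting rule, then degrades access as risk rises."""
    if not ctx.credentials_ok or resource not in POLICY.get(user.role, set()):
        return "deny"
    score = risk_score(user, ctx)
    if score == 0:
        return "allow"
    if score <= 2:
        return "allow-read-only"  # unfamiliar network but familiar country: degrade rather than block
    return "step-up-required"     # unfamiliar location: hold access until the context is verified


def verify_context(user, ctx):
    """Record that an out-of-band check (e.g. a help-desk call) confirmed this login context."""
    user.verified_contexts.add((ctx.ip, ctx.country))


def make_joe():
    """Fresh baseline for the hypothetical user Joe Citizen (constructed values)."""
    return UserProfile(
        name="Joe Citizen", role="finance",
        usual_networks=[ipaddress.ip_network("10.0.0.0/8")],
        usual_country="AU",
    )


if __name__ == "__main__":
    joe = make_joe()
    office = LoginContext(True, "10.1.2.3", "AU")
    abroad = LoginContext(True, "203.0.113.7", "TR")   # TEST-NET-3 documentation address
    for label, ctx in (("office", office), ("abroad", abroad)):
        print(label, policy_decision(joe, ctx, "payroll"), risk_decision(joe, ctx, "payroll"))
    verify_context(joe, abroad)
    print("abroad, after verification", risk_decision(joe, abroad, "payroll"))
```

The policy check gives the same answer for both logins because the credentials and the role rule are all it looks at; the risk check lets the office login through, holds the foreign login at "step-up-required", and only returns to "allow" once the context has been verified. In a production system the scores and thresholds would be tuned from real login history rather than fixed constants.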


Build vs. Buy: Why You Should Opt for IDaaS Providers

The biggest problem with IAM is that, with a complex mix of internal company networks and third-party access, you end up with all your eggs in one basket. In other words, a centralized IAM could increase the risk of security breaches if it is not done properly.

It is important that those implementing next-gen IAM architecture have the skill and knowledge to be able to do it properly. For that, there are quite a few vendors which provide IAM services, also known as IDaaS. Oracle, IBM and Microsoft are the biggest guns in this IDaaS market. Besides the incumbents, players like CA Technologies, OneLogin and SecureAuth also offer cloud-based IAM solutions.

Whether IAM is provided in-house or via an IDaaS provider, be sure to carefully plan out and decide which assets need which type of access. A good IDaaS provider will include that as part of their service. Ensure that all hardware is taken into account, including mobile devices brought in by employees and partner companies. These days mobile devices are really mobile computers and are capable of stealthily compromising any network from the inside, often without the knowledge of the device’s owner. Decide what form of identification is best for authenticating the entity. Single-factor authentication is definitely no longer viable, and even two-factor authentication is becoming obsolete.

The industry, especially given the capabilities of current and upcoming devices, is now moving towards three-factor authentication. Three-factor authentication consists of something you know (a PIN or password), something you have (a token, certificate or unique device) and something you are (an iris scan, fingerprint or facial recognition). This may seem like something out of a science fiction movie; however, it is fast becoming the new standard for security. So keep these best practices in mind when you are evaluating or migrating to next-gen cloud-based IAM solutions.

Do you think in-house IAM is more costly than cloud-based solutions? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!

Locutus

Computer engineer

As someone who has been assimilated into the computer age when punch cards and marking Xs were all the rage, I have now become completely assimilated with my electron gobbling companions. My first computer was a Dick Smith System 80 blue label with its excellent basic programming manual. I had always been fascinated with graphics and I wrote my first drawing program (using a joystick as I had no mouse) on the venerable apple ][e. After discovering the x86 IBM clones and wangling my way into the computer industry I hopped several cities before meeting my other half and followed her from Australia to Turkey where I am immersed in my work as a Computer Engineer, System Administrator, OS builder (Linux from Scratch and Android) and general techno-head.
