Key Takeaways:
- Identity and Access Management (IAM) is crucial for securing access to digital resources, encompassing devices, applications, and data across various platforms.
- IAM consists of four main components: Authentication, Authorization, Administration, and Auditing and Reporting.
- Advanced tools like Single Sign-On (SSO), Multifactor Authentication (MFA), and Identity Governance and Administration (IGA) are employed in IAM to enhance security and user experience.
- IAM systems ensure that users are accurately identified (Authentication) and granted appropriate access levels (Authorization) to company resources.
- Regular Auditing and Reporting within IAM systems is key for maintaining security integrity and compliance with regulatory standards.
This is Part 3 of the “Identity and Access Management (IAM)” blog series. You should read Part 1 and Part 2 for greater context and understanding.
IAM is not limited to logging users into applications, as some might think. It covers mobile devices, workstations and other endpoints, physical access to server rooms and storage areas, IoT devices, and more. IAM can be deployed on the company's premises, in the cloud, or consumed as a service from a third party.
Four Main Components of IAM
The four main components of IAM include: Authentication, Authorization, Administration, and Auditing and Reporting.
1. Authentication
This process verifies the identity of employees or users by asking for a unique identifier and the credentials that prove the user is who they claim to be. Credentials can be something the user knows (a password or PIN), something the user has (a swipe card, smartcard, RFID badge, hardware token or client certificate), or something the user is (a fingerprint or facial scan). Several of these can be combined as multifactor authentication (MFA).
If the credential checks out, the system opens a session through which the user can reach the resources within their permitted scope, and that session should be logged so every action can later be attributed to the user. Access can also be bounded in time: when the session has an allotted lifetime, the user is logged out automatically once it elapses; without one, the session lasts until the user logs out, and an idle timeout is the usual safeguard for sessions left open. Authentication is commonly abbreviated AuthN.
2. Authorization
This is the act of granting access to tools and resources. Where authentication confirms who the user is, authorization draws the boundary within which that user may operate: it is what distinguishes User A's access from User B's. Most IAM systems express this as role-based access control (RBAC), attaching permissions to roles and roles to users, so that a permission check reduces to "does any of this user's roles carry this permission?" Authorization is commonly abbreviated AuthZ.
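As an added illustration of the two components above (authentication that opens a time-limited session, then a role-based authorization check against that session), the following Python is example code written for this article; it is not Identity.com software, and the role names, permission strings, session lifetime and in-memory stores are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed role model (assumption): permissions hang off roles, users are assigned roles.
ROLE_PERMISSIONS = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "auditor": {"repo:read", "audit-log:read"},
    "admin": {"repo:read", "repo:write", "ci:run", "audit-log:read", "user:manage"},
}
SESSION_TTL_SECONDS = 8 * 3600   # assumed working-day session limit
PBKDF2_ROUNDS = 100_000          # kept low for the example; production uses far more


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class IAM:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so session expiry can be exercised
        self.users = {}           # username -> {"salt", "hash", "roles"}
        self.sessions = {}        # token -> {"user", "expires"}

    def add_user(self, username, password, roles):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "roles": set(roles)}

    # AuthN: prove the credential, then open a time-limited session.
    def authenticate(self, username, password):
        record = self.users.get(username)
        # Run the KDF even for unknown users so response time does not reveal valid usernames.
        salt = record["salt"] if record else b"\x00" * 16
        expected = record["hash"] if record else b"\x00" * 32
        _, digest = hash_password(password, salt)
        if record is None or not hmac.compare_digest(digest, expected):
            return None
        token = os.urandom(32).hex()
        self.sessions[token] = {"user": username, "expires": self.now() + SESSION_TTL_SECONDS}
        return token

    def logout(self, token):
        self.sessions.pop(token, None)

    # AuthZ: a valid, unexpired session whose roles grant the requested permission.
    def authorize(self, token, permission):
        session = self.sessions.get(token)
        if session is None:
            return False
        if self.now() >= session["expires"]:
            self.sessions.pop(token, None)   # allotted time elapsed: log the user out
            return False
        roles = self.users[session["user"]]["roles"]
        return any(permission in ROLE_PERMISSIONS.get(role, ()) for role in roles)
```

The clock is injected so that the automatic logout described above can be exercised deterministically; the KDF runs for unknown usernames too, so a failed login takes the same time whether or not the account exists.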
3. Administration
This component manages user accounts, groups, permissions, and password policies, and records the creation and modification of accounts. It enforces password policy (minimum strength, rotation where required, and a forced reset after a suspected compromise) and is the framework on which the other components rest: the accounts and groups it maintains are what authentication verifies and what authorization evaluates. Administration decides which groups and roles a user belongs to; authorization enforces the permissions those groups carry; and without authentication the user never reaches the system in the first place.
4. Auditing and Reporting (A&R)
The components above cover account creation, verifying a user at login, and deciding which resources or tools the user may reach. All of these are critical functions of an IAM system, but A&R looks at what users actually do with the access they have been given, what they do with the data or resources they reach, and how that record lets the organization track and detect unauthorized or suspicious activity.
As a component, auditing and reporting examines, records, and reports users' access logs and all security-related activity within the system. Beyond keeping the system safe, it supports compliance with the regulations governing the business. Which rules apply depends on the industry, and many mandate continuous auditing and reporting to protect users' data, among them CPRA, HIPAA, PCI DSS and GDPR.
Top IAM Tools or Sub-Components
IAM is part of a modern cybersecurity strategy that keeps control over who may reach sensitive data, materials, and even hardware. Below are some of the main tools an IAM system employs. They matter to organizations of every size, because the additional layers of verification they provide help keep sensitive data and applications out of the wrong hands. The list is not exhaustive, but it covers a good number of them.
- Single Sign-On (SSO)
- Certificate-based Authentication
- Two-Factor Authentication (2FA)
- Multifactor Authentication (MFA)
- Identity Governance and Administration (IGA)
- Certificate-based Access Control (CBAC)
- Identity as a Service (IDaaS)
- Privileged Access Management (PAM)
- Identity and Access Analytics (IAA)
1. What is Single Sign-On (SSO)?
SSO is an authentication service that lets users sign in once with one set of credentials and then reach multiple resources, applications, tools, or platforms without re-authenticating. It simplifies identity management across applications and gives users a seamless experience, removing the friction of repeatedly entering usernames and passwords while aiding productivity.
SSO is usually delivered through identity federation: a protocol such as SAML or OpenID Connect lets a central identity provider vouch for the user to many separate service providers. Federation is the mechanism and SSO is the result, so the two terms are related but not interchangeable. Organizations of any size, and individuals, use it to avoid managing many separate logins, and the "log in with" buttons on social and SaaS platforms rely on the same mechanism. One caveat: SSO concentrates risk in the identity provider account, which therefore deserves MFA and close monitoring.
2. What is Certificate-based Authentication?
This method does not ask for an email/username and password. Instead it relies on a digital certificate issued by a trusted certificate authority (CA): the CA signs a certificate that binds the user's identity information to the user's public key, and the user proves possession of the matching private key during login (for example in a TLS client-certificate handshake). A password is knowledge-based proof; a certificate provides the same proof by cryptography. Because the CA's signature cannot be forged without the CA's signing key, the certificate itself cannot be falsified, but the scheme is only as strong as the protection of the CA and of the user's private key, which is why private keys are kept in smartcards or hardware security modules and why revocation checking matters. The same cryptographic idea underlies W3C Verifiable Credentials, a data model for signed claims an issuer makes about a subject, which can likewise be used to confirm an identity or a claim.
3. What is Two-Factor Authentication (2FA)?
Two-Factor Authentication (2FA), also called two-step verification, confirms that a user is who they claim to be by requiring two authentication factors from different categories: something the user knows (a password), something the user has (a phone receiving a one-time password (OTP), an authenticator app, or a hardware token), or something the user is (a fingerprint or facial scan). A typical pairing is a username/email and password followed by an OTP from an authenticator app.
2FA protects the user's account and the data behind it by adding a second, independent check to the authentication process. Note that a password plus a security question is not 2FA: both are knowledge factors, and the second adds little. Most enterprises recommend 2FA because it is markedly stronger than single-factor authentication (SFA), where a single proof, typically an email/username and password, is enough to log in. The essence of 2FA is "Are you who you say you are? Then prove it twice." An attacker holding a stolen password still lacks the second factor, though not all second factors are equal: SMS codes can be intercepted or phished, while authenticator apps and phishing-resistant hardware keys (FIDO2) are much harder to defeat.
4. What is Multifactor Authentication (MFA)?
Multifactor authentication (MFA) is the general case: any authentication that requires two or more factors. 2FA is simply MFA with exactly two factors, whereas MFA is not limited to two. Each added factor is another obstacle an attacker must clear, which greatly reduces, though never eliminates, the risk of account takeover.
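The one-time passwords that authenticator apps produce, mentioned in the 2FA and MFA sections above, are defined by RFC 4226 (HOTP) and RFC 6238 (TOTP). The Python below is an added example written for this article, not Identity.com code: it implements both algorithms from the standard library, builds the otpauth enrollment URI an app scans, and shows the server-side check a practitioner should write, including the replay protection that stops a phished code from being used a second time. The verifier class, its drift window and the clock injection are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of whole time steps since the epoch."""
    return hotp(secret, int(at // step), digits)


def enrollment_uri(secret, account, issuer):
    """otpauth:// URI an authenticator app scans at enrollment (shared secret is base32)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits=6&period=30")


class TotpVerifier:
    """Server side of the second factor.

    Accepts one time step of clock drift either way, compares in constant time, and
    never accepts the same (or an older) time step twice, so a code captured by
    phishing or shoulder-surfing cannot be replayed after the legitimate login.
    """

    def __init__(self, secret, step=30, digits=6, drift=1, now=time.time):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.now = now                   # injectable clock for deterministic testing
        self.last_accepted_step = -1     # highest time step already consumed

    def verify(self, code):
        current = int(self.now() // self.step)
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_accepted_step:
                continue   # replay, or a step older than one already used: refuse
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_accepted_step = candidate
                return True
        return False
```

The shared secret must be generated from a cryptographic random source per user and stored encrypted on the server; the RFC test secret used in the checks below is public and only suitable for exercising the algorithm.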
5. Identity Governance and Administration (IGA)
A system like this reduces the risk of human error in identity and access management by automating identity management and access control processes from a central point. In an enterprise with hundreds of employees, manual processes easily lead to oversight and errors, and access-control errors are costly: they can give the wrong person access to sensitive data, leading to breaches, legal action and fines.
IGA exists to prevent this. It ensures that the right person gets the right access for the right reasons at the right time, and it helps companies comply with regulations such as CPRA, GDPR, PCI DSS, GLBA and NERC CIP. By automating provisioning across the IAM system it reduces both human error and the time spent manually assigning access to hundreds or thousands of staff, so new employees no longer wait days for the tools they need, a common consequence of manual allocation. The same automation covers the rest of the identity lifecycle: adjusting access when someone changes role, removing it promptly when they leave, and flagging accounts nobody owns.
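The core of the automation described above is a reconciliation loop: compute the access each identity should have from an authoritative source, compare it with what is actually granted, and emit the grants and revocations that close the gap. The Python below is an added example for this article, not Identity.com or any IGA product's code; the HR feed, entitlement names, role-to-entitlement mapping and separation-of-duties rule are all constructed assumptions.

```python
# Constructed role model (assumption): (department, title) -> entitlements that role should hold.
ROLE_ENTITLEMENTS = {
    ("engineering", "engineer"): {"vpn", "github", "ci"},
    ("finance", "analyst"): {"vpn", "erp-submit"},
    ("finance", "controller"): {"vpn", "erp-approve"},
}

# Separation-of-duties rules (assumption): no single account may hold both entitlements of a pair.
SOD_RULES = [
    ({"erp-submit", "erp-approve"}, "submits and approves payments"),
]


def desired_entitlements(record):
    """What the HR record says this person should have; leavers get nothing."""
    if record["status"] != "active":
        return set()
    return set(ROLE_ENTITLEMENTS.get((record["department"], record["title"]), set()))


def reconcile(hr_records, current_grants):
    """Joiner / mover / leaver reconciliation.

    hr_records: list of {"id", "department", "title", "status"} from the HR system.
    current_grants: {user_id: set(entitlements)} as currently provisioned.
    Returns the grants and revocations needed, accounts with no HR owner, and
    separation-of-duties violations present in the current state.
    """
    hr = {r["id"]: r for r in hr_records}
    plan = {"grant": [], "revoke": [], "orphaned": [], "sod_violations": []}
    for uid in sorted(set(hr) | set(current_grants)):
        have = set(current_grants.get(uid, set()))
        if uid not in hr:
            # Orphaned account: nobody in HR owns it, so it is revoked and reported for review.
            plan["orphaned"].append(uid)
            plan["revoke"] += [(uid, e) for e in sorted(have)]
            continue
        want = desired_entitlements(hr[uid])
        plan["grant"] += [(uid, e) for e in sorted(want - have)]    # joiner or mover gains
        plan["revoke"] += [(uid, e) for e in sorted(have - want)]   # mover or leaver loses
    # SoD is evaluated on the current state so existing violations surface for access certification.
    for uid, have in sorted(current_grants.items()):
        for pair, rule in SOD_RULES:
            if pair <= set(have):
                plan["sod_violations"].append((uid, rule))
    return plan
```

Run on a schedule or on HR events, the plan is what gets pushed to the directory and applications; the orphaned and SoD lists are what an access review should put in front of a human.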
6. What is Certificate-based Access Control (CBAC)?
This IAM tool uses a digital certificate for access control, that is, for authorization rather than only for login, which is where certificate-based authentication stops. A plain identity certificate issued by a trusted certificate authority or identity provider only carries claims and proof of identity. A CBAC certificate goes a step further and includes the holder's roles and the resources they may reach within the IAM system. For example, one cryptographically signed identity certificate contains:
- The name of the staff
- The staff’s public key
- The certificate expiration date
- The certificate serial number
- The issuer’s name and contact information
- The issuer’s digital signature
- Where to check the certificate's revocation status (a CRL distribution point or OCSP responder URL; the status itself is looked up at use time, not stored in the certificate)
- Any other identifying attributes the issuer chooses to include (such as an e-mail address), kept to the minimum necessary.
The second certificate carries everything in the first, plus the user's department, the applications they may use and the folders they may access. CBAC consumes the second certificate, whereas authentication needs only the first. One practical caveat: because roles are baked into the credential, every role change means reissuing it, so CBAC certificates should be short-lived or revocation must be checked on every use.
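To make the difference between the two credentials concrete (the identity-only credential of the certificate-based authentication section and the role-carrying credential of this section), here is an added example written for this article; it is not Identity.com code and not a real X.509 implementation. To stay within the Python standard library it substitutes an HMAC-SHA256 tag computed with an issuer key for the CA's asymmetric signature, and a small set of serial numbers for a CRL or OCSP answer; the claim names, serials and key are assumptions. What it does show faithfully is the order of checks a relying party must perform (signature, then validity window, then revocation) and why an attacker cannot simply add a resource to the claims.

```python
import base64
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-issuer-key-not-for-real-use"   # stands in for the CA's private key (assumption)
REVOKED_SERIALS = {"0x1f3a"}                              # stands in for a CRL / OCSP answer (constructed)


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims, key=ISSUER_KEY):
    """Issuer side: canonical JSON claims plus an HMAC-SHA256 tag over them."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(tag)


def verify(credential, now, key=ISSUER_KEY, revoked=REVOKED_SERIALS):
    """Relying-party side. Returns (claims, "ok") or (None, reason).

    The signature is checked before any claim is trusted, then the validity window,
    then revocation status (looked up, never read from the credential itself).
    """
    parts = credential.split(".")
    if len(parts) != 2:
        return None, "malformed"
    body, tag = b64url_decode(parts[0]), b64url_decode(parts[1])
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None, "bad signature"
    claims = json.loads(body)
    if not claims["not_before"] <= now < claims["not_after"]:
        return None, "outside validity period"
    if claims["serial"] in revoked:
        return None, "revoked"
    return claims, "ok"


def can_access(credential, resource, now):
    """CBAC: the authorization decision is read from the verified credential itself."""
    claims, _ = verify(credential, now)
    return claims is not None and resource in claims.get("resources", [])


def forge_extra_resource(credential, resource):
    """What an attacker without the issuer key can do: edit the claims and keep the old tag."""
    body_part, tag_part = credential.split(".")
    claims = json.loads(b64url_decode(body_part))
    claims.setdefault("resources", []).append(resource)
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url_encode(body) + "." + tag_part
```

With a real certificate the relying party would verify the CA's signature with the CA's public key and the holder's possession of the private key; the checks and their order are the same.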
7. What is Identity as a Service (IDaaS)?
Managing user identities in-house is tedious and needs substantial IT infrastructure. IDaaS is a cloud-based, subscription service that provides companies with secure identity and access management, relieving them of the cost, risk and staffing of building and running an on-premise identity infrastructure. Companies choose a tier to match the size of their organization.
8. Privileged Access Management (PAM)
In simple terms, PAM manages privileged users, implementing processes and policies that safeguard the system against abuse of authority. It prevents unauthorized use of the critical privileges within the company's IAM system. But who exactly is a privileged user?
Privileged users hold powerful controls and can directly reach sensitive user data: personally identifiable information (PII), financial information, health information, credit card information, and so on. Mishandling that data can jeopardize the company's entire operation, which is why this access must be tightly controlled. Examples of privileged users, also called "super users," include system administrators, system engineers and network engineers. Their accounts are crucial to running an IAM system at all. While the IAM system as a whole manages every user's account, PAM ensures that only the right users reach the right privileged accounts.
Tooling is put in place to monitor the resources, data and devices each privileged user touches. An administrator with device access can reach any employee's computer, the CEO's included, which is a huge risk if that authority is misused for selfish, harmful or corrupt ends. PAM addresses it by vaulting privileged credentials, granting elevated rights only when needed and for a limited time, and logging or recording every privileged session so that the relevant authorities can audit it. In summary, PAM monitors and manages critical access to all systems, applications, and data.
9. Identity and Access Analytics (IAA)
IAA gives an overview of user activity across the organization or the IAM system in order to detect irregularities and potential security threats. It applies data analysis to user identities, granted authorizations, events, and activity logs.
IAA gives deep insight into what happens in the system, including everything a user accesses, and keeps administrators informed of its state; it lets them detect, for example, when an account reaches parts of the system its role does not justify.
Data protection is a priority for IAM because it underpins compliance with industry regulations, and IAA makes that easier by giving real-time insight into user behavior and activity patterns. That insight, in turn, simplifies auditing and reporting.
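The Auditing and Reporting component and IAA both come down to running detection logic over the IAM audit trail. The Python below is an added example for this article, not Identity.com or any product's code: it parses a constructed JSON-lines audit log and applies three checks a practitioner would typically start with, namely repeated failed logins (credential guessing), an allowed access that the user's roles do not justify (a provisioning error or privilege abuse), and a privileged action outside business hours (a PAM review trigger). The log format, role map, thresholds and business-hours window are all assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an IAM audit trail in JSON-lines form (not real log data).
SAMPLE_LOG = """
{"ts": "2024-03-04T09:00:01+00:00", "user": "mallory", "event": "login", "outcome": "failure", "src": "203.0.113.9"}
{"ts": "2024-03-04T09:00:08+00:00", "user": "mallory", "event": "login", "outcome": "failure", "src": "203.0.113.9"}
{"ts": "2024-03-04T09:00:15+00:00", "user": "mallory", "event": "login", "outcome": "failure", "src": "203.0.113.9"}
{"ts": "2024-03-04T09:00:21+00:00", "user": "mallory", "event": "login", "outcome": "failure", "src": "203.0.113.9"}
{"ts": "2024-03-04T09:00:30+00:00", "user": "mallory", "event": "login", "outcome": "failure", "src": "203.0.113.9"}
{"ts": "2024-03-04T09:01:02+00:00", "user": "alice", "event": "login", "outcome": "success", "src": "198.51.100.4"}
{"ts": "2024-03-04T09:05:00+00:00", "user": "alice", "event": "access", "resource": "repo:write", "outcome": "allow"}
{"ts": "2024-03-04T09:06:00+00:00", "user": "bob", "event": "access", "resource": "audit-log:read", "outcome": "allow"}
{"ts": "2024-03-04T02:13:00+00:00", "user": "root-admin", "event": "privileged", "action": "user:manage", "outcome": "allow"}
"""

# Constructed role model (assumption) used to cross-check what the log says was allowed.
ROLE_PERMISSIONS = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "auditor": {"repo:read", "audit-log:read"},
    "admin": {"repo:read", "repo:write", "ci:run", "audit-log:read", "user:manage"},
}
USER_ROLES = {"alice": {"engineer"}, "bob": {"engineer"}, "root-admin": {"admin"}}

FAILED_LOGIN_THRESHOLD = 5                 # failures per user ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within this window
BUSINESS_HOURS = range(8, 18)               # UTC hours in which privileged work is expected


def parse(log_text):
    """One JSON object per line; timestamps become aware datetimes; output sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def analyze(events):
    findings = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures inside the window
    for event in events:
        user = event["user"]
        if event["event"] == "login" and event["outcome"] == "failure":
            window = recent_failures[user]
            window.append(event["ts"])
            while window and event["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) == FAILED_LOGIN_THRESHOLD:   # fires once, when the threshold is crossed
                findings.append({"type": "credential_guessing", "user": user, "src": event.get("src")})
        elif event["event"] == "access" and event["outcome"] == "allow":
            permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in USER_ROLES.get(user, set())))
            if event["resource"] not in permitted:
                findings.append({"type": "access_outside_role", "user": user, "resource": event["resource"]})
        elif event["event"] == "privileged" and event["ts"].hour not in BUSINESS_HOURS:
            findings.append({"type": "off_hours_privileged_action", "user": user, "action": event.get("action")})
    return findings


def run(log_text=SAMPLE_LOG):
    return analyze(parse(log_text))
```

The second check is the one that ties A&R back to authorization: the log records that access was allowed, and the analysis asks whether it should have been, which is exactly the evidence an access review or a regulator wants to see.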
Conclusion
The previous parts of this series have argued that IAM is not optional for organizations but a necessity with many benefits. More to the point, the tools and components listed in this article work together to form a functioning IAM system, one that secures the organization's data while giving the right individuals access to the right resources for the right reasons at the right time.
Identity.com
As a blockchain technology company building solutions in the identity management ecosystem, we know the impact and importance of IAM in an organization, which is why Identity.com contributes to this future through identity management systems and protocols. We are also a member of the World Wide Web Consortium (W3C), the standards body for the World Wide Web.
Identity.com helps many businesses give their customers a hassle-free identity verification process. It is an open-source ecosystem providing secure, on-chain identity verification; our solutions improve the user experience and reduce onboarding friction through reusable and interoperable gateway passes. Please get in touch or see our FAQs page for more on how we can help with identity verification and general KYC processes.