What is Identity and Access Management(IAM)?
IAM is the collection of technologies, processes and practices that regulate who is authenticated and able to sign in, and what resources or information that person is authorized and allowed to view. The internal workings of access management typically breakdown into a few different functions:
- Identity management: The creation and maintenance of digital identities within a given IT system using a set of useful characteristics.
- Access Management: The monitoring and management of how different user identities may access system data and resources.
- Authentication: Taking user-provided data to compare against identity characteristics to determine whether or not a user has access to your systems.
- Authorization: Assigning roles or other definitions to identities to determine who can access what resources for different purposes.
As we can see here, identity, authentication and authorization are different but related processes that fall under the umbrella of IAM. Breaking that down more granularly, we can see there are several tasks that IAM security accomplishes daily:
- The creation of digital identities with features that serve the interests of the system from an access, security or compliance perspective–including items like username, passwords, biometric data, and so forth.
- Identification of users through an sign-on process through user input, usually from a variety of sources. This can include entering a password to scanning a fingerprint or using a facial recognition scan.
- Defining user roles and groups to access system resources. Groups and roles allow for more broadly applied security and privacy controls that match different responsibilities in your organization.
- Access for specific identities or groups of users through a process of authorization.
- Disallowing access to private resources based on user role.
- Tracking and recording system events in an audit log to provide both a security and diagnostic tool for administrators as well as a record of compliance (if necessary).
With the evolution of cloud platforms and online applications, the notion of a “user role” has become a little more complicated. Employees and customers, for example, will often use a similar system, and many platforms will have tiered access for accounts that cover multiple services.
With this in mind, we can further break down the different kinds of identities that might be in place with a typical IAM solution:
- Workforce Identities: Typically, you’ll use access management to help create digital identities and roles for your workforce to properly access data they need to do their jobs–all while keeping them from accessing mission-critical data that isn’t part of their job description. Workforce identification is critical for compliance and data integrity and can protect your organization against security issues like insider threats or theft.
Workforce identities also play a role in integrating outside platforms for productivity or collaboration. Platforms like WordPress or Asana allow you to use many features with other workforce technologies, and a workforce identification and authorization can help manage user identities and access across both internal and third-party solutions.
- Customer Identity: Customer access isn’t just an extension of workforce access. If you have external applications, it is essential to have access controls in place to keep users isolated to the features they have access to and to prevent hackers from finding ways to elevate permissions or steal credentials. Additionally, customer management can also be used as a data gathering and insight tool by requiring users to provide in-depth information about their needs, preferences, shopping/use habits and more.
Why is IAM Necessary?
It’s one thing to say that having a solution in place is “useful” (as you will see here). More importantly, IAM is often necessary, if from nothing more than a security and customer protection standpoint. Most cybersecurity and risk management compliance frameworks will say that access control is incredibly useful because it not only provides security measures but also streamlines communication and data access inside and outside the organization. This is because
- IAM allows access to be determined by system-wide policies rather than piecemeal rules.
- IAM allows for automation across several levels of access and centralizes the update, upgrade or revocation of such access.
- IAM can centralize control over things like reporting, audits and documentation to guarantee compliance, particularly in rigorous frameworks like GDPR or those attached to healthcare or government and defense work.
What Are the Benefits of IAM?
Effective IAM streamlines authentication and authorization across a host of contexts, including web and mobile apps. It also functions as a key part of a zero-trust architecture. Instead of trusting your network perimeter, a zero-trust IAM can ensure user identity and access management on the level of the user, rather than a device location or device credentials.
Different Types of Technologies in Identity Access Management
With that in mind, several technologies play a role in both aspects of IAM:
- Single Sign-On (SSO): This scheme gives users the ability to log into several different systems with a single identity through a single portal.
- Multi-Factor Authentication (MFA): You can combine several different authentication types (passwords, biometrics, etc.) tied to a single identity to strengthen access management.
- OAuth: OAuth is an open and distributed authorization framework that allows users to enter credentials once to use multiple systems. Unlike SSO, however, OAuth generates authorization tokens based on the user identity. These tokens pass from one system to another and attest to your identity and authentication, which helps minimize security risks across distributed systems.
- OpenID Connect (OIDC): OIDC is an identity layer built on OAuth that expands identity management to a wide range of user experiences, including web and Java apps as well as mobile phone apps.
- Biometrics: Biometric markers like facial scans, fingerprints, voice recognition scans and even iris scans are becoming more accessible even for consumers and provide a secure way to augment traditional methods like passwords. These are especially useful for users with distributed mobile technology like laptops, phones and tablets.
These technologies are all part of the comprehensive practice of authenticating and protecting digital identities across several different types of authentication, including:
- Knowledge: Username and password combinations, PINs.
- Ownership: Security Tokens, One-Time Passwords (OTPs), authentication apps and devices.
- Inherence: Biometrics (fingerprints, iris scans, facial recognition).
How Can Enterprises Implement IAM?
Implementing IAM, like implementing almost any security and compliance tool, can be more than just an organization requirement. If you think about it as part of your overall business and security strategy, it quickly becomes clear that IAM can help shape workforce and IT priorities in positive ways.
That being said, there are several questions and best practices to consider when adopting and implementing an IAM solution:
- Make sure to take inventory of user contexts: Will your system share access with customers and clients? What outside security features (antivirus, firewalls, etc.) will impact access from remote locations? How will your internal access portals function as opposed to public-facing user access forms?
- Outline how your business goals are best supported by specific infrastructure: Most businesses are turning to the cloud, but that doesn’t mean that your decision-making is done. Determine if you’re looking for public or private cloud or on-prem vs. hybrid cloud environments. Also, how unique is your system? Can you work with an out-of-the-box tool, or do you need a custom solution?
- Understand the roadmap for compliance: Regulations in your industry will almost assuredly involve some form of IAM. This regulatory obligation will shape just how you adopt IAM and the kinds of identity management and authentication measures you may use.
- Streamline access without compromising security: Streamlining means paying attention to user experience–features like passwordless authentication, easy access through mobile devices and inclusion of compliant biometrics can make access easier for users and maintenance simpler for your IT department.
- Reduce shadow IT: Are your employees relying heavily on public, third-party apps? Your IAM strategy will have to consolidate access behind specific platforms, and, if necessary, integrate with third-party systems properly. That means enterprise accounts tied to work identities and no business data on public servers.
Secure, Passwordless IAM with 1Kosmos BlockID
IAM is quickly moving into new, more secure paradigms, including passwordless access and biometric authentication. 1Kosmos BlockID is the only standards-based and passwordless authentication identity platform that uses blockchain technology to create an indisputable identity for continuous authentication. This means secure, compliant IAM across multiple systems that contribute to, rather than hampers, user experience and productive IT management.
We accomplish this through a combination of innovative techniques and technologies:
One Unified Platform Protects Workers and Customers
1Kosmos BlockID is a cloud service that addresses both the workforce and the consumer/citizen needs to enroll, register, and authenticate securely and efficiently.
Our API-based architecture allows ready integration with existing applications and services with low risk and no disruption.
Distributed Ledger Provides High Security
1Kosmos BlockID reusable distributed digital identity is stored in a private immutable distributed ledger that is invulnerable to tampering and accessible only via private-public key pair under control of the owner.
We eliminate honeypots and keep PII out of reach from hackers. Only an owner can access their digital identity and determine what information is shared at each point of access via industry-certified APIs.
Standards Compliance For Interoperability, Risk Avoidance
The 1Kosmos BlockID platform is NIST 800.63.3 and FIDO2 certified and complies with a broad range of security standards supporting verification and portability.
We are certified to support up to identity Assertion Level 2 and Authentication Assurance Level 2 providing to eliminate identity blindspots and impostors from accessing services.
Cloud Deployment Enables Quick Set Up
1Kosmos BlockID supports Windows, Mac, Unix, SAML, OIDC, and oAuth and requires no custom components or firewall rule changes.
Our identity proofing and authentication solutions are enterprise-ready! They take only minutes to connect to any cloud service and are up and running in days.
Advanced Real Biometrics Detects Spoofs and Fakes
The 1Kosmos BlockID Liveness test verifies from a blink and a smile that a facial scan is from a living person versus a photo, video, or mask.
Our LiveID sets a higher bar for “what you are” per the NIST guidelines of IAL2 and in support of multi-factor authentication and industry mandates such as PSD2 and Strong Customer Authentication.
Learn more about 1Kosmos Passwordless Enterprise authentication. Also remember to sign up for our newsletter to stay abreast of 1Kosmos products, events and updates.