Modern identity and access management (IAM) is not just about the practice of creating identities in IT resources. IAM also encompasses the practice of ensuring, whenever possible, those identities are linked to and flow from a central identity provider.
Here, we’ll explain why centralized IAM is critical to organizational security and efficiency, how admins can use an IAM solution to provision users to all IT resources, and how they can take steps to automate that process.
Benefits of Central IAM
Central IAM helps IT admins avoid redundancy and sprawl that might lead to disparate identity stores in a number of servers, applications, and other resources.
For example, Harvard examined how to improve its IAM infrastructure and identified a number of drawbacks to its distributed approach. Staff found that a distributed (rather than centralized) approach led to diminished user productivity and experience, limited information sharing, avoidable administrative overhead, and a reduced security posture.
Beyond that, each point of authentication serves as a possible attack vector for an organization, so having tight control over each access point is critical to organizational security. As you’re selecting an IAM solution, these are the resources and considerations to keep in mind.
Considerations for User Resource Provisioning
Ideally, a central IAM solution should have the capability to provision users regardless of operating system — including Mac®, Windows®, and Linux® machines.
The most prevalent legacy directory solution, Microsoft® Active Directory® (AD), provisions users seamlessly to Windows machines, but it doesn’t have the same native capabilities for other operating systems. In organizations with heterogeneous environments, this becomes a challenge.
It might mean, for example, that a user has an Active Directory identity and a separate Mac identity, or that the admin has to purchase and manage a third-party solution to federate AD identities to Mac and other non-Windows systems. These approaches challenge the notion of central IAM, and they become more complex as users increasingly seek Mac machines in the enterprise.
Regardless of size, organizations likely have a suite of web applications. At the very least, they likely have an email client. Each of these apps requires the SAML protocol for authentication, which AD does not have native capability to support. A central IAM solution with native SAML capabilities, though, can ensure users leverage their core identities for email and other web applications.
An IAM solution capable of Just-in-Time provisioning allows admins to take SAML further and automate user account creation in SaaS apps, while SCIM provisioning allows admins to automate onboarding, offboarding, and syncing with those apps.
Some organizations maintain on-prem or other technical LDAP applications in addition to SAML applications, which means an LDAP-capable solution would also serve them well. Combined LDAP and SAML capabilities would ensure single sign-on for users in virtually all apps, which means their core identities are used for each.
In addition to authenticating users to a variety of applications, an IAM solution with RADIUS capabilities enables admins to provision the same core identity to WiFi networks and VPNs.
That way, users can enter their core credentials to access the company WiFi network — which is far more secure than an open network or shared credentials — as well as VPNs. VPNs are particularly useful for remote workers and those connecting to production servers, such as DevOps engineers.
4. Servers & Infrastructure
In addition to on-prem applications, an LDAP-capable solution would enable users to access Kubernetes and Docker systems, Samba file servers, and NAS appliances — as well as cloud-hosted resources in AWS®, GCP™, Azure®, and other Infrastructure-as-a-Service providers.
Although LDAP is no longer the core of IAM, it’s still an important component of a comprehensive strategy, especially as organizations “lift and shift” their LDAP apps to the cloud and invest in cloud infrastructure.
Once admins have determined how they will provision users to their IT resources, the next step is to automate those workflows as much as possible. Through the use of a central IdP, group permissions, and PowerShell and API automation tools, admins can reduce manual workflows and potentially even implement zero-touch deployment of machines.
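As an added illustration of the SCIM onboarding, offboarding and sync described earlier and of the automation step above (example code, not from the original article or any vendor's SDK): a reconciliation routine that diffs records from a hypothetical central directory against a SaaS app's SCIM `/Users` listing and emits the SCIM 2.0 request bodies to send. The `CentralUser` fields, the constructed sample data, and keying app users by `userName` are assumptions.

```python
from dataclasses import dataclass

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
@dataclass(frozen=True)
class CentralUser:  # hypothetical directory record; field names are assumptions
    username: str   # the single core identity created once in the IdP
    email: str
    active: bool    # False once the person is offboarded in the directory

def to_scim_user(user: CentralUser) -> dict:
    """Body for POST /Users (onboard) or PUT /Users/{id} (full replace)."""
    return {"schemas": [SCIM_USER_SCHEMA], "userName": user.username,
            "emails": [{"value": user.email, "primary": True}], "active": user.active}

def deactivate_patch() -> dict:
    """Body for PATCH /Users/{id}: offboard by setting active=false (account stays auditable)."""
    return {"schemas": [SCIM_PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def plan_sync(central: list, app_users: dict) -> list:
    """Diff the authoritative directory against the app's /Users listing (keyed by userName);
    return (action, userName, request body) tuples in the order they should be sent."""
    actions, seen = [], set()
    for u in central:
        seen.add(u.username)
        existing = app_users.get(u.username)
        if existing is None:
            if u.active:  # new hire not yet in the app
                actions.append(("create", u.username, to_scim_user(u)))
        elif not u.active and existing.get("active", True):
            actions.append(("deactivate", u.username, deactivate_patch()))
        elif u.active and (existing.get("emails") or [{}])[0].get("value") != u.email:
            actions.append(("update", u.username, to_scim_user(u)))
    # Accounts the app has but the directory does not never came from the core
    # identity; they are orphans and get deactivated rather than trusted.
    for name, existing in app_users.items():
        if name not in seen and existing.get("active", True):
            actions.append(("deactivate", name, deactivate_patch()))
    return actions

# Constructed sample data: three directory users and the app's current user list.
SAMPLE_CENTRAL = [CentralUser("jdoe", "jdoe@example.com", True),
                  CentralUser("asmith", "asmith@example.com", False),
                  CentralUser("bkim", "bkim@example.com", True)]
SAMPLE_APP_USERS = {
    "asmith": {"active": True, "emails": [{"value": "asmith@example.com", "primary": True}]},
    "bkim": {"active": True, "emails": [{"value": "bkim.old@example.com", "primary": True}]},
    "ghost": {"active": True, "emails": []},  # local account created outside the IdP
}
```

Running `plan_sync(SAMPLE_CENTRAL, SAMPLE_APP_USERS)` yields four actions: create jdoe, deactivate asmith, update bkim's email, and deactivate the orphaned ghost account.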
The ideal state is one in which admins create the user once in the central directory, and that identity propagates automatically to all the resources where it’s authorized. Learn more about how to provision and manage user identities from an authoritative directory that adapts to any IT environment and user base.