Identity and access management (IAM) may be the most important function IT performs. It’s how you ensure people have access to the resources they need to get their jobs done, while also keeping those same people (and the corporate digital assets they access) secure.
Done well, IAM means the mailroom clerk doesn’t have access to the company’s financial records, but your CFO does. Done poorly, it can be catastrophic for a company, depending on what kind of access that identity was given.
In an increasingly hybrid workplace, getting identity and access management right is more important to IT departments than ever before. Read on to learn everything you need to know about what IAM is, and how to architect an IAM system.
What is Identity and Access Management?
According to Gartner, “IAM is the security discipline that enables the right individuals to access the right resources at the right times and for the right reasons.” In other words, it’s a category of IT solutions that securely manages and connects users to IT resources like devices, applications, files, networks, and more using unique user profiles, called identities.
An identity can be configured for each unique user, giving them controlled access to things like WiFi and company servers, while restricting access for digital assets they don’t need to do their job.
You achieve IAM using core directory services platforms, which store and federate user identities to a wide variety of IT resources. Those resources also look to the core directory services database, called identity providers (IdPs), as the single source of truth for authenticating and authorizing user access. IdPs streamline the IAM process by giving IT teams a one-stop shop for device and user management.
Do You Need Identity Access Management?
Simply put, with hybrid workplaces and remote employees becoming the norm, not having an IAM strategy is no longer an option. With identity compromises as the number one cause of data breaches, IAM is also, perhaps, the number one security tool. Remote environments have forced companies’ overall IT strategy to move from network-based to people-based.
Today, IT’s main job is determining how best to protect remote workers’ identities while helping them securely access the resources they need to work. IAM drives that idea, because it’s all about individual, personal security.
A holistic cloud IAM platform includes directory services and single sign-on capabilities that connect users to their IT resources through Zero Trust principles, while giving IT significant control over identities. A modern IAM platform provides users with a single identity to remember and use, while giving IT admins the highest level of control and centralization.
While there are obvious initial benefits to IAM, it may not feel necessary for every enterprise, even though it is. Let’s get into some of the benefits and challenges to understand why all organizations can benefit from IAM.
Identity access management represents the perfect marriage of productivity, security, and access to best-in-class tools.
With IAM, employees use a predetermined “identity” to gain secure access to the IT resources they need to do their job. The primary benefit for these end users is that processes are streamlined and smooth, allowing them to quickly get access to new resources via a single set of credentials in order to get work done faster. They no longer have to remember (or worse, reuse) passwords for each resource they access, and the overall login experience is improved dramatically.
On the flipside, IAM gives IT one centralized place to control these assets from. Today’s IT admins have to be able to maintain visibility and control on Windows, Mac, and Linux endpoints, connect users to a large number of on-prem and web resources, and integrate with the cloud, all while maintaining data security.
SaaS-based IAM solutions such as next generation Identity-as-a-Service (IDaaS) give admins a unified control platform to manage all these factors in one place. An admin can login remotely to their IAM platform and provision or deprovision users, create or edit user identities, create policies for access and step-up authentication, and manage troubleshooting, all without leaving the application.
Cloud-based identity and access management solutions also increase data security and support compliance initiatives such as GDPR, PCI, and HIPAA. It’s reported that 60% of small to medium-sized enterprises (SMEs) go under within six months of a cyberattack, making security more critical than ever before. IAM gives IT admins the control to secure digital assets and protect their company from cyberattacks.
The newly diversified workplace with remote employees working on multiple platforms has complicated the IAM landscape.
In the past, IAM systems were easier to manage, because users needed only two or three resources to do their job, and the workplace was dominated by Windows systems which were all located on-prem. Users also came into a physical office where IT could control the network and overall environment.
IAM began to evolve as macOS and Linux gained popularity in the workplace as Windows alternatives. Then came Salesforce, Google Apps (aka Google Workspace), and other web applications that could replace on-prem, Windows-based applications.
On-prem file storage alternatives arrived after that, such as Samba File Servers and NAS appliances, or cloud storage solutions from vendors like Box™ or Dropbox™. Even the network itself evolved from a wired connection to wireless via Wi-Fi.
All of these changes have made IAM incredibly complex. Outdated, legacy solutions like Microsoft Active Directory (AD) are still the core identity management solution in most IT organizations, but AD isn’t designed to support non-Windows or cloud-based IT resources.
As a result, IT has to either manage non-Windows resources independently, or use third-party AD add-ons (e.g., web application SSO, directory extensions) that only add more complexity.
Thankfully, there are newer, cloud-based directories and modern IAM solutions that can easily replace an on-prem AD-based IAM program for a simpler, more comprehensive approach.
How to Implement IAM Systems
There are six components to the traditional identity and access management landscape, and while each is a separate topic, they build on one another to develop a holistic IAM strategy. Tying these systems together in a sequential order helps to avoid gaps in management, which can hinder security.
However, it’s important to note that more modern IAM providers have combined other aspects of IT administration, like device and network management, with the traditional components of IAM. These modern directory platforms provide a more complete solution that enables IT administrators to grant secure access and manage a single identity for virtually all IT resources.
1. Start with Directory Services
Let’s go back to the mailroom clerk and the accountant. Each has their own identity in an IT infrastructure. They both need access to certain resources in order to do their jobs, but for data security purposes, there are also resources they do not need access to.
A directory service takes care of this by storing a user’s credentials. Each time the mailroom clerk accesses an application, the directory service authenticates him/her to that application. On the IT admin side, the directory provides the means to organize identities into logical groups, which can then have policies including conditional access applied against them that govern access and distribute security configurations.
The directory also logs all of these interactions to ensure that compliance statutes are met. Since the directory of identities and resources underlies your entire infrastructure, we consider it the foundation of identity and access management.
2. Increase Functionality Using Directory Extensions
Once you’ve established a directory services strategy, you may find your current applications are archaic, and don’t have all the functionality you need to support a remote workforce. Directory extensions were created to fill in the gaps of conventional directory services.
Extensions add to the functionality of an existing directory, allowing it to connect to platforms, devices, and applications it otherwise couldn’t. Extensions also increase the functionality of directory services by integrating in-device management/MDM services, and controlling user access.
If you’re still working with hard-wired directory services, an extension may be the easiest first step to complete your IAM process. However, modern solutions like cloud directory platforms have revolutionized the directory industry, and offer a streamlined approach to managing access and controlling non-Windows-based IT resources, eliminating the need for extensions altogether.
3. Give the Right Level of Access with Privileged Access Management
IT infrastructure consists of many servers, networks, and other assets. While directory services connect users to these assets, privileged access management (PAM) determines what a user is allowed — or not allowed — to access within these higher value, more critical applications and IT systems.
The accountant and the mailroom clerk may both have access to the company’s financial system, for example, but PAM ensures the clerk can only see his own pay stubs, while the accountant may have administrative privileges in the same application.
As more critical infrastructure shifts to cloud-based Infrastructure-as-a-Service (IaaS) platforms, privileged access management is more important than ever. Secure access to the digital applications and underlying systems that run organizations is at the top of IT’s list of job functions.
4. Streamline Access to Web Apps with Single Sign-On (SSO)
Once you’ve developed your directory services and PAM approaches, you can shift gears to components that add security and convenience for both IT admins and end users. Single sign-on is one of them.
A single user likely needs access to a multitude of applications to work remotely, like Google Workspace, Microsoft 365, GitHub, Slack, Salesforce, or Dropbox, to name a few. Since you would need a different username and password for each application, this creates productivity and security challenges. This is why SSO solutions grew alongside the increase in web-based applications over the past two decades.
SSO connects one identity, managed by the underlying directory service, to the various web-based applications they need access to, instead of a user having to create multiple identities. From a users’ perspective, they only have to sign in to one application with a single username and password to get access to all their web-based applications.
For IT admins, single sign-on means fewer locked account requests/password resets from users who can’t remember all their various usernames and passwords. It also increases security by reducing the chances that users use weak passwords or reuse passwords across multiple accounts.
Perhaps the biggest boon on the IT admin’s side with modern SSO solutions is automated provisioning and deprovisioning of users, often referred to as User Lifecycle Management (ULM). In addition, top-tier SSO solutions are adding features such as conditional access and multi-factor authentication to improve security of the SSO implementation overall.
SSO is a part of IAM that increases convenience for users, lessens IT’s workload through automated provisioning/deprovisioning, and helps improve security for a remote environment.
5. Increase Convenience without Sacrificing Security Using Password Vaults
In this traditional approach to IAM, password vaults play an important role to further password security by making it easier for end users to leverage strong, complex passwords for virtually all of their IT resources.
Password vaults allow users to store their password credentials, making it easier to access the large number of applications they might need which aren’t able to leverage the SAML protocol for SSO. While SSO is designed exclusively for web applications that support SAML, password vaults can store and manage credentials for any kind of account, which can create a “faux” single sign-on experience that extends beyond web applications.
These vaults can also generate long, complex passwords that are much more secure, and users don’t have to remember them because they’re automatically provided at login by the password application. This approach requires them to remember a single password to access the many, which can be protected with multi-factor authentication to further secure access to these assets. Some solutions can even integrate password management and SSO into the directory.
By providing a safe place to store passwords and encouraging these more complicated credentials, vaults are a helpful tool in maintaining IAM security.
6. Fortify Login Processes with Multi-Factor Authentication (MFA)
The final element to IAM security–to make logins as secure as possible–is multi-factor authentication. MFA increases security by requiring additional information above and beyond a username and complex password in order to authenticate access.
Generally, MFA requires the user to input information they know (such as a username and password), and a second factor like something they have (like a smartphone or a YubiKey) or something they are (like a fingerprint or retina scan) in order to log in.
While a username and password may be easily compromised in a data leak or other cyber security breach, MFA is virtually incorruptible and can be easily implemented, making it one of the most critical components to securing IAM. With modern push technology, MFA has become even easier with just the tap of a button on a smartphone as the “second” factor.
Ultimately, IAM focuses on managing and protecting each access transaction by first managing and protecting the identity of the person enacting that transaction. The six-step approach above, developed over years as new solutions emerged, showcases the underlying strategy IAM advocates for:
- Minimizing the number of “identities” each user must use (and remember)
- Extending this core group of identities to as many IT resources as possible over secure channels
- Protecting each identity by forcing each access transaction to validate that the person using that identity is who they say they are, along with the entire transmission (device, network, application)
However, the layered approach above does not achieve the ideal IAM strategy: a single set of credentials, to access all IT resources. It also puts a heavy burden on IT admins to set up, maintain, and secure each “layer” of the strategy, which often involves the support of independent technologies, and must be tightly integrated to function.
The end user must still use multiple identities to do their job, which can frustrate and defeat the purpose of each layer of security and efficiency, while the IT admin is stretched and may not be able to maintain the entire system on their own.
The challenges outlined above have led the development of more modern solutions that consolidate all aspects of the traditional IAM strategy into a single platform. Often cloud-based to support end users no matter where they work, these directory platforms are able to provide the directory services that can create a single, secure identity; management services to extend that identity to applications, devices, networks, servers, and more; and security services that protect each access transaction using the principles of Zero Trust security.
Cloud Directory Platform: An Optimized IAM Solution
Remote and hybrid workplace models necessitate a new generation of technology that integrates with cloud-forward organizations. In the identity and access management market, this tech is called a Cloud Directory Platform.
A modern Cloud Directory Platform offers a modern, efficient, cloud-based approach to IAM by converging directory services, privileged account management, directory extension, web app SSO, and multi-factor authentication into one optimized SaaS-based solution.
A Cloud Directory Platform offers centralized identities instantly mapped to IT resources like devices, applications, and networks, regardless of platform, provider, location, or protocol. These IAM solutions leverage multiple protocols such as LDAP, RADIUS, SAML, and SCIM so IT organizations can seamlessly provision and deprovision, while users have secure, frictionless access to their resources.
JumpCloud Directory Platform: Modern IAM
If you’re interested in learning more about how to implement an IAM solution, drop us a note. We’d love to chat about how you can leverage JumpCloud’s Cloud Directory Platform, or try it yourself by signing up for a free account. Your first 10 users and 10 systems are free. If you have any questions, access our in-app chat 24×7 during the first 10 days and a customer success engineer will be there to help.