Identity and Access Management: A Journey Through Time and Technology


The Flame of Security Has Burned for Millennia
While the term "Identity and Access Management" (IAM) may sound modern, the quest to protect valuable resources from unauthorized access stretches back through human history. From the early Pharaohs of Egypt safeguarding their treasures with traps and guards, to the digital age where firewalls and encryption are the weapons of defense, the need to ensure the security of data and systems is a constant.
The Evolution of IAM: From Simple to Complex
In the past, IAM was a relatively straightforward task. Identities were easily verified and access was controlled manually. With the advent of computing, access management became more complex. The first authentication tools, such as passwords and tokens, emerged, and access control systems began to develop.
The Digital Age and the Explosion of Challenges
The digital age, with its disruptive technologies like Cloud Computing, the Internet of Things, Big Data, and Artificial Intelligence, has brought new challenges to IAM. The amount of data to be protected has multiplied, identities have become more complex, and IT environments have expanded beyond the physical boundaries of companies.
The Need for Evolved Solutions
Traditional IAM tools, like passwords and tokens, are no longer sufficient to guarantee security in the digital age. A new type of solution is needed, one that can handle the complexity and dynamism of modern environments.
IAM 4.0: A New Approach to Security
IAM 4.0 emerges as a response to the challenges of the digital age. This new approach is based on four fundamental pillars:
User-Centric Identity: The user's identity becomes the center of the security strategy, focusing on user experience and ease of use.
Multi-Factor Authentication: Different authentication methods are combined to increase security and reduce the risk of fraud.
Adaptive Access: Access to resources is granted dynamically, based on the user's context and access needs.
Automation and Artificial Intelligence: Automation and artificial intelligence are used to optimize IAM processes and increase security efficiency.
1. Deciphering the Core Concepts
1.1 What is an Identity?
An identity is the digital representation of an entity (person, process, hardware) with a unique identifier and attributes that distinguish it among different resources. Examples of attributes include ID number, name, ID card number, social security number, email address, and other information specific to the entity.
1.2 Authoritative Sources
Every IAM system requires a data source with legitimate information to support decision-making and management of related entities. Examples include HR systems, which hold the identification information for all users on the network or infrastructure, and process or facilities registration systems, which identify entities such as hardware or processes within an organization.
1.3 Unique ID
A Unique ID is the identifier of an identity: it identifies that identity unambiguously and links it across resources. Some identity attributes can be used to create a Unique ID, such as a user's ID number, which can be formatted as FUN + ID number = FUN321. The result is a unique identifier for the identity.
2. Scope of Identity and Access Management
2.1 Identity Governance and Administration
This is arguably one of the most important aspects, as it enables the management, monitoring, and control of all identities within an organization, as well as their relationship with existing assets that handle, store, transport, and discard information.
This includes processes, systems, profiles, identities, responsibilities, workflows, people (employees, service providers, representatives or customers), assets, federated identities, information, organization and, especially, business rules. Each of these items has its own definition and role within an IAM system, but we will not discuss each of them in detail in this article, as it would take months to reach a consensus.
All of this information will be centralized and will benefit from the embedded intelligence of each market solution to help the organization achieve its goals, meet its vision, add value and enable new challenges.
2.2 Access Provisioning
Every organization, however basic, has an access management process, because people always need access to the organization's resources (physical or logical). This demand has to be controlled by identifying who accesses these resources, what they access, and when, where and how.
This is a major headache for the operational areas responsible for managing these accesses, mostly manually. The work is considered among the most tedious and voluminous, because the number of access assignments to manage grows as a product: Users x Systems x Profiles.
With an IAM system, this entire process is automated, allowing operational teams to focus on what really matters, leaving aside the activities of creating, changing, and removing user access, as well as blocking, unblocking, or resetting passwords.
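The automation described above, as an added example that is not part of the original article or of any IAM product: Unique IDs are derived from an HR extract (the authoritative source of section 1.2, in the FUN + ID number format of section 1.3), the access each active identity should hold is computed from a job-to-profile rule, and the result is compared with the accounts found in the target systems. The records, system names, profiles and the job-to-profile mapping are constructed assumptions.

```python
# Constructed sample data: records, systems and profiles are illustrative only.
HR_RECORDS = [  # authoritative source (section 1.2)
    {"id_number": "321", "status": "active", "job": "analyst"},
    {"id_number": "322", "status": "terminated", "job": "analyst"},
    {"id_number": "323", "status": "active", "job": "manager"},
]
# Assumed business rule: job function -> set of (system, profile)
JOB_PROFILES = {
    "analyst": {("erp", "read"), ("mail", "user")},
    "manager": {("erp", "approve"), ("mail", "user")},
}
# Accounts found in the target systems: (unique_id, system, profile)
ACTUAL = {
    ("FUN321", "erp", "read"),
    ("FUN322", "erp", "read"),
    ("FUN322", "mail", "user"),
    ("FUN323", "mail", "user"),
    ("FUN999", "erp", "approve"),  # no matching HR record
}

def unique_id(record, prefix="FUN"):
    """Build the Unique ID as prefix + ID number (FUN + 321 -> FUN321)."""
    return f"{prefix}{record['id_number']}"

def desired_state(hr_records, job_profiles):
    """Access every active identity should hold: Users x Systems x Profiles."""
    desired = set()
    for rec in hr_records:
        if rec["status"] != "active":
            continue  # leavers are entitled to nothing
        for system, profile in job_profiles.get(rec["job"], set()):
            desired.add((unique_id(rec), system, profile))
    return desired

def reconcile(hr_records, job_profiles, actual):
    """Compare desired and actual access and return the provisioning actions."""
    desired = desired_state(hr_records, job_profiles)
    known_ids = {unique_id(rec) for rec in hr_records}
    surplus = actual - desired
    return {
        "grant": sorted(desired - actual),
        "revoke": sorted(a for a in surplus if a[0] in known_ids),
        "orphaned": sorted(a for a in surplus if a[0] not in known_ids),
    }

if __name__ == "__main__":
    for action, items in reconcile(HR_RECORDS, JOB_PROFILES, ACTUAL).items():
        print(action, items)
```

The "orphaned" bucket is kept apart from "revoke" because an account whose Unique ID has no record in the authoritative source needs investigation, not just removal.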
2.3 Self-Service
It is important that the IAM system provides the user, who in most cases is a non-technical person, with a business view of the services that the solution delivers, creating a unique experience and delivering usability in the solution.
Self-service functions of an IAM system include access requests, registration of personal information, password reset requests, access removal requests, viewing the access one currently holds, and tracking one's own requests.
2.4 Authentication, Authorization, and Auditing
2.4.1 Authentication
Without a doubt, one of the most discussed concepts in today's connectivity is authentication, as all devices or entities connected to the network must be identified and their authenticity verified. Among all the concepts related to this item, perhaps the most sought after is SSO (Single Sign-On).
With SSO, a single authentication against a centralized database gives the user access to multiple systems, without having to enter credentials again.
There are several reasons for using this concept, and we can highlight some of the benefits of using IAM systems, which further support its use: Operational Efficiency, Risk Management, Password Synchronization and Identity Federation.
2.4.2 Authorization
Once the user has been identified by the credential and authenticated by the resource being accessed, access is authorized: the user is granted rights to the resources they are entitled to, according to an access model such as DAC (discretionary access control), MAC (mandatory access control), RBAC (role-based access control) or ABAC (attribute-based access control).
2.4.3 Auditing
Beyond the Tedious: Uncovering the Value of Auditing
Many may perceive auditing as a tedious process that merely highlights the shortcomings of an organization or the audited area. However, this perception is far from the truth! Auditing is a meticulous and structured analysis of the activities undertaken by a specific organization or department. Its primary objective is to ascertain whether these activities align with the previously planned and/or established objectives and to evaluate their efficiency and adherence to the organization's overall purpose.
In broader terms, auditing plays a crucial role in fostering the maturity of an organization and propelling it towards its objectives. You may be wondering how this fits into the IAM system. Since auditing involves requesting evidence to conduct evaluations, the audited area needs to provide the necessary information. As the party responsible for the access management process, which is manual in many cases, we encounter significant challenges in collecting all the evidence scattered across archaic spreadsheets and controls.
Revolutionizing Auditing with IAM Systems
With an IAM system, the entire auditing process becomes automated and is meticulously recorded through system logs. This enables customized queries to showcase controls, actions, activities, results, and everything related to the access management process. This empowers organizations to:
Effortlessly Gather Evidence: Say goodbye to the tedious manual collection of evidence. IAM systems automatically record all access-related activities, providing a comprehensive audit trail at your fingertips.
Conduct Granular Analysis: With detailed logs and customized queries, you can easily pinpoint specific events, users, or time periods for in-depth analysis, empowering you to uncover hidden insights and patterns.
Ensure Compliance: IAM systems can generate reports that demonstrate compliance with various regulations and standards, such as SOX, HIPAA, and PCI DSS, simplifying the auditing process and reducing the risk of non-compliance.
Drive Continuous Improvement: By identifying areas for improvement through auditing, organizations can make informed decisions to optimize their access management processes, bolstering security and efficiency.
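The kind of customized query over IAM logs described above, as an added example that is not part of the original article or of any product: one function filters events by subject, action and time window to pull evidence, and another flags grants that have no earlier approval or were approved only by the person receiving the access. The log rows, field layout, actor names and request IDs are constructed assumptions.

```python
from datetime import datetime

# Constructed sample IAM log; the field layout is an assumption, not a product schema.
FIELDS = ("ts", "actor", "action", "subject", "entitlement", "request_id")
LOG = [
    ("2024-03-01T09:00:00", "FUN321", "request", "FUN321", "erp:read", "R1"),
    ("2024-03-01T09:30:00", "FUN323", "approve", "FUN321", "erp:read", "R1"),
    ("2024-03-01T09:31:00", "iam-engine", "grant", "FUN321", "erp:read", "R1"),
    ("2024-03-02T14:00:00", "FUN323", "request", "FUN323", "erp:approve", "R2"),
    ("2024-03-02T14:01:00", "FUN323", "approve", "FUN323", "erp:approve", "R2"),
    ("2024-03-02T14:02:00", "iam-engine", "grant", "FUN323", "erp:approve", "R2"),
    ("2024-03-03T08:00:00", "admin01", "grant", "FUN322", "mail:user", None),
]

def parse(log):
    """Turn raw rows into dicts ordered by time."""
    events = [dict(zip(FIELDS, row)) for row in log]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])

def query(events, subject=None, action=None, start=None, end=None):
    """Granular evidence query: filter by subject, action and time window."""
    return [e for e in events
            if (subject is None or e["subject"] == subject)
            and (action is None or e["action"] == action)
            and (start is None or e["ts"] >= start)
            and (end is None or e["ts"] < end)]

def unapproved_grants(events):
    """Grants with no earlier approval, or approved only by the beneficiary."""
    findings = []
    for grant in query(events, action="grant"):
        approvals = [e for e in events
                     if e["action"] == "approve"
                     and grant["request_id"] is not None
                     and e["request_id"] == grant["request_id"]
                     and e["ts"] < grant["ts"]]
        if not approvals:
            reason = "no approval on record"
        elif all(a["actor"] == grant["subject"] for a in approvals):
            reason = "self-approved"
        else:
            continue
        findings.append((grant["subject"], grant["entitlement"], reason))
    return findings

if __name__ == "__main__":
    print(unapproved_grants(parse(LOG)))
```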
Conclusion
Navigating the ever-evolving landscape of identity and access management presents constant challenges. It is crucial to remain vigilant against emerging threats while ensuring that security measures do not hinder business operations but rather enhance usability, performance, and overall security posture.
Before implementing an IAM system, it is essential to conduct a thorough analysis of the organization's needs and vision. This will help determine whether an IAM system is truly necessary, as in many cases, organizations may only require updates to their existing processes to adequately manage access-related risks and ensure business continuity.
By carefully assessing the organization's requirements and ensuring that technology is leveraged to drive business growth, several critical factors come into play for the successful implementation of an identity and access management system.


Author: Tchule Ribeiro is a distinguished cybersecurity professional with more than two decades of experience in the information technology domain. He has carved out a niche for himself as a seasoned leader in both cybersecurity and infrastructure management. Throughout his extensive career, Ribeiro has traversed a variety of dynamic industries, making significant contributions particularly in the finance and civil engineering sectors. Moreover, his expertise has been instrumental in the pharmaceutical and construction fields. Ribeiro's academic background lays a robust foundation for his professional endeavors, commencing with a Bachelor of Science in Computer Science, followed by an MBA in Computer Network Project Management, and further enhanced by qualifications in network technology and electronics. A passionate advocate for continuous learning and collaboration, Ribeiro is always eager to engage in discussions related to cybersecurity and infrastructure management, seeking opportunities to share his comprehensive experience and insights.