Modern-day security breaches like the SolarWinds or T-Mobile attacks are not one-off events; they are prime examples of how someone can steal your organization’s credentials and use them to gain illegitimate privileged access to sensitive assets. Data breaches happen daily, and in too many places at once to keep count. They remind us that, regardless of our information security investments, business-critical resources can be compromised if access is not protected.
Organizations depend on a variety of systems, applications and devices to run their operations, and users require access to these resources to do their jobs efficiently. Managing this can be a challenge, especially in large corporations with hundreds or thousands of users requiring personalized access. Identity and access management adds a layer of security by tracking, managing and securing the identities of individuals and their associated data. It helps keep track of who is who, so that people can access the information they are authorized to see and make the transactions they are permitted to make.
What is identity management?
Identity management is the process of managing user identities and access privileges in a centralized way. It involves recording and controlling identities within an organization and enforcing identity governance policies. Simply put, your online identity is the profile that identifies who you are when using a network, whereas your access refers to what permissions you have once you’re logged in. Together, they form an important part of how you interact with technology – it’s how computers know it’s really you attempting to log in instead of someone else.
Identity management in action
Through identity and access management (IAM), only specified users in an organization are allowed to access and handle sensitive information. Here are a few examples of identity management at work:
- Identity creation and maintenance: By creating automated workflows for scenarios like a new hire or a role transition, IAM centralizes the identity and access management life cycle of a company’s employees. This improves processing time for access and identity changes and reduces errors.
- Entitlement management: Life-cycle entitlements are assigned to individuals and their roles. For example, a production operator is able to view an online work procedure but may not be allowed to modify it. On the other hand, a supervisor will have the authority not only to view but to modify the file or create new ones.
- Identity proofing: Identity is at the core of a citizen’s everyday actions. Once the state has implemented a civil register, IAM enables governments to grant people the right to access their data (birth certificate, driver’s licence, etc.) and prove their identity.
A number of identity and access management systems use role-based access control (RBAC). Under this approach, there are predefined job roles with specific sets of access privileges. For instance, if an HR employee is put in charge of training, it makes little sense to also give them access to payroll and salary files. There are many other forms of automatic access control, each coming with a variety of features and technology.
Common features of identity management
Many different forms of identity management software exist on the market and there is no official definition of what they must and must not include. However, a couple of essential features stand out:
- Single sign-on (SSO): This is when users can access multiple applications and services from a single location, avoiding the need for different usernames and passwords.
- Two-factor authentication: This involves verifying someone’s identity not just with their username and password, but also with another piece of information like a PIN or a token.
Other features of identity management may include automatic provisioning of user accounts, password management, workflow, and compliance and audit services. In recent years, a new generation of identity management technologies has emerged, which focuses on ease of use in addition to security. Some examples are biometric authentication (such as fingerprints or facial recognition), multi-factor authentication (requiring several verification factors), and identity federation, whereby the responsibility for an individual’s or entity’s authentication is delegated to a trusted external party. SSO is an important aspect of federated ID management.
These key features of identity management are shared by nearly all of today’s identity management systems (IMS). An IMS is an online platform that helps organizations manage a range of identities in a secure and efficient manner. It integrates with various other systems within an organization, such as HR systems, e-commerce platforms and accounting software.
How does identity management work?
Broadly speaking, identity management systems perform three main tasks: identification, authentication and authorization. This enables the right people, depending on their job functions, to access the tools they need to perform their assigned duties – without granting them access to those they don’t need.
Identity and access – what’s the difference?
The terms “identity management” and “access management” are often used interchangeably, but they are two distinct concepts. The crucial difference is that identity management deals with user accounts (authentication) while access management deals with permissions and privileges (authorization).
Let’s take an example. When a user enters their login credentials, their identity is being checked against a database to verify if the entered credentials match the ones stored in the database – this is authentication. Once the user’s identity has been established, they are then granted access to the resources their account is cleared for – that’s authorization.
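The two steps described above, together with the RBAC job-role examples given earlier (the production operator who may only view a work procedure, the supervisor who may also modify and create, and the HR training employee who gets no payroll access), as an added worked example that is not part of the original article. The role table, user names and passwords are constructed for the demo; the password hashing uses PBKDF2 from the Python standard library.

```python
import hashlib
import hmac
import os

# Constructed role -> permission table, based on the article's own examples.
ROLE_PERMISSIONS = {
    "production_operator": {("work_procedure", "view")},
    "supervisor": {("work_procedure", "view"),
                   ("work_procedure", "modify"),
                   ("work_procedure", "create")},
    "hr_training": {("training_records", "view"), ("training_records", "modify")},
    "payroll_admin": {("payroll", "view"), ("payroll", "modify")},
}

def _hash_password(password, salt):
    # Salted, iterated hash so a stolen store does not directly reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_account(password, roles):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt),
            "roles": set(roles), "active": True}

# Constructed identity store (demo passwords only).
USERS = {
    "alice": make_account("operator-pw", {"production_operator"}),
    "bob": make_account("supervisor-pw", {"supervisor"}),
    "carol": make_account("hr-pw", {"hr_training"}),
}

def authenticate(username, password):
    """Identity management step: does the presented credential match the stored one?"""
    acct = USERS.get(username)
    if acct is None or not acct["active"]:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown accounts
        return False
    return hmac.compare_digest(_hash_password(password, acct["salt"]), acct["hash"])

def authorize(username, resource, action):
    """Access management step: is the action permitted by any of the user's roles?"""
    acct = USERS.get(username)
    if acct is None:
        return False
    return any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in acct["roles"])

def login_and_check(username, password, resource, action):
    if not authenticate(username, password):
        return "authentication failed"
    return "allowed" if authorize(username, resource, action) else "authorization denied"

def access_review():
    """Effective permissions per user, the input to a periodic access review."""
    return {u: set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in a["roles"]))
            for u, a in USERS.items()}
```

Note that a failed login and a denied action are reported separately; an audit log that records both distinguishes credential attacks from policy gaps.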
Identity management: what’s in it for you?
An identity management system is a valuable tool for protecting the information and resources of organizations of any size. It allows you to securely store user data and manage user access privileges, providing a secure and reliable way to keep your operations running smoothly.
The benefits of identity management include the following:
- Increased security: An IMS helps protect your organization from unauthorized access and theft of user data.
- Improved efficiency: With an IMS, you can efficiently manage user login procedures and track user activity across multiple platforms using a single set of credentials.
- Reduced processing time/cost: An IMS’s automated workflows allow you to easily manage and administer user accounts, saving time and money on administrative tasks.
- Enhanced compliance: With an IMS, you can easily ensure compliance with regulations and standards, such as GDPR and HIPAA (see below).
Deploying an identity management system
The implementation of a sound identity management solution does not guarantee complete security, but adopting the following principles can make you less vulnerable to breaches and attacks from malicious actors. Here are a few tips to consider:
- Implement strong authentication methods (such as multi-factor authentication) to reduce the risk of unauthorized access.
- Regularly review access control policies to ensure that only authorized users have access to sensitive information and resources.
- Monitor and audit access to sensitive information and resources to detect and prevent unauthorized access.
- Frequently update user accounts to ensure they remain relevant and accurate.
- Implement a password management solution to reduce the risk of password-related security incidents, such as password reuse or password theft.
What it means for compliance
If identity and access management processes are not effectively controlled, you may be in non-compliance with industry standards or government regulations. The world is moving towards stricter regulations and standards for identity management – such as the European GDPR (which requires explicit consent from users for data collection) and the NIST 800-63 Digital Identity Guidelines in the US (a roadmap for IAM best practices).
Several protocols exist to support strong IAM policies by securing data and ensuring its integrity during transfer. Generally known as “Authentication, Authorization, Accounting”, or AAA, these identity and access management protocols provide security standards to simplify access management, aid compliance and create a uniform system for managing interactions between users and systems.
Although ISO compliance is not a legal requirement, ISO standards naturally align with the regulations of various sectors. So complying with ISO/IEC 27001 for information security can prevent your organization from getting into legal trouble over crucial aspects of identity management. Based around segregation of duties and a “one user, one ID” policy, it demonstrates that your corporate information is appropriately controlled.
Related standards:
- ISO/IEC 27001 Information security management systems
- ISO/IEC 24760-1 IT security and privacy – A framework for identity management
- ISO/IEC 27018 Protection of personally identifiable information (PII) in public clouds acting as PII processors
Towards advanced identity management
Complex compliance and security requirements are putting organizations under pressure more than ever before to protect their information, and challenge conventional ways of managing users’ identities. Half a decade ago, passwords were as close as you would get to a digital identity. But modern approaches to authentication require more than just a password. The widespread adoption of cloud computing, whose scalability and flexibility make it an attractive proposition for most organizations, has placed a new layer of stress on information security.
Today, passwordless logins using biometrics or multi-factor authentication provide an alternative to traditional authentication – but that’s not enough. When it comes to securing data in multi-cloud environments, IT professionals view encryption as a critical security control. Storing identities on a blockchain has emerged as a solution that can provide immutable records of a given system without a centralized authority to manage them. As we contemplate our IAM future, it may not be long before blockchain-based identity systems become the norm for keeping a user’s data safe and secure.
Disclaimer: PECB has obtained permission to publish the articles written by ISO.