What is Identity & Access Management (IAM)?
It is about your USERS (read: employees), their identities, and their respective access.
As you already know, when any user's credentials (user name, password) are compromised, a new gate opens for hackers to enter your company's network and attack your most valuable data and resources. Identity and Access Management (IAM) is one such tool, used by most companies to ward off attackers and to protect their data and people.
In a very simplistic way, you can say that IAM is a framework of security policies, processes, and technologies which enables your organization to manage the 'digital identities' of your users and to control their access to critical corporate information. It works by assigning your users 'specific roles' and ensuring they have the right level of access to corporate resources and networks, so that they can carry out their roles effectively. Thus, IAM improves the user experience and security at the same time.
The core idea of IAM is to assign one 'digital identity' to each individual or device. On the basis of this digital identity, it modifies and monitors access levels and privileges throughout each user's access life cycle.
An IAM platform is capable of verifying and authenticating individuals on the basis of their 'roles' and 'contextual information' such as geography, time of day, or (trusted) networks. It can capture and record the login events of all users. It allows you to assign access privileges to your users or to remove them, and if the privileges of any user change, it can monitor those changes too.
As I just said above, IAM is a great tool to build 'Role-Based Access Control' (RBAC), where roles are defined by job title, level of authority, and responsibility within your business. However, you may not be aware that these platforms are also capable of automatically de-provisioning the access rights of any user who departs from your organization or whose role changes within it. Thus they prevent many security risks.
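To make the RBAC and de-provisioning idea concrete, here is a small added example (my own illustration, not code from any IAM product): permissions hang off roles, never off individual users, so a role change or a departure revokes everything the old role carried in one step. Role names, users and permission strings are constructed sample data.

```python
# Added example: minimal RBAC with automatic de-provisioning on role change or
# departure. ROLES, users and permission names are constructed sample data.
from dataclasses import dataclass, field

# Each role bundles the permissions a job title needs (constructed).
ROLES = {
    "finance_analyst": {"read:ledger", "read:invoices"},
    "finance_manager": {"read:ledger", "read:invoices", "approve:payments"},
    "developer": {"read:repo", "write:repo"},
}

@dataclass
class Directory:
    # user -> role name (None once the user has left the organisation)
    assignments: dict = field(default_factory=dict)
    # audit trail of every grant/revoke, oldest first
    events: list = field(default_factory=list)

    def permissions(self, user):
        """Permissions are derived from the role, never stored per user."""
        role = self.assignments.get(user)
        return set(ROLES[role]) if role else set()

    def assign(self, user, role):
        """Move a user into a role; anything the new role lacks is revoked."""
        before = self.permissions(user)
        self.assignments[user] = role
        after = self.permissions(user)
        for p in sorted(before - after):
            self.events.append(("revoke", user, p))
        for p in sorted(after - before):
            self.events.append(("grant", user, p))
        return after

    def offboard(self, user):
        """Leaver: drop the role so every derived permission goes at once."""
        for p in sorted(self.permissions(user)):
            self.events.append(("revoke", user, p))
        self.assignments[user] = None
        return self.permissions(user)

    def can(self, user, permission):
        return permission in self.permissions(user)

if __name__ == "__main__":
    d = Directory()
    d.assign("alice", "finance_analyst")
    d.assign("alice", "finance_manager")   # promotion: gains approve:payments
    d.assign("alice", "developer")         # transfer: all finance rights revoked
    d.offboard("alice")                    # leaver: nothing left
    print(d.events)
```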
What Are The Key Components Of An IAM Platform?
1. Single Sign-On (SSO)
SSO is a form of access control which allows your users to be authenticated with multiple software applications or systems using just ONE LOGIN and one set of credentials. For this to happen, the application or site that your user attempts to access relies on a trusted third party to verify that the user is who they say they are.
2. Multi-Factor Authentication (MFA)
Multi-factor authentication verifies your user's identity by requiring them to present 'multiple credentials' drawn from different factors. For example: something the user knows (a password); something the user has (a one-time code sent to the user via email or SMS, generated by a hardware token, or produced by an authenticator application installed on the user's smartphone); and something the user is, such as their biometric information.
3. Privileged Access Management (PAM)
This component is extremely important for protecting those user accounts which require 'higher permission levels' to access critical corporate resources and administrator-level controls. The reason is that such accounts are typically high-value targets for cybercriminals and pose a high risk to your organization.
4. Risk-Based Authentication
This component enhances your security capabilities by assessing the RISK LEVEL of each login attempt by your users. Whenever a user attempts to log in to an application, this solution looks at 'contextual features' such as their current device, IP address, location, or network to assess their risk level. Based on that risk assessment, it decides whether to allow the user access to the application, prompt them for an additional authentication factor, or deny them access. This helps your company immediately identify potential security risks, gain deeper insight into user context, and increase security with additional authentication factors. Right!
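Here is an added example (my own toy policy, not code from any vendor) of how such a risk assessment can turn the contextual features above into an allow / step-up / deny decision. The per-user baseline, the signal weights and the two thresholds are constructed assumptions; a real product tunes them from its own telemetry.

```python
# Added example: toy risk-based authentication. BASELINE, WEIGHTS and the
# thresholds are constructed assumptions, not values from any real product.
import ipaddress

# Constructed per-user baseline: what "normal" looks like for this account.
BASELINE = {
    "alice": {
        "devices": {"laptop-7f3a"},
        "countries": {"IN"},
        "trusted_nets": [ipaddress.ip_network("10.0.0.0/8")],
    }
}

# Constructed weights: how much each anomalous signal raises the score.
WEIGHTS = {"unknown_device": 40, "new_country": 35,
           "untrusted_net": 15, "off_hours": 10}
STEP_UP_AT, DENY_AT = 30, 70   # <30 allow, 30-69 extra factor, 70+ deny

def risk_score(user, device, country, ip, hour):
    """Return (score, signals) for one login attempt."""
    base = BASELINE[user]
    signals = []
    if device not in base["devices"]:
        signals.append("unknown_device")
    if country not in base["countries"]:
        signals.append("new_country")
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in base["trusted_nets"]):
        signals.append("untrusted_net")
    if hour < 7 or hour > 20:   # outside a constructed 07:00-20:00 window
        signals.append("off_hours")
    return sum(WEIGHTS[s] for s in signals), signals

def decide(user, device, country, ip, hour):
    """Map the score to 'allow', 'step_up' (ask for another factor) or 'deny'."""
    score, signals = risk_score(user, device, country, ip, hour)
    if score >= DENY_AT:
        return "deny", score, signals
    if score >= STEP_UP_AT:
        return "step_up", score, signals
    return "allow", score, signals

if __name__ == "__main__":
    print(decide("alice", "laptop-7f3a", "IN", "10.1.2.3", 10))
    print(decide("alice", "phone-new", "IN", "10.1.2.3", 10))
    print(decide("alice", "phone-new", "US", "203.0.113.5", 2))
```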
5. Data Governance
An effective IAM solution offers you many great advantages. For example, it supplements your 'Data Governance' framework too. You know, Data Governance is a process that enables you to manage the availability, integrity, security, and usability of your data. This includes the use of 'data policies' and 'standards' around data usage to ensure that data is consistent, trustworthy, and does not get misused. Data governance can very well be a component of your IAM solution, as artificial intelligence and machine learning tools rely on businesses having quality data.
6. Federated Identity Management
It is an 'authentication-sharing' process whereby your organization can share 'digital identities' with trusted partners. This enables your users to use the services of multiple partners with the same account or credentials. Single sign-on, explained above, is an example of this process in practice.
7. Zero-Trust Framework
It is all about moving away from the traditional idea of trusting 'everyone' or 'everything' that is connected to your network or sits behind a firewall. An IAM solution is crucial in a ZERO-TRUST approach, as it allows your company to constantly assess and verify the people accessing its resources. I can't say that Zero Trust is a component of an IAM platform, but an IAM solution surely plays a vital role in the implementation of Zero Trust.
What is CIAM?
This is nothing but Customer Identity and Access Management...
It is also a very important part of your security framework, because it focuses on your customers. It ensures that your customers are allowed to access certain areas of your network or an application, and it manages their identification information within your system. With CIAM, you can analyze the behavior of your customers to discover ways to improve your services or applications.
Very much like IAM, it also helps you keep your network, systems, and applications safe while simultaneously providing the access your customers need to perform tasks essential to your business' success. In addition, CIAM addresses specific issues that have plagued organizations in the past. For example, CIAM combines 'back-end systems' that used to exist in silos into one solution. This gives your customers access to ALL THE SERVICES they have to engage with. Since CIAM keeps all these systems unified under a single umbrella, it reduces security risks for your organization.
Components such as user (read: customer) management, MFA, basic authentication, and SSO all come together. In this way, your customers can enjoy a single sign-on (SSO) experience without compromising their own security or that of your organization. Whether you realize it or not, the fact is that your customers too want convenience (a good user experience) and security from your service. CIAM shields your customer data by securing it with various access requirements. Further, CIAM puts customers in control of the information used to protect their data. If they need to make changes, they can do so, enhancing their security according to their comfort level. It builds their trust in your services.
CIAM also gives you the opportunity to examine the behavior of your customers as they interact with your applications. You can see which sections they access, when they gain access, and how much time they spend there. This is because a CIAM system can also incorporate a privileged access management (PAM) system that enables you to control where customers can go within an app or network. Their access information can be combined with your CRM system, allowing you to categorize customers according to their levels and types of engagement.
You can control various elements of the identity management process, including registering, providing identities to new customers, activating identities, and tracking, unlocking, deleting, resetting, and suspending them.
What is the difference between IAM and CIAM?
They may look the same in their operations, but they are not the same. IAM belongs to your (internal) users, whereas CIAM belongs to your (external) customers. Both use authentication mechanisms such as passwords, MFA, and SSO, yet they differ.
In real-life situations, IAM is relatively easier to implement and manage when it comes to securing the information of the users it grants access to. For example, if an employee has to log in to an area of your company's network, your IAM system only has to provide a structure for requiring a username, a password, and a biometric feature. Once the user is inside, they have access to the resources they need. IAM systems do not have to store much, if any, of the user's personal information.
But in the case of CIAM, your company's stakes are higher, because your customers frequently have payment information or sensitive personal data (PII) that needs to be stored within your system. This may range from credit card information to medical records to Social Security numbers. Therefore, a CIAM system must have more stringent security measures in place.
Since there are many regulations concerned with the protection of customer data, your CIAM needs to allow your customers the access they need, but it should prohibit all other people, including your admins, from accessing the sensitive information of your customers. The Centralized User Management console of CIAM tools can help you a great deal here.
This post is now reaching a very interesting point...
I wish to touch upon the topic of Privileged identity management (PIM) here.
What is PIM?
PIM gives you the ability to CONTROL, MANAGE, and MONITOR the 'access privileges' that your users have to crucial resources within your organization. These may include important files, user accounts, documentation, and even application code and infrastructure elements such as databases and security systems. With PIM, you can easily identify all the privileged accounts and all the privileged identities at the same time.
Think of the security concerns if your organization is using a virtual private network (VPN). Without adequate access procedures, there is no way to limit who can sign in to your network's VPN.
Without a PIM system in place, there is no way of knowing who has access privileges. They can be granted by a number of people, and tracking down who gave access, who received it, and why can be very challenging. For example, if some critical resource has been accessed by someone using a set of private credentials, then you cannot accurately ascribe that event to the exact identity of that someone. However, if you have PIM in place, you can always go back in time and see who had which privileges when. With PIM, you can watch who has gained access and monitor their behavior. This can be done as a way to investigate an incident, or in real time to observe how privileges are used. This is a valuable tool in ascertaining the source of a breach and investigating how to prevent further incidents.
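As an added illustration (my own sketch, not code from any PIM product), here is the kind of append-only privilege ledger that lets you "go back in time" as described above: every grant and revoke is recorded with who granted it, so for any point in time you can list a user's live privileges, everyone who held a given privilege, and whether an access event can be pinned on a single account at all. All ledger rows, names and privilege strings are constructed.

```python
# Added example: a tiny PIM-style privilege ledger with point-in-time replay.
# Every row is constructed sample data: (timestamp, action, grantor, grantee, privilege).
from datetime import datetime

LEDGER = [
    (datetime(2023, 3, 1, 9, 0),  "grant",  "it-admin", "bob",   "db:prod:write"),
    (datetime(2023, 3, 1, 9, 5),  "grant",  "it-admin", "carol", "db:prod:read"),
    (datetime(2023, 3, 2, 18, 0), "revoke", "it-admin", "bob",   "db:prod:write"),
    (datetime(2023, 3, 3, 8, 0),  "grant",  "dba-lead", "bob",   "db:prod:read"),
]

def privileges_at(ledger, user, when):
    """Replay the ledger up to `when`; return {privilege: who granted it}."""
    live = {}
    for ts, action, grantor, grantee, priv in sorted(ledger):
        if ts > when or grantee != user:
            continue
        if action == "grant":
            live[priv] = grantor
        elif action == "revoke":
            live.pop(priv, None)
    return live

def holders_at(ledger, priv, when):
    """Everyone who held `priv` at `when`: the candidate set for an access event."""
    users = {row[3] for row in ledger}
    return sorted(u for u in users if priv in privileges_at(ledger, u, when))

def attribute(ledger, priv, when):
    """Return the one account that could have used `priv` at `when`, or None
    when the privilege was shared and the event cannot be ascribed to one identity."""
    holders = holders_at(ledger, priv, when)
    return holders[0] if len(holders) == 1 else None

if __name__ == "__main__":
    t = datetime(2023, 3, 3, 9, 0)
    print(privileges_at(LEDGER, "bob", t))          # read granted by dba-lead
    print(holders_at(LEDGER, "db:prod:read", t))    # bob and carol both hold it
    print(attribute(LEDGER, "db:prod:read", t))     # None: shared privilege
```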
PIM vs PAM vs IAM
1. Identity and Access Management
2. Privileged Access Management
3. Privileged Identity Management
This terminology is damn confusing for everyone. Let's try to differentiate them...
First, IAM deals with assigning ROLES to entire user groups according to the departments within your organization.
Second, PAM is a system that manages the ACCOUNTS of those with elevated permissions.
Third, PIM deals with managing which resources those PEOPLE with the rights to alter critical files can access.
Kindly write your comments on the posts or topics, because when you do that you help me greatly in designing new quality articles/posts on cybersecurity.
You can also share with all of us if the information shared here helps you in some manner.
Life is short, so make the most of it!
Also take care of yourself and your beloved ones…
_____
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.
34,000+ professionals are following her on Facebook and are mesmerized by the quality of the content of her posts.