Identity and Access Management (IAM) is a framework of technologies, processes, and policies designed to grant individuals access to the company assets they are authorized to work on. It also enables security teams to manage and monitor access control across the enterprise, identify anomalies, and protect company assets from internal and external threats.
People in the IT world often confuse identity management with access management and use the two terms interchangeably. However, they are two separate concepts; the confusion arises because identity and access management frameworks usually combine both in a single product. It is necessary to understand how each aspect works before understanding how IAM platforms work.
Identity management is the technique of classifying users, groups, and devices in an enterprise network. The main objective of identity management is to classify network resources to enable administrators to apply roles and policies.
A typical way to identify network resources is to assign usernames and passwords. A username is a general identification tag, often known to other users, while the password is a secret known only to the owner. After successfully authenticating, the organization can be confident that a user is legitimate (assuming the account wasn’t compromised).
Additional identification methods include:
However, these approaches aren’t always secure. The latest, most secure identity management methods use sophisticated technologies like Blockchain to authenticate devices and entities.
After identifying the resources, the next step is to apply access control policies to each resource. Access management allows the IT admin to determine which users and entities within the network have access permissions that let them connect to specific resources. For instance, users in the finance department should have access permissions to financial data and systems like a payroll application, while users in other departments should not.
A common practice is to group several identities based on device type or business function in an approach called role-based access control (RBAC). RBAC applies the same access policy to all identities within a given group rather than creating new policies for each user. RBAC reduces the number of access policies required to manage user access in an IAM framework.
A typical IAM solution has the following main components:
User management involves creating and configuring roles. This defines what each group of users is allowed to access. User management maps roles and configurations to individuals and makes sure that:
Authentication confirms that users really are who they say they are. Traditionally, this was done using standard passwords. Today, passwords are considered an insecure authentication mechanism and are complemented, or completely replaced, by other authentication factors. Modern IAM solutions provide multi-factor authentication with advanced options that can prevent the compromise of credentials and accounts.
Once authentication succeeds, authorization takes over. IAM systems typically support static authorization in the form of role-based access control (RBAC) and dynamic authorization, which depends on context and environmental factors, using attribute-based access control (ABAC). Authorization enforces business policies to ensure only the right people have access to critical assets under the right conditions.
A user repository is the source of truth for identifying users. User configuration changes are stored here, along with other information to support single sign-on (SSO) and interoperability with other identity systems. Storing user data in a central location improves manageability.
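The following is an added example, not code from this page or from Pathlock, showing how the RBAC grouping described earlier and the static RBAC plus dynamic ABAC authorization described here fit together in a single policy decision point. The role catalogue, user-to-role assignments, and the ABAC rules (managed device, business hours, allowed countries) are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed role catalogue (hypothetical): each role bundles permissions.
# With RBAC the policy is written once per role, not once per user.
ROLE_PERMISSIONS = {
    "finance_analyst": {"payroll:read", "ledger:read"},
    "finance_admin": {"payroll:read", "payroll:write", "ledger:read", "ledger:write"},
    "engineer": {"repo:read", "repo:write"},
}

# Constructed user-to-role assignments, i.e. what "user management" maintains.
USER_ROLES = {
    "alice": {"finance_analyst"},
    "bob": {"finance_admin"},
    "carol": {"engineer"},
}


@dataclass(frozen=True)
class Context:
    """Environmental attributes evaluated by the ABAC rules (assumed set)."""
    hour: int             # local hour of the request, 0-23
    device_managed: bool  # request comes from a company-managed device
    country: str          # country code of the request's source location


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def effective_permissions(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def rbac_permits(user, permission):
    """Static check: does some role assigned to the user grant the permission?"""
    return permission in effective_permissions(user)


def abac_permits(permission, ctx):
    """Dynamic check on the request context (hypothetical rules)."""
    if permission.endswith(":write"):
        if not ctx.device_managed:
            return False, "writes require a managed device"
        if not 8 <= ctx.hour < 18:
            return False, "writes allowed only during business hours"
    if permission.startswith("payroll:") and ctx.country not in {"US", "GB"}:
        return False, "payroll data not accessible from this country"
    return True, "ok"


def authorize(user, permission, ctx):
    """Policy decision point: RBAC first (cheap, static), then ABAC (contextual)."""
    if not rbac_permits(user, permission):
        return Decision(False, "no assigned role grants this permission")
    ok, reason = abac_permits(permission, ctx)
    return Decision(ok, reason)


if __name__ == "__main__":
    office_hours = Context(hour=10, device_managed=True, country="US")
    late_night = Context(hour=22, device_managed=True, country="US")
    for user, perm, ctx in [("alice", "payroll:read", office_hours),
                            ("alice", "payroll:write", office_hours),
                            ("bob", "payroll:write", office_hours),
                            ("bob", "payroll:write", late_night),
                            ("carol", "payroll:read", office_hours)]:
        d = authorize(user, perm, ctx)
        print(f"{user:6} {perm:14} -> {'ALLOW' if d.allowed else 'DENY':5} ({d.reason})")
```

Evaluating RBAC before ABAC means a user with no role for a resource is denied without the context rules ever running, and the returned reason is what an audit record should carry so that a reviewer can tell a missing role apart from a blocked context.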
A key function of IAM systems is to enable monitoring, tracking, and reporting on user activity. The types of data and metrics that are monitored or audited include:
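As an added example, not from this page or from Pathlock, here is the kind of reporting that the monitoring function described above, and the behavior-based segregation-of-duties (SoD) detection mentioned later on the page, can run over an IAM system's audit trail. The audit records are constructed JSON lines with an assumed schema (`ts`, `user`, `perm`, `allowed`, `reason`); the thresholds, business hours, and conflicting permission pairs are assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit records, one JSON object per authorization decision.
# Users, permissions and timestamps are illustrative only.
AUDIT_LOG = """\
{"ts": "2024-03-04T09:12:01Z", "user": "alice", "perm": "payroll:read", "allowed": true, "reason": "ok"}
{"ts": "2024-03-04T09:15:44Z", "user": "alice", "perm": "payroll:write", "allowed": false, "reason": "no assigned role grants this permission"}
{"ts": "2024-03-04T09:16:02Z", "user": "alice", "perm": "ledger:write", "allowed": false, "reason": "no assigned role grants this permission"}
{"ts": "2024-03-04T09:16:30Z", "user": "alice", "perm": "payroll:write", "allowed": false, "reason": "no assigned role grants this permission"}
{"ts": "2024-03-04T23:40:10Z", "user": "bob", "perm": "payroll:read", "allowed": true, "reason": "ok"}
{"ts": "2024-03-04T10:05:00Z", "user": "carol", "perm": "repo:write", "allowed": true, "reason": "ok"}
{"ts": "2024-03-04T11:20:00Z", "user": "dave", "perm": "vendor:create", "allowed": true, "reason": "ok"}
{"ts": "2024-03-05T14:02:00Z", "user": "dave", "perm": "payment:approve", "allowed": true, "reason": "ok"}
"""


def parse_audit(text):
    """Parse JSON lines into dicts, adding a parsed UTC datetime under 'when'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["when"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def denial_counts(records):
    """Number of denied requests per user."""
    return Counter(r["user"] for r in records if not r["allowed"])


def flag_repeated_denials(records, threshold=3):
    """Users whose denials reach the threshold (possible probing or a broken role mapping)."""
    return sorted(u for u, n in denial_counts(records).items() if n >= threshold)


def off_hours_access(records, start_hour=8, end_hour=18, prefix="payroll:"):
    """Successful access to sensitive data outside the assumed business hours."""
    hits = []
    for r in records:
        in_hours = start_hour <= r["when"].hour < end_hour
        if r["allowed"] and r["perm"].startswith(prefix) and not in_hours:
            hits.append((r["user"], r["perm"], r["ts"]))
    return hits


def sod_violations(records, conflicting_pairs):
    """Users who actually exercised both halves of a conflicting permission pair."""
    used = defaultdict(set)
    for r in records:
        if r["allowed"]:
            used[r["user"]].add(r["perm"])
    found = []
    for user in sorted(used):
        for a, b in conflicting_pairs:
            if a in used[user] and b in used[user]:
                found.append((user, a, b))
    return found


if __name__ == "__main__":
    recs = parse_audit(AUDIT_LOG)
    print("repeated denials:", flag_repeated_denials(recs))
    print("off-hours sensitive access:", off_hours_access(recs))
    print("SoD violations:", sod_violations(recs, [("vendor:create", "payment:approve")]))
```

The SoD check here is usage-based: it reports a user who both created a vendor and approved a payment, which is a finding even when the role model permits both, and it is the kind of result that should feed a remediation step such as splitting the roles.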
The main benefits of IAM frameworks include:
The main drawbacks of IAM include:
Before deploying an IAM system, organizations must determine who will define, enforce, and monitor identity and access policies. Because IAM affects all departments and all types of users, including in-house employees, contractors, and customers, the IAM team should be in contact with all relevant stakeholders to understand their requirements.
An important framework for designing and implementing IAM is SP-010, created by Open Security Architecture (OSA). This framework defines how organizational roles interact with IAM components, as well as with systems that depend on IAM. In this framework, policy making and policy enforcement are kept separate because they are handled by different elements within the IAM framework.
Follow these steps to implement IAM in an enterprise environment:
The Pathlock Security Platform builds on existing Role-Based Access Controls (RBAC) to create a security layer based on the context of access, such as time, device, location, IP address, etc. Using Attribute-Based Access Control (ABAC), Pathlock allows you to restrict and/or mask user access to sensitive data at the page and field level inside your ERP applications. This gives security teams the controls they need to not only determine risk but also mitigate it across ERP applications.
Pathlock also enables you to monitor authorization usage in real time. The platform’s adaptive security provides a 360° view over authorization and behavior-based user activity to detect SoD violations while providing steps for remediation.
Schedule a demo with our security experts to find out how Pathlock’s adaptive security enhances data security and compliance within your ERP applications.