IAM Framework: 5 Key Components, Pros, and Cons
What Is an IAM Framework?
Identity and Access Management (IAM) is a framework of technologies, processes, and policies designed to grant individuals access to the company assets they are authorized to use. It also enables security teams to manage and monitor access control across the enterprise, identify anomalies, and protect company assets from internal and external threats.
How Does an Identity and Access Management Framework Work?
People in the IT world often confuse identity management with access management and use the terms interchangeably. They are two separate concepts; the confusion arises because identity and access management frameworks usually combine the two in a single product. It is necessary to understand how each works before understanding how IAM platforms work.
What is identity management?
Identity management is the technique of classifying users, groups, and devices in an enterprise network. The main objective of identity management is to classify network resources to enable administrators to apply roles and policies.
How to manage identities
A typical way to identify network resources is to assign usernames and passwords. A username is a general identification tag, often known to other users, while the password is a secret known only to the owner. After successfully authenticating, the organization can be confident that a user is legitimate (assuming the account wasn’t compromised).
Additional identification methods include:
- Classifying resources according to domain name system (DNS) names.
- Classifying resources based on IP addresses.
- Classifying resources based on media access control (MAC) addresses.
However, these approaches aren’t always secure. The latest, most secure identity management methods use sophisticated technologies like Blockchain to authenticate devices and entities.
Managing access to resources
After identifying the resources, the next step is to apply access control policies to each resource. Access management allows the IT admin to determine which users and entities within the network have the permissions that let them connect to specific resources. For instance, users in the finance department should have access to financial data and systems such as a payroll application; users in other departments should not.
A common practice is to group several identities based on device type or business function in an approach called role-based access control (RBAC). RBAC applies the same access policy to all identities within a given group rather than creating new policies for each user. RBAC reduces the number of access policies required to manage user access in an IAM framework.
5 Key Components of an IAM Framework
A typical IAM solution has the following main components:
1. User Management
User management involves creating and configuring roles. This defines what each group of users is allowed to access. User management maps roles and configurations to individuals and makes sure that:
- The correct roles are applied when a person joins the company.
- Roles are appropriately changed when a person changes jobs.
- Roles are deleted when a person leaves the company.
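The three lifecycle rules above (joiner, mover, leaver) are easy to state and easy to get wrong in practice; the classic failure is a "mover" who keeps the old job's roles on top of the new ones. The following is an added example, not code from the article or from any IAM product: a minimal user-management store that enforces each rule and reports drift between a user's actual roles and the profile for their job. The job profiles, role names and users are constructed for illustration.

```python
"""Added example: a small user-management store that applies the joiner,
mover and leaver rules and reports role drift. Profiles and users are
constructed; none of this comes from the article or a real product."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed mapping from job function to the roles that job should carry.
ROLE_PROFILES = {
    "finance-analyst": {"payroll-read", "ledger-read"},
    "finance-manager": {"payroll-read", "payroll-approve", "ledger-read"},
    "engineer": {"repo-write", "ci-run"},
}


@dataclass
class User:
    username: str
    job: str
    roles: set[str] = field(default_factory=set)
    active: bool = True


class UserDirectory:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def join(self, username: str, job: str) -> User:
        """Joiner: create the account with exactly the roles for the job."""
        if job not in ROLE_PROFILES:
            raise ValueError(f"unknown job profile: {job}")
        user = User(username, job, set(ROLE_PROFILES[job]))
        self.users[username] = user
        return user

    def move(self, username: str, new_job: str) -> User:
        """Mover: replace the role set. Adding the new job's roles on top of
        the old ones is the usual source of privilege creep."""
        user = self._active(username)
        if new_job not in ROLE_PROFILES:
            raise ValueError(f"unknown job profile: {new_job}")
        user.roles = set(ROLE_PROFILES[new_job])
        user.job = new_job
        return user

    def leave(self, username: str) -> User:
        """Leaver: strip every role and disable the account. The record is
        kept (disabled) so that old audit entries still resolve to a person."""
        user = self._active(username)
        user.roles.clear()
        user.active = False
        return user

    def _active(self, username: str) -> User:
        user = self.users.get(username)
        if user is None or not user.active:
            raise KeyError(f"no active user {username!r}")
        return user

    def drift_report(self) -> dict[str, list[str]]:
        """Roles that differ from the job profile, per active user. Any entry
        here is something an access review has to explain or remove."""
        return {
            u.username: sorted(u.roles ^ ROLE_PROFILES[u.job])
            for u in self.users.values()
            if u.active and u.roles != ROLE_PROFILES[u.job]
        }
```

Disabling rather than deleting the leaver's account is a deliberate choice in this example: audit records keep a resolvable owner, while the empty role set and inactive flag make the account unusable.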
2. Authentication
Authentication confirms that users really are who they say they are. Traditionally, this was done using standard passwords. Today passwords are considered an insecure authentication mechanism and are complemented, or completely replaced, by other authentication factors. Modern IAM solutions provide multi-factor authentication with advanced options that can prevent the compromise of credentials and accounts.
3. Authorization
Once authentication succeeds, authorization takes over. IAM systems typically support static authorization in the form of role-based access control (RBAC) and dynamic authorization that depends on context and environmental factors using attribute-based access control (ABAC). Authorization enforces business policies to ensure only the right people have access to critical assets under the right conditions.
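The RBAC grouping described under "Managing access to resources" and the static-plus-dynamic authorization described here combine naturally into a two-stage decision. The following is an added example, not the article's or any vendor's code: stage one is static RBAC (one permission set per role, so adding a finance user means assigning a role rather than writing a policy), and stage two is ABAC (conditions on the request context such as time of day, device state and source network). The roles, resources, users and attribute names are all constructed.

```python
"""Added example: a two-stage RBAC then ABAC authorization check.
Roles, permissions, users and context attributes are constructed for
illustration; this is not code from the article or from a real product."""
from datetime import datetime

# Stage 1, RBAC: one policy per role rather than per user (constructed).
ROLE_PERMISSIONS = {
    "finance": {("payroll", "read"), ("ledger", "read")},
    "finance-manager": {("payroll", "read"), ("payroll", "approve"), ("ledger", "read")},
    "engineering": {("repo", "write")},
}
USER_ROLES = {
    "alice": {"finance"},
    "bob": {"finance-manager"},
    "carol": {"engineering"},
}


# Stage 2, ABAC: each condition inspects the request context (constructed keys).
def business_hours(ctx):
    t = ctx["time"]
    return 8 <= t.hour < 18 and t.weekday() < 5


def managed_device(ctx):
    return bool(ctx.get("device_managed", False))


def corp_network(ctx):
    # Assumed corporate address space for the example only.
    return str(ctx.get("ip", "")).startswith("10.")


# Conditions attached to sensitive resources; a resource with no entry has none.
RESOURCE_CONDITIONS = {
    "payroll": [business_hours, managed_device, corp_network],
    "ledger": [managed_device],
}


def rbac_allows(user, resource, action):
    """Static check: does any role held by the user grant (resource, action)?"""
    return any(
        (resource, action) in ROLE_PERMISSIONS.get(role, set())
        for role in USER_ROLES.get(user, set())
    )


def authorize(user, resource, action, ctx):
    """Return (decision, reason). RBAC decides whether the user may ever
    perform the action; ABAC decides whether this particular request may.
    Conditions are evaluated in order and the first failure is reported."""
    if not rbac_allows(user, resource, action):
        return False, "no role grants this permission"
    for condition in RESOURCE_CONDITIONS.get(resource, []):
        if not condition(ctx):
            return False, f"context condition failed: {condition.__name__}"
    return True, "allowed"
```

A deny-by-default ordering matters here: the static check runs first, so a request that no role could ever permit is refused before any contextual attribute is consulted, and the reason string tells the reviewer which stage refused it.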
4. Central User Repository
A user repository is the source of truth for identifying users. User configuration changes are stored here, along with other information to support single sign-on (SSO) and interoperability with other identity systems. Storing user data in a central location improves manageability.
5. Monitoring and Auditing
A key function of IAM systems is to enable monitoring, tracking, and reporting on user activity. The types of data and metrics that are monitored or audited include:
- Password resets
- Orphan accounts
- Activity in privileged accounts
- Number of roles per account or user
- Privileges associated with application- and system-wide accounts
- Login failures
- Separation of duties (SoD) violations
- Activity by service accounts (non-human identities)
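Several of the items in this list are checks a security team can run directly against an identity store and its audit log. The following is an added example, not code from the article or from any product: a small audit pass over a constructed identity store and a constructed event log that reports orphan accounts (owner no longer in the HR source of truth), bursts of login failures, separation-of-duties violations (one identity holding both halves of a toxic role pair) and every action taken from a privileged account. The account names, role names, event format and thresholds are all assumptions made for the example.

```python
"""Added example: four IAM audit checks over constructed data. The identity
store, HR list, event log, toxic-pair rules and thresholds are invented for
illustration; none of it comes from the article or a real system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR view: people currently employed.
ACTIVE_PEOPLE = {"alice", "bob"}

# Constructed identity store: account -> roles. "svc-" marks service accounts,
# "admin-" marks shared administrative accounts; neither maps to one person.
ACCOUNTS = {
    "alice": {"vendor-create", "ledger-read"},
    "bob": {"payment-approve", "vendor-create"},   # holds both halves of a toxic pair
    "dave": {"ledger-read"},                        # not in HR any more: orphan
    "svc-backup": {"db-read"},
    "admin-root": {"iam-admin"},
}
PRIVILEGED_ROLES = {"iam-admin"}

# Separation-of-duties rules: no single identity should hold both roles in a pair.
TOXIC_PAIRS = [("vendor-create", "payment-approve")]

# Constructed audit log: (timestamp, account, event).
EVENTS = [
    (datetime(2024, 3, 5, 9, 0, 0), "alice", "login_ok"),
    (datetime(2024, 3, 5, 9, 1, 0), "dave", "login_fail"),
    (datetime(2024, 3, 5, 9, 1, 20), "dave", "login_fail"),
    (datetime(2024, 3, 5, 9, 1, 40), "dave", "login_fail"),
    (datetime(2024, 3, 5, 9, 2, 0), "dave", "login_fail"),
    (datetime(2024, 3, 5, 9, 2, 10), "dave", "login_fail"),
    (datetime(2024, 3, 5, 23, 30, 0), "admin-root", "role_grant:carol:iam-admin"),
    (datetime(2024, 3, 5, 2, 0, 0), "svc-backup", "login_ok"),
]


def orphan_accounts(accounts=ACCOUNTS, people=ACTIVE_PEOPLE):
    """Personal accounts whose owner no longer appears in the HR source of truth."""
    return sorted(
        acct for acct in accounts
        if not acct.startswith(("svc-", "admin-")) and acct not in people
    )


def sod_violations(accounts=ACCOUNTS, pairs=TOXIC_PAIRS):
    """(account, pair) for every account holding every role of a toxic pair."""
    return sorted(
        (acct, pair) for acct, roles in accounts.items()
        for pair in pairs if set(pair) <= roles
    )


def login_failure_bursts(events=EVENTS, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failed logins inside one sliding window."""
    failures = defaultdict(list)
    for ts, acct, event in sorted(events):
        if event == "login_fail":
            failures[acct].append(ts)
    flagged = []
    for acct, stamps in failures.items():
        for i in range(len(stamps)):
            j = i + threshold - 1
            if j < len(stamps) and stamps[j] - stamps[i] <= window:
                flagged.append(acct)
                break
    return sorted(flagged)


def privileged_activity(events=EVENTS, accounts=ACCOUNTS, privileged=PRIVILEGED_ROLES):
    """Every event generated by an account holding a privileged role. These are
    listed in full because each one should be reviewed, not merely counted."""
    return [
        (ts.isoformat(), acct, event) for ts, acct, event in sorted(events)
        if accounts.get(acct, set()) & privileged
    ]


def audit_report():
    """Bundle the four checks into one report suitable for a scheduled review."""
    return {
        "orphans": orphan_accounts(),
        "sod": sod_violations(),
        "login_bursts": login_failure_bursts(),
        "privileged": privileged_activity(),
    }
```

The orphan check in particular only works if the identity store is compared against an external source of truth (here the constructed HR list); an identity system cannot discover on its own that an account's owner has left.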
Benefits and Drawbacks of IAM Frameworks
The main benefits of IAM frameworks include:
- Clarifying and enforcing policies stating who can access privileged systems and information.
- Reducing the risk of external and internal security threats.
- Reducing the time and cost of securing access.
- Improving the ability of security teams to identify, investigate, and respond to unauthorized access.
- Improving agility by making it easy to apply new access policies and change policies.
- Improving user experience by enabling fast, self-service access to authorized resources.
The main drawbacks of IAM include:
- On-premises IAM solutions are expensive and difficult to implement (however, in the cloud, IAM is typically provided free by the cloud provider).
- IAM solutions do not prevent insider threats—if a trusted insider turns against the organization, they can abuse their IAM access to do damage.
- A central user store is a single point of failure and becomes a prime target for cyber attackers. If it is compromised, attackers have access to the entire enterprise.
Implementing IAM Framework in the Enterprise
Before deploying an IAM system, organizations must determine who will define, enforce, and monitor identity and access policies. Because IAM affects all departments and all types of users, including in-house employees, contractors, and customers, the IAM team should be in contact with all relevant stakeholders to understand their requirements.
An important framework for designing and implementing IAM is SP-010, created by Open Security Architecture (OSA). This framework defines how organizational roles interact with IAM components, as well as the systems that depend on IAM. In this framework, policy enforcement and policy making are kept separate because they are handled by different elements within the IAM framework.
Follow these steps to implement IAM in an enterprise environment:
- Create lists of applications, services, components, and other elements with which users need to interact. This can help you ensure that your usage assumptions are correct and select the required features in an IAM product or service.
- Identify access flows in your current environment, including cloud-based and on-premises applications.
- Identify federated access requirements; for example, there may be a need for single sign-on (SSO) or for sharing access and authorization data between applications, both inside and outside the organization.
- Identify required access control features, including MFA; privileged accounts; access for external contractors, customers, and service accounts; automated provisioning of user accounts; and required protocols or standards such as OAuth, SAML, or OIDC.
- Implement a solution gradually in the organization, starting with non-critical systems and transitioning to mission-critical environments.
- Monitor and evaluate the solution to see if IAM controls are effective and enable a feedback loop of continuous improvement.
IAM Framework with Pathlock
The Pathlock Security Platform builds on existing Role-Based Access Controls (RBAC) to create a security layer based on the context of access, such as time, device, location, IP address, etc. Using Attribute-Based Access Control (ABAC), Pathlock allows you to restrict and/or mask user access to sensitive data at the page and field level inside your ERP applications. This gives security teams the controls they need to not only determine risk but also mitigate it across ERP applications.
Pathlock also enables you to monitor authorization usage in real time. The platform’s adaptive security provides a 360° view over authorization and behavior-based user activity to detect SoD violations while providing steps for remediation.
Schedule a demo with our security experts to find out how Pathlock’s adaptive security enhances data security and compliance within your ERP applications.