Five Considerations for Successful Identity and Access Management Architecture
In this article
The pillars of IAM
Architecting an effective Identity and Access Management (IAM) capability for the enterprise requires carefully balancing the organization's risk management requirements against the need to not overcomplicate the end-user experience. With the requirements imposed by diverse technologies like remote network access, public cloud infrastructure, software-as-a-service, Internet of Things and mobile devices, today's IAM often involves integration of multiple identity sources and tools leading to additional complication. Under these conditions, architecture requires a holistic approach that carefully selects processes and technologies that work well together. What might this architectural approach look like?
Effective IAM seeks to ensure that the right level of access is given to the right enterprise resources: the right people, in the right context and at the right time. Achieving this objective requires integration of processes and technologies around five important capabilities:
- Lifecycle and governance
- Federation, Single Sign-on (SSO) and Multi-factor Authentication (MFA)
- Network Access Control (NAC)
- Privileged Account Management (PAM)
Understanding these capabilities, and how they interact with each other, is a significant first step toward building an IAM strategy that effectively balances risk management and user experience.
Associating identity with entitlement – lifecycle and governance
Digital identities are the central source of truth for all IAM components. The people, processes and technologies that fit together to manage and govern these digital identities provide the foundation for effective IAM. Lifecycle refers to the policies, processes and technologies for provisioning, modification and de-provisioning of digital identities in an organization.
Governance is responsible for establishing the requirements for identities and assuring their reliability in line with the business objectives and risk landscape of the organization. Together, lifecycle and governance provide a foundation for all other IAM components by defining digital identities and specifying how they must be managed.
Establishment of an IAM governance council, made up of stakeholders responsible for creating IAM policies for the organization, is often the first step of setting up an IAM program. To be effective, this council must be broad enough to exert authority throughout the organization. It also must be authorized to establish policies that mitigate risk while being highly visible throughout the organization. Simple executive sponsorship may not be enough.
Such policies affect each of the other four components of IAM. They define requirements for authentication and authorization, including privileged authentication throughout the enterprise. They embody the organization's risk tolerance in the application of NAC and encryption. As such, lifecycle and governance are a critical starting point for the development of a comprehensive IAM program.
Verifying identity – federation, Single Sign-on (SSO) and Multi-factor Authentication (MFA)
Assuring that users who access enterprise resources are who they say they are is one of the primary functions of IAM. With the proliferation of applications and services on premise and in the cloud, users must keep up with an ever-growing number of identities and access credentials.
This can create a significant security risk as users tend to adopt insecure methods for keeping track of credentials (e.g. unencrypted document on devices, handwritten Post-It notes on monitors, etc.) A compromise of credentials represents one of the most common causes of cybersecurity breaches today. Tools such as federation, SSO and MFA allow organizations to reduce this risk while simplifying user interaction.
Federation refers to establishing trust between identity providers to allow a user or system to authenticate to one domain and seamlessly access other trusted domains without re-authenticating. It can allow for authentication across different organizations with an extension of trust. It can also prevent having to manage (and have users keep track of) duplicate identities. At the same time, federation comes with risks of its own. For example, when federation extends trust between organizations, it can potentially expose sensitive information [AP3] across organization boundaries.
SSO goes a step further than federation. It relies upon an application to provide a single, uniform identity that can be used for authentication and authorization across multiple systems. Organizations rely upon SSO technologies to unify the process of authenticating to enterprise resources whether they reside on premise, in the cloud, or are provided as a service. SSO reduces risk by providing users with a single set of credentials and by providing a central place where authentication and authorization can be tracked.
MFA helps to mitigate identity risk by requiring additional authentication methods combined with credentials for authentication. Selection of an MFA technology requires striking a balance between the level of risk mitigation required and the level of burden placed upon users.
Controlling access to the enterprise edge – Network Access Control (NAC)
NAC provides access management by requiring authentication and authorization before allowing access to the network. It provides granular visibility into who is on the network and their associated devices. Through a function called posturing, it can allow visibility and control into what kind of device is connecting and how that device is configured.
NAC "puts the teeth" into IAM by acting as a crucial control point at the edge of the enterprise. It controls the logical networks a device can access, can quarantine devices and can "kick them off" the network. NAC can interact with other elements of the network and security architecture to apply access control lists, integrate with unified threat management, and provide APIs that connect with other products for automation and orchestration.
Enforcing principle of least privilege – Privileged Access Management (PAM)
A fourth significant component of IAM is Privileged Access Management (PAM), or controls on privileged access to applications, networks and systems. System and user accounts are the basic unit of enforcement in PAM. As a best practice, accounts are assigned as granularly as possible to control and track access to resources in the enterprise.
Effective PAM aligns closely with the separation of duties within an organization. User accounts get only as much access to technology resources as they need for completion of the tasks associated with their purpose. System administrators or users with administrative functions are added to roles that extend their privileges or use secondary accounts with administrative privileges to perform functions. Non-user accounts called "service accounts" are used for resource-to-resource communications such as API calls.
PAM connects closely with the other elements of IAM. Governance is needed to develop policies that define the access to be provided, align the deployed controls with the risks and ensure consistency across the enterprise. SSO and NAC work together with PAM to remove gaps that could allow unauthorized escalation of privileges and to ensure that user experience does not become unnecessarily tedious.
Protecting data at rest and in transit – encryption
Encryption is the fifth critical pillar of IAM. While NAC establishes boundaries that prevent unauthorized connections, encryption protects access to data and communications regardless of where they reside. This can include data in transit and data at rest inside or outside of the traditional network perimeter. In this way, encryption supports holistic IAM architecture by adding a tool to the architect's IAM toolbox – placing controls on data and communications that would otherwise be difficult to protect.
Holistic IAM architecture also provides answers to several of the most significant challenges in securely deploying encryption. Encryption of data-at-rest only really applies when the unauthorized user does not have sufficient permissions to access the data in the first place. Effective governance must ensure that access privileges are not granted too broadly. PAM ensures that unauthorized users cannot escalate their privileges to decrypt the data. Likewise, holistic architecture is needed to protect encryption's Achilles' heel: key management. Effective PAM is the only way to ensure that private keys remain accessible only when needed for administration purposes.
With the critical role identity plays within an organization, thinking holistically about IAM architecture is necessary to secure the enterprise. Each of the five pillars covered above should be considered with capability gaps and overlaps identified. With our holistic methodology and our broad range of subject-matter expertise, we can help you through your IAM journey. Leave a comment below or connect with me directly to get started today.