An Overview of Identity and Access Management (IAM) and its Basic Hygiene


  • What’s an IAM?
    • In security solutions there is no silver bullet to defend critical assets: a layered defence is needed to keep adversaries at bay. One of the defence mechanisms an organisation needs to include in its front-door arsenal is an Identity & Access Management (IAM) solution. IAM is best described by the NCSC as follows:

Identity and access management refers to the collection of policies, processes and systems which support binding an individual (or in some cases a system) to a set of permissions within your system.


So, simplistically, an application user’s or system’s identity is created and managed via the Identity Management (IDM) component (i.e., a user directory etc.), whereas the user’s access/permissions are managed via the Policy Management component (viz., mapping users/systems to the appropriate IAM user role/group).

  • Who manages the user identities & access control?
    • Depending on the organisation’s strategy, user identities are either managed by the organisation itself, acting as the Identity Provider (IdP), or the organisation relies on trusted 3rd parties (viz., Facebook, Google, Instagram etc.) to authenticate that the user is who they claim to be. Once the user is authenticated, the Relying Party (i.e., the organisation) controls Access Management as per its own policies and procedures.

  • Why rely on someone else for identity assurance?
    • In financial services and other mission-critical industries the IDM aspect is managed internally, so the organisation stays in control of its risks; however, this approach comes with the challenge of keeping up with the ever-changing landscape of authentication methods (fingerprint, iris, behavioural biometrics etc.). A few trusted 3rd parties use cutting-edge technologies to manage user identities and have created a market for themselves by providing Authentication as a Service (AaaS) capabilities. Once an organisation adopts this AaaS model, it provides modules/interfaces on its public-facing web applications for authentication and thereby federates identity management to the trusted 3rd parties.
      • Below is the logical architecture supporting the above scenario: the application owner (the service-providing organisation) acts as an IdP while also leveraging trusted 3rd parties for authentication (where it does not manage the user identities, i.e., Federated Identity Management).

Figure: IAM - Logical-Arch.001 (logical architecture diagram)

  • Basic hygiene around this specific scenario of IAM implementation:
    • Access Management: The access/permissions assigned to a user/system need to adhere to one of security’s golden principles, the principle of least privilege, ensuring that only the level of access/permission required to perform their functions/duties is assigned to a user/system. The application owner (SP) needs to manage any risks around access management.
    • User Management: There is a risk of user account misuse, and hence the IDM owner needs to ensure that the right processes are followed around user management (JML – joiners/movers/leavers), so that access is granted on joining, adjusted on moving and revoked on leaving.
    • Privileged Access Management: For operational reasons an organisation’s IT team needs to access applications and systems, and the organisation needs to ensure that access to the critical assets/data used for operational purposes (i.e., the management plane) is managed correctly through control policies and processes. This implies applying stronger authentication (preferably MFA) and ensuring that only the correct systems/devices are used to perform these privileged activities.
    • Audit/Logging/Monitoring/Alerting (ALMA): If there is any way to get feedback on the IAM solution, then ALMA is “the most critical aspect”, as it keeps a check on the effectiveness of the controls and procedures put in place.
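The four hygiene points above can be read as one access-decision flow: deny by default unless a role grants the action (least privilege), refuse deactivated leavers (JML), require MFA and an approved device for management-plane actions (PAM), and record every decision for monitoring (ALMA). The toy model below is an added illustration, not code from the original post or any IAM product; the role names, the set of privileged actions and the approved device ids are invented sample values.

```python
from dataclasses import dataclass

# Assumed, illustrative values (not from the original post): role names,
# the set of management-plane actions and the approved admin device ids.
ROLE_PERMISSIONS = {                      # policy management: role -> permissions
    "customer": {"account:read", "payment:create"},
    "support": {"account:read"},
    "sysadmin": {"account:read", "config:write", "user:delete"},
}
PRIVILEGED_ACTIONS = {"config:write", "user:delete"}   # management plane
APPROVED_ADMIN_DEVICES = {"paw-01", "paw-02"}          # constructed sample


@dataclass
class User:
    name: str
    roles: set
    active: bool = True        # False once the leaver step of JML has run
    mfa_passed: bool = False   # did this session complete MFA?
    device_id: str = ""        # device the request came from


def authorize(user: User, action: str, audit: list) -> bool:
    """Apply the hygiene checks in order; always append an audit record."""
    if not user.active:
        result = "deny: account deactivated"            # user management (JML)
    elif not any(action in ROLE_PERMISSIONS.get(r, ()) for r in user.roles):
        result = "deny: no role grants action"          # least privilege, deny by default
    elif action in PRIVILEGED_ACTIONS and not user.mfa_passed:
        result = "deny: MFA required for privileged action"        # PAM
    elif action in PRIVILEGED_ACTIONS and user.device_id not in APPROVED_ADMIN_DEVICES:
        result = "deny: unapproved device for privileged action"   # PAM
    else:
        result = "allow"
    # ALMA: every decision, allowed or denied, is recorded for monitoring/alerting.
    audit.append({"user": user.name, "action": action, "result": result})
    return result == "allow"


def offboard(user: User) -> None:
    """Leaver step of JML: deactivate the identity and strip all role memberships."""
    user.active = False
    user.roles.clear()


def denied_privileged_attempts(audit: list) -> list:
    """Monitoring query: denied attempts at management-plane actions, worth alerting on."""
    return [r for r in audit if r["action"] in PRIVILEGED_ACTIONS and r["result"] != "allow"]
```

Running a support user, then a sysadmin without MFA, on an unapproved device, and finally after offboarding, leaves an audit trail in which the repeated denied privileged attempts are exactly what a monitoring rule would alert on.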

Conclusion:

Various organisations are implementing IAM solutions in phases for regulatory and compliance reasons, and there is an inevitable risk of getting things wrong under stringent timelines. Here at CyberVyber our experienced CyberNinjas perform a Security Assessment of your implementation and help you deliver high-quality software.

So get in touch for a quick assessment of your IAM implementation!


