Identity and Access management (IAM)

What is an IAM role?

An IAM role is an IAM identity that you can create in your AWS account and give specific permissions. A role is similar to an IAM user in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. The difference is that a role has no long-term credentials of its own (no password, no access keys): a trusted principal, such as a user, an application or an AWS service, assumes the role and receives temporary credentials, and a second policy on the role, the trust policy, controls who is allowed to assume it.
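
As an added example (not code from the original page), the two documents that define an AWS role, a trust policy saying who may assume it and a permissions policy saying what it may then do, together with a small check for the two mistakes that most often make a role over-privileged: an overly broad principal in the trust policy (or a cross-account principal without an ExternalId condition, the usual guard against the confused-deputy problem) and wildcard actions or resources in the permissions policy. The account IDs, bucket name and ExternalId value are made up.

```python
"""Added example: an AWS IAM role as its trust and permissions policies, plus a
linter for over-broad trust and wildcard permissions. Account IDs, the bucket
name and the ExternalId value are placeholders invented for this example."""
import json

# Trust policy: WHO may assume the role. 222222222222 is a hypothetical partner
# account; the ExternalId condition stops a third party from being tricked into
# assuming this role on someone else's behalf.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Permissions policy: WHAT the role can do once assumed (read one bucket only).
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element to a list of principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for value in principal.values():
        out.extend(_as_list(value))
    return out


def _has_condition_key(statement, key):
    """True if any condition operator in the statement references `key`."""
    return any(key in operator for operator in statement.get("Condition", {}).values())


def trust_policy_findings(trust, own_account):
    """Problems in a trust policy: anyone-can-assume principals, and cross-account
    principals that are not pinned with an sts:ExternalId condition."""
    findings = []
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for principal in _principals(st):
            if principal == "*":
                findings.append("trust: Principal '*' lets any AWS principal assume the role")
            elif principal.startswith("arn:aws:iam::") and own_account not in principal:
                if not _has_condition_key(st, "sts:ExternalId"):
                    findings.append(f"trust: cross-account principal {principal} without sts:ExternalId condition")
    return findings


def permissions_findings(policy):
    """Flag wildcard actions or a '*' resource in any Allow statement."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"permissions: wildcard action in {actions}")
        if "*" in resources:
            findings.append("permissions: Resource '*' applies to every resource in the account")
    return findings


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print(trust_policy_findings(TRUST_POLICY, "111111111111") or "trust policy OK")
    print(permissions_findings(PERMISSIONS_POLICY) or "permissions policy OK")
```

The checks are deliberately narrow (they do not evaluate Deny statements, service principals or NotAction); they are the first two questions to ask of any role, not a full policy analyser.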

A simple example of IAM at work.

When a user enters login credentials, the identity is checked against a user store to verify that the entered credentials match the stored ones; this step is authentication, and the store should hold a salted password hash rather than the password itself. The system then decides what that verified identity may do; this step is authorization. For example, when a contributor logs into a content management system, they are allowed to post their work.
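
The login flow just described, as an added example that is not part of the original page. Authentication compares the submitted password against a salted PBKDF2 hash from a user store (constructed here as a dictionary) in constant time; authorization then asks whether the authenticated user's roles grant the requested action. The usernames, passwords, roles and permission names are invented for the example.

```python
"""Added example: authentication against a hashed-password user store, followed
by a separate role-based authorization check. All users, passwords, roles and
permission names are constructed sample data."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash; the plaintext password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store: username -> (salt, hash). In a real system these rows
# live in a database; here they are computed from sample passwords at import.
USER_STORE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

# Constructed RBAC model: role -> permitted actions, user -> roles.
ROLE_PERMISSIONS = {
    "contributor": {"post:create", "post:edit_own"},
    "editor": {"post:create", "post:edit_own", "post:edit_any", "post:publish"},
}
USER_ROLES = {"alice": {"contributor"}, "bob": {"editor"}}


def authenticate(username: str, password: str) -> bool:
    """True only if the user exists and the password matches its stored hash.
    hmac.compare_digest keeps the comparison time independent of where the
    first differing byte is."""
    record = USER_STORE.get(username)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a wrong password
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


def authorize(username: str, action: str) -> bool:
    """True if any role held by the user grants the action."""
    roles = USER_ROLES.get(username, set())
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def login_and_act(username: str, password: str, action: str) -> str:
    """Authenticate first; authorization is only evaluated for a verified identity."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action):
        return f"denied: {username} is not allowed to {action}"
    return f"ok: {username} performed {action}"


if __name__ == "__main__":
    print(login_and_act("alice", "correct horse battery staple", "post:create"))
    print(login_and_act("alice", "correct horse battery staple", "post:publish"))
    print(login_and_act("alice", "wrong password", "post:create"))
```

Note that the same "denied" message is returned for an unknown user and for a wrong password, and the dummy hash in the unknown-user branch keeps the timing similar, so the login endpoint does not reveal which usernames exist.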

What are the 4 components of IAM?

IAM components can be classified into four major categories: authentication, authorisation, user management, and a central user repository. Authentication is the component through which a user presents sufficient credentials to gain initial access to an application, a system or a particular resource; authorisation then determines what that authenticated user is permitted to do.

The top 7 identity and access management risks

An IAM system introduces risks of its own to the enterprise, but the consensus is that its benefits outweigh the drawbacks. Even so, a few risks must be considered when designing an IAM implementation and the processes that maintain it. These are some of the more common ones associated with IAM deployments:

  1. Centralized management creates a single, centralized target.
    As you centralize the management of usernames and authentication mechanisms, you create one much bigger and more valuable security target: whoever compromises the IAM platform controls every identity it manages. Great care must therefore be taken to secure the IAM platform itself, with network-based controls such as firewalls and intrusion prevention in front of it and a strict policy limiting who may administer it.
  2. Improper management of network/application/data access. Another potential misstep is the management of role-based access control (RBAC) within an organization. RBAC is a method admins use to bundle multiple users into groups based on their need to access similar resources. While access groups are a good way to reduce the number of access policies that must be created and maintained, many businesses lump too many users into a single group, so some users gain access to applications and services they do not need. At best, this leaves user access far less restrictive than it should be. At worst, it gives individual users combinations of rights that violate separation of duties, which can lead to access control compliance violations.
  3. Who forms access rules? IT vs. business leaders. While the IT department may have a fairly solid grasp on what type of access users, groups and departments need, getting input from business or department leaders in order to create the policy is highly recommended. Doing so can help zero in on who needs access to which corporate apps and data.
  4. Insufficient process automation. Access management has many moving parts. If repetitive processes are not automated, admins may fail to carry out certain steps within a reasonable time. User offboarding is a perfect example: without automation, employees who leave the company can keep working accounts and access to corporate resources long after their departure, which is a security threat in itself.
  5. Failing to plan for scalability. As businesses grow and technology needs change, IAM platforms must scale to meet new demands. In certain situations, IAM products or deployment methodologies can limit the level at which a platform can scale.
  6. Lack of management training. Identity and access management can consist of a complex set of processes, and automation, which streamlines the repetitive ones and reduces administrator overhead, adds complexity of its own. Admins must be trained to set up automation steps and to verify that they are functioning properly, because an error in an automated process can affect large numbers of users at once.
  7. Lack of scheduled access management auditing. As businesses pivot toward new goals and objectives, employees often need their access rules modified. Adding a policy that grants access to new apps or data is usually not a problem; revoking access to resources that are no longer required is where organizations commonly fail. If regularly scheduled audits are not performed, users and groups end up holding access to apps and data they no longer need.
Effective processes to protect against these types of IAM risks are essential. These include the necessary firewall and intrusion prevention system protections, as well as a strict access policy that significantly limits who can manage the platform. Proper training and regular communication with business/department leaders are also important steps toward keeping an IAM platform running smoothly, with processes that ensure employees receive exactly the access they require and nothing more.
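
One scheduled access review that catches three of the failure modes in the list above, as an added example that is not part of the original page: separation-of-duties conflicts created by over-broad groups (item 2), accounts of departed employees that were never offboarded (item 4), and entitlements that have gone unused long enough to revoke (item 7). The group names, entitlements, users, HR statuses and last-used dates are all constructed sample data; the 90-day staleness threshold and the conflict pair are assumptions of the example.

```python
"""Added example: a periodic access review over a constructed IdP snapshot, HR
feed and usage log. All names, dates and thresholds are invented sample data."""
from datetime import date, timedelta

# Constructed IdP snapshot: group -> entitlements it grants, user -> groups.
# "finance-all" is the kind of catch-all group the text warns about.
GROUP_ENTITLEMENTS = {
    "finance-all": {"ap:create_invoice", "ap:approve_payment", "erp:read"},
    "engineering": {"git:push", "ci:trigger"},
    "helpdesk": {"idp:reset_password"},
}
USER_GROUPS = {
    "carol": {"finance-all"},
    "dave": {"engineering"},
    "erin": {"engineering", "helpdesk"},
}
# Constructed HR feed: the source of truth for who still works here.
HR_STATUS = {"carol": "active", "dave": "terminated", "erin": "active"}
# Constructed usage log: (user, entitlement) -> date last exercised.
LAST_USED = {
    ("carol", "ap:create_invoice"): date(2024, 5, 2),
    ("carol", "ap:approve_payment"): date(2024, 5, 1),
    ("carol", "erp:read"): date(2023, 9, 12),
    ("dave", "git:push"): date(2024, 4, 20),
    ("erin", "git:push"): date(2024, 5, 3),
    ("erin", "ci:trigger"): date(2024, 5, 3),
}
# Entitlement pairs one person must never hold together (separation of duties).
SOD_CONFLICTS = [("ap:create_invoice", "ap:approve_payment")]
STALE_AFTER = timedelta(days=90)  # assumed review threshold


def effective_entitlements(user):
    """Union of everything the user's groups grant."""
    ents = set()
    for group in USER_GROUPS.get(user, set()):
        ents |= GROUP_ENTITLEMENTS.get(group, set())
    return ents


def review(today=date(2024, 5, 6)):
    """Return findings as (user, category, detail) tuples."""
    findings = []
    for user in USER_GROUPS:
        ents = effective_entitlements(user)
        # Item 4: a departed employee still holds access; nothing else matters
        # until the account is disabled, so skip the remaining checks.
        status = HR_STATUS.get(user, "unknown")
        if status != "active":
            findings.append((user, "offboarding", f"{status} but still in {sorted(USER_GROUPS[user])}"))
            continue
        # Item 2: conflicting duties granted through broad group membership.
        for first, second in SOD_CONFLICTS:
            if first in ents and second in ents:
                findings.append((user, "sod", f"holds both {first} and {second}"))
        # Item 7: entitlements never used, or not used within the threshold.
        for ent in sorted(ents):
            last = LAST_USED.get((user, ent))
            if last is None or today - last > STALE_AFTER:
                findings.append((user, "stale", f"{ent} unused since {last or 'never'}"))
    return findings


if __name__ == "__main__":
    for finding in review():
        print(finding)
```

Run against the sample data this reports four findings: carol holds both sides of the invoice/approval pair through "finance-all" and has not touched erp:read in months, dave is terminated but still a member of "engineering", and erin has never used the helpdesk right she was granted. Each one maps directly to a revocation or a group split, which is the point of running the review on a schedule rather than waiting for a complaint.
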