The Components of IAM
Written by Paul Mezzera, Ravi Erukulla, and Ramesh Gupta of the CSA IAM Working Group.
As alluded to previously, IAM is a set of tools that implement a number of use cases. If broken down into access management and identity administration (and governance), there are several subcomponents that are important to understand.
Access management (AM) is known as the 'runtime' or 'time of access' component of IAM, where digital identities are authenticated to identify the entity attempting to access a resource and also to only allow the necessary access. Components include multi-factor authentication (MFA) where, in addition to a user ID and password, there is an additional factor to strengthen the authentication process. This is typically something you possess, such as a token or a device.
Another common AM component is single sign-on (SSO), which establishes a secure session once a user is authenticated so that multiple resources can be accessed without re-authenticating for each one. Standards such as SAML and OpenID Connect enable vendor-agnostic SSO integration across identity management solutions and resources, and have been an important factor in the ability to scale to large numbers of users and applications.
Identity Governance and Administration
Identity Governance and Administration (IGA) addresses the administration and governance of identities and access rights (also known as access entitlements). IGA solutions include a user interface and workflow engine that provide the ability to request and approve access. This could include ad-hoc requests for specific resources and also role-based access, where these tools can define and manage the lifecycle of business and technical roles.
An important function of IGA is Access Certification, which automates the process of reviewing the access of identities, typically organized by company hierarchy, enabling managers to review and certify the access of their employees. This also enables regulatory compliance, as many laws exist that require any access to financial systems to be reviewed on a regular basis.
Another key component of IGA is the provisioning and de-provisioning process. IGA tools implement 'connectors' to target applications where access rights can be established to enable the right users to have the right access. This can be as basic as group-level access or, for more sophisticated applications such as ERP systems, can provide a fine-grained level of access control. For this case, IGA also defines segregation of duties (SOD) controls that ensure there are no toxic combinations of access within or across an organization's applications.
IGA also enables user productivity by automatically provisioning the right access to users when they join an organization, based on pre-configured policies. This is known as birth-right access provisioning. It then enforces the least privilege model throughout the lifecycle of an identity, including the joiner, mover, and leaver stages.
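As an added example (not code from the CSA post), the following minimal model shows the two IGA decisions just described: birthright entitlements derived from an identity's department at joiner time, and an SOD check that blocks an ad-hoc request whose result would hold a toxic combination. The policy table, SOD rules and entitlement names are constructed sample data.

```python
# Added example (not from the CSA post): birthright provisioning plus an
# SOD check on ad-hoc access requests. All policy data below is constructed.
from dataclasses import dataclass, field

# Constructed birthright policy: department -> entitlements granted at joiner time.
BIRTHRIGHT_POLICY = {
    "finance": {"erp:ap_invoice_entry", "erp:gl_view"},
    "engineering": {"git:read", "ci:trigger"},
}

# Constructed SOD rules: entitlement pairs that must never be held together.
SOD_RULES = [
    frozenset({"erp:ap_invoice_entry", "erp:ap_payment_approve"}),
    frozenset({"erp:vendor_create", "erp:ap_payment_approve"}),
]

@dataclass
class Identity:
    user_id: str
    department: str
    entitlements: set = field(default_factory=set)

def birthright_entitlements(identity):
    """Entitlements an identity receives automatically on joining."""
    return set(BIRTHRIGHT_POLICY.get(identity.department, set()))

def sod_violations(entitlements):
    """Return every SOD rule fully contained in the given entitlement set."""
    return [rule for rule in SOD_RULES if rule <= entitlements]

def request_access(identity, entitlement):
    """Grant an ad-hoc request only if the resulting set stays SOD-clean.
    Returns (granted, violations)."""
    proposed = identity.entitlements | {entitlement}
    violations = sod_violations(proposed)
    if violations:
        return False, violations
    identity.entitlements = proposed
    return True, []

def onboard(identity):
    """Joiner step: apply the birthright policy."""
    identity.entitlements |= birthright_entitlements(identity)
    return identity

def offboard(identity):
    """Leaver step: de-provision everything."""
    identity.entitlements.clear()
    return identity
```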
Privileged Access Management
Another important component of IAM specifically addresses access to sensitive resources and users, referred to as Privileged Access Management (PAM). Capabilities have evolved over the last decade to include vaulting and rotation of administrative credentials, session recording, machine identity credentials (e.g., for VMs and containers), and support for DevOps tooling that requires administrative credentials.
PAM was originally targeted toward system administrators such as database or operating system admins, but given that sensitive access has expanded to cloud assets, it is critical that PAM also support web-based access to administrative interfaces (e.g., IaaS admin consoles, SaaS admin consoles, etc.).
PAM is also evolving to support a just-in-time (JIT) access model, avoiding the need to have credentials vaulted and permanent accounts defined, which create a risk of being compromised. In the JIT model, an account is created dynamically, or a non-administrative account is given temporary administrative rights, for a specific time period and is then removed. This mitigates the risk of account compromise, given that there are fewer administrative accounts or the accounts that do exist do not have administrative rights.
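As an added example (not code from the CSA post), this small broker models the JIT pattern above: a non-administrative account is given an administrative role for a bounded window, access checks honour the grant only while it is unexpired, and a sweep removes expired grants so that standing administrative exposure is limited to live grants. The role name, the policy cap and the timestamps are constructed for illustration.

```python
# Added example (not from the CSA post): time-bound JIT elevation with expiry.
from dataclasses import dataclass

MAX_GRANT_SECONDS = 3600  # constructed policy cap on a single elevation

@dataclass(frozen=True)
class Grant:
    user_id: str
    role: str
    expires_at: float  # epoch seconds

class JitBroker:
    def __init__(self):
        self._grants = {}  # (user_id, role) -> Grant

    def request_elevation(self, user_id, role, now, duration_seconds):
        """Issue a time-bound grant; reject durations outside the policy cap."""
        if duration_seconds <= 0 or duration_seconds > MAX_GRANT_SECONDS:
            raise ValueError("requested duration outside policy")
        grant = Grant(user_id, role, now + duration_seconds)
        self._grants[(user_id, role)] = grant
        return grant

    def sweep(self, now):
        """Remove expired grants (the 'then removed' step). Returns the count."""
        expired = [k for k, g in self._grants.items() if g.expires_at <= now]
        for k in expired:
            del self._grants[k]
        return len(expired)

    def is_elevated(self, user_id, role, now):
        """Time-of-access check: a grant counts only while it is unexpired."""
        g = self._grants.get((user_id, role))
        return g is not None and g.expires_at > now

    def active_admins(self, role, now):
        """Standing exposure: who effectively holds the role right now."""
        return sorted(g.user_id for g in self._grants.values()
                      if g.role == role and g.expires_at > now)
```

Even without a sweep, `is_elevated` denies access once the window closes, so the sweep only tidies state rather than enforcing expiry.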
In addition, there are specific IAM use cases geared towards consumers of the solutions being offered, commonly referred to as Customer IAM (CIAM). In addition to access management, IGA, and PAM, the consumer focus is typically an emphasis on user experience, where solutions provide toolkits or SDKs that allow organizations to customize the look and feel of the authentication experience.
Other use cases include adaptive access, where analytics and machine learning provide the ability to detect anomalies and enforce stronger access methods such as MFA when required. Also, given the emphasis on user experience, a workflow engine that provides templates to capture information during the customer journey is becoming an important feature, often referred to as progressive profiling. Furthermore, given the increase in privacy concerns and regulatory compliance, CIAM solutions are providing an interface to facilitate privacy and consent management, where customers can review and control their personal information and who it is shared with.
Although not core to IAM, there are a number of adjacent technologies that are important as organizations attempt to manage and secure access to resources, particularly in the cloud. One of these technologies is cloud infrastructure entitlement management (CIEM), which seeks to collect and normalize the thousands of permissions that reside within IaaS platforms, understand the access patterns, and make ML-based recommendations on how to trim the excessive access that typically exists in these environments. More advanced IAM solutions implement these capabilities in addition to the native capabilities within the cloud platforms and to cloud security posture management (CSPM) solutions.
Learn about the evolution of IAM and IAM's role in the cloud in Part 4.