Written by Kiran Kumar, Business analyst at Powerup Cloud Technologies
Contributor Agnel Bankien, Head – Marketing at Powerup Cloud Technologies
Introduction to IAM
In 1960, Fernando Corbató introduced computer passwords, which changed the world almost instantly: with passwords, people could secure their files and still share them easily. However, as networks and storage evolved, passwords became harder to manage. This created the need for a system that could manage access controls, giving rise to the IAM (identity access management) system. The earliest IAM systems used spreadsheets to manage all the access controls; a significant improvement for the time, but with a long way still to go. As the internet grew, IAM systems became an integral part of the network and saw a huge increase in adoption by web applications. Yet IAM systems were still too expensive and complex to maintain, and their capabilities were limited.
Coming back to 2021, in a day and age where 90% of enterprises use the cloud in some form, IAM systems have transformed significantly and can perform much more complex tasks such as authentication, authorization, policy implementation and access control. So let's explore IAM in more detail.
How do you Define IAM?
Identity access management is simply a system that enables enterprises to define who can access particular content, tools, application features, and so on; to manage roles, that is, which actions a particular user can perform; and to assign the necessary permissions and resources to the user. IAM can work with many kinds of identities, including people, software, and hardware such as robotics and IoT devices.
Why Organizations Should Adopt IAM
Since the onset of the pandemic, the majority of organizations have been forced to push their employees to work remotely without being able to fully assess all the risk factors involved. With the risk of data breaches and other security risks at an all-time high, there is a need for policies, guidelines, and risk limiters that can help mitigate these cyber threats by carefully managing and governing your company's assets.
Additionally, IAM has become a matter of compliance across regions: international regulations such as GDPR, as well as governance bodies around the world, have made IAM compulsory for organizations that handle or work with payment cards, because IAM enables the business to construct a strong authentication system and to ensure that the right person is accessing the right information at any point in time.
How does IAM Work?
To understand how IAM works, we first need to understand the structure of an IAM system. Every IAM system needs these essential components to function properly:
- A database with a list of user identities and their defined privileges
- Tools to manage and modify access controls
- A system for log management
The first step in an IAM journey is to define resources, such as user groups, federated users, roles and policies, along with identifiers for these resources. IAM systems also come with predefined roles that need to be assigned to users, for example:
- Access approval approver: this user can view, approve or revoke access approval requests and view the configuration
- Access approval config editor: this user can update the access approval configuration
- Principal: the principal coordinates with the service provider to raise requests and learn about new updates, features, etc.
However, these roles are not a market standard and may vary from one provider to another.
To make any kind of change to your IAM setup on the service provider's side, a request needs to be raised by the principal through the console, and only principals authenticated by the provider can raise these requests.
Authentication can be as simple as logging in to the service provider's console with your account ID and password. Sometimes you will also be required to provide additional security information, such as an MFA (multi-factor authentication) code. Once authentication is done, the request can be raised, and for any request to be processed it must include the following information:
- The action that needs to be taken
- The resources and users involved in the action, and their details
- The details about the environment
The next step is authorization, which completes the request. During this step the provider validates the information in the request against the policies that apply and decides whether the users involved are allowed or denied; if the user is allowed, the provider then checks which operations the user can perform, such as viewing, creating, editing, and deleting.
IAM Strategy and Approaches
Here are some of the strategies and best practices that should be incorporated to set up a good IAM system.
RBAC or Role-Based Access Control
Under this approach, your existing groups, directories, and their attributes are mapped to the new directories, enabling you to control data access and grant privileges based on the job roles or groups users belong to.
This approach requires users to log in only once, after which they have access to all the information in the system. While this adds to the productivity gains of the system, it is best to fully understand the system by moving just one directory to this model first.
MFA or Multi-Factor Authentication
The multi-factor authentication approach simply means that the user is authenticated by more than one factor. Since the onset of cloud computing, the need for increased security has skyrocketed. An MFA solution provides end-to-end encryption from the IAM setup to the MFA app, making external attacks impossible.
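As an added illustration (not code from the original post or from any provider's IAM), the toy authorizer below walks through the flow described under "How does IAM Work?" together with the RBAC mapping above: a principal must first be authenticated, the request carries an action, a resource and an environment, explicit deny rules (including an MFA condition on the environment) are checked first, and only then do the group-to-role bindings decide which operations (view, create, edit, delete) are permitted. All role, group, resource and user names are constructed samples.

```python
from dataclasses import dataclass, field

# Roles map to the operations they permit (constructed sample, not any provider's roles).
ROLES = {"viewer": {"view"}, "editor": {"view", "create", "edit"},
         "owner": {"view", "create", "edit", "delete"}}

# (resource, group) -> roles. Joining a group grants its roles, so onboarding a new
# employee means adding them to a group instead of hand-assigning each permission.
BINDINGS = {("reports", "finance-analysts"): {"viewer"},
            ("reports", "finance-leads"): {"owner"}}

# Deny rules are evaluated before any role grant; a matching deny always wins.
# "unless" is a condition on the request environment: here, deletes require MFA.
DENY_RULES = [{"action": "delete", "resource": "reports", "unless": {"mfa": True}}]

@dataclass
class Request:
    principal: str      # who raises the request
    groups: set         # group memberships looked up from the identity database
    action: str         # e.g. "view", "delete"
    resource: str
    environment: dict = field(default_factory=dict)  # context such as {"mfa": True}

def authenticated(request, sessions):
    """Authentication step: only a principal with a valid provider session may raise a request."""
    return sessions.get(request.principal) == "valid"

def permitted_operations(groups, resource):
    """Union of the operations granted by every role bound to one of the caller's groups."""
    ops = set()
    for (res, group), roles in BINDINGS.items():
        if res == resource and group in groups:
            for role in roles:
                ops |= ROLES[role]
    return ops

def authorize(request, sessions):
    """Authorization step: authenticate, apply deny rules, then check role-granted operations."""
    if not authenticated(request, sessions):
        return "deny", "unauthenticated principal"
    for rule in DENY_RULES:
        if rule["action"] == request.action and rule["resource"] == request.resource:
            unmet = [k for k, v in rule["unless"].items() if request.environment.get(k) != v]
            if unmet:
                return "deny", "policy condition not met: " + ",".join(unmet)
    if request.action in permitted_operations(request.groups, request.resource):
        return "allow", "granted via role binding"
    return "deny", "no role grants this operation"
```

The `sessions` mapping stands in for the provider's authentication state; a real system would consult its session or token store there.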
CASB (Cloud Access Security Broker) Integration
IAM systems are usually integrated with CASBs, which focus on security after login. A CASB helps you detect whether an account has been compromised and can have the IAM solution deactivate the compromised account. CASBs can detect other types of security issues as well.
Benefits of IAM
How IAM Makes a Difference?
Enhanced security – This is one of the most prominent advantages of an IAM system. IAM lets you control user access to eliminate data breaches, theft, and illegal access to the organization's network, and also prevents the spread of compromised login credentials.
Streamlined policy implementation – IAM lets you create, edit, and update your security policies in a centralized manner, simplifying operations and saving time.
Centralized security operations – IAM lets you manage all your security tickets through a single help desk and, depending on the use case, automate them, resulting in faster ticket resolution.
Compliance – IAM is one of the key parameters on which organizations are validated against industry regulations such as GDPR and HIPAA, and having an IAM strategy helps them meet those requirements faster.
Collaboration – With the growing number of remote workers, IAM provides organizations with safe and effective ways to manage their remote workers and promotes collaboration with external vendors and suppliers.
Our Experience with IAM
I would like to share some of our experience from setting up an IAM system for a product company.
Our client was one of India's largest online mutual fund investment platforms. One of their challenges was a standalone VPC with no centralized control for network administration and private access. Their monitoring tool, monit, had feasibility issues, and there was no centralized log storage, among other gaps. So LTI-Powerup helped them move their platform to GCP and built their access control around Cloud IAM, giving them complete control over the network with secure access. With this setup, the customer achieved granular monitoring for GKE, laid a strong foundation for their security practice with IAM at the core, and gained operational efficiency.
There is no doubt that IAM lifts your infrastructure security up a notch, but IAM has its limitations. One common challenge is that whenever a new employee joins the organization, the admin has to manually define all of their access permissions. That may sound simple, but imagine scaling it to thousands of users, or handling a major restructuring of the leadership; it becomes very difficult for the administrators. Using more than one cloud provider also brings its own problems and adds to the complexity.
The most important point is that organizations need to see IAM as an entry point, not a destination. IAM provides a strong foundation for an organization's security practice, and organizations need to build on it by capturing and implementing best practices and by integrating other technologies, such as log management and automation, to improve and effectively manage access to data.