What is Identity and Access Management?
Identity and access management, or IAM, is the combination of business processes, policies, and technology solutions that enables an enterprise to manage the roles and privileges that individual users and devices need to access business systems. At Clear Skye, we like Gartner’s definition of IAM: “The discipline that enables the right individuals to access the right resources at the right times for the right reasons.”
Let’s take a look at why IAM is important for today’s enterprises, where IAM has benefits as well as limitations, and what the future landscape for IAM looks like.
Why IAM Is Important
Businesses of all sizes face pressure to protect access to corporate resources. These resources include physical assets (whether it’s technology such as laptops and servers or a company’s products) as well as the wide range of business applications that workers use every day to access intellectual property or confidential information. Businesses need to protect against external and internal threats as well as against on-premises and remote threats — and, increasingly, they must prove to government regulators, industry standards organizations, and even their customers that they are taking the necessary steps to protect access.
IAM solutions provide this type of protection by offering role-based access to corporate systems. Roles can be defined based on an employee’s job title and authority; in addition, roles can be assigned to applications or devices that may also require access to corporate systems. Third parties such as contractors or customers can also be granted limited access.
Common Capabilities of IAM
Identity and access management comprises a set of product capabilities, many of which industry analysts cover as solution markets in their own right. The most common grouping of capabilities is as follows:
- Access management — This focuses on users physically logging into company applications. Key features include strong authentication, authorization, single sign-on, and federation.
- Privileged account management — This solution area focuses on placing an extra layer of governance on those administrative accounts that can do the most harm if compromised. Key features include password vaulting, session management, endpoint privilege management, and Active Directory bridging.
- Identity governance and administration — This solution area focuses on ensuring that, across the application estate, every user has only the permissions they need to do their job and nothing else. This is useful from both a security and a compliance perspective. Key features include provisioning, identity lifecycle management, access request, access review, and access certification.
The Benefits of IAM
Robust IAM solutions offer several key advantages.
- First and foremost, strong identity management provides enterprises with greater control over user access. This reduces the risk of unauthorized access, which in turn lowers the risk of data breaches.
- Segregation of duties ensures that access to certain systems or information is restricted based on a user’s specific role. This helps minimize the business risk of fraudulent activity, such as the employee with the authority to approve expense reports also having the authority to cut checks.
- Automating a wide range of common and low-priority tasks associated with access request, access review, and workflow management can improve productivity and efficiency. This lets employees focus more attention on high-priority tasks.
- IAM enables enterprises to demonstrate compliance with requirements such as HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, and various NIST guidelines by auditing, reviewing, and documenting which users have access to which systems.
Where IAM Is Limited
One of the biggest potential limitations of IAM is the silo. IAM works best when it connects all systems across the enterprise — not just IT but also Human Resources, Procurement, Facilities, and all key business lines. If IAM solutions are restricted to certain enterprise systems or business lines, their effectiveness is limited.
Another challenge is managing changes to an individual’s access rights. An employee’s role is bound to change as they get promoted or take on additional responsibilities, and new enterprise applications are bound to be implemented to help improve productivity. If an IAM solution isn’t set up to automatically identify changes to access, then IAM teams must do this manually — introducing a process that is slow and prone to errors.
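The segregation-of-duties check listed under the benefits and the access-change problem described above can both be covered by one periodic access review. The Python sketch below is an added example, not Clear Skye's code; the role names, entitlement strings, and users are constructed sample data.

```python
# Constructed sample data: every role, entitlement and user name is hypothetical.
ROLE_ENTITLEMENTS = {
    "expense_approver": {"expenses:approve"},
    "accounts_payable": {"payments:issue_check", "vendors:read"},
    "engineer": {"repo:write", "ci:run"},
}

# Entitlement pairs one person must not hold together (segregation of duties).
SOD_CONFLICTS = [("expenses:approve", "payments:issue_check")]

# Current HR roles versus what the applications actually grant.
USERS = {
    "alice": {"roles": {"expense_approver"}, "granted": {"expenses:approve"}},
    # bob moved from expense approval to accounts payable; old access was kept.
    "bob": {"roles": {"accounts_payable"},
            "granted": {"payments:issue_check", "vendors:read", "expenses:approve"}},
    "carol": {"roles": {"engineer"},
              "granted": {"repo:write", "ci:run", "vendors:read"}},
}


def expected_entitlements(roles):
    """Union of entitlements justified by the user's current roles."""
    expected = set()
    for role in roles:
        # An unknown role justifies nothing, so all of its grants show as excess.
        expected |= ROLE_ENTITLEMENTS.get(role, set())
    return expected


def review_user(name, record):
    """Compare granted access with role-derived access and the SoD rules."""
    granted = record["granted"]
    expected = expected_entitlements(record["roles"])
    return {
        "user": name,
        "sod_violations": [pair for pair in SOD_CONFLICTS if set(pair) <= granted],
        "excess": sorted(granted - expected),   # candidates for revocation
        "missing": sorted(expected - granted),  # candidates for provisioning
    }


def access_review(users):
    """Return findings only for users whose access deviates from policy."""
    findings = [review_user(name, rec) for name, rec in sorted(users.items())]
    return [f for f in findings if f["sod_violations"] or f["excess"] or f["missing"]]


if __name__ == "__main__":
    for finding in access_review(USERS):
        print(finding)
```

The review flags bob for holding both halves of the approve-and-pay conflict after a role change, and carol for an entitlement her role does not justify; alice produces no finding.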
What the Future of IAM Looks Like
At Clear Skye, we believe that IAM is just one component — albeit a critical one — of a larger enterprise-wide strategy that encompasses security, governance, risk management, and compliance. When IAM is implemented across an enterprise, as part of a larger identity management framework, enterprises are able to implement and enforce governance policies for authentication, validation, privilege management, and more. This gives employees a consistent experience that aligns with their everyday business workflows — ensuring that the right thing to do is also the easy thing to do.