Identity and Access Management

Mihiru Kongahage
4 min read · Nov 5, 2020
coinfox

When it comes to an organization, the data it holds is of utmost importance and should be protected at all costs. This is where Identity and Access Management (IAM) comes into the picture. As the name suggests, it is all about managing users, user roles, user access privileges, and many more.

At this point, there might be a lot of questions running through your mind. Why do we need IAM? How can user management be related to the security of an organization? Don’t worry, I’ll clear everything out.

In modern days an organization may be using one or several applications. There may be several or even millions of users connecting to these applications externally (customers, suppliers) or internally (employees). These applications might store confidential and sensitive information such as personal details and bank details. By now it is clear why we need security implemented. So, IAM is used to safeguard this valuable information from hackers, ransomware, phishing, etc.

But why can’t we secure the system by applying a single user access rule such as ‘no user can view any data in the system’? It is simple and clear that there have to be several roles in the system. When it comes to a bank, the front-desk staff should be given access only to view customer details, do new registrations, and maybe make minor changes to customer details. The managers should be allowed to view cumulative details of users and high-level analytics, and these should be hidden from the front-desk staff. The customers of the bank should only be allowed to view and edit their own details and should be restricted from any other tasks that front-desk staff and bank managers can perform. So to tackle this problem, we need a clear division of roles and to assign what each specific role can do. But this looks tedious, so IAM comes to the aid.

Authentication and Authorizations

Before we move on, let’s take a look at two words that look the same but actually are different: Authentication and Authorization. In simple terms, authentication means making sure that the person who entered the system is the one he/she claims to be. For example, if Alex entered his credentials and logged into his bank account, Alex is authenticated because it is Alex who entered his own credentials. But if Alex uses Ben’s credentials to enter Ben’s bank account, it is a breach of authentication, and this is where passwords come in.
Authorization is making sure that the authenticated user who accesses a specific resource has the privileges to access that resource. For example, Alex, who entered his bank account with his own details, tries to access another user’s details, which only front-desk staff and bank managers are allowed to see.
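The bank scenario from the text, written out as an added example (not code from the article or from WSO2): authentication checks the credential against a constructed user directory, and authorization checks the role’s permissions, with customers restricted to their own record. All usernames, passwords, roles and action names are constructed for illustration.

```python
import hmac

# What each role may do. Customers hold view/edit rights only over their
# own record (enforced in authorize), staff over any customer's record.
ROLE_PERMISSIONS = {
    "front_desk": {"view_customer", "register_customer", "edit_customer_minor"},
    "manager": {"view_customer", "view_analytics"},
    "customer": {"view_customer", "edit_customer"},
}

# Constructed directory: username -> (password, role). Plaintext passwords
# keep the example short; a real store holds salted password hashes.
USERS = {
    "alex": ("alex-secret", "customer"),
    "ben": ("ben-secret", "customer"),
    "nina": ("nina-secret", "front_desk"),
    "omar": ("omar-secret", "manager"),
}


def authenticate(username, password):
    """Authentication: does the presented credential match this identity?

    Returns a session dict on success, None on failure (unknown user or
    wrong password are treated the same so the response leaks nothing).
    """
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[0], password):
        return None
    return {"user": username, "role": record[1]}


def authorize(session, action, target=None):
    """Authorization: may this authenticated session perform `action`?

    `target` is the customer whose record is touched. A customer is only
    ever allowed to act on their own record; staff roles act on any.
    """
    if session is None:
        return False
    perms = ROLE_PERMISSIONS[session["role"]]
    if session["role"] == "customer":
        return action in perms and target == session["user"]
    return action in perms


if __name__ == "__main__":
    alex = authenticate("alex", "alex-secret")
    print("alex views own record:", authorize(alex, "view_customer", "alex"))
    print("alex views ben's record:", authorize(alex, "view_customer", "ben"))
```

Alex is authenticated (his own credentials match) but not authorized to read Ben’s record, which is exactly the distinction the two paragraphs above draw.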

Traditional Access Management

Now let’s see what Traditional Access Management is. In traditional access management, each and every application manages identities within its own system, so users need to create separate user accounts with unique passwords. With the wide use of web applications, a single person may possess many accounts in different organizations. Imagine having separate passwords, each satisfying all the required constraints, for each and every account. So most users tend to use the same password for all their accounts, simply because it’s human nature. This results in security issues. This is where IAM comes into play.

WSO2 Identity Server

The IAM is built on several concepts and principles.

Centralized Access Management — This allows you to use the same credentials to access all your user accounts with the help of an Identity Provider (IdP), which manages your credentials.

User Provisioning — Here you can create a single user account in the IdP, and use that to access all the other applications.

Single Sign-On — This enables users to sign in once and access all the other applications.

Multi-Factor Authentication (MFA) — Using just a username and password to authenticate to a system is not acceptable in today’s context, because the password is then the only protective layer between the system and the intruder. So MFA is the concept of applying several layers of authentication, such as SMS codes or biometrics.

Adaptive Authentication — This is simply a balance between usability and security. The system applies authentication factors based on the user’s risk profile.

Identity Federation — This allows users to access multiple systems across different organizations by building a trust relationship between two identity providers.
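To make the MFA and Adaptive Authentication items above concrete, here is an added example (not code from the article or from WSO2 Identity Server) of a risk-based policy: the attempt’s risk signals are scored, and the score decides whether a password alone is enough or whether SMS and biometric factors are also required. Signal names, weights and thresholds are constructed for illustration.

```python
# Risk signals a login attempt can set, with constructed weights.
RISK_WEIGHTS = {
    "new_device": 3,        # browser/device never seen for this user
    "unusual_country": 4,   # sign-in from a country the user never used
    "recent_failures": 2,   # several failed attempts in the last hour
    "privileged_role": 2,   # managers get stricter treatment than customers
}

# Score bands: below SECOND_FACTOR a password suffices (usability);
# above THIRD_FACTOR a biometric check is added as well (security).
SECOND_FACTOR = 3
THIRD_FACTOR = 7


def risk_score(context):
    """Sum the weights of every signal that is set in the attempt context."""
    return sum(w for name, w in RISK_WEIGHTS.items() if context.get(name))


def required_factors(context):
    """Return the ordered list of factors this attempt must complete.

    Low-risk attempts stay on password only; medium risk adds an SMS
    one-time code; high risk adds a biometric check on top of that.
    """
    score = risk_score(context)
    factors = ["password"]
    if score >= SECOND_FACTOR:
        factors.append("sms_otp")
    if score >= THIRD_FACTOR:
        factors.append("biometric")
    return factors


def authenticate_adaptively(context, completed):
    """Succeed only if every factor the policy demands was actually completed.

    `completed` is the set of factors the user has verified so far; a
    missing factor means the IdP must challenge for it before issuing a session.
    """
    return all(factor in completed for factor in required_factors(context))


if __name__ == "__main__":
    attempt = {"new_device": True, "unusual_country": True}
    print("risk:", risk_score(attempt), "needs:", required_factors(attempt))
```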

Legal Aspects

When talking about all this we should not forget the legal requirements. There are regulations imposed by governments such as Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and most importantly the General Data Protection Regulation (GDPR), to ensure organizations safeguard the personal data and privacy of users.

Why WSO2IS

With all these facts bombarded onto you, you might be thinking of an Identity Provider that you can integrate into your organization. Let me introduce WSO2 Identity Server, a fully open-source product that adheres to the required legal requirements, serves over 180+ production customers and manages 100M+ accounts worldwide. It comes with several important features such as web SSO, Identity Federation, Identity bridging, MFA and Adaptive authentication mechanisms, fine-grained access control, API security, identity analytics, and privacy.

Hope you got a better understanding of IAM. See you next time.
