What Is IAM?
Identity and Access Management (IAM) is the set of policies, technologies, processes, and personnel an organization uses to create and manage trusted digital identities and to control what each identity is allowed to do, with the goal of protecting sensitive organizational data.
Identity and Access Management includes the following areas:
- Defining roles and assignment rules, and identifying each entity to the system
- Managing the attributes of users and non-person entities (NPEs) such as service accounts, devices, and automated processes
- Assigning access levels to individuals, groups of individuals, and NPEs
- Managing and maintaining the roles of individuals and NPEs over their lifecycle in the system (joining, changing role, and leaving)
Authentication and Authorization
Identity and Access Management uses authentication to verify the identity of an individual or non-person entity. Authentication is defined as verifying the identity of a user, process, or device, usually as a prerequisite to granting access to resources.
Authorization comes after authentication: it determines the level of permission the individual or non-person entity has on an asset, and is defined as "the permission granted to an entity to access a system resource".
Common Authentication methods include:
- Password-based Authentication – an individual or automated process presents a login name and a password. It is the most common method and also the weakest, since a password can be guessed, reused across sites, or phished.
- Certificate-based Authentication – the user or device proves possession of the private key matching a digital certificate (for example, a client certificate in mutual TLS) in order to sign in.
- Hardware / Software token Authentication – a one-time code derived from a secret shared with the server, either time-based (a new code every 30 seconds or so) or counter-based; the code is useless once its time step has passed or it has been used.
- Multi-Factor Authentication (MFA) – uses two or more independent factors (something you know, something you have, something you are) so that compromising one factor, such as the password, is not enough on its own.
- Biometric Authentication – a unique physical characteristic of a person, e.g. a fingerprint or face.
- Behavioral Authentication – compares current behavior (typing rhythm, location, device, time of day) against a learned baseline, often with machine learning, and restricts access or requires step-up authentication when behavior falls outside the norm. It is normally a risk signal layered on top of a primary factor rather than a replacement for one.
Common Authorization methods include:
- Role-Based Access Control (RBAC) – Permissions are attached to roles that correspond to job functions within the organization, and users receive permissions only by being assigned those roles. Changing a role changes the access of everyone who holds it.
- Access Control List (ACL) – A list of rules attached to a resource that states which principals (users or groups) may perform which operations on it; a request that matches no entry is denied.
- Policy-Based Access Control (PBAC) – Business roles and policies are combined, so that a user's role plus conditions on the user, the resource, or the context (such as department or time of day) determine what access each role actually receives.
- Graph-Based Access Control (GBAC) – Entities, resources, and the relationships between them are modeled as a graph, and permissions are defined by queries over that graph written in a query language.
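The three most common models above can be seen side by side in one decision function. The following is an added example, not code from the original article or any particular IAM product: the role names, resource paths, attribute names and principals are made up, and the combination rule (an explicit ACL deny always wins, RBAC or an ACL entry must grant the action, and every applicable PBAC condition must hold, with default deny otherwise) is this example's own design choice.

```python
"""RBAC, ACL and policy-based (PBAC) decisions over one request model.

Added example, not code from the original article. Role names, resource
paths, attribute names and the sample principals are made up for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Subject:
    name: str
    roles: frozenset
    attrs: dict = field(default_factory=dict)   # e.g. department, request_hour


@dataclass
class Request:
    subject: Subject
    action: str                                 # "read" or "write"
    resource: str                               # e.g. "ledger/q3.xlsx"
    resource_attrs: dict = field(default_factory=dict)


# --- RBAC: permissions attach to roles, never to individuals. ---------------
# Resource patterns use shell-style globbing, so "ledger/*" covers every object
# under ledger/. Least privilege: only finance can write, and only under ledger/.
ROLE_PERMISSIONS = {
    "analyst": {("read", "reports/*")},
    "finance": {("read", "ledger/*"), ("write", "ledger/*")},
    "auditor": {("read", "ledger/*"), ("read", "reports/*")},
}


def rbac_allows(req: Request) -> bool:
    return any(
        action == req.action and fnmatchcase(req.resource, pattern)
        for role in req.subject.roles
        for action, pattern in ROLE_PERMISSIONS.get(role, ())
    )


# --- ACL: rules attached to one specific object. ----------------------------
# Entry = (effect, principal, action); principal is a user name or "role:<name>".
# Deny overrides allow; an object with no matching entry yields no decision.
ACLS = {
    "ledger/q3.xlsx": [
        ("allow", "role:finance", "read"),
        ("allow", "role:finance", "write"),
        ("allow", "role:auditor", "read"),
        ("deny", "dave", "write"),   # still holds the finance role but is being offboarded
    ],
}


def acl_decision(req: Request):
    """Return "allow", "deny", or None when no entry applies."""
    principals = {req.subject.name} | {f"role:{r}" for r in req.subject.roles}
    effects = {
        effect
        for effect, who, action in ACLS.get(req.resource, [])
        if who in principals and action == req.action
    }
    if "deny" in effects:
        return "deny"
    if "allow" in effects:
        return "allow"
    return None


# --- PBAC: a role plus conditions on subject and resource attributes. -------
def same_department(req: Request) -> bool:
    return req.subject.attrs.get("department") == req.resource_attrs.get("owner_dept")


def business_hours(req: Request) -> bool:
    hour = req.subject.attrs.get("request_hour")
    return hour is not None and 8 <= hour < 18


POLICIES = [  # (role, action, condition): every applicable condition must hold
    ("finance", "write", same_department),
    ("finance", "write", business_hours),
]


def pbac_allows(req: Request) -> bool:
    applicable = [cond for role, action, cond in POLICIES
                  if role in req.subject.roles and action == req.action]
    return all(cond(req) for cond in applicable)   # no applicable policy: no extra restriction


def authorize(req: Request) -> bool:
    """Default deny: an explicit ACL deny always wins, RBAC or an ACL allow must
    grant the action, and every applicable PBAC condition must hold."""
    acl = acl_decision(req)
    if acl == "deny":
        return False
    if not (rbac_allows(req) or acl == "allow"):
        return False
    return pbac_allows(req)


if __name__ == "__main__":
    # Constructed sample principals and a sample resource.
    alice = Subject("alice", frozenset({"finance"}), {"department": "finance", "request_hour": 10})
    dave = Subject("dave", frozenset({"finance"}), {"department": "finance", "request_hour": 10})
    ledger = {"owner_dept": "finance"}
    print(authorize(Request(alice, "write", "ledger/q3.xlsx", ledger)))   # finance write, in hours
    print(authorize(Request(dave, "write", "ledger/q3.xlsx", ledger)))    # same role, ACL deny wins
```

The point of the layering is that each model answers a different question: RBAC says what a job function may do in general, the ACL says who may touch this one object, and PBAC says under what conditions. Keeping the combination rule default-deny means a gap in any layer (a role with no permissions, an object with no ACL, a missing attribute) fails closed rather than open.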
National Institute of Standards & Technology (NIST)
The National Institute of Standards and Technology Cybersecurity Framework (CSF) version 1.1 places Identity and Access Management under the Protect function. (CSF 2.0, released in 2024, reorganizes the same outcomes under the Identity Management, Authentication, and Access Control category PR.AA; the identifiers below are the 1.1 ones.)
The NIST CSF 1.1 outcome category for Identity and Access Management is:
Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
Identity Management, Authentication, and Access Control has the following 7 subcategories:
- PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
- PR.AC-2: Physical access to assets is managed and protected
- PR.AC-3: Remote access is managed
- PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
- PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
- PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
- PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
Identity and Access Management is critical to cybersecurity. With sound IAM, organizations significantly reduce unauthorized access to sensitive information. IAM limits the damage from compromised login credentials (through MFA and prompt revocation of credentials), prevents unauthorized access to the organization's network, and narrows the attack surface available for account takeover, lateral movement, and other types of cyberattacks.
Identity and Access Management also helps organizations meet industry regulations that require customer data to be kept secure and private. The Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act (SOX) each impose access-control and audit requirements on the data they cover: cardholder data, protected health information, and financial records respectively.
Summary
Identity and Access Management is fundamental to information and network security. Policies, technologies, processes, and personnel are all used to create and manage trusted digital identities in an organization.
Authentication methods are used to verify identities, and authorization is used to define the permission levels those identities have on system assets or resources.
Identity and Access Management is a critical outcome category under the Protect function of the NIST Cybersecurity Framework, and its 7 subcategories (PR.AC-1 through PR.AC-7 in CSF 1.1) cover every area of Identity and Access Management an organization needs to address.