What is identity management? Broadly speaking, identity management systems (also known as identity and access management, or IAM, systems) enable the administration of individual identities within a system, such as a company, a network or even a country. More specifically, ID management in enterprise IT is about defining and managing the roles and access privileges of individual network users and the circumstances in which users are granted (or denied) those privileges.
An ID management system’s core objective is one identity per individual. Once that digital ID has been established, it must be maintained, modified and monitored throughout each user’s “access lifecycle.”
Thus, the overarching goal of ID management is to “grant access to the right enterprise assets to the right users in the right context, from a user’s system onboarding to permission authorizations to the offboarding of that user as needed in a timely fashion,” according to Yassir Abousselham, senior vice president and chief security officer for Okta, an enterprise identity management provider.
ID management systems provide administrators with the tools and technologies to change a user’s role, track user activities, create reports on those activities, and enforce policies on an ongoing basis. These systems are designed to provide a means of administering user access across an entire enterprise and to ensure compliance with corporate policies and government regulations.
ID management technologies include (but aren’t limited to) password-management tools, provisioning software, security-policy enforcement applications, reporting and monitoring apps and identity repositories. ID management systems are available for on-premise systems, such as Microsoft SharePoint, as well as for cloud-based systems, such as Microsoft Office 365.
ID management systems must be flexible and robust enough to accommodate the complexities of today’s computing environment. One reason: An enterprise’s computing environment used to be largely on-premises, and ID management systems authenticated and tracked users as they worked on-premises, says Jackson Shaw, senior director of product management for ID and access management provider One Identity. “There used to be a security fence around the premises,” Shaw noted. “Today, that fence isn’t there anymore.”
As a consequence, ID management systems today should enable administrators to easily manage access privileges for a variety of users, including domestic on-site employees and international off-site contractors; hybrid compute environments that encompass on-premise computing, software as a service (SaaS) applications and shadow IT and BYOD users; and computing architectures that include UNIX, Windows, Macintosh, iOS, Android and even Internet of Things (IoT) devices.
Ultimately, the ID management system should enable centralized management of users “in a consistent and scalable way across the enterprise,” says Abousselham.
In recent years, identity-as-a-service (IDaaS) has evolved as a third-party managed service offered over the cloud on a subscription basis, providing ID management for a customer’s on-premise and cloud-based systems.
Why should I care about identity management?
ID management is a critical part of any enterprise security plan, as it is inextricably linked to the security and productivity of organizations in today’s digitally enabled economy.
Compromised user credentials often serve as an entry point into an organization’s network and its information assets. Enterprises use ID management to safeguard their information assets against the rising threats of ransomware, criminal hacking, phishing and other malware attacks. Global ransomware damage costs alone are expected to exceed $5 billion this year, up 15 percent from 2016, Cybersecurity Ventures predicted.
In many organizations, users sometimes have more access privileges than necessary. A robust ID management system can add an important layer of protection by ensuring a consistent application of user access rules and policies across an organization.
ID management systems can enhance business productivity. The systems’ central management capabilities can reduce the complexity and cost of safeguarding user credentials and access. At the same time, ID management systems enable workers to be more productive (while staying secure) in a variety of environments, whether they’re working from home, the office, or on the road.
Many governments require enterprises to care about identity management. Regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA hold organizations accountable for controlling access to customer and employee information. ID management systems can help organizations comply with those regulations.
The General Data Protection Regulation (GDPR) is a more recent regulation that requires strong security and user access controls. GDPR mandates that organizations safeguard the personal data and privacy of European Union citizens. Effective May 2018, the GDPR affects every company that does business in EU countries and/or has European citizens as customers. For more, read about GDPR’s requirements, deadlines and facts.
On March 1, 2017, the state of New York’s Department of Financial Services (NYDFS) new cybersecurity regulations went into effect. The regulations prescribe many requirements for the security operations of financial services companies that operate in New York, including the need to monitor the activities of authorized users and maintain audit logs—something ID management systems typically do.
By automating many aspects of providing secure user access to enterprise networks and data, ID management systems relieve IT of mundane but important tasks and help them stay in compliance with government regulations. These are critical benefits, given that today, every IT position is a security position; there’s a persistent, global cybersecurity workforce shortage; and penalties for not being compliant with relevant regulations can cost an organization millions or even billions of dollars.
How can an identity management system benefit my business?
Implementing ID management and associated best practices can give you a significant competitive advantage in several ways. Nowadays, most businesses need to give users outside the organization access to internal systems. Opening your network to customers, partners, suppliers, contractors and, of course, employees can increase efficiency and lower operating costs.
ID management systems can allow a company to extend access to its information systems across a variety of on-premise applications, mobile apps, and SaaS tools without compromising security. By providing greater access to outsiders, you can drive collaboration throughout your organization, enhancing productivity, employee satisfaction, research and development, and, ultimately, revenue.
ID management can decrease the number of help-desk calls to IT support teams regarding password resets. ID management systems allow administrators to automate these and other time-consuming, costly tasks.
An ID management system can be a cornerstone of a secure network, because managing user identity is an essential piece of the access-control picture. An ID management system all but requires companies to define their access policies, specifically outlining who has access to which data resources and under which conditions they have access.
Consequently, well-managed IDs mean greater control of user access, which translates into a reduced risk of internal and external breaches. This is important because, alongside rising external threats, internal attacks are all too frequent. Approximately 60 percent of all data breaches are caused by an organization’s own employees, according to IBM’s 2016 Cyber Security Intelligence Index. Of those, 75 percent were malicious in intent; 25 percent were accidental.
As mentioned previously, an ID management system can bolster regulatory compliance by providing the tools to implement comprehensive security, audit and access policies. Many systems now provide features designed to ensure that an organization is in compliance.
How do identity management systems work?
In years past, a typical ID management system comprised four basic elements: a directory of the personal data the system uses to define individual users (think of it as an ID repository); a set of tools for adding, modifying and deleting that data (related to access lifecycle management); a system that regulates user access (enforcement of security policies and access privileges); and an auditing and reporting system (to verify what’s happening on your system).
Regulating user access has traditionally involved a number of authentication methods for verifying the identity of a user, including passwords, digital certificates, tokens and smart cards. Hardware tokens and credit-card-sized smart cards served as one component in two-factor authentication, which combines something you know (your password) with something you have (the token or the card) to verify your identity. A smart card carries an embedded integrated circuit chip that can be either a secure microcontroller or equivalent intelligence with internal memory or a memory chip alone. Software tokens, which can exist on any device with storage capability, from a USB drive to a cell phone, emerged in 2005.
In today’s complex compute environments, along with heightened security threats, a strong user name and password doesn’t cut it anymore. Today, ID management systems often incorporate elements of biometrics, machine learning and artificial intelligence, and risk-based authentication.
At the user level, recent user authentication methods are helping to better protect identities. For example, the popularity of Touch ID-enabled iPhones has familiarized many people with using their fingerprints as an authentication method. Newer Windows 10 computers offer fingerprint sensors or iris scanning for biometric user authentication. The next iPhone, due out later this year, is rumored to include iris scanning or facial recognition to authenticate users instead of fingerprint scanning.
Some organizations are moving from two-factor to three-factor authentication, says Abousselham, combining something you know (your password), something you have (a smartphone), and something you are (facial recognition, iris scanning or fingerprint sensors). “When you go from two-factor to three, you have more assurance that you’re dealing with the correct user,” he says.
At the administration level, today’s ID management systems offer more advanced user auditing and reporting, thanks to technologies such as context-aware network access control and risk-based authentication (RBA).
Context-aware network access control is policy-based. It predetermines an event as well as its outcome based on various attributes, says Joe Diamond, Okta’s director of products. For example, if an IP address isn’t whitelisted, it may be blocked. Or if there isn’t a certificate that indicates a device is managed, then context-aware network access control might step up the authentication process.
By comparison, RBA is more dynamic and is often enabled by some level of AI. With RBA, “you’re starting to open up risk scoring and machine learning to an authentication event,” Diamond says.
Risk-based authentication dynamically applies various levels of strictness to authentication processes according to the current risk profile. The higher the risk, the more restrictive the authentication process becomes for a user. A change in a user’s geographic location or IP address may trigger additional authentication requirements before that user can access the company’s information resources.
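The two mechanisms just described differ in how the outcome is reached: a context-aware policy fixes the result for each attribute ahead of time, while risk-based authentication scores the attempt and escalates as the score rises. The following is an added illustration written for this article, not code from Okta or any product it mentions; the allow-listed networks, the signal weights and the thresholds are constructed, and a real deployment would feed them from its own policy and user history.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed allow-list of corporate egress ranges (hypothetical values).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


@dataclass
class AuthRequest:
    user: str
    source_ip: str
    country: str
    device_managed: bool                 # True when the device presented a management certificate
    known_ips: set = field(default_factory=set)   # addresses previously seen for this user
    usual_country: str = ""              # country the user normally signs in from


def context_decision(req: AuthRequest) -> str:
    """Context-aware access control: a static policy whose outcome is fixed in
    advance for each attribute, evaluated top to bottom."""
    src = ip_address(req.source_ip)
    if not any(src in net for net in ALLOWED_NETWORKS):
        return "block"       # address not on the allow-list: blocked outright
    if not req.device_managed:
        return "step-up"     # no management certificate: require an extra factor
    return "allow"


def risk_score(req: AuthRequest) -> int:
    """Risk-based authentication: add up weighted signals describing how unusual
    this attempt is for this particular user. Weights are constructed."""
    score = 0
    if req.source_ip not in req.known_ips:
        score += 30          # address never seen for this user before
    if req.usual_country and req.country != req.usual_country:
        score += 40          # geographic change since the last sign-in
    if not req.device_managed:
        score += 20
    return score


def risk_decision(score: int) -> str:
    """Map the score onto a strictness level: the higher the risk, the more
    restrictive the authentication process becomes."""
    if score >= 60:
        return "deny"
    if score >= 30:
        return "mfa"
    return "allow"


def authenticate(req: AuthRequest) -> str:
    """Combine both: the static policy is applied first and may short-circuit;
    the dynamic score can only make the outcome stricter, never looser."""
    static = context_decision(req)
    if static == "block":
        return "block"
    dynamic = risk_decision(risk_score(req))
    if static == "step-up" and dynamic == "allow":
        return "mfa"
    return dynamic


if __name__ == "__main__":
    # Constructed sample: a known user on a managed device from a usual address.
    routine = AuthRequest("alice", "203.0.113.10", "US", True,
                          known_ips={"203.0.113.10"}, usual_country="US")
    print(authenticate(routine))
```

Note the ordering in `authenticate`: the static block is final, and the risk score is never allowed to downgrade a step-up the policy already demanded. That keeps the behaviour predictable for auditing, which is the property the policy-based approach is valued for.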
What is federated identity management?
Federated identity management lets you share digital IDs with trusted partners. It’s an authentication-sharing mechanism that allows users to employ the same user name, password or other ID to gain access to more than one network.
Single sign-on (SSO) is an important part of federated ID management. A single sign-on standard lets people who verify their identity on one network, website or app carry over that authenticated status when moving to another. The model works only among cooperating organizations—known as trusted partners—that essentially vouch for each other’s users.
Authorization messages between trusted partners are often sent using Security Assertion Markup Language (SAML, pronounced “SAM-el”). This open specification defines an XML framework for exchanging security assertions among security authorities. SAML achieves interoperability across different vendor platforms that provide authentication and authorization services.
SAML isn’t the only open-standard identity protocol, however. Others include OpenID, WS-Trust (short for Web Services Trust) and WS-Federation (which have corporate backing from Microsoft and IBM), and OAuth (pronounced “Oh-Auth”), which lets a user’s account information be used by third-party services such as Facebook without exposing the password.
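Because a SAML assertion is the artifact one trusted partner hands to another, the receiving side has to check that it really was meant for it before honouring the authenticated status it carries. The code below is an added example, not from the article or from any identity vendor: it parses a constructed SAML 2.0 assertion and enforces the issuer, audience and validity-window conditions. The identity provider URL, service provider entity ID, clock-skew allowance and sample assertion are all assumptions, and the function assumes the caller has already verified the XML signature over the message, which needs a dedicated XML-signature library and is outside this snippet.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed trust configuration for a hypothetical service provider (SP).
TRUSTED_ISSUERS = {"https://idp.example.com/metadata"}
OUR_ENTITY_ID = "https://sp.example.com/metadata"
CLOCK_SKEW = timedelta(seconds=60)   # tolerance for IdP/SP clock drift

# Constructed sample assertion, as an IdP might issue after a user signed in.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2017-08-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-08-01T11:59:00Z" NotOnOrAfter="2017-08-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2017-08-01T11:59:30Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when an assertion fails a trust condition."""


def _parse_ts(value: str) -> datetime:
    # SAML timestamps are UTC in the form YYYY-MM-DDThh:mm:ssZ
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime) -> dict:
    """Check issuer, validity window and audience, then return the identity
    the assertion vouches for. Signature verification is assumed to have
    happened already (assumption of this example)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionRejected("not a SAML 2.0 assertion")

    # 1. Only assertions from partners we have agreed to trust are accepted.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_ISSUERS:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")

    # 2. The assertion must be inside its validity window (with small skew).
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise AssertionRejected("assertion lacks a bounded validity window")
    not_before = _parse_ts(cond.get("NotBefore"))
    not_on_or_after = _parse_ts(cond.get("NotOnOrAfter"))
    if now < not_before - CLOCK_SKEW or now >= not_on_or_after + CLOCK_SKEW:
        raise AssertionRejected("assertion outside its validity window")

    # 3. It must be addressed to us, not to some other service provider.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if OUR_ENTITY_ID not in audiences:
        raise AssertionRejected("assertion not addressed to this service provider")

    # 4. Extract the subject and any attributes the partner asserted about it.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise AssertionRejected("assertion carries no subject")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"subject": name_id, "issuer": issuer, "attributes": attributes}


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, datetime(2017, 8, 1, 12, 2, tzinfo=timezone.utc)))
```

The audience check is the one most often skipped in home-grown SSO code: an assertion that is genuine and unexpired but issued for a different service provider must still be refused, otherwise one partner's session can be replayed against another.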
What are the challenges or risks of implementing an identity management solution?
A successful implementation of ID management requires forethought and collaboration across departments. Companies that establish a cohesive ID management strategy—clear objectives, stakeholder buy-in, defined business processes—before they begin the project are likely to be most successful. ID management works best “when you have human resources, IT, security and other departments involved,” says Shaw.
Often, identity information may come from multiple repositories, such as Microsoft Active Directory (AD) or human resources applications. An ID management system must be able to synchronize the user identity information across all these systems, providing a single source of truth.
Given the shortage of IT people today, ID management systems must enable an organization to manage a variety of users in different situations and computing environments—automatically and in real-time. Manually adjusting access privileges and controls for hundreds or thousands of users isn’t feasible.
For example, de-provisioning access privileges for departing employees can fall through the cracks, especially when done manually, which is too often the case. Reporting an employee’s departure from the company and then automatically de-provisioning access across all the apps, services and hardware he or she used requires an automated, comprehensive ID management solution.
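The four elements listed earlier under "How do identity management systems work?" (an identity repository, lifecycle tools, an access-regulating component and an audit trail) and the de-provisioning problem described just above can be seen together in one small model. This is an added example written for this article, not code from One Identity, Okta or any other product named here; the role-to-entitlement mapping, the connected systems and the sample user are constructed, and a real system would replace the in-memory dictionaries with a directory and real application connectors.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Identity:
    """One record in the identity repository: one identity per individual."""
    user_id: str
    name: str
    department: str
    roles: set = field(default_factory=set)
    active: bool = True


# Constructed mapping from role to the (resource, action) pairs it entitles.
ROLE_ENTITLEMENTS = {
    "staff":   {("mail", "read"), ("wiki", "read")},
    "finance": {("ledger", "read"), ("ledger", "write")},
    "admin":   {("directory", "write")},
}


class ConnectedSystem:
    """Stand-in for an application the IAM system provisions into (hypothetical)."""
    def __init__(self, name: str):
        self.name = name
        self.accounts = set()

    def create_account(self, user_id: str):
        self.accounts.add(user_id)

    def disable_account(self, user_id: str):
        self.accounts.discard(user_id)


class IdentityManager:
    def __init__(self, systems):
        self.directory = {}                       # the ID repository
        self.systems = {s.name: s for s in systems}
        self.audit_log = []                       # auditing and reporting

    def _audit(self, actor, action, target, detail=""):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "actor": actor, "action": action,
                               "target": target, "detail": detail})

    def _systems_for(self, ident: Identity) -> set:
        # Which connected systems this identity's roles require accounts in.
        return {res for role in ident.roles for (res, _) in ROLE_ENTITLEMENTS.get(role, ())}

    def provision(self, actor: str, ident: Identity):
        if ident.user_id in self.directory:
            raise ValueError("identity already exists: one identity per individual")
        self.directory[ident.user_id] = ident
        for name in self._systems_for(ident):
            if name in self.systems:
                self.systems[name].create_account(ident.user_id)
        self._audit(actor, "provision", ident.user_id, f"roles={sorted(ident.roles)}")

    def change_role(self, actor: str, user_id: str, add=(), remove=()):
        ident = self.directory[user_id]
        before = set(ident.roles)
        ident.roles |= set(add)
        ident.roles -= set(remove)
        wanted = self._systems_for(ident)
        # Reconcile every connector with the new role set, removing what is no longer needed.
        for name, system in self.systems.items():
            if name in wanted:
                system.create_account(user_id)
            else:
                system.disable_account(user_id)
        self._audit(actor, "role-change", user_id, f"{sorted(before)} -> {sorted(ident.roles)}")

    def entitlements(self, user_id: str) -> set:
        ident = self.directory.get(user_id)
        if ident is None or not ident.active:
            return set()
        return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in ident.roles))

    def authorize(self, user_id: str, resource: str, action: str) -> bool:
        """Access regulation: every decision is also written to the audit trail."""
        allowed = (resource, action) in self.entitlements(user_id)
        self._audit(user_id, "access", f"{resource}:{action}", "allow" if allowed else "deny")
        return allowed

    def deprovision(self, actor: str, user_id: str):
        """Triggered by the HR departure event; sweeps every connected system,
        not only the ones the current roles point at, so stale accounts cannot linger."""
        ident = self.directory[user_id]
        ident.active = False
        ident.roles.clear()
        for system in self.systems.values():
            system.disable_account(user_id)
        self._audit(actor, "deprovision", user_id)
```

The point to notice is in `deprovision`: it does not derive the list of systems from the roles still on file, because an account may have been created by an earlier role that has since been removed, or by hand outside the IAM system. Sweeping every connector is what makes the automated offboarding comprehensive.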
Authentication must also be easy for users to perform, it must be easy for IT to deploy, and above all it must be secure, Abousselham says. This accounts for why mobile devices are “becoming the center of user authentication,” he added, “because smartphones can provide a user’s current geolocation, IP address and other information that can be leveraged for authentication purposes.”
One risk worth keeping in mind: Centralized operations present tempting targets to hackers and crackers. By putting a dashboard over all of a company’s ID management activities, these systems reduce complexity for more than the administrators. Once compromised, they could allow an intruder to create IDs with extensive privileges and access to many resources.
What terminology should I know?
Buzzwords come and go, but a few key terms in the identity management space are worth knowing:
- Access management: Access management refers to the processes and technologies used to control and monitor network access. Access management features, such as authentication, authorization, trust and security auditing, are part and parcel of the top ID management systems for both on-premise and cloud-based systems.
- Active Directory (AD): Microsoft developed AD as a user-identity directory service for Windows domain networks. Though proprietary, AD is included in the Windows Server operating system and is thus widely deployed.
- Biometric authentication: A security process for authenticating users that relies upon the user’s unique characteristics. Biometric authentication technologies include fingerprint sensors, iris and retina scanning, and facial recognition.
- Context-aware network access control: Context-aware network access control is a policy-based method of granting access to network resources according to the current context of the user seeking access. For example, a user attempting to authenticate from an IP address that hasn’t been whitelisted would be blocked.
- Credential: An identifier employed by the user to gain access to a network such as the user’s password, public key infrastructure (PKI) certificate, or biometric information (fingerprint, iris scan).
- De-provisioning: The process of removing an identity from an ID repository and terminating access privileges.
- Digital identity: The ID itself, including the description of the user and his/her/its access privileges. (“Its” because an endpoint, such as a laptop or smartphone, can have its own digital identity.)
- Entitlement: The set of attributes that specify the access rights and privileges of an authenticated security principal.
- Identity as a Service (IDaaS): Cloud-based IDaaS offers identity and access management functionality to an organization’s systems that reside on-premises and/or in the cloud.
- Identity lifecycle management: Similar to access lifecycle management, the term refers to the entire set of processes and technologies for maintaining and updating digital identities. Identity lifecycle management includes identity synchronization, provisioning, de-provisioning, and the ongoing management of user attributes, credentials and entitlements.
- Identity synchronization: The process of ensuring that multiple identity stores—say, the result of an acquisition—contain consistent data for a given digital ID.
- Lightweight Directory Access Protocol (LDAP): LDAP is an open-standards-based protocol for managing and accessing a distributed directory service, such as Microsoft’s AD.
- Multi-factor authentication (MFA): MFA is when more than just a single factor, such as a user name and password, is required for authentication to a network or system. At least one additional step is also required, such as receiving a code sent via SMS to a smartphone, inserting a smart card or USB stick, or satisfying a biometric authentication requirement, such as a fingerprint scan.
- Password reset: In this context, it’s a feature of an ID management system that allows users to re-establish their own passwords, relieving the administrators of the job and cutting support calls. The reset application is often accessed by the user through a browser. The application asks for a secret word or a set of questions to verify the user’s identity.
- Provisioning: The process of creating identities, defining their access privileges and adding them to an ID repository.
- Risk-based authentication (RBA): Risk-based authentication dynamically adjusts authentication requirements based on the user’s situation at the moment authentication is attempted. For example, when users attempt to authenticate from a geographic location or IP address not previously associated with them, those users may face additional authentication requirements.
- Security principal: A digital identity with one or more credentials that can be authenticated and authorized to interact with the network.
- User behavior analytics (UBA): UBA technologies examine patterns of user behavior and automatically apply algorithms and analysis to detect important anomalies that may indicate potential security threats. UBA differs from other security technologies, which focus on tracking devices or security events. UBA is also sometimes grouped with entity behavior analytics and known as UEBA.