Identity and access management
Revision as of 00:26, 7 January 2021
In cyber-security, identity and access management (abbreviated IAM; also called identification and access management or simply identity management; more narrowly, user management; hereinafter IAM) is the practice, and the set of concepts built on that practice, of assigning each user of a system the right role within that system, and with it the right set of permissions.
The goal of IAM can be stated as enabling "the right individuals to access the right resources at the right times, and for the right reasons" (as quoted in Wikipedia). IAM combines business processes, policies, and technologies.
User management
User management is the ability of administrators to manage user access to IT resources such as systems, devices, applications, storage systems, networks, and SaaS services. It is a core part of any directory service and a basic security essential for any organization. User management lets admins control user access and on-board and off-board users to and from IT resources; the directory service then authenticates, authorizes, and audits user access to those resources according to what the admin has configured. Off-boarding deserves the same rigor as on-boarding: an account that is not disabled promptly when its owner leaves is a standing credential for an attacker.
Traditionally, standalone user management has been grounded in on-prem servers, databases, and closed virtual private networks (VPN). However, recent trends are seeing a shift towards cloud-based IAM, granting administrators greater control over digital assets.
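The authenticate / authorize / audit cycle described above, as an added example (not code from the original page or from any particular directory product). It models a small directory in which admins on-board users into groups and grant resources to groups; every access decision is default-deny and is written to an audit trail, and off-boarding disables the account rather than deleting it so the trail keeps the identity. Names such as `prod-db`, `alice` and the group names are constructed for the scenario.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    enabled: bool = True


class Directory:
    """Minimal user store: admins manage users and group grants; the directory
    authenticates (here reduced to: the account exists and is enabled),
    authorizes by group membership, and records every decision."""

    def __init__(self):
        self.users = {}   # username -> User
        self.grants = {}  # resource -> {group -> set of permitted actions}
        self.audit = []   # list of dict events, oldest first

    def _log(self, event, **detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, **detail})

    # --- administration: on-boarding, off-boarding, grants ---
    def onboard(self, name, groups):
        self.users[name] = User(name, set(groups))
        self._log("onboard", user=name, groups=sorted(groups))

    def offboard(self, name):
        # Disable rather than delete so the audit trail keeps the identity;
        # strip group membership so nothing can be inherited by mistake.
        user = self.users[name]
        user.enabled = False
        user.groups.clear()
        self._log("offboard", user=name)

    def grant(self, resource, group, actions):
        self.grants.setdefault(resource, {}).setdefault(group, set()).update(actions)
        self._log("grant", resource=resource, group=group, actions=sorted(actions))

    # --- enforcement: default deny, decided by group ACL ---
    def authorize(self, name, resource, action):
        user = self.users.get(name)
        if user is None or not user.enabled:
            self._log("deny", user=name, resource=resource, action=action,
                      reason="unknown or disabled account")
            return False
        acl = self.grants.get(resource, {})
        allowed = any(action in acl.get(g, set()) for g in user.groups)
        self._log("allow" if allowed else "deny", user=name,
                  resource=resource, action=action, reason="group ACL")
        return allowed


def demo():
    """Constructed scenario; returns the directory so the audit log can be read."""
    d = Directory()
    d.grant("prod-db", "dba", {"read", "write"})
    d.grant("prod-db", "engineering", {"read"})
    d.onboard("alice", {"engineering"})
    d.onboard("bob", {"dba"})
    d.authorize("alice", "prod-db", "read")    # allowed via engineering
    d.authorize("alice", "prod-db", "write")   # denied: no group grants write
    d.offboard("bob")
    d.authorize("bob", "prod-db", "write")     # denied: account disabled
    return d


if __name__ == "__main__":
    for event in demo().audit:
        print(event)
```

The design choice worth copying is that `authorize()` never consults per-user permissions, only groups, which is what makes "manage by groups" and automated deprovisioning tractable: removing a user from the directory removes every access at once.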
Components
- Directory: Directory services connect users to the IT resources they need. As the core user store, the directory is the foundation of any identity, access, and device management program. There are two primary classifications of directories — the on-premises directory, such as the legacy service Microsoft Active Directory, and the cloud directory platform.
- Directory extension: Because conventional on-prem directories are ill-equipped to manage many of today’s resources (e.g., Mac, Linux, SaaS, IaaS), a whole category of solutions has been created to extend credentials to other platforms and locations.
- SSO: Single sign-on solutions strive to consolidate the plethora of web application accounts and resources into one login process via the web browser. This category is also known as first-generation IDaaS (Identity-as-a-Service).
- Privileged account management: Some directories don’t provide sufficient security or management of critical systems like databases and network infrastructure. Privileged account management has sprung up to fill the void. These systems provide more stringent access controls, including the ability to manage systems and tightly control access to high-value IT resources.
- Password managers/vaults: End users need to remember so many passwords that a category of solutions has emerged to help. Password vaults store the passwords to your websites and can generate secure passwords for you.
- Multi-factor Authentication (MFA or 2FA): Passwords are an imperfect form of identity protection. To prevent the breach of high-value resources, a second method of authentication is essential. Not all second factors are equal: SMS and app-generated one-time codes can be relayed by a phishing page, whereas FIDO2/WebAuthn authenticators bind the response to the site's origin and resist that attack.
Strategy quality
Use this checklist to assess your current IAM strategy:
- Centralized Management
- Single Sign-On
- Manage by Groups Requirements
- Compatible with Windows, Mac, & Linux
- Extensible to the Cloud
- Cross-platform Device Management
- Unique Wi-Fi credentials for each user
- Multi-Factor Authentication
- Password Complexity Management
- Secure Password Storage (salted and hashed with a purpose-built password hash; never stored in clear text or reversibly encrypted)
- Uses Core Protocols such as LDAP, SAML, RADIUS, SSH, REST
- Automated Provisioning and Deprovisioning
- SSH Key Management
- IAM platform utilizes zero-trust security practices
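Two of the checklist items, password complexity management and secure password storage, are easy to get wrong in the same way: composition rules that push users to predictable patterns, and storage that is "hashed" but unsalted and fast. The block below is an added example, not code from the original page or from any IAM product. It shows the weak storage form beside the hardened one (salted scrypt with a self-describing record so parameters can be raised later), a length-plus-breach-list policy check in the spirit of NIST SP 800-63B, and constant-time verification. The scrypt parameters and the tiny breached-password set are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Current work factor; raise over time and let needs_rehash() migrate old records.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Constructed stand-in for a breached-password denylist (real ones hold millions).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_policy(password):
    """Length and breach checks only; returns a list of problems (empty = ok)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in BREACHED:
        problems.append("appears in breached-password list")
    return problems


def weak_store(password):
    """What NOT to do: unsalted, fast hash. Equal passwords give equal records,
    precomputed tables apply, and GPUs test billions of guesses per second."""
    return hashlib.sha256(password.encode()).hexdigest()


def _b64(data):
    return base64.b64encode(data).decode()


def hash_password(password, salt=None):
    """Salted scrypt; the record carries its own parameters so they can change."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password, stored):
    """Recompute with the parameters in the record; compare in constant time.
    Malformed records verify as False rather than raising."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:  # wrong field count or bad base64 (binascii.Error)
        return False
    actual = hashlib.scrypt(password.encode(), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored):
    """True when a record was made with weaker parameters than the current ones;
    call after a successful login and re-hash while the plaintext is available."""
    _, n, r, p, *_ = stored.split("$")
    return (int(n), int(r), int(p)) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("policy:", check_policy(pw) or "ok")
    print("weak  :", weak_store(pw))
    print("strong:", hash_password(pw))
```

Note that `hash_password("x") != hash_password("x")` because of the random salt, whereas `weak_store` gives the same digest every time; that difference is what "secure password storage" buys you when a database is dumped.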
Poor
- (0-5) If you’re in this range, then your IAM strategy is actively hurting your company’s efficiency and security. You likely don’t have an identity provider or need to scrap your existing one. Giving your IAM strategy a makeover should be your top priority.
Fair
- (6-8) You’re keeping your head above water, but you’re not able to think about the future. Your IAM strategy is either causing lapses in security or has incompatibility with critical resources. Survey your needs and consider making a major change.
Good
- (9-11) If you scored in this range, that means your IAM strategy is serving you well. Still, all it takes is one missing plate in your armor for a hacker to deal a costly strike. Keep reading to find ways to address your IAM solution’s shortcomings.
Excellent
- (12-14) Give yourself a pat on the back. You’ve already got a high-functioning IAM strategy. Focus your efforts on staying ahead of the curve and being prepared for the changes coming in the identity market.