Jananie Perera

IDENTITY AND ACCESS MANAGEMENT

Have you ever heard of the concept of Identity and Access Management? Here is a brief introduction to Identity and Access Management and its main components.


IAM, which stands for Identity and Access Management, mainly consists of

  1. Identity Management
  2. Access Management

Under Identity Management, the user is authenticated, i.e. it is verified whether s/he is a legitimate user of the system, while under Access Management logged-in users are granted the privileges necessary to use the system. When considering why we need IAM, it is mainly because an IAM can prevent insider threats. As per the statistics, 60% of internal threats are caused by organizational users while 10% of them are caused by partners and vendors.

Product/Service Components of an IAM

  1. Authentication
  2. Authorization
  3. User Management
  4. Directory Services

When implementing IAM, all four components should be implemented.
Let’s look at each component separately.

Authentication

The authentication process tries to verify the identity of the user. For this verification, session and token management, password management and Multi-factor Authentication (MFA) can be used.

Password Management – Users who have access to several different environments tend to use the same password for every environment. In such situations, a single sign-on master password can be allowed which also gives access to the other environments, so that one login covers all the other logins. The idea that one strong password is better than ten weak passwords has been applied here.

Multi-factor Authentication – MFA is used to validate whether a user is legitimate using two or more factors. In MFA a combination of the criteria something you have, something you know and something you are is used.

Authorization

Under authorization a legitimate user is assigned the right access/privileges to the system. With proper authorization, unauthorized access to the system is prohibited and data integrity is secured. To specify legitimate access,

  1. role-based access granting
  2. rule-based (IP-based) access granting
  3. privilege-based access granting

mechanisms can be used.

Privilege-based authorization – Privileged Access Management (PAM) will help in controlling users and their privileges. But we cannot control the activities of a particular user. Here we can use time-based privileges to control their actions. With time-based privileges, users are granted specific privileges only for a specific time period.
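The three granting mechanisms just described, combined in a single policy check, as an added example that is not part of the original post; the roles, trusted networks, users and times are constructed for illustration:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed policy data: roles map to permissions (role-based), elevated
# permissions are usable only from trusted networks (rule-based, IP) and
# PAM-style grants are time-bound (privilege-based).
ROLE_PERMISSIONS = {"analyst": {"report:read"}, "admin": {"report:read", "user:create"}}
ELEVATED = {"user:create"}
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

@dataclass
class TimeBoundPrivilege:
    permission: str
    not_before: datetime  # grant is valid only inside [not_before, not_after]
    not_after: datetime

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    privileges: list = field(default_factory=list)

def is_authorized(user, permission, source_ip, now):
    """True if `user` may perform `permission` from `source_ip` at time `now`."""
    # Rule-based (IP) check first: elevated actions are refused off-network
    # regardless of role, so a hijacked admin session from outside gains nothing.
    on_trusted_net = any(ip_address(source_ip) in net for net in TRUSTED_NETWORKS)
    if permission in ELEVATED and not on_trusted_net:
        return False
    # Role-based check: any held role carrying the permission suffices.
    if any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles):
        return True
    # Privilege-based check: a time-bound grant counts only inside its window.
    return any(p.permission == permission and p.not_before <= now <= p.not_after
               for p in user.privileges)

def demo():
    """Exercise all three mechanisms on constructed users; returns the decisions."""
    t = lambda hour: datetime(2024, 1, 1, hour, tzinfo=timezone.utc)
    analyst = User("ann", roles={"analyst"})
    contractor = User("bob", privileges=[TimeBoundPrivilege("user:create", t(11), t(13))])
    return {
        "analyst_reads_report": is_authorized(analyst, "report:read", "203.0.113.5", t(12)),
        "analyst_creates_user": is_authorized(analyst, "user:create", "10.1.2.3", t(12)),
        "contractor_in_window_on_net": is_authorized(contractor, "user:create", "10.1.2.3", t(12)),
        "contractor_off_net": is_authorized(contractor, "user:create", "203.0.113.5", t(12)),
        "contractor_after_expiry": is_authorized(contractor, "user:create", "10.1.2.3", t(14)),
    }
```

The contractor's grant is refused both off the trusted network and one hour after its window closes, which is the control the time-based privilege is meant to provide.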

User Management

Under user management, what a specific user can do is controlled. This component ensures that the user has only what is needed and no unnecessary privileges. For the purpose of user management, the following steps can be taken.

  1. Provisioning
  2. User and role management
  3. Password management
  4. Self-services
  5. Delegated administration

For the purpose of user management, under user profile management, policy-based profiles can be created. The user profiles created under policies can also be managed with a password, which can be identified as a self-service to the user. The created user profiles are then assigned to a group profile from which a specific user profile can inherit authorities. But with these group profiles a user may misuse his/her authorities. As a solution for this, command-level restrictions can be assigned. With command-level restrictions, the need for higher-level authorizations and real-time alerts for dangerous tasks can be implemented.

Directory Services

A directory service is a database that stores information about users, devices, and resources. Library object access, IFS access and file share access are identified as the main components in directory services. One of the major concerns here is that attackers target the IFS to spread ransomware/malware. Therefore, auditing and reporting is a key component of an IAM solution.
