An identity and access management (IAM) system is a framework of business processes that facilitates the management of electronic identities. The framework includes the technology needed to support identity management.
IAM technology can be used to initiate, capture, record and manage user identities and their related access permissions in an automated fashion. This ensures that access privileges are granted according to a single, consistent interpretation of policy and that all individuals and services are properly authenticated, authorized and audited.
Poorly controlled IAM processes may lead to regulatory non-compliance: if the organization is audited, management will not be able to prove that company data is not at risk of being misused.
Why you need IAM
It can be difficult to get funding for IAM projects because they don’t directly increase either profitability or functionality. However, a lack of effective identity and access management poses significant risks not only to compliance but also to an organization’s overall security. These mismanagement issues increase the risk of greater damage from both external and insider threats.
Keeping the required flow of business data going while simultaneously managing its access has always required administrative attention. The business IT environment is ever evolving and the difficulties have only become greater with recent disruptive trends like bring-your-own-device (BYOD), cloud computing, mobile apps and an increasingly mobile workforce. There are more devices and services to be managed than ever before, with diverse requirements for associated access privileges.
With so much more to keep track of as employees migrate through different roles in an organization, it becomes more difficult to manage identity and access. A common problem is that privileges are granted as needed when employee duties change but the access level escalation is not revoked when it is no longer required.
This situation, combined with requests of the form “give me the same access as another employee” rather than requests for the specific access actually needed, leads to an accumulation of privileges known as privilege creep. Privilege creep creates security risk in two different ways. An employee with privileges beyond what is warranted may access applications and data in an unauthorized and potentially unsafe manner. Furthermore, if an intruder gains access to the account of a user with excessive privileges, the intruder is immediately able to do more harm. Data loss or theft can result from either scenario.
Typically, this accumulation of privilege is of little real use to the employee or the organization. At best, it might be a convenience in situations when the employee is asked to do unexpected tasks. On the other hand, it might make things much easier for an attacker who manages to compromise an over-privileged employee identity. Poor identity access management also often leads to individuals retaining privileges after they are no longer employees.
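The two failure modes above, privilege creep and former employees who keep their rights, are what a periodic access review looks for. The following is an added example, not code from the original post: it compares each identity's entitlements against a constructed role baseline, flags anything beyond the baseline or held by an inactive account, and produces the list of rights to revoke. Role names, entitlement strings and the sample identities are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role baselines (hypothetical): the entitlements a role legitimately needs.
ROLE_BASELINE = {
    "accounts_payable": {"erp:invoice_read", "erp:invoice_pay"},
    "hr_analyst": {"hris:read", "hris:export"},
    "it_admin": {"ad:reset_password", "erp:admin"},
}


@dataclass
class Identity:
    user: str
    role: str          # current job role in the directory
    active: bool       # False once the person has left the organization
    entitlements: set  # rights actually present on the account


def excess_privileges(identity):
    """Entitlements not justified by the identity's current role (privilege creep)."""
    return identity.entitlements - ROLE_BASELINE.get(identity.role, set())


def review_findings(identities):
    """Return (user, finding, entitlements) tuples for an access review."""
    findings = []
    for ident in identities:
        if not ident.active and ident.entitlements:
            # Leaver still holding rights: everything on the account is stale.
            findings.append((ident.user, "orphaned-account", sorted(ident.entitlements)))
            continue
        extra = excess_privileges(ident)
        if extra:
            findings.append((ident.user, "privilege-creep", sorted(extra)))
    return findings


def revocation_plan(identities):
    """Map each flagged user to the set of entitlements that should be removed."""
    return {user: set(ents) for user, _, ents in review_findings(identities)}


# Constructed sample: alice moved from IT admin to accounts payable and kept a
# password-reset right; bob has left but his account still carries admin rights.
SAMPLE_IDENTITIES = [
    Identity("alice", "accounts_payable", True,
             {"erp:invoice_read", "erp:invoice_pay", "ad:reset_password"}),
    Identity("bob", "it_admin", False, {"ad:reset_password", "erp:admin"}),
    Identity("carol", "hr_analyst", True, {"hris:read"}),
]
```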
What should an IAM system include?
IAM solutions should automate the initiation, capturing, recording and management of user identities and their related access permissions. The products should include a centralized directory service that scales as a company grows. This central directory prevents credentials from ending up recorded haphazardly in files and sticky notes as employees try to deal with the burden of multiple passwords for different systems.
IAM systems should facilitate the process of user provisioning and account setup. The product should decrease the time required with a controlled workflow that reduces errors and the potential for abuse, while enabling automated account fulfillment. An identity and access management system should also provide administrators with the ability to instantly view and change access rights.
An access right / privilege system within the central directory should automatically match employee job title, location and business unit ID to manage access requests automatically. These bits of information help classify access requests relevant to employees’ existing positions. Depending on the employee, some rights might be inherent in their position and automatically provisioned, while others may be allowed upon request. In some cases, reviews may be required. Other requests may be denied except in the case of exemption or may be outright prohibited. All variations should be handled automatically and appropriately by the IAM system.
An IAM system should set workflows for managing access requests, with the option of multiple stages of review and approval requirements for each request. This mechanism makes it possible to set risk-appropriate review processes for higher-level access, as well as periodic reviews of existing rights to prevent privilege creep.
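The attribute-driven classification of requests described above (rights inherent in a position, rights granted on request, rights needing one or more review stages, rights denied except by exemption, and rights that are outright prohibited), as an added example that is not part of the original post. The policy tables, job titles, locations, business units and entitlement names are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    name: str
    title: str
    location: str
    business_unit: str


# Constructed rules (hypothetical): attribute constraints -> rights inherent in the position.
INHERENT_RULES = [
    ({"business_unit": "finance"}, {"erp:report_read"}),
    ({"title": "ap_clerk", "business_unit": "finance"}, {"erp:invoice_pay"}),
    ({"location": "eu"}, {"vpn:eu"}),
]

# Constructed review workflow per requestable right: a list of approval stages
# (empty list = auto-approved), "exemption" (denied unless an exemption exists),
# or "prohibited".  Anything not listed is treated as prohibited.
REQUEST_POLICY = {
    "erp:report_read": [],
    "erp:invoice_pay": ["manager"],
    "erp:admin": ["manager", "security"],   # higher risk: two review stages
    "hris:export": "exemption",
    "prod:root": "prohibited",
}


def inherent_rights(emp):
    """Rights automatically provisioned from title, location and business unit."""
    rights = set()
    for constraints, ents in INHERENT_RULES:
        if all(getattr(emp, attr) == value for attr, value in constraints.items()):
            rights |= ents
    return rights


def decide_request(emp, entitlement, exemption=False):
    """Classify an access request and return the review stages it must pass."""
    if entitlement in inherent_rights(emp):
        return {"decision": "inherent", "stages": []}
    policy = REQUEST_POLICY.get(entitlement, "prohibited")
    if policy == "prohibited":
        return {"decision": "prohibited", "stages": []}
    if policy == "exemption":
        if exemption:
            return {"decision": "review", "stages": ["exemption_board"]}
        return {"decision": "denied", "stages": []}
    return {"decision": "review" if policy else "auto", "stages": list(policy)}
```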
**Important note** - contact our sister company, www.tabularosa.net, for very powerful solutions for IP management (IPv4 and IPv6), security, firewall and network/systems management solutions:
In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email”. My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” will be published soon, followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:
If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio. Additionally, I provide content for an online newsletter via paper.li. I have also established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners, among others. Further, I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and have been a contributor to numerous blogs and publications.
Lastly, I am the founder and president of Tabula Rosa Systems, a company that provides “best of breed” products for network, security and system management and services. Tabula Rosa has a new blog and Twitter site which offers great IT product information for virtually anyone.