With organizations shifting their vital assets en masse from physical data centers to cloud infrastructures for better accessibility, and with some straddling both, it is important to ensure that the right people have access to business-critical resources at the right times. To overcome this challenge, companies must authenticate, authorize, monitor, and audit users' permissions to access important assets based on their needs and roles. To accomplish all these tasks, organizations must leverage access management.
Let's start with the question: What is access management? It is an IT governance framework comprising the tools, techniques, and technologies that authenticate users, delegate access, and monitor how users use an organization's resources. With access management systems in place, IT and administrative teams can ensure that the right user, with the appropriate attributes and job role, gets access to the right resource for the right period.
Access management has become a necessary task for organizations due to the shift of resources to hybrid environments. Like every cybersecurity strategy, access management is a blend of techniques used to create and maintain a user's access-based privileges. The tools and techniques required to implement access management include:
User provisioning relates to the onboarding process where a user's profile is created along with their necessary credentials and controls. Provisioning also involves accommodating changes to access privileges based on context (i.e., when an employee undergoes role-based changes within an organization).
A user's credentials must undergo deprovisioning as part of the offboarding process when the user's association with the organization, and thus their identity life cycle, ends. Deprovisioning plays an integral part in preventing orphaned accounts from lingering; such accounts are potential threat vectors that attackers can use to infiltrate networks.
Authentication is a major part of identity management and is the step that precedes authorization. IT administrators must confirm the identities of users, ensuring they are who they claim to be. Authentication happens with the verification of a user's credentials, which can be of the following types:
Authentication used to depend heavily on passwords for verification, but as cyberattacks became more dynamic, this traditional method required another layer of protection. This requirement led to multi-factor authentication (MFA), in which, after password verification, the login window also asks the user for an additional credential, which can be either a possession-based factor (something the user has) or an inherence-based factor (something the user is).
Another method that can be coupled with other authentication factors in MFA is token-based authentication, in which, upon verification of their identity, the user receives a cryptographically signed message with an expiration time, known as a token. The user can operate within the network until the session ends, which coincides with the expiration of the token.
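To make the token mechanism concrete, here is an added example (not code from the original article) of a minimal HMAC-signed session token with an expiry: the server issues it after authentication, and every later request is accepted only while the signature is valid and the expiry has not passed. The secret, the 15-minute lifetime, and the payload fields are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret; in practice it comes from a secrets store.
SECRET_KEY = b"example-server-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 900  # assumed 15-minute session lifetime


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, issued_at: Optional[float] = None) -> str:
    """Issue a signed token once the user has been authenticated.

    The payload carries the subject plus issue and expiry times; the HMAC tag
    binds the payload to the server secret so it cannot be altered unnoticed.
    """
    now = time.time() if issued_at is None else issued_at
    payload = {"sub": user_id, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is authentic and unexpired, else None."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking the tag through timing.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):  # malformed base64, JSON, or structure
        return None
    current = time.time() if now is None else now
    if current >= payload.get("exp", 0):
        return None  # the session ends when the token expires
    return payload
```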
Another widely adopted evolution of verification systems is risk-based authentication, which lets the system increase the stringency of authentication in proportion to the risk a user's context introduces into the network (for example, in BYOD and remote work environments).
After authentication, administrators provide users with access to network resources according to their role-based requirements coupled with other contextual factors (such as their designation, endpoint risk, and geolocation). Authorization minimizes the risk of exposing on-premises and cloud resources to potential threat actors by regulating users' access privileges. Authorization controls can be implemented across an organization by performing these two tasks:
Apart from regulating the flow of incoming requests, an access control policy sets clear goals for authorization systems by defining which actions are permissible for users within the organizational network. Policy enforcement involves granting or rejecting users' actions and ensuring that users stay compliant with the security guidelines.
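As an added illustration of the authorization and policy enforcement described above (not code from the original article), the following deny-by-default evaluator combines a role-to-permission mapping with the contextual factors the text names, endpoint risk and geolocation. The roles, resources, allowed countries, and risk ratings are constructed sample data.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    action: str
    resource: str
    endpoint_risk: str  # "low" | "medium" | "high", assumed to come from an endpoint agent
    country: str        # ISO country code, assumed to come from geolocation


# Constructed policy: which roles may perform which actions on which resources.
ROLE_PERMISSIONS = {
    "finance-analyst": {("read", "payroll-db")},
    "finance-admin": {("read", "payroll-db"), ("write", "payroll-db")},
    "engineer": {("read", "build-logs")},
}

# Constructed contextual limits that narrow access even for a permitted role.
ALLOWED_COUNTRIES = {"payroll-db": {"US", "DE"}, "build-logs": {"US", "DE", "IN"}}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}
MAX_RISK_FOR_WRITE = "low"


def evaluate(req: Request) -> Tuple[bool, str]:
    """Deny by default; allow only when role, location, and endpoint risk all pass.

    The reason string is intended for the audit trail so that each decision
    can be reviewed later.
    """
    if (req.action, req.resource) not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "role does not grant this action on this resource"
    if req.country not in ALLOWED_COUNTRIES.get(req.resource, set()):
        return False, f"access to {req.resource} is not permitted from {req.country}"
    if RISK_ORDER[req.endpoint_risk] >= RISK_ORDER["high"]:
        return False, "endpoint risk is too high for any access"
    if req.action == "write" and RISK_ORDER[req.endpoint_risk] > RISK_ORDER[MAX_RISK_FOR_WRITE]:
        return False, "write access requires a low-risk endpoint"
    return True, "allowed"
```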
Some of the most prominently used access control policies include:
With legacy verification tools becoming inadequate for accommodating the growing number of devices and vendor applications within networks, authentication has become more reliant on identity- and entity-based attributes. The need for networks to delegate access based on a more granular user profile has given rise to identity and access management (IAM).
With IAM, a user receives permissions to access resources only on the basis of their role. Additionally, IAM leverages federated identity, enabling a user to maintain a single identity profile for access across a multitude of applications using single sign-on (SSO). Auditing of user behavior and access privileges is made easier with the combined deployment of behavior-based tracking solutions—like security information and event management (SIEM)—and user and entity behavior analytics (UEBA) tools.
The most common types of IAM include:
A confluence of cybersecurity, user experience, and data analytics, CIAM enables organizations to authenticate, authorize, and manage the identities of end users as they access the organization's applications and services. Apart from delivering a secure environment for customers, CIAM can aid personalization of the user experience by allowing organizations to map customers' online behavior.
Also known as workforce IAM, this approach applies IAM capabilities to secure the operational side of organizations: employees, internal users, and business-critical resources housed in on-premises and cloud environments. EIAM services include: