Friday, July 12, 2013

IAM Identity & Access Management


Identity & Access Management (IAM) affects every business unit throughout the organization. IT departments benefit by implementing IAM solutions that support business processes and meet corporate objectives without exposing the company to undue risk.

What is IAM?

Identity & Access Management (IAM) is a term that refers broadly to the administration of individual identities within a system, such as a company, a network or even a country. In enterprise IT, identity management is about establishing and managing the roles and access privileges of individual network users. IAM systems provide IT managers with tools and technologies for controlling user access to critical information within an organization.

The core objective of an IAM system in a corporate setting is this: one identity per unit (person, machine or piece of software). But once that digital ID has been established, it has to be maintained, modified and monitored throughout what has been called the "access lifecycle."
So IAM systems provide administrators with the tools and technologies to change users' roles, track user activities and enforce policies on an ongoing basis. These systems are designed to provide a means of administering user access across an entire enterprise and to ensure compliance with corporate policies and government regulations.
IAM addresses three main questions:
  1. Who has access to what information?
  2. Is the access appropriate for the job being performed?
  3. Is the access and activity monitored, logged, and reported appropriately?


The list of technologies that fall under this category includes password-management tools, provisioning software, security-policy enforcement applications, reporting and monitoring apps and identity repositories. Nowadays, these technologies tend to be grouped into software suites with assortments of additional capabilities, from enterprise-wide credential administration to automated smart-card and digital-certificates management.

Why should I care about IAM?

An IAM system is inextricably linked to security and productivity. Companies use IAM systems not only to protect their digital assets but also to enhance business productivity. IT benefits from the systems' central management capabilities, which reduce the complexity and cost of maintaining the IT infrastructure. Centralized access control also supports consistent security policy enforcement.
IAM systems also give organizations a way to control the many kinds of end stations (laptops, PDAs, cell phones, tablets) buzzing around the enterprise under "BYOD - Bring Your Own Device". Many of these devices are neither owned nor provisioned by the companies whose networks they need to access. The ability to enforce a set of policies on the devices that connect to the network, through the management of the identities of their users, is fast becoming a must-have security capability.
And besides, the government says you have to care about identity management. Sarbanes-Oxley (SOX), Gramm-Leach-Bliley and HIPAA each hold the company, in various ways, responsible for controlling access to customer and employee information.


How can an IAM system benefit my business?

Implementing IAM systems and associated best practices in your organization can give you a real competitive advantage in a number of ways. Nowadays, most businesses want and need to provide users outside the immediate organization with access to their internal systems. Opening your network's doors to customers, partners, suppliers, contractors and, of course, employees can increase efficiencies and lower costs. ID management systems can allow a company to extend access to its information systems without compromising security. Controlled identity and access management actually has the potential to provide greater access to outsiders, which can drive productivity, satisfaction and, ultimately, revenue.

An IAM system can become a cornerstone of a secure network, because managing user identity is an essential piece of the access-control picture. An IAM system requires companies to define their access policies, specifically outlining who has access to what. That's a fundamental part of what a digital ID is. Consequently, well-managed IDs mean more control over user access, which translates into a reduced risk of internal and external attacks.
An IAM system improves regulatory compliance by providing an organization with the tools to implement comprehensive security, audit and access policies.

How do IAM systems work?

A typical IAM system today comprises four basic elements: a directory of the personal data the system uses to define individual users (think of it as an ID repository); a set of tools for adding, modifying and deleting that data (the access lifecycle management stuff); a system that regulates user access (enforcement of security policies and access privileges); and an auditing and reporting system (so you'll have a way to verify what's actually been happening on your system).

Regulating user access can involve a number of authentication methods for verifying the identity of a user, including passwords, digital certificates, tokens and smart cards. Hardware tokens and credit-card-sized smart cards have traditionally served as one component in a two-factor authentication scheme, which combines something you know (your password) with something you have (the token or the card) to verify a user's identity. A password alone, however well hashed, is still a single factor; the second factor only adds security if the verifier checks both every time.
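The two-factor check described above, written out as an added example (this is not code from the original post, and it uses only the Python standard library). The "something you have" is a token that produces time-based one-time codes per RFC 6238, which is what most hardware and software OTP tokens implement; the "something you know" is a salted PBKDF2 password hash. The user record, the password and the PBKDF2 iteration count (200,000) are my assumptions; the token seed is the RFC's own test key, so the codes can be checked against its published vectors.

```python
"""Two-factor check: a stored password hash (something you know) plus a
time-based one-time code from a token (something you have).
Added example, not code from the original post; standard library only.
TOTP follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which is what
most OTP tokens implement; the user record below is constructed."""
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30  # seconds per TOTP time step


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP, digits)


def verify_totp(secret, code, unix_time, window=1):
    """Accept the current step and +/- `window` steps of clock drift.
    Every candidate is compared in constant time and none short-circuits."""
    counter = unix_time // STEP
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + delta), str(code))
    return ok


def hash_password(password, salt=b""):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, hash)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def two_factor_login(user, password, otp, unix_time):
    """Both factors are always evaluated, so a wrong password does not
    short-circuit and reveal (via timing) which factor failed."""
    _, candidate = hash_password(password, user["salt"])
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, unix_time)
    return pw_ok and otp_ok


# Constructed user record; the TOTP seed is the RFC 6238 test key, which is
# why the codes it produces can be checked against the RFC's published vectors.
TOTP_SECRET = b"12345678901234567890"
PASSWORD = "correct horse battery staple"
SALT, PW_HASH = hash_password(PASSWORD)
USER = {"uid": "alice", "salt": SALT, "pw_hash": PW_HASH, "totp_secret": TOTP_SECRET}

if __name__ == "__main__":
    now = int(time.time())
    code = totp(TOTP_SECRET, now)  # what the token would display right now
    print("password + valid token code:", two_factor_login(USER, PASSWORD, code, now))
    print("password + wrong token code:", two_factor_login(USER, PASSWORD, "000000", now))
```

The drift window of one step either side is the usual compromise between a user's slightly skewed token clock and replay: a code stays valid for at most 90 seconds, and a production verifier should also remember the last accepted counter per user so the same code cannot be replayed inside that window.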

What is Federated IAM?

Federation lets you share digital IDs with trusted partners. It's an authentication-sharing mechanism designed to allow users to employ the same user name, password or other ID to gain access to more than one network. It's what is known as a "single sign-on." A single sign-on standard lets people who verify their identity on one network or website carry over that authenticated status when moving to another. The model works only among cooperating organizations—known as trusted partners—that essentially vouch for each other's users.
The federated model relies on the Security Assertion Markup Language specification, better known as SAML (pronounced "SAM-el"). This open specification defines an XML framework for exchanging security assertions among security authorities. An assertion is signed by the issuing partner, and the receiving party must verify that signature, confirm the assertion was issued to it and check its validity window before trusting anything it says about the user.
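An added example of the relying party's side of that exchange (not code from the original post or from any SAML library): a constructed SAML 2.0 assertion from a partner identity provider is parsed and checked for a trusted issuer, the intended audience and the validity window before the subject and attributes are handed to the application. The partner IdP, our service provider URL and the assertion contents are invented. The example assumes the XML signature has already been verified; it deliberately does not implement XML-DSig, and without that step none of the checks below prove anything.

```python
"""Consuming a SAML 2.0 assertion from a federated partner.
Added example, not code from the original post or from any SAML library;
the assertion, the partner IdP and our SP URL below are constructed.
It applies the checks a relying party must make before trusting the
subject: trusted issuer, our audience, and the validity window."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion as a partner IdP might send it (ds:Signature element omitted).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2013-07-12T10:00:00Z">
  <saml:Issuer>https://idp.partner.example/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@partner.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-07-12T09:59:00Z" NotOnOrAfter="2013-07-12T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.corp.example/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>contractor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED_IDPS = {"https://idp.partner.example/metadata"}   # our trusted partners
OUR_SP = "https://sp.corp.example/saml"                   # our own entity ID


def saml_time(value):
    """SAML timestamps are UTC xs:dateTime values such as 2013-07-12T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, our_audience, now):
    """Return {'subject', 'attributes'} or raise ValueError.
    Assumes the caller has ALREADY verified the XML signature against the
    partner's certificate; without that step nothing below can be trusted."""
    root = ET.fromstring(xml_text)  # production code: parse with defusedxml to block entity-expansion attacks
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        raise ValueError("untrusted issuer %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < saml_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_after and now >= saml_time(not_after):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if our_audience not in audiences:
        raise ValueError("assertion issued for %r, not for us" % audiences)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        raise ValueError("assertion has no subject")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"subject": subject, "attributes": attrs}


def rejection_reason(xml_text, trusted_issuers, our_audience, now):
    """None if the assertion is acceptable, otherwise why it was rejected."""
    try:
        validate_assertion(xml_text, trusted_issuers, our_audience, now)
        return None
    except (ValueError, ET.ParseError) as exc:
        return str(exc)


if __name__ == "__main__":
    now = saml_time("2013-07-12T10:01:00Z")
    print(validate_assertion(ASSERTION, TRUSTED_IDPS, OUR_SP, now))
    print(rejection_reason(ASSERTION, TRUSTED_IDPS, "https://other-sp.example/saml", now))
    print(rejection_reason(ASSERTION, TRUSTED_IDPS, OUR_SP, saml_time("2013-07-12T11:00:00Z")))
```

The audience check is the one most often skipped in home-grown SAML code: an assertion a partner minted for some other service provider is still a validly signed assertion, and accepting it lets one partner's user into every relying party the IdP serves.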

What challenges or risks do implementing an IAM solution present?

IAM systems are inherently challenging. The applications in your system are likely to have their own ID data stores and authentication schemes. The ID data they contain isn't necessarily organized in a standard way. You might have had the foresight to opt for industry standards early on in your company's development, but your latest acquisition may not have been thinking ahead.
A successful implementation requires some forethought. Companies that establish a cohesive ID management strategy—clear objectives, stakeholder buy-in, defined business processes—before they begin the project are likely to be more successful.
One risk worth keeping in mind: centralized operations present tempting targets to attackers. By putting a dashboard over all of a company's ID management activities, these systems reduce complexity for attackers as well as for administrators. Once compromised, they could allow an intruder to create IDs with extensive privileges and access to many resources, so the IAM platform itself needs the strongest authentication, the tightest administrative access and the most closely watched audit trail in the environment.

Definition of Key Concepts
·         Identity — the element or combination of elements used to uniquely describe a person or machine. An identity is proven by some combination of "what you know", such as a password or a personal identification number (PIN), with "what you have", such as an ID card, security token or software token.
·         Access — the information representing the rights that the identity has been granted. These access rights can allow a user to perform transactional functions at various levels, such as copy, transfer, add, change, delete, review, approve, read-only and cancel.
·         Entitlements — a collection of access rights to perform transactional functions. Note: the term entitlement is occasionally used synonymously with access rights.
When the concept of identities is discussed, many executives typically think of human users. However, it is important to remember that there are also service accounts, machine identities, and other non-human identities that must be managed. Failure to control any of these identities and the access they have can be detrimental to an organization’s overall control framework.
For identities to become part of an organization’s DNA and access management system, they need to pass through several stages. These stages are:
·         Provisioning. Provisioning refers to an identity's creation, change, termination, validation, approval, propagation and communication. This process varies in breadth and in the time it takes to complete, based on the specific needs of the organization. In addition, it should be governed by a company-specific, universally applied policy statement that is written and maintained by the IT department with input from the other business units.
·         Identity management. Identity management should be a part of ongoing companywide activities. It includes the establishment of an IAM strategy; administration of IAM policy statement changes; establishment of identity and password parameters; management of manual or automated IAM systems and processes; and periodic monitoring, auditing, reconciliation, and reporting of IAM systems.
·         Enforcement. Enforcement includes the authentication, authorization, and logging of identities as they are used within the organization’s IT systems. The enforcement of access rights primarily occurs through automated processes or mechanisms.
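The four elements described under "How do IAM systems work?" (ID repository, lifecycle tools, enforcement, audit and reporting) and the three stages above, put together as a working model in an added example (not code from the original post or from any IAM product). The roles, resources and identities are invented. It provisions a person and a service account, lets a role creep in, shows how a periodic reconciliation against the business's source of truth catches it, and shows that a terminated identity is denied while its audit trail survives; the three IAM questions from the top of the post each map to one reporting method.

```python
"""A working model of the four elements of an IAM system (ID repository,
lifecycle tools, enforcement, audit/reporting) and of the provisioning,
management and enforcement stages. Added example, not code from the
original post or any product; roles, resources and identities are invented."""
from dataclasses import dataclass, field


@dataclass
class Identity:
    uid: str
    kind: str                 # "person", "machine" or "service": non-human identities are managed too
    roles: set = field(default_factory=set)
    active: bool = True


class IAM:
    def __init__(self, role_entitlements):
        self.role_entitlements = role_entitlements  # role -> {(resource, action)}; access only via roles
        self.directory = {}                         # the ID repository
        self.audit = []                             # every lifecycle change and every access decision

    def _log(self, event, uid, actor, outcome, detail=""):
        self.audit.append({"event": event, "uid": uid, "actor": actor, "outcome": outcome, "detail": detail})

    # ---- lifecycle tools (provisioning stage) ----
    def provision(self, uid, kind, roles, approver):
        unknown = set(roles) - set(self.role_entitlements)
        if uid in self.directory or unknown:
            self._log("provision", uid, approver, "denied", "duplicate uid or unknown roles %s" % sorted(unknown))
            raise ValueError("cannot provision %r" % uid)
        self.directory[uid] = Identity(uid, kind, set(roles))
        self._log("provision", uid, approver, "ok", "roles=%s" % sorted(roles))

    def change_roles(self, uid, approver, add=(), remove=()):
        ident = self.directory[uid]
        ident.roles = (ident.roles | set(add)) - set(remove)
        self._log("change", uid, approver, "ok", "add=%s remove=%s" % (sorted(add), sorted(remove)))

    def terminate(self, uid, approver):
        ident = self.directory[uid]   # keep the record for audit, but it can never authorize again
        ident.active = False
        ident.roles.clear()
        self._log("terminate", uid, approver, "ok")

    # ---- enforcement ----
    def entitlements(self, uid):
        ident = self.directory.get(uid)
        if ident is None or not ident.active:
            return set()
        return set().union(*(self.role_entitlements[r] for r in ident.roles))

    def authorize(self, uid, resource, action):
        allowed = (resource, action) in self.entitlements(uid)
        self._log("access", uid, uid, "allow" if allowed else "deny", "%s:%s" % (resource, action))
        return allowed

    # ---- auditing and reporting: the three IAM questions ----
    def access_report(self):
        """Who has access to what?"""
        return {uid: sorted(self.entitlements(uid)) for uid in self.directory}

    def reconcile(self, expected_roles):
        """Is the access appropriate? Compare live roles with what the business
        (e.g. the HR system) says each active identity should hold; return the excess."""
        drift = {}
        for uid, ident in self.directory.items():
            extra = ident.roles - expected_roles.get(uid, set()) if ident.active else set()
            if extra:
                drift[uid] = sorted(extra)
        return drift

    def activity(self, uid):
        """Is activity logged? Return the trail for one identity."""
        return [e for e in self.audit if e["uid"] == uid]


def demo():
    iam = IAM({
        "payroll-reader":   {("payroll", "read")},
        "payroll-approver": {("payroll", "read"), ("payroll", "approve")},
        "backup-operator":  {("fileserver", "read"), ("backup-vault", "write")},
    })
    iam.provision("alice", "person", {"payroll-reader"}, approver="hr-system")
    iam.provision("svc-backup", "service", {"backup-operator"}, approver="it-ops")
    iam.change_roles("alice", approver="cfo", add={"payroll-approver"})     # privilege creep
    alice_could_approve = iam.authorize("alice", "payroll", "approve")
    # periodic reconciliation against the source of truth catches the extra role
    drift = iam.reconcile({"alice": {"payroll-reader"}, "svc-backup": {"backup-operator"}})
    iam.terminate("alice", approver="hr-system")
    return {"iam": iam, "drift": drift, "alice_could_approve": alice_could_approve}


if __name__ == "__main__":
    out = demo()
    print("drift:", out["drift"])
    print("alice after termination:", out["iam"].authorize("alice", "payroll", "read"))
    for entry in out["iam"].activity("alice"):
        print(entry)
```

Two design choices carry the security weight: access is never attached to an identity directly, only through roles that the reconciliation can compare against an external source of truth, and termination clears the roles rather than deleting the record, so the denial after termination and the whole history remain visible to an auditor.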