Identity and Access Management (IAM) is a framework of policies, technologies and processes that enables users to access required resources in a secure and trusted manner.
Let’s look a little more closely at the three components of the IAM framework:
- Policies – they define the “what” and “why” of the IAM landscape. Policies arise from the need to satisfy political decisions (which heavily influence the domain), functional requirements and, not least, best practices developed within dedicated think-tanks. This is a critical aspect of IAM because it implies that IAM policy is a collective, cross-domain effort and responsibility, and in particular that it requires stakeholders to agree on the policies, be accountable for them and enforce them.
- Technologies – they describe the environment used to implement the IAM, make it effective and achieve its goals.
- Processes – they define the “how”: step-by-step instructions that detail how a policy is implemented.
Indeed, policies are our mechanism for establishing rules and objectives. But processes are required to make policies actionable and to ensure they are consistently followed. Technology lets us go beyond policies as words on paper and bring them to life, by making the processes required to fulfil them effective.
The need for Identity and Access Management is deeply embedded in life itself: organisms learn about their environment, abstract and identify objects and behaviours, protect resources and adapt to changes to improve their chances of a better security posture. This applies from bacteria to Neanderthals to the most advanced IT systems yet to come. Nor is it new at the table of human knowledge:
- Ancient civilizations used seals, signatures and specific distinguishing signs to tell people of their own tribe from enemies.
- Later, when people started building knowledge repositories and inventories, they used distinctive behaviours and marks to make sure they would not grant enemies access to their resources.
- In the ancient Sumerian armies we find writings about soldiers using specific words to control passage beyond a military checkpoint, which we now know as passwords.
- As people gained more organizational knowledge and processes, access control lists were instated in the form of passes, certificates or documents.
- When a document’s authenticity was challenged, additional questions were asked to factor into the decision of whether the holder and the document were authentic. This is basically what we do now with MFA, but more with words and less with using a human as a clipboard for a numeric code between devices.
- Then organizations became complex, offering services and privileges but at the same time marking the fulfilment of obligations (taxes and death, the only certainties in the universe).
IAM is so foundational that most people consider it as implicit as breathing. That’s why, when reading this courseware, I encourage you to think of your own habits and behaviour when trying to get to know someone or to access a (protected) resource.
The primary goal of Identity and Access Management is to ensure the confidentiality, integrity and availability of information in the interaction between systems and users. This goal is achieved through:
- Authentication – verify the identity of users with a high degree of trust.
- Authorization – grant a user access to a resource, based on existing policies.
- Access control – mechanisms and processes that ensure only authorized users can access protected resources.
- Compliance – design policies and comply with them, ensuring confidentiality, integrity and availability.
- Operational efficiency – authentication and authorization are performed in a convenient time with efficient resource consumption.
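To make the separation between these mechanisms concrete, here is a small added example (not part of the courseware): a request passes first through authentication (a salted password verifier checked in constant time), then through authorization (a role-to-resource policy table, the “what”), and only then reaches the enforcement point, while every decision is written to an audit log so compliance can be demonstrated afterwards. The users, roles, resources and policy entries are hypothetical and constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier; the plaintext itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str, roles: Set[str]) -> dict:
    """Build a directory record with a per-user random salt (constructed sample data)."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": hash_password(password, salt), "roles": roles}


# Constructed sample directory: hypothetical users and their roles.
USERS: Dict[str, dict] = {
    "alice": make_user("correct horse", {"analyst"}),
    "bob": make_user("battery staple", {"auditor"}),
}

# Policy, the "what": which role may perform which actions on which resource.
# Resource and action names are hypothetical.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("analyst", "incident-db"): {"read", "write"},
    ("auditor", "incident-db"): {"read"},
    ("auditor", "audit-log"): {"read"},
}

# Every decision, allowed or denied, is recorded as compliance evidence.
AUDIT_LOG: List[Tuple[str, ...]] = []

# Used for unknown usernames so a lookup miss costs the same as a real check.
_DUMMY_SALT = os.urandom(16)


def authenticate(username: str, password: str) -> Optional[str]:
    """Step 1: verify who is asking. Returns the principal name, or None on failure."""
    record = USERS.get(username)
    salt = record["salt"] if record else _DUMMY_SALT
    candidate = hash_password(password, salt)
    ok = record is not None and hmac.compare_digest(candidate, record["verifier"])
    AUDIT_LOG.append(("authn", username, "ok" if ok else "denied"))
    return username if ok else None


def authorize(principal: str, resource: str, action: str) -> bool:
    """Step 2: does the policy grant this principal the action on the resource?"""
    roles = USERS[principal]["roles"]
    return any(action in POLICY.get((role, resource), set()) for role in roles)


def access(username: str, password: str, resource: str, action: str) -> bool:
    """Step 3: the enforcement point. Only authenticated and authorized requests pass."""
    principal = authenticate(username, password)
    if principal is None:
        return False  # a failed authentication never reaches the policy check
    allowed = authorize(principal, resource, action)
    AUDIT_LOG.append(("authz", principal, resource, action, "allowed" if allowed else "denied"))
    return allowed


if __name__ == "__main__":
    print(access("alice", "correct horse", "incident-db", "write"))  # True
    print(access("bob", "battery staple", "incident-db", "write"))   # False: auditors are read-only
    print(access("bob", "wrong password", "audit-log", "read"))     # False: authentication failed
    for entry in AUDIT_LOG:
        print(entry)
```

The point of keeping the three functions separate is that each maps to one of the goals above: `authenticate` answers “who is this?”, `authorize` answers “what does policy allow?”, and `access` is the only place a resource is actually handed out, so a process change (say, a new role) touches the policy table and nothing else.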
However much I want to evangelize you on the importance of IAM, on how it may be the alpha and omega of our lives, nowadays IAM is referenced strictly as a security control, and that’s why in 99.99% of cases IAM is dismissed as the “thingy that those cybersecurity weirdos do so we can avoid fines”.
What I can assure you is that if you consider IAM strictly from a cybersecurity perspective, it will become a failed project and will certainly create more friction inside the organization where it is implemented than necessary. IAM is not cheap; it requires everyone in the organization to be on board (and most will see this as “extra work”), it requires internal alignment and negotiations (involving a lot of politics), and, not least, out-of-the-box products rarely solve a problem without proper consulting and professional services.
To better understand the situation, imagine you want to build something: a shovel and a handsaw are foundational tools. But merely having them won’t build anything; they require your input to become actionable. It is the same with IAM.
IAM is also a great platform for robotic process automation (RPA) for any identity-data-based workflow in an organization. I know 100% of companies treat IAM as purely cybersecurity (yes, it’s 99% about security, but that remaining 1%, if done correctly, can bring huge value to your business). But I am so happy for those of my customers who decided to take IAM to the next level and moved to an identity-data-driven business, with great success.
