June 17, 2016
An Overview of Identity and Access Management (IAM)
Assets are categorized as information, systems, devices, facilities and personnel. Any entity, whether an individual, a group of individuals or a corporation, wants to protect these assets from failures, accidents and bad actors; Identity and Access Management (IAM) is the discipline that controls who may reach those assets and what they may do with them.
In any given IAM situation there is the concept of subject and object. The subject is a person, a group of people, a process or a system that is trying to access the object; the object is the asset being accessed, such as a file, a database record or a building.
Another pair of concepts is authentication and authorization. Authentication is proving that you are who you claim to be; authorization is deciding what an authenticated subject is permitted to do. Being granted the privilege to open a file share and being restricted from deleting a file in it are both authorization decisions, and both are made only after authentication has succeeded.
You are authenticated using something you know, something you have, something you are or somewhere you are: for example a password, a smart card or one-time-code token, a fingerprint and your network location, respectively. A username on its own identifies you but does not authenticate you. Combining factors from different categories is multifactor authentication. You are authorized to take an action only after you pass authentication.
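As an added example (not code from the original post), here is the full sequence in Python: three factors checked during authentication, then a separate subject/object/action lookup for authorization. The identity store, the ACL, the UNC share name, the base32 TOTP secret and the 10.0.0.0/8 "trusted network" are all constructed assumptions; the one-time-code routine is standard RFC 6238 TOTP so it can be checked against the RFC's own test vector.

```python
import base64
import hashlib
import hmac
import ipaddress
import os
import struct
import time


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept moderate so the example runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


# Constructed identity store and ACL (assumption: a real deployment keeps these in a directory).
_SALT = os.urandom(16)
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),  # something you know
        "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),             # something you have
        "allowed_networks": [ipaddress.ip_network("10.0.0.0/8")],        # somewhere you are
    }
}
ACL = {  # (subject, object) -> permitted actions: alice may open the share but not delete from it
    ("alice", r"\\fs01\finance"): {"read", "write"},
}


def authenticate(username, password, otp_code, client_ip, now=None):
    """True only when every presented factor checks out; the caller learns nothing about which failed."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    # accept the current TOTP window and one step either side to tolerate clock drift
    window = [totp(user["totp_secret"], now + d * 30) for d in (-1, 0, 1)]
    if not any(hmac.compare_digest(c.encode(), str(otp_code).encode()) for c in window):
        return False
    if not any(ipaddress.ip_address(client_ip) in net for net in user["allowed_networks"]):
        return False
    return True


def authorize(subject, obj, action):
    """Authorization: is this (already authenticated) subject permitted this action on this object?"""
    return action in ACL.get((subject, obj), set())


def access(username, password, otp_code, client_ip, obj, action, now=None):
    """The two decisions in order: who are you, then what may you do."""
    if not authenticate(username, password, otp_code, client_ip, now):
        return "denied: authentication failed"
    if not authorize(username, obj, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)
    print(access("alice", "correct horse battery staple", code, "10.0.5.7", r"\\fs01\finance", "read", now))
    print(access("alice", "correct horse battery staple", code, "10.0.5.7", r"\\fs01\finance", "delete", now))
```

Note that a wrong password, a wrong one-time code and an unexpected source network all produce the same "authentication failed" result: the authorization table is never consulted, and the caller is not told which factor failed.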
There are various controls to manage IAM. These controls can be physical, technical/logical (virtual) and administrative:
- Preventative Controls – Fences, locks, security cameras, lights, guard dogs, smart card readers, retina scanners, guards asking for proof of identity, background checks, job rotation, etc. are controls used to prevent or stop unauthorized access and activities.
- Detective Controls – Network monitoring, auditing, logging, security cameras, motion sensors, etc. are controls used to detect unauthorized activity.
- Corrective Controls – Password changes, failover to other systems, rebooting a system, removing and quarantining viruses, flattening and rebuilding a computer system, etc. are controls used to correct the system after an unauthorized activity occurs.
- Recovery Controls – Restoring from a backup, redeploying the system on a new drive, database or file server clustering, high availability systems, etc. are controls used to recover from an unauthorized activity.
- Directive Controls – Turnstiles, entry and exit signs, security warnings, group policies, etc. are controls used to direct behaviour toward compliance and away from unauthorized activity.
- Compensating Controls – Backup personnel, secondary systems that can be brought online when a primary fails, posting a guard at the door when power fails and smart cards cannot be authenticated, etc. are controls used to stand in for a primary control that is unavailable or insufficient.
An example of a centralized IAM system is Single Sign-On (SSO): one Google username and password authenticates you once and that authentication authorizes you across all Google properties, such as Gmail, Hangouts and YouTube.
Federated identity management, such as a Facebook login or OpenID used to authenticate on third-party sites and apps, is a decentralized approach to IAM: the third-party site never sees your password, it trusts an external identity provider to authenticate you and relies on the signed assertion that provider sends back.
Depending on the organization's risk appetite and needs, it may choose between centralized and decentralized IAM solutions. Both have their pros and cons when it comes to administration and to applying physical and logical controls.
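The security of a federated login rests on what the relying party checks when the assertion comes back. The following is an added example (not code from the original post) of those checks, in Python, for a compact JWT: signature, algorithm, issuer, audience, expiry, not-before and nonce. It assumes a constructed HMAC-SHA256 shared key so it runs with the standard library alone; real OpenID Connect providers normally sign ID tokens with RSA or EC keys published at a JWKS endpoint, but the claim checks are the same. The issuer URL, client ID and key are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed trust configuration for the relying party (assumption).
IDP_ISSUER = "https://idp.example.com"
CLIENT_ID = "rp-app-123"
SHARED_KEY = b"constructed-demo-key-do-not-use"


def issue_token(claims: dict, key: bytes = SHARED_KEY, alg: str = "HS256") -> str:
    """Identity-provider side: sign base64url(header).base64url(payload) with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, expected_nonce: str, now=None, key: bytes = SHARED_KEY) -> dict:
    """Relying-party side: raise ValueError on the first failed check, return claims only if all pass."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse "none" and any algorithm we did not agree on
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not meant for this relying party")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    if claims.get("nonce") != expected_nonce:  # nonce ties the token to this login attempt
        raise ValueError("nonce mismatch (replay)")
    return claims


def login_outcome(token: str, nonce: str, now=None) -> str:
    """Convenience wrapper that turns the verification result into a single string."""
    try:
        return "accepted:" + verify_token(token, nonce, now)["sub"]
    except ValueError as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token({"iss": IDP_ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                       "iat": now, "exp": now + 300, "nonce": "n1"})
    print(login_outcome(tok, "n1", now))
```

The order matters: the signature and algorithm are checked before any claim is read, so a forged or "alg: none" token never gets as far as the issuer and audience comparisons. A token that is perfectly valid for some other application (wrong audience) must be rejected just as firmly as a forged one.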
Here are a few challenges that you'll come across when implementing IAM:
- User Provisioning – The ability to validate, add, modify and remove access for users, system accounts, etc., and to prove that removals actually happened.
- Distributed Users and Systems – With a mobile global workforce and cloud-based Software as a Service (SaaS) solutions, many organizations face the challenge of managing identity and access across a large suite of applications and services.
- Bring Your Own Device (BYOD) – With the low cost of ownership of personal computers, more and more people want to use their personal devices for both professional and personal work.
- Policies and Compliance – Changes in security policies and compliance requirements need to be propagated as quickly as possible to both centralized and distributed systems.
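Provisioning in practice is a reconciliation between an authoritative source (usually the HR system) and every system that holds accounts, and the findings it produces are exactly the gaps the list above warns about: accounts that were never created, accounts left enabled after termination, group memberships beyond the role, accounts with no owner, and accounts nobody has used. The following is an added example (not code from the original post) in Python; the HR feed, directory export, role-to-group mapping and the 90-day staleness threshold are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed inputs (assumption): the HR feed is the source of truth for who should exist,
# the directory export is what actually exists.
HR_FEED = [
    {"employee_id": "E100", "username": "alice", "status": "active", "role": "finance"},
    {"employee_id": "E101", "username": "bob", "status": "terminated", "role": "engineering"},
    {"employee_id": "E102", "username": "carol", "status": "active", "role": "engineering"},
]
DIRECTORY = [
    {"username": "alice", "enabled": True, "groups": {"finance-ro", "domain-admins"}, "last_logon": date(2016, 6, 10)},
    {"username": "bob", "enabled": True, "groups": {"eng"}, "last_logon": date(2016, 2, 1)},
    {"username": "svc-backup", "enabled": True, "groups": {"backup-ops"}, "last_logon": date(2015, 9, 30)},
]
ROLE_GROUPS = {"finance": {"finance-ro"}, "engineering": {"eng"}}  # what each role is entitled to
STALE_AFTER = timedelta(days=90)
TODAY = date(2016, 6, 17)


def reconcile(hr, directory, today):
    """Compare the authoritative HR feed with the directory and return (finding, username, ...) tuples."""
    findings = []
    hr_by_user = {r["username"]: r for r in hr}
    dir_by_user = {a["username"]: a for a in directory}

    # Walk the source of truth: every active person needs an account, every leaver must be disabled.
    for user, rec in hr_by_user.items():
        acct = dir_by_user.get(user)
        if rec["status"] == "active" and acct is None:
            findings.append(("missing_account", user))
        if rec["status"] == "terminated" and acct is not None and acct["enabled"]:
            findings.append(("orphan_enabled", user))  # deprovisioning did not happen
        if acct is not None:
            extra = acct["groups"] - ROLE_GROUPS.get(rec["role"], set())
            if extra:
                findings.append(("excess_groups", user, tuple(sorted(extra))))

    # Walk the directory: accounts with no HR owner, and enabled accounts nobody uses.
    for user, acct in dir_by_user.items():
        if user not in hr_by_user:
            findings.append(("no_owner", user))
        if acct["enabled"] and today - acct["last_logon"] > STALE_AFTER:
            findings.append(("stale", user))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_FEED, DIRECTORY, TODAY):
        print(*finding)
```

On the constructed data this reports carol as never provisioned, bob as terminated but still enabled (and stale), alice as holding domain-admins beyond her finance role, and svc-backup as an unowned, unused service account. Each finding maps to a provisioning action (create, disable, remove group, assign owner or retire), and running the same comparison on a schedule is how you validate that the actions were actually carried out.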
I promised this was going to be a quick overview of IAM, so I've only touched the basics. As a security professional, you'll want to know the protocols and architectures used to implement these systems, the options for implementing SSO, and to understand PKI, Kerberos, biometrics, multifactor authentication and more. Understanding physical security is equally important.
Here are some links to help you think through and implement IAM:
- Harvard University IT Identity and Access Management Program Plan - http://iam.harvard.edu/files/iam/files/iam_program_plan.pdf
- NIST Cybersecurity Practice Guide, Special Publication 1800-2: "Identity and Access Management for Electric Utilities" - https://nccoe.nist.gov/projects/use_cases/idam
- NISTIR 7817 - A Credential Reliability and Revocation Model for Federated Identities - http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7817.pdf