I usually spend my mornings doing some reading and enjoying my coffee. On this one particular morning, I noticed that I had received an email from a gaming company I had created an account with around 10 years ago for my kids. They had sent me a code to confirm a login that was being done from Thailand. I had forgotten that I had even created the account. The account used a set of my credentials that had been compromised many years ago in one of the many data breaches that occur on a continuous basis. I was saved by a form of identity access management (IAM), and while I didn’t use the account anymore, I was thankful they had set this up.
But What Is IAM?
Identity access management is the process of verifying information to identify a user. This information is used to authenticate the identity of an individual, and once authenticated, the user is authorized to perform certain tasks or to access certain information. Access management covers which networks, systems, applications, and data the identified user can access and control.
Any identity access management solution should include the following:
- How individuals are identified
- How roles are identified and how they are assigned to users in a system
- Adding, removing, and updating individuals and/or groups
- Assigning levels of access for individuals and/or groups
- Protecting sensitive data and securing the system
Why Should You Use Identity Access Management?
In this continually evolving technological world, organizations have more data to protect in a variety of places such as on-premises, the cloud, mobile devices, legacy applications, etc. The normal boundaries that were used to protect data are disappearing rapidly. This has created massive challenges for organizations that want to control data access in a connected and distributed environment.
Identity access management is the means by which access to data can be protected. Towards that end, all data should be accessed via some sort of identity. For example, the 2017 Verizon Data Breach Investigations Report found that 81% of data breaches come from compromised credentials. Protecting access to data is no longer optional; it has become a requirement. That’s where identity access management can solve the problem.
There are three primary types of identity access management. They are as follows:
- Single Sign On
- Multi-Factor Authentication
- Privileged Access Management
Let’s spend a little time discussing the first type of identity access management.
Single Sign On: A Primer
Single sign on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. Single sign on involves multiple parts and several different solutions, such as OAuth, various authentication protocols, and smart cards. OAuth is an example of a framework used in single sign on; it enables a user’s account information to be used by third-party services, such as external applications, without exposing the user’s password.
SAML is an XML standard that facilitates the exchange of user authentication and authorization data across security domains. SAML-based SSO services involve communications between the user, an identity provider that maintains a user directory, and a service provider. This streamlines logins for the user while also maintaining security across domains.
Another SSO tool, Kerberos, is a system in which, once the user’s credentials are provided, a ticket-granting ticket (TGT) is issued. The client then presents the TGT to obtain service tickets for other applications the user wishes to access, without asking the user to re-enter their credentials. Kerberos is used in Microsoft Active Directory and is also included with several UNIX-based systems such as macOS, Red Hat Enterprise Linux, FreeBSD, OpenBSD, and others. Kerberos does have some drawbacks, however. One is a single point of failure: the central server must be continuously available. (This can be mitigated by running multiple Kerberos servers.) Another is the requirement that all systems keep their clocks synchronized with the server. If a ticket’s validity period does not line up with the host’s clock, authentication will fail.
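To make the two-step ticket flow and the clock-synchronization failure concrete, here is an added simulation; it is not code from the original post or from any Kerberos implementation. Keys, principal names and timestamps are constructed, the 5-minute skew tolerance is an assumption (it is a common default), and an HMAC seal stands in for the encrypted tickets and authenticators the real protocol uses.

```python
import hashlib
import hmac
import json

# Constructed long-term keys; a real KDC derives these from passwords or keytabs.
KDC_KEY = b"constructed-kdc-key"
SERVICE_KEYS = {"http/files": b"constructed-files-service-key"}
MAX_SKEW = 300  # assumed tolerance in seconds (a common Kerberos default is 5 minutes)

def _seal(claims: dict, key: bytes) -> dict:
    # Stand-in for ticket encryption: integrity-protect the claims with the holder's key.
    body = json.dumps(claims, sort_keys=True).encode()
    return {"body": body.hex(), "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def _open(ticket: dict, key: bytes) -> dict:
    body = bytes.fromhex(ticket["body"])
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), ticket["mac"]):
        raise ValueError("ticket integrity check failed")
    return json.loads(body)

def issue_tgt(user: str, now: float, lifetime: int = 8 * 3600) -> dict:
    # AS exchange: after the user authenticates, the KDC issues a TGT sealed with its own key.
    return _seal({"principal": user, "service": "krbtgt", "issued": now, "expires": now + lifetime}, KDC_KEY)

def issue_service_ticket(tgt: dict, service: str, now: float, lifetime: int = 3600) -> dict:
    # TGS exchange: the client presents its TGT instead of a password and gets a service ticket.
    claims = _open(tgt, KDC_KEY)
    if not claims["issued"] - MAX_SKEW <= now <= claims["expires"]:
        raise PermissionError("TGT is not valid at this time")
    return _seal({"principal": claims["principal"], "service": service, "issued": now,
                  "expires": now + lifetime}, SERVICE_KEYS[service])

def validate_at_service(ticket: dict, service: str, service_clock: float) -> str:
    # The service never contacts the KDC: it checks the window against ITS OWN clock.
    claims = _open(ticket, SERVICE_KEYS[service])
    if service_clock < claims["issued"] - MAX_SKEW:
        raise PermissionError("ticket appears to come from the future: clock skew too large")
    if service_clock > claims["expires"]:
        raise PermissionError("ticket expired")
    return claims["principal"]

def login_with_skew(skew_seconds: float) -> str:
    # Whole flow with the service's clock offset from the KDC's by skew_seconds (constructed times).
    kdc_now = 1_700_000_000.0
    ticket = issue_service_ticket(issue_tgt("alice@EXAMPLE.COM", kdc_now), "http/files", kdc_now + 60)
    try:
        return validate_at_service(ticket, "http/files", kdc_now + 60 + skew_seconds)
    except PermissionError as err:
        return f"denied: {err}"
```

A service clock that lags the KDC by more than the tolerance rejects a perfectly good ticket as "from the future", which is what an unsynchronized host sees as a failed login.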
Smart-card-based SSO asks the end user to present a card holding the sign-in credentials. Once the card is used, the user does not have to re-enter usernames or passwords. Smart-card-based SSO does streamline application access for users, but all access to the related systems is lost if that single mechanism fails.
Deploying single sign on does help with streamlining the user experience, but unless it is coupled with other security measures, it also introduces risk.
Part two of this post will discuss how this can be strengthened by using two other forms of identity access management: multi-factor authentication and privileged access management.