Identity and Access Management


19CE006,19CE016,19CE020 IDENTITY AND ACCESS MANAGEMENT

IDENTITY and ACCESS MANAGEMENT


▪ Identity and access management (IAM) is the discipline of making sure that the right people can access the right resources at the right times for the right reasons.

▪ IAM addresses the need to ensure appropriate access to resources across increasingly mixed technology environments and to meet increasingly demanding regulatory requirements. It is deeply tied to the business, and it requires business skills, not just technical expertise.
▪ Identity and access management systems help organizations manage their employees' applications without logging into each application as an administrator. They help organizations manage a range of identities, including people, hardware, software and IoT devices.

Why is IAM important?


▪ Identity and access management, or IAM, is the security service that lets the right entities (people or things) use the right resources (applications or data) when they need them, without interruption, from whatever devices they choose.
▪ IAM consists of the systems and processes that allow the IT administrator to assign a single digital identity to each user, authenticate them when they log in, authorize them to access specific resources, and monitor and manage those users throughout their lifecycle.

▪ IAM is no longer only for an organization's employees. Organizations now need to provide secure access for business partners and contractors, remote and mobile users, and customers. With rapid digital transformation, identities are now also assigned to Internet of Things (IoT) devices, pieces of code such as APIs or microservices, and robots. IAM is further complicated by the introduction of multicloud hybrid IT environments and software as a service (SaaS) solutions.

CSPIT-CE,CHARUSAT 1

How IAM works


▪ Manage user identities
▪ Provisioning and deprovisioning users
▪ Authenticating users
▪ Authorizing users
▪ Reporting
▪ Single sign-on

• MANAGE USER IDENTITIES

• The core function of an IAM system is to create, manage and delete users, integrate them with different user directories and keep those directories synchronized. It can also create users with specialized access to certain tools of the organization.

• Authentication

• IAM systems authenticate a user by verifying that they are who they claim to be. Nowadays, secure authentication means multi-factor authentication (MFA) and, preferably, adaptive authentication.


• Authorizing users

• Access management makes sure that a user is granted exactly the level and type of access to a tool that the organization has assigned to them. Users can also be combined into groups or roles so that large sets of users can be granted the same privileges.

• Provisioning and deprovisioning users

• User provisioning (account provisioning) is an integral identity and access management (IAM) process that makes sure user accounts are created, updated, deleted and given proper access rights across the many SaaS applications and systems in use at the same time. User/employee information such as name, attributes, group name and other associated data is made available to the organization through account and access management, which allows the organization to grant or prohibit access based on its needs.

• Deprovisioning refers to taking away a user's access to the various SaaS apps and network systems at the same time. When an employee leaves a firm or changes position within the organization, the deprovisioning action is invoked. Deprovisioning lets organizations free up disk space, ports, certificates and company-issued workstations for future use by removing user accounts from file servers and authentication servers such as Active Directory. Deprovisioning helps protect the organization's security and confidentiality by preventing former employees from accessing the organization's resources after they leave.
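As an added illustration (not from the slides), the following Python reconciles an HR roster against account exports from several systems to find the two deprovisioning failures this section describes: accounts left enabled after an employee leaves, and group memberships kept after a change of position. All user names, system names and group names are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Employee:
    user_id: str
    status: str        # "active" or "terminated", as exported from HR
    department: str

@dataclass
class Account:
    system: str        # e.g. "ad", "saas-crm", "aws" (constructed names)
    user_id: str
    enabled: bool
    groups: frozenset = field(default_factory=frozenset)

def find_orphaned_accounts(roster, accounts):
    """Enabled accounts whose owner is terminated or unknown to HR:
    the 'not properly revoked' credentials that deprovisioning must remove."""
    active = {e.user_id for e in roster if e.status == "active"}
    return sorted((a.system, a.user_id)
                  for a in accounts if a.enabled and a.user_id not in active)

def find_stale_entitlements(roster, accounts, dept_groups):
    """Group memberships an active owner should no longer hold after a role
    change (the 'changes position within the organization' case)."""
    by_id = {e.user_id: e for e in roster}
    findings = []
    for a in accounts:
        emp = by_id.get(a.user_id)
        if emp is None or emp.status != "active" or not a.enabled:
            continue  # covered by find_orphaned_accounts, or already disabled
        allowed = dept_groups.get(emp.department, frozenset())
        findings.extend((a.system, a.user_id, g) for g in sorted(a.groups - allowed))
    return findings

# Constructed sample data (not real identities or systems)
ROSTER = [
    Employee("alice", "active", "finance"),
    Employee("bob", "terminated", "engineering"),
    Employee("carol", "active", "engineering"),   # moved here from finance
]
ACCOUNTS = [
    Account("ad", "alice", True, frozenset({"finance-ro"})),
    Account("ad", "bob", True, frozenset({"eng-admin"})),   # left, still enabled
    Account("saas-crm", "bob", False),                       # correctly disabled
    Account("aws", "carol", True, frozenset({"eng-admin", "finance-ro"})),
    Account("aws", "svc-legacy", True),                      # no owner in HR at all
]
DEPT_GROUPS = {"finance": frozenset({"finance-ro"}),
               "engineering": frozenset({"eng-admin"})}
```

Running both checks on a schedule, and treating every finding as a ticket to disable or trim the account, is what turns the slide's manual "one by one" revocation into a verifiable control.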

• Single Sign On

• Identity and access management solutions with single sign-on (SSO) allow users to verify their identity at one portal instead of at many different resources. Once verified, the IAM system acts as the source of identity truth for the other resources available to the user, removing the need for the user to remember several passwords.


Types of Digital Authentication


▪ With IAM, organizations can implement an array of digital authentication methods to prove digital identity and authorize access to the company's resources.
▪ Unique passwords. The most commonly used type of digital authentication is the unique password. To make passwords more secure, many organizations require longer or more complex passwords that contain a combination of letters, symbols and numbers. Unless users can keep their set of passwords behind a single sign-on entry point, they typically find remembering unique passwords cumbersome.
▪ Pre-shared key (PSK). PSK is a type of digital authentication where the password is shared among the users authorized to access the same resource; think of a branch office Wi-Fi password. This type of authentication is less secure than individual passwords and can open up many vulnerabilities.

Types of digital authentication


▪ A problem with shared passwords like PSKs is that changing them frequently can be tiresome.
▪ Behavioural authentication. When dealing with highly sensitive information and systems, organizations should use behavioural authentication to gather far more detail, analysing keystroke and mouse-usage characteristics. By then applying artificial intelligence, a trend in IAM systems, organizations can quickly recognize when user or machine behaviour falls outside the rules set by the organization and can automatically lock down systems.
▪ Biometrics. Modern IAM systems use biometrics to authenticate users precisely. For instance, they collect a range of biometrics, including fingerprints, irises, palms, gaits, voices, faces and, in some cases, DNA. Biometrics and behaviour-based analytics have been found to be more effective than passwords.

Benefits of Identity and Access Management Systems


1. Eliminating weak passwords. Research shows over 80% of data breaches are caused by stolen, default or weak passwords. IAM systems enforce best practices in credential management and can practically eliminate the risk that users will use weak or default passwords. They make sure that users change their passwords frequently.
2. Mitigating insider threats. A growing number of breaches are caused by employees within the organization. IAM limits the damage caused by malicious insiders by ensuring that users only have access to the systems they work with and cannot escalate privileges without supervision or prior permission from administrators.
3. Advanced tracking of anomalies. Modern IAM solutions do more than simple credential management, and include technologies such as artificial intelligence, machine learning and risk-based authentication to identify and block anomalous activity.
4. Multi-factor security. IAM solutions help enterprises progress from two-factor to three-factor authentication, using capabilities like fingerprint sensors, iris scanning and face recognition.

IAM Risks
▪ IAM also comes with its own risks, including IAM configuration oversights. Experts have outlined five oversights that should be avoided, including incomplete provisioning, poor process automation and insufficient reviews. Following the principle of least privilege is essential to ensuring proper security.
▪ Biometrics, as discussed earlier, also pose security challenges, including data theft. Collecting and storing only the data that is necessary lessens that risk. Organizations should know what biometric data they have, how and where it is stored, what they need, and how to get rid of what they don't require.
▪ Cloud-based IAM is a concern when the provisioning and deprovisioning of accounts in an organization aren't handled correctly and too many vulnerable, inactive user accounts remain assigned. Organizations need lifecycle control over every aspect of cloud-based IAM to prevent malicious actors from gaining access to user identities and passwords.
▪ Features like multifactor authentication can be deployed more easily in a cloud-based environment than on premises because of their complexity.


▪ Audit capabilities act as a check to make sure that when users switch roles or leave
the organization, their access changes accordingly.

Recent Advancement and Future In IAM


▪ Evolution of artificial intelligence.
▪ Artificial intelligence (AI) helps improve operational efficiency by automating processes. AI and machine learning allow IAM solutions to continually model and adapt access as business requirements and the environment evolve. Many organizations are already moving towards AI-based solutions to reduce risk. The future of identity will rely solely on AI and machine learning to solve problems that cannot be solved by human ability.

▪ Future of single sign-on systems.

▪ Single sign-on (SSO) is becoming an integral IAM requirement for many organizations. Employees log into a growing number of systems and applications, and SSO simplifies the user experience while eliminating the need to manage multiple credentials for different logins. The recent move to the cloud is one of the reasons behind SSO adoption, because organizations view it as a way to reduce security risks.

▪ Self-sovereign identity.
▪ The idea that users control their own identity data is the premise behind self-sovereign identity, an emerging concept that could change how identity management works.
▪ Self-sovereign identity (SSI) is a set of technologies and tools that eliminates the need for organizations to store users' identity data. It decentralizes identity creation, attestation and verification and, as the founders of the idea say, is the future of secure, user-controlled identity management. While widespread implementation is far away, several industry leaders, as well as financial institutions, are working on practical applications. Various aspects need to be addressed before it is universally adopted, including the development of universal standards and an interoperable ecosystem.


AWS IAM CASE STUDY


Using AWS Identity and Access Management (IAM), one can specify who can access which AWS services and resources, and under what conditions. IAM is a feature of your AWS account and is offered at no additional charge. To get started using IAM, or if you have already registered with AWS, go to the AWS Management Console.
How it works
With IAM, you define who can access what by specifying detailed permissions. IAM then enforces those permissions on every request. By default, access is denied, and it is granted only when a permission specifies an "Allow".
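To make the default-deny rule concrete, here is an added, simplified model of how an identity policy is evaluated (example code, not AWS's implementation): a request starts as an implicit deny, an explicit Deny statement wins over any Allow, and only a matching Allow grants access. Only the Effect, Action and Resource elements are modelled; conditions, resource-based policies and permission boundaries are left out, and the policy and ARNs below are constructed.

```python
import fnmatch

def _matches(pattern_or_list, value):
    """IAM-style wildcard match. Action and Resource may be a string or a list,
    and '*' matches any run of characters (including '/' inside an ARN)."""
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for a single request against identity policies."""
    decision = "Deny"  # implicit deny: nothing has granted access yet
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny is final, whatever else allows
            decision = "Allow"
    return decision

# Constructed sample policy: read-only access to one bucket, read-only IAM
# calls, and an explicit deny on the bucket's secrets/ prefix.
SAMPLE_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-bucket",
                          "arn:aws:s3:::example-bucket/*"]},
            {"Effect": "Allow", "Action": "iam:Get*", "Resource": "*"},
            {"Effect": "Deny", "Action": "s3:*",
             "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
        ],
    }
]
```

Note that `s3:PutObject` on the bucket is denied even though no statement mentions it: that is the implicit deny the slide describes, and it is why reviewing policies for missing Allows is usually safer than reviewing them for stray Denies.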


Self-sovereign identity and access management

▪ Identity and access management (IAM) software is used by companies to authenticate, manage and authorize their users/employees and to create a central repository of them.
▪ Whenever a new employee is onboarded into a company, a whole new set of accounts has to be created. Many different accounts are created, from a simple email account to databases, servers, AWS and even Slack.
▪ Once this employee leaves, all these accounts need to be revoked the same way they were created: manually, one by one. Any single credential that is not properly revoked can open the door to a vulnerability, and a malicious former employee can access the company's network and steal confidential data.
▪ Through the use of self-sovereign identity, the user would be onboarded onto all the different services using their own credentials or ones created by the company. The employee would then store the credentials in their identity wallet. At the moment of revocation, only one credential in the identity wallet would have to be revoked to cut access to all of the accounts.
▪ By strengthening the audit trail, self-sovereign identity could be an innovation in the identity and access management area. These enterprise software products keep track of user access for fraud protection and compliance purposes. However, the way that log is created, sometimes as a plain text file, is concerning, since privileged people could alter or remove logs for malicious purposes. Because of its immutability, blockchain could be a good fit for securing access logs.
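The tamper-evidence the slide attributes to blockchain can be shown in miniature with a hash-chained access log, added here as an example (not from the slides): each entry commits to the previous entry's hash, so an edited or deleted line breaks the chain. The events are constructed; `GENESIS` and the entry layout are this example's own conventions.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes the same way
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_entry(log, event):
    """Append an access event to the chained log; returns the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "event": event, "hash": _digest(prev, event)}
    log.append(entry)
    return entry["hash"]

def verify_chain(log, expected_head=None):
    """Recompute every link. Returns (ok, index_of_first_bad_entry_or_None).
    Passing the head hash recorded elsewhere (e.g. shipped to a separate
    collector) also detects deletion of the newest entries, which the chain
    alone cannot see."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None

def build_sample_log():
    """Constructed sample: three access events as an IAM system might record."""
    log = []
    for ev in [
        {"user": "alice", "action": "login", "result": "ok"},
        {"user": "bob", "action": "read", "resource": "payroll.xlsx", "result": "ok"},
        {"user": "bob", "action": "logout", "result": "ok"},
    ]:
        append_entry(log, ev)
    return log
```

This gives tamper evidence, not tamper resistance: an insider who can rewrite every later hash as well as the entry they changed is only caught if the head hash was also copied somewhere they cannot reach.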
