When properly implemented and in compliance with local security policies, identity access management software can serve as the center of any IT security strategy, but it's important for IT pros to select the right platform for their organization.
While most authentication platforms still rely on the traditional, less secure username/password pair, identity access management (IAM) enables a much finer degree of control while still providing the accounting and logging capabilities that remain key security requirements. IAM can also draw on information stored in common management databases such as directories, and can include many other familiar capabilities such as security certificates, single sign-on (SSO), multifactor authentication (MFA) and even the federation of security credentials.
How IAM products work
Vendors developed IAM tools when mobility was becoming dominant in essentially every organization, making mobile management a core driver of the advancements and capabilities of IAM.
Since mobility is a vital element in almost every modern IT shop, today's comprehensive IAM platforms should be able to base access decisions on the context a mobile environment supplies: not only the time of day and day of the week, but also the location and the specific device an authorized user operates at that date, time and location. For example, a given user might have access to certain resources from an authorized device on weekdays during working hours and only in certain locations, and be denied access otherwise.
Identity access management software enables the granular control of authorization and access down to the level of a given user, but also makes it possible to manage groups of users as well. For example, IAM software can restrict logistics staff to certain applications in physical locations involving manufacturing or shipping, and grant executive staff access to resources appropriate to them everywhere. The same principle applies to guest access; guests are just another class of user.
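The kind of context-aware, group-based decision described above, written out as an added example in Python. This is not code from the article or from any vendor's IAM product; the users, devices, locations, rules and timestamps are constructed for illustration, and a real platform would take them from a directory and a device inventory. The evaluator denies by default and writes an accounting record for every decision, since logging remains a requirement even when the decision is "no".

```python
"""Context-aware access evaluation: user group, device, location and time window.

Constructed example data; not a real directory or device inventory.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed directory: user -> group.  Guests are simply another group.
USERS = {
    "alice": {"group": "logistics"},
    "bob": {"group": "executive"},
    "visitor42": {"group": "guest"},
}

# Constructed device inventory: device id -> registered owner and whether it
# is under management (enrolled, compliant).  An IAM platform would get this
# from its EMM/MDM integration.
DEVICES = {
    "laptop-0001": {"owner": "alice", "managed": True},
    "phone-0002": {"owner": "bob", "managed": True},
    "byod-0003": {"owner": "visitor42", "managed": False},
}


@dataclass
class Rule:
    group: str
    apps: set             # applications granted; {"*"} means any application
    locations: set        # {"*"} means any location
    weekdays: range       # datetime.weekday(): 0 = Monday ... 6 = Sunday
    hours: range          # 24-hour clock, end exclusive
    require_managed: bool = True


# Constructed policy.  Logistics staff: manufacturing/shipping apps, on site,
# working hours, managed device only.  Executives: anything, anywhere, any
# time.  Guests: captive portal and internet from the lobby on an unmanaged
# device during opening hours.
POLICY = [
    Rule("logistics", {"wms", "shipping"}, {"warehouse", "dock"}, range(0, 5), range(7, 19)),
    Rule("executive", {"*"}, {"*"}, range(0, 7), range(0, 24)),
    Rule("guest", {"captive-portal", "internet"}, {"lobby"}, range(0, 7), range(8, 18),
         require_managed=False),
]


@dataclass
class Request:
    user: str
    device: str
    app: str
    location: str
    when: datetime


# Accounting log: one record per decision, allowed or denied.
AUDIT_LOG: list = []


def _log(req: Request, allowed: bool, reason: str) -> None:
    AUDIT_LOG.append({
        "ts": req.when.isoformat(), "user": req.user, "device": req.device,
        "app": req.app, "location": req.location, "allowed": allowed, "reason": reason,
    })


def evaluate(req: Request) -> bool:
    """Return True only if some rule for the user's group grants this request."""
    user = USERS.get(req.user)
    if user is None:
        _log(req, False, "unknown user")
        return False
    dev = DEVICES.get(req.device)
    if dev is None or dev["owner"] != req.user:
        _log(req, False, "device not registered to user")
        return False
    for rule in POLICY:
        if rule.group != user["group"]:
            continue
        if rule.require_managed and not dev["managed"]:
            _log(req, False, "unmanaged device")
            return False
        if "*" not in rule.apps and req.app not in rule.apps:
            continue  # this rule does not cover the app; keep looking
        if "*" not in rule.locations and req.location not in rule.locations:
            _log(req, False, "location not permitted")
            return False
        if req.when.weekday() not in rule.weekdays or req.when.hour not in rule.hours:
            _log(req, False, "outside permitted time window")
            return False
        _log(req, True, f"matched rule for group {rule.group}")
        return True
    _log(req, False, "no rule grants this application")
    return False


def check(user: str, device: str, app: str, location: str, iso_when: str) -> bool:
    """Convenience wrapper taking the timestamp as an ISO 8601 string."""
    return evaluate(Request(user, device, app, location, datetime.fromisoformat(iso_when)))


if __name__ == "__main__":
    print(check("alice", "laptop-0001", "wms", "warehouse", "2024-06-04T10:00:00"))  # weekday, on site
    print(check("alice", "laptop-0001", "wms", "warehouse", "2024-06-08T10:00:00"))  # Saturday
    for rec in AUDIT_LOG:
        print(rec)
```

The order of checks matters: identity and device binding are verified before any group rule is consulted, so a valid user presenting someone else's device is refused regardless of what the group would otherwise be allowed, and the reason is recorded for the audit trail.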
IAM is applicable to all devices, users and applications, whether local or cloud-based, and can even cover IoT devices and applications that involve no human interaction. IT pros can also consume IAM as a cloud service, which can improve reliability, cost control and scalability, but the same security requirements apply to a cloud service as to an on-premises platform.
Considerations for selecting identity access management software
Identity access management software comes in the form of independent products from both network and Wi-Fi system vendors such as Cisco, as well as third-party suppliers such as Ping Identity and Okta. IAM is also often integrated into more comprehensive enterprise mobility management (EMM) platforms that include device, content, application and policy management. For example, BlackBerry's IAM products integrate into its EMM portfolio.
Authentication vs. authorization
IAM is the successor to authentication, authorization and accounting (AAA). Authorization to access a specific resource, such as a file, application or any other element of IT, depends on authentication: authentication establishes who you are, and authorization determines what you can do as a function of who you are. Authentication often drives encryption as well, using the secrets established during a given user's authentication to derive per-user session keys for Wi-Fi access (as with 802.1X, where the Wi-Fi keys come from the EAP authentication exchange) or for other purposes.
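An added example, in Python, that keeps the three steps of that paragraph apart: verify a credential to obtain an identity, decide a permission from that identity alone, and derive a per-user session key from a secret established during authentication. This is not the article's code nor any vendor's; the credential store and role table are constructed, and the "authentication secret" passed to the key derivation is a stand-in for the key material a real authentication method (for example an EAP method under 802.1X) would export. The key derivation is HKDF from RFC 5869, implemented with the standard library.

```python
"""Authentication, authorization and session-key derivation as separate steps.

Constructed credential store and roles; not a real IAM backend.
"""
import hashlib
import hmac
import os

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def _enrol(password: str) -> dict:
    """Store a salted scrypt hash, never the password itself (enrolment time)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)}


# Constructed users, roles and permissions.
CREDENTIALS = {"alice": _enrol("correct horse battery staple"), "bob": _enrol("hunter2")}
ROLES = {"alice": {"logistics"}, "bob": {"executive"}}
PERMISSIONS = {
    "logistics": {"wms:read", "shipping:write"},
    "executive": {"finance:read", "wms:read"},
}


def authenticate(username: str, password: str):
    """Who you are: return the verified identity, or None.

    A dummy scrypt is run for unknown usernames so response time does not
    reveal which accounts exist; the comparison is constant-time.
    """
    rec = CREDENTIALS.get(username)
    if rec is None:
        hashlib.scrypt(password.encode(), salt=b"\x00" * 16, **SCRYPT_PARAMS)
        return None
    candidate = hashlib.scrypt(password.encode(), salt=rec["salt"], **SCRYPT_PARAMS)
    return username if hmac.compare_digest(candidate, rec["hash"]) else None


def authorize(identity, permission: str) -> bool:
    """What you can do: decided from the verified identity, never from a claim in the request."""
    if identity is None:
        return False
    return any(permission in PERMISSIONS.get(role, set()) for role in ROLES.get(identity, set()))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Extract then HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_key(identity: str, auth_secret: bytes, nonce: bytes) -> bytes:
    """Per-user, per-session key bound to the identity and a fresh nonce.

    auth_secret stands in for key material exported by the authentication
    exchange (assumption); it is never the password or its hash.
    """
    return hkdf_sha256(auth_secret, nonce, b"session|" + identity.encode(), 32)


if __name__ == "__main__":
    who = authenticate("alice", "correct horse battery staple")
    print("identity:", who)
    print("wms:read ->", authorize(who, "wms:read"), " finance:read ->", authorize(who, "finance:read"))
    print("session key:", session_key(who, os.urandom(32), os.urandom(16)).hex())
```

Note that `authorize` takes the identity returned by `authenticate`, not the username the client sent: the request may claim any name, but only the verified identity drives the permission lookup and the key derivation.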
It can be complex to select the right identity access management software, but a few points of guidance can ease the process:
Assure compatibility. Make sure any IAM software is fully compliant with the organization's security policy, management consoles, directory services and other requirements.
Scale from pilot deployments. Understand how the platform behaves within a given IT environment before proceeding to full-production deployment, so limited-scale initial deployments are essential. Conduct ongoing security audits as well, to ensure the objectives of the security policy remain fully met.
Verify internal support services. Educate help desks and other support staff in the policies, procedures and tools in use. It's also crucial to train them against social engineering and related attacks that can compromise IAM products that are otherwise very effective.