Wednesday, August 13, 2025

Cybersecurity Architecture: Identity and Access Management

The Four A's of Identity and Access Management

Identity and Access Management (IAM) is a cybersecurity practice that focuses on ensuring the right people have the right access to the right resources at the right time. It's often called the "new perimeter" because instead of just protecting the network, it protects the user first.

The foundation of IAM is built on four key functions, known as the "Four A's":

  1. Administration: The process of creating, updating, and deleting user accounts and their permissions.

  2. Authentication: The act of verifying a user's identity (answering the question, "Who are you?").

  3. Authorization: The process of deciding what a verified user is allowed to do (answering the question, "Are you allowed to do this?").

  4. Audit: The practice of reviewing activity logs to ensure the first three A's were performed correctly and to detect suspicious behavior.


Core Architecture: Store & Sync

The base of any IAM system is having a place to store user information and a way to keep it synchronized.

  • Directories: A directory is a place (like a database) where user identity information is stored. Examples include Active Directory and any system that uses the LDAP protocol.

  • The Problem: In reality, most organizations have multiple directories. An HR system, a finance system, and a customer system might all have their own separate directories.

  • The Solution: The architect must design a way to synchronize these directories so that all systems have consistent, up-to-date user information. This can be done with a meta directory (which centralizes information) or a virtual directory (which acts as an index to find information where it lives).


Administration & Provisioning

This is the process of managing user accounts throughout their lifecycle. A robust IAM system automates this to improve both efficiency and security.

  • Role-Based Access Control: Instead of assigning permissions one by one, users are assigned to roles (e.g., "Sales Staff" or "Branch Manager"). These roles automatically grant them all the necessary permissions.

  • Provisioning: The system automatically creates accounts and assigns permissions when a new employee is hired.

  • Deprovisioning: The system automatically revokes all access rights when an employee leaves the company. This is the most critical step from a security perspective, as it immediately closes all potential attack vectors from a former employee.

  • Access Requests: An administrative system allows existing users to request new access rights, which are then routed through an automated approval workflow.


Authentication & Authorization

These are the functions that control access in real time.

  • Authentication (Who you are):

    • Single-Factor: Relying on one method, like a password (something you know).

    • Multi-Factor (MFA): The best practice, requiring two or more factors: something you know (a password), something you have (your phone), and/or something you are (a fingerprint). This makes it significantly harder for an attacker to gain access.

    • Single Sign-On (SSO): A user authenticates once to an SSO system and can then access all their connected applications without having to log in again. This improves user experience without sacrificing security, especially when combined with MFA.

  • Authorization (What you can do):

    • This determines what a user is allowed to do after they have been authenticated. Modern systems use risk-based authorization, which adapts access based on the context of the request (e.g., location, type of request, or time of day).

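As an added illustration (not code from the original post), the Python below ties the role-based administration, provisioning and deprovisioning described earlier to the risk-based authorization described here, with every decision written to an audit trail. The role catalogue, the SENSITIVE permission set, and the context keys (country, hour, mfa) are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role catalogue (assumption, not from the post): a role bundles permissions.
ROLES = {
    "sales_staff": {"crm:read", "crm:write"},
    "branch_manager": {"crm:read", "crm:write", "reports:read", "hr:approve"},
}
# Permissions that require MFA step-up when the request context looks risky (assumed).
SENSITIVE = {"crm:write", "hr:approve"}


@dataclass
class IdentityStore:
    """Minimal directory: users map to roles; every change and decision is logged."""
    users: dict = field(default_factory=dict)        # username -> set of role names
    audit_log: list = field(default_factory=list)    # (timestamp, actor, action, detail)

    def _log(self, actor, action, detail):
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), actor, action, detail))

    def provision(self, actor, username, roles):
        """Hire: create the account with its roles; unknown roles are rejected, not guessed."""
        unknown = sorted(r for r in roles if r not in ROLES)
        if unknown:
            raise ValueError(f"unknown roles: {unknown}")
        self.users[username] = set(roles)
        self._log(actor, "provision", f"{username}:{sorted(roles)}")

    def deprovision(self, actor, username):
        """Leave: dropping the account revokes every role-derived permission at once."""
        self.users.pop(username, None)
        self._log(actor, "deprovision", username)

    def permissions(self, username):
        """Effective permissions = union of the user's roles (empty for unknown users)."""
        return set().union(*(ROLES[r] for r in self.users.get(username, set())))

    def authorize(self, username, permission, ctx):
        """Risk-based check: RBAC sets the ceiling, request context can only lower it.
        ctx keys (assumed): country ('home' or other), hour (0-23), mfa (bool)."""
        allowed = permission in self.permissions(username)
        off_hours = not (8 <= ctx.get("hour", 0) < 18)
        risky = ctx.get("country") != "home" or off_hours
        if allowed and risky and permission in SENSITIVE and not ctx.get("mfa", False):
            allowed = False   # sensitive action from a risky context needs MFA step-up
        self._log(username, "authz", f"{permission}:{'allow' if allowed else 'deny'}")
        return allowed
```

Deprovisioning removes the user record rather than editing individual permissions, so nothing role-derived can survive the exit; the audit log is what the fourth "A" reviews afterwards.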

Special Cases & Auditing

  • Privileged Access Management (PAM): A specific area of IAM dedicated to securing the "keys to the kingdom"—the highly sensitive accounts used by system administrators. A PAM system forces these users to check out an account, automatically changes the password after each use, and often records every keystroke to provide a complete audit trail.

  • Audit: The final "A" involves monitoring and analyzing all activity logs. User Behavior Analytics (UBA) is a technology used to detect anomalies and flag suspicious activity, such as a user suddenly creating, copying, and deleting a database in quick succession.

  • Identity Federation: This allows a user to use their identity from one organization (e.g., their company) to securely access resources from another (e.g., a cloud provider or business partner), without having to create a separate account.