How Identity & Access Management (IAM) Works

Identity and Access Management (IAM) refers to the processes, organizational structure and technologies that authenticate and authorize a user to access and consume an organization’s resources. These resources may be digital assets, data and application workloads, network access or perimeter access to the physical data center location.

Let’s take a look at this important business function.

The purpose of identity & access management

Business organizations are compelled to limit employee access to these systems beyond what is required by their job routines — this helps reduce all sorts of risks, and it has knock-on effects in terms of limiting resource consumption, too.

This idea follows the Principle of Least Privilege access, which guides strong security controls for authorizing access. IAM is tightly coupled with the governance structure and security policies facing the organization, driven by:

• Applicable compliance regulations
• Cybersecurity risks
• The business value associated with every data asset, application and network component

An IAM system provides the necessary technology infrastructure to enforce the security policies with the flexibility to manage resource access when needed.

The goal of an IAM system is to establish an optimal tradeoff between strong security against unauthorized access, with the flexibility to provision resource access without violating the security policies or exposing undue security risks. The latter is particularly challenging as most enterprises operate a complex infrastructure that runs highly dependent application components and isolating these resources by static policies defined by user roles and resource types becomes virtually impossible.

So how do you manage the IAM lifecycle of the organization? Let’s break this into two simple questions, and I’ll hopefully provide the clearest answers.

(For more security basics, learn about Vulnerability vs Threat vs Risk and the CIA Security Triad.)

How do you manage identity?

The IAM system authenticates the identity of the requesting entity, which may be an individual user, a group or a role depending on your access control policy. Factors used for authentication include:

• What you know: username, email address, passwords, passcode, pincode, passphrase and security questions
• What you are: Biometrics such as fingerprints, voice, hand geometry and Iris recognition
• What you have: smart keys, smart cards, tokens, mobile devices, phone number, email accounts

The IAM system authenticates the source of a request to determine the identity of the user, user group and roles. The authentication system is tightly coupled by the governance of the identity database and its consumption in the entity authentication protocols. The authentication process itself does not determine whether the request is approved — it simplified verifies the claimed identity of the requesting party and is corroborated by the fact that the requesting entity is active, alive and a member or partner of the organization.

The IAM also extends the verification process to data authentication via API requests from an integrated set of third-party cloud-based services that may request access to your corporate network. This process refers to data authentication. Data authentication verifies the originating source of data and also authenticates the integrity of that data (that is, the data has not been modified by an unauthorized source).

How do you manage access?

The IAM system is designed to reduce the security risk exposure of your data by managing access controls over the lifecycle of the identified entity. It achieves this goal by denying all requests by default, with the exception of requests that comply with the access control mechanism.

The IAM system is used to associate policies to IAM identities or third party resources. These policies determine the list of permissions that can be attributed to these IAM identities. These permissions are then used to approve or deny a request to access the network or data resources.

Common access management approaches

Some of the common schemes to manage permissions and employ appropriate access controls for IAM identities include:

• Role Based Access Controls (RBAC). These are identity-based access control policies that assign a set of permissions to individual entities, including users, their roles and groups.
• Attribute Based Access Controls (ABAC). This authorization strategy defines the permissions based on the attributes associated with the request. The role of the IAM identity itself can be considered as an attribute, but the ABAC brings a holistic view to this concept. Attributes can include an exhaustive decision criteria including environment variables, subject parameters, actions requested and IAM resource objects that describe the identities and groups.

The explicit policies generated by the RBAC, ABAC or another access control scheme override the default request denial of the IAM system. The ABAC model allows organizations to scale permissions in a complex IT infrastructure environment, where it may be difficult to federate sensitive data assets and network components based on the roles and identity of the user. Instead, the attribute tags assigned to users and the resources can be used to establish granular permissions that do not overlap.

IAM is a continuous process

The continuous process of authenticating the identity of the request source and managing access controls over the course of the identity’s lifecycle is the primary goal of an IAM system. The key value proposition of the IAM is to automate this process while maintaining flexibility to onboard new users, enforce diverse security policies and reduce risk exposure as the user base scales.

What is Splunk?

This posting does not necessarily represent Splunk's position, strategies or opinion.