Overview: Evolving IAM functional needs and the importance of an identity fabric
The requirements for a holistic Identity and Access Management (IAM) approach have increased significantly in recent years. Decentralized IT estates with distinct human and non-human digital identities, zero trust adoption, the proliferation of SaaS applications and multi-cloud environments, and complex identity-centric use cases that expose organizations to insider and third-party threats have all made it necessary to build a security perimeter around each digital identity rather than around the network.
Every kind of IT infrastructure, whether on-prem, hybrid, private or public cloud, or multi-cloud, is continuously accessed by many distinct identities at different hours and for different purposes. Improving the IAM infrastructure is therefore no longer optional: it is mandatory for adequate control of identities, meaning that every digital identity accesses business and infrastructure assets only at the right time and for the right purpose. Because these identities constantly interact with critical applications, secrets, and sensitive information, including network and infrastructure devices, a holistic IAM practice is a must to thwart identity misuse and abuse.
In this context, building an identity fabric goes a long way towards providing the framework for a secure and seamless IAM practice. A well-architected identity fabric provides complete visibility into the identity estate and adequate safeguards against threats such as account takeover, insider attacks, and third-party risk.
The five key components needed to build an identity fabric are:
- Centralized engine to manage multiple and distinct digital Identities
In a typical IT setup, organizations must control and manage several kinds of digital identities:
- Human identities (named and shared accounts)
- Non-human identities (software bots, cloud workloads, and automated services)
- Cloud identities (DevOps toolchains, SaaS applications)
It is a herculean task for IT administrators to administer and govern hundreds of identities in a distributed and complex IT environment. To make matters worse, a fragmented IAM approach, i.e. standalone IAM, PAM, and IGA solutions each covering part of the access management use cases, results in decentralized controls and decentralized policies.
Therefore, the first requirement for a holistic IAM approach, and for constructing an identity fabric, is a centralized mechanism that can administer all kinds of digital identities. IAM professionals should move towards a converged IAM approach. Convergence builds a comprehensive, centralized approach to the major functional areas of IAM: it removes the need for multiple solutions to manage the distinct identities present in an IT setup and combines the different dimensions of identity and access management, including the access policy framework, identity governance, and continuous monitoring, in one platform.
- Policy Enforcement
The “who, what, where, when, how, and why” parameters form the base of a secure access policy. Before a policy is enforced, it must be defined, explained to the users it affects, and applied to the right identities. A standard identity fabric is built by enforcing a consistent policy for every digital identity in the environment. Policies applied to a group of identities are commonly derived automatically from the roles and access limits of the users in that group.
An identity access control policy covers the following:
- Creation of identities (automatic onboarding of digital identities from a source of truth such as an HR application, Active Directory, Azure AD, AWS EC2 instances, or GCP)
- Categorization of identities
- Monitoring of identities
- Interaction with identities
- Execution of rules against identities
Policy enforcement for digital identities may also cover specific technical interactions, such as which protocols to accept, which ports to use, or connection timeout settings.
- Entitlement Management
Entitlement management is the mechanism that administers, grants, enforces, and revokes the access permissions of digital identities. In a standard identity fabric, privilege authorizations, access rights, and permissions are the objects that entitlement management governs.
Its purpose is to execute the predefined access policies for structured and unstructured data, devices, and servers. This helps eliminate human error in ensuring that the right users have the right access to the right systems, networks, applications, and devices, and it equally determines what users must be barred from.
Because workflows change continuously, user access rights and requirements keep changing with them. Users need access to systems and applications for uninterrupted IT operations, but security cannot be ignored, and unauthorized access must be prevented. With a standard identity fabric, organizations can manage the access of both insiders and outsiders. Entitlement management systems in an identity fabric can:
- Define user roles
- Manage end-user hierarchies and workflows
- Define and manage user permissions (granular controls, just-in-time access)
- Grant and revoke user privileges as requirements change
- Manage the complexity of allow and deny rules
- Implement different access control paradigms, e.g. data-driven and role-based approaches
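As an added example (not from the original article and not any product's code), the following Python sketch shows how the policy parameters from the previous section (who, what, where, when, how) and the entitlement operations listed above (role definitions, just-in-time grants, revocation, allow/deny decisions) can be evaluated together in one deny-by-default check. The role table, resource policies, identity names, networks, and the `clock` helper are constructed sample data and assumptions.

```python
"""Deny-by-default access decision combining role entitlements, just-in-time
(time-bounded) grants and who/what/where/when/how policy checks.
Added illustrative example; every name and table below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress

# WHAT each role may do: role -> set of (action, resource). Sample data.
ROLE_PERMISSIONS = {
    "dba": {("read", "db/prod"), ("write", "db/prod")},
    "developer": {("read", "db/staging"), ("write", "db/staging"), ("read", "db/prod")},
    "ci-runner": {("deploy", "k8s/prod")},
}

# WHERE / WHEN / HOW per resource: allowed source networks, permitted UTC
# hour window [start, end), and accepted protocols. Sample data.
RESOURCE_POLICY = {
    "db/prod": {"networks": ["10.0.0.0/8"], "hours": (6, 22), "protocols": {"tls"}},
    "db/staging": {"networks": ["10.0.0.0/8", "192.168.0.0/16"], "hours": (0, 24), "protocols": {"tls"}},
    "k8s/prod": {"networks": ["10.20.0.0/16"], "hours": (0, 24), "protocols": {"tls"}},
}

@dataclass
class Identity:
    name: str
    kind: str                                       # "human", "non-human" or "cloud"
    roles: set = field(default_factory=set)         # standing entitlements
    jit_grants: dict = field(default_factory=dict)  # (action, resource) -> expiry

def clock(hour, minute=0):
    """Fixed sample day (assumption) so scenarios are reproducible."""
    return datetime(2024, 5, 6, hour, minute, tzinfo=timezone.utc)

def grant_jit(identity, action, resource, minutes, now):
    """Just-in-time elevation: the grant carries its own expiry, so no
    clean-up job is needed to take it away again."""
    identity.jit_grants[(action, resource)] = now + timedelta(minutes=minutes)

def revoke(identity, action=None, resource=None):
    """Revoke one JIT grant, or all of them when no pair is given."""
    if action is None:
        identity.jit_grants.clear()
    else:
        identity.jit_grants.pop((action, resource), None)

def authorize(identity, action, resource, source_ip, now, protocol="tls"):
    """Return (allowed, reason). Every check must pass; anything else is denied."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False, "unknown resource"
    # WHO / WHAT: a standing role or an unexpired JIT grant must cover the pair.
    standing = any((action, resource) in ROLE_PERMISSIONS.get(r, set())
                   for r in identity.roles)
    expiry = identity.jit_grants.get((action, resource))
    elevated = expiry is not None and now < expiry
    if not (standing or elevated):
        return False, "no entitlement"
    # WHERE: the request must originate from an allowed network.
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(n) for n in policy["networks"]):
        return False, "source network not allowed"
    # WHEN: inside the permitted hour window (UTC).
    start, end = policy["hours"]
    if not start <= now.hour < end:
        return False, "outside permitted hours"
    # HOW: only accepted protocols.
    if protocol not in policy["protocols"]:
        return False, "protocol not accepted"
    return True, "standing role" if standing else "jit grant"

if __name__ == "__main__":
    now = clock(10)
    alice = Identity("alice", "human", roles={"developer"})
    print(authorize(alice, "write", "db/prod", "10.1.2.3", now))  # (False, 'no entitlement')
    grant_jit(alice, "write", "db/prod", 30, now)
    print(authorize(alice, "write", "db/prod", "10.1.2.3", now))  # (True, 'jit grant')
```

The order of the checks matters: entitlement is tested first so that a denied request reveals nothing about network or time policy, and the JIT expiry is compared against the caller-supplied clock rather than the wall clock, which keeps the decision reproducible in tests and audits.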
- Multi-factor Authentication (MFA)
Authenticating users before granting access is one of the basic security steps in a distributed IT environment. The authentication mechanism plays a pivotal role in protecting confidential data assets and critical servers from unauthorized and suspicious access. Every category of identity requires some form of authentication to remain ‘authorized’ before access is granted, and the mechanism can be tiered according to the criticality of the identity. For example:
- A general, non-privileged user can use two-factor authentication
- A privileged user with a privileged identity can be required to use multi-factor authentication (MFA)
- A cloud identity with access to highly confidential cloud resources requires an adaptive authentication mechanism to detect and stop sophisticated attacks
Multi-factor Authentication (MFA) provides additional layers of protection for critical systems and applications. It verifies the identity with more than one independent factor before allowing access to the desired server, application, or target device.
An AI-based adaptive (risk-based) authentication mechanism, by contrast, builds a baseline from past user behaviour, typically from signals such as geolocation, IP address, and typing cadence, and scores each new attempt against that baseline to decide whether the activity comes from a trusted context; a high-risk attempt can be stepped up to a stronger factor or blocked. This is particularly beneficial for organizations that follow hybrid work models, where many users remotely access critical systems and applications for seamless IT operations.
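To make the adaptive mechanism concrete, here is an added example (not from the article and not any vendor's algorithm) of a risk scorer that compares a login attempt with the user's own history on the three signals named above, adds an impossible-travel check, and maps the score to allow, step-up, or deny. The weights, thresholds, `ts` helper, and the sample login history are assumptions and constructed data.

```python
"""Risk-based (adaptive) authentication scorer. Added illustrative example;
signal weights, thresholds and sample history are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
import math
import statistics

@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    country: str
    lat: float
    lon: float
    typing_ms: float  # mean inter-keystroke interval while typing the password

def ts(day, hour=0):
    """Timestamps on a fixed sample month (assumption) for reproducibility."""
    return datetime(2024, 5, day, hour, tzinfo=timezone.utc)

# Constructed baseline: four office logins from Berlin on consecutive days.
SAMPLE_HISTORY = [
    LoginEvent(ts(1, 9), "10.1.2.10", "DE", 52.52, 13.405, 120.0),
    LoginEvent(ts(2, 9), "10.1.2.11", "DE", 52.52, 13.405, 130.0),
    LoginEvent(ts(3, 9), "10.1.2.12", "DE", 52.52, 13.405, 125.0),
    LoginEvent(ts(4, 9), "10.1.2.13", "DE", 52.52, 13.405, 128.0),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def risk_score(history, attempt):
    """Score one attempt against the user's own history; returns (score, reasons)."""
    if not history:
        return 50, ["no baseline"]  # unknown user: always step up
    score, reasons = 0, []
    # Geolocation: a country never seen for this user is the strongest signal.
    if attempt.country not in {e.country for e in history}:
        score += 40
        reasons.append("new country")
    # IP address: compare /24 networks rather than exact addresses (DHCP churn).
    known_nets = {ipaddress.ip_network(f"{e.ip}/24", strict=False) for e in history}
    if not any(ipaddress.ip_address(attempt.ip) in n for n in known_nets):
        score += 20
        reasons.append("new network")
    # Typing cadence: z-score of the attempt against the user's baseline.
    samples = [e.typing_ms for e in history]
    if len(samples) >= 3:
        mu = statistics.mean(samples)
        sd = statistics.pstdev(samples) or 1.0  # avoid division by zero
        if abs(attempt.typing_ms - mu) / sd > 2:
            score += 20
            reasons.append("typing cadence anomaly")
    # Impossible travel: implied speed since the most recent login.
    last = max(history, key=lambda e: e.ts)
    hours = (attempt.ts - last.ts).total_seconds() / 3600
    if hours > 0:
        km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        if km / hours > 1000:  # faster than any commercial flight
            score += 50
            reasons.append("impossible travel")
    return score, reasons

def decide(score):
    """Map the score to an authentication outcome (thresholds are assumptions)."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step-up"
    return "deny"

if __name__ == "__main__":
    attempt = LoginEvent(ts(4, 11), "203.0.113.9", "SG", 1.35, 103.82, 60.0)
    score, why = risk_score(SAMPLE_HISTORY, attempt)
    print(score, why, decide(score))
```

A scorer like this only works if the baseline is trustworthy: the history should come from authenticated sessions that were not themselves flagged, otherwise an attacker who gets in once can teach the model their own location and cadence.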
- Identity Governance and Administration (IGA)
Poor governance of identities is one of the reasons behind the rise in identity-based threats in recent years. Every identity in the IT infrastructure has its own role, and governing identities continuously builds a comprehensive security posture. A standard identity fabric, with the help of identity governance, ensures that the right user has access to the right resource at the right time for the right purpose. It thereby maintains a secure access control framework in every layer of the IT setup and protects confidential IT assets from breaches and unauthorized access.
IGA covers the provisioning and deprovisioning of identities, for example:
- Discovering all digital identities on demand
- Correlating them with already on-boarded users
- Classifying accounts as local or domain, and as privileged or non-privileged
- Deprovisioning dormant accounts
- Handling transfer (mover) use cases
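The provisioning and deprovisioning steps listed above can be run as one reconciliation pass over discovered accounts and the HR source of truth. The following Python example is added here and is not the article's or any product's code; the HR and account schemas, the 90-day dormancy threshold, the privileged group names, and all records are assumptions and constructed sample data.

```python
"""Identity reconciliation for IGA: correlate discovered accounts with an HR
source of truth, classify them, and emit provisioning actions.
Added illustrative example; schemas, thresholds and records are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DORMANT_AFTER = timedelta(days=90)                         # assumption
PRIVILEGED_GROUPS = {"Domain Admins", "AdministratorAccess", "sudo"}  # assumption

@dataclass
class HrRecord:
    employee_id: str
    status: str        # "active" or "terminated"
    department: str

@dataclass
class Account:
    username: str
    source: str                    # "ad", "aws" or "local"
    owner_id: Optional[str]        # employee id from a directory attribute
    department: Optional[str]      # department stamped at provisioning time
    last_login: Optional[datetime]
    groups: tuple

def classify(acct):
    """Local accounts have no domain owner; others split on privileged groups."""
    if acct.source == "local":
        return "local"
    return "privileged" if set(acct.groups) & PRIVILEGED_GROUPS else "non-privileged"

def reconcile(hr_records, accounts, now):
    """Return (name, classification, action) triples for every account and
    for every active employee who has no account (joiner)."""
    hr = {r.employee_id: r for r in hr_records}
    actions = []
    for a in accounts:
        cls = classify(a)
        owner = hr.get(a.owner_id) if a.owner_id else None
        if owner is None:
            actions.append((a.username, cls, "orphan: no HR owner, disable and assign owner"))
        elif owner.status == "terminated":
            actions.append((a.username, cls, "deprovision: owner terminated"))   # leaver
        elif a.last_login is None or now - a.last_login > DORMANT_AFTER:
            actions.append((a.username, cls, "disable: dormant"))
        elif a.department != owner.department:                                  # mover
            actions.append((a.username, cls,
                            f"transfer: recertify entitlements, {a.department} -> {owner.department}"))
        else:
            actions.append((a.username, cls, "ok"))
    owned = {a.owner_id for a in accounts if a.owner_id}
    for r in hr_records:                                                        # joiner
        if r.status == "active" and r.employee_id not in owned:
            actions.append((r.employee_id, "none", "provision: active employee without account"))
    return actions

# Constructed sample data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_HR = [
    HrRecord("E1", "active", "eng"),
    HrRecord("E2", "terminated", "sales"),
    HrRecord("E3", "active", "finance"),
    HrRecord("E4", "active", "eng"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "ad", "E1", "eng", NOW - timedelta(days=2), ("Developers",)),
    Account("bob", "ad", "E2", "sales", NOW - timedelta(days=1), ("Domain Admins",)),
    Account("carol", "aws", "E3", "eng", NOW - timedelta(days=5), ("AdministratorAccess",)),
    Account("svc-backup", "ad", "E1", "eng", NOW - timedelta(days=200), ()),
    Account("root", "local", None, None, None, ("sudo",)),
]

if __name__ == "__main__":
    for name, cls, action in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, NOW):
        print(f"{name:12} {cls:15} {action}")
```

The check order encodes the governance priority: a terminated owner overrides everything else, dormancy is handled before transfers so that an unused account is disabled rather than recertified, and orphans are disabled rather than deleted so that an owner can still be assigned during review.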
Conclusion
IAM functional needs are evolving continuously, and as a result the necessity for a holistic IAM approach keeps growing. The five key components discussed above build an identity fabric that not only ensures complete control of identities but also enables seamless administration.