Relationship with Security and the Convergence of the Legacy and Modern Identity Solutions

Identity is becoming less of a tool and more of a strategic framework to secure digital assets and protect data privacy. As a result, Identity and Access Management (IAM) vendors are looking to grab a more significant percentage of the business for growing market share. Identity protects digital assets, supports digital transformation initiatives, and bolsters Personal Identifiable Information (PII) privacy, using NIST-based security standards (i.e., SP 800–63) and best practices. In addition, it enables organizations to centrally manage their expanding perimeter of mobile and work-from-anywhere users and on-premises, multi-cloud, and hybrid infrastructure.

Another push factor of the convergence is the promotion of Zero Trust Architecture (ZTA). Solutions like SASE would heavily rely on authentication as the first tier of protection. Thus, using an identity platform to manage accounts across organization applications would be more than necessary.

What Is Identity and Access Management (IAM)?

IAM is an essential part of cybersecurity that manages digital identities and user access to an organization’s data, systems, and resources. Gartner defines IAM as:

“…the discipline that enables the right individuals to access the right resources at the right times for the right reasons.”

As a critical security function, IAM allows companies to respond to changes in the business and become more proactive in anticipating identity-related access risks that result from the dynamic business environment. According to the 2020 Identity and Access Management Report:

72% of organizations prioritize security over operational efficiency (52%) and breach prevention (47%) as the critical drivers for developing an IAM program.
Looking forward, organizations equally prioritize investment in multifactor authentication (52%) and privileged access management (52%), followed by identity management and governance (49%).

Role-based access control continues to be the most deployed IAM capability for 71% of organizations, followed by single sign-on (58%) and user monitoring (51%).

Lack of automation (43%) and lack of skilled staff (41%) are the two biggest challenges regarding managing access in organizations, followed by not utilizing available technologies (33%).

When selecting an IAM solution, 72% of organizations prioritize ease of integration above end-user experience (62%) and product performance/effectiveness (61%).

A solid approach to IAM enables organizations to mitigate risks, improve compliance, and increase efficiencies across the enterprise. That’s why managing proper access through the correct IAM framework goes a long way towards supporting risk management within the organization.

The Identity Pillars

Identity plays a pivotal role within an organization’s security posture. However, stakeholder roles are spread across IT infrastructure, security operations, and compliance to manage regulatory risk. An identity solution has three distinct pillars: Identity Governance and Administration (IGA), Privileged Access Management (PAM), and Access Management (AM). Automation and interoperability of the three pillars are critical to ensure all applications, systems, APIs, policies, and processes work smoothly with each other.

Nowadays, there are dozens of vendors that offer one of these pillars. In the past, they referred to their products as “identity tools.” However, many now call their products “identity platforms” as they start building more integrated capabilities. These are vendor-specific platforms, and no vendor offers an identity platform with complete AM, IGA, and PAM capabilities.

What is Access Management (AM)?
An identity and access management (IAM) solution strengthens security and reduces risk by carefully controlling access to on-premises and cloud-based applications, services, and infrastructure. Most access management solutions include tools for administering access privileges and tracking login attempts and access activity. They should be able to help organizations better manage Identification, Authentication, Authorization, and Accountability (IAAA). It also ensures selected users have authorized access to the specific resources at the correct period for valid reasons.

Security vendors and solution providers offer two different types of access management solutions:

Workforce Access Management — to authenticate and authorize employees and contractors to access corporate applications and IT systems.

Customer Access Management — to authenticate and authorize consumers and clients to access public-facing applications and services.

What is Identity Governance and Administration (IGA)?

IGA is both a policy framework and a set of security solutions that enable organizations to effectively mitigate identity-related access risks within their business. IGA automates creating, managing, and certifying user accounts, roles, and access rights for individual users in an organization. With IGA, companies can streamline user provisioning, password management, policy management, access governance, and access reviews within their business. Considered part of IAM, IGA offers organizations increased visibility into users’ identities and access privileges. Thus, they can adequately manage who has access to what assets and when.

What is Privileged Access Management (PAM)?

PAM is considered a critical security control that enables organizations to simplify defining, monitoring, and managing privileged access across their systems, applications, and infrastructure.
Because administrator accounts have elevated privileges that can access sensitive data and execute applications or transactions — often with little or no tracking control — it can be challenging to manage privileged accounts. PAM solutions centralize the management of administrator profiles and ensure least-privilege access is enforced.

Among AM, IGA, and PAM, PAM is the most narrowly defined but has the significant responsibility of mitigating identity-related access risks related to privileged access. While AM and IGA focus on more comprehensive user access for resources, systems, and applications across the organization, PAM defines and controls access for privileged users. Below are three specific types of privileged accounts:

Root or Administrator Accounts: These accounts possess full authority over systems and have no restriction for accessing services or data residing on a server. They are considered the most valuable targets for threat actors.

System Accounts: These accounts are used for running operating system services and can modify the relevant files and configurations. They are typically provisioned with the operating system.

Service/Application Accounts: These accounts are used for running processes and applications through automated, often unattended tasks. They frequently own or have access to data, resources, or configurations not available to non-privileged users.

Security and Identity — Zero Trust

Identity management began with synchronizing LDAP accounts, which was a small corner of an organization’s IT. Apart from security, it was more about efficiency. It took over a decade to become mainstream knowledge, but now conventional wisdom draws the security perimeter at identity.

The difficulties of determining the perimeter of an organization’s IT infrastructure were highlighted by the Jericho Forum in 2003, discussing the trend of what was later coined “De-Perimeterisation.” In 2009, Google implemented a Zero Trust Architecture referred to as BeyondCorp.

Zero Trust is a security mindset centered on the idea that organizations should not automatically trust anything inside or outside their perimeters and, alternatively, must verify anything and everything trying to connect before granting access.

Broadening the Definition of Identity

Identity started with a focus on humans. Thus, identity is something that can describe a person with a consistent set of details/attributes. But in the era of digital transformation, it is not limited to human identity only.

Conventional IAM architectures have relied primarily on the ability to authenticate user credentials to a directory store and grant fine-grained access to business applications based on statically assigned privileges, regardless of any inherent risk posed by a user. This model no longer reflects an IT landscape in which a mobile workforce can use unmanaged smart devices from anywhere in the world to access sensitive data in cloud-hosted business applications.

According to a Ponemon study, 59% of all breaches are linked to a third party and often involve the misuse of non-employee identities. As a result, implementing risk-based controls to manage non-employee identities’ lifecycle is even more significant than it is for employees.

In many organizations, non-employee identities are unmanaged by IAM processes and controls since traditional identity solutions have focused solely on employee populations and used HR system data to make access decisions. However, there is often no authoritative source to drive the identity lifecycle or the risk assessment for non-employees. These gaps mean that it is not unusual for non-employee identities to be overprovisioned, difficult to audit, and still active for several years after a user’s termination. Another essential characteristic of non-employees is that they aren’t just contractors, vendors, and B2B users.
The increasing adoption of microservices, RPA, and Zero Trust Architectures requires non-human worker identities, such as those used by devices and bots, to be managed with the same rigor as human-owned identities. If you can define an object’s identity, you can apply security to that object by setting security rules, which is, after all, why identity is the no-longer-new perimeter. Below are some examples of the new definition of identity:

APIs (with a unique key)

Cloud Workloads (with a uniquely assigned code)

IoT (with a unique serial number)

The Importance of Bringing Identities Together

Organizations everywhere are undergoing different stages of digital transformation. Whether it is modernizing the platforms, trying to launch a data center in the cloud, or trying to manage manufacturing IoT devices more efficiently, the size and shape of our digital footprint are changing. Because of that, we no longer have a “digital network” or “digital services,” but we now have a whole “digital ecosystem” that keeps expanding.

Suppose we want to remain secure while realizing these new channels or efficiencies or agility. In that case, we need to adopt Zero Trust Architecture — using the lens of identity to see potential risks and inform where we draw the “perimeter.” But, unfortunately, this can lead to an explosion of new security tools and interfaces and dashboards and monitoring and logging and alerting… And all of them are the burden of the IT team.

Even with artificial intelligence (AI) and machine learning (ML), things slip through the cracks if you control multiple distinct interfaces to evaluate organizational risks. For example, consider using user and entity behavior analytics (UEBA) to help monitor abnormal behavior of users. However, mapping all the profiles of users and their interactions with different assets across separate tools would be time-consuming and error-prone.
To efficiently and effectively manage the entire security posture, it makes more sense to have a single, holistic view of organizational identities to determine policy, view posture, enact compliance, and respond to risk.

The next wave of IAM solutions needs to evaluate inherent and contextual risk when granting access to sensitive data and applications. Those capabilities will require organizations to implement risk frameworks that incorporate activity, behavioral analytics, device, geolocation, data sensitivity, and identity proofing into their existing access policies. It will also require, at a minimum, a heightened focus on mitigating the risks posed by non-employee access.

The adoption of risk-based IAM will not be easy or quick. For most companies, it will be a transformative, multi-year journey. But in today’s IT landscape, identity and risk can no longer be considered autonomous of each other. There is no more remarkable example than the risks exposed every day by breached organizations because they failed to manage non-employee access effectively.

The Potential Challenges of Convergence

It is fair to say that convergence can be good for vendors but challenging for users. For many organizations, the prospect of any software platform conversion means more costs, more and possibly different licenses, and added usage. Also, product convergence eliminates competition, potentially leading to higher prices and fewer choices.

Apart from financial investment, there are also technical challenges. For example, IGA is the most mature identity technology, while PAM is the least mature. Integrating them means having a centralized platform to share the user profiles and other attributes in both directions.

By definition, one of the core principles of a zero-trust architecture is “Trust no one and verify everything.” Unfortunately, zero trust builds some friction into the user experience since additional layers of authentication, such as multifactor authentication, are required.
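As an added illustration of the risk framework described above (example code written for this page, not from the article or any vendor), the sketch below scores an access request from the signals the paragraph lists (identity type, device, geolocation, behavioral analytics, data sensitivity) and decides whether to allow silently, demand a step-up factor, or deny. The signal weights, thresholds, and the UEBA flag are assumptions; non-human identities are denied rather than prompted because they cannot complete an interactive factor.

```python
from dataclasses import dataclass
from typing import Literal

# Identity kinds follow the article's broadened definition: employees,
# non-employees, and non-human identities (service accounts, IoT devices).
IdentityKind = Literal["employee", "non_employee", "service", "iot"]


@dataclass(frozen=True)
class AccessContext:
    identity_kind: IdentityKind
    managed_device: bool        # device enrolled/managed by the organization
    known_location: bool        # geolocation previously seen for this identity
    anomalous_behavior: bool    # assumed flag supplied by a UEBA engine
    data_sensitivity: int       # 1 = public .. 4 = restricted (assumed scale)
    mfa_completed: bool         # strong factor already presented this session


LOW_RISK, HIGH_RISK = 2, 6      # thresholds are illustrative assumptions


def risk_score(ctx: AccessContext) -> int:
    """Additive contextual risk; weights are assumptions for illustration."""
    score = 0
    if ctx.identity_kind == "non_employee":
        score += 2              # no authoritative HR source drives the lifecycle
    if not ctx.managed_device:
        score += 2
    if not ctx.known_location:
        score += 1
    if ctx.anomalous_behavior:
        score += 3
    score += ctx.data_sensitivity - 1   # contributes 0..3
    return score


def decide(ctx: AccessContext) -> str:
    """Adaptive decision: allow silently, demand step-up MFA, or deny."""
    score = risk_score(ctx)
    if score <= LOW_RISK:
        return "allow"          # no extra friction when context is low risk
    if ctx.identity_kind in ("service", "iot"):
        return "deny"           # non-human identities cannot answer an MFA prompt
    if score <= HIGH_RISK:
        return "allow" if ctx.mfa_completed else "step_up_mfa"
    return "deny"               # too risky even with a second factor


if __name__ == "__main__":
    # Constructed sample: a contractor on an unmanaged laptop opening confidential data.
    contractor = AccessContext("non_employee", False, True, False, 3, False)
    print(risk_score(contractor), decide(contractor))   # 6 step_up_mfa
```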
One way to get around this friction is by implementing adaptive authentication, a context-based approach that doesn’t require users to authenticate their identity further when it’s not necessary. The above example is a challenge that identity platforms face if they have joined together various capabilities and critical functions without focusing on the user experience. Ideally, the answer is to have a consistent user interface, even if the underlying technology changes. Then, if a particular vendor needs to be swapped out, users are never impacted.

Final Words

While today there is a fractured identity landscape, over the next 3–5 years, I expect convergence of the IGA, PAM, and AM pillars. In addition, security vendors are beginning to expand their offerings through partnerships, technology acquisitions, vendor convergence, and in-house development through organic expansion of capabilities. A comprehensive identity platform allows for a common user experience across multiple applications and systems (both legacy and modern). In addition, it will enable consumers and distributed workforces to use the same authentication method to access applications and resources across different enterprises.