Identity and Access Management - IGA, IAM, and PAM Explained

Written by z3nch4n | Published 2022/01/18
Tech Story Tags: identity-management | iam | pam | cybersecurity | identity-and-access-management | identity | privileged-access-management | zero-trust | web-monetization

TL;DR: Identity and Access Management (IAM) is becoming less of a tool and more of a strategic framework to secure digital assets and protect data privacy. IAM is an essential part of cybersecurity that manages digital identities and user access to an organization’s data, systems, and resources. A solid approach to IAM enables organizations to mitigate risks, improve compliance, and increase efficiencies across the enterprise. A lack of automation (43%) and a lack of skilled staff (41%) are the two biggest challenges regarding managing access.

Relationship with Security and the Convergence of the Legacy and Modern Identity Solutions

Identity is becoming less of a tool and more of a strategic framework to secure digital assets and protect data privacy. As a result, Identity and Access Management (IAM) vendors are looking to grab a more significant percentage of the business for growing market share.
Identity protects digital assets, supports digital transformation initiatives, and bolsters Personally Identifiable Information (PII) privacy, using NIST-based security standards (e.g., SP 800-63) and best practices. In addition, it enables organizations to centrally manage their expanding perimeter of mobile and work-from-anywhere users and on-premises, multi-cloud, and hybrid infrastructure.
Another push factor for the convergence is the promotion of Zero Trust Architecture (ZTA). Solutions like SASE rely heavily on authentication as the first tier of protection, so using an identity platform to manage accounts across an organization’s applications becomes essential.

What Is Identity and Access Management (IAM)?

IAM is an essential part of cybersecurity that manages digital identities and user access to an organization’s data, systems, and resources. Gartner defines IAM as:
…the discipline that enables the right individuals to access the right resources at the right times for the right reasons.
As a critical security function, IAM allows companies to respond to changes in the business and become more proactive in anticipating identity-related access risks that result from the dynamic business environment.
  • 72% of organizations prioritize security over operational efficiency (52%) and breach prevention (47%) as the critical drivers for developing an IAM program.
  • Looking forward, organizations equally prioritize investment in multifactor authentication (52%) and privileged access management (52%), followed by identity management and governance (49%).
  • Role-based access control continues to be the most deployed IAM capability for 71% of organizations, followed by single sign-on (58%) and user monitoring (51%).
  • Lack of automation (43%) and lack of skilled staff (41%) are the two biggest challenges regarding managing access in organizations, followed by not utilizing available technologies (33%).
  • When selecting an IAM solution, 72% of organizations prioritize ease of integration above end-user experience (62%) and product performance/effectiveness (61%).
A solid approach to IAM enables organizations to mitigate risks, improve compliance, and increase efficiencies across the enterprise. That’s why managing proper access through the correct IAM framework goes a long way towards supporting risk management within the organization.

The Identity Pillars

Identity plays a pivotal role within an organization’s security posture. However, stakeholder roles are spread across IT infrastructure, security operations, and compliance to manage regulatory risk. An identity solution has three distinct pillars:
  • Identity Governance Administration (IGA),
  • Privileged Access Management (PAM), and
  • Access Management (AM).
Automation and interoperability of the three pillars are critical to ensure all applications, systems, APIs, policies, and processes are working smoothly with each other.
Nowadays, dozens of vendors offer one of these pillars. In the past, they referred to their products as “identity tools.” However, many now call their products “identity platforms” as they start building more integrated capabilities. These are vendor-specific platforms, and no vendor offers an identity platform with complete AM, IGA, and PAM capabilities.

What is Access Management (AM)?

An access management (AM) solution strengthens security and reduces risk by carefully controlling access to on-premises and cloud-based applications, services, and infrastructure. Most access management solutions include tools for administering access privileges and tracking login attempts and access activity. They should help organizations better manage the four IAAA functions:
  • Identification,
  • Authentication,
  • Authorization, and
  • Accountability.
It also ensures that selected users have authorized access to specific resources for the correct period and for valid reasons.
Security vendors and solution providers offer two different types of access management solutions.
  • Workforce Access Management — to authenticate and authorize employees and contractors to access corporate applications and IT systems.
  • Customer Access Management — to authenticate and authorize consumers and clients to access public-facing applications and services.

What is Identity Governance and Administration (IGA)?

IGA is both a policy framework and a set of security solutions that enable organizations to effectively mitigate identity-related access risks within their business. IGA automates the creation, management, and certification of user accounts, roles, and access rights for individual users in an organization.
With IGA, companies can streamline user provisioning, password management, policy management, access governance, and access reviews within their business. Considered as part of IAM, IGA offers organizations increased visibility into users’ identities and access privileges. Thus, they can adequately manage who has access to what assets and when.

What is Privileged Access Management (PAM)?

PAM is considered a critical security control that enables organizations to simplify defining, monitoring, and managing privileged access across their systems, applications, and infrastructure.
Because administrator accounts have elevated privileges that can access sensitive data and execute applications or transactions — often with little or no tracking control — it can be challenging to manage privileged accounts. PAM solutions centralize the management of administrator profiles and ensure least privilege access is enforced.
Among AM, IGA, and PAM, PAM is the most narrowly defined but carries significant responsibility for mitigating identity-related access risks related to privileged access. While AM and IGA focus on broader user access to resources, systems, and applications across the organization, PAM defines and controls access for privileged users. Below are three specific types of privileged accounts:
  • Root or Administrator Accounts: These accounts possess full authority over systems and have unrestricted access to services or data residing on a server. They are considered the most valuable targets for threat actors.
  • System Accounts: These accounts are used for running operating system services and can modify the relevant files and configurations. They are typically provisioned with the operating system.
  • Service/Application Accounts: These accounts are used for running processes and applications through automated, often unattended tasks. They frequently own or have access to data, resources, or configurations not available to non-privileged users.

Security and Identity — Zero Trust

Identity management began with synchronizing LDAP accounts, which was a small corner of an organization’s IT. Apart from security, it was more about efficiency. It took over a decade to become mainstream knowledge, but now conventional wisdom draws the security perimeter at identity.
The difficulties of determining the perimeter of an organization’s IT infrastructure were highlighted by the Jericho Forum in 2003, which discussed the trend later coined “De-Perimeterisation.” In 2009, Google implemented a Zero Trust Architecture referred to as BeyondCorp.
Zero Trust is a security mindset centered on the idea that organizations should not automatically trust anything inside or outside their perimeters and, alternatively, must verify anything and everything trying to connect before granting access.

Broadening the Definition of Identity

Identity started with a focus on humans. Thus, identity is something that can describe a person with a consistent set of details/attributes. But in the era of digital transformation, it is not limited to human identity only.
Conventional IAM architectures have relied primarily on the ability to authenticate user credentials to a directory store and grant fine-grained access to business applications based on statically assigned privileges, regardless of any inherent risk posed by a user.
This model no longer reflects an IT landscape in which a mobile workforce can use unmanaged smart devices from anywhere in the world to access sensitive data in cloud-hosted business applications.
According to a Ponemon study, 59% of all breaches are linked to a third party and often involve the misuse of non-employee identities. As a result, implementing risk-based controls to manage the lifecycle of non-employee identities is even more important than it is for employees.
In many organizations, non-employee identities are unmanaged by IAM processes and controls since traditional identity solutions have focused solely on employee populations and used HR system data to make access decisions.
However, there is often no authoritative source to drive the identity lifecycle or the risk assessment for non-employees. Because of these gaps, it is not unusual for non-employee identities to be overprovisioned, difficult to audit, and still active several years after the user’s termination.
Another essential characteristic of non-employees is that they aren’t just contractors, vendors, and B2B users. The increasing adoption of microservices, RPA, and Zero Trust Architectures requires non-human worker identities, such as those used by devices and bots, to be managed with the same rigor as human-owned identities.
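The gaps just described (no authoritative source, accounts outliving a contract, dormant or over-privileged non-human identities) are exactly what an IGA access review is meant to surface. The following is an added example, not code from the article or any IGA product; the record fields, the review date, the 90-day dormancy window and the set of privileged entitlements are assumptions, and the identity records are constructed:

```python
# Added example (not from the article): an access-review check for
# non-employee and non-human identities. Record fields, the review date and
# the 90-day inactivity window are assumptions.
from datetime import date

REVIEW_DATE = date(2022, 1, 18)            # "today" for this review
INACTIVITY_LIMIT_DAYS = 90                 # assumed dormancy threshold
PRIVILEGED = {"admin", "prod-db-write", "root-ssh"}  # assumed privileged entitlements

# Constructed records standing in for an IGA connector export.
IDENTITIES = [
    {"id": "alice", "type": "employee", "source": "hr", "end_date": None,
     "last_login": date(2022, 1, 17), "entitlements": {"email", "wiki"}},
    {"id": "bob-contractor", "type": "contractor", "source": None,
     "end_date": date(2019, 6, 30), "last_login": date(2019, 7, 2),
     "entitlements": {"email", "prod-db-write"}},
    {"id": "svc-backup", "type": "service", "source": "cmdb", "end_date": None,
     "last_login": date(2022, 1, 18), "entitlements": {"root-ssh"}},
    {"id": "bot-rpa-invoice", "type": "bot", "source": None, "end_date": None,
     "last_login": date(2021, 8, 1), "entitlements": {"admin", "email"}},
]

def review(identities, today=REVIEW_DATE):
    """Return {identity_id: [finding, ...]} for identities that need attention."""
    findings = {}
    for ident in identities:
        issues = []
        # No authoritative source: nothing drives the lifecycle or risk rating.
        if ident["source"] is None:
            issues.append("no-authoritative-source")
        # Engagement ended, but the account still exists.
        if ident["end_date"] and ident["end_date"] < today:
            issues.append("active-after-termination")
        # Dormant: no sign-in within the inactivity window.
        if (today - ident["last_login"]).days > INACTIVITY_LIMIT_DAYS:
            issues.append("dormant")
        # Privileged entitlement held outside the employee-governed population.
        if ident["type"] != "employee" and ident["entitlements"] & PRIVILEGED:
            issues.append("privileged-non-employee")
        if issues:
            findings[ident["id"]] = issues
    return findings

if __name__ == "__main__":
    for ident_id, issues in review(IDENTITIES).items():
        print(f"{ident_id}: {', '.join(issues)}")
```

The employee record governed by HR produces no findings, while the contractor whose engagement ended in 2019 is flagged on every check, which is the "active for years after termination" case the text warns about.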
If you can define an object’s identity, you can apply security to that object by setting security rules, which is, after all, why identity is the no-longer-new perimeter. Below are some examples of the new definition of identity:
  • APIs (with a unique key)
  • Cloud Workloads (with a uniquely assigned code)
  • IoT (with a unique serial number)

The Importance of Bringing Identities Together

Organizations everywhere are at different stages of digital transformation, whether that means:
  • modernizing platforms,
  • launching a data center in the cloud, or
  • managing manufacturing IoT devices more efficiently.
Because of that, the size and shape of our digital footprint are changing. We no longer have a “digital network” or “digital services”; we now have a whole “digital ecosystem” that keeps expanding.
If we want to remain secure while realizing these new channels, efficiencies, or agility, we need to adopt Zero Trust Architecture — using the lens of identity to see potential risks and inform where we draw the “perimeter.” Unfortunately, this can lead to an explosion of new security tools, interfaces, dashboards, monitoring, logging, and alerting… and all of them become a burden on the IT team.
Even with artificial intelligence (AI) and machine learning (ML), things slip through the cracks if you must work across multiple distinct interfaces to evaluate organizational risk. For example, consider using user and entity behavior analytics (UEBA) to monitor abnormal user behavior. Mapping all user profiles and their interactions with different assets across separate tools would be time-consuming and error-prone.
To efficiently and effectively manage the entire security posture, it makes more sense to have a single, holistic view of organizational identities to determine policy, view posture, enact compliance, and respond to risk.
The next wave of IAM solutions needs to evaluate inherent and contextual risk when granting sensitive data and applications access. Those capabilities will require organizations to implement risk frameworks that incorporate activity, behavioral analytics, device, geolocation, data sensitivity, and identity proofing into their existing access policies. It will also require, at a minimum, a heightened focus on mitigating the risks posed by non-employee access.
The adoption of risk-based IAM will not be easy or quick. For most companies, it will be a transformative, multi-year journey. But in today’s IT landscape, identity and risk can no longer be considered independent of each other. There is no more striking example than the risks exposed every day by breached organizations that failed to manage non-employee access effectively.

The Potential Challenges of Convergence

It is fair to say that convergence can be good for vendors but challenging for users. For many organizations, the prospect of any software platform conversion means more costs, more and possibly different licenses, and added usage. Also, product convergence eliminates competition, potentially leading to higher prices and fewer choices.
Apart from financial investment, there are also technical challenges. For example, IGA is the most mature identity technology, while PAM is the least mature. Integrating them means having a centralized platform that shares user profiles and other attributes in both directions.
By definition, one of the core principles of a zero-trust architecture is “Trust no one and verify everything.” Unfortunately, zero trust builds some friction into the user experience since additional layers of authentication, such as multifactor authentication, are required. One way to get around this friction is by implementing adaptive authentication, a context-based approach that doesn’t require users to authenticate their identity further when it’s not necessary.
The above example is a challenge that identity platforms face if they have joined together various capabilities and critical functions without focusing on the user experience. Ideally, the answer is to have a consistent user interface, even if the underlying technology changes. Then, if a particular vendor needs to be swapped out, users are never impacted.
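The risk framework described earlier (activity, behavioral baseline, device, geolocation, data sensitivity, identity proofing) and the adaptive authentication discussed above come together in a policy engine that scores each access request and adds friction only when context warrants it. Below is an added example of such an engine, not code from the article or any vendor platform; the signal names, weights, thresholds and sample request contexts are all assumptions chosen for illustration:

```python
# Added example (not from the article): a small risk-based access policy.
# Signal weights, thresholds, field names and sample contexts are assumptions.
from dataclasses import dataclass, field

@dataclass
class AccessContext:
    user: str
    device_managed: bool                 # device enrolled and compliant
    country: str                         # geolocation of this request
    usual_countries: set = field(default_factory=set)  # behavioral baseline
    failed_logins_last_hour: int = 0     # recent activity signal
    data_sensitivity: str = "low"        # "low" | "medium" | "high"
    identity_proofed: bool = True        # identity proofing done at onboarding

# Each signal adds to a 0-100 risk score (assumed weights).
WEIGHTS = {"unmanaged_device": 20, "unusual_location": 20,
           "brute_force_activity": 25, "not_proofed": 15}
SENSITIVITY_WEIGHT = {"low": 0, "medium": 10, "high": 25}

def risk_score(ctx: AccessContext) -> int:
    score = 0
    if not ctx.device_managed:
        score += WEIGHTS["unmanaged_device"]
    if ctx.usual_countries and ctx.country not in ctx.usual_countries:
        score += WEIGHTS["unusual_location"]
    if ctx.failed_logins_last_hour >= 5:
        score += WEIGHTS["brute_force_activity"]
    if not ctx.identity_proofed:
        score += WEIGHTS["not_proofed"]
    score += SENSITIVITY_WEIGHT[ctx.data_sensitivity]
    return min(score, 100)

def decide(ctx: AccessContext) -> str:
    """Allow silently, require step-up MFA, or deny (thresholds assumed)."""
    score = risk_score(ctx)
    if score < 25:
        return "allow"         # low risk: no extra authentication friction
    if score < 60:
        return "step-up-mfa"   # verify further only when context warrants it
    return "deny"

if __name__ == "__main__":
    # Constructed contexts: same user from the office, travelling, and under attack.
    office = AccessContext("alice", True, "HK", {"HK"}, 0, "medium")
    travel = AccessContext("alice", False, "DE", {"HK"}, 0, "medium")
    attack = AccessContext("alice", False, "DE", {"HK"}, 8, "high", False)
    for ctx in (office, travel, attack):
        print(ctx.country, risk_score(ctx), decide(ctx))
```

The same user is let straight through from a managed device in a usual location, asked for MFA when travelling on an unmanaged device, and refused when the request also carries brute-force activity against high-sensitivity data.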

Final Words

While today there is a fractured identity landscape, over the next 3–5 years, I expect convergence of the IGA, PAM, and AM pillars. In addition, security vendors are beginning to expand their offerings through partnerships, technology acquisitions, vendor convergence, and in-house development through organic expansion of capabilities.
A comprehensive identity platform allows for a common user experience across multiple applications and systems (both legacy and modern). In addition, it will enable consumers and distributed workforces to use the same authentication method to access applications and resources across different enterprises.

Written by z3nch4n | Interested in Infosec & Biohacking. Security Architect by profession. Love reading and running.
Published by HackerNoon on 2022/01/18