Identity and Access Management (IAM)

Identity and Access Management is the process of handling user authentication and authorisation. It’s about ensuring the right people have access to the right information. The complexity of deploying IAM in an organisation is often underestimated: it can involve integrating hundreds of systems with a centralised Identity and Access Management solution to streamline the onboarding, moving, and leaving activities associated with employees. Multi-Factor Authentication (MFA), formerly known as 2-Factor Authentication (2FA), Zero-Trust, and Single Sign-On (SSO) are also components of IAM.

What is the Application Security Methodology?

  • Meets business objectives for the management and governance of users
  • Addresses regulatory and legal requirements
  • Dynamically identifies and tracks all employee access
  • Integrates all critical systems with the central IAM platform
  • Results in more streamlined user access, management, and governance

A Typical Methodology

  1. Understand the business objectives for IAM
  2. Ensure the organisation has an adequate IAM platform, either via a solution or as part of a cloud subscription.
  3. Identify various business functions, and common access requirements to define roles, which can then be used to achieve effective Role-Based Access Control (RBAC).
  4. Integrate all critical systems (almost always includes HR platforms and Active Directory) with the central IAM platform.
  5. As systems are onboarded to IAM, enable Single Sign-On (SSO) so that users can access each of them, along with many other systems, with a single login.
  6. Require users to authenticate using Multi-Factor Authentication (MFA).
    • Multi-Factor Authentication refers to combining 2 or more of the following factors:
      • Something you know (A password)
      • Something you have (A token available on your phone)
      • Something you are (Retina or fingerprint)
    • The term 2-Factor Authentication (2FA) by name limits this to 2 factors, and is colloquially associated with a password + token combination. The term MFA is preferred because it reflects the multiple combinations of factors you could use to reduce the impact of a password being breached.
  7. Where possible, use IAM as an additional perimeter for your organisation by forcing users to authenticate to each and every system, while simplifying this otherwise clunky security feature with SSO. This is also known as Zero-Trust, and enables organisations to transcend the requirement of having a VPN, especially where the organisation is cloud-native.
  8. Establish a cadence for Identity and Access Governance
    • Usually entails user access reviews conducted through the central IAM platform
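
The user access review in step 8, sketched as an added example (not Endure Secure's tooling): it compares what the IAM platform reports against the HR source of truth from step 4, the role definitions from step 3 and the MFA requirement from step 6. All role names, entitlements, users and field names are constructed assumptions.

```python
# Constructed sample data: roles, entitlements and users are illustrative only.
ROLES = {  # step 3: business function -> entitlements the role grants
    "finance-analyst": {"erp:read", "payroll:read"},
    "hr-officer": {"hris:write", "payroll:read"},
}
HR_RECORDS = {  # step 4: authoritative joiner/mover/leaver data from HR
    "alice": {"status": "active", "role": "finance-analyst"},
    "bob": {"status": "active", "role": "hr-officer"},  # mover: was in finance
    "carol": {"status": "terminated", "role": "finance-analyst"},
}
ACCOUNTS = {  # what the central IAM platform reports for each identity
    "alice": {"enabled": True, "mfa": True, "grants": {"erp:read", "payroll:read"}},
    "bob": {"enabled": True, "mfa": False,
            "grants": {"hris:write", "payroll:read", "erp:read"}},
    "carol": {"enabled": True, "mfa": True, "grants": {"erp:read"}},
    "svc-legacy": {"enabled": True, "mfa": False, "grants": {"erp:read"}},
}

def access_review(roles, hr, accounts):
    """Return sorted (user, finding, detail) tuples for a reviewer to action."""
    findings = []
    for user, acct in accounts.items():
        if not acct["enabled"]:
            continue  # disabled accounts grant no access
        person = hr.get(user)
        if person is None:
            findings.append((user, "orphaned", "no HR record"))
            continue
        if person["status"] != "active":
            findings.append((user, "leaver-still-enabled", person["status"]))
            continue
        # Anything granted beyond the role's entitlements is access creep.
        excess = acct["grants"] - roles.get(person["role"], set())
        if excess:
            findings.append((user, "excess-access", ",".join(sorted(excess))))
        if not acct["mfa"]:
            findings.append((user, "mfa-missing", ""))
    return sorted(findings)

if __name__ == "__main__":
    for finding in access_review(ROLES, HR_RECORDS, ACCOUNTS):
        print(finding)
```
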

Contact Endure Secure

Endure Secure is available to answer your Identity and Access Management (IAM) enquiry within 8 business hours. Please include as much information as possible for your request.

Please contact us using this form, email us at [email protected], or call us on 0420 231 893.