What is Identity & Access Management (IAM)?

Identity & Access Management is basically managing user identities (like email IDs) and their level of access to applications or data within your company. An IAM (or IDam) is a way to protect your company’s data from both internal and external sources. Think of IAM as an airline membership card. Just because you bought an airline ticket, you don’t get to enjoy privileges like lounge & bed access. Those are reserved exclusively for airline club members. In a similar way, not all employees within a company get access to all the data the company has. Having an IAM policy in place provides an elegant solution to the problem of data security within the company.

What problems does IAM help prevent?

What are the building blocks of IAM?

A way to store user data (employee records, for example)

Enable the IT team to securely access the data & monitor user behaviour.

Ability to modify the data (when an employee joins or leaves a company, for example)

An effective way to prepare reports & analytics over a sufficient time period.

How to implement IAM in your company?

1. Survey your current IAM implementation 

An audit of your existing data security policies and their implementation should give an idea of the right solution for your company. A good first step is to take stock of the existing inventory of your IT assets (both on-premise & cloud-based applications). Your inventory should also reflect the applications that come under “Shadow IT”, i.e., those applications that can be installed without any admin control. Also, review your current policies for establishing user access during onboarding or off-boarding processes. This detailed survey should be helpful in identifying the chinks in your IT armour.

2. Set goals & expectations for your new IAM policy 

Before starting to implement your IAM strategy, understand how it will impact the work you do currently. It would be a good idea to set your expectations for a new implementation. For example, you can look at how your security and other corporate policies need to change based on your plan. This should give an idea of the task at hand as well as the work that needs to be put in. Also keep in mind the cost-benefit factor. Your implementation shouldn’t be so complicated and expensive as to render your entire exercise futile.

3. Prepare an IAM implementation strategy 

The next logical step is to prepare a roadmap for your implementation plan. This roadmap should be decided with all the important stakeholders in the process. Assess your requirements and also be sure to check for dependencies. At this stage, it would also be good to define your success metrics and put a timeline on the implementation process. Another important part of your strategy should be to review the right IAM vendors and their best practices. Finally, ensure that your IAM plan is in strict compliance with your security standards and other industry benchmarks that are normally followed by your company. 

4. Measure your progress

Once the right IAM framework is in place, periodically review your metrics to ensure they meet the goals set in the previous step. A thorough monthly or quarterly audit is an efficient way to assess your implementation. This affords you the opportunity to correct any mistakes and implement the recommended IAM best practices. A good way to ensure the success of your IAM plan is to boost adoption within the company. This could be done by scheduling internal webinars that explain how the process works or sending out regular emails as a frequent reminder to all your employees.
 

What IAM technologies and tools should you know?

Over the past decade or so, IAM technologies have seen phenomenal growth, both in terms of their features and their adoption. When trying to solve for user identification and data management, it is important that you choose the right tools for your IAM plan. This helps reduce overhead costs (such as maintenance) while potentially minimising errors in your implementation. While your IAM tool must be robust and feature-rich, it should also be customisable to an extent because every organization has its own quirks. In this section, we detail some of the available technologies in the IAM industry today. While we are not naming tools, this should give you an idea of what to expect from your IAM vendor.

Single Sign-on (SSO) 

SSO is perhaps the easiest form of IAM implementation for your organization. It requires the user to remember only the username and password for a particular application. SSO automatically integrates the user’s credentials with all your other connected applications. Therefore, when your user signs on to one of your applications, they don’t have to repeat the authentication process when signing on to another internal application that has been linked using SSO. Even from the end user perspective, this is an efficient way to ensure access management. 

Multi-Factor Authentication (MFA) 

While SSO is an elegant solution to the IAM problem, companies are always on the lookout for better security implementations. This is where MFA comes in. This can supplement your SSO capabilities and take your IAM game to the next level. Within MFA, organizations are steadily moving from 2-factor to 3-factor authentication methods. 3FA is based on three parameters that, when put together, can uniquely identify a specific user. They include something that a user knows (like a password), something the user has (a smartphone) and something that is unique to the user (like a fingerprint). All three combined provide a robust method of securing user identity and access management.

Cloud-based integration

As companies move away from on-premise applications to cloud-based ones, so should their IAM plans. Because of an increasingly remote workforce, this makes much more sense as it not only reduces costs of implementation but also helps cover a wide distribution of your employee network. Sophisticated IAM solutions on the cloud can help detect any sort of hack in your devices and act as a killswitch by immediately locking out the hacker.


A note on risks associated with IAM implementation 

While IAM tools and technologies are immensely useful in providing a secure cover over your data, they are not without risks. When implementing an IAM plan, you are essentially trusting a third party to secure user access to your applications and to manage your company data. If the third party is hacked, do all your efforts come to naught? Not if you take the proper precautions. In the planning phase, decide the type of data that you want covered by IAM and create backups of it. Also, performing frequent audits as mentioned above helps identify inactive user accounts in your database. Knowing how your IAM vendor secures and stores your data (what encryption they use, how anonymized your data is, etc.) can help in setting your mind at ease.
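
As an added example (not part of the original article), here is one way the periodic audit described above could flag inactive accounts, accounts left enabled after off-boarding, and accounts without MFA. The roster, the account export, the field names and the 90-day inactivity threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: employee id -> status, as an HR system might export it.
HR_ROSTER = {"e100": "active", "e101": "active", "e102": "terminated"}

# Constructed export from a hypothetical identity directory.
ACCOUNTS = [
    {"user": "alice", "employee_id": "e100", "last_login": date(2024, 5, 28), "mfa": True},
    {"user": "bob", "employee_id": "e101", "last_login": date(2024, 1, 10), "mfa": True},
    {"user": "carol", "employee_id": "e102", "last_login": date(2024, 5, 30), "mfa": False},
    {"user": "svc-backup", "employee_id": None, "last_login": None, "mfa": False},
]

INACTIVE_AFTER_DAYS = 90  # assumed threshold; set it from your own policy


def audit_accounts(accounts, roster, today, inactive_after=INACTIVE_AFTER_DAYS):
    """Return {user: [findings]} for every account that needs review."""
    findings = {}
    for acct in accounts:
        issues = []
        # Cross-check the account against the HR source of truth.
        status = roster.get(acct["employee_id"])
        if status is None:
            issues.append("no matching employee record (orphaned)")
        elif status != "active":
            issues.append("employee offboarded but account still enabled")
        # Inactivity check; an account that never logged in is also suspect.
        last = acct["last_login"]
        if last is None:
            issues.append("never logged in")
        elif (today - last).days > inactive_after:
            issues.append(f"inactive for {(today - last).days} days")
        if not acct["mfa"]:
            issues.append("MFA not enrolled")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_accounts(ACCOUNTS, HR_ROSTER, date(2024, 6, 1))
    for user, issues in report.items():
        print(f"{user}: {'; '.join(issues)}")
```
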