
A guide to Identity Access Management

Identity Access Management (IAM) solutions are designed to minimise cyber and data governance risks by tracking and limiting who has access to your digital systems. At a minimum, IAM solutions capture and record user login information, manage the database of user identities and the rules and policies around them, and orchestrate the assignment and removal of access privileges.

The benefits of identity access management

An organisation might deploy an IAM solution for a number of reasons:

  • Reduce the risk of internal or external data breaches
  • Decrease the time and effort involved in managing access to their network, especially compared against manual processes
  • Enforce policies of user authentication, validation and privileges
  • Address issues, such as privilege creep and failure to retire access for leavers
  • Comply with data governance and regulation
  • Ensure that data requested by auditors is readily available on demand

The principles of identity access management

Identity access management touches on a number of principles that are of relevance to organisations of all sizes. Let’s take a look at the principles of identity access management.

#1. Compliance 

IAM implementation is increasingly important, especially for larger enterprises, when dealing with compliance with data privacy laws, information governance, sector regulations, and industry-specific compliance. As well as ensuring only authorised users have access to sensitive information, IAM tools provide the necessary audit trails about access to that information that auditors will require.

#2. Zero trust

Zero trust is a security paradigm developed in response to the complex challenges of managing today’s cloud and hybrid architectures. It takes the standpoint that trust cannot be assumed and that identities must be authenticated before users and devices can be given access to preapproved applications, data, services and systems. Adopting a zero trust approach to cyber security is facilitated by the use of an IAM.

#3. Least privilege

An important principle of zero trust is the notion of “least privilege”, whereby access is limited to only the applications, data, services and systems a user needs to do their job.

#4. Role-based access management

As its name suggests, role-based access management grants rights on the basis of assigned roles and duties. It’s one way of controlling access rights per user and enforcing a policy of least privilege (based on roles). It simplifies IAM because administrators do not have to update access rights per individual when requirements change or in response to new starters or leavers.
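The two principles above (least privilege and role-based access) are easiest to see in a small model. The following is an added example written for this guide, not code from the original article or from any IAM product; the roles, permissions, users and the `Directory` class are constructed for illustration. It shows that a new starter needs only a role assignment, that a requirement change is made once on the role and reaches every member, that a leaver loses everything in one step, and how granted-but-unused permissions (privilege creep) can be reported.

```python
"""Role-based access with least privilege: an added illustration, not code from
the article. Roles, permissions, users and resources are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Permissions hang off roles; users only ever hold roles."""
    role_permissions: dict[str, set[str]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def define_role(self, role: str, permissions: set[str]) -> None:
        # A permission is "resource:action"; a role lists only what the job needs.
        self.role_permissions[role] = set(permissions)

    def grant_to_role(self, role: str, permission: str) -> None:
        self.role_permissions[role].add(permission)

    def add_user(self, user: str, roles: set[str]) -> None:
        unknown = set(roles) - set(self.role_permissions)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.user_roles[user] = set(roles)

    def remove_user(self, user: str) -> None:
        self.user_roles.pop(user, None)

    def permissions(self, user: str) -> set[str]:
        # Union of every role the user holds; an unknown user gets nothing.
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions[r] for r in roles))

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        return f"{resource}:{action}" in self.permissions(user)

    def unused_permissions(self, user: str, used: set[str]) -> set[str]:
        # Granted permissions the user never exercised: candidates for removal.
        return self.permissions(user) - used


def walkthrough() -> dict[str, object]:
    d = Directory()
    d.define_role("helpdesk", {"tickets:read", "tickets:write", "users:read"})
    d.define_role("finance", {"invoices:read", "invoices:write", "reports:read"})
    d.define_role("auditor", {"invoices:read", "reports:read", "audit-log:read"})
    d.add_user("alice", {"finance"})
    d.add_user("bob", {"helpdesk"})
    d.add_user("carol", {"auditor"})
    out: dict[str, object] = {
        "alice_writes_invoices": d.is_allowed("alice", "invoices", "write"),
        "bob_reads_invoices": d.is_allowed("bob", "invoices", "read"),
        "carol_writes_invoices": d.is_allowed("carol", "invoices", "write"),
    }
    # New starter in finance: one role assignment, no per-permission edits.
    d.add_user("dave", {"finance"})
    out["dave_writes_invoices"] = d.is_allowed("dave", "invoices", "write")
    # Requirement change: finance now needs the audit log. Edit the role once;
    # every member picks it up.
    d.grant_to_role("finance", "audit-log:read")
    out["alice_reads_audit_log"] = d.is_allowed("alice", "audit-log", "read")
    out["dave_reads_audit_log"] = d.is_allowed("dave", "audit-log", "read")
    # Leaver: removing the user removes all access in one step.
    d.remove_user("bob")
    out["bob_after_leaving"] = d.is_allowed("bob", "tickets", "read")
    # Privilege-creep review: alice only ever touched invoices this quarter.
    out["alice_unused"] = sorted(
        d.unused_permissions("alice", {"invoices:read", "invoices:write"})
    )
    return out


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

Permissions are looked up at check time rather than copied onto the user, which is what makes a role edit take effect for everyone at once and why a removed user has no residual rights.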

#5. Privileged access management

Privileged access management is a companion to a least privilege approach and role-based access management. It is vital to control and secure the activity of users who have access to critical and sensitive systems and data assets, to minimise the risk associated with these enhanced user access privileges.

#6. Single sign-on

Single sign-on (SSO) aids access management by simplifying authentication. When SSO is enabled, only one set of credentials is required across multiple software applications and systems.

#7. Multi-factor authentication

Multi-factor authentication strengthens user authentication processes by requiring two or more different means of authentication at sign-on. Having become a new focus of the UK Government’s Cyber Essentials scheme in the latest Cyber Essentials Certification requirements, MFA is an increasingly important focus of IAM efforts.

#8. Monitoring user access

One important function of an IAM solution is the monitoring of user accounts and access requests. Analysing user logs makes it possible to identify anomalies and raise warnings about suspicious activity.
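To make "analysing user logs" concrete, here is an added example (not code from the article or from any IAM product) that runs three common checks over authentication logs: a burst of failed logins followed by a success, a first login from a country the user has never used before, and a login outside working hours. The log format, the `SAMPLE_LOG` lines, the thresholds and the working-hours window are all constructed for this illustration; a real deployment would take them from the identity provider's own log schema and from a baseline of normal behaviour.

```python
"""Anomaly checks over authentication logs: an added illustration, not code from
the article. The log format and the lines in SAMPLE_LOG are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed log format: timestamp, user, outcome, source IP, geolocated country.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE) "
    r"ip=(?P<ip>\S+) country=(?P<country>[A-Z]{2})$"
)
FAIL_THRESHOLD = 5                  # failures before a success that we flag
FAIL_WINDOW = timedelta(minutes=10)  # failures older than this are ignored
WORK_HOURS = range(7, 20)           # 07:00-19:59 UTC treated as normal

SAMPLE_LOG = """\
2024-03-04T08:15:22Z user=alice result=SUCCESS ip=203.0.113.7 country=GB
2024-03-04T08:40:03Z user=bob result=SUCCESS ip=198.51.100.12 country=GB
2024-03-04T09:02:11Z user=alice result=SUCCESS ip=203.0.113.7 country=GB
2024-03-04T23:14:05Z user=bob result=FAILURE ip=192.0.2.44 country=RU
2024-03-04T23:14:09Z user=bob result=FAILURE ip=192.0.2.44 country=RU
2024-03-04T23:14:13Z user=bob result=FAILURE ip=192.0.2.44 country=RU
2024-03-04T23:14:18Z user=bob result=FAILURE ip=192.0.2.44 country=RU
2024-03-04T23:14:25Z user=bob result=FAILURE ip=192.0.2.44 country=RU
2024-03-04T23:14:31Z user=bob result=SUCCESS ip=192.0.2.44 country=RU
2024-03-05T10:05:40Z user=carol result=SUCCESS ip=203.0.113.9 country=GB
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    user: str
    result: str
    ip: str
    country: str


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    detail: str


def parse_line(line: str) -> Event:
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["user"], m["result"], m["ip"], m["country"])


def analyse(log_text: str) -> list[Finding]:
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.time)
    findings: list[Finding] = []
    failures: dict[str, deque] = defaultdict(deque)      # user -> recent failure times
    seen_countries: dict[str, set[str]] = defaultdict(set)  # user -> countries seen
    for e in events:
        q = failures[e.user]
        while q and e.time - q[0] > FAIL_WINDOW:   # drop failures outside the window
            q.popleft()
        if e.result == "FAILURE":
            q.append(e.time)
            continue
        # Only successful logins are assessed against the baselines below.
        if len(q) >= FAIL_THRESHOLD:
            findings.append(Finding("failures_then_success", e.user,
                                    f"{len(q)} failures before success from {e.ip}"))
        q.clear()
        known = seen_countries[e.user]
        if known and e.country not in known:
            findings.append(Finding("new_country", e.user,
                                    f"first login from {e.country}; seen before: {sorted(known)}"))
        known.add(e.country)
        if e.time.hour not in WORK_HOURS:
            findings.append(Finding("out_of_hours", e.user, f"login at {e.time:%H:%M} UTC"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.kind}] {f.user}: {f.detail}")
```

Each check is only applied to successful logins, because that is the point at which an anomaly turns into access; the failures are kept in a short sliding window so an old, unrelated typo does not inflate a later count. On the sample data every finding concerns the same account, which is the kind of convergence a reviewer would escalate.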

#9. Revoking access and offboarding

An effective leavers policy is an essential part of IAM. A good IAM solution makes it easier to enforce these policies and proactively revoke access where suspicious activity or issues are identified.
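Revoking access has a detail that catches many organisations out: disabling an account in the directory does nothing to a session or token that was issued before the change unless every request re-checks the account's status. The following added example (not code from the article or from any IAM product) models an identity store with a scheduled leaver sweep and a suspend operation; the accounts, dates, tokens and the `IdentityStore` class are constructed for this illustration.

```python
"""Offboarding and revocation: an added illustration, not code from the article.
Accounts, dates and tokens are constructed samples."""
import secrets
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    username: str
    leave_date: Optional[date] = None   # recorded when HR confirms a leaver
    disabled: bool = False
    disabled_reason: str = ""


@dataclass
class Session:
    user: str
    expires: datetime


@dataclass
class IdentityStore:
    accounts: dict[str, Account] = field(default_factory=dict)
    sessions: dict[str, Session] = field(default_factory=dict)   # token -> session
    audit: list[str] = field(default_factory=list)

    def issue_token(self, user: str, now: datetime, ttl: timedelta = timedelta(hours=8)) -> str:
        acct = self.accounts[user]
        if acct.disabled:
            raise PermissionError(f"{user} is disabled: {acct.disabled_reason}")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now + ttl)
        return token

    def authenticate(self, token: str, now: datetime) -> Optional[str]:
        """Return the user only if the token is live AND the account is still enabled."""
        s = self.sessions.get(token)
        if s is None or now >= s.expires:
            return None
        if self.accounts[s.user].disabled:   # status re-checked on every request
            return None
        return s.user

    def disable(self, user: str, reason: str, now: datetime) -> int:
        """Disable the account and revoke every session it holds; returns the count."""
        acct = self.accounts[user]
        acct.disabled, acct.disabled_reason = True, reason
        revoked = [t for t, s in self.sessions.items() if s.user == user]
        for t in revoked:
            del self.sessions[t]
        self.audit.append(f"{now:%Y-%m-%dT%H:%M:%SZ} disabled {user} ({reason}); "
                          f"{len(revoked)} session(s) revoked")
        return len(revoked)

    def leaver_sweep(self, now: datetime) -> list[str]:
        """Scheduled job: disable every account whose leave date has arrived."""
        swept = []
        for acct in self.accounts.values():
            if not acct.disabled and acct.leave_date and acct.leave_date <= now.date():
                self.disable(acct.username, "leaver", now)
                swept.append(acct.username)
        return swept


def walkthrough() -> dict[str, object]:
    store = IdentityStore()
    store.accounts["alice"] = Account("alice")
    store.accounts["bob"] = Account("bob", leave_date=date(2024, 3, 31))
    t0 = datetime(2024, 3, 30, 9, 0, tzinfo=timezone.utc)
    # Deliberately long-lived tokens, so expiry alone cannot be what stops bob.
    t_alice = store.issue_token("alice", t0, timedelta(days=30))
    t_bob = store.issue_token("bob", t0, timedelta(days=30))
    out: dict[str, object] = {"bob_day_before": store.authenticate(t_bob, t0)}
    t1 = datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc)
    out["swept"] = store.leaver_sweep(t1)
    out["bob_after_sweep"] = store.authenticate(t_bob, t1)       # token unexpired, still refused
    out["alice_after_sweep"] = store.authenticate(t_alice, t1)
    # Proactive revocation after monitoring flags the account.
    store.disable("alice", "suspicious activity flagged by monitoring", t1 + timedelta(hours=2))
    out["alice_after_suspension"] = store.authenticate(t_alice, t1 + timedelta(hours=3))
    out["audit_entries"] = len(store.audit)
    return out


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The audit list records who was disabled, why, and how many sessions were cut, which is the evidence an auditor asks for when checking that a leavers policy is actually enforced rather than merely written down.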

#10. Artificial intelligence

Innovations in artificial intelligence (AI) offer new opportunities to enhance IAM, especially in the areas of monitoring and analysing network, systems and application access. AI can automate and speed up the process of spotting and responding to anomalies and suspicious activity. 

#11. Blockchain and decentralised identity

Blockchain is of interest in an IAM context because it offers opportunities to transfer information in a secure, encrypted way for increased privacy protection and enhanced auditing. 

#12. SP-010

For IT professionals in large enterprises who are implementing an IAM solution, the OSA IAM design pattern SP-010 offers an architecture model of how the various IT admin roles interact with IAM components and the systems that rely on IAM. One important principle is that policy enforcement and policy decisions are separated from each other and dealt with by different elements within the IAM framework. It is a good starting point when beginning an IAM solution deployment project.
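The separation of policy decisions from policy enforcement is easier to appreciate in code. The following added example (written for this guide; it is not code from the article, nor an implementation supplied by the OSA SP-010 pattern) shows a policy decision point that holds the rules and a policy enforcement point that guards a resource, asks the PDP and records the answer. The rules, resources, principals and the class and function names are constructed for this illustration; the MFA condition ties the example back to the earlier section on multi-factor authentication.

```python
"""Policy decision point (PDP) and policy enforcement point (PEP) kept apart:
an added illustration, not code from the article or from the SP-010 pattern.
Rules, resources and principals are constructed samples."""
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: frozenset
    mfa_verified: bool
    resource: str
    action: str


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


@dataclass(frozen=True)
class Rule:
    resource: str
    actions: frozenset
    roles: frozenset            # "*" matches any authenticated subject
    require_mfa: bool = False


class PolicyDecisionPoint:
    """Holds the policy. Knows nothing about how or where access is enforced."""

    def __init__(self, rules: list):
        self.rules = list(rules)

    def decide(self, req: AccessRequest) -> Decision:
        for rule in self.rules:
            if rule.resource != req.resource or req.action not in rule.actions:
                continue
            if "*" not in rule.roles and not (rule.roles & req.roles):
                continue
            if rule.require_mfa and not req.mfa_verified:
                return Decision(False, "mfa_required")
            return Decision(True, f"rule:{rule.resource}:{req.action}")
        return Decision(False, "no_matching_rule")   # default deny


class PolicyEnforcementPoint:
    """Sits in front of a resource: asks the PDP and enforces the answer. No policy here."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit: list = []   # (subject, resource, action, permitted, reason)

    def guard(self, resource: str, action: str):
        def decorator(fn):
            @wraps(fn)
            def wrapper(principal: dict, *args, **kwargs):
                req = AccessRequest(principal["name"], frozenset(principal["roles"]),
                                    principal.get("mfa_verified", False), resource, action)
                d = self.pdp.decide(req)
                self.audit.append((req.subject, resource, action, d.permit, d.reason))
                if not d.permit:
                    raise PermissionError(f"{req.subject} {action} {resource}: {d.reason}")
                return fn(principal, *args, **kwargs)
            return wrapper
        return decorator


RULES = [
    Rule("payroll", frozenset({"read", "write"}), frozenset({"finance"}), require_mfa=True),
    Rule("wiki", frozenset({"read"}), frozenset({"*"})),
]


def walkthrough() -> dict:
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(RULES))

    @pep.guard("payroll", "read")
    def read_payroll(principal):
        return "payroll data"

    @pep.guard("wiki", "read")
    def read_wiki(principal):
        return "wiki page"

    def attempt(fn, principal):
        try:
            return fn(principal)
        except PermissionError:
            return "deny:" + pep.audit[-1][4]

    alice = {"name": "alice", "roles": {"finance"}, "mfa_verified": True}
    alice_no_mfa = {**alice, "mfa_verified": False}
    bob = {"name": "bob", "roles": {"helpdesk"}, "mfa_verified": True}
    return {
        "alice_payroll": attempt(read_payroll, alice),
        "alice_payroll_no_mfa": attempt(read_payroll, alice_no_mfa),
        "bob_payroll": attempt(read_payroll, bob),
        "bob_wiki": attempt(read_wiki, bob),
        "audit_entries": len(pep.audit),
    }


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

Because the PEP contains no rules of its own, a policy change (a new role, a stricter MFA requirement) is made once in the PDP and applies to every guarded resource, and the audit trail produced at the enforcement point records every decision and its reason without the application needing to know why access was refused.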

Choosing an IAM solution

Modern IAM solutions are often cloud-based, software-as-a-service applications which can be rapidly deployed. Choosing a suitable solution requires a clear statement of your organisation’s requirements, based on its systems, applications, data, business model and regulatory environment, mapped against each solution’s features and capabilities, as well as cost.
