
Identity and Access Management in the Cloud: Policies & Best Practices

By Frank Smith | January 25, 2021
Frank is Manager of Ntiva's cybersecurity and consulting practice, has deep expertise in the government contracting space, and holds multiple security certifications including CISSP and CMMC-AB practitioner.

What is identity and access management (IAM)? The simple answer is, IAM systems give the right level of data access to people who interact with your organization. Today, most of that happens through cloud-based apps and services.

Cloud security sure was much simpler to manage back when your company was contained by a building with an entrance - and maybe even a physical security fence!

Physical boundaries meant you could easily check the credentials of employees and visitors as they entered the premises, and from that limited pool of individuals you could then further control who had access privileges to the computers that were inside.

Before networks arrived, all your information technology assets were literally under lock and key and user access was easier to administer; then came on-site servers, and later cloud-based ones.

But things have changed - drastically.

Did you notice the phrase above, "...people who interact with your organization" and wonder why it doesn't just say 'employees'? It's because those users could also be customers, trusted partners, or external contractors too.

Remote network access and cloud-based services have made it easier for just about everyone to access your company data, but it's also made security a much bigger challenge.

 

Why is Identity and Access Management (IAM) Important?

Identity and access management isn’t just one thing.

It’s a collection of processes, policies, and technologies that let your business manage digital identities and control who gets access to what information technology resources within your organization.

The main objective of an IAM system is to assign one digital identity to each user access candidate, and then allow that profile to be maintained, monitored, modified, protected, and eventually closed down.

That's the identity management side of the IAM equation, but there's an access management side of it too because one identity will most likely need different access privileges for different resources.

So, with that in mind, there are two main reasons why IAM systems are so important.

The first is business-related.

Your organization can only work if the information that is its lifeblood can be shared with the people who need it, when they need it, and in a secure manner.

But maintaining access to cloud services while also keeping it watertight is an around-the-clock job with lots of moving parts and lots of opportunities for slip-ups.

Luckily, identity and access management (IAM) technologies can now automate user authentication and enhance security.

The second reason why IAM systems are important is cybercrime, which is now at epidemic levels.

Ransomware attacks are predicted to cost global companies more than $21 billion during 2021 – 57 times more than in 2015. With such rich pickings to be had, attacks are increasing by the day.

You are guaranteed to be targeted eventually, but it's not as if you can simply deny access to intruders at the front desk anymore.

Security has become a lot more complicated than that thanks to remote work.

Now the people who need to use your cloud systems could be logging in from anywhere – like their homes, the office, or halfway up a mountain, and even when they're entirely trustworthy, they can still make your business vulnerable.

People are often the weakest link in any security chain.

For instance, employees can click on bad links, choose weak passwords, forget them, write them on a piece of paper (not secure), lose their mobile devices, leave the organization, change roles, and generally do things that demand an identity and access management system that's as flexible as it is secure. 

Securely maintaining access privileges to cloud-hosted systems means keeping a lot of plates spinning in the air at once.

If you've been wondering whether you have the time or the expertise to manage this critical and complex suite of tasks in-house, let's explore why you might be better off entrusting them to an IT services team instead.

 

What is an IAM Tool?

Technologies used in IAM systems let you securely store user identity and profile information and restrict data access only to those who need it.

These IAM tools include provisioning software, identity repositories, security-policy enforcement applications, reporting applications, monitoring applications, and others.

Between them they allow you to control and automate user access to all the information at your enterprise.

Here's a list of some of the most commonly used IAM tools for the management of user access and identities:

  • Single Sign-On

Not all IAM systems use this, but the best ones certainly do.

As the name suggests, single sign-on (SSO) lets individual users sign into lots of different apps using a single set of login credentials for authentication of their digital identities.

When they try to log into services or use an application, a trusted third party verifies that it's them using Authentication-as-a-Service (AaaS) or Identity-as-a-Service (IDaaS).

The third-party provider handles the registration and authentication of users and manages their information. That appeals to users because they have fewer passwords to remember, and to your enterprise because it has fewer identity and access management credentials to manage.

It ultimately means better identity protection in IAM systems and more security for customers, partners, and vendors.

  • Multi-Factor Authentication

Multi-factor authentication requires users to provide more than one identifying factor:

  • Something they know: a password.
  • Something they possess: a six-digit code emailed to them or texted to their smartphone, or a code produced by an authentication app or hardware device they've been given.
  • Something unique to them: biometrics such as fingerprints or facial features.

Each additional request for information presents another stumbling block for hackers to overcome.

Best practices like this enable IAM systems to take cloud resource protection beyond simple password use.
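The "code produced by an authentication app" is normally a time-based one-time password (TOTP, RFC 6238), built on HMAC-based one-time passwords (HOTP, RFC 4226). The block below is an added example, not code from Ntiva or from any particular IAM product: it implements both algorithms with the standard library and a server-side verifier that tolerates one step of clock drift, compares codes in constant time, and records the last accepted counter per user so that a code captured in transit cannot be replayed within the same window. The secret is the RFC test-vector secret and is used here only so the output can be checked against the published vectors; the `TotpVerifier` class and its `window`/`step` parameters are this example's own design, not a named library API.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# Constructed for the demo only; real secrets are random and per-user.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to a
    31-bit integer (offset taken from the low nibble of the last byte), then
    reduced modulo 10**digits and left-padded with zeros.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP whose counter is the
    number of `step`-second windows elapsed since the Unix epoch."""
    return hotp(secret, int(timestamp) // step, digits)


class TotpVerifier:
    """Server-side check of the 'something they possess' factor.

    Accepts the current window plus `window` neighbours on each side (clock
    drift), compares in constant time, and remembers the last accepted counter
    per user so the same code is never accepted twice (replay protection).
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter: Dict[str, int] = {}  # user -> last accepted counter

    def verify(self, user: str, secret: bytes, code: str,
               timestamp: Optional[float] = None) -> bool:
        if timestamp is None:
            timestamp = time.time()
        # Reject malformed input before doing any cryptographic work.
        if not (code.isdigit() and len(code) == self.digits):
            return False
        now = int(timestamp) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now + delta
            # Never accept a counter at or before the last one this user used.
            if counter <= self._last_counter.get(user, -1):
                continue
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the SHA-1 code is 94287082; six digits -> 287082.
    print("TOTP at t=59:", totp(DEMO_SECRET, 59))
    v = TotpVerifier()
    print("first use accepted:", v.verify("alice", DEMO_SECRET, "287082", 59))
    print("replay accepted:", v.verify("alice", DEMO_SECRET, "287082", 59))
```

The replay check matters because a phishing page or a compromised endpoint can forward a valid code to the real service within the same 30-second window; storing the last accepted counter turns that into a rejected duplicate. The drift window should stay small (one step either side), since every extra window multiplies the number of codes an attacker can guess against.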

  • Privileged Access Management

You don’t want just anybody to have access to your critical resources.

Privileged access management (PAM) solutions assist with securing, controlling, managing, and monitoring privileged access to critical assets in the cloud.

This is the sort of top-level access given to senior staff that cybercriminals are so keen to get their hands on.

PAM solutions will often lock away privileged admin account credentials, so users must go through the PAM system to get at their login information (and during the authentication process their access activity is recorded, too).

PAM uses a "belt and braces" approach to user access, or perhaps a better analogy would be that it's authentication that's based on locking the combination to one safe inside another safe, creating an extra barrier to entry. 

  • Risk-Based Authentication (RBA)

You might have come across this if you have ever tried to access your bank account from a new device or a new location.

Risk-based authentication systems look at factors like what device you're using, IP address, geographical location, and network to assess the level of risk your request poses. 

This type of identity and access management can flag potential intrusions when users try to access applications or information from an unexpected location, or from a new device or network.

The system weighs up the perceived risks and then either bars them or else asks them for extra information to establish their identity.
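The paragraphs above describe a scoring decision: several signals (device, IP address, location, network) are weighed and the result is allow, step up, or deny. The block below is an added example, not Ntiva's code or any vendor's engine: it scores a login attempt against the user's history with constructed weights and thresholds, and returns the decision together with the reasons, which is what an analyst needs when reviewing a flagged login. The user history, the weights, the thresholds, the documentation-range IP and ASN values are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str
    ip: str
    country: str
    network: str  # the ISP / ASN the source IP belongs to


@dataclass
class UserHistory:
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_networks: Set[str]


# Constructed signal weights; a real deployment tunes these from its own data.
RISK_WEIGHTS: Dict[str, int] = {
    "new_device": 30,
    "new_country": 40,
    "new_network": 15,
    "denylisted_ip": 100,
}
# Constructed denylist using a TEST-NET-3 (documentation range) address.
IP_DENYLIST: Set[str] = {"203.0.113.77"}

STEP_UP_THRESHOLD = 30  # at or above: ask for an additional factor
DENY_THRESHOLD = 70     # at or above: refuse the login outright


def score_attempt(attempt: LoginAttempt, history: UserHistory) -> Tuple[int, List[str]]:
    """Return the additive risk score and the list of signals that fired."""
    reasons: List[str] = []
    if attempt.ip in IP_DENYLIST:
        reasons.append("denylisted_ip")
    if attempt.device_id not in history.known_devices:
        reasons.append("new_device")
    if attempt.country not in history.usual_countries:
        reasons.append("new_country")
    if attempt.network not in history.usual_networks:
        reasons.append("new_network")
    return sum(RISK_WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    """Map a score onto the three outcomes the text describes."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(attempt: LoginAttempt, histories: Dict[str, UserHistory]) -> Tuple[str, int, List[str]]:
    """Full decision for one attempt: (decision, score, reasons)."""
    history = histories.get(attempt.user)
    if history is None:
        # No profile to compare against: fail closed rather than fail open.
        return "deny", DENY_THRESHOLD, ["unknown_user"]
    score, reasons = score_attempt(attempt, history)
    return decide(score), score, reasons


# Constructed history for one user; AS64496 is in the reserved documentation ASN range.
HISTORIES: Dict[str, UserHistory] = {
    "alice": UserHistory({"laptop-01"}, {"US"}, {"AS64496"}),
}

if __name__ == "__main__":
    for a in (
        LoginAttempt("alice", "laptop-01", "198.51.100.10", "US", "AS64496"),
        LoginAttempt("alice", "phone-77", "198.51.100.10", "US", "AS64496"),
        LoginAttempt("alice", "phone-77", "192.0.2.44", "DE", "AS64497"),
    ):
        print(a.device_id, a.country, "->", evaluate(a, HISTORIES))
```

Returning the reasons alongside the decision is deliberate: a bare "deny" gives the help desk nothing to act on, whereas "new_device, new_country" tells them exactly which step-up or verification to run. The thresholds here are illustrative; in production they are set from observed false-positive rates.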

  • Data Governance

Data governance refers to the sets of policies and standards that define how an organization’s users get to interact with its data, and this also includes the subset of information technology tools needed to preserve data integrity.

Or to put it another way, it covers the rules about what data users are allowed to access, who they can share it with, what data they can change, how much they can change it, and under what circumstances.

  • Federated Identity Management (FIM)

With this process, multiple organizations share the same user login credentials. Each business maintains its own identity management system, but they all link to a trusted third party that stores the user’s credentials. Single sign-on is an IAM tool that uses FIM.

  • Identity Analytics (IA) 

IA systems use machine learning algorithms that allow your organization to detect and stop risky behaviors by users.


IAM Administration Benefits

By implementing this list of tools, your IAM system will be able to achieve these key outcomes:

  • recording, capturing, and authenticating user login details such as usernames, passwords, and certificates
  • tracking and reporting on everything users do when they access cloud-based systems and data
  • managing the user database, including job roles: adding, deleting, and amending them
  • creating a detailed login history for audit purposes
  • enforcing system access policies
  • achieving compliance with regulations

 

Identity and Access Management (IAM) Concepts

IAM systems are built on certain core ideas that are crucial to their success: 

  • Zero-Trust

Zero-Trust is a key security concept that underpins the whole approach to identity and access management now.

The idea is to trust no one, because you can't rely on reception staff or a company firewall to keep data safe, and because intruders will try to use stolen credentials, phishing attacks, or malicious code to find a way in.

Nobody who tries to access your resources is above suspicion, so they are only granted access when their credentials have been established beyond doubt.

IAM should adhere to this principle so that companies can constantly assess and verify the people accessing their resources.

  • Role-Based Access Control

As we mentioned, IAM frameworks need to control how users access critical information and resources using the principle of role-based access control.

A user’s job title, level of authority, and level of responsibility within the organization should be used to determine what networks or systems they get to access, and whether their privileges include sharing, editing, or just viewing information. 

Part of the thinking here is that if you only give employees access to what they need to fulfill their role and no more, it helps to limit the potential damage that can be caused if their credentials are ever compromised (and limit what damage they can do too).

  • Automatic De-Provisioning

In the identity management world, 'de-provisioning' is a slightly jargonistic way of saying that you remove someone's access privileges to cloud-based apps and information technology resources when they leave the business or change their role (since a new role may come with different access requirements).

If access control for leavers were left to a manual process, it might be overlooked, but the right IAM solution can follow policies and revoke these privileges automatically.

Removing expired identities, passwords, and privileges closes potential network security risks to hackers.
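The role-based access control section and the de-provisioning section above describe one mechanism seen from two sides: permissions are attached to roles rather than people, so a role change or departure is handled by changing the assignment, not by hunting down individual grants. The block below is an added example, not Ntiva's code or a product's API: a small access directory that evaluates permissions deny-by-default, revokes a mover's old role before granting the new one, and reconciles itself against an HR list of active users so leavers lose access without a manual ticket. The role catalogue, user names, and permission strings are constructed for the example.

```python
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed role catalogue: each role carries only what that job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "report-viewer": {"reports:read"},
    "report-editor": {"reports:read", "reports:write"},
    "finance-admin": {"reports:read", "reports:write", "reports:share", "payroll:read"},
}


class AccessDirectory:
    """User-to-role assignments plus an append-only audit trail."""

    def __init__(self) -> None:
        self._roles: Dict[str, Set[str]] = {}
        self.audit: List[str] = []

    def _log(self, event: str) -> None:
        self.audit.append(f"{datetime.now(timezone.utc).isoformat()} {event}")

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self._roles.setdefault(user, set()).add(role)
        self._log(f"ASSIGN user={user} role={role}")

    def permissions_of(self, user: str) -> Set[str]:
        """Union of the permissions of every role the user holds."""
        perms: Set[str] = set()
        for role in self._roles.get(user, ()):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def is_allowed(self, user: str, permission: str) -> bool:
        # Deny by default: an unknown user or an empty role set gets nothing.
        return permission in self.permissions_of(user)

    def change_role(self, user: str, new_role: str) -> None:
        """Mover: revoke every old role first, then grant the new one."""
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {new_role}")
        for old in sorted(self._roles.get(user, set())):
            self._log(f"REVOKE user={user} role={old} reason=role_change")
        self._roles[user] = set()
        self.assign_role(user, new_role)

    def deprovision(self, user: str) -> None:
        """Leaver: drop every role and record it."""
        if self._roles.pop(user, None) is not None:
            self._log(f"DEPROVISION user={user}")

    def reconcile(self, active_users: Set[str]) -> List[str]:
        """Automatic de-provisioning against an HR feed of active users.

        Anyone holding roles who is no longer active loses them all; the
        returned list is what an operator would expect to see in a report.
        """
        leavers = sorted(u for u in self._roles if u not in active_users)
        for user in leavers:
            self.deprovision(user)
        return leavers


if __name__ == "__main__":
    d = AccessDirectory()
    d.assign_role("alice", "report-editor")
    d.assign_role("bob", "finance-admin")
    print("alice write:", d.is_allowed("alice", "reports:write"))
    d.change_role("alice", "report-viewer")
    print("alice write after move:", d.is_allowed("alice", "reports:write"))
    print("leavers removed:", d.reconcile({"alice"}))
    print("\n".join(d.audit))
```

Two design points carry the security weight. `change_role` clears before it grants, so a mover never accumulates privileges from past jobs. `reconcile` is driven by the authoritative source of who is employed, so the revocation does not depend on a manager remembering to raise a request; running it on a schedule is what makes de-provisioning "automatic" in the sense the text uses.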

  • Employee and Equipment Identity Management 

Every person in the business needs a digital identity, as does every trusted partner, but so do devices and applications too.

The "Internet of Things" means that many more pieces of equipment may be connected to the network, which means more risk potential. IAM systems need to account for them all, especially since hackers have been known to target and exploit overlooked devices.


Advantages of an Identity and Access Management System

IAM solutions help organizations to realize the full advantages of cloud-based services.

Secure network access to cloud-based apps and resources for more staff, contractors, customers, and partners means that all of these users can be more efficient and productive because the security risks are comprehensively managed. 

IAM solutions take the pressure off help desks too through automation.

Because identity management is automated, there are fewer calls for staff to reset passwords and fewer help desk requests to deal with. A user can establish their identity without bothering system administrators, who are then freed up to spend more of their time on tasks that are more valuable to the business.

Better identity management reduces the risk of data breaches. Hackers are targeting user credentials more often in their efforts to access enterprise network systems.

Data and privacy regulations are growing ever more stringent too, and IAM systems using best practices help your organization to meet its compliance obligations.

 

Is Active Directory an Identity Management System?

No, but it can be part of one.

Microsoft's Active Directory is the dominant directory service for handling logins and other admin functions on Windows networks.

But while it can issue basic access rights for systems, it can't cover the full range of user access needs that a true IAM system has to handle.

It lacks comprehensive auditing features and it can't cope with privileged access and edge cases like contractors and vendors, but it can work alongside other tools that fill the gaps it leaves.

 

Implementing IAM

We've looked at quite a few IAM technologies and concepts, ways to manage access, govern security, secure systems, validate users, and so on, and this might have given you the impression that IAM is only viable for enterprise users.

Actually, even smaller organizations can implement IAM tools and best practices. 

Cost-conscious SMEs can get on board with IAM cloud solutions fairly quickly, and you don't need to incorporate every identity management feature either.

Just pick and choose the most useful tools, treating them as 'bolt-on' components to help you manage access rights, roles, user accounts, security, and so on.

As an IT service provider, Ntiva can walk you through what you need to create the custom, cost-effective IAM solution that best suits your needs.

Contact us today to discuss how we can help you with your IAM challenges.

