Understanding the Basics of Identity and Access Management – Irish Tech News

Guest post by Alex Vakulov.
Identity and Access Management (IAM) technologies give all of your applications a single, shared identity service, which makes life much simpler for users and improves the security of the systems themselves. To avoid common mistakes, a company should start building its access control system by introducing IAM services.
Quite often, information technology mirrors familiar situations from everyday life. For example, imagine the access control system of an ordinary business centre. Usually, an employee of a tenant company creates a guest pass request. The visitor shows an ID card, and the security officer issues a one-time pass card.
In the digital world, information systems and applications are like office tenants in business centres. Applications need their own access system. In this system, accounts must be created, and different permissions should be assigned to users.
Each user must be identified and authenticated, much as at the security desk of a business centre. Instead of an ID card, the user presents a login and password; instead of a pass card, a session is created and a security token is issued.
The application then has to check that the security token presented by the user is genuine (its signature is valid and it was issued for this application), that it is not expired and not revoked, and that the rights specified in it correspond to the requested access level.
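The checks just described, written out as an added example in Python (this is illustrative code, not from the original article or any particular IAM product). The token format, the secret key and the revocation list are constructed for the demonstration; a real application would receive tokens from its IDP and load keys and revocation state from that service.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key. A real application loads this from a secret store.
SECRET_KEY = b"demo-secret-key-not-for-production"

# Constructed revocation list: token IDs (jti) invalidated before their expiry,
# for example after a logout or a reported session compromise.
REVOKED_TOKEN_IDS = {"sess-0002"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Issue a compact token: base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(tag)}"


def verify_token(token: str, audience: str, required_scope: str,
                 now: Optional[float] = None, key: bytes = SECRET_KEY) -> Tuple[bool, str]:
    """Return (accepted, reason). Integrity is checked before any claim is trusted."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        provided = _b64url_decode(sig)
    except ValueError:                      # wrong number of parts or bad base64
        return False, "malformed"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(expected, provided):
        return False, "bad signature"
    try:
        claims = json.loads(_b64url_decode(body))
    except ValueError:
        return False, "malformed"
    if not isinstance(claims, dict):
        return False, "malformed"
    if claims.get("aud") != audience:       # issued for a different application
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("jti") in REVOKED_TOKEN_IDS:
        return False, "revoked"
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a token for user "alice" valid until exp=2000 (seconds).
    token = issue_token({"sub": "alice", "aud": "payroll", "exp": 2000,
                         "jti": "sess-0001", "scope": "read write"})
    for args in [("payroll", "write", 1000), ("payroll", "write", 2000),
                 ("hr", "write", 1000), ("payroll", "admin", 1000)]:
        print(args, verify_token(token, *args))
```

The order of the checks matters: nothing inside the token is trusted until the signature has been verified, and the audience check stops a token issued for one application from being replayed against another.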
Companies use many different applications in their work, including desktop, mobile, and web applications. They can be deployed on company servers or cloud services. Often, each application approaches access control tasks on its own.
So, users are forced to remember plenty of passwords and to go through identification and authentication again and again. Password managers help, but they do not remove the password itself as the weak link: every application still accepts one, and a single compromised master password exposes every stored credential.
Let us imagine that all tenants in a business centre suddenly decide to install their own turnstiles, create their own pass bureaus, and issue their own passcards. This seems absurd but this is often the case in the digital world.
With the growing number of applications in use and the resulting password chaos, companies realise the need for centralised access control. What should such a system consist of?
An access control system can include the following services:
— Identity Management (IDM) services provide synchronisation of user accounts in applications, automate the creation and deletion of accounts, and assign and revoke permissions.
— Identity and Access Management (IAM) services provide Single Sign-On (SSO) and authentication, multi-factor authentication, and access control to web applications and services (API gateway, web proxy).
— Directory Services provide storage of user accounts, their attributes, permissions, and passwords.
Many companies start with the implementation of IDM solutions, but projects within this approach have drawbacks:
— They usually take a long time.
— They have high organisational complexity.
— They require a deep study of the company’s business processes.
The best alternative to such time-consuming projects is to implement IAM solutions and Directory Services first. Again, IAM is the gateway system for users of the company's applications: it unifies identity management, authentication, and user access control. Such projects do not take a lot of time and deliver results quickly, and they let the company identify the requirements (such as SSO support) that new applications must meet.
Prior to implementing IAM, a company might not even be aware of how important it is for applications to support sign-in through an external identity service. This functionality is achieved by supporting the SAML or OpenID Connect standards.
We can distinguish two IAM approaches:
— Enterprise single sign-on (ESSO)
— Identity Provider (Web SSO, IDP)
In the first case, when implementing the technology, an ESSO agent is installed on each user device. When the device is turned on, ESSO asks the user to go through identification and authentication using a combination of methods: password, smart card, biometrics.
After that, the user can launch an application. The application knows nothing about ESSO, so during startup it will try to show the user a screen asking for a login and password. At this moment the ESSO agent intercepts the login screen and enters the username and password on the user's behalf. Thus, the user gets reliable identification and authentication when logging into the device, as well as convenient automatic access to all company applications.
Because this approach relies on fooling the application, which still accepts a username and password, it remains possible to bypass the running ESSO agent and log in with the password directly. Many of the threats inherent in password authentication therefore remain, which is a clear drawback.
There is another important issue with ESSO. The agent may not be installable on all devices; there may be technical problems on Linux, macOS, Android and iOS.
The second technological approach is the introduction of an Identity Provider (IDP). This approach is free of the disadvantages of ESSO. The user can use any device; all that is needed is a web browser. Not only laptops and smartphones but also smart speakers, game consoles and Smart TVs can be used.
The price paid for this flexibility is the need to support IDP connectivity. In other words, the application must implement one of the IDP interoperability standards. Fortunately, more and more applications and cloud services already do this, so in practice this is rarely a drawback.
When using an IDP, the user contacts the application, and instead of displaying its own login screen, the application redirects the user to the IDP with an authentication request. If the IDP already has a session for the user, it verifies that the user is permitted to enter the application, records the fact of the visit, and sends the user's information from the company account directory to the application.
If the IDP does not know the user, it will ask him to first go through identification and authentication. Instead of just checking login and password, IDP can use additional authentication methods (depending on the login context and access policy). For example, when logging into an application from a work network, the user can be automatically identified based on the results of verification in the domain (Kerberos SSO).
If a user wants to enter a particularly important application or, for example, logs in from an unfamiliar device, the IDP may ask for additional confirmation, such as a one-time password sent by SMS or generated by a mobile authenticator application (the latter is preferable, since SMS codes can be intercepted through SIM swapping).
For identification, IDP can also use an external login system, for example, social networks, Apple ID, etc.
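The IDP decision logic described above (known user versus unknown user, context-dependent authentication methods, step-up for sensitive applications or unfamiliar devices, permission check, audit record, and the attributes sent to the application) as an added example in Python. This is illustrative code, not from the original article or any real IDP product; the directory, the application policy and the application names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample directory: the accounts and attributes the IDP can read.
DIRECTORY: Dict[str, dict] = {
    "alice": {"email": "alice@example.test", "groups": {"staff", "finance"}},
    "bob": {"email": "bob@example.test", "groups": {"staff"}},
}

# Constructed per-application policy; the application names are hypothetical.
APP_POLICY: Dict[str, dict] = {
    "wiki": {"allowed_groups": {"staff"}, "sensitive": False},
    "payroll": {"allowed_groups": {"finance"}, "sensitive": True},
}

# Every granted or refused visit is recorded here (the "fact of the visit").
AUDIT_LOG: List[dict] = []


@dataclass
class LoginContext:
    app: str                                        # application that redirected the user
    session_user: Optional[str] = None              # account behind an existing IDP session
    session_factors: FrozenSet[str] = frozenset()   # methods that session was built with
    from_corporate_network: bool = False
    device_known: bool = False
    kerberos_ticket_valid: bool = False


def required_factors(ctx: LoginContext) -> List[str]:
    """Pick authentication methods from the login context and the app's policy."""
    if ctx.from_corporate_network and ctx.kerberos_ticket_valid:
        factors = ["kerberos"]      # domain verification replaces the password prompt
    else:
        factors = ["password"]
    # Step-up: a sensitive application or an unfamiliar device adds a one-time password.
    if APP_POLICY[ctx.app]["sensitive"] or not ctx.device_known:
        factors.append("otp")
    return factors


def idp_decide(ctx: LoginContext) -> dict:
    """Answer an application's identification request with one of three actions."""
    if ctx.app not in APP_POLICY:
        return {"action": "deny", "reason": "unknown application"}
    if ctx.session_user is None:
        # The IDP does not know this user yet: identify and authenticate first.
        return {"action": "authenticate", "factors": required_factors(ctx)}
    # Known user: is the existing session strong enough for this request?
    missing = [f for f in required_factors(ctx)
               if f == "otp" and f not in ctx.session_factors]
    if missing:
        return {"action": "authenticate", "factors": missing}
    account = DIRECTORY.get(ctx.session_user)
    policy = APP_POLICY[ctx.app]
    granted = account["groups"] & policy["allowed_groups"] if account else set()
    if not granted:
        AUDIT_LOG.append({"user": ctx.session_user, "app": ctx.app, "result": "denied"})
        return {"action": "deny", "reason": "not permitted"}
    AUDIT_LOG.append({"user": ctx.session_user, "app": ctx.app, "result": "allowed"})
    # What the application receives instead of a password: directory attributes.
    return {
        "action": "issue_assertion",
        "claims": {"sub": ctx.session_user, "email": account["email"],
                   "groups": sorted(granted)},
    }


if __name__ == "__main__":
    print(idp_decide(LoginContext(app="wiki", from_corporate_network=True,
                                  device_known=True, kerberos_ticket_valid=True)))
    print(idp_decide(LoginContext(app="payroll", session_user="alice",
                                  session_factors=frozenset({"kerberos"}), device_known=True)))
```

Note that an existing session is not enough on its own: a user who signed in to the wiki with Kerberos and then opens payroll is sent back for a one-time password before any assertion is issued, and the assertion only carries the groups the application is entitled to see.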
The market offers a large and diverse range of IAM solutions. You can find products that are installed on the company's own servers and products rented as a cloud service (Identity-as-a-Service).
You can also build your own IAM on open-source components or use proprietary software. Once again, I want to emphasise that it is essential to start building an access control system with the introduction of IAM.
Written by Alex Vakulov

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He is writing for numerous tech-related publications sharing his security experience.