Data security and privacy are crucial, especially as the risk of identity theft continues to rise: 80% of breaches involve compromised credentials (link here). Identification, authentication, authorisation, and access management are fundamental pillars of cybersecurity, and Identity and Access Management (IAM) is the discipline that brings them together. This article examines the importance of IAM in the digital world, highlighting its benefits, its essential role in protecting sensitive data, and a practical example with Entra ID, Microsoft's cloud-based identity and access management service (formerly known as Azure Active Directory).
Introduction
Organisations today are facing an explosion in data volume and an unprecedented increase in security threats. According to ISACA (link here), in 2022, 76% of organisations were targeted by a ransomware attack, and 64% of those were actually infected. Cyberattacks, data breaches, and information leaks can paralyse an organisation's information system, bring production to a halt, and damage its reputation. In this context, identity and access security becomes a top priority for any organisation that must thrive in a digital environment.
The Foundations of IAM
IAM encompasses processes, policies, and technologies designed to securely manage user identification, authentication, authorisation, and access management to systems and data. It provides control over who has access to what, when, and how while respecting the fundamentals of IT security: confidentiality, integrity, availability, and traceability of information.
IAM is more than just a user and password management process. It is a strategic approach to securing access to digital assets (data, applications, software, etc.) while providing a smooth and seamless user experience.
Here are the main reasons why IAM is an essential pillar of modern cybersecurity for businesses.
Enhanced IT security
IAM provides centralised identity and access management, reducing the risk of data compromise and increasing resilience against cyberattacks.
Organisations can enforce the same security policy across the enterprise with an IAM tool. Using an IAM solution helps them limit user (or machine or software component) access to resources, significantly reducing the risk of unauthorised parties accessing (or even accidentally or intentionally using) sensitive data.
IAM methods like single sign-on (SSO) and multi-factor authentication (MFA) also reduce the risk that user credentials will be compromised or misused, because users no longer need to create and maintain a separate password for every application. And because users must present an additional authentication factor beyond the password (a one-time code from an authenticator app, a hardware security key, or an inherent factor such as a fingerprint) to reach protected resources, a stolen password alone is no longer enough for a malicious actor to gain access to critical resources. Note that SSO concentrates risk on the identity provider: the benefit only holds if the identity provider itself is protected by MFA and its sessions are monitored.
Enterprises can use IAM methods such as role-based or attribute-based access control (RBAC or ABAC, link here) and the principle of least privilege (giving each digital identity only the privileges strictly necessary to perform its tasks) both to limit the damage a compromised account can do and to meet regulatory requirements.
Regulatory Compliance
By providing access tracking and auditing tools, IAM helps organisations comply with privacy and data protection regulations in several ways (5 Key DORA Requirements).
- Activity tracking and access auditing: IAM tools record user activities, including access attempts, actions taken, and changes to permissions, making it easier to demonstrate compliance with data privacy regulations. For example, the European Union's Digital Operational Resilience Act (DORA, link here) requires financial entities to control and regularly review identities and access rights.
- Compliance reporting: IAM solutions make it easier for organisations to document and report on access policies, user activity, and the security measures in place. This helps demonstrate compliance with regulations (link here) such as the GDPR (General Data Protection Regulation) in Europe or the CPRA (California Privacy Rights Act) in the United States. These reports also help identify gaps in access control (orphaned accounts, excessive privileges, missing MFA), close them with appropriate safeguards, and reduce the risk of loss or unauthorised disclosure of sensitive data.
Improved or increased employee productivity
By automating authentication and access management processes, IAM reduces friction for end users and increases their productivity.
With security measures like SSO and MFA, organisations can strengthen data security while reducing the barriers that keep workers from being productive (link here). Employees can quickly access the resources needed to complete their tasks, regardless of location, and are more confident that they are working in a secure environment.
An IAM solution with automatic user provisioning allows employees to quickly request and obtain authorised access to different resources when needed without burdening IT or making IT a bottleneck that limits employee productivity.
Reduced IT costs
By streamlining identity and access management processes, IAM helps reduce operational costs associated with IT security (link here).
IAM solutions automate and standardise many identity, authentication, and authorisation management tasks so IT administrators can focus on tasks that add more value to the business.
According to Gartner Group, between 30% and 50% of IT help desk calls are for password resets (link here). Implementing Self-Service Password Reset (SSPR) significantly reduces this call volume by letting users reset their own passwords after proving their identity with another registered factor.
Additionally, many IAM services are now available as a service on cloud platforms, so the need to purchase, implement, and maintain on-premises infrastructure for IAM is significantly reduced or eliminated.
IAM Capabilities
Access management and sensitive data protection
IAM solutions allow or block access to sensitive data and applications by defining precise policies based on criteria such as time and location (link here). They impose strict permissions for data creation, modification, and deletion. For example, role-based access control (RBAC) limits user actions (link here), preventing temporary employees from sending or receiving data outside corporate systems.
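The policies described in this section (and the RBAC/ABAC and least-privilege methods mentioned under "Enhanced IT security") boil down to an evaluation engine that combines attributes of the subject, the action, the resource and the environment. The following is an added example written for this article, not code from the original page or from any IAM product: a small attribute-based policy evaluator in which an explicit deny always wins and anything not explicitly allowed is denied. Every policy, user, country and request in it is constructed; the business-hours window and the "FR" office location are assumptions.

```python
"""Attribute-based access decision with time and location conditions.

Added example, not code from the original article. Every policy, user and
request below is constructed for illustration. Rules: an explicit deny
always wins, and a request that matches no allow rule is denied (the
default-deny form of least privilege).
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    role: str          # subject attribute, e.g. "finance"
    employment: str    # subject attribute: "permanent" or "temporary"
    action: str        # e.g. "read", "send_external"
    resource: str      # e.g. "payroll-db"
    when: datetime     # environment attribute (assumed server-side clock)
    country: str       # environment attribute (assumed resolved from source IP)


@dataclass
class Policy:
    name: str
    effect: str                                   # "allow" or "deny"
    conditions: List[Callable[[Request], bool]] = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        return all(cond(req) for cond in self.conditions)


def within_business_hours(req: Request) -> bool:
    """Monday to Friday, 08:00 to 19:00 (constructed policy window)."""
    return req.when.weekday() < 5 and time(8, 0) <= req.when.time() <= time(19, 0)


POLICIES = [
    # Temporary staff may never move data outside corporate systems.
    Policy("temps-cannot-send-external", "deny",
           [lambda r: r.employment == "temporary",
            lambda r: r.action == "send_external"]),
    # Payroll data only from the French office network, during business hours.
    Policy("payroll-only-from-fr-in-hours", "deny",
           [lambda r: r.resource == "payroll-db",
            lambda r: r.country != "FR" or not within_business_hours(r)]),
    # Finance may read payroll and send extracts to the auditor.
    Policy("finance-uses-payroll", "allow",
           [lambda r: r.role == "finance",
            lambda r: r.resource == "payroll-db",
            lambda r: r.action in ("read", "send_external")]),
    Policy("anyone-reads-wiki", "allow",
           [lambda r: r.resource == "wiki", lambda r: r.action == "read"]),
]


def decide(req: Request, policies=POLICIES) -> Tuple[str, str]:
    """Return (decision, reason). Deny overrides allow; no match means deny."""
    matched = [p for p in policies if p.matches(req)]
    for p in matched:
        if p.effect == "deny":
            return "deny", p.name
    for p in matched:
        if p.effect == "allow":
            return "allow", p.name
    return "deny", "default-deny"


# Constructed requests; 2024-06-04 is a Tuesday, 2024-06-08 a Saturday.
SAMPLE_REQUESTS = {
    "finance-read-in-hours": Request("alice", "finance", "permanent", "read",
                                     "payroll-db", datetime(2024, 6, 4, 10, 0), "FR"),
    "finance-read-at-night": Request("alice", "finance", "permanent", "read",
                                     "payroll-db", datetime(2024, 6, 4, 22, 0), "FR"),
    "finance-read-abroad": Request("alice", "finance", "permanent", "read",
                                   "payroll-db", datetime(2024, 6, 4, 10, 0), "US"),
    "temp-sends-external": Request("tom", "finance", "temporary", "send_external",
                                   "payroll-db", datetime(2024, 6, 4, 10, 0), "FR"),
    "engineer-reads-wiki": Request("eve", "engineer", "permanent", "read",
                                   "wiki", datetime(2024, 6, 8, 3, 0), "US"),
    "engineer-reads-payroll": Request("eve", "engineer", "permanent", "read",
                                      "payroll-db", datetime(2024, 6, 4, 10, 0), "FR"),
}


def evaluate_samples(samples=SAMPLE_REQUESTS) -> dict:
    """Evaluate every constructed request and return {name: (decision, reason)}."""
    return {name: decide(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (decision, reason) in evaluate_samples().items():
        print(f"{name:24} {decision:5} ({reason})")
```

Two design points worth noting: the deny-first ordering means the "temporary employee" rule blocks the external send even though a role-based allow rule would otherwise have matched, and the trailing default deny is what makes the engine least-privilege by construction rather than by the diligence of whoever writes the allow rules.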
Identity Lifecycle Optimization
IAM makes it easier to manage the identity lifecycle, including employee onboarding, offboarding, and transfers, while ensuring appropriate access and prompt revocation. Additionally, it enables fine-grained role and entitlement management, ensuring that each user has access only to the resources needed for their job.
Segregation of Duties (SoD)
SoD is the principle that no single user should have complete control over a sensitive system, process, or activity. It is implemented as a set of controls that require more than one person to complete a sensitive task, in order to prevent fraud or error (link here). In a payroll department, for example, one employee may be responsible for the accounting entries and another for signing the cheques. IAM solutions enforce this separation by defining pairs of conflicting roles, blocking assignments that would combine them, and periodically detecting combinations that have crept in, for instance through group membership.
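The check an IAM tool runs for this is an added example written for this article, not code from the original page or from any IAM product. It computes each identity's effective roles (direct assignments plus roles inherited through group membership, which is where conflicts usually hide), compares every pair against a list of toxic combinations, and also offers a preventive check to refuse a new assignment that would create a conflict. All users, groups, roles and conflict pairs are constructed.

```python
"""Segregation-of-duties (SoD) detection and prevention over role assignments.

Added example, not code from the original article. All identities, groups,
roles and conflict pairs below are constructed for illustration.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Pairs of roles that must never be held by the same identity (constructed).
TOXIC_PAIRS = {
    frozenset({"payroll-accounting", "payroll-check-signing"}),
    frozenset({"vendor-create", "payment-approve"}),
    frozenset({"developer", "prod-deployer"}),
}

# Roles granted by group membership (constructed).
GROUP_ROLES: Dict[str, Set[str]] = {
    "grp-payroll-ops": {"payroll-accounting"},
    "grp-treasury": {"payroll-check-signing", "payment-approve"},
}

# Roles assigned directly to a user (constructed).
DIRECT_ROLES: Dict[str, Set[str]] = {
    "alice": {"payroll-accounting"},
    "bob": {"payroll-check-signing"},
    "carol": {"payroll-accounting"},
    "dave": {"vendor-create", "developer"},
}

# Group memberships (constructed). carol and dave inherit conflicting roles.
MEMBERSHIPS: Dict[str, Set[str]] = {
    "alice": {"grp-payroll-ops"},
    "carol": {"grp-treasury"},
    "dave": {"grp-treasury"},
}


def effective_roles(user: str, direct=DIRECT_ROLES, memberships=MEMBERSHIPS,
                    group_roles=GROUP_ROLES) -> Set[str]:
    """Direct roles plus every role granted by the user's groups."""
    roles = set(direct.get(user, set()))
    for group in memberships.get(user, set()):
        roles |= group_roles.get(group, set())
    return roles


def find_sod_violations(direct=DIRECT_ROLES, memberships=MEMBERSHIPS,
                        group_roles=GROUP_ROLES,
                        toxic_pairs=TOXIC_PAIRS) -> List[Tuple[str, str, str]]:
    """Detective control: list (user, role_a, role_b) for every toxic combination held."""
    violations = []
    for user in sorted(set(direct) | set(memberships)):
        roles = effective_roles(user, direct, memberships, group_roles)
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in toxic_pairs:
                violations.append((user, a, b))
    return violations


def can_assign(user: str, new_role: str, direct=DIRECT_ROLES, memberships=MEMBERSHIPS,
               group_roles=GROUP_ROLES, toxic_pairs=TOXIC_PAIRS) -> Tuple[bool, List[str]]:
    """Preventive control: refuse a role that would conflict with an effective role."""
    current = effective_roles(user, direct, memberships, group_roles)
    conflicts = sorted(r for r in current if frozenset({r, new_role}) in toxic_pairs)
    return (not conflicts, conflicts)


if __name__ == "__main__":
    for user, a, b in find_sod_violations():
        print(f"SoD violation: {user} holds both {a} and {b}")
    print("bob -> payroll-accounting:", can_assign("bob", "payroll-accounting"))
```

Running the detective check is the periodic "access review" an auditor asks for; the preventive check belongs in the request workflow, so that a conflicting role is rejected at the moment it is requested rather than discovered months later.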
Identity Reconciliation
Identity reconciliation matches the accounts that exist in each system against the identities held in an authoritative source, typically the HR system (link here). The comparison reveals orphaned accounts that belong to nobody, accounts that survive an employee's departure, and people who have no account yet. It also verifies that each user's access rights and privileges are appropriately assigned and in line with their role and responsibilities, in accordance with the principle of least privilege (link here). IAM solutions automate this process, ensuring appropriate access and compliance with security policies.
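What such a reconciliation run actually does is shown below in an added example written for this article, not code from the original page or from any IAM product. It matches accounts to HR records first by employee ID and then by e-mail address, reports orphaned accounts, accounts still active for terminated staff, entitlements beyond the baseline for the person's job title, and active employees who have not been provisioned. The HR records, accounts, entitlement names and job-title baseline are all constructed.

```python
"""Identity reconciliation against an authoritative HR source.

Added example, not code from the original article. The HR records, accounts,
entitlements and the job-title baseline below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    email: str
    job_title: str
    status: str                 # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    email: str                  # may be empty for service accounts
    employee_id: Optional[str]  # correlation attribute, not always populated
    entitlements: FrozenSet[str]


HR: List[HrRecord] = [
    HrRecord("E001", "alice@example.com", "Payroll Analyst", "active"),
    HrRecord("E002", "bob@example.com", "Sysadmin", "active"),
    HrRecord("E003", "carol@example.com", "Payroll Analyst", "terminated"),
    HrRecord("E004", "dan@example.com", "Sysadmin", "active"),       # no account yet
]

ACCOUNTS: List[Account] = [
    Account("alice", "alice@example.com", "E001", frozenset({"payroll-read"})),
    # No employee ID and mixed-case e-mail: matched by e-mail; holds an extra entitlement.
    Account("bob", "Bob@Example.com", None, frozenset({"vm-admin", "vpn", "payroll-read"})),
    Account("carol", "carol@example.com", "E003", frozenset({"payroll-read"})),
    # Service account with no owner: an orphan.
    Account("svc-backup", "", None, frozenset({"vm-admin"})),
]

# Entitlements a job title is expected to hold (constructed least-privilege baseline).
BASELINE: Dict[str, Set[str]] = {
    "Payroll Analyst": {"payroll-read"},
    "Sysadmin": {"vm-admin", "vpn"},
}


def reconcile(hr=HR, accounts=ACCOUNTS, baseline=BASELINE) -> dict:
    """Correlate accounts with HR records and report every discrepancy found."""
    by_id = {r.employee_id: r for r in hr}
    by_email = {r.email.lower(): r for r in hr}
    result = {"matched": {}, "orphaned": [], "terminated_still_active": [],
              "excess_entitlements": {}, "unprovisioned": []}
    seen: Set[str] = set()
    for acct in accounts:
        rec = by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None and acct.email:
            rec = by_email.get(acct.email.lower())      # fallback correlation key
        if rec is None:
            result["orphaned"].append(acct.username)
            continue
        result["matched"][acct.username] = rec.employee_id
        seen.add(rec.employee_id)
        if rec.status != "active":
            result["terminated_still_active"].append(acct.username)
            continue
        extra = set(acct.entitlements) - baseline.get(rec.job_title, set())
        if extra:
            result["excess_entitlements"][acct.username] = extra
    result["unprovisioned"] = sorted(r.employee_id for r in hr
                                     if r.status == "active" and r.employee_id not in seen)
    return result


if __name__ == "__main__":
    for key, value in reconcile().items():
        print(f"{key:24} {value}")
```

In practice the correlation rule (employee ID, then e-mail) is the fragile part: an account that matches nothing is not automatically malicious, but it has no owner to answer for it, which is exactly why orphans are reviewed first.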
A concrete example of an IAM project
A large international company, a client of Devoteam, needed to define a target Entra ID configuration for external identity management. This involved configuring an Entra ID environment dedicated to the secure management of external user accounts that require access to the organisation's sensitive applications.
The main objectives of the project were:
- Define specific Entra ID configurations for each type of application (B2B, B2C).
- Enforce the principle of least privilege by limiting administration and access rights per application.
- Strengthen access security by defining conditional access policies and enforcing multi-factor authentication (MFA).
- Implement a granular group and role management system in Entra ID to manage resource access permissions.
Risks associated with this project include:
- Misconfiguration of security settings exposing critical applications to cyberattacks.
- Unauthorised access: poorly implemented conditional access policies (a policy left in report-only mode, an application excluded by mistake, or a grant control that MFA can be bypassed through) could give unauthorised users access to applications.
- Group and Role Management: Complex granular management that can cause permission and application access issues if poorly managed.
The challenges of the project are as follows:
- Resource Protection: Ensure only authorised external users access customer applications, protecting corporate data and systems from unauthorised access and cyberattacks.
- Centralised management of external identities: Have a centralised solution to efficiently manage external identities.
- Secure and seamless access: Specific configurations tailored to external user types (B2B, B2C) and well-defined conditional access policies ensure secure and efficient application access while improving external user satisfaction and productivity.
- Reducing operational risk: Applying the principle of least privilege to grant users only the rights necessary to perform their tasks.
Result: Thanks to this project, the client now has a solution to manage its external users while improving the security of access to its resources.
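The "unauthorised access" risk listed above is a configuration gap, and it can be checked mechanically. The following is an added example written for this article, not the client's or Devoteam's code: it audits a set of Conditional Access policies and lists every application that guest (B2B) users can reach without enforced MFA. The policy documents are constructed but shaped after the Microsoft Graph conditionalAccessPolicy resource (state, conditions.users, conditions.applications, grantControls); the application IDs and policy names are made up. It deliberately treats three real-world traps as "not covered": a policy in report-only mode, an application excluded from an otherwise global policy, and an OR grant such as "MFA or compliant device", which a compliant device satisfies on its own.

```python
"""Audit Conditional Access policies for guest applications lacking enforced MFA.

Added example, not the project's code. Policies below are constructed and
only shaped after the Microsoft Graph conditionalAccessPolicy resource;
application IDs and names are made up.
"""
from typing import Dict, List

APPS: Dict[str, str] = {                     # constructed: app id -> display name
    "app-partner-portal": "Partner Portal",
    "app-supplier-invoices": "Supplier Invoices",
    "app-internal-wiki": "Internal Wiki",
}

POLICIES: List[dict] = [
    {   # Correct: enabled, targets guests, single MFA grant control.
        "displayName": "Guests: MFA for partner portal",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": []},
            "applications": {"includeApplications": ["app-partner-portal"],
                             "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Trap 1: report-only mode looks right in the portal but enforces nothing.
        "displayName": "Guests: MFA for supplier invoices (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": []},
            "applications": {"includeApplications": ["app-supplier-invoices"],
                             "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Trap 2: OR with compliantDevice; trap 3: the wiki is excluded.
        "displayName": "All users: MFA or compliant device on all apps",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"],
                             "excludeApplications": ["app-internal-wiki"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
]


def targets_guests(users: dict) -> bool:
    """True if the users condition includes guest/external identities."""
    included = set(users.get("includeUsers", []))
    return ("All" in included or "GuestsOrExternalUsers" in included
            or bool(users.get("includeGuestsOrExternalUsers")))


def targets_app(apps: dict, app_id: str) -> bool:
    """True if the applications condition covers app_id and does not exclude it."""
    included = apps.get("includeApplications", [])
    excluded = apps.get("excludeApplications", [])
    return ("All" in included or app_id in included) and app_id not in excluded


def enforces_mfa(grant: dict) -> bool:
    """True only if every way to satisfy the grant involves MFA (or access is blocked)."""
    controls = set(grant.get("builtInControls", []))
    if "block" in controls:
        return True                      # blocked guests cannot reach the app at all
    if "mfa" not in controls:
        return False
    # With OR, any single listed control satisfies the policy, so MFA is only
    # guaranteed when it is the sole control or the operator is AND.
    return grant.get("operator") == "AND" or controls == {"mfa"}


def policy_covers(policy: dict, app_id: str) -> bool:
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    return (targets_guests(cond.get("users", {}))
            and targets_app(cond.get("applications", {}), app_id)
            and enforces_mfa(policy.get("grantControls", {})))


def guest_apps_without_mfa(policies=POLICIES, apps=APPS) -> List[str]:
    """Application IDs that no enabled policy protects with MFA for guests."""
    return sorted(app for app in apps if not any(policy_covers(p, app) for p in policies))


if __name__ == "__main__":
    for app in guest_apps_without_mfa():
        print(f"GAP: guests can reach {APPS[app]} ({app}) without enforced MFA")
```

In a real tenant the policy list would come from the Graph API rather than a constant, and the check would run after every policy change; the logic above is what turns "enforce MFA for external users" from a project objective into something that can be verified.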
Conclusion
Identity and access security are of paramount importance to any serious organisation. IAM offers a robust solution to this challenge by ensuring security, compliance, and productivity.
While its implementation can be challenging, IAM’s benefits are undeniable and justify the necessary investments. It is crucial for organisations to fully recognise the importance of IAM in the digital world and take steps to ensure the security and privacy of their data.
However, with the rise in the use of generative artificial intelligence, a legitimate question arises: will we see an increase in identity theft? Although current events seem to answer this question in the affirmative, it seems to us that, for the time being, it is difficult to give a definitive opinion on this point, given the disparity in organisations' levels of maturity in access management.
Definition of terms
Traceability is the process of tracking and monitoring user activities in a system, which is essential for detecting suspicious behaviour, ensuring compliance, and investigating security incidents.
Authentication consists of verifying the identity of a user, system or device declared during the identification phase before authorising their access to resources.
Multi-factor authentication (MFA) is the process of verifying identity that requires more than one method of confirmation before granting access to a system or data. By requiring multiple means of authentication, MFA enhances security.
Single sign-on (SSO) allows users to log in to multiple applications with a single set of credentials, simplifying access across platforms and, provided the identity provider itself is strongly protected, enhancing security by reducing the number of passwords in circulation.
Authorisation is the process that determines what actions a user can perform or what resources they can access after authenticating.
Confidentiality is the principle that sensitive information is protected from unauthorised access or disclosure, ensuring that only authorised persons have access to it.
Availability ensures that systems, services or data are accessible and usable when needed, without interruption.
Information integrity ensures that data is not altered, damaged, or modified in an unauthorised manner, thereby maintaining its accuracy and reliability.
ABAC (Attribute-Based Access Control) is an authorisation model that defines permissions based on attributes of the subject (such as role or employment type), the resource, the action, and the environment (such as time or location).
RBAC (Role-Based Access Control) is an authorisation management model in which access to resources in a computer system is assigned based on users’ roles within the organisation.