The Biggest Problem for IAM Starts with Us
Written by Stephanie Skolka
Identity and Access Management (IAM) refers to the network of technologies and their associated policies that ensure the right people in an organization have the proper access to the resources they need. IAM falls under the category of Information Technology (IT) Security. IAM governs not only authenticating and authorizing individuals, but also access to the software and applications these individuals need. In recent years, IAM solutions have become increasingly important as compliance requirements have become more complex. But the biggest problem IAM faces starts with people.
IAM has the most direct connection with humans because it is designed to identify them and grant them access. But humans also pose the biggest risk to IAM systems. People don’t want a lengthy process to log in to a system, so they try to minimize the IAM role in the process as much as possible. In doing this, people make the systems more automated and the system’s job much more complicated. People strive for convenience, and when they feel that something is too lengthy, shortcuts arise. One example of this dilemma is the Personal Identity Verification (PIV) card or Common Access Card (CAC) that federal employees are issued to log in to networks. Workers don’t want to insert a card into their computer every time they want to access their work. When a study was conducted to see whether the newly implemented PIV cards were being used properly, it showed a deficiency in how well employees complied with the new rules.
As IAM networks expand, the issues that come with them grow as well. Solutions to these problems can bring centralization and structure to an organization. To start defining a solution, an agency must know and understand all the technologies and the policies associated with them. An organization needs a detailed inventory of its systems to see where its data lives and who has access to it. Unfortunately, most organizations do not have these inventories and, therefore, cannot start developing a solution.
The key to solving IAM problems is to first get a detailed inventory of all systems and records of who has access to what data. From there, you can create an IAM plan that will maximize what you already have and remove what is no longer useful. When dealing with a flawed human factor, it is important to remember that convenience prevails above all.
This article is the first in a series of discussions of IAM and the technologies, tools, and techniques that we can use to provide improved security while overcoming the challenges evident today.