Best Practices for IAM Framework Architecture

April 1, 2021 | By IANS Faculty

The most critical elements of an identity and access management (IAM) strategy include a central user directory, strong authentication controls, privileged user management and monitoring, and single sign-on (SSO)/federation for cloud control and access management. This piece explains each of the elements in greater detail and the use cases to consider when building an IAM framework architecture for a new program.

IAM Program Key Areas

IAM is really the practice of defining who needs access to what, and then controlling the entire lifecycle of user and access management across resources. Any IAM program, for the cloud or otherwise, comprises the following specific areas:

  • Authentication
  • Authorization
  • Federated identities
  • SSO
  • Auditing and user activity monitoring

Organizations must also ensure the following activities are included within those main areas:

  • User management: Defines and dictates the governance of identities.
  • Authentication management: Determines who an entity is based on one or multiple factors.
  • Authorization management: Determines what rights and privileges an entity has based on policies and roles.
  • Access management: The definition of access control policies that enforce entity access to IT resources.
  • Identity provisioning: A set of processes and tools that provision identities within authorization guidelines (may also include de-provisioning).
  • Monitoring and auditing: Monitoring, auditing and reporting services related to entity access and activities (primarily logging and event creation in many environments).
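The six activities above are easiest to see as one flow. The following Python model is an added illustration, not IANS code or any vendor's product: a central identity store (user management), provisioning and de-provisioning, authentication that records an assurance level (password only versus password plus a second factor), role-based authorization in which a resource can demand the higher assurance level, and an audit event for every decision. Usernames, roles and resource names are constructed for the example.

```python
"""Minimal IAM decision pipeline (added illustration, not IANS code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Authentication assurance: 1 = password only, 2 = password + second factor.
PASSWORD_ONLY = 1
MFA = 2


@dataclass
class Identity:
    username: str
    roles: set = field(default_factory=set)
    active: bool = True


@dataclass
class Resource:
    name: str
    allowed_roles: set
    min_assurance: int = PASSWORD_ONLY   # access policy attached to the resource


class IamService:
    def __init__(self):
        self.directory = {}      # user management: the central identity store
        self.audit_log = []      # monitoring and auditing

    # --- identity provisioning / de-provisioning ---
    def provision(self, username, roles):
        self.directory[username] = Identity(username, set(roles))
        self._audit("provision", username, "ok", roles=sorted(roles))

    def deprovision(self, username):
        # Keep the record for audit history, but the identity can no longer be used.
        ident = self.directory[username]
        ident.active = False
        ident.roles.clear()
        self._audit("deprovision", username, "ok")

    # --- authentication management ---
    def authenticate(self, username, password_ok, second_factor_ok):
        ident = self.directory.get(username)
        if ident is None or not ident.active or not password_ok:
            self._audit("authn", username, "deny")
            return None
        level = MFA if second_factor_ok else PASSWORD_ONLY
        self._audit("authn", username, "ok", assurance=level)
        return {"user": username, "assurance": level}

    # --- authorization and access management ---
    def authorize(self, session, resource, action):
        ident = self.directory.get(session["user"])
        reason = "ok"
        if ident is None or not ident.active:
            reason = "inactive identity"
        elif session["assurance"] < resource.min_assurance:
            reason = "step-up required"      # resource policy demands MFA
        elif not (ident.roles & resource.allowed_roles):
            reason = "no matching role"
        self._audit("authz", session["user"], "ok" if reason == "ok" else "deny",
                    resource=resource.name, action=action, reason=reason)
        return reason == "ok"

    def _audit(self, event, subject, outcome, **details):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "subject": subject,
                               "outcome": outcome, **details})


def demo():
    """Constructed walk-through; returns the decisions made so they can be checked."""
    iam = IamService()
    iam.provision("alice", {"finance"})
    payroll = Resource("payroll-db", {"finance"}, min_assurance=MFA)
    wiki = Resource("wiki", {"finance", "engineering"})

    pw_session = iam.authenticate("alice", password_ok=True, second_factor_ok=False)
    mfa_session = iam.authenticate("alice", password_ok=True, second_factor_ok=True)
    results = {
        "wiki_with_password": iam.authorize(pw_session, wiki, "read"),
        "payroll_with_password": iam.authorize(pw_session, payroll, "read"),
        "payroll_with_mfa": iam.authorize(mfa_session, payroll, "read"),
    }
    iam.deprovision("alice")
    # An existing session must stop working once the identity is de-provisioned.
    results["payroll_after_deprovision"] = iam.authorize(mfa_session, payroll, "read")
    results["audit_events"] = len(iam.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points are worth noting: authorization re-reads the directory on every decision rather than trusting the session, so de-provisioning takes effect immediately, and denied decisions are audited with a reason, which is what the monitoring and auditing activity needs to be useful.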

IAM Strategy Considerations

There are several important things to evaluate and consider for an IAM strategy, which include, but are not limited to:

  • A central user directory, such as Active Directory (AD).
  • Strong authentication technologies, like password management and multifactor authentication (MFA), preferably hardware-based.
  • Privileged user management (PUM) technologies that can provide controlled short-term access to critical services.
  • A strong vendor for SSO and federation, delivered as an on-premises gateway, as a service, or both.
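The "controlled short-term access" that privileged user management provides comes down to a few enforceable rules. The following Python sketch is an added illustration, not IANS code or any PUM product: an administrator requests elevation to a privileged role for a bounded window, a different person approves it, the expiry is checked at every use rather than only when the grant is issued, a grant can be revoked early, and every step is audited. The maximum window, usernames, role name and clock values are constructed for the example.

```python
"""Time-bounded privileged access (added illustration, not IANS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=4)   # policy ceiling assumed for this example


@dataclass
class Grant:
    user: str
    role: str
    approver: str
    expires_at: datetime
    revoked: bool = False


class PrivilegedAccessManager:
    def __init__(self):
        self.grants = []
        self.audit = []

    def request(self, user, role, duration, approver, now):
        """Create a grant; refuses self-approval and over-long windows."""
        if approver == user:
            self._log("grant", user, "deny", role=role, reason="self-approval")
            return None
        if duration > MAX_GRANT:
            self._log("grant", user, "deny", role=role, reason="exceeds max duration")
            return None
        grant = Grant(user, role, approver, now + duration)
        self.grants.append(grant)
        self._log("grant", user, "ok", role=role, approver=approver,
                  expires_at=grant.expires_at.isoformat())
        return grant

    def revoke(self, grant):
        grant.revoked = True
        self._log("revoke", grant.user, "ok", role=grant.role)

    def has_privilege(self, user, role, now):
        """Checked at use time: expiry and revocation are enforced here."""
        for g in self.grants:
            if (g.user == user and g.role == role
                    and not g.revoked and now < g.expires_at):
                self._log("use", user, "ok", role=role)
                return True
        self._log("use", user, "deny", role=role)
        return False

    def _log(self, event, user, outcome, **details):
        self.audit.append({"event": event, "user": user, "outcome": outcome, **details})


def demo():
    """Constructed scenario; returns each outcome so it can be checked."""
    t0 = datetime(2021, 4, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
    pam = PrivilegedAccessManager()
    out = {}
    # Rejected: the requester cannot approve their own elevation.
    out["self_approval"] = pam.request("bob", "domain-admin", timedelta(hours=1), "bob", t0)
    # Rejected: a one-day window exceeds the policy ceiling.
    out["too_long"] = pam.request("bob", "domain-admin", timedelta(days=1), "carol", t0)
    pam.request("bob", "domain-admin", timedelta(hours=1), "carol", t0)
    out["within_window"] = pam.has_privilege("bob", "domain-admin", t0 + timedelta(minutes=30))
    out["after_expiry"] = pam.has_privilege("bob", "domain-admin", t0 + timedelta(hours=2))
    second = pam.request("bob", "domain-admin", timedelta(hours=1), "carol", t0 + timedelta(hours=3))
    pam.revoke(second)
    out["after_revoke"] = pam.has_privilege("bob", "domain-admin", t0 + timedelta(hours=3, minutes=20))
    out["audit"] = [(e["event"], e["outcome"]) for e in pam.audit]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Passing the clock in as an argument rather than calling the system time inside the class is what makes the expiry logic testable; a real PUM tool would also tie the grant to a credential checkout or session, but the grant, use and revoke events above are the audit trail auditors ask for.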

IAM Program Use Cases

Cloud Hybrid Strategy

A common use case is movement to a cloud hybrid strategy. IAM is a complex, multifaceted area. To implement a modern IAM strategy and extend it to the cloud:

  • Ensure in-house identity repositories can be extended to the cloud (identity provisioning): Many organizations use AD or another repository, and most cloud service providers (CSPs) support this. Any custom identity types will need to be evaluated, though.
  • Determine federation capabilities and attributes needed: These will likely be a function of the CSP services and your own application use cases.
  • Examine CSP access control capabilities and standards: It seems there are as many different authentication and access control capabilities and models as there are cloud providers. Some have their own systems in place (e.g., Amazon’s IAM system), whereas many others rely on usernames and passwords, with or without a separate multifactor system.
  • Consider identity service providers in addition to the CSP for additional brokering/proxying: Numerous services are available for cloud identity services that may be simpler to implement than directly working with the CSP.
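The second and third steps above, deciding which attributes a provider's federation needs and how its access control model maps onto your directory, can be made concrete as a claim-mapping function. The following Python example is an added illustration, not IANS code or any identity provider's implementation: given a directory record shaped like an AD entry and a per-provider policy, it releases only the attributes that provider requires, translates directory groups into provider-side roles, silently drops groups that have no mapping, and refuses to issue claims when a required attribute is missing or no role results. The relying-party names, attribute lists, group names and role names are all constructed.

```python
"""Federation claim mapping for a hybrid cloud (added illustration, not IANS code)."""

# Attributes each relying party needs (constructed); anything else is withheld.
REQUIRED_ATTRIBUTES = {
    "csp-console": ["sAMAccountName", "mail"],
    "hr-saas": ["mail", "displayName"],
}

# Directory group -> role understood by the relying party (constructed mapping).
GROUP_TO_ROLE = {
    "csp-console": {"CloudAdmins": "CloudAdmin", "CloudReaders": "ReadOnly"},
    "hr-saas": {"HRStaff": "employee", "HRManagers": "manager"},
}


class ClaimError(ValueError):
    """Raised when no safe claim set can be issued for a record."""


def build_claims(relying_party, record):
    """Return the claim set to assert to `relying_party` for a directory `record`."""
    try:
        needed = REQUIRED_ATTRIBUTES[relying_party]
        role_map = GROUP_TO_ROLE[relying_party]
    except KeyError:
        raise ClaimError(f"unknown relying party {relying_party!r}")

    claims = {}
    for attr in needed:
        # Attribute release is an allow-list: only what the provider needs leaves.
        if not record.get(attr):
            raise ClaimError(f"{relying_party}: required attribute {attr!r} missing")
        claims[attr] = record[attr]

    # Groups without a mapping are dropped, never passed through as-is.
    roles = sorted({role_map[g] for g in record.get("memberOf", []) if g in role_map})
    if not roles:
        raise ClaimError(f"{relying_party}: no group maps to a role")
    claims["roles"] = roles
    return claims


def demo():
    """Constructed directory records; returns the claims (or the refusal) per case."""
    alice = {"sAMAccountName": "alice", "mail": "alice@example.com",
             "displayName": "Alice Example", "employeeID": "E1234",
             "memberOf": ["CloudReaders", "HRStaff", "Printers-Floor3"]}
    bob = {"sAMAccountName": "bob", "mail": "bob@example.com",
           "memberOf": ["Printers-Floor3"]}
    out = {
        "alice_console": build_claims("csp-console", alice),
        "alice_hr": build_claims("hr-saas", alice),
    }
    try:
        build_claims("csp-console", bob)
        out["bob_console"] = "issued"
    except ClaimError as err:
        out["bob_console"] = str(err)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the allow-list is that attributes such as employeeID never reach a provider that did not ask for them, and the point of refusing rather than issuing an empty role list is that the CSP, not the identity provider, should never be left to guess what an unmapped user may do.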

Privileged Users

Another common use case is managing privileged users. Privileged access management (PAM) is a technology that is growing rapidly and increasing in importance to enterprises. Many attacks and malware make use of privileged identities, and insider scenarios with unchecked privileges in play can be devastating as well. Auditors and regulatory bodies are paying much closer attention to privileged accounts in organizations, so many IT teams are now being asked to provide comprehensive controls over privileged account access, along with extensive audit trails of privileged user activity.

All this said, PAM tools are often cited as one of the thorniest technologies to plan for and implement within enterprise IT environments. One reason for this is the sheer breadth of privileged access in the enterprise today. The task of implementing PAM feels daunting, likely because there are so many systems, accounts and use cases to consider when looking at how admins get their jobs done. When choosing a PAM tool, it is important to consider:

  • Discovery and deployment: Many newer PAM tools have streamlined discovery processes for privileged access, as well as easier deployment processes to speed things up and make the integration of PAM more seamless than ever.
  • Ease of use: Ease of use has long been lacking in PAM products. Some products are complex, with interface designs that do not make choosing policies and implementing PAM consistently across a diverse IT environment simple or intuitive. Enterprise-class vendors emphasize usability and interface design, so admins and security/audit teams don’t need advanced degrees to figure out what they need to do within the product.
  • Support for new technology: PAM products are also adapting rapidly to new technology stacks that include cloud services, containers, DevOps deployments, development-focused secrets management platforms and many more.
  • Feature set: Modern enterprises need the full gamut of PAM capabilities – session recording, high-availability for the solution itself, application-to-application mapping, strong discovery and account/application detection, and coverage of major operating systems along with newer technology stacks.

IAM Services and Tools

IAM technology providers to consider in general include Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint and Salesforce. IAM tools also tend to break down into specific spaces, such as:

  • Consumer: Google, Facebook and ForgeRock.
  • Legacy-focused: IBM, Microsoft, Ping and SailPoint.
  • Cloud-first: Bitium, Okta, OneLogin, Centrify and Salesforce.

Most organizations, both hybrid and primarily cloud-based, should likely choose cloud-first IAM solutions that incorporate directory synchronization, SSO, federation and access controls. Some vendors, like Ping, may offer both cloud-native and on-prem tools. If choosing legacy on-prem platforms, check if cloud IAM enablement is also available.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

