Simplified Identity and User Management

Identity and Access Management (IAM) is an umbrella term that describes all aspects of managing user digital identities and providing secure access to resources. IAM solutions include identity authentication, single sign-on, user provisioning, authorization, RBAC, role management, user lifecycle management, encryption, data loss prevention, privileged access management, and more.

A key component of any IAM solution is authentication, which verifies the identity of an individual who attempts to gain access to a resource. The goal is to provide secure access to resources while minimizing the risk of unauthorized users accessing those resources. In other words, IAM seeks to ensure that only authorized individuals can perform actions within an organization's network.

The most important advantage of IAM is that organizations can reduce their security risks. For example, instead of having separate passwords for different websites, users only need one password to log into all of them. In addition, by ensuring that no unauthorized users may access the system, IAM lets organizations enforce security policies across all devices and networks, such as requiring employees to use two-factor authentication when accessing sensitive corporate data.

IAM also helps protect against cyber attacks by managing access to the organization's resources. For example, when a hacker gains unauthorized access to a system, they often try to use stolen credentials to gain further access to other systems. Organizations can prevent hackers from accessing additional systems by restricting access based on user accounts.

Besides helping organizations protect against security breaches, IAM also helps them comply with regulatory requirements and reduce operational costs.

User Account Provisioning (UAP) refers to the process used to manage user accounts across multiple systems and devices. It provides centralized management of user identities and passwords and helps prevent unauthorized use of resources.

Manual or Delegated User Account Provisioning typically requires the IT department to handle all Provisioning. A new hire, for example, will have to be granted access to specific files, documents, and systems depending on their position. Doing so manually is a slow process that is also prone to errors. In addition, when an employee leaves, deprovisioning them requires revoking all rights and removing or deactivating their account.

Automating user account provisioning can help free up IT staff while increasing the organization's security. With Automated User Account Provisioning, provisioning actions are automatically triggered when information is changed in a "source system," such as an HR or SIS system, which then serves as a "single point of truth." If, for example, an employee is promoted, the Automated User Account Provisioning software will detect the change in the organization's HR system (the source). Once detected, the change will be automatically synchronized to the downstream systems (the targets). This significantly speeds up account management and makes it simple, secure, and cost-effective.

The "User Account Lifecycle Management" is the process of managing user accounts and digital identities throughout the entire lifespan of an employee, student, or temporary worker. This process is called "CRUD," Create, Review/Update, and Delete/deactivate.

In designing a user account lifecycle process, most organizations' first attempt is using a "manual" process. Where the IT department is required to manually manage multiple digital identities for a single user account across multiple systems. As the process matures, many organizations adopt an automated provision solution. With automation, a change in the HR (source) system is detected and automatically synchronized to the third-party downstream systems (targets). In return, the IT department is freed up to focus on more impactful projects.

Role-based access control (RBAC) is an authorization model used to restrict user access to resources based on their Role within the organization. The RBAC model helps design roles in an organization and assign users to the appropriate roles.

The Identity and Access Management system using the RBAC roles allows only authorized users to gain access to a resource. If they don't have permission to do so, they will receive an error message. For example, a manager may be able to view all employees' salaries but not change them. A salesperson may be allowed to create new accounts but not modify existing ones. Or a user may be able to view certain documents but not edit them.

Thus, RBAC increases security by preventing unauthorized individuals from accessing sensitive data without proper authorization. This reduces the potential for breaches or information leaks. It also helps organizations comply with regulations like Sarbanes–Oxley Act (SOX), HIPAA, and others. In addition, it helps prevent accidental damage caused by unauthorized users who gain access to sensitive information. Finally, RBAC increases efficiency by automating Provisioning, deprovisioning, and access management processes.

RBAC is commonly used both on-premises and when granting permissions to external systems such as cloud applications.

As the size of an organization increases, the need to have structured roles (aka Business Rules) is paramount. Role Modeling is a key factor when designing a well-thought-out security model for any identity management implementation. The process starts with basic "Role Mining" to determine the resources required for each job responsibility. Then design roles or business rules (aka Role Generation) into groups or classifications. For example, the "Jr. Accounting Role" requires access to QuickBooks and the invoice folder. The "Sr. Accounting Role" requires the same access along with the accounts receivable folder. How an organization designs its roles is based on many factors. They are typically based on job titles and entitlements, but other factors such as building location or department are used. For example, here are two different ways to group two roles.

Role: Jr. Accounting
Job Titles: Jr. Accounting, Level 1 Accounting, Accounting
Entitlements: QuickBooks, Invoice Folder

Role: Sr. Accounting Role
Job Titles: Sr. Accounting, Accounting Manager
Entitlements: QuickBooks, Invoice Folder, Accounts Receivable Folder

OR

Role: Accounting
Job Titles: Jr. Accounting, Level 1 Accounting, Accounting, Sr. Accounting, Accounting Manager
Entitlements: QuickBooks, Invoice Folder

Role: Sr. Accounting Role
Job Titles: Sr. Accounting, Accounting Manager
Entitlements: Accounts Receivable Folder

The term "segregation of duties" or "separation of duties" refers to the practice of assigning different tasks to separate employees so they cannot conspire with each other. It is an important part of preventing fraud because it prevents collusion between employees who might work together to commit fraud. In some IDM software products, the segregation of duties is automatically done. In others, you need to manually design the segregation of duties into your security roles or business rules.

In general, segregation of duties should be implemented whenever possible. A person who performs one task alone should not be able to access sensitive data without proper safeguards. For example, an employee who has only been assigned to perform administrative tasks cannot gain unauthorized access to sensitive company records. The same applies when employees are given permission to access certain areas of the business but are restricted from accessing other parts of the system.

In addition to preventing employees from gaining unauthorized access to confidential data, segregation of duties helps ensure that no single individual is responsible for all aspects of a project. In this way, the risk of error is reduced.

The segregation of duties also helps organizations comply with regulations like the Sarbanes-Oxley (SOX) Act, which was introduced after several high-profile fraudulent acts in the financial sector. Among other provisions, SOX compliance requires organizations to hire independent auditors to review their accounting practices, a clear example of segregation of duties.

The terms Source and Target systems are commonly used in user provisioning software solutions. The source represents the system or systems that contain the data needed for the user lifecycle processes. Typically, this is a Human Resource (HR) or Student Information System (SIS) system containing user, job, or student information. The target represents the downstream system or systems that the source data will be synchronized to. Typically, this is Active Directory, Azure AD, Google Workspace, or other software applications.

Not all downstream target systems support API access to manage users and access, but most support Excel or CSV imports. When this is the case, you need to format application-specific export files to complete your user lifecycle processes. This process is called "Data Exports." Additionally, some applications support specific protocols, such as OneRoster, that compress the files into a single zip before uploading to the target system. Data Exports and Rostering are similar, but Rostering is geared more toward classrooms, staffing schedules, or event listing of users. For example, rostering is used heavily in the Education market for student classroom attendee rostering.

The Principle Of Least Privilege (POLP) states that users should be granted only the access they need to perform their job effectively. It ensures that users do not have more privileges than necessary to complete their tasks. For example, when an employee logs into a corporate network, they should be able to access files and applications needed to do their job without having to log in under other user accounts. Or an employee who needs to use a corporate database should not be given full administrator rights to the system.

This principle applies to employees and other people who use computers, such as contractors, vendors, and consultants. Therefore, ensuring that these individuals are not accidentally exposed to sensitive information when performing tasks outside their normal responsibilities is important.

That is why, when someone logs into a computer system, they must first authenticate themselves before gaining access to the entire system. Once authenticated, POLP ensures they are only given limited privileges to view files and perform specific tasks within the system. Not only does POLP strengthen security but it also speeds up deprovisioning and reduces possible errors.