[Cybersecurity] What can IAM provide
Imagine that we have a key that can give you privileges to enter to multiple rooms: meeting room, office, and exit door. Sounds awesome ? Well, most of the places the house-keeper or the guard would need to have multiple keys. Well this is how it looks once a company needs from IT dept to provide access to every employee.
Let us assume that a company “A” has 500+ employees and the company is currently using between 5 to 8 SaaS solutions. Each solution is separated from one to another, different credential. How would you , as employee of this company , track all of those ? Don’t forget that some of them follow strict and painful policies when it comes to setup passwords and period of expiration. For instance, the default and best practice is 90 days to have your password changed , +8 chars length , and so on. How long does it take to setup an account to every onboarding? How long does a request get done manually? and many questions to ask.
What is then?
In company “A”, the employee(s) , maybe not all, let us assume that 100/50 of them will use Excel sheet / google sheet to keep tracking of their passwords every 3 months. What is the worst scenario could happen to them ?
1- Chance of broken authentication.
2- Open to the public, if your file store somewhere in the cloud / shared drive.
3- Someone could expose the password in case if the account is shared ! THIS IS BAD !
4- Lose of access in case if the user does not remember them and file may get deleted somehow.
5- Chance of stealing the password, the worst could happen in case if the authentication is not secure with 2nd level factor authentication.
This is just a small part of security. We still have management and cost of the process. Imagine We hire 15 IT people to run our business which includes: accounts, access, monitoring servers, security, devices, support, and other. Alot of work and less productivity, this is 100% fact and let me approve this. Let me bring the company “A” and let us name what could happen to their organization how much damage they could get out of this:
1- Security breach.
2- Lose of reputation in case of losing data of their customers, research and so on.
3- Almost 10–20% of controlling their employees accesses.
4- More work on IT team.
5- Cost more to hire IT staff to keep the business running.
6- Human errors could happen in the process of creation/ on-going of the account(s).
7- Less control.
By understanding this and following some of the well-standers of security such as OWASP 10 TOP security and the other available solution(s) in the market. The best fit is Identity and access management tools.
What is IAM ?
IAM is one of the subdomains of cybersecurity, as you can see from the above roadmap :D we have LONG road to master cybersecurity. However, we need to know that this is part of engineering career requires understanding of the life-cycle of an identity , programming, cloud , and other skills that IAM engineer has. IAM is full of solution that take cares of the onboarding account to the life-cycle to the outboarding. The solution can be on-premise or the in the cloud where are there solutions in the market doing this: Okta, Soffid, AWS IAM, AAD IAM. The process takes the feed and process base on the define business logic and then the system would provision the object aka account to a proper one with the required access to the identity provider: LDAP/AD. IAM not only doing this, but also provide ability of assigning proper access base on the logic business as well. IAM also works along very well with Privilege access management. For instance, in AZURE we can manage when the user can access to the on-premise application / other platforms, maintain the security and mitigate the risk of broken authentication with MFA or block in case of suspicious activity. Create logs to monitor all of the activity of any agent. IAM Solution(s) always rely on its agent(s) / custom agents that serve the process of creation/ modification/ deletion for an account / group. 3 aspects we need to have in any IAM solution(s): flexibility, customizable, and reliable. This is in my opinion.
What can we benefit from IAM ?
1- Accuracy of creating accounts and groups for the organization.
2- Less cost.
3- More control.
4- Easy to operate if the solution is good fit for your need.
What is identity provider ?
Let us not go too far ! I will take my identity as example. My ID is the identity and the provider is the government who provided me this and by this I am getting privileges. The ID I have will contain the most important thing:
1- Full name.
2- What is my eye color.
3- Where do I live
4- Social Security number.
.. etc . As we can see that those information will lead to know who I am and what is my status and if I am legally living in where I am living. By this identity, I can open-up a bank account, buy a car, rent a home, get a job and so on. On the other hand, the provider will be referring as the government. In case of background check, they need to contact the provider to get info about me and verify if this is who I am.
IAM as solution
Now let us back to our company “A”, now company can make life easier and been secure with a system that manages their identities / accesses. Normally and the vast majority are using AD, Active Directory from Windows. It is only a source of identity, but does not provide a solution. In this case, we need IAM, Identity and access management, solution(s). This solution is capable of on-boarding, out-boarding employees, and maintain user(s) access. Imagine how long it will take from HR to Hiring Manger and from Hiring Manager to IT and so on, just to get access setup for the new employee while all of this can be done via IAM which will maintain the identity and assign proper access to any other platforms with needed access, nothing more or less!
IAM is becoming a demand skill in the market which it means it is your chance to get a decind job + skill as well. What i will recommend everyone is to understand what is AD / LDAP and Identity provider in detail and understand the lead solutions in the market such as Okta , Azure IAM and so on. After all this article was only a brief of a big world !