Every day we use countless online services that require us to log in with a username and password. Have you ever stopped to think about how these services know that it is really you trying to log in? This process is called authentication, and it is a fundamental part of identity and access management (IAM).

In this blog post, we will cover the basics of IAM, including an overview of common IAM terms, technologies, and best practices. By the end of this post, you should have a good understanding of what IAM is and how it can help improve your organization’s security posture.

What is Identity and Access Management?

Identity and Access Management (IAM) is a process of managing users’ identities, credentials, and access to resources. IAM includes both physical and logical access control.

Physical access control restricts physical access to resources, such as buildings, rooms, servers, and devices. Physical access control can be implemented through security measures like locks, alarm systems, and badge readers.

Logical access control restricts access to computer systems, applications, and data. Logical access control is typically implemented through user authentication, which we will discuss in more detail later.

Why is Identity and Access Management Important?

IAM is important because it helps organizations protect their resources from unauthorized access. By properly managing users’ identities and credentials, organizations can ensure that only authorized users have access to sensitive data and systems.

In addition to security, IAM can also help organizations improve efficiency and compliance. For example, by automating the provisioning and de-provisioning of user accounts, IAM can help reduce the amount of time and money spent on onboarding and offboarding processes. Additionally, by enforcing least privilege policies, IAM can help ensure that users have the minimum amount of access necessary to do their jobs, which can further reduce the risk of security incidents.

Common Terms in Identity and Access Management

There are a few common terms that you will come across when learning about IAM:

User: A person who interacts with a system or an application. In the context of IAM, a user is typically someone who has been assigned a set of credentials that allow them to log in to a system or application.

Credentials: A set of information that can be used to authenticate a user, such as a username and password, an API key, or a digital certificate.

Authentication: The process of verifying a user’s identity. In most cases, authentication requires the use of credentials.

Authorization: The process of determining whether a user has the right to access a particular resource. Authorization checks are typically done after a user has been authenticated.

Access Control: A security mechanism that controls how users are allowed to access resources. There are two types of access control: discretionary and mandatory. Discretionary access control (DAC) allows users to specify who can have access to their resources. With mandatory access control (MAC), administrators define the rules for who can have access to which resources.

Identity Federation: The process of linking together multiple identity management systems. Identity federation can be used to provide single sign-on (SSO) capabilities across different systems.

Role-Based Access Control: A type of access control in which users are assigned to roles and those roles are given permissions to access certain resources. Role-based access control is a common method for implementing least privilege policies.

Group-Based Access Control: A type of access control in which users are assigned to groups and those groups are given permissions to access certain resources. Group-based access control is often used in combination with role-based access control.

Single Sign-On: A type of authentication that allows users to log in once and gain access to multiple systems or applications. Single sign-on can be implemented through identity federation or by using a shared set of credentials.

Multi-Factor Authentication: An authentication method that requires the use of more than one factor, such as something you know (a password), something you have (a security token), or something you are (biometrics). Multi-factor authentication is often used to add an extra layer of security to sensitive resources.

Zero-Knowledge Proof: A type of authentication that allows a user to prove their identity without revealing their credentials. Zero-knowledge proofs are often used in combination with other authentication methods.
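To make the zero-knowledge idea concrete, here is an added example (not code from the original post) of Schnorr's identification protocol, the textbook scheme behind the definition above. The prover holds a secret x and the verifier only ever stores the public value y = g^x mod p; every run sends a fresh commitment, an unpredictable challenge and a response, and the verifier learns nothing about x. The group parameters P, Q and G are toy values chosen for the demo and are far too small for real use; the function names are this example's own.

```python
import secrets

# Toy group parameters (constructed for the demo; far too small for real use):
# P is prime, Q divides P-1, and G generates a subgroup of order Q (2^11 mod 23 == 1).
P, Q, G = 23, 11, 2

def keygen():
    """Prover picks a secret x; the public key y = G^x mod P is what the verifier stores."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def prover_commit():
    """Fresh random r every run; reusing r across two runs would leak x."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)          # keep r private, send t = G^r

def verifier_challenge():
    """The challenge must be unpredictable to the prover before it commits."""
    return secrets.randbelow(Q)

def prover_respond(x, r, c):
    """s = r + c*x mod Q: without r, s reveals nothing about x."""
    return (r + c * x) % Q

def verifier_check(y, t, c, s):
    """Accept iff G^s == t * y^c (mod P), which holds exactly when s was built from the real x."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_round(x, y):
    r, t = prover_commit()           # prover -> verifier: t
    c = verifier_challenge()         # verifier -> prover: c
    s = prover_respond(x, r, c)      # prover -> verifier: s
    return verifier_check(y, t, c, s)

def identify(x, y, rounds=20):
    """One round lets an impostor succeed with probability 1/Q (only when c == 0);
    repeating it `rounds` times drives that down to (1/Q)^rounds."""
    return all(run_round(x, y) for _ in range(rounds))
```

The point to take away is that the verifier never receives x, only values derived from it together with a fresh random r, which is why a stolen verifier database (holding only y) does not hand an attacker the credential.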

IAM Fundamentals

Now that you understand some of the common terms associated with IAM, let’s take a more detailed look at the basics of IAM. We’ll start by discussing the three main components of an IAM system: users, credentials, and access control.

Users

In most cases, a user is someone who has been assigned a set of credentials that allow them to log in to a system or application. Users can be either people or applications. For example, a person who uses their company email account to log in to their work computer is a user. An application that uses an API key to access data from another application is also a user.

Credentials

As we mentioned earlier, credentials are a set of information that can be used to authenticate a user. The most common type of credentials is a username and password, but there are other types of credentials as well, such as API keys and digital certificates.

When creating credentials for a user, it’s important to choose an appropriate level of security. For example, you wouldn’t want to use the same password for all of your accounts. Instead, you would want to use different passwords for different accounts, and you would want to make sure those passwords are strong enough to resist brute force attacks.
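The following added example (not code from the original post) ties the credentials discussion here to the authentication and authorization definitions from the glossary. Passwords are stored only as salted, slow PBKDF2 hashes, the check uses a constant-time comparison, and authorization runs only after authentication succeeds. The users, passwords and permission table are constructed for the demo and the function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # work factor; raise it as hardware gets faster

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes, int]:
    """Salted, slow hash of a password (PBKDF2-HMAC-SHA256) for storage.
    A fresh random salt per user defeats precomputed tables; the iteration
    count makes brute force against a stolen credential store expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations

# Constructed credential store (hypothetical users and demo passwords).
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

# Constructed authorization table: (user, action, resource) tuples that are allowed.
PERMISSIONS = {
    ("alice", "read", "reports"),
    ("alice", "write", "reports"),
    ("bob", "read", "reports"),
}

def authenticate(username: str, password: str) -> bool:
    """Authentication: does the presented password match the stored hash?"""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so that response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected, iterations = record
    _, actual, _ = hash_password(password, salt, iterations)
    # Constant-time comparison: a plain == would stop at the first differing byte.
    return hmac.compare_digest(actual, expected)

def authorize(username: str, action: str, resource: str) -> bool:
    """Authorization: may this (already authenticated) user perform the action?"""
    return (username, action, resource) in PERMISSIONS

def access(username: str, password: str, action: str, resource: str) -> str:
    """Authenticate first, then authorize; each failure is reported separately."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action, resource):
        return "denied: not authorized"
    return "allowed"
```

Note the ordering in access(): a caller who cannot prove who they are never reaches the authorization check, which is exactly the "authorization checks are typically done after a user has been authenticated" rule from the glossary.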

Access Control

Access control is a security mechanism that controls how users are allowed to access resources. There are two types of access control: discretionary and mandatory.

Discretionary access control (DAC) allows users to specify who can have access to their resources. DAC is often used in consumer-facing applications, such as social media networks and online shopping sites.

With mandatory access control (MAC), administrators define the rules for who can have access to which resources. MAC is often used in enterprises, where it’s important to enforce strict security policies.
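Here is an added example (not code from the original post) that evaluates access under both models described above and in the glossary. Under DAC the object's owner edits its access list, so the owner decides who gets in; under MAC the labels and the rule are fixed by the administrator and a user cannot change them. The MAC rule used here is a simple confidentiality policy in the style of Bell-LaPadula ("no read up, no write down"), which is an assumption of this example rather than something the post specifies; the class and function names are this example's own.

```python
from dataclasses import dataclass, field

# --- Discretionary access control: the owner decides who may access the object.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permitted actions

    def grant(self, granter: str, user: str, action: str) -> bool:
        """Only the owner may change the ACL; that is what makes it discretionary."""
        if granter != self.owner:
            return False
        self.acl.setdefault(user, set()).add(action)
        return True

    def allows(self, user: str, action: str) -> bool:
        return user == self.owner or action in self.acl.get(user, set())

# --- Mandatory access control: administrators fix labels; users cannot change them.
# Constructed label lattice for the demo.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_allows(subject_clearance: str, object_label: str, action: str) -> bool:
    """Bell-LaPadula-style confidentiality rule (assumed for this example):
    read requires clearance >= label ("no read up");
    write requires clearance <= label ("no write down", so secrets cannot leak
    into a lower-classified object)."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False

def dac_demo() -> dict:
    """Constructed scenario: alice owns a document and shares read access with bob."""
    doc = DacObject(owner="alice")
    return {
        "alice_shares_with_bob": doc.grant("alice", "bob", "read"),
        "bob_tries_to_share_with_carol": doc.grant("bob", "carol", "read"),
        "bob_read": doc.allows("bob", "read"),
        "bob_write": doc.allows("bob", "write"),
        "carol_read": doc.allows("carol", "read"),
    }
```

The contrast worth noticing is where the decision lives: in the DAC case a compromised owner account can share the object with anyone, whereas in the MAC case even the owner cannot override the label rule, which is why the post associates MAC with environments that need strict, centrally enforced policy.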

IAM Best Practices

Now that you understand the basics of IAM, let’s take a look at some best practices that you should follow when implementing IAM in your organization.

Choose an Appropriate Level of Security

As noted above when discussing credentials, the level of security should match what the credentials protect: use a different password for each account rather than reusing one everywhere, and make sure each password is strong enough to resist brute force attacks.

In addition to using strong passwords, you should also consider using multi-factor authentication. Multi-factor authentication adds an extra layer of security by requiring the use of more than one factor, such as something you know (a password), something you have (a security token), or something you are (biometrics).

Enforce Least Privilege

When assigning permissions to users, it’s important to follow the principle of least privilege. This principle states that users should only be given the permissions they need to do their job and no more.

For example, if you have a user who only needs to read data from a database, there’s no reason to give them write access as well. By following the principle of least privilege, you can reduce the risk of accidental or unauthorized changes to data.

Implement Least Privilege for Applications

When creating credentials for applications, it’s important to follow the principle of least privilege. Application credentials should only be given the permissions they need to do their job and no more.

For example, if an application only needs to read data from a database, there’s no reason to give it write access as well. By following the principle of least privilege, you can reduce the risk of accidental or unauthorized changes to data.
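The following added example (not code from the original post) puts the role-based and group-based access control definitions from the glossary and the least-privilege rule from the last two sections into one small policy model: users belong to groups, groups and users are assigned roles, and roles carry permissions. It also includes the kind of review function a least-privilege audit needs, which reports what a principal holds beyond what it actually needs. The roles, groups, users (including an application identity) and resources are constructed for the demo; nothing here is a real product's API.

```python
# Constructed policy: role -> set of (action, resource) permissions.
ROLES = {
    "report-reader": {("read", "reports")},
    "report-editor": {("read", "reports"), ("write", "reports")},
    "db-reader":     {("read", "orders_db")},
    "db-admin":      {("read", "orders_db"), ("write", "orders_db"), ("drop", "orders_db")},
}

# Group-based access control: roles are attached to groups, users inherit via membership.
GROUP_ROLES = {
    "analysts": {"report-reader", "db-reader"},
    "finance":  {"report-editor"},
}

USER_GROUPS = {
    "alice": {"analysts", "finance"},
    "bob":   {"analysts"},
    "etl-service": set(),   # an application identity, which the post counts as a user too
}

# Direct role assignments, used sparingly (here only for the application credential).
USER_ROLES = {
    "etl-service": {"db-reader"},
}

def effective_roles(user: str) -> set:
    """Union of directly assigned roles and roles inherited from every group."""
    roles = set(USER_ROLES.get(user, set()))
    for group in USER_GROUPS.get(user, set()):
        roles |= GROUP_ROLES.get(group, set())
    return roles

def effective_permissions(user: str) -> set:
    perms = set()
    for role in effective_roles(user):
        perms |= ROLES[role]
    return perms

def is_allowed(user: str, action: str, resource: str) -> bool:
    """RBAC decision: a user may act only through permissions of a role they hold."""
    return (action, resource) in effective_permissions(user)

def excess_permissions(user: str, needed) -> set:
    """Least-privilege review: everything `user` can do beyond what the job needs.
    A non-empty result is a candidate for removal."""
    return effective_permissions(user) - set(needed)
```

A useful habit this model encourages: when someone asks for write access to a database, look at excess_permissions() for their identity first; the answer is often that they already hold rights they do not use, and those should go before anything new is added.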

Rotate Credentials Regularly

It’s important to rotate credentials regularly, such as every 90 days. This helps to ensure that if one set of credentials is compromised, the attacker won’t have access to your resources for very long.

In addition to rotating credentials, you should also consider using single-use tokens. Single-use tokens are only valid for a short period, such as 15 minutes. This means that even if an attacker manages to get their hands on a token, they won’t be able to use it for very long.
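To show what rotation and short-lived, single-use tokens look like in code, here is an added example (not code from the original post). Tokens are HMAC-signed claims with an expiry (15 minutes by default, matching the text) and a unique id that is recorded once redeemed so the token cannot be presented twice. Rotating the signing key adds a new key id while old keys stay valid only for verification, and retiring a key invalidates everything still signed under it. The key ring, claim names and function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key ring for signing tokens: key id -> secret. Rotation means new
# tokens are signed with a new key while old keys remain verifiable only until
# everything signed under them has expired.
KEYS = {"k1": secrets.token_bytes(32)}
STATE = {"current": "k1"}
REDEEMED = set()   # token ids already used, so each token works exactly once

def _sign(kid: str, payload: str) -> str:
    return hmac.new(KEYS[kid], payload.encode(), hashlib.sha256).hexdigest()

def issue(subject: str, now: int = None, ttl: int = 900) -> str:
    """Issue a single-use token valid for `ttl` seconds (15 minutes by default)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "exp": now + ttl,
              "jti": secrets.token_hex(16), "kid": STATE["current"]}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{payload}.{_sign(STATE['current'], payload)}"

def redeem(token: str, now: int = None):
    """Return the subject if the token is authentic, unexpired and unused; else None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    kid = claims.get("kid")
    if kid not in KEYS or not hmac.compare_digest(sig, _sign(kid, payload)):
        return None          # unknown/retired key, or tampered token
    if now >= claims["exp"] or claims["jti"] in REDEEMED:
        return None          # expired, or already used
    REDEEMED.add(claims["jti"])
    return claims["sub"]

def rotate_key(new_kid: str) -> None:
    """Start signing with a fresh key; older keys remain for verification only."""
    KEYS[new_kid] = secrets.token_bytes(32)
    STATE["current"] = new_kid

def retire_key(kid: str) -> None:
    """Remove a key once every token signed under it has passed its expiry."""
    KEYS.pop(kid, None)
```

The two safety margins that matter operationally are visible here: the signature is checked before the expiry so an attacker cannot learn anything from timing, and a key is only retired after its last token would have expired, so rotation never locks out legitimate holders of still-valid tokens.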

Monitor Activity

It’s important to monitor activity in your IAM system. This can help you detect unauthorized access, and it can also help you diagnose problems with your system.

There are several tools that you can use to monitor activity in IAM, such as Amazon CloudWatch and Splunk. By monitoring activity, you can ensure that your IAM system is functioning properly and that your resources are safe from attack.
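Whatever tool collects the events, the detection logic is what turns monitoring into an alert. The following added example (not code from the original post, and not tied to CloudWatch or Splunk) runs two simple rules over a handful of constructed authentication log lines: a burst of failed logins from one source inside a short window, and a successful login from that same source shortly after the burst, which is the pattern most worth a human's attention. The log format, thresholds and function names are this example's own.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of authentication log lines (not real logs). Format:
# "<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>". Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:05Z FAIL user=bob src=203.0.113.7
2024-05-01T10:00:06Z FAIL user=carol src=203.0.113.7
2024-05-01T10:00:08Z FAIL user=dave src=203.0.113.7
2024-05-01T10:00:09Z SUCCESS user=dave src=203.0.113.7
2024-05-01T10:05:00Z SUCCESS user=alice src=198.51.100.23
2024-05-01T10:20:00Z FAIL user=alice src=198.51.100.23
"""

def parse(line: str) -> dict:
    ts, result, user, src = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "result": result,
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}

def detect(log_text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Rule 1: `threshold` or more failures from one source within `window_seconds`.
    Rule 2: a success from a source that just triggered rule 1 (possible account
    compromise rather than harmless noise). Returns alert tuples in time order."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    recent_fails = defaultdict(list)   # src -> failure timestamps inside the window
    burst_at = {}                      # src -> time of its most recent burst alert
    alerts = []
    for e in events:
        src, ts = e["src"], e["ts"]
        if e["result"] == "FAIL":
            q = recent_fails[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:   # slide the window
                q.pop(0)
            if len(q) >= threshold:
                alerts.append(("failed-login-burst", src, ts.isoformat()))
                burst_at[src] = ts
                q.clear()              # one alert per burst, not one per extra failure
        elif e["result"] == "SUCCESS" and src in burst_at:
            if (ts - burst_at[src]).total_seconds() <= window_seconds:
                alerts.append(("success-after-burst", src, e["user"], ts.isoformat()))
    return alerts
```

A single failure, like the last line of the sample, never fires on its own; keying the rule on the source rather than the user is what lets it catch one source trying many different accounts, which a per-user lockout counter would miss.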