CC Unit 5

The document discusses Identity and Access Management (IAM), which allows organizations to manage user identities and access permissions. IAM provides features like single sign-on, role-based access control, and centralized control over an AWS account. Challenges of managing identities across multiple cloud environments are also covered.

Uploaded by

zaaya3103

Identity and Access Management (IAM)

In a recent study by Verizon, 63% of the confirmed data breaches were due to
weak, stolen, or default passwords. There is a saying in the cybersecurity
world that goes like this: “No matter how good your chain is, it’s only as
strong as your weakest link.” Attackers exploit exactly those weakest links in
an organization to infiltrate it. They usually use phishing to get in, and if
even one person falls for it, events take a serious turn from there on. The
stolen credentials are used to plant back doors, install malware, or exfiltrate
confidential data, all of which cause serious losses for the organization.
How Does Identity and Access Management Work?
AWS (Amazon Web Services) lets you maintain fine-grained permissions for your
AWS account and for the services provided by the Amazon cloud. You can manage
permissions for individual users, or for a set of users collectively as a group,
and roles help you manage the permissions granted to resources.
What Is Identity and Access Management (IAM)?
Identity and Access Management (IAM) is a combination of policies and
technologies that allows organizations to identify users and give them the
right form of access as and when required. There has been a burst of new
applications on the market, and organizations’ need to use these applications
has increased drastically. The services and resources you want to be able to
access are specified in IAM. IAM does not provide any replica or backup. IAM
serves many purposes, for example controlling individual and group access to
your AWS resources. With IAM policies, managing permissions for your workforce
and systems so that they hold least-privilege permissions becomes easier.
AWS IAM is a global service.
Components of Identity and Access Management (IAM)
Users
Roles
Groups
Policies
These new applications, created in the cloud, on mobile, and on-premises, can
hold sensitive and regulated information. It is no longer acceptable or
feasible to simply stand up an identity server and grant access on request.
Today an organization must be able to track the flow of information and grant
least-privilege access as and when required; with a large workforce and new
applications being added every day, this is quite difficult to do by hand. So
organizations concentrate on managing identity and its access with the help of
a few IAM tools. It is very difficult for a single tool to manage everything,
but there are multiple IAM tools on the market that help organizations with
one or more of the services listed below.
IAM Identities Classified As
IAM Users
IAM Groups
IAM Roles
Root user
The root user will automatically be created and granted unrestricted rights. We
can create an admin user with fewer powers to control the entire Amazon account.
IAM Users
We can use IAM users to access the AWS Console; their administrative
permissions differ from those of the root user, and we can keep track of their
login information.
Example
With the aid of IAM users, we can give a specific person access to the services
available in the Amazon dashboard with only a limited set of permissions, such
as read-only access. Let’s say user-1 should have read-only access to the EC2
instance and no additional permissions, such as create, delete, or update. By
creating an IAM user for user-1 and attaching only the required permissions to
it, we allow that person access to the EC2 instance with exactly the
permissions intended.
IAM Groups
A group is a collection of users, and a single person can be a member of several
groups. With the aid of groups, we can manage permissions for many users
quickly and efficiently.
Example
Consider two users named user-1 and user-2. Suppose we want to grant user-1
specific permissions, such as the ability to delete, create, and update the
auto-scaling group only, and we want to grant user-2 all the permissions needed
to maintain the auto-scaling group as well as EC2 and S3. We can create groups
carrying those permissions and add each user to the appropriate group. If a new
user is added, we simply add that user to the group with the required
permissions.
IAM Roles
Policies cannot be attached directly to the services accessible through the
Amazon dashboard. IAM roles are similar to IAM users, except that a role is not
tied to one person and may be assumed by anyone (or any service) that needs it.
By using roles, we can grant one AWS service access rights to other AWS
services.
Example
Consider Amazon EKS. In order to maintain an auto-scaling group, EKS needs
access to EC2 instances. Since we cannot attach policies directly to EKS, we
must create a role, attach the necessary policies to that role, and then attach
the role to EKS.
IAM Policies
IAM policies manage access to AWS by being attached to IAM identities or to
resources. An IAM policy defines the permissions of AWS identities and AWS
resources; when a user or any resource makes a request, AWS evaluates these
policies and decides whether the request is to be allowed or denied. AWS
policies are stored in JSON format. The number of policies attached to a
particular IAM identity depends on the number of permissions that identity
requires; an IAM identity can have multiple policies attached to it.
Access management for AWS resources
Figure – Services under IAM:
Identity management
Access management
Federation
RBAC/EM
Multi-Factor authentication
Access governance
Customer IAM
API Security
IDaaS – Identity as a service
Granular permissions
Privileged Identity management – PIM (PAM and PIM are the same)


More About the Services: Looking briefly at the services, identity management
is purely responsible for managing the identity lifecycle. Access management is
responsible for access to resources, and access governance is responsible for
access requests, grants and audits. PIM or PAM is responsible for managing all
privileged access to resources. The remaining services either support these
services or help increase their productivity.
Market for IAM: In the current market there are three leaders (Okta, SailPoint
and CyberArk), each of which masters one of the three domains (identity
management, identity governance and privileged access management), according
to Gartner and Forrester reports. These companies have developed, and are still
developing, solutions that allow an organization to manage identity and its
access securely without hindering the workflow. There are other IAM tools as
well: BeyondTrust, Ping, OneLogin, Centrify, Azure Active Directory, Oracle
Identity Cloud Services and many more.
Use Cases of Identity and Access Management (IAM)
Resource Access Control: Identity and access management (IAM) lets you manage
permissions to resources in the AWS cloud, such as which users can access a
particular service and to what extent; instead of maintaining permissions
individually, you can manage permissions for a group of users at a time.
Managing permissions: For example, if you want to grant a user permission to
perform only the restart-instance task on an AWS EC2 instance, you can do so
using AWS IAM.
Implementing role-based access control (RBAC): Identity and Access Management
(IAM) helps you manage permissions based on roles. Roles help assign
permissions to resources in AWS, such as which resource may access another
resource, according to the requirement.
Enabling single sign-on (SSO): Identity and Access Management helps you
maintain the same user name and password across services, which reduces the
effort of remembering different passwords.
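The allow/deny evaluation described in the IAM Policies section, applied to the read-only and restart-only use cases above, as an added Python model that is not AWS code: it mirrors the documented rules (deny by default, an explicit Deny always wins, otherwise a statement must Allow) for identity-based policies only, and the account id, ARNs, policy contents and expiry time are constructed for the example.

```python
"""Simplified model of how AWS evaluates identity-based IAM policies.

Added example, not AWS code. Actions and Resources support the IAM wildcards
'*' and '?', and one condition operator (DateLessThan on aws:CurrentTime) is
modelled to show time-boxed access. NotAction, resource-based policies,
permission boundaries and service control policies are deliberately left out.
"""
from datetime import datetime
from fnmatch import fnmatchcase

INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc1234"  # constructed

# Constructed policies modelled on the page's examples.
READ_ONLY_EC2 = {            # user-1: may only read EC2 state
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
         "Resource": "*"},
    ],
}
REBOOT_ONLY = {              # a user who may only restart one instance
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RebootInstances", "Resource": INSTANCE_ARN},
    ],
}
CONTRACTOR_JIT = {           # time-boxed S3 read access that expires on its own
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::project-data*",
         "Condition": {"DateLessThan": {"aws:CurrentTime": "2024-06-30T18:00:00Z"}}},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    """ARNs are matched case-sensitively with the same wildcards."""
    return fnmatchcase(resource, pattern)


def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a missing context key fails closed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "DateLessThan":
                if not _parse_time(actual) < _parse_time(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one request.

    `policies` is every policy attached to the identity (directly, through its
    groups, or through an assumed role); all of them are evaluated together.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "EXPLICIT_DENY"   # one matching Deny ends evaluation
            allowed = True               # keep scanning in case a Deny follows
    return "ALLOW" if allowed else "IMPLICIT_DENY"


if __name__ == "__main__":
    obj = "arn:aws:s3:::project-data/report.csv"
    print(evaluate([READ_ONLY_EC2], "ec2:DescribeInstances", INSTANCE_ARN))
    print(evaluate([READ_ONLY_EC2], "ec2:TerminateInstances", INSTANCE_ARN))
    print(evaluate([READ_ONLY_EC2, REBOOT_ONLY], "ec2:RebootInstances", INSTANCE_ARN))
    print(evaluate([CONTRACTOR_JIT], "s3:GetObject", obj, {"aws:CurrentTime": "2024-07-01T09:00:00Z"}))
```

Attaching REBOOT_ONLY alongside READ_ONLY_EC2 is how the "restart only" use case is granted without touching the read-only policy, and the expired contractor grant falls back to an implicit deny rather than needing manual revocation.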
IAM Features
Shared Access to your Account: A team working on a project can easily share
resources with the help of the shared access feature.
Free of cost: The IAM feature of an AWS account is free to use; charges are
added only when you access other Amazon web services as IAM users.
Centralized control over your AWS account: Any creation of users or groups, or
any form of cancellation, that takes place in the AWS account is controlled by
you, and you control what data can be accessed by a user and how.
Grant permission to the user: As the root account holds administrative rights,
users are granted permission to access certain services through IAM.
Multifactor Authentication: An additional layer of security is added to your
account by a third party: a six-digit number that you must enter along with
your password when you log into your account.
Accessing IAM
AWS Console: Access AWS IAM through the GUI. It is a web application provided
by AWS (Amazon Web Services) from which users can manage their account.
AWS Command Line Tools: Instead of the console, you can use the command line
interface (CLI) to access AWS. You can automate the process using scripts.
IAM Query API: Programmatic access to IAM and AWS by sending HTTPS requests
directly to the service.
Challenge 1: Managing identities across multiple cloud environments
With the increasing use of multiple cloud environments, organizations face the
challenge of managing user identities across all their cloud systems. This requires
an IAM solution that can support multiple cloud environments and provide a
single source of truth for identity information. A unified IAM solution will allow
organizations to easily manage identities, control access, and enforce security
policies across all their cloud systems.
One such example is the use of more than one software-as-a-service (SaaS)
application. Creating a local identity in each SaaS application makes it very
difficult to keep track of all the people who have access, which in turn may
result in leavers retaining access to those applications.
Challenge 2: Threat materialisation in cloud-based identity providers
Organisations are increasingly moving towards cloud-based identity providers
(for example Google and O365). This usage brings in a challenge that is different
from an on-premise identity provider. Whilst on-premise identity providers have
their own set of challenges in terms of threats and vulnerabilities, their
impact is comparatively small. Threats and vulnerabilities applicable to
cloud-based identity providers have a larger blast radius, and the impact could
be huge.
Addressing this situation is tricky. Whilst for many organisations it makes
business sense to move to cloud-based identity providers, organisations may also
need to monitor the threat landscape to keep themselves ahead of the curve.
Challenge 3: Ensuring compliance with regulations and standards.
Organizations are required to comply with various regulations and standards such
as GDPR, PCI DSS, and HIPAA, which impact their IAM strategy. An IAM
solution must be capable of enforcing these regulations and standards to ensure
that sensitive information is protected and that organizations are not at risk of
non-compliance.
Challenge 4: Managing identities for non-human entities
IAM solutions must also be capable of managing identities for non-human entities
such as applications, services, and APIs. This requires a comprehensive IAM
solution that can manage identities, provide visibility, control access, and enforce
security policies for non-human entities.
Challenge 5: Integration with emerging trends
IAM evolves in response to the threats faced. Evolving IAM trends include
passkeys and password-less authentication. Cloud service providers and
organisations need to factor in the evolving trends and prepare for transition with
technology change and user education.
Challenge 6: Keeping pace with the ever-evolving threat landscape
The threat landscape is constantly evolving, and organizations must ensure that
their IAM solution is capable of adapting to new threats and vulnerabilities.
Credential harvesting is as applicable to cloud IAM as it is to on-premise IAM.
An IAM solution must be capable of providing real-time security intelligence,
monitoring, and alerts to ensure that organizations are aware of new threats and
are able to respond to them in a timely manner.
Challenge 7: Managing identities for external users and partners
Organizations must also manage identities for suppliers, external users, and
partners who need access to sensitive information. An IAM solution must be
capable of controlling access and enforcing security policies for external users
and partners, while also ensuring that sensitive information is protected from
unauthorized access. Granting time-boxed Just-In-Time access is one way to
address this challenge.
Challenge 8: Addressing the unique challenges of BYOD and identity
BYOD policies bring their own set of challenges for IAM, including managing
identities for personal devices and ensuring that sensitive information is protected
from unauthorized access. An IAM solution must be capable of addressing these
challenges and providing a seamless and secure authentication process for
employees using personal devices.
Challenge 9: Managing identities for IT/OT devices that are located on-premise
but interface with cloud-based solutions
IT/OT devices, like any other devices, need identities. Managing these
identities poses a challenge, as traditional security measures like password
rotation and MFA do not apply to OT. Organizations must manage these identities
together with the vendors to ensure that a compromise of the cloud-based
solution does not impact the OT devices, and that a compromise of the identity
of an OT device does not impact the enterprise network. An IAM solution must be
capable of managing identities for all types of resources, controlling access,
and enforcing security policies, regardless of where the resources are located.
Challenge 10: Maintaining visibility and control over role bindings and access
controls
Organizations must maintain visibility and control over role bindings and access
controls to ensure that sensitive information is protected from unauthorized
access. An IAM solution must provide real-time monitoring and alerts to ensure
that access controls are being enforced correctly, and must also provide the ability
to revoke access in real-time if necessary.
Decentralized Identity Management
• As companies transition from on-premises data to cloud-hosted data,
centralized on-prem identity management can become decentralized. This gives
more autonomy to different departments, but also increases risk when it comes
to IAM.
• In a centralized system, a single user identity is used across the entire
organization. This gives admins control over user access to company data, but
it also means they are responsible for user identity management: they must
store and manage user credentials, user profiles, and user identification (ID)
attributes.
• As you decentralize data, decentralized identity management may become
necessary. In decentralized identity management, each department has its
own user identity system.
• Each user’s identity and access privileges are controlled by that
department, and they are not shared with other departments. This means
that centralized admin responsibilities are distributed to each department.
This can make IAM more challenging, but it can also open up autonomy
in certain departments.
Cloud Data Management
• Cloud data is the data that is hosted in a remote data center and accessed
over the Internet. It is a common practice for organizations to store their
data in the cloud because it is much cheaper than on-premise data storage.
• It’s also more scalable and easily accessible from anywhere. But with this
convenience comes a few challenges for IAM professionals.
• A major issue with cloud data is that it could be hosted by a service provider
with whom your company doesn’t have a contract. This means there may
be little control over how data is protected and maintained.
• You’ll also need to ensure that you can securely transfer data to and from
the cloud, which can be a challenge in its own right. If the data is sensitive
or regulated, the challenges associated with securing cloud data increase
even further.
Data Security
• Data security is crucial when considering any IAM implementation. While
many organizations still prefer to store their data on-premise, many others
have moved their data to the cloud.
• In both cases, when it comes to data security, admins will need to determine
the best method for protecting their data from malicious attacks.
• There are several ways to protect data from malicious attacks, including:
– Strong access control
– Cryptography
– Data minimization
– Strong monitoring and alerting
– Data obfuscation
• Strong access control and cryptography are effective ways to protect data
from unauthorized users and potential attacks.
• Data minimization and data obfuscation are less common security
measures. They aim to minimize the data collected, which reduces the
overall risk. These methods are helpful for compliance and regulatory
requirements like GDPR.
User Authentication and Authorization
• Authentication is the process of confirming the identity of a user by
verifying their credentials. This ensures that only authorized users can
access your data. Authentication is usually a one-time process.
• Authorization, on the other hand, is the process of granting users access to
specific data or resources. Both are often executed together, but they should
be separate processes. Authentication is based on identity, while
authorization is based on privilege.
• An example of this is logging into a computer or website. When you log
in, your credentials are authenticated, but they don’t indicate your level of
authority or what you can do on the platform. Authentication and
authorization work together to ensure that only authorized individuals have
access to sensitive data.
Organizational Change Management
Organizational change management is focused on the people aspect of IAM. Part
of this change is cultural, as employees already have a set of expectations and
methods for managing their data. Adding new levels of security and access
privileges complicates this process. Organizational change management can be
addressed by involving stakeholders in the design, implementation, and rollout
stages of IAM. By involving key stakeholders, you can get a better idea of how
the system will work in the real world. You can then identify and address any
issues that could arise as the system is implemented. Organizational change
management requires open and frequent communication between stakeholders.
This helps to identify potential issues before they become major problems.

1. Setting up user profiles
Before IAM is operational, security teams must onboard existing users with the
right role description, user credentials, and access privileges. This can be a
daunting task in large companies, across multiple departments, locations, and
even continents.
Matching users and privileges is a complex process. Individuals require access
to different cloud resources. This may involve additional permissions, such as
content management systems or accounting tools, within a specific application.
Role-based access control tools can help here. The right tools guide security
admins as they set up profiles. But, constant testing and vigilance are needed to
ensure privileges work correctly.
2. Interoperability and app sprawl
IAM services also have to work with many different network assets. They
may need to manage access to on-premises legacy applications, SaaS tools, PaaS
suites, and third-party resources. Device identities range from mobile and work-
from-home devices to IoT sensors. Getting everything to work together is
challenging.
IAM services are designed to provide secure access to existing cloud platforms.
But there may still be compatibility issues with individual apps. Your security
team needs to ensure that access management systems fit their needs before
commissioning any products.
SSO can resolve these problems. With the right single sign-on system, companies
can gather all assets together. This makes managing communities of cloud apps
much simpler.
3. Continuity – maintaining focus
IAM is not a one-time purchase or technical fix. It is a constantly evolving
process that adapts to changing business needs. Security teams need to plan for
audits and revisions as events unfold. They cannot rely on automated profile
management and SSO to run without regular checks.
Companies need to know that new hires are receiving appropriate privileges.
They need to be sure that privileges are accurate and protect sensitive data. And
they need assurance that users are de-provisioned when they leave the
organization.
4. Role creep and permission glut
In the world of IAM, role creep is akin to the clutter that accumulates in a drawer
over time. As employees transition through different roles within an organization,
their access permissions can pile up, leading to a condition known as a permission
glut.
This isn't just organizational untidiness; it's a security risk. Employees who no
longer need sensitive data access may still have it, creating opportunities for
accidental or intentional misuse.
Automation tools that can prune these excess permissions exist, but they're not
foolproof and often require manual oversight. Consequently, IT admins need to
regularly audit and adjust permissions, a task that's easier said than done. This
challenge underscores the need for a balanced approach to IAM—one that
combines technological solutions with vigilant governance.
5. Scaling hurdles and performance drag
Scaling issues, one of the IAM challenges, often resemble a traffic bottleneck on
a growing highway. As an organization expands, the IAM system must
accommodate an ever-increasing number of users and applications.
Unfortunately, not all IAM systems are built to scale efficiently. The symptoms
of these constraints are often noticeable: authentication processes slow down,
leading to delays that frustrate users and put extra pressure on IT staff.
This performance degradation isn't merely an annoyance; it could be a sign
that the IAM system is reaching its operational limits. A failure to address
these scaling issues could result in broader security vulnerabilities, requiring IT
management's tactical and strategic attention to resolve effectively.
6. Insider risks and ethical dilemmas
While external threats often make headlines, risks from within the organization
can be just as significant. Employees with elevated access permissions may
misuse their powers, either intentionally or inadvertently, posing a complex
challenge to manage.
Trust within a team is vital for a functional workplace but balancing that trust
with the need for security oversight is tricky. Constant monitoring can erode
employee morale, but lax oversight can lead to security breaches.
Therefore, this challenge demands a carefully calibrated approach combining
technology with policies to ensure trust and security coexist. It underscores the
need for comprehensive and ongoing training and regular audits to mitigate the
risks without compromising the work environment.

IAM Architecture and Practice
Identity Access Management is used by the root user (administrator) of the
organization. A user represents one person within the organization, and users
can be grouped so that all users in the group have the same privileges to the
services.
Shared Responsibility Model for Identity Access Management
Cloud Service Provider (CSP):
Infrastructure (global security of the network)
Configuration and vulnerability analysis
Compliance validation
Customer:
Management and monitoring of users, groups, roles and policies
Using IAM tools to apply appropriate permissions
Analyzing access patterns and reviewing permissions
The Architecture of Identity Access Management
User Management:- It consists of activities for the control and management over
the identity life cycles.
Authentication Management:- It consists of activities for effectively
controlling and managing the processes that determine which user is trying to
access the services and whether those services are relevant to that user.
Authorization Management:- It consists of activities for effectively controlling
and managing the processes that determine which services the user is allowed to
access, according to the policies made by the administrator of the organization.
Access Management:- It is used in response to a request made by a user who
wants to access resources within the organization.
Data Management and Provisioning:- The authorization of data and identity is
carried to the IT resource through automated or manual processes.
Monitoring and Auditing:- Based on the defined policies, users’ access to
resources within the organization is monitored, audited, and reported on.
Operational Activities of IAM:- In provisioning, we onboard new users onto the
organization’s systems and applications and give them the necessary access to
services and data. Deprovisioning works the opposite way: we delete or
deactivate the user’s identity and revoke all of the user’s privileges.
Credential and Attribute Management:- Credentials are bound to an individual
user and are verified during the authentication process. These processes generally
include allotment of username, static or dynamic password, handling the
password expiration, encryption management, and access policies of the user.
Entitlement Management:- These are also known as authorization policies in
which we address the provisioning and de-provisioning of the privileges provided
to the user for accessing the databases, applications, and systems. We provide
only the required privileges to the users according to their roles. It can also be
used for security purposes.
Identity Federation Management:- In this process, we manage relationships
beyond the internal network of the organization, that is, among different
organizations. A federation is an association of organizations that have come
together to exchange information about users and resources to enable
collaboration and transactions.
Centralization of Authentication and Authorization:- A centralized
authentication and authorization service needs to be developed so that teams do
not have to build custom authentication and authorization features into each
application; it also promotes a loosely coupled architecture.

1. Understand project goals
Firstly, it's essential to visualize the endpoint of your IAM project. There are
myriad reasons to implement identity and access management.
Customer service teams could be overwhelmed by requests to reset passwords.
There could be concerns about potential and existing threats from phishing or
internal sabotage, while security audits may have exposed security risks like
excessive user permissions.
Assess what mix of resources will fall under your identity solution. Do you rely
on cloud-based applications or a blend of bare metal, remote devices, and the
cloud?
Understand what problems IAM seeks to solve, and make those solutions the
fulcrum of your project strategy.
2. Map the workforce to assign privileges
When embarking on an identity security project, defining who needs access to
what resources is vital. Consult HR to build a picture of every role and individual
inside the organization and contractors or freelancers who require secure access.
At the same time, establish ongoing relationships between security and HR teams
to enable constant revisions to privileges as employees arrive, leave the company,
or change their roles.
It may also be necessary to create an inventory of connected apps, databases, and
devices to act as a basis for granting privileges. This inventory creation exercise
can double up as an audit to catch any legacy equipment or software upgrades
before changing any access processes.
3. Create individual profiles and intelligent role definitions
Every individual accessing the network requires a profile detailing their specific
privileges. Don't assign rights to contractor companies or departments. Take a
granular approach to privileged access management that provides complete
information.
However, constantly updating individual access privileges is often unworkable.
To make matters easier, create role-based rights and assign those roles to
individuals as required. In some cases, role-based access control tools can even
give privileges for defined periods – adding flexibility for teams that work across
network resources.
4. Adopt Zero Trust Network Access as standard
When assigning privileges, ZTNA is the gold standard access management
solution. Under the Zero Trust model, every user is treated as suspicious until
provided their access credentials. There are no exceptions, even for executive-
level users.
The "principle of least privilege" should govern any lateral movement through
the network - meaning that users should only have access to resources that their
role requires. Managers should also take care to avoid granting excessive
permissions in all cases.
5. Make multi-factor authentication universal
The process of authentication is a core aspect of secure IAM. As a rule, never rely
on passwords alone for data security. Integrate a form of multi-factor
authentication into user access portals instead.
MFA involves requesting one or more additional credentials before granting
access. These credentials could include biometrics, codes sent via SMS or email,
or even authentication via social media accounts. Third-party multi or two-factor
authentication providers can integrate seamlessly into access management
systems, adding an extra layer of protection.
It may also be worthwhile to consider abandoning passwords altogether, and
password-free access is increasingly common. If this isn't a viable option, include
strong password security practices in your IAM system at every stage.
6. Create centralized network visualization
Robust IAM implementations provide complete visibility for network managers.
Managers need the ability to monitor every endpoint and user who connects to
the network, alongside activity within the perimeter, including cloud and bare-
metal devices.
Visibility is critical in complex organizations with multiple cloud databases or
core apps. For instance, a company may need to integrate eCommerce APIs
and customer identity and access management (CIAM) systems with corporate
accounts and HR. Cloud access management solutions will generally be the right
solution in these situations.
Ensure that the centralized IAM system connects every user device, location, and
department. Centralization makes real-time user access monitoring more
effective and enables smooth onboarding and management of orphaned accounts.
Additionally, be sure to employ single sign on (SSO) practices wherever possible.
Users should have a single point of data access using a single set of credentials.
7. Audit orphaned accounts regularly
When employees leave companies, their network identities do not necessarily
depart. So-called orphaned accounts can be prime targets for hackers using social
engineering techniques.
According to a 2021 Varonis study, approximately 40% of companies in the
financial sector had more than 10,000 of these "ghost users." It is essential to
track down orphaned accounts when users move on or change roles.
Schedule regular user management audits to ensure that orphaned accounts are
neutralized rapidly, and remember to extend this to any contractors or partners
who no longer work with the company.
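The orphaned-account audit described in step 7, and the leavers-retaining-SaaS-access problem from Challenge 1, as an added Python example that is not part of the original notes: it reconciles each application's account export against the HR roster as the single source of truth. The roster, application names, logins, dates and the 90-day dormancy threshold are all constructed for the example.

```python
"""Orphaned-account audit across several SaaS applications.

Added example. Each application keeps its own local identity store, so the
HR roster is treated as the single source of truth for who still works here.
The audit reports accounts that belong to leavers, accounts with no HR record
at all (unowned or service accounts), and dormant accounts. All data is
constructed.
"""
from datetime import date

DORMANT_AFTER_DAYS = 90
AUDIT_DATE = date(2024, 7, 1)          # fixed so the run is reproducible
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# HR roster (constructed): the authoritative list of people and their status.
HR_ROSTER = [
    {"email": "alice@example.com", "status": "active", "end_date": None},
    {"email": "bob@example.com", "status": "terminated", "end_date": date(2024, 3, 15)},
    {"email": "carol@example.com", "status": "active", "end_date": None},
]

# Account exports from each application (constructed). Logins may differ in
# case between applications, so they are normalised before matching.
APP_ACCOUNTS = {
    "crm": [
        {"login": "alice@example.com", "last_login": date(2024, 6, 28)},
        {"login": "bob@example.com", "last_login": date(2024, 3, 14)},
        {"login": "svc-reporting@example.com", "last_login": date(2024, 6, 30)},
    ],
    "wiki": [
        {"login": "Alice@Example.com", "last_login": date(2024, 1, 20)},
        {"login": "dave@example.com", "last_login": date(2024, 6, 29)},
    ],
}


def audit_accounts(roster, app_accounts, today=AUDIT_DATE,
                   dormant_after=DORMANT_AFTER_DAYS):
    """Return findings sorted by severity, then application, then login."""
    by_email = {person["email"].lower(): person for person in roster}
    findings = []
    for app, accounts in app_accounts.items():
        for account in accounts:
            login = account["login"].lower()
            person = by_email.get(login)
            idle_days = (today - account["last_login"]).days
            if person is None:
                # Nobody in HR owns this login: a leaver whose record is gone,
                # or a service account that needs an owner or decommissioning.
                findings.append({"app": app, "login": login, "issue": "no_hr_record",
                                 "severity": "high", "detail": "no owner in roster"})
            elif person["status"] != "active":
                days_gone = (today - person["end_date"]).days
                findings.append({"app": app, "login": login, "issue": "leaver_retains_access",
                                 "severity": "critical", "detail": f"left {days_gone} days ago"})
            elif idle_days > dormant_after:
                findings.append({"app": app, "login": login, "issue": "dormant",
                                 "severity": "medium", "detail": f"no login for {idle_days} days"})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["app"], f["login"]))


def summarize(findings):
    """Count findings per issue type, e.g. for a recurring audit report."""
    counts = {}
    for finding in findings:
        counts[finding["issue"]] = counts.get(finding["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(HR_ROSTER, APP_ACCOUNTS)
    for f in results:
        print(f"{f['severity']:8} {f['app']:5} {f['login']:28} {f['issue']:22} {f['detail']}")
    print(summarize(results))
```

In practice the exports would come from each application's admin API or SCIM endpoint; the reconciliation logic is the same, and the "no_hr_record" bucket is where unowned service accounts (Challenge 4) surface.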
8. Use automation to your advantage
Automation of functions like employee or customer onboarding can radically
reduce the cost and labor associated with IAM.
Pre-assigned roles can smoothly integrate new employees into network security
protocols, and there is usually no need for security staff to tailor individual access
privileges during the onboarding process.
Automate ongoing password management too. For instance, self-service
password portals can reduce the workload on security teams while prompting
employees to improve their password security.
The same applies to offboarding, where automation can help handle problems
regarding orphaned accounts. However, regularly assess automated processes, as
roles will need updating to reflect changing circumstances.
9. Build IAM around regulatory compliance
Managing access is a core component of modern cybersecurity standards, and a
robust IAM implementation will contribute toward effective compliance.
Access control applies whether you are seeking to satisfy compliance regulations
like the EU's General Data Protection Regulation (GDPR), the Health Insurance
Portability and Accountability Act (HIPAA), or the Payment Card Industry Data
Security Standard (PCI-DSS).
Factor compliance into your plans from the beginning, and ensure that sector-
specific rules fully cover you. Compliance isn't just a legal issue. It's also an
excellent focal point to concentrate project managers and a way to build trust with
partners or customers.
