1.

Introduction to Identity and Access Management (IAM)

Definition:
IAM is a framework of policies, processes, and technologies that ensure the right individuals (or
machines) can access the right resources at the right times for the right reasons. IAM is critical
for ensuring security, regulatory compliance, and operational efficiency.

Key Components:

 Authentication: Verifying the identity of a user, device, or system.

 Authorization: Determining if the authenticated entity has permission to access a
resource.
 Audit: Keeping records of who accessed what resource, when, and why.

2. Key Concepts in IAM for Access Management

 Access Control Models: The foundation of IAM; defines who can access what
resources.
o Discretionary Access Control (DAC): Resource owners decide who has access.
o Mandatory Access Control (MAC): Access is determined by system-enforced
policies.
o Role-Based Access Control (RBAC): Permissions are assigned based on roles,
simplifying management.
o Attribute-Based Access Control (ABAC): Access decisions are made based on
attributes (e.g., user role, department).
 Least Privilege: Users should only be given the minimum level of access necessary for
performing their job functions.
 Separation of Duties (SoD): Ensuring that critical tasks are divided among different
individuals to prevent fraud or errors.
 User Lifecycle Management: Managing users from onboarding to offboarding, ensuring
access is appropriately granted, modified, and revoked.

3. Access Request Lifecycle in IAM

1. Request Initiation:

 The process begins when a user requests access to a resource. This can be a manual
request or an automated system.
o Common methods include: self-service portals, email requests, or helpdesk
interactions.

2. Authentication:
  The system must verify the identity of the requester.
o Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Biometric
Authentication are typically used.

3. Authorization:

 Once the requestor is authenticated, the system checks if the user’s role, policies, and
attributes allow the requested access.
o The request is cross-checked with existing access control lists (ACL), RBAC,
or ABAC policies.

4. Approval Process:

 Based on the organization’s policies, the request may be routed to an approver or

approval chain. This could involve managers, role owners, or specific authorization
officers.
 Workflow Automation: In larger systems, approval workflows may be automated, with
decision nodes based on roles or conditions.

5. Access Provisioning:

 After approval, the requested access is granted. This might involve adding the user to a
group, modifying their permissions, or granting access to specific applications or
systems.
o Automated provisioning tools often use connectors or APIs to integrate with
systems and services for seamless access granting.

6. Periodic Access Reviews:

 Access should not be a one-time event. Regular reviews (e.g., quarterly or annually) are
necessary to ensure that users still require the access they've been granted.
 Access recertification is a crucial step in reducing the risk of over-privileged accounts or
inactive access.

7. Access Revocation:

 When an access request is no longer valid (e.g., user leaves the organization, role
changes), their access should be revoked immediately.
 Automated deprovisioning helps reduce the risk of access being left open unintentionally.

4. Best Practices for Handling Access Requests

 Self-Service Portals: Empower users to request access to resources via self-service

systems, reducing the burden on IT support teams.
  Automated Workflows: Use workflow automation for approval and provisioning to
reduce human error and delays.
 Clear Role Definitions: Clearly define roles and permissions to avoid ambiguity when
authorizing access.
 Segregation of Duties: Prevent any user from having too much power (e.g., financial
access and approval of their own purchases).
 Multi-Factor Authentication (MFA): Use MFA to ensure that access requests are valid
and users are properly authenticated.
 Audit Trails and Logging: Keep detailed logs of access requests and approvals, which
are useful for compliance and troubleshooting.
 Compliance Standards: Follow industry compliance standards (e.g., HIPAA, GDPR,
NIST, PCI-DSS) for handling access requests.

5. Challenges in Access Management

 User Access Complexity: As organizations scale, user roles and permissions become
more complex, making it harder to manage requests effectively.
 Insider Threats: Employees with excessive or improper access could pose risks to
sensitive systems and data.
 Non-Standardized Processes: Lack of standardized access request workflows across
different departments can lead to confusion and security gaps.
 Integration with Third-Party Systems: Managing access to third-party cloud services
and applications can be challenging.

6. Tools & Technologies for Managing Access Requests

 IAM Systems: Examples include Okta, Microsoft Azure Active Directory, and Ping
Identity.
 Identity Federation: Enables users to access multiple applications with a single identity.
 Privileged Access Management (PAM): Tools like CyberArk and BeyondTrust help
manage high-level privileges and sensitive access.
 Access Management Policies: Cloud-based IAM tools such as AWS IAM, Google
Cloud IAM, and Azure AD enable granular access control policies.

7. Compliance and Regulatory Requirements for Access Requests

Access management must comply with various standards and regulations. Some common
frameworks include:
  General Data Protection Regulation (GDPR): Requires strict control over data access
to protect personal data.
 Health Insurance Portability and Accountability Act (HIPAA): Dictates rules for
controlling access to sensitive health information.
 Financial Industry Regulatory Authority (FINRA): Requires strong access controls
over financial systems.
 Sarbanes-Oxley (SOX): Specifies access controls in accounting and financial reporting
systems.

8. Real-World Scenarios & Case Studies

 Scenario 1: A new employee joins the company

The employee requests access to internal applications (email, file sharing, HR systems).
The system checks their role (HR) and automatically provisions access according to
predefined policies.
 Scenario 2: A user needs temporary access to a sensitive resource
An employee requests access to a finance database for a project. The system grants
access with an expiration date (30 days), and after this time, the access is automatically
revoked.
 Scenario 3: Access escalation due to an emergency
In a critical situation, a user may request elevated permissions for system maintenance.
The request is routed to managers for urgent approval, with an audit trail maintained for
security.

Conclusion

Handling access requests effectively in IAM involves a well-defined process that covers
everything from request initiation to provisioning, approval, and auditing. Leveraging
automation, standardizing policies, using appropriate access control models, and ensuring
compliance with industry standards will help safeguard sensitive systems and data while
improving operational efficiency.