Understanding Identity and Access Management: On-Premises and in the Cloud
September 20, 2021
Identity and access management (IAM) is an established part of IT, controlling who has access to digital assets. Let’s look at some basic IAM concepts and then explore some important distinctions that arise with cloud IAM.
First, IAM addresses two related, but separate, ideas:
- Identity refers to who a user is.
- Access management encompasses what digital assets the person can use.
Implied in this construct is the idea that different users and roles may (or should) have differing levels of access.
You have an identity as a human being. This comprises your name and vital data, such as your birthday and government identifiers, including a driver’s license or social security number. And while there may be more than one person named John Smith in the United States, for instance, there is only one John Smith with a unique social security number and particular birthday. By aligning these separate identity factors, you get to a unique, natural identity for John Smith.
Digital identity, a central concept in IAM, is an extension of natural identity. Being John Smith, even with all of his identifying factors, isn’t enough to get John permission to log on to your corporate network and access your SAP ERP suite. For this, John will need a digital identity, which adds unique digital identifiers, such as a user ID number and a user role definition, to his profile.
The IAM System
An IAM system is software that enables IT managers to control user access to digital assets. Such systems are almost always built atop a directory such as Microsoft Active Directory. The directory is the definitive list of who’s who – and, who’s allowed to do what – in the IT universe.
The most common way to assign access privileges is by role. While most IAM tools let you assign access rights one user at a time, this is very inefficient and prone to error. Role-based access, in contrast, lets you manage access rights by role, which is far more efficient.
Authentication vs. Authorization
Authentication means establishing that a user is who they claim to be. If John Smith wants to log into the network, how do we know it’s really our John Smith, the one we have listed in Active Directory?
Usually, companies authenticate using a username and password combination. This is not ideal, given that such credentials can be stolen or guessed. Authentication also has a twin in the IAM world: authorization, which deals with what digital assets an authenticated user is allowed to see and use. Authenticating John Smith tells you that it really is John; authorizing him tells you which systems and data that John may touch.
A privileged user is someone who is authorized to access the administrative back end of a system or piece of infrastructure. This kind of user can access all of the data on a system, set up or delete accounts, change configurations and more. For this reason, privileged users are carefully controlled. Usually, they have their own, separate identity control system, known as a privileged access management (PAM) solution. Most PAM solutions are integrated with IAM systems.
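An added example (not code from the original post) showing the two steps kept separate, with rights hanging off roles as described in The IAM System section. The directory entries, role names and the sap_basis_admin privileged role are constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: the directory never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_record(password: str, roles):
    salt = os.urandom(16)  # one salt per identity
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "roles": list(roles)}

# Constructed directory: one record per digital identity. Users get roles, not rights.
DIRECTORY = {
    "jsmith": _make_record("correct horse", ["ap_clerk"]),
    "admin01": _make_record("hunter2!", ["sap_basis_admin"]),
}

# Constructed role model: role -> permitted (action, asset) pairs.
ROLE_PERMISSIONS = {
    "ap_clerk": {("read", "sap_erp"), ("post_invoice", "sap_erp")},
    "sap_basis_admin": {("read", "sap_erp"), ("admin", "sap_erp"), ("manage_accounts", "directory")},
}
# Roles that reach the administrative back end; in practice brokered through PAM.
PRIVILEGED_ROLES = {"sap_basis_admin"}

def authenticate(user_id: str, password: str):
    """Step 1: is this really the John Smith in the directory? Returns an identity or None."""
    record = DIRECTORY.get(user_id)
    if record is None:
        _hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return None
    return {"user_id": user_id, "roles": list(record["roles"])}

def authorize(identity, action: str, asset: str) -> bool:
    """Step 2: may this authenticated identity perform the action on the asset?"""
    if identity is None:
        return False
    return any((action, asset) in ROLE_PERMISSIONS.get(role, set()) for role in identity["roles"])

def is_privileged(identity) -> bool:
    """Flag identities that hold a privileged role so they can be routed through PAM controls."""
    return identity is not None and bool(PRIVILEGED_ROLES.intersection(identity["roles"]))
```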
Single Sign-On (SSO)
IAM systems usually enable single sign-on (SSO). This is probably a familiar experience for anyone who has worked in a large company. You log in once, and from there, the IAM system signs you into all systems you are authorized to use.
Multi-Factor Authentication (MFA)
When John Smith logs into the corporate network using his username and password, the IAM system is relying on only those two pieces of information to authenticate him for access. In today’s world, this is not a robust way of protecting digital assets from threats. To improve security, many organizations require additional authentication factors. These might include a PIN, a one-time code sent by SMS text message, a secret passphrase or even a biometric identifier, such as a fingerprint. With multi-factor authentication (MFA), the likelihood is much higher that someone claiming to be John Smith is actually our John Smith – and not a malicious actor.
What’s Different about Identity and Access Management in Cloud Computing?
Cloud computing puts digital assets into remote data centers. With cloud computing increasingly pervasive, IAM is taking on more importance.
Given the connection between IAM and governance, risk management and compliance (GRC), it’s worth understanding how cloud IAM works. Cloud identity and access management is comparable to traditional, on-premises IAM – though with a few key differences and challenges:
- The cloud is like a second, totally independent network and data center – If your IAM is set up to authenticate and authorize users on a single, on-premises network, the cloud introduces a totally separate zone of potential access. An IAM system for cloud computing needs to span the corporate premises (including any co-location facilities), as well as the cloud.
- Users of cloud assets can be anywhere – Location is a relatively easy signal to fold into an authentication decision. If John Smith is logging in to the network from his desk at the office, you don’t have to ask where he is; you know. When it comes to remote users, your policy may require them to use a virtual private network (VPN) connection to log on to the network. With the cloud, though, unless you set up a clear access policy and a cloud IAM system, a malicious actor could attempt to log in from anywhere in the world. Given that many malicious actors are abroad, this is a big risk exposure.
- The cloud uses a two-tier approach to security – In almost every cloud computing service agreement (often called the shared responsibility model), the cloud provider (such as Microsoft Azure or AWS) is responsible for securing the cloud infrastructure itself. The client, meaning you, is responsible for access control to what you run there. You have to manage your own cloud IAM.
- Cloud users may not even be people – Today, a lot of users are actually other machines. Machine-to-machine transactions are common, such as when you log in to your banking app, and it then logs you in to your insurance company account. To the insurance company, the user is your app, not you. The IAM system must take into account non-human users. (This is true on-premises and in the cloud, but the cloud makes machine IAM murkier and harder to control.)
- Cloud and on-premises systems blend in hybrid architectures – Most cloud architectures today span on-premises and cloud-based instances of software and data. It’s also quite common for a company to use more than one cloud, a practice known as multi-cloud. Your IAM system must be able to track users as they skip between clouds and on-premises instances with SSO. This is also true of organizations that split their applications between on-premises installations and software-as-a-service (SaaS) solutions.
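An added example (not code from the original post) of one access policy that spans the on-premises and cloud zones above: location only counts as a signal on-prem, cloud and remote human logins must present MFA, and machine identities are admitted only when registered and scoped to a specific asset. The network ranges, principal names and assets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed "known location" ranges: office LAN and the VPN pool.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.50.0/24")]

# Constructed registry of non-human identities and the (zone, asset) pairs each may reach.
SERVICE_IDENTITIES = {
    "banking-app-prod": {"allowed_assets": {("cloud", "claims-api")}},
}

@dataclass
class AccessRequest:
    principal: str
    kind: str          # "human" or "machine"
    source_ip: str
    mfa_verified: bool
    zone: str          # "onprem" or "cloud"
    asset: str

def from_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def evaluate(req: AccessRequest, human_assets: dict) -> Tuple[bool, str]:
    """human_assets maps principal -> set of (zone, asset). Returns (allowed, reason)."""
    if req.kind == "machine":
        svc = SERVICE_IDENTITIES.get(req.principal)
        if svc is None:
            return False, "unregistered machine identity"
        if (req.zone, req.asset) not in svc["allowed_assets"]:
            return False, "machine identity not scoped to this asset"
        return True, "machine identity allowed"
    # Human principals: authorization is checked the same way in both zones...
    if (req.zone, req.asset) not in human_assets.get(req.principal, set()):
        return False, "not authorized for asset"
    # ...but a trusted source network is only meaningful for on-prem access.
    if req.zone == "onprem" and from_trusted_network(req.source_ip):
        return True, "on-prem from trusted network"
    # Cloud assets can be reached from anywhere, so location alone is never enough there.
    if req.mfa_verified:
        return True, "remote or cloud access with MFA"
    return False, "MFA required outside the corporate network"
```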
The Role of Cloud IAM in GRC
GRC activities, especially segregation of duties (SoD), rely on sound cloud identity and access management. If you don’t know who is accessing your systems and data, it’s nearly impossible to control them and ensure the integrity you need for security and compliance. With SoD, for example, where it’s essential to know which user role can perform a given transaction, you must be on top of identity, authentication and authorization. As critical systems like SAP move into the cloud, or partly into the cloud, IAM must keep up in order to maintain strong SoD and comparable controls.
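An added example (not code from the original post or from ControlPanelGRC) of the SoD check described above: roles are flattened to the transactions a user can actually run, and any pair that a rule forbids one person from holding is reported. The transaction names, roles and rules are constructed for illustration.

```python
from itertools import combinations

# Constructed role model: role -> transactions it can perform.
ROLE_TRANSACTIONS = {
    "vendor_master": {"create_vendor", "change_vendor"},
    "ap_clerk": {"post_invoice"},
    "ap_manager": {"approve_payment", "release_payment"},
    "auditor": {"view_ledger"},
}

# Constructed SoD ruleset: transaction pairs one person must never hold together.
SOD_RULES = {
    frozenset({"create_vendor", "approve_payment"}): "could create a fictitious vendor and pay it",
    frozenset({"post_invoice", "release_payment"}): "could post and release their own invoice",
}

def effective_transactions(roles):
    """Flatten a user's roles into the set of transactions they can actually run."""
    txns = set()
    for role in roles:
        txns |= ROLE_TRANSACTIONS.get(role, set())
    return txns

def sod_conflicts(assignments):
    """assignments: user -> list of roles. Returns [(user, txn_a, txn_b, reason), ...]."""
    findings = []
    for user, roles in assignments.items():
        txns = effective_transactions(roles)
        # Check every pair the user holds, so conflicts across roles are caught too.
        for a, b in combinations(sorted(txns), 2):
            reason = SOD_RULES.get(frozenset({a, b}))
            if reason:
                findings.append((user, a, b, reason))
    return findings

def conflicting_role_pairs():
    """Role combinations that are toxic by construction, before anyone is assigned them."""
    bad = []
    for r1, r2 in combinations(sorted(ROLE_TRANSACTIONS), 2):
        txns = ROLE_TRANSACTIONS[r1] | ROLE_TRANSACTIONS[r2]
        if any(rule <= txns for rule in SOD_RULES):
            bad.append((r1, r2))
    return bad
```

Running the pair check against the role catalogue catches a conflict at design time; running sod_conflicts against live assignments is the continuous-monitoring side.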
NTT’s GRC IAM solution
Our ControlPanelGRC meets cloud IAM challenges with its Access Control Suite. It provides the integrated approach needed to identify and assess IAM control failures, potential failures and SoD conflicts. The suite prevents overly broad access to individuals that might outstrip what their role would dictate, and delivers continuous monitoring of access risk and SoD violations – all from an intuitive user interface and with easy-to-read reports.
NTT delivers fast deployment for ControlPanelGRC, backed by proven support and managed services. Working with us means that your ControlPanelGRC implementation will not only be successful, but that your time-to-value and audit readiness will be greatly accelerated.
Interested in learning more about ControlPanelGRC and how to improve IAM in the cloud? Request a free SAP GRC risk assessment.
Scott Goolik is the vice president of SAP security and compliance at the Managed Cloud & Infrastructure Services of NTT.