Identity and Access Management

What is Identity and Access Management and Why is it important to Business?

Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. With an IAM framework in place, information technology (IT) managers can control user access to critical information within their organizations. Identity and access management products offer role-based access control, which lets system administrators regulate access to systems or networks based on the roles of individual users within the enterprise. In this context, access is the ability of an individual user to perform a specific task, such as view, create or modify a file. Roles are defined according to job competency, authority and responsibility within the enterprise. Systems used for identity and access management include single sign-on systems, multi-factor authentication and privileged access management (PAM). These technologies also provide the ability to securely store identity and profile data as well as data governance functions to ensure that only data that is necessary and relevant is shared. IAM systems can be deployed on premises, provided by a third-party vendor through a cloud-based subscription model or deployed in a hybrid cloud.

Basic components of IAM

On a fundamental level, IAM encompasses the following components:
  • How individuals are identified in a system
  • How roles are identified in a system and how they are assigned to individuals
  • Adding, removing and updating individuals and their roles in a system
  • Assigning levels of access to individuals or groups of individuals
  • Protecting the sensitive data within the system and securing the system itself

What IAM systems should include

Identity access management systems should consist of all the necessary controls and tools to capture and record user login information, manage the enterprise database of user identities and orchestrate the assignment and removal of access privileges. That means that systems used for IAM should provide a centralized directory service with oversight as well as visibility into all aspects of the company user base.

Technologies for identity and access management should simplify the user provisioning and account setup process. These systems should reduce the time it takes to complete these processes with a controlled workflow that decreases errors as well as the potential for abuse while allowing automated account fulfillment. An identity and access management system should also allow administrators to instantly view and change access rights.

These systems also need to balance the speed and automation of their processes with the control that administrators need to monitor and modify access rights. Consequently, to manage access requests, the central directory needs an access rights system that automatically matches employee job titles, business unit identifiers and locations to their relevant privilege levels.

Multiple review levels can be included as workflows to enable the proper checking of individual requests. This simplifies setting up appropriate review processes for higher-level access as well as easing reviews of existing rights to prevent privilege creep, the gradual accumulation of access rights beyond what users need to do their jobs.

IAM systems should be used to provide flexibility to establish groups with specific privileges for specific roles so that access rights based on employee job functions can be uniformly assigned. The system should also provide request and approval processes for modifying privileges because employees with the same title and job location may need customized, or slightly different, access.
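The three preceding paragraphs describe one mechanism: the central directory maps job title, business unit and location to a privilege level, exceptions go through a request-and-approval workflow with more review levels for higher-risk access, and periodic reviews compare what a user actually holds against that baseline to catch privilege creep. The following Python block is an added example written for this page, not code from any IAM product it mentions; the role catalogue, privilege names, location rule, review-level policy and employee records are all constructed for illustration.

```python
"""Added example (not from the page's product): role assignment from directory
attributes, an approval workflow for exceptions, and a privilege-creep review."""
from dataclasses import dataclass, field

# Constructed role catalogue: (job title, business unit) -> role.
# Combinations not listed get no role, i.e. deny by default.
ROLE_RULES = {
    ("Accountant", "Finance"): "finance-user",
    ("Controller", "Finance"): "finance-admin",
    ("Engineer", "Platform"): "platform-engineer",
}

# Constructed baseline privileges granted by each role.
ROLE_PRIVILEGES = {
    "finance-user": {"ledger:read"},
    "finance-admin": {"ledger:read", "ledger:write", "ledger:approve"},
    "platform-engineer": {"repo:read", "repo:write", "ci:run"},
}

# Constructed location rule: some privileges are only part of the baseline
# for employees at the listed locations.
LOCATION_RESTRICTED = {"ledger:approve": {"HQ"}}

# Constructed policy: high-risk privileges need two review levels
# (e.g. manager plus resource owner) before an exception is granted.
HIGH_RISK = {"ledger:approve", "prod:deploy"}


@dataclass
class Employee:
    name: str
    title: str
    unit: str
    location: str
    # Entitlements the directory actually holds for this person.
    granted: set = field(default_factory=set)


def assign_role(emp):
    """Match title and business unit to a role; None when no rule applies."""
    return ROLE_RULES.get((emp.title, emp.unit))


def baseline_privileges(emp):
    """Privileges the employee should hold from role plus location rules."""
    role = assign_role(emp)
    base = set(ROLE_PRIVILEGES.get(role, set()))
    for priv, allowed_locations in LOCATION_RESTRICTED.items():
        if priv in base and emp.location not in allowed_locations:
            base.discard(priv)
    return base


def required_review_levels(privilege):
    """Number of independent approvals an exception request must carry."""
    return 2 if privilege in HIGH_RISK else 1


def request_privilege(emp, privilege, approvals):
    """Exception workflow: grant only when enough distinct reviewers approved.

    `approvals` is the list of reviewer identifiers who signed off.
    Returns True if the privilege was added to the employee's entitlements.
    """
    if len(set(approvals)) < required_review_levels(privilege):
        return False
    emp.granted.add(privilege)
    return True


def review_privileges(emp):
    """Compare held entitlements against the baseline.

    Returns (excess, missing): `excess` is privilege creep or a location
    violation that a reviewer should revoke or justify; `missing` is
    baseline access the provisioning workflow has not yet fulfilled.
    """
    base = baseline_privileges(emp)
    return emp.granted - base, base - emp.granted


def run_review(employees):
    """Review a population and report only accounts with findings."""
    findings = {}
    for emp in employees:
        excess, missing = review_privileges(emp)
        if excess or missing:
            findings[emp.name] = {"excess": excess, "missing": missing}
    return findings


if __name__ == "__main__":
    # Constructed sample directory entries.
    staff = [
        Employee("alice", "Accountant", "Finance", "Berlin", {"ledger:read", "ledger:write"}),
        Employee("bob", "Controller", "Finance", "HQ", {"ledger:read"}),
        Employee("carol", "Controller", "Finance", "Berlin",
                 {"ledger:read", "ledger:write", "ledger:approve"}),
        Employee("dave", "Intern", "Marketing", "Berlin", {"repo:read"}),
    ]
    for name, finding in run_review(staff).items():
        print(name, finding)
```

Running the block flags alice (a write privilege her role does not grant), bob (baseline access not yet provisioned), carol (an approval privilege that her location rule excludes) and dave (an entitlement with no matching role at all), which are the cases a periodic access review is meant to surface. An exception request for a high-risk privilege with a single approval is refused; the same request with two distinct reviewers is granted and then shows up in the next review as excess unless the baseline is updated.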

IAM in the enterprise

It can be challenging to get funding for IAM projects because they do not directly increase an organization’s profitability or functionality. However, a lack of effective identity and access management poses significant risks not only to compliance, but also overall security. These mismanagement issues increase the risk of greater damages from both external and internal threats. Keeping the required flow of business data going while simultaneously managing its access has always required administrative attention. The business IT environment is ever evolving and the difficulties have only become greater with recent disruptive trends like bring your own device, cloud computing, mobile apps and an increasingly mobile workforce. There are more devices and services to be managed than ever before, with diverse requirements for associated access privileges.

How Vouch dIAM Solves the Primary Security Issue facing all Identity Access Management Systems

Vouch dIAM (decentralized Identity and Access Management) complements existing IAM systems using a decentralized blockchain technology approach that maintains a high ground against hackers. Vouch solves the single point of failure of centralized identity access management (IAM) systems: all of the user passwords being stored in a single “centralized” place. These certificate authorities are the primary weakness responsible for a large percentage of the major personal data breaches. Once a breach is achieved, since all of the user passwords are stored in a single place, a hacker can effectively gain access to every user’s personal data in the entire system. With Vouch, each user’s credentials are stored separately in a unique block on the chain. Each block is secured in a layer of high-security encryption. This encryption is the same level of cryptography protecting today’s cryptocurrency systems; as of the time of this writing, the estimated cost of one hour of computing to attempt to break a bitcoin block is over US$1,000,000 per hour. If a hacker were able to crack an individual identity block on the chain, they would only get access to a single user’s credentials (which actually contain no PII), ensuring that the effort is simply not worth the reward for the hacker.

Vouch dIAM Integrates with existing Identity Access Management Systems

Vouch dIAM is easily integrated into Enterprise Identity Provider (IDP) and Identity Access Management (IAM) solutions from suppliers such as Forgerock™, Idaptive™, Okta®, Ping Identity® or Microsoft® ADFS or Azure™ using SAML and OpenID Connect. Vouch dIAM complements existing IAM systems by adding security, improving the user experience and reducing cost in the following ways:
  1. Remove the source of breached password databases – by replacing centralized password storage with decentralized blockchain storage of user credentials (see Vouch System Overview).
  2. Completely eliminate passwords and related password reset costs – Passwords are a security weakness, a terrible user experience and costly for the enterprise to support (see Cost of Password Resets).
  3. Use modern MFA security factors – simplify the user experience while also providing the added security of MFA with innovative security factors like personas and quorums, modern factors such as biometrics and the user’s device ID, and (coming soon) location, time of day and network/IP address factors (see Multifactor Authentication).
  4. Protect user credentials – by not storing any Personally Identifiable Information (PII), and by enabling the assertion of users’ credentials through biometrics that reduce user friction, Vouch is more secure than passwords.