Identity and Access Management

Given the rise in identity-focused breaches and the continuously growing number of identities, identity and access management has emerged as a cornerstone for safeguarding enterprise systems. By orchestrating secure authorization and authentication, IAM serves as the digital gatekeeper, granting controlled access to diverse resources — from on-premises databases to cloud-based applications. Recognizing the weaknesses of traditional password-based authentication, the industry is transitioning to more robust and multi-layered methods.

In this Refcard, we delve deep into IAM's crucial role in modern cybersecurity. We outline the primary functions and principles that underpin IAM, highlight its significance, address common challenges faced by engineering teams implementing IAM policies, and focus on the core IAM practices.

At its core, identity and access management is about ensuring that the right entities (users, devices, services, apps, etc.) have the right level of access to the right resources for the right reasons. IAM involves processes, policies, and tools that manage user authentication, and it provides control over user validation and resource access via permissions, roles, and privileges. The goals of IAM are to enhance security by controlling access to systems and safeguarding data against unauthorized access — as well as to maintain regulation compliance.

Core Functions and Principles of IAM

IAM solutions, irrespective of their vendor, offer essential core functions concerning the security of the users and the digital identities under the solution's management. These core functions are based on a crucial framework of security principles.

Authentication

The goal of authentication is to verify the identity of an entity (subject) that is requesting access to a system or resource. The subject's identity is validated by provided credentials, such as usernames and passwords, certificates, biometric data, or security tokens. IAM offers a set of authentication mechanisms suitable for each use case and logs authentication events for auditing.

Authorization

Successful authentication verifies the identity; however, it does not — and should not — necessarily grant access. To this end, IAM also performs authorization checks before granting access. During authorization, IAM checks the request against the predefined authorization policies that specify the permissions for each identity (principal). Most IAM systems operate on a deny-by-default principle, granting access only if explicit permissions permit.

User, Identity, and Policy Lifecycle Management

IAM automates and manages the end-to-end user identity lifecycle, including their access rights and policies, streamlines user provisioning and offboarding, and performs stale account cleanup. These actions reduce possible delays with deprovisioning, avoiding any security risks while also ensuring compliance.

Credential Management

IAM handles the creation, storage, and administration of both short- and long-term authentication factors like usernames, passwords, multi-factor authentication (MFA) tokens, access tokens, API keys, and biometric factors. IAM enforces password requirements and credential hygiene, and it adheres to the principle of least privilege.

Principle of Least Privilege

The principle of least privilege (PoLP) is a foundational principle of IAM that requires users and identities to be granted the minimal required access to perform their intended tasks — and no more. The PoLP goes beyond human access and is applicable to all types of identities, including machines, devices, services, and application identities. The main advantage of the PoLP is that it reduces the attack surface, limits the impact of attacks, and mitigates unauthorized access.

Over-privileged identities increase the extent of damage to critical systems should a breach occur, and they enable lateral movement, allowing attackers to gain a deeper level of access in a network. An equally significant principle is the one mandating the least duration of access, which enforces time-bound access, effectively reducing the window of unauthorized access.

Figure 1: The principle of least privilege

Principle of Separation of Duties

Another fundamental concept of IAM is the separation of duties (SoD) principle, which requires the distribution of conflicting application permissions across different individuals. This prevents one person from controlling multiple critical processes — otherwise, they could perform fraudulent activities or compromise the system's integrity. SoD significantly reduces the reliance on high-privileged IAM members, thereby minimizing the risk of insider threats and potential misuse of permissions.

Zero Trust

Zero trust is a cybersecurity strategy that naturally aligns with IAM. Zero trust is primarily based on the concepts of "never trust, always verify" and "assume everything is hostile by default." It is driven by three core principles:

1. Assume breach
2. Verify explicitly
3. Enforce the principle of least privilege

Zero trust requires IAM to enforce strong identity verification, adaptive authorization, controls, continuous monitoring of access requests, and logging of key security metadata like logins, timestamps, applications, and locations. This data collection process enables the creation of a consistent audit trail.

Technology Trends Shaping the IAM Landscape

IAM has expanded its scope to provide a unified identity management solution with advanced access management and federation mechanisms, enabling seamless identity integration and access control across cloud environments, IoT devices, big data analytics platforms, and DevOps pipelines. This evolution empowers organizations to efficiently manage digital identities in modern, complex, and interconnected technological environments.

How technology trends shape the IAM landscape:

• Cloud computing – In cloud environments, firewalls are insufficient for defining the entirety of its perimeter. IAM shifted to facilitate the management of access policies on identities and resources, forming a more realistic security perimeter centered around access vs. network-centric attributes (e.g., IP addresses).
• Internet of Things (IoT) and mobile – Mobile devices and IoT introduce complexities in handling the unique identities and access requirements of a growing network of endpoints.
• Big data – Big data analytics enhance IAM by enabling the use of data-driven insights for analyzing identity-related data to detect patterns and anomalies in user behavior, helping mitigate unauthorized access attempts.
• DevSecOps – IAM solutions evolved to offer automated identity provisioning, access control configuration as code, and scalable policy enforcement across the SDLC. In DevSecOps environments, IAM policies are defined and tested via automated IAM pipelines that eliminate bottlenecks associated with manual policy validation and deployment.

IAM Challenges

Setting up and operating an IAM solution securely and efficiently has certain challenges, especially in complex and large enterprise environments.

User and Device Identification

The proliferation of distributed and decentralized environments, IoT, connected devices, bring-our-own-device (BYOD) policies, remote user access, and custom user authentication journeys demand secure endpoint device provisioning, de-provisioning, and device-to-user association (identification). IAM solutions allow integration with mobile device management (MDM) solutions to accurately and securely identify devices and identities in order to establish a strong security perimeter.

Identity Threat Detection and Response

Specialized solutions, called identity threat detection and response (ITDR), have been developed to address the rising number of critical identity-based attacks. ITDR solutions monitor, collect, and analyze user activity and access management logs generated by multiple IAM solutions, and they aim to detect, prevent, and respond to identity-based threats.

Implementing ITDR is essential due to its ability to promptly identify compromised IAM systems and enable quick investigations, real-time detection of identity activity anomalies, exposure of security misconfigurations, and identity analytics. By focusing on identity threat detection and response, organizations can effectively mitigate risks associated with identity breaches.

Privacy and Governance

IAM solutions capture and store sensitive user information, including personal data such as names, email addresses, and in certain cases, even biometric information for authentication. One challenge is finding the correct balance between the requirement of collecting and using user data and respecting user privacy rights and data protection regulations. As IAM systems handle increasing amounts of personal data, there is growing concern about how this information is stored, retained, used, accessed, and shared.

Another major security challenge is the potential theft of biometric data. Organizations that collect and store IAM data need to have a clear understanding of the type of user data they collect, what is actually necessary, when and how to dispose of unnecessary data, and how user data is stored. To ensure data security and user privacy, organizations should implement strong encryption at rest, in transit, and in use — as well as fine-grained access control policies — to prevent unauthorized access to sensitive user information and minimize the impact of potential data breaches.

Overly Permissive Identities and Privilege Abuse

Despite the principle of least privilege being fundamental for defining access policies in IAM, cases of privilege escalation or unauthorized access due to excessive permissions continue to be prevalent. Most over-permissive identities occur due to policy misconfiguration, unhardened IAM permissions, a lack of regular access reviews, and manual policy lifecycle management.

Now, let's take a look at some key core practices of identity and access management.

Credential and Identity Hygiene

As a fundamental block of a cybersecurity strategy, credential and identity hygiene plays a pivotal role in identity security:

• Prevents dormant and orphaned accounts, users, identities, roles, permissions, and groups
• Addresses vulnerable identities, weak passwords, identity sprawl, and permission creep
• Guarantees that access is aligned with each identity's changing roles and responsibilities, minimizing the potential for overprovisioning and unauthorized access

Lacking a well-designed credential and identity hygiene policy can dramatically increase the attack surface for unauthorized access, so it's critical for security teams to regularly perform a comprehensive audit of existing identities, access privileges, and credentials.

Legacy Authentication Protocols

Legacy authentication protocols have inherent weaknesses that attackers can exploit by employing tactics — such as brute-force attacks, password spraying, and man-in-the-middle attacks — in order to gain unauthorized access. Examples of such legacy and insecure authentication protocols include NTLM, basic authentication (username and password), and any IAM solution that uses insecure cipher suites and algorithms, or lacks support for MFA and interactive sign-ins. It is highly recommended to disable all legacy authentication protocols, enable security defaults, and apply conditional access policies, as described next.

Conditional Access

Conditional access extends an organization's first-factor authentication by combining real-time identity signals in order to grant or deny access based on predefined conditions. By implementing conditional access, organizations can enforce context-aware access controls, taking into account factors such as user location, device health, roles, risky sign-in behaviors, resources accessed, etc.

Conditional access helps organizations align their IAM strategy with the guiding principles of zero trust by allowing them to define access policies according to the business' risk levels, needs, and compliance requirements, ensuring that the right users access the right resources under the appropriate circumstances.

Figure 2: How conditional access works

Just-in-Time Access

Just-in-time (JIT) access is another critical cybersecurity process that aligns with the zero-trust security model. JIT provides users, applications, or systems privileged access to a resource only for a limited period of time and on an as-needed basis. This way, JIT:

• Reduces the attack surface by minimizing the number of standing credentials and privileges
• Enforces the principle of least privilege by granting only the minimal level of access required for a specific task
• Improves the auditability and accountability of access requests and actions by logging and monitoring them

Using JIT, the need for standing (long-term) credentials is removed; thus, the risk of credential theft or misuse is significantly reduced.

Multi-Factor Authentication

Multi-factor authentication is a simple best practice that adds extra forms (factors) of authentication on top of the first form of authentication, which is typically the combination of a username and password. When enabled, MFA requires at least one of three types of additional information:

1. Something you know, such as a password, a PIN, or an answer to a security question. This is typically the first factor of authentication.
2. Something you have, such as a one-time token generated by a smartphone app or a hardware token.
3. Something you are, such as biometric data like fingerprint scans or facial recognition.

MFA can be enabled to verify the MFA token during the sign-in process; before privileged actions, including password changes or financial transactions; or as a response to any unusual user activity.

Passwordless Authentication

Traditional authentication using passwords is susceptible to several security issues, including brute forcing, dictionary attacks, credential stuffing, and credential theft through phishing attacks and data breaches. Even if eight-character passwords use combinations of letters, numbers, and symbols, they can be cracked in less than 60 minutes. Password managers can also be compromised, exposing credential and personal details to malicious actors, as was the case of the recent LastPass security incident that allowed unauthorized access to cloud backups.

Passwordless authentication is the future of authentication, and all tech giants recently announced that they would support FIDO2 to enable passwordless authentication across devices. By eliminating the reliance on passwords and adopting advanced methods like biometrics, hardware tokens, or push notifications on mobile apps, passwordless authentication establishes a more secure user authentication process.

Role-Based Access Control

Role-based access control (RBAC) is an authorization strategy that organizes privileges according to specific roles, providing access rights and permissions associated with those roles. RBAC allows permissions to be grouped for collective assignment and revocation. Altering role permissions can quickly modify permissions for a group of users rather than tens or hundreds of individual users, simplifying administration efforts.

Every RBAC implementation requires careful planning by the IAM engineering team, which should define the roles and perform periodic reviews to validate assigned permissions, helping maintain the least privilege and avoid separation of duties conflicts.

Below is pseudocode illustrating a basic implementation of an RBAC authorization check:

if (user.hasRole("admin") or user.isPermitted(somePermission)) {
   // user is authorized to access the protected resource
}
else {
   // user is not authorized to access the protected resource
}

Single Sign-on

Single sign-on (SSO) is an important feature that enhances IAM security by simplifying user access to multiple applications with a single set of credentials without having to log in to each app separately. Once a user authenticates using SSO, a digitally signed certificate or token is generated, serving as a security key for accessing other apps. This approach allows administrators to centrally control IAM requirements like credential hygiene and MFA, significantly reducing the chances of weak passwords or password reuse. SSO also streamlines user provisioning and deprovisioning and enhances the overall user log-in experience as it eliminates the problem of credential entry fatigue.

Privileged Identity and Access Management

Privileged access management (PAM) and privileged identity management (PIM) are integral to IAM. Even though they share similarities, they offer complementary roles in organizational security:

• PIM centralizes the management of privileged identities, ensuring time-bound access to sensitive resources enforced through granular role-based authorization. It encompasses privileged account discovery, centralized provisioning, strong password policies, temporary privileges, monitoring, and auditing, ensuring strict security and efficient control over elevated access.
• PAM broadens its scope with detection and access controls for privileged identities, encompassing privileged identity discovery, baseline establishment, policy-based privilege adjustments, and real-time monitoring for privilege misuse and policy changes.

The terms PIM and PAM are oftentimes used interchangeably due to overlapping functionalities offered by various vendors.

Customer Identity and Access Management

While identity and access management focuses on internal users like employees and contractors, customer identity and access management (CIAM) platforms are designed to manage external user identities, such as customers, partners, and suppliers. More specifically, CIAM's main use cases are business-to-business (B2B), business-to-consumer (B2C), business-to-business-to-consumer (B2B2C), business-to-business-to-employee (B2B2E), and machine-to-machine (M2M) authentication and authorization.

CIAM is often regarded to be at the forefront of digital transformation. Modern CIAM platforms are built upon five fundamental pillars: personalized customer experience, frictionless developer experience, security and future-proof authentication, privacy and compliance, and scalability and high availability.

Personalized Customer Experience

Customer experience is a top concern in CIAM. CIAM platforms streamline user onboarding and registration processes, offering features like self-service account management, SSO, and social login options. Social login is a critical component of the customer experience in CIAM that enables customers to use their existing digital identities, also known as bring your own identity, such as those from Facebook, Microsoft, and Google. Another important component of the overall customer experience is the full customization and personalization of the user interfaces, the login pages, the user journeys, emails, and the authentication workflows. This ensures alignment with each customer’s branding across all devices (mobile, tablet, desktop).

Frictionless Developer Experience

To facilitate seamless integration, CIAM platforms provide tools such as quick-start application wizards, software development kits (SDKs), and low-code interfaces that simplify complex workflows. This developer-friendly approach enables efficient incorporation of authentication and user management features into applications without requiring deep identity management expertise. Additionally, CIAM platforms provide a set of APIs enabling seamless integration with various enterprise applications and services and providing a unified view of customer data across the organization. Using off-the-shelf integrations, developers can seamlessly embed identity management into content management systems, marketing automation tools, customer relationship management platforms, enterprise resource planning systems, and business analytics.

Security and Future-Proof Authentication

Customer identity and data security is of critical importance in CIAM. Modern CIAM solutions prioritize robust security controls, including MFA, adaptive access control, passwordless authentication, rate limiting, password compliance, breach detection, fraud detection, and identity verification and proofing. Single-tenant architectures further enhance security by isolating customer data, thereby minimizing the risk of cross-tenant data breaches.

Privacy and Compliance

CIAM manages customer identity data, protection of which is heavily regulated, and adherence to global privacy regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), is a critical aspect of CIAM platforms. CIAM platforms incorporate consent management services that empower users with granular control over how their personal data is processed and shared, ensuring compliance and user trust.

Scalability and High Availability

Modern CIAM platforms are designed to handle millions of users, ensuring high availability and low latency for seamless login experiences, even during peak traffic times. To achieve this, they employ distributed architectures that eliminate single points of failure, ensuring redundancy and disaster recovery capabilities. CIAM solutions should offer transparent total cost of ownership with clear and predictable pricing models that scale with user needs, avoiding hidden fees and restrictive licensing.

Data Perimeters

A data perimeter consists of preventive measures that ensure trusted identities, such as IAM roles and users, access resources from expected networks. These guardrails establish a protective boundary across accounts and resources, and enhance security by enforcing security standards, preventing unauthorized access and improving data loss prevention strategies. Data perimeters establish controls through resource-based, identity-based, and network access policies. They ensure IAM users, roles, and resources adhere to defined security standards, reducing the risks of privilege escalation and insider attacks. Additionally, data perimeters prevent external sharing of resources, mitigating data loss risks effectively.

IAM Configuration Verification

In large environments with a large number of users, roles, permissions, microservices, cloud services, and APIs, IAM configurations can become very complex and prone to human errors. As the number of IAM objects and their scopes grow, the risk of misconfigurations also rises. Automated checks enforce IAM best practices using policy as code and static IAM configuration scans at build time. Cloud providers also offer native tools for enhanced permissions management, generating fine-grained policies and verifying permissions while identifying and removing unused access permissions for more secure IAM configurations.

Centralized and Decentralized Identity Management

Centralized identity management enables access to multiple applications with the same credentials by storing user identity data in a single, central identity store. This strategy enhances user convenience, simplifies administration, improves security monitoring, and streamlines access (often with SSO), reducing friction and fatigue. However, centralized identity management can introduce a single point of failure and poses risks if the identity store is compromised.

In contrast, decentralized identity management distributes access across various environments. Users store identity data in a digital wallet on their devices, using unique public and private keys to share only necessary transaction information. Decentralized models emphasize unidirectional trust relationships, ensuring user data control and privacy through advanced cryptographic techniques like self-sovereign identity and verifiable credentials.

Identity and access management, rightly so, is at the core of modern cybersecurity, safeguarding systems against unauthorized access, data loss, and misuse of sensitive data. IAM orchestrates secure authorization and authentication, acting as the digital gatekeeper of resources. In this Refcard, we examined IAM's core functions, principles, challenges, and practices for success. As cybercriminals become more sophisticated, IAM technologies also advance, bringing forth novel identity protection measures.

Implementing IAM is a journey, and to stay up to date with the latest developments, it is highly recommended to study the latest resources from the Identity Defined Security Alliance (IDSA) and to participate in identity-focused conferences, such as the Identiverse and the Cloud Identity Summit.

Additional resources:

• Authentication and Authorization Cheat Sheets, OWASP
• "Identity and Access Management Best Practices," Maria Pelagia
• "IAM Best Practices," Dwayne McDaniel
• OAuth Patterns and Anti-Patterns Refcard, Aaron Parecki
• "Privacy and the 7 Laws of Identity," Jackson Shaw
• "Designing Secure Authentication and Identity Management," Joey Dantoni
• "What is Customer Identity and Access Management (CIAM)? CIAM Explained," FusionAuth
• "Scaling Your Auth - Best Practices for Performance and Security," FusionAuth
• "How Passwordless Authentication Works - A Deep Dive," FusionAuth
• "Why Adaptive MFA is a Game Changer for User Experience," FusionAuth