Identity and Access Management, or IAM, is becoming a key component of business information systems as we see a growing trend towards outsourced applications, attacks on identity, and a need to centrally manage and secure applications that are not always within our control. Identity is the new security boundary, and IAM systems and approaches are the key to ensuring that boundary holds against whatever comes at it. If you have a single system outside of your on-premises data center and integrated with your Active Directory that your users are using, you need IAM. To achieve a state of IAM Nerdvana, you need to ensure you have considered these six key points.

Who are you?

It’s like Roger Daltrey croons…who are you? The first pillar of any IAM is determining not only who a user is, but how they are identifying themselves. Windows uses either a sAMAccountName or a UserPrincipalName, and Microsoft’s recommendation is to make the UPN match their email address. This is a pretty good idea to start with, since it is intuitive to users. Don’t worry about it being something easily determined…if the secrecy of your username is your first line of defence you have many more problems than we can go into here.

How do you prove it?

What multifactor authentication method are you going to use? You’re not? Then you’re doing it wrong. Simply relying upon username/password practically guarantees you are going to have an incident, and soon. Use 2FA to prevent phishing attacks, shoulder surfing, brute forcing, or even just simple guessing from breaching your security. There are lots of options here. You could use smart cards or key fobs or apps on your mobile phone. I prefer the last, since these days, everyone has a mobile device and they almost never forget to carry it.

Where do you store details about your users?

The best answer for most of you is going to be Active Directory. Between workstation management, internal resources hosted by Windows servers, LDAP, Kerberos and token-based authentication, AD can cover most needs. But don’t just assume that. There are other options. You need to assess what is in your environment now, and what may be in the future, and go for the best option. I still think it will be AD, but confirm that.

What do you want to support with your IAM?

Then comes the question of what you want to permit to use that store. You need to establish some form of relationship with the store so that it can be consumed. In AD, if you join a machine to the domain, that machine can consume resources, including identity, from AD. External systems may also be able to do that, indirectly through a federation trust or using legacy protocols like LDAP. If you are going to use LDAP, make sure it’s LDAP/S and use a third-party CA for the certificate. There are a ton of third-party IdPs that can use Active Directory as their source of authority, including Microsoft’s own ADFS, CA SiteMinder, PingFederate, Okta, and more. Look at the various cloud-based services you may want to use, and make sure the IdP has full support for them. There are standards, but sometimes they are more like guidelines, and not all IdPs are truly equal. But back to the IAM. If all your applications are directly based on Active Directory users and groups, there’s little more for an IAM to do. But what if you have LOB applications running on Linux or Unix, or <gasp> RACF? What if you have to provision user accounts in SaaS apps hosted in one of the many clouds or in a hosted app? The idea behind using an IAM to provision users is that it should automate setting up all of the accounts and access they need. Make sure you take all your apps into consideration when you are planning.

What standards do you need to support?

This one is key. How do you want users to authenticate? You can auth over LDAP (make bloody sure you’re using SSL if you do, since that’s just username/password and probably won’t have support for MFA) or you can use Kerberos, which plays well with both Windows and Linux. NTLM may still be required for legacy apps. When you go to do federation, look at what is required by the apps you are considering. SAML is the buzzword today, but there are different versions of SAML, and it is not the only federation auth protocol in use. There are several within the WS-* block, including WS-Fed and WS-Trust. You want to make sure that the authentication part of your IAM solution covers all the bases you will need, as it is rare for a hosted app to adjust itself to meet your system. You usually have to adjust yours to fit the app.

How do you provision, and more importantly, deprovision users?

We saved the best, or at least the most important, for last. The whole point of using an IAM solution is to automate the provisioning and deprovisioning of users. This helps to ensure a consistent, predictable, reliable and repeatable process for onboarding new hires; for handling job changes by removing permissions to resources no longer accessed in the new role while granting access to those resources now needed; and, in the event a user’s employment relationship comes to an (abrupt) end, for deprovisioning the user quickly and completely to cut off their access before bad things can happen.

Is the IAM the starting point for actions, or does it initiate them based on an external feed? Does it provide data to the HR system, or does it get data from the HR system? Is that a push or a pull? Which system is authoritative for user data, and will it support user self-service for updates? Consider all of these in your selection criteria as well as your design, and take this tip to heart.

No matter which system you use, if you have any Windows systems on your network and plan to use any application that leverages Active Directory, like, say, Exchange, then don’t make the mistake of trying to treat Active Directory as a read-only repository of information. Exchange reads and writes data to Active Directory all the time. If you have an IAM system that thinks it owns everything (I’m looking at you, CA IdentityMinder!) you’re setting yourself up for a world of hurt, countless workarounds, and limitations with products that want to update Active Directory. Can you get things working in this scenario? Absolutely. Just budget for the professional services or in-house expertise to do all that special work!
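As an added illustration of the joiner/mover/leaver automation described above (example code, not from the original post), here is a reconciliation pass that treats the HR feed as the authoritative source, pulls it, and emits the provisioning actions for AD. The role-to-group mapping, the feed and the directory snapshot are constructed sample data, and the pass deliberately touches only the groups it owns, so the IAM does not trample memberships or attributes that Exchange or other products maintain.

```python
from dataclasses import dataclass
# Constructed sample data: which AD groups each HR job role should carry.
ROLE_GROUPS = {
    "finance-analyst": {"FIN-Readers", "VPN-Users"},
    "finance-manager": {"FIN-Readers", "FIN-Approvers", "VPN-Users"},
    "contractor-dev": {"DEV-Repo", "VPN-Users"},
}
MANAGED_GROUPS = set().union(*ROLE_GROUPS.values())  # groups the IAM owns; all others are left alone

@dataclass
class HrRecord:        # one row of the HR feed (HR is authoritative; the IAM pulls from it)
    upn: str           # UPN == email address, as the post recommends
    role: str
    active: bool

@dataclass
class DirectoryUser:   # current state of the AD account
    upn: str
    enabled: bool
    groups: set

def reconcile(hr_feed, directory):
    """Return (action, upn, target) tuples that bring AD in line with the HR feed."""
    actions = []
    hr = {r.upn: r for r in hr_feed}
    ad = {u.upn: u for u in directory}
    for upn, rec in hr.items():
        wanted = ROLE_GROUPS.get(rec.role, set()) if rec.active else set()
        user = ad.get(upn)
        if user is None:                       # joiner: no account yet
            if rec.active:
                actions.append(("create", upn, rec.role))
                actions += [("add-group", upn, g) for g in sorted(wanted)]
        elif not rec.active:                   # leaver: disable first, then strip every group
            if user.enabled:
                actions.append(("disable", upn, None))
            actions += [("remove-group", upn, g) for g in sorted(user.groups)]
        else:                                  # mover: touch only the groups the IAM owns
            held = user.groups & MANAGED_GROUPS
            actions += [("remove-group", upn, g) for g in sorted(held - wanted)]
            actions += [("add-group", upn, g) for g in sorted(wanted - held)]
    for upn in sorted(ad.keys() - hr.keys()):  # account with no HR record: flag, never auto-delete
        actions.append(("review", upn, None))
    return actions

# Constructed sample HR feed and directory snapshot.
SAMPLE_HR = [HrRecord("alice@example.com", "finance-manager", True),   # promoted from analyst
             HrRecord("bob@example.com", "contractor-dev", True),       # new hire
             HrRecord("carol@example.com", "finance-analyst", False)]   # employment ended
SAMPLE_AD = [DirectoryUser("alice@example.com", True, {"FIN-Readers", "VPN-Users", "DL-AllStaff"}),
             DirectoryUser("carol@example.com", True, {"FIN-Readers", "VPN-Users"}),
             DirectoryUser("dave@example.com", True, {"VPN-Users"})]   # present in AD, unknown to HR
```

Running `reconcile(SAMPLE_HR, SAMPLE_AD)` adds only FIN-Approvers for Alice (her Exchange-style DL-AllStaff membership is untouched), creates and populates Bob, disables Carol before stripping her groups, and flags Dave for review rather than deleting an account the IAM knows nothing about.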

Identity and Access Management is key to both reliably consistent and straightforward administration, and strong security. That’s not something you can do by hand unless you’re a very small organization indeed. If you are looking into IAM, consider the six pillars to hold your infrastructure up, and you will do very well indeed.