Overview
Identity and access management (IAM) is a centralized and consistent way to manage user identities (i.e., people, services, and servers), automate access controls, and meet compliance requirements across traditional and containerized environments. One example of an IAM solution is when employees use a VPN to access company resources for remote work.
IAM is part of the solution to ensuring the right people have access to the right resources—particularly across multiple cloud instances. IAM frameworks are essential for managing identities across bare metal, virtual, hybrid cloud, and edge computing environments from a centralized location to help mitigate security or compliance risks.
Understanding IAM methods
IAM methods control access to on-premises and cloud assets, applications, and data based on user or application identity and administratively defined policies. IAM methods are found in every stage of the DevOps lifecycle and can help protect against unauthorized system access and lateral movement.
IAM concepts include:
- Authentication: verifying the identity of users, services, and applications.
- Authorization: granting the authenticated users access to specific resources or functions.
- Identity providers, secret vaults, and hardware security modules (HSMs) allow DevOps teams to manage and safeguard security credentials, keys, certificates, and secrets at rest and in transit.
- Provenance: verifying the identity or authenticity of code or an image, typically through a digital signature or attestation record.
As the security landscape evolves, IAM can include additional features like artificial intelligence (AI), machine learning (ML), and biometric authentication.
Authentication: managing user identities
Authentication is the process of confirming or verifying a person’s identity. A user identity (or digital identity) is the set of information used to authenticate a person, service, or even IoT device to specific groups of enterprise data or networks. A basic example of authentication occurs when a person logs into a system with a password; the system can verify the presented identity by checking the given information (password).
The authentication process captures login information and allows IT administrators to monitor and manage activity across the infrastructure and services.
There are several approaches to implementing a security policy that can help increase the security of your environment while still maintaining usability for your users. Two common ones are single sign-on (SSO) and multi-factor authentication (MFA).
- SSO: Without SSO, each service, device, and server requires its own separate authentication. SSO configures a central identity service that participating services query to verify users, so users authenticate once and can then access multiple services.
- MFA: An extra layer of security that requires multiple checks to verify an identity before granting access. For this method, consider using cryptographic devices such as hardware tokens and smart cards, or configure authentication types such as passwords, RADIUS, password plus OTP, PKINIT, and hardened passwords.
You can also use other tools within your infrastructure to make it easier to manage identity, especially in complex or distributed environments like cloud or CI/CD pipelines—where user authentication can be challenging to implement effectively. System roles can be especially beneficial in a DevSecOps environment. With consistent and repeatable automated configuration workflows, IT administrators can save time and resources, reducing the burden and manual tasks associated with deployment, identity administration, and provisioning/de-provisioning over time.
Authorization: defining access
Authentication is the process of identifying who is trying to access a service. Authorization defines what users can do with that service, such as editing, creating, or deleting information.
Access controls take identity management a step further by assigning predetermined access rights to a user identity. These controls are often assigned during account setup or user provisioning and operate under “least privilege,” a foundation of the Zero Trust model.
Least privilege gives users access only to the resources they need for a specific purpose, such as a project or task, and allows them to take only the required actions (permissions). Access policies can also limit how long access to specific resources remains available.
For example, an employee may have permission to access a broader range of resources than third parties like contractors, partners, suppliers, and customers. If a user is approved for a different level of access, IT administrators can go into the identity database and make user adjustments as needed.
Access management systems that follow least privilege include privileged access management (PAM) and role-based access control (RBAC).
PAM is the most crucial type of access control. Admins and DevOps personnel receiving these assignments typically have unrestricted access to sensitive data and can change enterprise applications, databases, systems, or servers.
RBAC defines roles (collections of users) and then grants those roles permissions on resources or functions based on their job responsibilities. RBAC makes applying access rights consistent and clear, simplifying administration and onboarding and reducing privilege creep. RBAC can help save time and resources by automating the assignment of access rights based on a user’s role within an organization.
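The role-based, least-privilege model described above (roles that carry permissions, users assigned to roles, time-limited grants, deny by default), as an added example that is not from the original article or any particular IAM product; the role names, resources, and users are constructed sample data:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
# Hypothetical RBAC model, not tied to any IAM product: a role is a named set of
# (resource, action) permissions; users get roles, optionally time-limited.
ROLE_PERMISSIONS = {
    "employee": {("wiki", "read"), ("wiki", "edit"), ("tickets", "read"), ("tickets", "create")},
    "contractor": {("tickets", "read")},
    "dba": {("db", "read"), ("db", "write"), ("db", "delete")},
}

@dataclass
class RoleAssignment:
    role: str
    expires: Optional[datetime] = None  # None means a standing assignment

@dataclass
class User:
    name: str
    assignments: list = field(default_factory=list)

def active_roles(user: User, now: datetime) -> set:
    """Roles whose assignment has not expired at `now`; expired grants drop out."""
    return {a.role for a in user.assignments if a.expires is None or now < a.expires}

def is_authorized(user: User, resource: str, action: str, now: Optional[datetime] = None) -> bool:
    """Deny by default: grant only if an active role holds exactly (resource, action)."""
    now = now or datetime.now(timezone.utc)
    return any((resource, action) in ROLE_PERMISSIONS.get(r, set())
               for r in active_roles(user, now))

def effective_permissions(user: User, now: datetime) -> set:
    """Union of all active roles' permissions: what an access review would list."""
    perms = set()
    for r in active_roles(user, now):
        perms |= ROLE_PERMISSIONS.get(r, set())
    return perms

# Constructed sample data: an employee, and a contractor with a 30-day DBA grant.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
T31 = T0 + timedelta(days=31)  # one day after the contractor's grant expires
ALICE = User("alice", [RoleAssignment("employee")])
BOB = User("bob", [RoleAssignment("contractor"),
                   RoleAssignment("dba", expires=T0 + timedelta(days=30))])

if __name__ == "__main__":
    print(is_authorized(ALICE, "wiki", "edit", T0))   # True
    print(is_authorized(BOB, "wiki", "edit", T0))     # False: contractor role lacks it
    print(is_authorized(BOB, "db", "delete", T0))     # True: time-limited DBA grant active
    print(is_authorized(BOB, "db", "delete", T31))    # False: grant has expired
```

Because every check goes through the role table, an access review only needs to inspect `ROLE_PERMISSIONS` and the active assignments, which is what keeps privilege creep visible.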
Choosing the right IAM solution
IAM provides built-in security through the app development pipeline and is crucial for implementing DevSecOps in your organization. It is one of the building blocks for creating a layered approach to security across bare-metal, virtual, container, and cloud environments.
Ensuring your IAM system can support solutions across multiple environments and workloads is essential. This includes implementing IAM throughout the development, testing, operations, and monitoring of applications.
Because there is a wide range of IAM solutions available, enterprises can narrow down their options via the following:
- Conduct an audit of new and legacy systems, especially if you have applications on-premises and in the cloud.
- Identify any security gaps for both internal and external stakeholders.
- Define user types and their specific access rights.
Once you have defined your organization’s security needs, it is time to deploy your IAM solution. You can choose a standalone solution, a managed identity service, or a cloud subscription service, such as Identity as a Service (IDaaS), from a third party.