The critical use of identity and access management (IAM) in cloud platforms
IAM, or identity and access management, is the set of practices administrators follow to identify users and determine what each of them is allowed to do. Think of a gatekeeper at a club holding a list of who may enter, who may not, and who is allowed into the VIP area.
In technical terms, IAM means assigning digital identities and the privileges associated with them. In an organization, IAM is a combination of hardware, software, processes, and cloud services that lets administrators oversee and control which data and other resources individual users can access.
This article covers:
- How is identity defined in computing?
  - Something the user knows
  - Something the user has
  - Something the user is
- What is access management?
- Importance of IAM in cloud computing
- IAM deployment in a hybrid architecture
How is identity defined in computing?
It is not possible to upload and store every characteristic of a person on a computer. In computing, a person's identity means a particular set of properties that are digitally measured and recorded. It is like a passport or ID card: not every fact about a person is recorded there, only items such as a date of birth or unique numbers that make identification easy.
For verification, the computer checks a user against characteristics specific to them, and if they match, the user's identity is confirmed. These unique characteristics are the so-called “authentication factors” that confirm the user is who they claim to be.
The three most used authentication factors are:
Something the user knows
An authentication factor like a username and password is unique to a single user. Suppose a user wants to check their company email from home. First, they have to log in to establish their identity by entering their username and password. The system recognizes the person and allows them to access the email account. This ensures that nobody other than the bona fide user can access the email and compromise company data. Even if someone tries to impersonate the user by entering the username, they will not succeed without knowing the password.
Something the user has
This factor is like a physical token that only authorized users hold. A simple example is the owner of a house, or anyone the owner has given keys to, entering by using those keys. The assumption is that only those who have the key can enter the house. In digital terms, the user holds a physical object such as a smartphone or a USB device. An organization may want to double-check the user's identity with this second authentication factor, because a secret password alone may not be enough to identify the user. The user also has to prove to the system that they hold a physical object nobody else has, such as their smartphone. The system sends a one-time code to the device, and the user types that code to get access to the email account. This confirms that the user possesses the smartphone.
Something the user is
This is another form of authentication factor: a physical attribute of the user, such as their fingerprint or face. Common examples are the Face ID feature offered by many smartphones and fingerprint scanning, with retina scanning a lesser-known option. Multifactor authentication might therefore combine a password, a one-time code, and a fingerprint scan to confirm the user to the email system. In the real world, a person's identity is a complex mix of characteristics, location, history, and other telling factors. In the digital world, the user's identity comprises some of these multiple authentication factors stored in the identity database. Computer systems double-check them for extra security to prevent imposters or hackers who use phishing or brute-force attacks.
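The two digital factors described above (something the user knows, something the user has) can be checked in a few dozen lines. The following is an added example written for this article, not code from the original page or from any particular IAM product. It stores only a salted PBKDF2 hash of the password, generates the one-time code with the HOTP/TOTP construction from RFC 4226 and RFC 6238, and rejects a code that has already been redeemed. The identity store, the user "alice", her password, the fixed salt and the OTP secret (the RFC 4226 test key) are all constructed for the example; a real enrolment would draw the salt from `os.urandom` and the secret from a secure generator. The third factor (biometrics) is left to the device and is not modelled here.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step_seconds: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(now) // step_seconds, digits)


# Constructed identity store. A real IAM deployment keeps this in a directory or
# database; the salt is fixed here only so the example is reproducible, and the
# OTP secret is the RFC 4226 test-vector key (constructed enrolment, not a real one).
OTP_SECRET = b"12345678901234567890"
_SALT = b"constructed-salt"
IDENTITY_STORE = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery", _SALT),
        "otp_secret": OTP_SECRET,
        "last_otp_step": -1,  # highest time step already redeemed, for replay rejection
    }
}


def authenticate(username: str, password: str, code: str, now: Optional[float] = None) -> bool:
    """Check two factors: something the user knows (password) and something the
    user has (the device holding otp_secret). Every failure returns the same
    False so the caller learns nothing about which factor was wrong."""
    now = time.time() if now is None else now
    record = IDENTITY_STORE.get(username)
    if record is None:
        # Still compute a hash so an unknown username costs as much as a wrong password.
        hash_password(password, _SALT)
        return False
    if not hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"]):
        return False
    current = int(now) // 30
    # Accept the current step and the previous one to tolerate small clock drift,
    # but never a step at or below one already redeemed (replay of a captured code).
    for step in (current, current - 1):
        if step <= record["last_otp_step"]:
            continue
        expected = hotp(record["otp_secret"], step).encode("utf-8")
        if hmac.compare_digest(expected, code.encode("utf-8")):
            record["last_otp_step"] = step
            return True
    return False


if __name__ == "__main__":
    # Demo at the RFC 6238 reference time (59 seconds after the epoch, time step 1).
    print(authenticate("alice", "correct horse battery", totp(OTP_SECRET, 59), now=59))
```

Note that the correct password with a stale code, a correct code with the wrong password, and an unknown username all produce the same outcome, and that a code accepted once cannot be presented again even within the drift window.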
What is access management?
Access management means that, once users log in, they can see and use only the resources they are entitled to. For example, once a user logs in to their mail account, they can see only their own mailbox and nobody else's. Identity verification does not mean a user can do anything in the system or network. An employee can access only the data related to their job role. A sales executive has no reason to access a payroll or HR account, whereas an accountant who needs to edit payrolls will be allowed to do so once their identity is verified.
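The sales-versus-accountant distinction above is a policy decision made after authentication. The following added example (written for this article, not taken from the page or from any cloud provider's IAM) evaluates role-based policy statements the way common cloud IAM engines do: every request is denied by default, an Allow in any of the caller's roles grants it, and an explicit Deny overrides any Allow. The roles, users, actions and resource names are all constructed; the `${user}` placeholder, which is replaced by the caller's name so that "employee" reaches only their own mailbox, is a convention chosen for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass(frozen=True)
class Statement:
    """One policy statement: Allow or Deny a set of actions on matching resources."""
    effect: str                  # "Allow" or "Deny"
    actions: Tuple[str, ...]     # glob patterns such as "payroll:*"
    resources: Tuple[str, ...]   # glob patterns; "${user}" is replaced by the caller's name


# Constructed role policies. "employee" limits mail access to the caller's own
# mailbox; only "accountant" reaches payroll; "contractor" carries an explicit
# Deny that overrides any Allow granted by the user's other roles.
ROLE_POLICIES = {
    "employee":   [Statement("Allow", ("mail:Read", "mail:Send"), ("mailbox/${user}",))],
    "sales":      [Statement("Allow", ("crm:*",), ("crm/*",))],
    "accountant": [Statement("Allow", ("payroll:Read", "payroll:Edit"), ("payroll/*",))],
    "contractor": [Statement("Deny", ("payroll:Edit",), ("payroll/*",))],
}

# Constructed users and their role assignments.
USER_ROLES = {
    "sam":  ("employee", "sales"),                    # sales executive
    "ann":  ("employee", "accountant"),               # accountant
    "cory": ("employee", "accountant", "contractor"), # accountant working as a contractor
}

AUDIT_LOG: List[str] = []  # every decision is recorded so denials can be investigated


def _matches(stmt: Statement, action: str, resource: str, user: str) -> bool:
    """True when both the action and the resource match one of the statement's patterns."""
    action_ok = any(fnmatchcase(action, pat) for pat in stmt.actions)
    resource_ok = any(fnmatchcase(resource, pat.replace("${user}", user)) for pat in stmt.resources)
    return action_ok and resource_ok


def is_authorized(user: str, action: str, resource: str) -> bool:
    """Evaluate every statement from every role held by the user.
    Default deny; an explicit Deny wins over any number of Allows."""
    matched = [(role, stmt)
               for role in USER_ROLES.get(user, ())
               for stmt in ROLE_POLICIES.get(role, [])
               if _matches(stmt, action, resource, user)]
    denies = [role for role, stmt in matched if stmt.effect == "Deny"]
    allows = [role for role, stmt in matched if stmt.effect == "Allow"]
    if denies:
        verdict, reason = False, f"explicit Deny via role {denies[0]}"
    elif allows:
        verdict, reason = True, f"Allow via role {allows[0]}"
    else:
        verdict, reason = False, "no matching statement (default deny)"
    AUDIT_LOG.append(f"user={user} action={action} resource={resource} allowed={verdict} ({reason})")
    return verdict


if __name__ == "__main__":
    print(is_authorized("sam", "payroll:Read", "payroll/2024-06"))   # sales cannot read payroll
    print(is_authorized("ann", "payroll:Edit", "payroll/2024-06"))   # accountant can edit it
    print(is_authorized("sam", "mail:Read", "mailbox/ann"))          # only your own mailbox
    print("\n".join(AUDIT_LOG))
```

Each decision is appended to an audit record with the rule that produced it; in practice that record is what an investigator reads to distinguish a misconfigured role from an attempted privilege escalation.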
Importance of IAM in cloud computing
Cloud platforms allow data to be accessed remotely over the internet. Users can be anywhere, including remote locations, and on any device. Cloud services are device and location agnostic. Since the cloud is virtual, it is not confined to the physical perimeter of the organization's network, so the identity of the user becomes critical for controlling access.
In a cloud platform, data is stored on a remote virtual server. An attacker who wants the organization's data does not need to break through a physical barrier or the network perimeter of an on-premises data center, such as by breaking into a building or bribing an employee.
Users log in to the cloud platform through apps or browsers from any remote location. A hacker therefore needs only the identity credentials of a user, such as a username and password, and an internet connection; they no longer have to deal with a physical network perimeter.
IAM prevents the identity-based attacks and data breaches that typically happen when unauthorized users gain privileged access to sensitive data. IAM is essential for cloud-based services and remote teams.
IAM deployment in a hybrid architecture
IAM is predominant in cloud services: users have to pass through the cloud service's identity check before reaching the rest of the organization's cloud infrastructure. IAM can equally be used on an organization's physical internal network.
Many external service providers who offer cloud services also bundle IAM services. Some organizations use multi-cloud or hybrid services, and many keep IAM as a separate service for flexibility and better control: if the organization changes cloud vendor, the IAM service is not affected and protection continues without interruption. Vendors also offer IDaaS, or Identity-as-a-Service, a cloud-based service that verifies identities. Depending on the vendor's capabilities, IDaaS can be the whole of the IAM system or just part of it.