Why Identity & Access Management (IAM) must be your primary security layer

A layered approach to cybersecurity is not just best practice: it’s essential. But as threats evolve, what should be your primary layer for defending against attackers?

When you think about it, layering your cybersecurity defences makes perfect sense. If a threat actor manages to breach one layer, other obstacles will still need to be cleared before they can reach your data.

Less obvious is what those layers should be.

The modern cybersecurity stack

The Open Systems Interconnection (OSI) model describes networking, not security, as seven layers: physical, data link, network, transport, session, presentation and application. It is an old model, but it still frames how many organisations think about where their controls sit.

Then there’s the more internet-oriented TCP/IP (Transmission Control Protocol/Internet Protocol) model. It is usually drawn with four layers (network access, internet, transport and application), or five when the physical layer is broken out separately.

Today’s security practitioners describe a different stack, one of controls rather than protocols. They will often break it down into human, perimeter, network, endpoint, application, data and mission-critical assets.

Humans are the foundational layer of every security stack

Whichever model you use, the bottom layer is the most critical to get right. It is, after all, the foundation upon which the rest of your security architecture is built.

In the network models that bottom layer is physical; in the security stack it is human. Be it stolen or leaked credentials, social engineering, or malware delivered through a phishing lure, cybercriminals most commonly exploit the human layer to begin an attack.

Which is where identity & access management (IAM) enters for the defence.

Why IAM defines your security posture

Although more workers are returning to the office after the pandemic lockdowns, remote working remains popular and hybrid work models are increasingly common. Now add the many internet of things (IoT) devices, applications and third parties that require access to your networks and data, each of them an identity that has to be managed.

The case for IAM as your primary security layer is pretty much carved in stone. If you need more convincing, the 2022 Trends in Securing Digital Identities report from the Identity Defined Security Alliance found that more than 80% of enterprises surveyed had suffered an identity-related breach in the preceding year.

What is IAM?

Identity & access management is an umbrella term. It encompasses many different aspects to achieve the end goal of the right people (or devices) accessing the right resources at the right time and for the right reasons.

IAM is a framework, if you like, that enforces policy through defined processes using the right tools for the job.

Consider an employee who has been granted permissions that aren’t essential to their role. Every one of those permissions becomes the attacker’s the moment that account is compromised. In the worst case, that could be enough to close the business.

Now consider what happens when you implement a (largely automated) IAM workflow, the joiner, mover, leaver lifecycle. Here, the user is granted only the access that matches their role and context, access is adjusted rather than accumulated when their role changes, and all access is withdrawn when they leave employment.

It’s the ability to assign access permissions within context, taking into account both policy and workflow, that makes IAM a security and efficiency win. Replace “employee” with devices, application programming interfaces or third-party contractors, and you start to see the value.

Component parts of an IAM solution

There’s a reason why the security industry talks about IAM as a bonded pair and not identity management and access management in isolation. One without the other is doomed to fail.

However, it’s vital to note that they answer different questions: identity management asks “who are you?” (authentication) and access management asks “what are you allowed to do?” (authorisation). Don’t lose track of their combined importance, or of the fact that they have to communicate with each other to work effectively: an authorisation decision is only as good as the authentication it trusts.

The exact component parts of an IAM solution will, as always, vary from vendor to vendor, as well as being dependent on organisational needs. However, everything revolves around authentication and authorisation, which are the mandatory foundation stones.

What we mean by authentication

Identity management verifies every attempted login, be it human or device-originated, by checking the presented credential against the identity store. This is the authentication process, and the identity store has to be a dynamic thing that changes as people (or devices) join, leave or have their roles updated. A stale record is a standing invitation to misuse.

Most identity management systems now also add multi-factor authentication (MFA, or two-factor authentication, 2FA, when exactly two factors are used): something the user has or is, on top of the password they know. This may be a one-time code from an authenticator app, biometric identification or a hardware security key. The factors are not equal, though: a code sent by SMS or typed into a web page can be phished and relayed by an attacker in real time, whereas a FIDO2 hardware key binds the credential to the site’s origin and resists that attack.

Such strict authentication would impact workflow, and therefore productivity, if repeated multiple times across the day. That’s why single sign-on (SSO) lets a user authenticate securely once and then reach all the resources they are entitled to without logging in each time. The trade-off is that the SSO session becomes the one token worth stealing, so its lifetime, its binding to the device and step-up re-authentication for sensitive actions deserve as much attention as the initial login.

What we mean by authorisation

Access management brings authorisation to the IAM table. This checks which resources, and what data, the now authenticated user has permission to access. Such permissions are defined by policy and change over time, but this contextual granting of access is key to a successful IAM implementation.

Defining access granularity, the roles and attributes, is the area where IAM is most often weakened in practice. The principle of least privilege should always be applied, so that data and resources such as applications and networks are accessible only to those who really need them, and the default answer is deny.

Too broad a sweep of permissions is dangerous and leaves the door to “privilege creep” wide open: permissions accumulate as people change roles and nobody removes the old ones, until an account can reach resources its current job never needed. That is what lets an attacker with one compromised account traverse a network with relative ease. Conversely, make the permissions too narrow and productivity suffers, and users start inventing workarounds.
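The following is an added example, not code from the article or any IAM product, that turns the joiner, mover, leaver workflow described earlier and the least-privilege and privilege-creep points above into a small deny-by-default policy evaluator. The role catalogue, the rule that write actions need a managed device, and the one-hour step-up window for the ledger are all constructed assumptions for the example. It shows role-based grants combined with contextual (attribute) checks, a mover operation that replaces rather than accumulates access, a leaver operation that withdraws everything at once, and an audit that lists direct grants no current role justifies.

```python
from dataclasses import dataclass, field

# Constructed role catalogue (an assumption for the example, not from the article).
# Least privilege: every permission is justified by a role; nothing is implicit.
ROLE_PERMISSIONS = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance": {"ledger:read", "ledger:write"},
    "support": {"tickets:read", "tickets:write", "customer:read"},
}

# Resources that require a recent MFA event (step-up); value is the maximum age in seconds.
STEP_UP_RESOURCES = {"ledger": 3600}


@dataclass
class Identity:
    name: str
    roles: set = field(default_factory=set)
    direct_grants: set = field(default_factory=set)  # ad hoc grants made outside any role
    active: bool = True


def effective_permissions(identity: Identity) -> set:
    """Union of role permissions plus direct grants; nothing for a deprovisioned identity."""
    if not identity.active:
        return set()
    perms = set()
    for role in identity.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms | identity.direct_grants


def authorize(identity: Identity, permission: str, context: dict) -> tuple:
    """Deny by default: the grant decides, and request context can only restrict further."""
    if not identity.active:
        return False, "identity deprovisioned"
    if permission not in effective_permissions(identity):
        return False, "permission not granted"
    resource, _, action = permission.partition(":")
    if action == "write" and not context.get("managed_device", False):
        return False, "write actions require a managed device"
    max_age = STEP_UP_RESOURCES.get(resource)
    if max_age is not None and context.get("mfa_age_s", float("inf")) > max_age:
        return False, "step-up authentication required"
    return True, "allowed"


def mover(identity: Identity, new_roles: set) -> None:
    """Role change replaces the old roles and clears ad hoc grants instead of accumulating them."""
    identity.roles = set(new_roles)
    identity.direct_grants = set()


def leaver(identity: Identity) -> None:
    """Deprovision: every access path is withdrawn at once."""
    identity.active = False


def privilege_creep_report(identities: list) -> dict:
    """Direct grants that no current role justifies, per active identity (empty means clean)."""
    report = {}
    for ident in identities:
        if not ident.active:
            continue
        justified = set()
        for role in ident.roles:
            justified |= ROLE_PERMISSIONS.get(role, set())
        excess = ident.direct_grants - justified
        if excess:
            report[ident.name] = excess
    return report


if __name__ == "__main__":
    # Constructed identity: an engineer still holding a ledger grant from an old project.
    alice = Identity("alice", {"engineer"}, {"ledger:read"})
    print(authorize(alice, "repo:write", {"managed_device": True}))
    print(privilege_creep_report([alice]))  # {'alice': {'ledger:read'}}
    mover(alice, {"finance"})
    print(effective_permissions(alice))
    leaver(alice)
    print(authorize(alice, "ledger:read", {"managed_device": True, "mfa_age_s": 1}))
```

Running the creep report on a schedule, and treating any non-empty result as a ticket for the access owner, is the cheapest control against the accumulation the paragraph above describes.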

What you need to do

Remember, attackers look to compromise identity in order to gain initial access to resources and data. The human layer is the one most at risk: social engineering of people, and malware-infected devices, are the attack enablers.

But you can’t rush in. Organisations must get their houses in order before embarking on an IAM implementation. Without the proper planning up-front, an IAM implementation is unlikely to go smoothly.

That’s why you need to follow these four steps first:

Four steps to success

  • Define your authentication and authorisation policies before you choose any tooling: who may access what, under which conditions, and who approves changes. 
  • Get the identity data in order. Identity databases must be up to date and maintained through a standardised joiner, mover, leaver process, because an IAM system can only enforce what it knows. 
  • Choose your IAM vendor, which could be an on-premise or cloud-based solution, with great care. Read white papers, do your research. 
  • Don’t overlook integration with existing infrastructure, and implement in stages rather than organisation-wide initially, so that any issues are ironed out before they affect everyone. 
Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.