
Cloud identity and access management

Identity and Access Management (IAM) is an established part of IT. IAM is about controlling who has access to which digital assets. As more computing moves into the cloud, IAM takes on greater importance. Cloud identity and access management is comparable to the traditional IAM used on-premises, but with a few key differences. Given the close connection between IAM and Governance, Risk Management and Compliance (GRC), it is worth understanding how cloud IAM works.

Basic Identity and Access Management Concepts

What is IAM? The term contains two related but distinct ideas. Identity refers to who a user is. Access management is about which digital assets he or she may use. Implied in this construct is the idea that different users may (and usually should) have different levels of access. Some users might be able to access absolutely anything; others will be more restricted.

Digital identity

Digital identity is the key concept in IAM. You have an identity as a human being. This comprises your name and identifying data, such as your birthday and government identifiers like a driver’s license or social security number. There may be more than one person named John Smith in the United States, for instance, but there is only one John Smith with a particular social security number and a particular birthday. By combining these separate identity factors, you arrive at a unique, natural identity for John Smith.

The digital identity is an extension of the natural identity. Being John Smith, even with all of his identifying factors, isn’t enough to get John permission to log onto your corporate network and access your SAP ERP suite. For this, John will need a digital identity. John’s digital identity adds unique digital identifiers, such as a user ID number and a user role definition to his profile.

The IAM system

An IAM system is a specially designed piece of software that enables IT managers to control user access to digital assets. Such systems are almost always built on top of a directory such as Microsoft Active Directory. The directory is the definitive list of who’s who, and of who is allowed to do what, in the IT estate. The most common way to assign access privileges is by role. Most IAM tools let you assign access rights one user at a time, but this is inefficient and error-prone: rights pile up as people change jobs and nobody removes the old ones. Role-based access control, in contrast, attaches rights to roles and users to roles, so granting or revoking a role updates every right that goes with it.

Authentication vs. authorization

Authentication means establishing that a user is who he or she claims to be. If John Smith wants to log into the network, how do we know it is really our John Smith, the one listed in Active Directory? Usually we authenticate with a username and password combination. This is not ideal, because such credentials can be stolen, guessed or phished. That is why extra authentication steps, described in a moment, are added. Authorization, authentication’s twin in the world of IAM, deals with which digital assets an authenticated user is permitted to use and what they may do with them. The two are separate decisions: a successful login proves identity but, by itself, grants nothing.
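The two decisions described above, as an added example (not code from this page or from Symmetry): a tiny directory with salted password hashes, an authenticate step that only establishes identity, and a separate authorize step that consults the user's roles and denies by default. All usernames, passwords, roles and permissions are constructed sample data.

```python
"""Authentication, then authorization: a minimal role-based access check.

Added example for this page, not the page's or Symmetry's own code.
The directory, users, passwords and role definitions are constructed sample
data; the point is the separation of the two decisions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

PBKDF2_ROUNDS = 100_000  # work factor for the password hash


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256.

    The directory stores the salt and digest, never the password itself.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass(frozen=True)
class User:
    """A digital identity: a unique user ID plus the roles assigned to it."""
    username: str
    salt: bytes
    pw_hash: bytes
    roles: FrozenSet[str]


# Access rights are attached to roles, not to individual users (constructed).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "ap_clerk":   frozenset({"invoice:read", "invoice:create"}),
    "ap_manager": frozenset({"invoice:read", "invoice:approve", "payment:run"}),
    "it_admin":   frozenset({"user:create", "user:delete", "config:write"}),
}


def make_user(username: str, password: str, roles) -> User:
    salt, digest = hash_password(password)
    return User(username, salt, digest, frozenset(roles))


# The directory: the definitive list of who's who (constructed sample users).
DIRECTORY: Dict[str, User] = {
    u.username: u
    for u in (
        make_user("jsmith", "correct horse battery staple", ["ap_clerk"]),
        make_user("mjones", "Winter2024!pass", ["ap_manager"]),
        make_user("admin1", "hunter2-but-much-longer", ["it_admin"]),
    )
}

# Fixed dummy salt so an unknown username costs the same time as a known one.
_DUMMY_SALT = b"\x00" * 16


def authenticate(username: str, password: str) -> Optional[User]:
    """Step 1: is this really the John Smith in our directory?

    Returns the User on success and None otherwise. Uses a constant-time
    comparison so response timing does not reveal how much of the hash matched.
    An unknown user and a wrong password are indistinguishable to the caller.
    """
    user = DIRECTORY.get(username)
    if user is None:
        hash_password(password, _DUMMY_SALT)  # burn the same CPU as a real check
        return None
    _, candidate = hash_password(password, user.salt)
    return user if hmac.compare_digest(candidate, user.pw_hash) else None


def permissions_for(user: User) -> FrozenSet[str]:
    """Union of the permissions granted by each of the user's roles."""
    return frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in user.roles))


def authorize(user: User, permission: str) -> bool:
    """Step 2: decide what an already-authenticated user may do.

    Deny by default: only an explicit grant through a role returns True.
    """
    return permission in permissions_for(user)


def access(username: str, password: str, permission: str) -> str:
    """The full flow: authenticate first, then authorize. Returns a verdict string."""
    user = authenticate(username, password)
    if user is None:
        return "denied: authentication failed"
    if not authorize(user, permission):
        return f"denied: {username} is not authorized for {permission}"
    return f"allowed: {username} -> {permission}"


if __name__ == "__main__":
    print(access("jsmith", "wrong password", "invoice:read"))
    print(access("jsmith", "correct horse battery staple", "invoice:read"))
    # A correct login still does not grant rights outside the user's role.
    print(access("jsmith", "correct horse battery staple", "payment:run"))
```

Note that `access()` never consults the permission table until authentication has succeeded, and a valid login for jsmith still yields a denial for `payment:run`, which only the `ap_manager` role carries.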

Privileged access

A privileged user is someone authorized to access the administrative back end of a system or piece of infrastructure. Such a user can typically read all of the data on the system, create or delete accounts, change configurations and more. For this reason, privileged users are controlled more tightly. Usually they are managed through a separate Privileged Access Management (PAM) solution, which adds controls such as time-limited, checked-out credentials and recording of administrative sessions. Most PAM solutions integrate with the IAM system, which holds the master directory; privileged users are a subset of all users.

Single Sign-On (SSO)

IAM systems usually enable single sign-on (SSO). This is probably a familiar experience for anyone who has worked in a large company. You log in once. From there, the IAM system signs you into all systems you are authorized to use. You don’t have to sign in separately for email, file shares and so forth. Because one login now unlocks everything, the SSO identity provider becomes the most valuable target in the environment, which is one reason the stronger authentication described next matters.

Multi-Factor Authentication (MFA)

When John Smith logs into the corporate network with his username and password, the IAM system relies on just those two pieces of information to authenticate him. In today’s world, this is not a robust way to protect digital assets from threats. To improve security, many organizations require additional authentication factors drawn from different categories: something the user knows (the password), something the user has (a phone or hardware token that generates a one-time code, or that receives one by SMS text message), and something the user is (a biometric identifier such as a fingerprint). A PIN or secret passphrase is another thing the user knows, so on its own it does not add a second factor. SMS codes do count as a second factor, but they are the weakest form of one, since messages can be intercepted or diverted. With multi-factor authentication (MFA), the likelihood is much higher that someone claiming to be John Smith is actually our John Smith and not a malicious actor.

What’s Different about Identity and Access Management in Cloud Computing?

IAM is arguably even more of a necessity in the cloud than on-premises. Cloud computing puts digital assets into remote data centers that you do not control. In functional terms, IAM is not all that different in the cloud from a conventional setting. However, a number of distinctions show how cloud identity and access management presents its fair share of challenges:

  • The cloud is like a second, totally independent network and data center – If your IAM is set up to authenticate and authorize users on a single, on-premises network, the cloud introduces a totally separate zone of potential access. An IAM system for cloud computing needs to span the corporate premises (including any co-location facilities) as well as the cloud.
  • Users of cloud assets can be anywhere – Location is a useful contextual signal for authentication. If John Smith is logging in to the network from his desk at the office, you don’t have to ask where he is. You know where he is. Your policy may require remote users to connect through a Virtual Private Network (VPN) before they can log on to the network. With the cloud, though, unless you set up a clear access policy and a cloud identity and access management system, a malicious actor could attempt to log in from anywhere in the world. Given that many malicious actors operate from abroad, this widens the exposure considerably.
  • The cloud uses a shared responsibility model – In almost every cloud service agreement, the cloud provider (such as Microsoft Azure or AWS) is responsible for securing the cloud infrastructure itself: the physical data centers, the hardware and the hypervisors. The client, meaning you, is responsible for security in the cloud, and access control is the largest part of that. You have to manage your own cloud identity and access management; the provider will not do it for you.
  • Cloud users may not even be people – Today, many “users” are other machines: applications, services and automated jobs calling one another. Machine-to-machine transactions are common, such as when you log into your banking app and it then retrieves data from your insurance company on your behalf. To the insurance company, the caller is the app, not you. The IAM system must therefore manage non-human identities, their credentials (service accounts, API keys, certificates) and their permissions, just as it does for people. This is true on-premises as well, but the cloud multiplies the number of such identities and makes them harder to keep track of.
  • Cloud and on-premises systems blend in hybrid architectures – Most cloud architectures today span on-premises and cloud-based instances of software and data. It’s also quite common for a company to use more than one cloud, a practice known as multi-cloud. Your IAM system must be able to track users as they move between clouds and on-premises instances with SSO. The same applies to organizations that split their applications between on-premises installations and software-as-a-service (SaaS) solutions.

The role of cloud identity and access management in GRC

GRC activities, especially Segregation of Duties (SoD), rely on sound cloud identity and access management. If you don’t know who is accessing your systems and data, it’s nearly impossible to control them and ensure the integrity you need for security and compliance. With SoD, for example, where it’s essential to know which user role can perform a given transaction, you absolutely must be on top of identity, authentication and authorization. A SoD conflict arises when one person, through one role or a combination of roles, can perform both halves of a transaction that should require two people, such as creating a vendor and releasing payments to it. As critical systems like SAP move into the cloud, or partly into the cloud, IAM must keep up in order to maintain strong SoD and comparable controls.
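How an SoD check actually works over role data, as an added example that is not ControlPanelGRC code: a small rule set of conflicting action pairs, a role-to-action matrix and a user-to-role matrix, and two reports, one for roles that are toxic on their own and one for users whose combination of roles creates a conflict, naming the roles responsible. The action names, roles, users and rules are constructed; a real rule set would reference the organization's own transaction catalogue.

```python
"""Finding Segregation of Duties (SoD) conflicts from role assignments.

Added example for this page; it is not ControlPanelGRC code. The roles,
action names, users and conflict rules are constructed for illustration
(a real rule set would reference the organisation's own transaction codes).
"""
from __future__ import annotations

from typing import Dict, FrozenSet, List, Tuple

# Each rule names two actions that one person must not be able to perform both of.
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "vendor-payment": ("vendor:create", "payment:run"),
    "po-receipt":     ("purchase_order:create", "goods_receipt:post"),
    "user-admin":     ("user:create", "role:assign"),
}

# What each role can do (constructed).
ROLE_ACTIONS: Dict[str, FrozenSet[str]] = {
    "ap_clerk":      frozenset({"invoice:enter", "vendor:create"}),
    "ap_manager":    frozenset({"invoice:approve", "payment:run"}),
    "buyer":         frozenset({"purchase_order:create"}),
    "warehouse":     frozenset({"goods_receipt:post"}),
    "super_finance": frozenset({"vendor:create", "payment:run", "invoice:approve"}),
    "helpdesk":      frozenset({"user:create"}),
}

# Who holds which roles (constructed).
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "jsmith":  frozenset({"ap_clerk"}),
    "mjones":  frozenset({"ap_manager"}),
    "ptaylor": frozenset({"ap_clerk", "ap_manager"}),   # conflict across two roles
    "rlee":    frozenset({"super_finance"}),            # conflict inside one role
    "kwong":   frozenset({"buyer", "helpdesk"}),        # no conflict
}


def effective_actions(roles, role_actions=ROLE_ACTIONS) -> FrozenSet[str]:
    """Everything a holder of these roles can do, taken together."""
    return frozenset().union(*(role_actions.get(r, frozenset()) for r in roles))


def violated_rules(actions, rules=SOD_RULES) -> List[str]:
    """Rule ids for which both conflicting actions are present in `actions`."""
    return sorted(rid for rid, (a, b) in rules.items() if a in actions and b in actions)


def toxic_roles(role_actions=ROLE_ACTIONS, rules=SOD_RULES) -> Dict[str, List[str]]:
    """Roles that violate a rule by themselves.

    These have to be redesigned; no amount of careful user assignment fixes them.
    """
    found: Dict[str, List[str]] = {}
    for role, acts in role_actions.items():
        hits = violated_rules(acts, rules)
        if hits:
            found[role] = hits
    return found


def user_violations(user_roles=USER_ROLES, role_actions=ROLE_ACTIONS,
                    rules=SOD_RULES) -> Dict[str, Dict[str, List[str]]]:
    """For each user with a violation: {rule id: roles contributing a side}.

    Naming the contributing roles is what lets an auditor decide whether to
    remove a role from the user or split a role that grants both sides itself.
    """
    report: Dict[str, Dict[str, List[str]]] = {}
    for user, roles in user_roles.items():
        per_rule: Dict[str, List[str]] = {}
        for rid, (a, b) in rules.items():
            roles_a = {r for r in roles if a in role_actions.get(r, frozenset())}
            roles_b = {r for r in roles if b in role_actions.get(r, frozenset())}
            if roles_a and roles_b:
                per_rule[rid] = sorted(roles_a | roles_b)
        if per_rule:
            report[user] = per_rule
    return report


if __name__ == "__main__":
    print("toxic roles:", toxic_roles())
    for user, rules in user_violations().items():
        for rid, roles in rules.items():
            print(f"{user}: rule {rid} via roles {', '.join(roles)}")
```

Run as-is, the report flags `super_finance` as toxic in its own right, `rlee` through that single role, and `ptaylor` through the combination of `ap_clerk` and `ap_manager`; the individually clean users are not listed. The same two functions, fed the real role and assignment exports, are the core of continuous SoD monitoring.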

The Symmetry GRC IAM solution

Symmetry’s ControlPanelGRC meets cloud IAM challenges with its Access Controls Suite. This suite offers an intuitive user interface and easy-to-read reports. It provides the integrated approach you need to identify and assess IAM control failures, potential failures and SoD conflicts. The suite prevents individuals from being granted access broader than their role dictates, and it provides continuous monitoring of access risk and SoD violations.

Symmetry delivers fast deployment for ControlPanelGRC, backed by proven support and managed services. We are proud of our industry-leading Net Promoter Score as well as of our 23+ years managing SAP systems. Working with us means that your ControlPanelGRC implementation will not only be successful, but that your time to value and audit readiness will be greatly accelerated.

Talk to Symmetry to learn more about ControlPanelGRC and its Access Controls Suite for identity management and access control in the cloud.

Jon Perry, Sr. SAP Security Consultant

Jon Perry is a Senior SAP Security/GRC Consultant focused on the SAP Security and Controls Practice at Symmetry. With 25+ years of hands-on SAP Security Administration experience, he has focused on implementing and supporting GRC solutions for over 15 years. Starting out as a functional user of SAP, Jon has working knowledge of Material Management, Procurement, Distribution, Human Resources, and Finance and has supported all modules and platforms of SAP including the latest versions of HANA and Fiori (as well as many Java-based SAP solutions). Jon is results-driven and always striving to implement the best solutions for clients, meeting deadlines and requirements with a focus on automation and risk reduction.