Abstract
An IAM system is capable of establishing identities, issuing access roles, rules, and policies, and assigning user privileges based on their credentials. In the case of ATN, it is used for managing the process of authentication and oversight of control rules and policies. In addition, the system can mitigate a range of threats. Finally, it provides the possibility to systematize unstructured data.
Main Body
Data breaches are increasingly difficult to avoid at the enterprise level. One possible way of mitigating the risk is an identity and access management (IAM) system. The following essay describes the IAM system leveraged in the cloud-based solution used by ATN.
The complexity of the IT landscape of the telecommunications provider ATN has prompted an attempt to move to a cloud-based service. The move was expected to minimize expenses associated with the management of a highly heterogeneous portfolio of legacy applications accumulated in several corporate acquisitions. In addition, it made the application consolidation process easier and more comprehensive.
After several low-risk applications had been successfully moved to a platform-as-a-service environment, ATN created several identities in order to give users access to services. At that point its consultants, CloudEnhance, suggested launching a pilot identity and access management (IAM) system to meet the need for cloud-based identities. The IAM system in question manages security boundaries within the cloud environment. The identities created for this purpose differ from the legacy on-premises identities, which were governed by the company's internal security policies.
The identity and access management system used as part of ATN's cloud-based solution controls the access to and use of sensitive information by stakeholders. The system is managed by administrators and uses a role-based access control (RBAC) model, in which rights and permissions are determined by the roles that service consumers hold within the hierarchy (Khansa & Zobel, 2014). The system grants access to different components of the service, including operating systems, data storage locations, resources, and environments.
The IAM system in question consists of four key elements. First, it includes a component responsible for authenticating users to the system. Depending on the type of platform used for internet access, authentication can rely on different factors, including username and password pairs, digital certificates and signatures, IP and MAC address registration, voice recognition software, and biometric data, among others (Peer, Bule, Gros, & Struc, 2013). In most cases, biometric data will be the preferred method for mobile users, whereas username and password pairs will remain more common on desktop computers.
The second element is an authorization mechanism, which manages rules of access control and monitors interactions between security policies and authorizations issued to different users. The third element performs a range of administrative functions, including generation and storage of user accounts, creation and management of user groups, and management of authentication information. Finally, the fourth element uses consumer identities to manage access control policies and reduce the occurrence of insufficient authorizations.
As can be seen, the IAM system in question is capable of establishing identities, issuing access roles, rules, and policies, and assigning user privileges based on their credentials. Such a system allows for the minimization of threats such as denial-of-service attacks, conflicting trust boundaries, and insufficient authorization. In a typical scenario of IAM system operation, a user decides to access service features and enters their credentials.
The authentication element verifies the credentials for consistency. To complete the operation, the user's attributes are compared against those of the environment and the resource. Most likely, at this point, the data is replicated to an on-premises database managed by the cloud response administrator. Once the user's identity is established, the authorization element assigns the respective permissions, enabling logical access to the cloud-based service. At the same time, the IAM data is synchronized with the on-premises storage.
The efficiency of the described procedure comes from full automation of the process. In the optimal scenario, access control is performed entirely on the basis of data obtained during authentication. It is important to note that while the IAM system's tasks include logging consumer access to data, the control of access itself is handled by a separate mechanism.
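To make the four elements and the access scenario concrete, the following is an added illustration written for this essay; it is not code from ATN, CloudEnhance, or any of the vendors named below, and the in-memory store, the user names, passwords, group names, resource names, and attribute values are all constructed for the example. It models the administration element (accounts, groups, roles), the authentication element (salted PBKDF2 password verification with constant-time comparison), the RBAC authorization element (permissions derived from group-to-role mappings), the policy element (user attributes compared against resource requirements), and an audit log of every decision.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # hypothetical work factor for the example


@dataclass
class User:
    """Account record held by the administration element."""
    name: str
    salt: bytes
    pw_hash: bytes
    groups: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)  # e.g. {"department": "finance"}


class IAM:
    """Toy IAM combining the four elements described in the essay (constructed example)."""

    def __init__(self):
        self.users = {}           # username -> User
        self.group_roles = {}     # group -> set of role names
        self.role_perms = {}      # role -> set of (action, resource) pairs
        self.resource_attrs = {}  # resource -> attributes a user must carry
        self.audit_log = []       # (user, action, resource, decision) records

    # --- Administration element: accounts, groups, roles, resources ---
    def create_user(self, name, password, groups=(), **attributes):
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[name] = User(name, salt, pw_hash, set(groups), dict(attributes))

    def define_role(self, role, permissions):
        self.role_perms[role] = set(permissions)

    def assign_role(self, group, role):
        self.group_roles.setdefault(group, set()).add(role)

    def register_resource(self, resource, **required_attrs):
        self.resource_attrs[resource] = required_attrs

    # --- Authentication element: verify the submitted credentials ---
    def authenticate(self, name, password):
        user = self.users.get(name)
        if user is None:
            # Run the same hash for unknown accounts so response time does not
            # reveal whether the username exists.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
        return user if hmac.compare_digest(candidate, user.pw_hash) else None

    # --- Authorization element (RBAC): permissions flow from group -> role -> permission ---
    def permissions_for(self, user):
        perms = set()
        for group in user.groups:
            for role in self.group_roles.get(group, ()):
                perms |= self.role_perms.get(role, set())
        return perms

    # --- Policy element: compare user attributes against the resource's requirements ---
    def policy_allows(self, user, resource):
        required = self.resource_attrs.get(resource, {})
        return all(user.attributes.get(k) == v for k, v in required.items())

    # --- Full access decision, with every outcome written to the audit log ---
    def access(self, name, password, action, resource):
        user = self.authenticate(name, password)
        if user is None:
            decision = "deny:authentication_failed"
        elif (action, resource) not in self.permissions_for(user):
            decision = "deny:no_role_permission"
        elif not self.policy_allows(user, resource):
            decision = "deny:policy_mismatch"
        else:
            decision = "allow"
        self.audit_log.append((name, action, resource, decision))
        return decision


def build_demo():
    """Populate the store with constructed sample roles, users and one resource."""
    iam = IAM()
    iam.define_role("storage-reader", [("read", "billing-bucket")])
    iam.define_role("storage-admin", [("read", "billing-bucket"), ("write", "billing-bucket")])
    iam.assign_role("finance", "storage-reader")
    iam.assign_role("ops", "storage-admin")
    iam.register_resource("billing-bucket", department="finance")
    iam.create_user("alice", "correct horse", groups=["finance"], department="finance")
    iam.create_user("bob", "battery staple", groups=["ops"], department="operations")
    return iam


if __name__ == "__main__":
    demo = build_demo()
    print(demo.access("alice", "correct horse", "read", "billing-bucket"))   # allow
    print(demo.access("bob", "battery staple", "write", "billing-bucket"))  # deny:policy_mismatch
```

The ordering in `access` mirrors the scenario above: identity is established first, role permissions are resolved second, and the attribute comparison against the resource runs last. Note that `bob` holds a role that permits writing, yet is denied because his department attribute does not match the resource's requirement, which is the kind of "insufficient authorization" the policy element is meant to catch; every decision, allowed or denied, lands in the audit log regardless of where access is ultimately enforced.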
Currently, a number of commercial vendors offer products with IAM functionality. These include Hitachi ID Systems, iWelcome, Avatier, Centrify, ForgeRock, Dell, Oracle, and Microsoft Azure AD, among others. These products are compatible with different platforms and environments, which ensures a high degree of uniformity in security practices across the organization. In addition, they are capable of creating a risk profile of a user based on a number of factors, which addresses the threats introduced by a Bring Your Own Device (BYOD) policy (Marshall, 2014). Finally, they can log the activities occurring within unstructured enterprise data, which is highly beneficial for ATN.
As can be seen, the IAM system offers a number of advantages in organizing and managing the process of authentication and oversight of control rules and policies. In addition, the system is capable of mitigating a range of threats. Finally, it provides the possibility to systematize unstructured data, which is especially relevant for a heterogeneous enterprise such as ATN.
References
Khansa, L., & Zobel, C. W. (2014). Assessing innovations in cloud security. Journal of Computer Information Systems, 54(3), 45-56.
Marshall, S. (2014). IT consumerization: A case study of BYOD in a healthcare setting. Technology Innovation Management Review, 4(3), 14-18.
Peer, P., Bule, J., Gros, J. Z., & Struc, V. (2013). Building cloud-based biometric services. Informatica, 37(2), 115-122.