Every website, every app, every online service with a login functionality needs to allow its users to authenticate themselves and must assign them rights and privileges: decide what those users can do, what data they can read, write, modify, and delete.
This is what Identity and Access Management (IAM) is all about.
Why Identity & Access Management (IAM) Matters: If It Fails, Everything Falls Apart
We have all seen the hacker set-pieces in the movies: the hacker, trying to access a computer system, uses the name or handle of a person they pretend to be, then "guesses" the password, and voila: they are in. A little later, they may need to get elevated privileges or find a user with more privileges on the system they are trying to control.
This may only be a movie, but it shows why IAM is so important: if it fails, things fall apart, and catastrophically so. Users can steal, delete, or create new identities. And they can do things they should not be able to do: access trade secrets, change records, plant logic bombs. Or, most often, just buy stuff on someone else's account.
IAM is the real access point to everything that can be done with a system, to all the data that is stored, to all the actions that are possible. It is like a house key plus code for the alarm system: if the IAM is not working, the whole system or platform is wide open.
What Identity and Access Management (IAM) Must Do
IAM is a broad and not very precisely defined term. Therefore, other terms are often used that mean the same thing as Identity and Access Management, or IAM for short, such as "authentication solution" or "user management". There are also sub-categories: Customer Identity and Access Management, for example, consists of the services that are particularly important for consumer-facing websites with a login, while an enterprise solution might be directed inwards to an organization's intranet.
However, here are some things that any solution should be able to do:
- Must be centralized, seamlessly connecting multiple resources and subsystems.
- Support single sign-on: Users should be able to access multiple subsystems with a single identity.
- Must reliably authenticate users and should support advanced authentication methods (e.g., multi-factor) for users with advanced access rights.
- Must provide convenient self-service mechanisms for users (e.g., changing passwords).
- Should provide role-based access rights: access rights should not have to be tailor-made every time, but pre-defined on a least-privilege/need-to-know basis.
- Should be able to map complex sets of access rules that exist in the organization or on the platform.
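The role-based, least-privilege requirement above can be made concrete with a small access check. The following Python sketch is an added illustration, not code from the original article or from Engity: roles are pre-defined once and assigned to users, every permission not granted by a role is denied by default, and a few sensitive permissions additionally require a multi-factor-verified session. The role names, permission strings and the set of MFA-gated permissions are constructed examples.

```python
"""Minimal role-based access control (RBAC) check with deny-by-default.

Added illustration only (not Engity's code). Role and permission names,
and the MFA rule, are constructed assumptions for the example.
"""
from dataclasses import dataclass

# Pre-defined roles: rights are granted per role, never tailored per user.
# Each role carries only what that kind of user needs (least privilege).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "viewer": frozenset({"record:read"}),
    "editor": frozenset({"record:read", "record:write"}),
    "admin": frozenset({"record:read", "record:write",
                        "record:delete", "user:manage"}),
}

# Permissions that may only be exercised from a session that completed
# multi-factor authentication (the "advanced access rights" case).
MFA_REQUIRED: frozenset[str] = frozenset({"record:delete", "user:manage"})


@dataclass(frozen=True)
class Session:
    """What the IAM service knows about an authenticated user."""
    user: str
    roles: tuple[str, ...]
    mfa_verified: bool = False


def effective_permissions(roles: tuple[str, ...]) -> frozenset[str]:
    """Union of the permissions of all assigned roles.

    A role that is not defined grants nothing, rather than raising, so a
    typo in a role assignment can only reduce access, never widen it.
    """
    perms: set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def check_access(session: Session, permission: str) -> tuple[bool, str]:
    """Return (allowed, reason). The reason string is meant for audit logs."""
    if permission not in effective_permissions(session.roles):
        return False, "permission not granted by any assigned role"
    if permission in MFA_REQUIRED and not session.mfa_verified:
        return False, "permission requires an MFA-verified session"
    return True, "granted by role"


def is_allowed(session: Session, permission: str) -> bool:
    """Boolean convenience wrapper around check_access()."""
    return check_access(session, permission)[0]


if __name__ == "__main__":
    # Constructed sample sessions.
    samples = [
        (Session("alice", ("viewer",)), "record:read"),
        (Session("alice", ("viewer",)), "record:write"),
        (Session("bob", ("admin",)), "record:delete"),
        (Session("bob", ("admin",), mfa_verified=True), "record:delete"),
        (Session("carol", ("auditor",)), "record:read"),  # undefined role
    ]
    for sess, perm in samples:
        allowed, reason = check_access(sess, perm)
        print(f"{sess.user:6} {perm:14} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The point of the structure is that an administrator only ever assigns roles; the mapping from roles to rights lives in one place and is reviewed there, which is what makes the "pre-defined, need-to-know" requirement enforceable rather than a matter of per-user discipline.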
Where Data Protection and Privacy Enter the Picture
This set of functions shows that the IAM service is the key to the whole system: all the data, all the identities, everything that can be done on the platform. Therefore, if there are deficiencies in technical data protection, the entire system is non-compliant and can easily be compromised.
This is why, for example, the German Federal Office for Information Security (BSI) devotes an entire section of its IT-Grundschutz compendium to IAM (ORP.4 - Identity and Access Management).
- First, it states that the responsibility for IAM lies with the C-level (Section 3).
- Second, the IAM service should be a core network service (ORP.4 A18).
- And third, the service should meet all the criteria listed in the comprehensive section of the Compendium.
For most services beyond a certain size and complexity, it is nearly impossible to meet all of these criteria with a homegrown solution. This is especially true for distributed systems that require a cloud-based IAM solution. A provider is needed, which in data protection terms means: outsourced data processing according to Art. 28 GDPR (or in some cases: joint control, Art. 26 GDPR).
Since authentication data is personal data, and since it is the key to access even more data, a data transfer to and from the IAM provider will take place, triggering the complex set of rules laid down in the GDPR.
- The IAM provider must be carefully selected, and the rationale should be documented.
- A Data Processing Agreement (DPA) is needed between the parties to govern the processing of personal data on behalf of the controller.
- Data transfers to third countries / countries without an adequacy decision are only possible with appropriate safeguards.
- Data transfers to the USA are a special case. The EU Commission has issued an adequacy decision based on the so-called EU-US Data Privacy Framework (DPF). However, this has not yet been finally assessed by the European Court of Justice (ECJ). It has already declared several similar constructions to be inadequate.
Action Required
IAM systems do not always get the attention they deserve. They work under the hood, are very technical, and are not exciting in any way. Yet they are the gatekeepers between a system and the world. If they are weak, compromised, or simply not compliant, then so is the entire system. Again: IAM is a C-level responsibility.
The good news is that choosing the right cloud-based IAM system makes life easier for the business, IT and users alike. Well-defined roles and easy-to-use self-service interfaces minimize administration and make processes transparent. Maintenance and further development are outsourced to a provider who works centrally and efficiently and who constantly follows the latest developments in technology, administration and legislation.
At Engity, we believe that this is simply good business.
Note: This article was first published in March 2022 and last updated and corrected in March 2024