Why is IAM important?
My previous article explained what some of the concepts within IAM mean, but it did not clearly explain why IAM is important, or what the drawbacks are of not having IAM implemented within an organization.
Let's look at these in the same format as in the other article:
- Joiner: Not having a Joiner process defined causes a lot of confusion and wastes time and resources every time a new employee is hired. I remember the time, more than a decade ago, when I joined a small organization and it took 4 weeks for me to get set up. To add to that, not every new hire can be onboarded the same way. Each department's hires need to follow an entirely different process. You cannot give a Legal Department new hire access to an Accounting Team's application, and vice versa.
- Mover: Imagine being at the same organization for about 15 years, and think about all the systems, tools and teams you would have gained access to during that time. It'll usually be a lot. Now imagine this user's account gets hacked! The blast radius would be huge, because access would not have been removed each time you moved into an entirely different team and a different role.
- Leaver: As mentioned above, Joiner and Mover are important processes to have, but not having a Leaver process (even a manual legacy process) could mean disaster, and you wouldn't have to wait long for it. Immediate terminations are usually rocky, and disgruntled employees may want to cause harm or steal valuable information if their accounts are not disabled in a timely manner.
A Mature IAM System
There are different levels of maturity an organization can reach in its IAM implementation. Not all organizations need to reach the highest maturity level. But below are some of the key features of an average-maturity IAM implementation:
- New hires are granted all the roles and permissions needed to perform their duties on day 1. And each department's new hires are treated differently in terms of the types of access they need.
- When a user in the organization needs access to an application, database, shared folder etc., they can submit a request to gain access, and the request flows through the system and automagically grants them the access (after approvals) without any manual intervention.
- A user moves to a different team, and as long as the HR system reflects the team change, the user gains access to the new team's resources. Again, without any manual intervention.
- Auditors should be able to easily trace how and when a user gained access to a system, who approved it, and what the justification for the request was.
- People managers are able to review and certify the access of all their direct reports on a regular basis and revoke access as needed. This helps with access bloat.
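The lifecycle described in the Joiner/Mover/Leaver section and in the list above (birthright access on day 1, self-service requests that are granted only after approval, HR-driven moves, an audit trail an auditor can query, and manager certification that trims access bloat) as a small in-memory simulation. This is an added example, not code from the original article; the departments, role names, the "hr-feed" actor, and the rule that a user's own manager approves requests are all constructed assumptions.

```python
"""Illustrative joiner/mover/leaver (JML) lifecycle driven by HR events.

Added example, not code from the original article. Department names, role
names and the approval rule are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Birthright roles per department (constructed): what a new hire gets on day 1.
BIRTHRIGHT_ROLES = {
    "Legal": {"email", "contract-repo-read"},
    "Accounting": {"email", "ledger-app"},
}


@dataclass
class Account:
    user: str
    department: str
    manager: str
    enabled: bool = True
    roles: set = field(default_factory=set)


@dataclass
class IdentityStore:
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # every grant/revoke: who, why, when

    def _log(self, user, action, role, actor, justification):
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "role": role,
            "actor": actor, "justification": justification,
        })

    def join(self, user, department, manager):
        """Joiner: the HR feed creates the account and provisions birthright roles."""
        acct = Account(user, department, manager)
        self.accounts[user] = acct
        for role in sorted(BIRTHRIGHT_ROLES.get(department, set())):
            acct.roles.add(role)
            self._log(user, "grant", role, "hr-feed", f"birthright for {department}")
        return acct

    def request_access(self, user, role, approver, justification):
        """Self-service request: granted only if the user's manager approves,
        and the approver plus justification land in the audit trail."""
        acct = self.accounts[user]
        if approver != acct.manager:  # constructed rule: only the manager may approve
            raise PermissionError(f"{approver} is not {user}'s manager")
        acct.roles.add(role)
        self._log(user, "grant", role, approver, justification)

    def move(self, user, new_department, new_manager):
        """Mover: the old department's birthright roles are revoked and the new
        department's are granted, with no ticket or manual step involved."""
        acct = self.accounts[user]
        old = BIRTHRIGHT_ROLES.get(acct.department, set())
        new = BIRTHRIGHT_ROLES.get(new_department, set())
        for role in sorted(old - new):
            acct.roles.discard(role)
            self._log(user, "revoke", role, "hr-feed", f"left {acct.department}")
        for role in sorted(new - acct.roles):
            acct.roles.add(role)
            self._log(user, "grant", role, "hr-feed", f"birthright for {new_department}")
        acct.department, acct.manager = new_department, new_manager

    def leave(self, user):
        """Leaver: disable the account immediately and revoke every role."""
        acct = self.accounts[user]
        acct.enabled = False
        for role in sorted(acct.roles):
            self._log(user, "revoke", role, "hr-feed", "termination")
        acct.roles.clear()

    def certify(self, manager, keep):
        """Access review: a manager confirms the (user, role) pairs their direct
        reports still need; anything not confirmed is revoked."""
        for acct in self.accounts.values():
            if acct.manager != manager:
                continue
            for role in sorted(acct.roles):
                if (acct.user, role) not in keep:
                    acct.roles.discard(role)
                    self._log(acct.user, "revoke", role, manager, "not certified in review")

    def trace(self, user, role):
        """Auditor view: how and when did this user get (or lose) this role, and who did it."""
        return [e for e in self.audit if e["user"] == user and e["role"] == role]


def lifecycle_demo():
    """Walk one user through join -> request -> move -> certify -> leave."""
    store = IdentityStore()
    store.join("alice", "Legal", "bob")
    store.request_access("alice", "ediscovery-tool", "bob", "case review")
    store.move("alice", "Accounting", "carol")
    # The requested role survives the move: that is the access bloat the
    # Mover section warns about, and the review below is what catches it.
    store.certify("carol", keep={("alice", "email"), ("alice", "ledger-app")})
    store.leave("alice")
    return store
```

The move deliberately revokes only the old department's birthright roles; the ad-hoc `ediscovery-tool` grant stays until carol's certification removes it, which is exactly the gap between a Mover process and an access review. `trace("alice", "ediscovery-tool")` then shows bob's approval and carol's later revocation in order.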
Other Concepts:
There are other concepts in this space that are worth mentioning.
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Segregation (Separation) of Duties (SoD)
I will create separate articles on these topics if there is more interest.