This is our second article in our “concepts you’re using without even knowing” series. This time, we’re discussing identity management, and specifically centralized identity management.
Read on to see what identity management is, why IAM has become such a key tool in the enterprise computing world, and what benefits centralized identity management holds for your organization.
- Introduction to centralized identity management
- Authentication challenges
- Why does centralized identity management work?
- Configuration and oversight
- Centralized Identity Management Is Here To Stay
Somewhere, in some way, your technology environment needs the ability to authenticate users. You want to keep unauthorized external users out, while ensuring that your staff only has access to the security and data that they need to do their jobs.
There are various approaches to managing users and permissions – some more organized than others. In complex enterprise computing environments, there is a strong need for structured approaches to managing users, assets, and permissions – and that’s why identity and access management evolved.
Identity management is a framework by which users, devices, and other resources are assigned a security identity – and by which each of the identities are assigned specific access rights. Identity management is pervasive – almost every large organization will be using identity and access management to authorize users and to control access to enterprise systems.
Identity management gives you the ability to grant users access to the resources that they have rights to, and to do so in a controlled, context-sensitive manner. Each identity (or user) is assigned one or multiple roles, which entitles the identity to access rights to a specific set of resources.
The distinction between decentralized and centralized is relatively straightforward. Under the decentralized model, there is no single location for identity management. IAM is performed across many different environments and applications, and a single user might have multiple identities stored in various identity stores.
A user will be expected to sign into their workspace, performing an authentication step with one identity provider at that stage, but will then also be expected to sign into a key application – performing yet another authentication step at that time.
The centralized model does away with different centers for identity management – instead, users sign into a single authentication provider which then propagates the identity’s access rights across to all the applications and resources within the organization.
In practice, it means that the user signs in to a single workspace – and never needs to sign in to another service again, as access is granted based on that first and only sign-in event.
Before we take a deeper look into identity management, let’s first get an overview of the issues and challenges behind authentication. That will give us a much better insight into why centralized identity management is so commonly applied.
Access and permissions visibility
From both a compliance and troubleshooting perspective, organizations need to know which users have access to what resources and at what time. That also holds for identities associated with applications and services. Answering these questions can be challenging in less organized, decentralized identity environments.
In particular, it becomes very challenging to audit user access and behavior where each application relies on a siloed user directory. Though at an enterprise scale most organizations use a central directory such as Active Directory (maybe via Azure AD), it’s also the case that users increasingly sign up to cloud services which do not link up to the organization’s established directory service – creating an opaque permissions environment.
Onboarding and de-provisioning
Quickly onboarding new employees helps them get started faster, but onboarding can be time-consuming if IT admins need to tediously navigate multiple directories. Worse, with SaaS apps commonly deployed at the departmental level – marketing SaaS for sales, CRM SaaS for customer service – onboarding can consume a significant amount of energy outside of the IT department.
If the employee leaves, offboarding or de-provisioning their access can be challenging – and, in reality, often incomplete. The IT department will do what it needs to do – using automated tools to de-provision enterprise resources.
However, where access was managed by functional departments that access could stay alive – putting an organization at risk, as an external party retains access to applications. Imagine the cleanup job if a user has twenty different logins – it essentially becomes twenty cleanup jobs, with responsibility for cleanup spread across the organization.
With distributed, siloed user directories another problem develops – directories are inevitably not fully synchronized. Users end up being unable to access some applications but not others.
A divide can emerge between cloud and on-premise applications for example, and remote workers might find that they’re unable to access everything they need for their work – because their offsite location causes a disconnect.
User behavior and user fatigue
Finally, some of the biggest challenges around identity management lies around user behavior. It’s a huge challenge – getting users to use strong, unique passwords for lots of different sign-on points isn’t easy. Where users end up with more and more credentials the security risk increases – users are more likely to choose easy to guess passwords, and resort to reusing passwords across services.
Users also get tired of trying to juggle an endless list of usernames and passwords, with a requirement to constantly sign in and out of services equally tedious. It may even result in users making less use of the services available to them.
Clearly, identity and access management pose many challenges for organizations. Taking a more centralized approach to identity management can solve many of these challenges – but there are also some disadvantages to a centralized approach.
Usability benefits of centralized identity management
It’s easy to see the benefits of providing users with a single login to access all enterprise services. Employees need to remember just a single set of credentials, and authentication is automatic across applications – there’s no need to constantly perform login events to gain access to resources.
Centralized identity management removes many of the usability frustrations around access management – and by consequence, reduces the temptation for employees to try and circumvent access control – which boosts security.
Management and security benefits
Management is far easier too, as onboarding and de-provisioning are done in one step – there’s just one identity store that stretches across the organization. On setup, users instantly receive access to all of the resources they are entitled to – and on departure, an employee’s access is fully and comprehensively curtailed.
Policy enforcement is also improved with centralized identity management as it’s much easier to enforce strong passwords and multi-factor authentication when it’s just one identity that authorizes access across all resources.
In fact, a single identity opens the path to bullet-proof authentication mechanisms such as biometrics and physical tokens – mechanisms that won’t be accepted by users if needed for every resource and application.
Orchestration based on standardization
Centralized identity management is standards-based. For example, many cloud vendors rely on OAuth 2.0 – including, for example Google, which relies on this protocol to enable authentication and authorization across Google cloud apps – and across third party apps.
Other centralized identity standards enable different feature sets – with openLDAP, for example, acting as a directory service, while OpenID focuses on authentication.
One of the key points of a centralized identity management solution is that it offers organizations the ability to construct fluid, cutting-edge technology architectures while maintaining high levels of security – and that happens due to the inherent standardization.
A good IAM solution, therefore, removes bottlenecks by closely integrating with diverse cloud-based services and resources. So, it’s also worth thinking of centralized identity management in terms of its orchestration capabilities – which is something you won’t be able to do with decentralized identity management.
Downsides to centralized identity management
The benefits of the centralized approach are inarguable – but centralized identity management also has its detractors, and there are some downsides to a single identity store.
Perhaps the most worrying downside is that relying on just one identity – and one set of credentials – creates a single point of failure. Where an attacker can compromise this single point of authentication it automatically enables the attacker to access all the resources a user has access to, right across the organization. That said, the risk of this happening can be mitigated by relying on strong authentication protocols for this single identity.
Another issue with centralized identity management is that application integration can be challenging – particularly where there is a mix of legacy and on-premise applications working next to cloud-hosted apps. Where a single legacy app doesn’t plug into IAM standards or where integration and customization isn’t an option it instantly generates the need for an extra set of identities.
Any changes in the underlying application architecture can also cause unexpected authentication issues, suddenly disconnecting thousands of users from a key resource.
Interaction with RBAC
Centralized identity management provides a terrific platform for seamless role-based access control (RBAC). With RBAC, organizations can set up different policies to match specific job functions – specifying what access rights an employee has depending on their role in their organization.
These policies are then published to the centralized identity and access management platform, which provides a single point of control that automates access and identity management based on the parameters specified in the RBAC policies.
As a final point, it’s important to understand that centralized identity management needs very strong oversight. It requires an architectural approach to set up – with a comprehensive design and planning process.
A poorly structured central identity repository can end up unfit for purpose. Similarly, your centralized identity management toolset must be designed with flexibility – and the future – in mind to ensure that you’re not forced into a situation where users are forced to manage multiple identities anyway.
Security is another concern. CISOs get closely involved with the governance of IAM solutions as security can only be maintained through strict controls and strongly enforced policies. Indeed, C-level IT staff will be closely involved in guiding the setup and use of centralized identity management – while also monitoring continuously to ensure compliance – and to spot potential risks.
Within an increasingly cloud-centric world a central, secure identity store delivers important benefits – allowing organizations to fluidly deploy applications across their technology estate while enforcing consistent security standards.
In a way, if your organization makes use of cutting-edge cloud apps, you’re likely already using software from an IAM vendor – even if it’s the default choice that comes with your company’s cloud productivity software.
Nonetheless, centralized identity management has a couple of challenges that are worth keeping in mind, the most important being its weakness as a single point of failure. One identity underpins all access – which means it must be controlled and monitored closely.
However, as long as organizations use strong authentication methods the benefits of centralized identity management greatly outweigh the weaknesses, with a centralized approach making identity management just that much earlier.