Before the IAM system can authenticate an identity, that identity must first be provisioned to the server. Provisioning means defining identities, together with their attributes, in the identity store. Each identity is assigned roles that specify what it is allowed to do. Identities can also be provisioned into the server from trusted external providers such as Google; this is called inbound provisioning, and it shortens the work of defining identities and the procedures around them. The complementary method is outbound provisioning, in which the server pushes identities to trusted external identity providers such as Google. Several outbound provisioning connectors ship with the solution by default, and custom provisioning connectors can be developed on request.
Another provisioning method in NIU.IAM is Just-In-Time (JIT) provisioning, which creates the local account at the moment it is first needed, typically on a user's first login through an external identity provider, using the attributes delivered in that authentication response. This is convenient for users, who are not blocked at the login step in the middle of their work simply because no account has been created for them yet.
A very important security task is to verify that the entity requesting access to a resource really is who it claims to be. This is authentication, and it usually evaluates one or more of the following: "something you know", the knowledge factors such as a password; "something you have", the possession factors such as a hardware token; and "something you are", the inherence factors such as a fingerprint. The simplest form is a username and password pair checked against a database; the database should hold only a salted hash of the password, never the password itself. Other forms use biometrics such as fingerprints, palm prints or facial features that are specific to a single individual; these are stored as templates linked to a person, and because a biometric cannot be changed once it leaks, the templates need stronger protection than a password hash. Authentication through a possession factor relies on something that only a specific entity holds, such as a one-time code generated by a token device or a payment card presented at the point of sale. In more sensitive systems, IAM can require multi-factor authentication (MFA): two or more of the factors above are evaluated to verify the entity's identity, so that even if an intruder breaches one factor, they still have to pass the other factor(s). Two factors of the same kind (a password plus a security question, for example) do not count as MFA.
After identifying the entity that requests access, IAM must verify that it is authorized to access that data. Depending on the policies and rules of the organization, authorization can be implemented as role-based access control (RBAC), attribute-based access control (ABAC), fine-grained policy-based access control, or claim-based access control. In RBAC, every entity is assigned one or more roles, and each role maps to a predefined set of resources and operations. ABAC instead evaluates attributes of the requesting entity, of the resource and of the environment (time of day, network location, and so on) to decide whether to grant or reject the request. When that evaluation is expressed as a set of written policies, it is policy-based access control; when the attributes are delivered as claims asserted by an identity provider, it is claim-based access control. In practice the models are combined: roles cover the common cases, and attribute or claim rules express exceptions such as data-classification or department restrictions.
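An added example of such a combined decision (not NIU.IAM's own policy engine): a static role table answers the common cases, a short list of attribute and claim policies expresses the exceptions, and an explicit deny overrides any allow. The roles, policies, users and resources are constructed for illustration.

```python
# Added example (not NIU.IAM code): one decision function that combines
# role-based permissions with attribute/claim-based policies.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class Subject:
    name: str
    roles: Set[str]
    attrs: Dict[str, object]   # attributes or claims, e.g. {"department": "finance", "mfa": True}

@dataclass
class Resource:
    id: str
    attrs: Dict[str, object]   # e.g. {"type": "report", "classification": "confidential"}

# --- RBAC: a static mapping from role to allowed (action, resource type) pairs ---
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "viewer":  {("read", "report")},
    "editor":  {("read", "report"), ("write", "report")},
    "auditor": {("read", "report"), ("read", "audit-log")},
}

def rbac_allows(subject: Subject, action: str, resource: Resource) -> bool:
    wanted = (action, resource.attrs.get("type"))
    return any(wanted in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)

# --- ABAC / policy-based: rules over subject, action and resource attributes ---
# Each policy is (effect, predicate). An explicit deny overrides every allow.
Policy = Tuple[str, Callable[[Subject, str, Resource], bool]]

POLICIES: List[Policy] = [
    # confidential reports are only readable inside the owning department
    ("deny", lambda s, a, r: r.attrs.get("classification") == "confidential"
                             and s.attrs.get("department") != r.attrs.get("department")),
    # the owner of a document may always write it, whatever their role
    ("allow", lambda s, a, r: a == "write" and r.attrs.get("owner") == s.name),
    # the audit log requires an MFA claim asserted by the identity provider
    ("deny", lambda s, a, r: r.attrs.get("type") == "audit-log" and not s.attrs.get("mfa")),
]

def authorize(subject: Subject, action: str, resource: Resource) -> bool:
    """Deny-overrides: any matching deny wins; otherwise an allow policy or an RBAC grant."""
    effects = {effect for effect, matches in POLICIES if matches(subject, action, resource)}
    if "deny" in effects:
        return False
    return "allow" in effects or rbac_allows(subject, action, resource)

# constructed sample data (hypothetical users and resources)
alice = Subject("alice", {"viewer"}, {"department": "finance", "mfa": True})
bob = Subject("bob", {"editor"}, {"department": "sales", "mfa": False})
carol = Subject("carol", {"auditor"}, {"department": "it", "mfa": False})
q3_forecast = Resource("q3-forecast", {"type": "report", "classification": "confidential",
                                       "department": "finance", "owner": "alice"})
auth_log = Resource("auth-log", {"type": "audit-log"})

if __name__ == "__main__":
    for subj, act, res in [(alice, "read", q3_forecast), (alice, "write", q3_forecast),
                           (bob, "read", q3_forecast), (carol, "read", auth_log)]:
        print(f"{subj.name:6} {act:5} {res.id:12} -> {'allow' if authorize(subj, act, res) else 'deny'}")
```

Note that bob, whose editor role would allow the read, is still refused the confidential finance report, and carol, whose auditor role covers the audit log, is refused until her session carries an MFA claim: the attribute and claim rules narrow what the roles grant, never the reverse.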
Federated identity management (FIM) is an arrangement between multiple enterprises that lets subscribers authenticate once, to their own domain, and then access resources in the partner domains without logging in a second time, while the administrators of each domain still control the level of access within their own domain. Using such a system is called identity federation. Identity federation offers economic advantages as well as convenience to enterprises and their network subscribers: for example, multiple corporations can share a single application, saving cost and consolidating resources.
For FIM to be effective, the partners must trust each other, and that trust is anchored technically in the signing certificates or keys they exchange. Authentication and attribute assertions between partners are carried by Security Assertion Markup Language (SAML) or a comparable standard (OpenID Connect and OAuth 2.0 tokens, WS-Federation and WS-Trust security tokens consumed by frameworks such as Windows Identity Foundation, and so on) that lets a user log on once and reach affiliated but separately operated websites or networks. The receiving party must check the issuer, the intended audience and the validity period of every assertion, not only its signature.
Today most of us use many applications and services, each of which asks for its own credentials before we can sign in. Remembering a different username/password pair for every one of them is tiresome. With the single sign-on (SSO) feature of our proposed IAM system, you sign in once to one of the trusted applications or services and gain access to all the others within that trust relationship for as long as the session is active, which eliminates password fatigue.
SSO is an important component of federated identity management. Although FIM systems give their users a form of single sign-on, the two are not the same: SSO generally lets users reach multiple systems within a single organization with one set of credentials, while FIM lets users reach systems across different organizations.
Implemented correctly, SSO helps productivity, IT monitoring and management, and security control. Because each user holds one set of credentials (a username and password, ideally with a second factor), administrators can enable and disable that user's access to many systems, platforms, apps and other resources from one place, and the risk of lost, forgotten or weak passwords shrinks.
Bear in mind, however, that the convenience of single sign-on also concentrates risk: an attacker who takes over a user's SSO credentials or active session gains access to every resource that user is entitled to, so the potential damage grows. To limit malicious access, every SSO deployment should be coupled with identity governance (regular review of who is entitled to what) and with two-factor (2FA) or multi-factor authentication (MFA), and SSO sessions should be short-lived and revocable from the central point.
SSO is enabled by default in NIU.IAM to give end users a more convenient experience. Service providers benefit as well, since they no longer manage user identities themselves: identities are managed at a central point, which is more secure, less complex and easier to administer.
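The token exchange behind the federation and SSO passages above, as an added example that is not NIU.IAM's own code: a central identity provider issues one signed, short-lived token after a single login, and each application in the trust relationship verifies the signature, issuer, audience and validity period locally, never seeing the user's password. The token format is a minimal JWT-style compact token signed with HMAC-SHA256 using only the standard library; the issuer URL, application names, shared key and the `amr` (authentication methods) claim values are assumptions made for the example.

```python
# Added example (not NIU.IAM code): the IdP issues one signed, short-lived
# token after a single login; each application in the trust relationship
# verifies it locally and never sees the user's password.
import base64
import hashlib
import hmac
import json
from typing import List, Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    """Central authority of the federation; the only party that should sign tokens."""
    def __init__(self, issuer: str, key: bytes, trusted_apps: set):
        self.issuer, self.key, self.trusted_apps = issuer, key, trusted_apps

    def issue(self, subject: str, audience: str, amr: List[str], now: int, ttl: int = 900) -> str:
        if audience not in self.trusted_apps:
            raise ValueError(f"{audience} is not part of the trust relationship")
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + ttl, "amr": amr}   # amr: how the user authenticated
        signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)

class ServiceProvider:
    """A relying application; it trusts the IdP's key, not the user's password."""
    def __init__(self, app_id: str, issuer: str, key: bytes, require_mfa: bool = False):
        self.app_id, self.issuer, self.key, self.require_mfa = app_id, issuer, key, require_mfa

    def verify(self, token: str, now: int) -> Optional[dict]:
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header_b64, claims_b64, sig_b64 = parts
        # The header's "alg" is deliberately ignored: this verifier always uses its own
        # HMAC key, which rules out "alg: none" and key-confusion tricks.
        expected = hmac.new(self.key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        try:
            if not hmac.compare_digest(expected, unb64url(sig_b64)):
                return None                                  # tampered or foreign token
            claims = json.loads(unb64url(claims_b64))
        except ValueError:                                   # bad base64 or bad JSON
            return None
        if claims.get("iss") != self.issuer or claims.get("aud") != self.app_id:
            return None                                      # issued by or for someone else
        if not (claims.get("iat", now + 1) <= now < claims.get("exp", 0)):
            return None                                      # expired or not yet valid
        if self.require_mfa and "mfa" not in claims.get("amr", []):
            return None                                      # password-only session is not enough here
        return claims

if __name__ == "__main__":
    key = b"constructed-shared-key"
    idp = IdentityProvider("https://idp.example", key, {"mail", "payroll"})
    mail = ServiceProvider("mail", "https://idp.example", key)
    token = idp.issue("alice", "mail", ["pwd"], now=1_700_000_000)
    print(mail.verify(token, now=1_700_000_000))
```

The `aud` check is what keeps a token stolen from one application from being replayed against another, and the `amr` check lets a sensitive application insist on MFA even though login happened elsewhere. A shared HMAC key, as used here for brevity, means every application could also mint tokens; production federations (SAML, OpenID Connect) have the IdP sign with a private key and the applications verify with the corresponding public key, so that only the IdP can issue.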
To make sure the system performs as expected, and to detect inconsistencies as quickly as possible, the system must be monitored and audited properly. Monitoring consists of regular reviews performed as part of normal operations to confirm ongoing compliance, while auditing is a formal, independent review of compliance.
Continuous Auditing (CA) and Continuous Monitoring (CM) are automated feedback mechanisms used respectively by Internal Audit and Management to monitor IT systems, transactions, and controls on a frequent or continuous basis, throughout a given period.
Ongoing monitoring should be a continuous control, monitoring both processes and methods to detect compliance risk issues associated with an organization’s operations. Monitoring programs should be designed to test for inconsistencies, duplications, errors, policy violations, missing approvals, incomplete data, dollar or volume limit errors, or other possible breakdowns in internal controls.
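The kinds of checks listed above, run as automated continuous-monitoring logic over a batch of IAM audit events, as an added example that is not NIU.IAM's own monitoring code. The events are constructed JSON lines, and the field names (`event`, `actor`, `approved_by`, `limit`, and so on) are assumptions for the example; a real deployment would map them onto whatever the audit log actually records.

```python
# Added example (not NIU.IAM code): continuous-monitoring checks over a batch of
# IAM audit events. Events are constructed JSON lines; field names are assumptions.
import json
from collections import defaultdict
from typing import Dict, List, Tuple

PRIVILEGED_ROLES = {"admin", "auditor"}
REQUIRED = {"role_granted": {"actor", "target", "role"},
            "login": {"user", "mfa"},
            "account_created": {"user", "email"},
            "payment_approved": {"actor", "amount", "limit"}}

# constructed sample log: one JSON object per line
SAMPLE_LOG = """\
{"ts": 1, "event": "account_created", "actor": "hr-bot", "user": "alice", "email": "alice@example.com"}
{"ts": 2, "event": "account_created", "actor": "hr-bot", "user": "alice2", "email": "alice@example.com"}
{"ts": 3, "event": "role_granted", "actor": "bob", "target": "carol", "role": "admin", "approved_by": "bob"}
{"ts": 4, "event": "role_granted", "actor": "bob", "target": "dave", "role": "viewer"}
{"ts": 5, "event": "login", "user": "carol", "mfa": false}
{"ts": 6, "event": "login", "user": "dave", "mfa": false}
{"ts": 7, "event": "payment_approved", "actor": "erin", "amount": 15000, "limit": 10000}
{"ts": 8, "event": "role_granted", "actor": "bob"}
"""

def parse_events(text: str) -> List[dict]:
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            events.append({"event": "unparseable", "line": n})
    return events

def audit(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings in log order; an empty list means nothing to report."""
    findings: List[Tuple[str, str]] = []
    emails: Dict[str, List[str]] = defaultdict(list)
    privileged_users = set()
    for e in events:
        kind = e.get("event")
        if kind == "unparseable":
            findings.append(("unparseable", f"line {e['line']} is not valid JSON"))
            continue
        missing = REQUIRED.get(kind, set()) - set(e)
        if missing:   # incomplete data: the record cannot be evaluated, report it rather than skip silently
            findings.append(("incomplete_data", f"ts={e.get('ts')} {kind} lacks {sorted(missing)}"))
            continue
        if kind == "account_created":
            emails[e["email"]].append(e["user"])
        elif kind == "role_granted" and e["role"] in PRIVILEGED_ROLES:
            privileged_users.add(e["target"])
            approver = e.get("approved_by")
            if approver is None:     # missing approval
                findings.append(("missing_approval", f"{e['actor']} granted {e['role']} to {e['target']} unapproved"))
            elif approver == e["actor"]:   # separation-of-duties violation
                findings.append(("self_approval", f"{e['actor']} approved own grant of {e['role']} to {e['target']}"))
        elif kind == "login" and e["user"] in privileged_users and not e["mfa"]:
            findings.append(("policy_violation", f"privileged user {e['user']} logged in without MFA"))
        elif kind == "payment_approved" and e["amount"] > e["limit"]:
            findings.append(("limit_exceeded", f"{e['actor']} approved {e['amount']} over limit {e['limit']}"))
    for email, users in emails.items():   # duplications: one person, several identities
        if len(users) > 1:
            findings.append(("duplicate_identity", f"{email} is shared by {users}"))
    return findings

if __name__ == "__main__":
    for rule, detail in audit(parse_events(SAMPLE_LOG)):
        print(f"{rule:18} {detail}")
```

The privileged-login rule depends on state built from earlier events (who received an admin role), which is why the events are processed in order and why a continuous monitor must persist that state between batches rather than start empty each run.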
IAM is a popular and well-known name for identity and access management systems, and nothing else would present the solution better. Therefore IAM, combined with the NIUniverse trademark, i.e. NIU.IAM, makes the perfect name for this robustly secure, reliable solution.