Entra ID Identity and Access Management (IAM)

The Identity and Access Management (IAM) space can seem like a vast, complex field, especially if you’re just starting to explore it. From managing user identities to controlling access to systems and applications, IAM is critical for ensuring that the right individuals have the right access to the right resources at the right time. 

If you’re looking to enter this field, whether through roles like Entra ID or other IAM solutions, you’ll likely encounter a variety of acronyms, standards, and technologies. These concepts may seem overwhelming at first, but they’re essential to understanding how organizations safeguard their systems and data. 

Let’s take a closer look at the key acronyms and concepts in the IAM and Identity Governance and Administration (IGA) space, along with what you need to watch out for when preparing for a career or role in this domain. 

Identity and Access Management Overview:

1. Identity and Access Management (IAM) 

At the heart of any organization’s cybersecurity strategy lies IAM — a broad term that refers to the processes, policies, and tools used to manage the digital identities of employees, customers, and other stakeholders. IAM systems are responsible for ensuring that users can securely authenticate themselves (prove their identity) and are authorized (given access to the appropriate resources) based on their roles, attributes, or specific needs. 

The primary goals of IAM include: 

  • Authentication: Verifying the identity of users, devices, or services (using passwords, biometrics, etc.). 
  • Authorization: Ensuring users only access resources that are necessary for their job or role. 
  • Auditability: Tracking and logging access to systems for compliance and security monitoring. 

- Native Solution: Microsoft Entra ID (formerly Azure Active Directory) is the go-to IAM service within Microsoft's ecosystem. It allows organizations to manage employee access, authentication, and authorization to resources like Microsoft 365 (formerly Office 365) and custom applications. 

- Third-Party Solution: Okta is a popular third-party IAM provider. It offers identity management, Single Sign-On (SSO), and Multi-Factor Authentication (MFA) that integrate with both cloud and on-prem solutions. 

2. Identity Governance and Administration (IGA) 

While IAM deals with the basics of identity management, IGA goes a step further by focusing on the governance and administration of access rights. This includes managing the lifecycle of user identities, ensuring compliance with internal policies and external regulations, and automating access provisioning and deprovisioning. 

In simple terms, IGA addresses: 

  • Lifecycle Management: Automating user account creation, modification, and deletion throughout the employee’s tenure (Joiner, Mover, Leaver processes). 
  • Access Review: Regularly auditing and reviewing user access to ensure compliance with policies and regulations. 
  • Role Management: Defining roles within the organization and aligning access to roles (role-based access control). 

IGA tools like SailPoint, Okta, and Microsoft Entra ID Governance are widely used to streamline these processes, improving both security and operational efficiency. 

3. Joiner, Mover, Leaver (JML) 

JML processes refer to the stages of managing user identities as they join, move within, or leave an organization. Proper JML management ensures that employees are provisioned with the correct access and that access is revoked when they leave the company. 

-  Native Solution: Microsoft Entra ID Governance (including Lifecycle Workflows) is the native solution for JML in Microsoft's ecosystem. It automates provisioning (joiner), group and attribute changes (mover), and de-provisioning (leaver) to keep the identity lifecycle secure and compliant. 

-  Third-Party Solution: SailPoint IdentityNow handles JML processes as part of its identity governance suite. It integrates well with cloud and on-prem systems for automated user lifecycle management.

4. Single Sign-On (SSO) 

In an increasingly complex digital environment, users need access to numerous systems. SSO allows a user to authenticate once and gain access to multiple applications without needing to re-enter credentials each time. 

By reducing the number of times a user has to log in, SSO improves the user experience and lets security controls be enforced centrally at the identity provider. However, it also concentrates risk: one compromised credential or session token can open every connected application, which makes multi-factor authentication (MFA) an essential companion to SSO. 

5. Multi-Factor Authentication (MFA) 

MFA is a security measure that requires users to provide two or more verification factors to gain access to a system. These factors usually fall into three categories: 

  1. Something you know: A password or PIN. 
  2. Something you have: A smart card, mobile device, or token. 
  3. Something you are: Biometrics like fingerprints or facial recognition. 

MFA is crucial for reducing the risks associated with compromised credentials and is now a standard requirement for many systems and services, especially in high-security environments. 

6. Role-Based Access Control (RBAC) 

RBAC is a popular access control model that assigns users to roles based on their job functions and responsibilities. Once a user is assigned a role, they automatically inherit the permissions associated with that role. For example, an employee in the “HR” department might automatically be given access to employee records but not to financial systems. 

RBAC helps organizations simplify the process of access management and ensures that permissions are consistently granted according to business rules. However, it may not be flexible enough for more complex organizations, leading to the rise of Attribute-Based Access Control (ABAC). 

7. Attribute-Based Access Control (ABAC) 

Unlike RBAC, which ties permissions to roles, ABAC controls access based on attributes. These attributes could be user-related (e.g., department, seniority, or location), resource-related (e.g., file type or classification), or environmental (e.g., time of access or device used). ABAC offers a more granular and dynamic approach to access control and is better suited for complex, highly regulated environments. 
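To make the contrast between sections 6 and 7 concrete, here is an added example (not code from the original article or from any product) that evaluates the HR scenario from the text under both models. The role catalogue, the policy, and the subject, resource and environment attributes are all constructed for illustration. RBAC answers "does this role carry this permission"; ABAC additionally asks about classification versus clearance, device compliance and time of day, which RBAC has no vocabulary for.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# ---------- RBAC: permissions hang off roles; users inherit them ----------
# Constructed role catalogue for the HR example in the text.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "hr_specialist": {"employee_records:read", "employee_records:write"},
    "finance_analyst": {"ledger:read"},
    "it_admin": {"employee_records:read", "ledger:read", "directory:admin"},
}


def rbac_allows(user_roles: Set[str], permission: str) -> bool:
    """RBAC decision: allowed iff any assigned role carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)


# ---------- ABAC: decision from subject, resource and environment attributes ----------
@dataclass
class Request:
    subject: dict       # e.g. department, clearance
    resource: dict      # e.g. type, classification
    action: str
    environment: dict   # e.g. device_compliant, hour


Condition = Callable[[Request], bool]

# Each policy is a list of conditions that must all hold; anything not matched is denied.
ABAC_POLICIES: Dict[str, List[Condition]] = {
    "hr_reads_employee_records": [
        lambda r: r.resource["type"] == "employee_record",
        lambda r: r.action == "read",
        lambda r: r.subject["department"] == "HR",
        # resource classification must not exceed the subject's clearance
        lambda r: r.resource["classification"] <= r.subject["clearance"],
        # environmental attributes RBAC cannot express: device state and time of day
        lambda r: r.environment["device_compliant"] is True,
        lambda r: 8 <= r.environment["hour"] < 18,
    ],
}


def abac_allows(req: Request) -> bool:
    """ABAC decision: permit iff every condition of some policy is true.
    A missing attribute raises KeyError, which we treat as deny (fail closed)."""
    for conditions in ABAC_POLICIES.values():
        try:
            if all(cond(req) for cond in conditions):
                return True
        except KeyError:
            continue
    return False


def decide(subject: dict, resource: dict, action: str, environment: dict) -> bool:
    return abac_allows(Request(subject, resource, action, environment))


# Constructed subjects, resources and environments.
HR_USER = {"department": "HR", "clearance": 2}
EMPLOYEE_RECORD = {"type": "employee_record", "classification": 2}
PAYROLL_LEDGER = {"type": "ledger", "classification": 3}
OFFICE_HOURS_MANAGED = {"device_compliant": True, "hour": 10}
NIGHT_UNMANAGED = {"device_compliant": False, "hour": 23}

if __name__ == "__main__":
    print("RBAC hr->records:", rbac_allows({"hr_specialist"}, "employee_records:read"))
    print("RBAC hr->ledger: ", rbac_allows({"hr_specialist"}, "ledger:read"))
    print("ABAC hr, office hours, managed device:", decide(HR_USER, EMPLOYEE_RECORD, "read", OFFICE_HOURS_MANAGED))
    print("ABAC hr, night, unmanaged device:    ", decide(HR_USER, EMPLOYEE_RECORD, "read", NIGHT_UNMANAGED))
```

The ABAC engine fails closed: an attribute the policy needs but the request does not carry produces a deny rather than an exception or a default allow. That is the behaviour to insist on in any real policy engine, because incomplete attribute data from a directory or device-management system is a routine condition, not an edge case.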

8. Privileged Access Management (PAM) 

PAM focuses specifically on managing the access of privileged accounts — those with administrative rights to critical systems or sensitive data. These accounts have elevated permissions and are prime targets for cybercriminals. PAM tools are designed to control, monitor, and record the use of privileged accounts to mitigate the risks associated with these high-value targets. 

Tools like CyberArk and BeyondTrust are leaders in this space, helping organizations manage, secure, and audit privileged accounts effectively. 

9. Federated Identity Management (FIM) 

Organizations often have multiple systems and applications, sometimes across different domains or even external organizations. Federated Identity Management (FIM) allows users to use a single identity across multiple systems and organizations, facilitating Single Sign-On (SSO) across disparate systems. 

In a federated environment, authentication is handled by a central identity provider (IdP), such as Entra ID, which issues signed security tokens (SAML assertions or OpenID Connect ID tokens) that the relying applications validate instead of checking passwords themselves. 

10. OAuth and OpenID Connect (OIDC) 

These two protocols are often used together to enable secure delegated access to resources. OAuth 2.0 is an authorization framework that lets a third-party application access a user's resources (via an access token) without ever receiving the user's credentials. OpenID Connect (OIDC), built on OAuth 2.0, adds an authentication layer: it issues a signed ID token so the application can verify who the user is, in addition to being authorized to act on their behalf. An access token on its own is not proof of the user's identity. 

These protocols are critical for enabling modern cloud-based applications and mobile applications, where users need to authenticate once and access multiple services securely. 

11. Zero Trust Security 

The Zero Trust model assumes that no one, whether inside or outside the network, can be trusted by default. Access to every resource is continuously verified, with authentication and authorization applied at every level, for every session. This model is gaining momentum in modern cybersecurity strategies, particularly for businesses adopting cloud technologies and remote work. 

Implementing Zero Trust typically involves continuous monitoring of user behavior, stringent access control policies, and regular validation of identities. It’s a key trend driving innovation in the identity space. 

12. Identity as a Service (IDaaS) 

With the shift to cloud services, Identity as a Service (IDaaS) has emerged as a solution that allows businesses to outsource their identity and access management needs. Instead of managing IAM infrastructure on-premises, businesses can subscribe to cloud-based IAM services such as Okta, Entra ID, or Ping Identity. 

IDaaS platforms provide scalable, cloud-native solutions for authentication, access control, user management, and integration with cloud applications. 

LEGENDS:

  • PBAC – Policy-Based Access Control 

        PBAC refers to an access control model that enforces access decisions based on predefined policies. These policies determine who can access which resources, and under what conditions, based on factors such as user attributes, device health, and location. 

  • UAM – User Account Management 

        UAM involves the processes and systems used to create, manage, and deactivate user accounts throughout their lifecycle. It includes activities like account creation, password resets, role changes, and deactivation of accounts when users leave the organization. 

  • SCIM – System for Cross-domain Identity Management 

        SCIM is an open standard for automating the exchange of user identity information between identity systems and service providers. It allows for seamless user provisioning and de-provisioning across multiple applications and platforms. 

  • CIAM – Customer Identity and Access Management

        CIAM focuses on managing the identities of external customers or users, particularly in B2C (Business-to-Consumer) contexts. It involves providing secure and seamless access to applications, typically with a focus on user experience, privacy, and scalability. 

  • KBA – Knowledge-Based Authentication 

        KBA is an authentication method that relies on questions and answers to verify the identity of a user. This typically involves asking personal questions that only the user should know, though it is becoming less common due to security concerns. 

  • VAM – Visitor Access Management 

        VAM involves managing the access of temporary visitors to an organization’s physical and digital environments. It includes processes for issuing visitor passes, granting temporary credentials, and ensuring that visitors only have access to necessary resources for a limited period. 

  • XACML – eXtensible Access Control Markup Language 

        XACML is an open standard used to define access control policies in a machine-readable format. It enables organizations to create complex rules for controlling access to resources based on attributes such as user roles, security classification, and environmental conditions. 

  • LAP – Lifecycle Access Provisioning 

        LAP refers to the end-to-end management of user access throughout the lifecycle of their account. This includes the processes of provisioning new users, modifying access based on role changes, and revoking access when users leave the organization. 

  • SSE – Security Service Edge 

        SSE is the security half of the Secure Access Service Edge (SASE) architecture: cloud-delivered services such as secure web gateway, cloud access security broker (CASB) and Zero Trust network access (ZTNA) that broker user access to applications based on identity and device posture rather than network location. 

  • TAM – Trusted Access Management 

        TAM focuses on ensuring that only trusted entities (users, devices, or services) are allowed access to critical resources. This involves validating the identity and health of both the users and their devices to ensure access is granted under secure and trustworthy conditions.
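The SCIM entry above and the Joiner, Mover, Leaver section (3) describe the same mechanism from two sides: the IdP drives the lifecycle, SCIM is the wire protocol it uses to push account changes into each application. This added example (not code from the original article, Entra ID, or any vendor) is an in-memory SCIM 2.0 `/Users` service provider driven through one identity's joiner, mover and leaver steps. The schema URNs are the real ones from RFC 7643/7644; the user, attribute values and request bodies are constructed.

```python
import copy
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _coerce_bool(value):
    """Some SCIM clients send booleans as strings ("True"/"false"); normalise them."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def _set_path(user: dict, path: str, value):
    """Apply a value at a SCIM attribute path: 'active', 'name.givenName',
    or '<enterprise schema URN>:department'."""
    target = user
    if path.startswith(ENTERPRISE_SCHEMA + ":"):
        target = user.setdefault(ENTERPRISE_SCHEMA, {})
        if ENTERPRISE_SCHEMA not in user.setdefault("schemas", [USER_SCHEMA]):
            user["schemas"].append(ENTERPRISE_SCHEMA)
        path = path[len(ENTERPRISE_SCHEMA) + 1:]
    parts = path.split(".")
    for part in parts[:-1]:
        target = target.setdefault(part, {})
    leaf = parts[-1]
    target[leaf] = _coerce_bool(value) if leaf == "active" else value


class ScimUserStore:
    """Stand-in for the application side of SCIM provisioning. Each method
    returns (HTTP status, response body) the way the endpoint would."""

    def __init__(self):
        self.users: dict = {}

    def create(self, body: dict):
        """POST /Users. Joiner: the IdP pushes a new account."""
        if USER_SCHEMA not in body.get("schemas", []):
            return 400, {"detail": "missing core User schema"}
        if not body.get("userName"):
            return 400, {"detail": "userName is required"}
        # userName is unique and case-insensitive (RFC 7643 section 4.1.1)
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return 409, {"detail": "userName already exists", "scimType": "uniqueness"}
        user = copy.deepcopy(body)
        user["id"] = str(uuid.uuid4())            # server-assigned, immutable
        user["active"] = _coerce_bool(user.get("active", True))
        self.users[user["id"]] = user
        return 201, user

    def patch(self, user_id: str, body: dict):
        """PATCH /Users/{id}. Mover: attribute changes. Leaver: active=false."""
        user = self.users.get(user_id)
        if user is None:
            return 404, {"detail": "user not found"}
        if PATCH_SCHEMA not in body.get("schemas", []):
            return 400, {"detail": "missing PatchOp schema"}
        for op in body.get("Operations", []):
            kind = op.get("op", "").lower()
            if kind not in ("add", "replace"):
                return 400, {"detail": f"op '{kind}' not supported by this example"}
            if "path" in op:
                _set_path(user, op["path"], op["value"])
            else:
                # RFC 7644 section 3.5.2: without a path, value is a map of attributes
                for path, value in op["value"].items():
                    _set_path(user, path, value)
        return 200, user

    def delete(self, user_id: str):
        """DELETE /Users/{id}. Hard delete; deactivate first, delete after retention."""
        if user_id not in self.users:
            return 404, {"detail": "user not found"}
        del self.users[user_id]
        return 204, None


# Constructed request bodies in the shape an IdP's provisioning connector sends.
JOINER_REQUEST = {
    "schemas": [USER_SCHEMA, ENTERPRISE_SCHEMA],
    "userName": "alice@example.test",
    "name": {"givenName": "Alice", "familyName": "Example"},
    "emails": [{"value": "alice@example.test", "type": "work", "primary": True}],
    "active": True,
    ENTERPRISE_SCHEMA: {"department": "HR", "employeeNumber": "E-10042"},
}
MOVER_PATCH = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [
        {"op": "Replace", "path": ENTERPRISE_SCHEMA + ":department", "value": "Finance"},
        {"op": "Replace", "path": "title", "value": "Financial Analyst"},
    ],
}
LEAVER_PATCH = {  # boolean sent as a string on purpose, to exercise the coercion
    "schemas": [PATCH_SCHEMA],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
}


def run_jml() -> dict:
    """Drive one identity through joiner, mover and leaver; return the final record."""
    store = ScimUserStore()
    _, user = store.create(JOINER_REQUEST)
    _, user = store.patch(user["id"], MOVER_PATCH)
    _, user = store.patch(user["id"], LEAVER_PATCH)
    return user


if __name__ == "__main__":
    final = run_jml()
    print(final["userName"], "department:", final[ENTERPRISE_SCHEMA]["department"], "active:", final["active"])
```

Two points the example encodes: the leaver step is `active: false`, not an immediate DELETE, so the account is blocked from signing in while its data stays available for handover and retention; and `userName` uniqueness is enforced case-insensitively, otherwise a re-created joiner record with different casing silently becomes a second account for the same person.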

Key Takeaways: Watch Out in the Identity Space 

  1. Understand the Foundations: Whether you’re dealing with IAM or IGA, the foundation of identity management lies in the basic concepts of authentication, authorization, and auditability. Familiarize yourself with protocols like OAuth 2.0, SAML, and OpenID Connect, as they are integral to modern IAM systems. 
  2. Embrace Automation: The future of IAM is increasingly automated. Tools that automate user provisioning, de-provisioning, and access reviews (like IGA) not only improve operational efficiency but also reduce the risk of human error. 
  3. Security Is Always Evolving: As cyber threats evolve, so do identity management practices. MFA, Zero Trust, and PAM are no longer optional in many organizations — they are becoming the standard to protect against modern attacks. 
  4. Regulations Are Key: Identity management is often at the intersection of security and compliance. Stay aware of regulations like GDPR, HIPAA, or PCI DSS, as they heavily influence how IAM solutions are designed and implemented. 
  5. Cloud and Hybrid Models: More companies are adopting cloud-first strategies. As such, solutions like IDaaS are growing, but hybrid models (on-premises + cloud) still exist. It’s important to be comfortable with both on-prem and cloud-based IAM tools and strategies. 

By understanding these core concepts and staying up to date on emerging trends, you’ll be well-equipped to navigate the evolving world of Identity and Access Management. Whether you’re dealing with user lifecycle management, SSO, or role-based access, mastering these concepts will ensure you’re prepared for a role in the rapidly growing identity space.