IAM: How to manage user identities and accesses
There are more and more applications in your company: SaaS and On-Premise. Staff movements are becoming more and more frequent.
To orchestrate your ecosystem of users, automate and manage each person's access to the company's software, it's high time to find out what IAM software can do for you.
What is IAM? Definition and basic principles
IAM (Identity and Access Management) brings together all the systems put in place to manage user authorisations in order to control their access and rights to applications.
If we wanted to sum up IAM in a simple (simplistic? 🙂) phrase, we could say that IAM corresponds to the management of users and their authorisations.
Over the last few years, IAM has become a real issue at the heart of business processes, even beyond the remit of the IT Department.
ℹ️ Why is it so important to manage user authorisations?
In a company, employees will need to access software or data with a certain number of authorisation rules in order to carry out their work.
When each employee arrives, a large part of the onboarding process consists of creating 2 groups of resources:
- Resources belonging to the "common core". These include basic office tools such as Active Directory accounts and email (Office 365, GSuite, etc.),
- "Business-specific" resources. These resources correspond to tools specific to the employee or the department to which they belong.
It is also important to note that for the common core, the settings for each resource are specific to the user's function. For example, when the Active Directory account is created, the security groups corresponding to the user's role must also be set up.
Once a new employee has joined the company, it is also necessary to adapt the user's access rights and tools as they evolve within the company. When a user changes job, joins a new department or a new team, security rights need to be removed or added, the distribution groups to which they belong need to be changed, they need to be given new rights on new software and, above all, any rights they no longer need must be removed.
All these operations can be carried out manually by following processes. You also need to ensure that the processes evolve in line with changes to the IS or the scope of the IS. To do this, you need to keep an up-to-date inventory of all the software accounts, all the types of authorisation (sometimes referred to as authorisation profiles), and an authorisation repository for each user so you know who has access to what.
ℹ️ Why is it so important to have this type of repository?
Because when someone leaves the company, you don't want their access to remain open. Cisco, for example, was hacked by a former employee who still had access to all its tools several months after leaving.
Also because, in the event of an audit, you need to show that you have fine-grained access control: don't leave room for approximation or improvisation when you talk about authorisations!
To ensure rigorous management, and given that we're talking about hundreds or thousands of users, accesses and clearance parameters, you need to use a tool that enables governance and, ideally, automation of the maintenance of these repositories.
The 4 stages in setting up an IAM
Step 1: Get to know your employees
It may seem surprising, but yes, it is important to keep a list of ALL your users. Who has the list of users in your company? In reality, nobody!
HR has part of it (employees on permanent contracts, fixed-term contracts, etc.), the business departments have another part (temporary staff, service providers, etc.). It is therefore essential to have a single view of all these users in order to be able to manage their authorisations.
Step 2: Take stock of your software
This can be a difficult task, but you need to list all the software used in your company. At the risk of twisting the knife, you really do need to list all the software, even that which is not managed by or known to IT.
If you want to ensure your company's security right through to the end, it's a good idea at this stage to also note down all the hardware that's provided, such as access badges, keys and IT equipment.
Step 3: "Reconcile" users and software
In accounting, this is known as 'lettering': it involves associating the different accounts for all the applications with the right users. This reconciliation defines the list of tools available to each user.
When this reconciliation action is carried out, you will find 'orphan' accounts: these are either 'system' accounts or user accounts that do not exist or no longer exist in your repository. These are the famous "ghost accounts". The users have left, but the accounts are still active.
Our advice: carry out these 3 steps as often as possible, as this will ensure the security of your IS.
IAM software can simplify these 3 operations:
By connecting your IAM solution to your HRIS, you obtain the list of employees, then you connect the solution to your Active Directory (or similar) and you obtain the complete list of accounts. The solution automatically reconciles the data and notifies you of any users and accounts in error. It requires no effort on your part and you have all the information you need in just a few minutes!
The great thing about an IAM solution is that, once set up, it can perform these actions in near real time.
Step 4: manage access rights
The final step is to manage your users' access rights. You've just said who has the right to use which software, but now you need to define what they are allowed to do with it.
The most common mistake is to give everyone administrator rights. If you give everyone full powers, you might as well have no rights management policy!
When you give administrator access, think carefully about the responsibilities of the person who is going to receive these rights. Keep a close eye on these accesses in particular, because if they are hacked, the damage will obviously be catastrophic.
Some IAM systems allow you to specifically monitor certain sensitive access rights so that you can be informed in the event of a change (for example, a user being appointed administrator of a resource).
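The reconciliation of step 3 (matching HR users against application accounts to surface ghost and orphan accounts) and the monitoring of sensitive rights in step 4 can be illustrated with a small script. This is an added example, not code from the article or from any IAM product; the HR export, the Active Directory account export and the privileged-group snapshots are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the article). In practice these would come
# from an HRIS export and an Active Directory (or similar) account export.
TODAY = date(2024, 1, 15)  # constructed reference date for the check
HR_USERS = [
    {"id": "E001", "name": "Ada Lovelace", "left": None},
    {"id": "E002", "name": "Bob Martin", "left": date(2023, 9, 30)},
    {"id": "E003", "name": "Carol Diaz", "left": None},
]
AD_ACCOUNTS = [
    {"sam": "alovelace", "hr_id": "E001", "enabled": True},
    {"sam": "bmartin", "hr_id": "E002", "enabled": True},   # owner has left
    {"sam": "svc-backup", "hr_id": None, "enabled": True},  # system account
    {"sam": "jdoe", "hr_id": "E999", "enabled": True},      # unknown person
]

def reconcile(users, accounts, today):
    """Letter each account against the HR repository and classify the gaps."""
    by_id = {u["id"]: u for u in users}
    linked = set()
    findings = {"ghost": [], "orphan": [], "system": [], "no_account": []}
    for acct in accounts:
        hr_id = acct["hr_id"]
        if hr_id is None:
            findings["system"].append(acct["sam"])   # needs a named owner
            continue
        user = by_id.get(hr_id)
        if user is None:
            findings["orphan"].append(acct["sam"])   # no such person in HR
        elif user["left"] and user["left"] < today and acct["enabled"]:
            findings["ghost"].append(acct["sam"])    # left, still active
        else:
            linked.add(hr_id)
    # Current staff who have no account at all (onboarding not completed)
    findings["no_account"] = [
        u["id"] for u in users
        if u["id"] not in linked and (u["left"] is None or u["left"] >= today)
    ]
    return findings

def privileged_changes(before, after):
    """Diff two membership snapshots of a sensitive group (e.g. admins)."""
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after))}
```

Run repeatedly (after each HR and directory export) and treat every "ghost" and "added" entry as a ticket to review, not just a log line.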
Do you manage your users' accounts yourself, or do you choose an external solution?
After reading the 4 steps for doing your own identity and access management, you might be thinking either:
- OK, I'll set that up, OR
- it seems a bit time-consuming to carry out all these actions on a regular basis and without the certainty of being exhaustive.
What you think at the time is already a good indicator of whether or not you need a fully-fledged IAM solution.
The size of your company and your staff turnover are other important criteria.
The easy answers: if you have 100 employees or more and/or if you have high staff turnover, choose an IAM platform.
If you have more than 200 employees, it's not feasible to operate without such a system.
The 3 most common mistakes not to make when it comes to IAM
Mistake No. 1: Confusing IAM and SSO
SSO is an authentication system, whereas IAM is an account management system.
IAM and SSO work very well together, but do not perform the same functions at all.
At the root of this confusion is the definition of the need, which is not necessarily very clearly defined: the IT department wants to simplify/centralise password management for users. This request is at the crossroads of IAM, SSO and password managers.
Setting up an SSO system makes it possible to centralise some of the authentication of users on their various accounts. But the technical constraints of implementation, compatibility and maintenance mean that SSO is only partially applied to the company's various applications.
If we were to use a metaphor:
With SSO, you decide who has the right to enter the house;
with IAM you decide who has the right to move furniture, repaint walls or just sit down.
SSO does not let you manage clearance levels properly. You do not have an overall view of your tools and software, because not all of them are compatible, nor an overall view of the people working in your company, because SSO does not connect to the HRIS.
Mistake No. 2: Confusing users and accounts
When I'm in contact with a company and I ask them if they have a repository that centralises all the users, I regularly get the answer: "yes, Active Directory is the reference". But that's precisely the mistake you shouldn't make: confusing users with accounts.
Users are natural persons who have a surname, a first name, a date of arrival and possibly a date of departure.
These users are given access accounts based on HR functional parameters.
If you understand this fundamental difference, you are well on the way to implementing intelligent identity management in your company.
Mistake no. 3: thinking that once the IAM tool is in place it will work on its own
You can totally fail your IAM project by not putting someone in charge of managing the tool. Yes, even the best IAM solution needs to be looked after. New arrivals, account creations and suspensions need your intervention, and it's by maintaining your IS that it will remain 'clean' and correctly synchronised with HR information.
Finally, the key points for getting started
👉 Choose a "user-friendly" solution: you will be using the tool on a regular basis, and the solution you choose must be simple and ergonomic.
👉 A SaaS solution: offers you unfailing flexibility, with no cumbersome software to install and maintain. Your solution is always up to date, and the TCO is much lower in hosted mode.
👉 Compatibility with your applications: some of your applications are "On premise" and some are SaaS (Office 365, for example). It's important to check that you can integrate your applications, whatever their technology, so that you can cover the entire scope of your information system. The main difficulty is often integrating proprietary on-premise tools. That's why at Youzer we've set up a universal connector so that our customers can 'build' a custom connector for each of their applications.
👉 Responsive customer service: you may be committing to an IAM solution for several years, so you need responsive customer service to be able to answer your questions and resolve your problems. If you're on a huge platform, make sure you get a decent response time and that the person you're dealing with is technically proficient (so you don't get taken for a ride before you get your answer 🙃).
👉 A solution that evolves: choose a solution that evolves. It's not uncommon these days to see software platforms that haven't evolved for several years or even several decades. With technology and usage changing so rapidly, it's important to choose a platform that is flexible and scalable.
Sponsored article. The expert contributors are authors who are independent of the appvizer editorial team. Their comments and positions are their own.