Identity and Access Management (IAM) is the art and science of ensuring that someone is who they say claim to be. This ensures that they have the correct level of access to systems and data – enough to do their job, but no more. IAM systems cover a wide range of features, but typically include:
- Management and provisioning of user IDs and credentials
- “Privileged access management” (PAM), which gives special attention to users needing higher levels of privilege than the typical employee does. For instance, a system administrator might need privileges to install or upgrade software on a server. This high level of privilege obviously bears potential for abuse, and thus requires a higher level of scrutiny than usual.
- The ability to sign on to multiple systems (both local and in the cloud) using only one set of credentials (single sign-on, or SSO)
- Management of related identity tools such as hardware tokens and software tokens
- Biometrics in which some aspect of the user’s physical body—fingerprint, face, retina—confirms their identity.
A key concept in IAM is multi-factor authentication (MFA), which requires more than one piece of evidence to confirm someone’s identity. MFA factors must come from two or more of the following categories:
- something you have
- something you are
- something you know
When you withdraw money from an ATM, you are using MFA: the card is something you have, and your PIN is something you know. However, note that when you login to a system using an ID and password you are not using MFA, because both the ID and the password come from the same category, or factor. They are both “something you know”.
Although MFA is significantly stronger than single-factor authentication, it is by no means perfect. I should know: not long ago, my ATM card was “skimmed”, and the criminals were able to withdraw money, without authorization, from my account. The skimming device helped them to duplicate my card, and to obtain my PIN. As a result, they had both factors. (Fortunately, my bank covered the theft).
Despite its imperfections, MFA is still helpful in security. For any online system you use, particularly those involving money, obtain and implement the best MFA available to you.
