Terence Bennett - June 1, 2020
We’re reviewing everything you need to know about identity and Access Management (IAM). Good data governance is the key to success in any industry and you can’t have good data governance without identity and access management software. Identity and Access Management (IAM) solutions, like the software that DreamFactory provides, is essentially a suite of capabilities that enables systems administrators to protect sensitive data.
Of course, there’s a lot more to it than that. This article will cover the ins and outs of the IAM world, explaining in detail the answers to a number of important questions: What is IAM? What are IAM tools? How can you use IAM to secure an API?
In a day and age where cyber attacks against businesses are increasing in both frequency and severity, identity and access management skills are a must-have. This software, deeply connected with API management software, has become a mission-critical part of any business model.
Table of Contents
Did you know you can generate a full-featured, documented, and secure REST API in minutes using DreamFactory? Sign up for our free 14 day hosted trial to learn how! Our guided tour will show you how to create an API using an example database provided to you as part of the trial!
Create Your API Now
IAM Definition
Identity and Access Management software, called IAM for short, takes on a number of shapes and sizes. In order to understand how IAM works, you’re going to need to understand a few different definitions of the phrase.
First things first, “IAM” is an umbrella term that describes a virtually limitless number of different tools, concepts, devops practices, and so on. What each of these techniques and technologies has in common is that they all enable systems administrators to identify, track, and monitor digital users in their applications.
There are two different methods for understanding the purpose and function of IAM technologies. The first is through a simple analogy and the second is through a far more complicated description.
The Simple Version
A simple definition of IAM could be, “Software and strategies that enable you to create, maintain, and use any form of digital identification.” Essentially, this kind of technology does the same thing for digital systems as government IDs do for humans. Whenever a system administrator needs to verify authorization to be in a certain place, they can check the IAM tools.
If you’re familiar with API keys, OAuth tokens, or other authentication and authorization technologies, then you’re already familiar with various access management technologies. That being said, it’s as they teach in grade school: All squares are rectangles but not all rectangles are squares.
In other words, a simple definition doesn’t quite capture the true meaning of identity and access management protocols.
The Complicated Version
The complicated definition is much more helpful — not to mention much more frustrating. IAM is a collection of technological practices and policies combined with supporting technologies that enable systems administrators to obtain detailed user-data analytics for use in allowing or disallowing certain digital users from performing certain operations or accessing certain data.
That means creating things like cryptographic tokens, keys, etc. to prevent unauthorized access. Oftentimes, systems administrators use IAM software to not only protect sensitive data but also to block certain websites from office computers, limit access to external applications, and so on.
Since IAM practices are tied so closely together with API management resources, API automation can significantly improve data governance, systems standardization, and endpoint security. In fact, scripting systems like Amazon Web Services (AWS) even list IAM users as resources, explicitly lumping them in with API configuration policies.
To make understanding IAM easier, DreamFactory offers native connectors for easy integration of a large number of API-authentication systems, including a few from AWS.
An Explanation of IAM Tools
IAM tools are any software suites or plugins that facilitate the development of access management policies. In other words, these tools enable systems administrators to manage authorization and access levels of digital users. Any kind of technology that serves such a function can be considered an IAM tool.
Developers often use these tools to automate the handling of user requests for information, access, operations, etc. Each of these tools significantly reduces security risks, overhead, and labor time, freeing up developers to focus on less tedious uses of their time.
Examples of IAM Tools
There are an incredible number of IAM tools from which to choose. Whether you’re looking for a more physical approach tied to the literal translation of tokens or something automatic and self-verifying, there is an IAM tool for you. The following three examples are listed in descending order from most popular to least popular in the world of IAM.
API Key
It seems like everybody and their mother uses API keys nowadays. This form of authentication excels in verifying user requests, particularly where read-only data is concerned. API key security functions through the use of cryptographic tokens just like many other IAM tools but also works great when developed in tandem with API gateways.
Where these keys fall short, however, is in their limited utility at the intersection of write permissions and user data. That being said, API key security is still the most common form of access management in many professional circles.
OAuth
Another great example of IAM tools is OAuth. Technically, there are two kinds of OAuth, not counting the various project forms and update files associated with each. Both OAuth 1 and OAuth 2 can be great tools for access management, though each functions in a different manner.
OAuth 1.0 can be a powerful tool for managing simple communications between a server and third-party applications, but OAuth 2 allows for more in-depth control over user-specific verifications. In general, OAuth is one of the best available IAM tools for managing authorization levels, particularly when it comes to accessing read-write permissions governing user data.
Blockchain
If you’re familiar with cryptocurrency, you’ve probably heard the word “blockchain” tossed around. But did you know that blockchain is technically a form of IAM technology? The reason we’ve put this into the article is to further highlight the fact that identity and access management is an umbrella phrase used to describe a long list of different tools and devices.
The main difference between blockchain and other IAM tools is that there is no centralized owner of the “chain.” That means that no one person can control access.
IAM and Regulatory Compliance
Regulatory compliance can eat up large swaths of time — not to mention money. In order to stay up to date and avoid potential fines and other legal action, you have to constantly be monitoring, tweaking, and tracking any and all potential threats to your users’ stored data. Or you could just use automated IAM tools to manage that for you.
Just about every country where you might eventually do business has some kind of regulation regarding the safekeeping of customer data.
In the United States, there’s the Health Information Privacy and Accountability Act (HIPAA). In the UK and Japan, there’s the General Data Protection Regulation (GDPR). Specifically in California, there’s the California Consumer Privacy Act (CCPA). The list goes on and on. Wherever you do business, proper IAM protocols can decrease risk exposure in a number of ways.
How IAM Tools Reduce Regulatory Risk Exposure
There are a number of benefits of using iPaas systems like DreamFactory to manage your IAM tools. Many of those benefits directly help mitigate risk associated with regulatory burdens. Whether your goal is to reduce time and money spent on standard overhead expenses or to reduce the probability of a data breach resulting in a negligence suit, IAM tools can help you do just that.
Let’s take the laws mentioned above (HIPAA, GDPR, and CCPA). If you run or ever hope to run an international business, odds are you’ll be working in markets governed by those regulations. Each of these laws requires that you adhere to a minimum set of standards regarding data controls, user authentications, and privacy protections.
Since IAM tools are designed to perform exactly those three functions and then some, they are a great option for reducing administrative overhead.
How DreamFactory Automates Regulatory Compliance
Through the use of advanced API logs, data mining, and compatibility with cutting edge authentication protocols like OpenID Connect and Active Directory, you can better safeguard customer data. With software like DreamFactory, you can even automate these safeguards to improve regulatory compliance efforts while spending less time manually navigating your application’s script.
When working within the popular REST development framework, for example, DreamFactory provides a suite of IAM tools that solves a number of key problems that big businesses often find themselves facing. Namely, scalability, portability, and other backend issues that can arise when thousands of mobile applications create a tangled web of REST APIs.
This tangled web would not only interfere with further development and server migration. It could also create an easy way in for hackers and data thieves in direct violation of several international privacy laws. In order for large businesses to enjoy a high degree of scalability while staving off data breaches and negligence suits, API automation is mission-critical
Benefits and Risks of IAM Tools
IAM tools provide a number of fantastic benefits pertaining to security, scalability, and all-around utility. These benefits can reduce overhead, streamline application development, and more — but there’s a catch! There is always a second side to every lucky coin.
IAM tools are not without their fair share of setbacks, costs, and disadvantages. Relying too heavily on IAM tools can create a tangled mess of security lapses and oversights just the same as having too many REST APIs can clutter backend development. In other words, a well-rounded deployment of IAM protocols into your application involves the use of other software.
This isn’t meant to be all doom and gloom. In fact, IAM tools are some of the most powerful and well-respected tools for securing REST APIs available to developers today. Here are a few examples of the benefits and risks of incorporating identity and access management technology into your networked application.
Benefits
As the spread of COVID-19 has shown, businesses need to plan for every possible scenario, including an increase in work-from-home culture. IAM technologies include protocols that facilitate easy integration of this kind of remote work culture. Working from home means losing the protection of the office’s company firewalls and protections.
IAM helps mobile users and employees in a work-from-home culture maintain key security protections.
- Reduced need for password resets
If you’ve ever worked at a help desk, you know how frequently people need help accessing their systems due to a forgotten password. IAM protocols enable user authentication from anywhere at any time, decentralizing the standard help desk practices. Identity stores like Active Directory and LDAP are great examples of how IAM can solve this problem.
This also means that you can reduce your reliance on forced password resets, which have become an object of controversy for two reasons: forced password resets discourage the development and memorization of complicated passwords and also don’t provide the same protections that they used to.
- Most IAM tools contain self-generated audit trails
The majority of iPaaS systems like DreamFactory do more than just enable authentication and authorization through IAM protocols. They also utilize various datastores that automate audit trails, providing detailed records of who attempted to access which data at what time. Not only can you IAM to reduce the risk that external threats pose, you can also use it to identify social engineering risks before any damage can be done.
Risks
- IAM compatibility can be troublesome
For the most part, developers of IAM tools tend to be big corporations that offer their own platforms (such as Amazon Web Services, which developed AWS Cognito). Without an iPaaS like DreamFactory capable of rendering these tools for use in your application, you may encounter issues with cloud application incompatibility and other common IAM problems.
- Cloud-based IAM doesn’t always “get along” with other management software
Three kinds of management practices come to mind right off the bat: enterprise mobility management (EMM), mobile device management (MDM), and user environment management (UEM). Attempting to run a cloud-based IAM strategy combined with any of these three protocols can result in serious deployment complications.
Identity and Access Management (IAM) Framework
It’s important to note that identity and access management is a framework, not a kind of software. Of course, there are plenty of “identity and access management software” that exist, like DreamFactory, but that phase simply describes a framework that is built into those software. Many kinds of software can provide IAM frameworks, but this is still an important distinction to make.
All in all, there are five parts of any identity and access management framework.
1) Individual Authentication
This is the most basic and arguably the most important aspect of successful identity and access management. Simply put, IAM cannot function properly if it cannot accurately authenticate user requests and provide the intended feedback.
Proper data governance in identity and access management means enabling the system to quickly and correctly identify any and all digital users attempting to access the system. This also means taking the extra step to identify unauthorized users rather than just those users with the proper key, token, etc.
While this may seem obvious, it’s an often overlooked protocol.
2) Role Authentication
The second aspect of any identity and access management framework should involve algorithms for identifying and authenticating user roles. A role can be any number of things but generally comprises the user’s general permissions.
For example, people in an administrative role may have read-write permissions for the most sensitive data your organization has to offer, whereas your lower-level employees might only have read permissions. Those role-based permissions can be further limited to accessing only specific URIs.
Without proper role authentication, it would be impossible to create different standards for different users. In other words, a tech-savvy random could have the same permissions as the director of product development. Hence the importance of role authentication programs.
3) System Addition, Removal, and Update Options
This goes back to what we said about why blockchain hasn’t quite caught on as a standard method of identity and access management technology. In order for IAM practices to be successful, they must be editable. An editable system is a scalable system. Unless your organization never intends to change in size, you’ll want to maximize scalability.
Without the ability to add new users, remove old users, and update security features, user provisioning becomes a virtual impossibility. Instead, you’ll quickly find yourself generating new protocols for every necessary alteration and there are few ways to get called into the head of the engineering department faster than by creating this kind of backend nightmare.
4) Group Identifiers
Group identifiers function much in the same way as individual and role authentications. Essentially, group identifiers offer quick methods for assigning roles and distributing permissions to key personnel.
While it is possible to go through and manually add role identifiers to each person in a group, it is certainly not a time-saving process. Group identifiers are far better options because they allow you to assign a single role to a large number of people in a fraction of the time that it would take you to do so individually.
This feature makes group identification protocols a great option for mitigating scalability issues.
5) Data and System Protections
Needless to say, there is simply no point in having an IAM system if you intend to leave your data and your organization’s system unprotected. After all, why log in if user authentication and authorization levels don’t apply?
As mentioned above, however, there are plenty of laws and regulations that necessitate the importance of identity and profile data storage. Through the use of IAM, particularly when automated through iPaaS technology DreamFactory, regulatory risk is essentially minimized.
Examples of Successful Identity Access Management
Access management is something that most organizations hope to master but few actually have. Although proper access management protocols are critically important for an organization’s longevity, they can be exceptionally difficult to navigate.
The problem is further worsened thanks to the “key man” risk, which arises when too few people understand how to navigate API security protocols. In those cases, the API and its corresponding IAM settings often remain locked away, buried under “do not touch” sticky notes.
That being said, there are a number of great examples of IAM done right. Here are three such examples.
Bastion Account Method: IAM
This method involves the creation of a “bastion account” through which you cross-connect networked accounts. Rather than storing the access codes in that centralized location, you store them in the cross-connected accounts that have no access other than through that bastion.
You can then assign roles to the accounts networked through bastion. This provides you with a convenient method for editing your IAM protocols all in one place while also bolstering overall security by providing an additional layer of defenses.
API Key Rotation: IAM
This is exactly what it sounds like. One of the simpler IAM methods, rotating your API keys enables you to ensure that only trusted users have them and any older keys (which more easily fall into unauthorized hands over time) are thrown away. If using an AWS group, be sure to keep an eye on the cloudtrail for improved security.
Active Directory and Federated Credentials
Active Directory is one of the best API management protocols for authenticating user APIs. Through Active Directory, you can federate SSO credentials to outside sources, enabling quick and easy IAM setup.
Of course, Active Directory is designed to be used solely for Windows applications. In order to use Active Directory for different purposes, you’ll need an iPaaS host like DreamFactory.
DreamFactory and Access Management
DreamFactory is an advanced API management tool, specializing in securing REST APIs through the use of advanced API tools and security algorithms. In order to bypass many of the difficulties that IAM protocols pose to developers, you can use DreamFactory to automate the creation, maintenance, and deployment of REST APIs.
DreamFactory takes identity and access management very seriously. We offer a number of products that identify, authenticate, and authorize users based on the nature of your API and their user data.
DreamFactory also uses universal HTTP connectors to facilitate the easy migration of, for example, legacy servers, significantly improving scalability and reducing backend issues when securing a REST API.
For more information on identity and access management and how you can improve the security of your API, check out our developer blog.
Did you know you can generate a full-featured, documented, and secure REST API in minutes using DreamFactory? Sign up for our free 14 day hosted trial to learn how! Our guided tour will show you how to create an API using an example database provided to you as part of the trial!
Create Your API Now
Terence Bennett, CEO of DreamFactory, has a wealth of experience in government IT systems and Google Cloud. His impressive background includes being a former U.S. Navy Intelligence Officer and a former member of Google’s Red Team. Prior to becoming CEO, he served as COO at DreamFactory Software.