1 Introduction
Businesses, government agencies, and non-profit organizations of all sizes have increasingly complex requirements for managing access to their digital resources. With cybercrime and fraud growing in volume and sophistication, access management has become a front-and-center issue for executives, managers, and users alike.
Access management solutions generally contain a core set of functions including authentication, authorization, identity federation, and Single Sign-On (SSO). Access management is a large subset of Identity and Access Management (IAM), which encompasses identity proofing, provisioning, credential issuance, identity repositories, lifecycle management, governance, entitlements management, access reconciliation, deprovisioning, and audit.
Client-server access management was well established by the turn of the millennium and relied upon fairly static creation and maintenance of users, groups, and roles. Entitlements were coarse-grained permissions contained in Access Control Lists (ACLs). Web access management evolved to meet the different technical requirements of that environment, which largely relied on browser cookies, HTTP headers, and encoded URLs as workarounds for HTTP's lack of built-in session state and user identity. Identity federation arrived in the early 2000s to enable SSO across web domains. Authorization and entitlement management have since been extended to allow more fine-grained, attribute- and policy-based access controls.
Many legacy applications still need to be supported and need to cooperate with enterprise access management systems. For legacy apps that do not work with IAM solutions, a common alternative is to place the application infrastructure behind reverse proxy server(s). In this scenario, the application servers and databases are generally located on isolated VLANs, with a reverse proxy mediating access to the legacy application. The reverse proxies are configured to intercept user requests, interact with authentication and authorization services, and allow or deny access in accordance with enterprise policies.
Each of the areas within broader IAM, and access management specifically, has been componentized and offered "as-a-Service" by vendors. Adherence to the pertinent IAM standards allows interoperability between products and service providers. Some products and services offer discrete functions such as authentication; others serve as Identity Providers (IdPs), addressing identity verification, credential issuance and maintenance, governance and lifecycle, and so on; and yet others offer the full stack of IAM capabilities. Some vendors in the IAM space were early not only to support cloud-based applications but also to create cloud-native identity services, often called Identity-as-a-Service (IDaaS). While current IAM products and IDaaS solutions cover a large percentage of use cases, many organizations still struggle to integrate modern IAM systems with non-standard client-server (legacy) applications.
Beyond the wide range of possible applications, data types, and user identity repositories, managing access is further complicated by the need to let users from outside the home organization into resources that may reside in the organization's own data centers or in various cloud locations. Depending on the use case, employees, contractors, B2B customers, and consumers may all need to be managed. Moreover, these additional users access resources from disparate types of devices, many of which are not under the control of the target enterprise. Device identity, reputation, and health can and should be considered as attributes in access control decisions.
Authentication has been one of the areas within access management that has experienced the most technical advancement. Researchers and vendors have sought to address the inherent weaknesses of password-based authentication and have thus developed many different kinds of authenticators and protocols to increase assurance levels. Biometrics on mobile devices, out-of-band applications, mobile push notifications, and a variety of hardware tokens are noteworthy examples.
Authentication and authorization services, as two key ingredients in access management solutions, are important threads in Identity Fabrics, which are gaining traction in industry today. An Identity Fabric is an architecture composed of disparate data sources and capabilities delivered as discrete services. Identity Fabrics permit organizations to add and upgrade segments of their infrastructure, or contract with service providers, to meet business objectives in a more agile manner. Given the widespread availability and adoption of cloud-hosted services running the gamut from IaaS to PaaS to SaaS, more vendors are packaging their solutions in containers so that they can provide the same types of functions regardless of deployment model. This means that on-premises software ships as images or virtual instances that can be deployed on most common operating systems or IaaS/PaaS platforms, or is made available as microservices via the vendor or MSPs.
Zero Trust Architecture (ZTA) has arisen over the past decade and has become a primary means of addressing access control use cases. ZTA, usually summarized as "Never trust, always verify", is an embodiment of the principle of least privilege, and at its core mandates that every access request be properly authenticated and authorized. Thus, access management is a foundational element of ZTA. Proper access management in service of ZTA means taking into account the requesting user's attributes, authentication context, environmental context, permissions and roles, source device information, and the requested resource's attributes. ZTA assumes that clients may access services from anywhere, rather than relying only on internal network security mechanisms and IAM. In fact, ZTA has become the strategic IT security paradigm for many services and products.
The key requirements most organizations look for in ZTA-enabling access management solutions are:
- Support for multiple authenticator types, such as:
  - Smart cards, USB tokens, and older form factor hardware tokens
  - Mobile apps and push notifications
  - X.509 certificates
  - Biometrics, especially mobile biometrics leveraging native OS capabilities
  - OTP, including HOTP/TOTP and delivery over phone, email, and SMS
- Availability of a mobile SDK so that customers can write their own secure apps
- Adherence to a policy-based access control model so that IT departments and Line of Business application owners can define risk-appropriate access control rules
- Enforcement of configurable actions, including permit, step-up authentication, deny, lock account/device, etc.
- Integration with legacy applications (using proprietary means) and with other IAM systems to allow SSO, usually via cookie support
- Support for identity federation via OAuth2, OIDC, JWT, and SAML
- Integration with SIEM, SOAR, UBA, and other security systems
- Management dashboards and configurable reporting for administrators
- Delegated and role-based administration within the solution
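The decision inputs named in the ZTA paragraph above (user roles, authentication context, environmental context, device identity and health, resource attributes) and the configurable actions in the requirements list, combined into a small policy decision point. This is an added illustration, not code from the report or from any vendor product; the attribute names, the classification of "strong" authenticators, the home-country list and the lockout threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    PERMIT = "permit"
    STEP_UP = "step-up"   # require a stronger authenticator, then re-evaluate
    DENY = "deny"
    LOCK = "lock"         # lock the account/device pending administrator review

@dataclass(frozen=True)
class AccessRequest:
    user_roles: frozenset       # roles/entitlements held by the requesting user
    auth_method: str            # authenticator used: "password", "totp", "smartcard", ...
    failed_logins: int          # recent failures reported by the IdP (assumed attribute)
    device_managed: bool        # device identity is known to the enterprise
    device_healthy: bool        # device posture/health check passed
    source_country: str         # environmental context (assumed geo attribute)
    resource_sensitivity: str   # resource attribute: "low" or "high"
    resource_roles: frozenset   # roles entitled to the requested resource

STRONG_AUTH = {"totp", "smartcard", "push", "biometric"}  # assumed classification
HOME_COUNTRIES = {"US", "CA"}                               # assumed policy value

def decide(req: AccessRequest) -> Action:
    # Most restrictive outcomes are evaluated first; 5 is an assumed lockout threshold.
    if req.failed_logins >= 5:
        return Action.LOCK        # brute-force pattern: lock rather than merely deny
    if not (req.user_roles & req.resource_roles):
        return Action.DENY        # no entitlement, however strong the authentication
    if req.resource_sensitivity == "high" and not (req.device_managed and req.device_healthy):
        return Action.DENY        # sensitive data never goes to an unknown or unhealthy device
    if req.auth_method not in STRONG_AUTH and (
            req.resource_sensitivity == "high" or req.source_country not in HOME_COUNTRIES):
        return Action.STEP_UP     # raise the assurance level instead of refusing outright
    return Action.PERMIT

def demo() -> dict:
    # Constructed sample requests that exercise each configurable action.
    base = dict(user_roles=frozenset({"finance"}), auth_method="password", failed_logins=0,
                device_managed=True, device_healthy=True, source_country="US",
                resource_sensitivity="low", resource_roles=frozenset({"finance"}))
    cases = {
        "routine_access": AccessRequest(**base),
        "payroll_with_password": AccessRequest(**{**base, "resource_sensitivity": "high"}),
        "payroll_from_unmanaged": AccessRequest(**{**base, "resource_sensitivity": "high", "device_managed": False}),
        "abroad_with_smartcard": AccessRequest(**{**base, "source_country": "BR", "auth_method": "smartcard"}),
        "wrong_role": AccessRequest(**{**base, "user_roles": frozenset({"sales"})}),
        "brute_force": AccessRequest(**{**base, "failed_logins": 7}),
    }
    return {name: decide(req).value for name, req in cases.items()}
```

Running `demo()` returns the outcome for each constructed case; note that the same user and password gets "permit" for low-sensitivity data but "step-up" for payroll, and that a smart card satisfies the policy even from an unfamiliar country.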