A Visual Introduction to the Components of Identity and Access Management (IAM)


To start, I’d like to give a special thanks to my son, Ellis, for sharing his time and skill to help bring this idea to life. I’m super proud of his creativity and willingness to try to learn novel things.

Let’s begin our journey into using Lego© to explain components of IAM.

Introduction to IAM in FinServ

  1. Core Technologies and Concepts
    1. Single Sign-On (SSO) – VIP Pass
    2. Multi-Factor Authentication – Checkpoints
    3. Role-Based Access Control – Group Management
    4. Privileged Access Management – Gala Managers
    5. Directory Services – Attendee Lists
    6. Identity Governance and Admin – Event Planners and Organizers

Imagine you’re at a grand, exclusive party—let’s call it the Financial Services Gala. The guest list is tight, and the security is top-notch. Every attendee (or in our world, user) has a unique invitation (identity) that grants them access to certain areas of the [totally not haunted] mansion (networks and systems). This is the essence of Identity and Access Management (IAM) in the financial services sector, acting as the Roadhouse bouncer who knows exactly who gets in, where they’re allowed, and what they can do inside.

“IAM is the foundational layer of defense that ensures only authenticated and authorized users can access specific resources within an organization’s assets.”

This article, 2024

Beyond the cybersecurity angle, there are at least a few regulatory requirements that financial services must navigate—think of it as a list of rules for throwing your gala without upsetting the city council. Regulations such as the General Data Protection Regulation (GDPR) in the EU, the Sarbanes-Oxley Act (SOX) in the U.S., and the Payment Card Industry Data Security Standard (PCI DSS) globally demand stringent controls over who has access to financial data and how it is managed. IAM plays a pivotal role in ensuring compliance with these regulations by providing a transparent, auditable system for managing user access to sensitive information.

Core Technologies and Concepts

To extend the analogy further, there are a few components that will support the Gala (and the bouncer) to ensure security and clear auditability.

  1. Single Sign-On: The VIP pass that the bouncer (IAM) will reference to get into the party.
  2. Multi-Factor Authentication: Additional security checkpoints for the more sensitive areas of the Gala.
  3. Role-Based Access Control: VIPs might have different groups, and others beyond VIPs attend the gala, e.g. staff, performers, and catering. RBAC helps bouncers know what certain roles can do within the mansion.
  4. Privileged Access Management (PAM): Even the highest-level VIP won’t have access to the Security Office or the A/V booth. That’s reserved for the managers of the Gala. PAM ensures that only the most privileged folks get to interact with the most critical infrastructure.
  5. Directory Services: Bouncers need to look up attendees and their access rights often and rapidly. These are the attendee lists.
  6. Identity Governance and Admin (IGA): Attendees need to get onto the right Directory Services lists in real time. IGA tools are the event planners and organizers throwing the party.

Single Sign-On (SSO) – VIP Pass

Imagine each guest at this gala, before entering, is handed a single, all-access VIP pass. This pass allows them entry to any room within the gala they are authorized to visit—be it the main hall, the dining area, or a private meeting room—without the need to prove their identity at the door of each room. The SSO simplifies their experience, letting them enjoy the gala without the hassle of managing multiple passes, much like SSO technology allows users to access multiple applications with a single set of credentials.

Bouncer (IAM) checks for VIP (SSO) tickets from attendees (users) | src: Ellis Baldwin, 2024

Common SSO Tools for FinServs

Several SSO tools are well-regarded in the financial services industry. Some of the notable ones include:

  • Okta: Highly popular for its comprehensive security features and extensive integration capabilities.
  • Microsoft Azure Active Directory (Azure AD): Offers seamless integration for organizations that rely heavily on Microsoft products.
  • OneLogin: Known for its user-friendly interface and robust security measures.
  • Ping Identity: Offers flexible and scalable solutions, particularly for larger enterprises with complex needs.

Multi-Factor Authentication – Checkpoints

Multi-Factor Authentication (MFA) acts like an additional security checkpoint at our gala event. Imagine if, upon entering the gala with their VIP pass (SSO), each guest also needed to confirm their identity through another means—maybe a fingerprint check, a retinal scan, or a special code sent to their smartphone. This extra step ensures that even if someone were to get their hands on a VIP pass, they couldn’t masquerade as an invited guest without passing this additional verification. MFA significantly enhances security by layering multiple authentication methods, making unauthorized access much more challenging.

Checkpoint (MFA) for attendees (Users) that requires more security | src: Ellis Baldwin, 2024

Common MFA Tools for FinServs

Financial services institutions, prioritizing the security of their sensitive data and compliance with regulatory standards, can consider various MFA tools, including:

  • Duo Security: Offers a range of flexible and user-friendly MFA options, including push notifications, SMS, and biometrics.
  • RSA SecurID: A well-established MFA solution known for its robust security features and wide-ranging application integrations.
  • Microsoft Authenticator: Integrates well with Microsoft Azure Active Directory and offers a seamless user experience, especially for organizations heavily invested in the Microsoft ecosystem.
  • Google Authenticator: Provides a simple and efficient time-based one-time password (TOTP) system, widely adopted for its ease of use and integration capabilities.

Role-Based Access Control – Group Management

Role-Based Access Control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within a financial services institution. Imagine a sophisticated gala event where guests have different roles—performers, caterers, VIP guests, event staff, and so on. Each role has specific areas they can access: performers can go backstage, caterers to the kitchen, VIPs to exclusive lounges, and staff to all operational areas. RBAC works similarly by assigning access rights based on roles, ensuring that individuals only have access to the information and resources necessary for their roles, enhancing security and operational efficiency.

Staff, Performers, and Caterers (RBAC Groups) need their own access and authorizations | src: Ellis Baldwin, 2024

Common RBAC Tools for FinServs

Several RBAC tools are well-regarded for their ability to manage complex access requirements in financial services, including:

  • Microsoft Active Directory (AD): Offers robust RBAC features and is particularly useful for organizations already embedded in the Microsoft ecosystem.
  • Okta: Known for its integrated identity management solutions, including comprehensive RBAC capabilities.
  • IBM Security Identity Governance and Intelligence: Provides advanced RBAC features, including role mining and role lifecycle management.
  • SailPoint: Offers identity governance solutions that include powerful RBAC functionalities, suitable for complex enterprise environments.

Privileged Access Management – Security Managers

Privileged Access Management (PAM) is a critical security measure that focuses on monitoring, controlling, and securing access to an organization’s most critical information and resources. Imagine if there were certain areas so exclusive and sensitive that only a handful of high-ranking officials—say, the event organizers and lead security personnel—could enter. These areas might contain the event’s master control systems or confidential VIP guest information. PAM is akin to the rigorous process of ensuring that only these few individuals have the keys to these areas, alongside strict protocols on when and how they can enter these spaces, ensuring maximum security and oversight.
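An added example, not from this post, that puts the RBAC and PAM sections above into Python. The role names, areas, approver rule and expiry are constructed for the gala analogy: standing roles reach ordinary areas, the Security Office and A/V booth are reachable only through a time-bounded grant approved by someone other than the requester, and every decision lands in an audit trail, which is the auditability the regulatory paragraph calls for.

```python
from dataclasses import dataclass

# Constructed role model for the gala: each role maps to the areas it may enter.
ROLE_AREAS = {
    "vip": {"main_hall", "dining", "lounge"},
    "performer": {"main_hall", "backstage"},
    "caterer": {"kitchen", "dining"},
    "staff": {"main_hall", "dining", "kitchen", "backstage"},
}
# Privileged areas are never reachable through a standing role: they need a
# PAM-style grant approved by a second person, and the grant expires on its own.
PRIVILEGED_AREAS = {"security_office", "av_booth"}


@dataclass
class Grant:
    user: str
    area: str
    approver: str
    expires_at: int  # unix seconds


class GalaAccessControl:
    def __init__(self):
        self.user_roles: dict[str, set[str]] = {}
        self.grants: list[Grant] = []
        self.audit_log: list[tuple[int, str, str, str]] = []  # when, who, where, decision

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def grant_privileged(self, user: str, area: str, approver: str,
                         ttl_seconds: int, now: int) -> Grant:
        """Just-in-time elevation: a distinct approver and a bounded lifetime."""
        if area not in PRIVILEGED_AREAS:
            raise ValueError(f"{area} is not a privileged area")
        if approver == user:
            raise PermissionError("privileged access cannot be self-approved")
        grant = Grant(user, area, approver, now + ttl_seconds)
        self.grants.append(grant)
        return grant

    def authorize(self, user: str, area: str, now: int) -> bool:
        """Deny by default; privileged areas ignore roles and need a live grant."""
        if area in PRIVILEGED_AREAS:
            allowed = any(g.user == user and g.area == area and now < g.expires_at
                          for g in self.grants)
        else:
            allowed = any(area in ROLE_AREAS.get(r, ()) for r in self.user_roles.get(user, ()))
        self.audit_log.append((now, user, area, "allow" if allowed else "deny"))
        return allowed
```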

Security Managers (PAM) ensure the most critical access is kept secure | src: Ellis Baldwin, 2024

Common PAM Tools for FinServs

Several PAM solutions stand out for their effectiveness in managing and securing privileged access within financial services, including:

  • CyberArk: Renowned for its comprehensive suite of PAM solutions, CyberArk specializes in securing privileged accounts and sessions across a wide range of environments, from on-premises to cloud and DevOps workflows.
  • BeyondTrust: Offers a robust platform that includes privileged password management, endpoint privilege management, and secure remote access. BeyondTrust’s solutions are designed to prevent data breaches related to compromised privileged credentials.
  • Thycotic: Provides a suite of PAM solutions that focus on secret management, privileged account management, and endpoint privilege management. Thycotic’s tools are known for their usability and deployment flexibility.
  • Arcon: A comprehensive PAM solution that offers a robust framework for monitoring, controlling, and managing privileged access. Arcon is notable for its real-time monitoring and threat analysis capabilities.

Directory Services – Attendee Lists

Directory Services (DS) are a crucial component of Identity and Access Management (IAM) systems, acting as the digital equivalent of a comprehensive phone book for an organization. They store, organize, and provide access to information about the network’s users, computers, and other resources, like a detailed directory that not only lists the gala event attendees but also their roles, table numbers, and specific privileges.

Directory Services facilitate the management of identities, credentials, and permissions in a structured manner, enabling administrators to efficiently control who has access to what within the network. This centralized repository ensures that users can be easily authenticated and authorized, streamlining access management across the organization.

The Guest List (Directory Services) ensures the bouncers know who is who | src: Ellis Baldwin, 2024

Common Directory Services Tools for FinServs

Financial services institutions, with their complex IT infrastructures and stringent regulatory compliance requirements, need robust Directory Services solutions. Some of the most commonly evaluated tools in the industry include:

  • Microsoft Active Directory (AD): Dominates the market as a comprehensive directory service for Windows environments, offering a wide range of identity and access management features.
  • Azure Active Directory: Designed for cloud environments, Azure AD provides directory services, identity governance, and access management across Microsoft’s cloud ecosystem.
  • OpenLDAP: An open-source directory service that is highly customizable and widely used for managing user information in a variety of environments.
  • Apache Directory Server: Another open-source option, offering a full-featured directory service that is compatible with LDAP (Lightweight Directory Access Protocol).
  • JumpCloud: A cloud-based directory service that offers a modern alternative to traditional AD, supporting a variety of devices and operating systems.

Identity Governance and Admin – Event Planners and Organizers

Identity Governance and Administration (IGA) refers to the policies, processes, and technologies used to manage digital identities and their access rights within an organization. Think of IGA as the rules and procedures that govern who can attend the gala, what areas they can access based on their ticket type (identity), and how their access is managed throughout the event to ensure security and compliance. These event planners and organizers have a lot to keep track of.

IGA solutions provide a framework for managing identities and access rights effectively, automating key processes like onboarding, role management, access requests, and certification. They also offer visibility and control over who has access to what, ensuring that access rights are in line with organizational policies and regulatory requirements.

Gala Organizers (IGA) describe how the party will operate, who’s invited, and access strategy | src: Ellis Baldwin, 2024

Common IGA Tools for FinServs

Some of the most highly regarded IGA tools in the industry include:

  • SailPoint IdentityIQ: Offers comprehensive IGA capabilities, including compliance controls, provisioning, and access management. SailPoint is particularly well-suited for complex environments and is known for its strong policy management and reporting features.
  • Saviynt Security Manager: Provides advanced IGA features with a focus on cloud environments and integrates well with existing business applications. It offers risk-based access request and intelligent lifecycle management.
  • IBM Security Identity Governance and Intelligence: Delivers a business-friendly interface and strong analytics capabilities, making it easier for organizations to manage access risks and compliance requirements.
  • Oracle Identity Governance: A robust solution known for its scalability and flexibility, Oracle IGA supports complex IT environments and provides comprehensive identity governance and administration features.
  • Microsoft Azure Active Directory (Azure AD) for Identity Governance: While primarily known for its directory services, Azure AD also offers identity governance capabilities, especially suited for organizations heavily invested in the Microsoft ecosystem.

Wrapping Up

IAM is complicated, but hopefully we made it a little more fun to learn. Again, a special thanks to my son, Ellis, for sharing his time and skill to help bring this idea to life.

This series (probably not this cool) will continue with a high-level overview of Selecting, Implementing, and Evaluating the Best IAM Tool.

Resources

Resource | Description
https://expertinsights.com/insights/top-10-identity-and-access-management-solutions/ | Consistently updated, running list of IAM providers

About Spenser

My Resume: I’m a pragmatic and engaging leader with 16+ years of proven leadership in a gamut of senior roles centered around applied business strategy through approachable communication, P&L connection, and pragmatic innovation.

What I tell myself: There’s more to learn. Let’s get it.


Comments

2 responses to “A Visual Introduction to the Components of Identity and Access Management (IAM)”

  1. Arsenal for Cyber Warriors: Must-Have Security Technologies – Spenser Baldwin

    […] who has access to what is a critical component of cybersecurity. Identity and Access Management (IAM) technologies streamline this process, ensuring that the right individuals access the […]

  2. IAM: Selecting, Implementing, and Evaluating the Best Tool – Spenser Baldwin

    […] back to the continuing series on IAM strategy. Though not as visual (or creative) as the last one, I wanted to capture some high-level thoughts as I’ve been delving deeper into learning about […]