Chapter 2: Defining Identity and Access Management
Now that you have had an overview of the SC-300 Identity and Access Administrator exam and what you need to prepare for the exam, it is important to understand Identity and Access Management (IAM). This chapter will provide the foundational information that the topics of this book will be based on and will provide an understanding of where IAM has changed as cloud technologies have become more prevalent.
In this chapter, we're going to cover the following main topics:
- Understanding IAM
- Learning IAM use cases
- Understanding the scope of IAM
- The evolution of IAM
Understanding IAM
Before discussing the services and solutions that Microsoft has for IAM, it is important to understand the core concepts and why they are important. The concepts of IAM have been around for decades. Any time that you have created a username and a password, you have been engaging in some form of IAM. Let's break down the two components further.
Identity
Identity can be defined simply as who you are. Your identity starts with your username. This is your digital name for a particular site or application. Just as your first and last name identify you outside the digital world, your username identifies you to the website, application, or email tenant to which you are attempting to gain access. Most usernames are an alias of your actual name. It may be your full first and last name, your first initial with your last name, or something entirely random or custom. In many cases, it could also be an email address. Whatever this username is made of, it is what will identify you to the website, application, or email client.
The second part of your identity is generally a way to verify you are who you say you are. We will discuss different methods for this verification within this book, but the traditional manner of verification has been the use of a password. This verification is similar to a driver's license or a passport when asked to verify your age. The process of verifying your identity is also known as the process of authentication.
Access
Access comes after an identity has been verified. After a user has verified their identity, they can then be granted access to the requested resources. What they can view and interact with depends on the level of access, also known as permissions or authorization.
An example of this is having a name badge with your organization that is also used for building access. There may be doors that only certain members of the organization have permission to access with their badges. This is how access to digital services works with the configuration of access within a user's identity. The combination of the user's identity and what they have access to is the foundation of IAM.
The next section will go through some use cases for identity and access.
Learning identity and access use cases
Now that we understand the definitions of identity and access and how they work together, let's explore some examples that will assist in how this takes place.
Shopping websites
If you are reading this book, you most likely purchased it from a shopping website on the internet. It may have been purchased anonymously, without a username and password, but you may have used a site that you have used before that allows you to log in.
The benefit here is that having an identity on this site allows you to search for and save products in a cart. It would also provide you with an account that allows you to view your order history and track orders. Having this identity provides a customized experience when viewing the site that you otherwise would not have. The creators of the site have created the level of access that you have when you sign in with your identity.
Identity and access together provide this experience. The access permissions that are set allow the user to shop, save, and purchase products, but they are not able to see other sensitive information, such as other customer's and sales information, which is only available to users within the organization with access.
Now let's look at the way that identity and access work with an email account.
Personal email accounts
As stated in the previous section, identity is in many cases tied to an email address. An email address starts with the username or alias, and the second part is the domain. In a user's personal email account, this domain is going to be the email provider, such as outlook.com.
When you navigate to outlook.com, you do not have the ability to see your inbox until you sign in. This is accomplished by providing your username, which is the email address, and password. This the identity and access verification that you have the proper credentials to view the email account. Once you have provided this verification, you have the permissions of an email user to customize your inbox, calendar, to-do list, and any other services that are provided. You can also change the settings for the account, but you cannot change any application features or permissions for the account.
Within this account, not only is the username/email address the identity that is used to gain access to the inbox and calendar, this email address is a public identity that you can share with others. This is now the identity that you have for others to communicate with you through email.
The following screenshot shows the process of gaining access to an outlook.com account using a username, or email address, and password. This is how you would sign into Outlook:
Figure 2.1 – Sign into Outlook
This is followed up by inputting your email address, phone number, or username, as shown in the following screenshot:
Figure 2.2 – Enter your identity
Within the Sign in field, note that there is more than one option provided for an identity. As part of the authentication process, enter your password here:
Figure 2.3 – Password to confirm your identity
Once the authentication process is completed, we are then authorized to access our Outlook email inbox and calendar, as shown in the following screenshot:
Figure 2.4 – Outlook inbox menu for email and calendar
Verifying your identity and access provides you with the permissions that the application has given to users of their service and the ability to use it to communicate. Let's now look at how identity and access work within a social media account.
Social media accounts
Social media accounts have their own way of utilizing identity. Unlike email accounts and shopping sites, where you typically use an email address for both your identity and access to the site, as well as your profile identity, social media accounts provide a level of separation between the two. With most social media accounts, you have a unique username, or handle, that is your public-facing identity. In order to verify that you own this identity and your access permissions, you have an email address tied to this username. This allows you to sign in to your social media account using either the username or email address and provide a password to verify your identity.
As part of your permissions to the social media account, you can customize your privacy settings to hide your email address from the public and only use the username to communicate. This is similar to having an unlisted phone number or address. As for access applied to social media accounts, your account allows you to provide the information that you want others to be able to see. In order to make changes to your account, you must utilize the identity and access mechanisms of username or email along with a password to verify who you are.
The screenshots that follow show the login pages for LinkedIn, Twitter, and Facebook. Similar to Outlook, there is more than one option for using a username for each of these social media accounts. These options include an email address, phone number, account username or alias, and even an identity from a different account type. When using a different IAM account to access a separate account, this is called a business-to-consumer (B2C), federated trust relationship. This will be discussed in more depth in Chapter 5, Implementing and Managing External Identities and Guests. The following screenshot is the login page of LinkedIn:
Figure 2.5 – LinkedIn sign-in screen
The next screenshot shows the login page of Twitter:
Figure 2.6 – Twitter sign-in screen
In the following screenshot, you can see what the login page of Facebook looks like:
Figure 2.7 – Facebook sign-in screen
Up to this point in this section, use cases have been provided on how identity and access is used within the way that users access various aspects of technology for personal use that require creating an identity to access. The next use case will explain how identity and access are used in a company setting.
Company applications
As far as the objective topics of the SC-300 exam are concerned, when discussing identity and access, we are usually discussing it in terms of accessing company-provided resources. As you progress in this book, how identity and access work within a company environment will become clear, but we will provide some initial background here.
When you join a company, you provide them with all of your personal identifiable information (PII) as part of the personnel onboarding. This includes information that makes up your identity, such as your name, address, phone number, social security number, driver's license, passport, and others. Many companies require two specific forms of identification to verify your identity as part of this process. Once you have provided verification of your identity to your company, you are given the ability to access company resources. This may be a badge that allows you to scan and open doors within the office building and your assigned digital identity to access your company computer and applications.
In the same manner as a personal email account, your digital identity within the company is an email address made of some variation of your name. Common examples include firstname.lastname, or your first initial with your last name along with the domain of the company, such as [email protected]. This becomes your identity for accessing company resources and your identity that everyone will use to communicate with you internally and externally.
What is important to understand is that depending on your status or level within the company, this identity will provide you with a different level of access to resources than others, who may be within a different department or authority. This is all verified when you use your identity in the morning to log into company resources with your email address and password. This verification allows the company systems to pull the level of access that has been assigned to your account and allows you to work with the required resources necessary to complete your job duties. This is the principle of least privilege, a concept that will be discussed later in this chapter.
The following diagram shows how identity and access to an on-premises application would take place:
Figure 2.8 – Identity and access to on-premises applications
You should now have a better understanding of what is meant in terms of identity and access, and how it is used in various aspects of our digital lives. Now we will begin to build on that foundation to provide further understanding around the area of IAM.
Understanding the scope of IAM
The topics to this point of the chapter have defined identity and access, as well as provided use cases of where identity and access are utilized. In those use cases, the process of identity being verified, and access being granted, is IAM.
Defining IAM
Now that identity and access principles are understood, how do they relate to IAM? IAM is the process by which we assign roles to those users, groups, and resources to determine what permissions they have when they verify their identity. In other words, when a user verifies their identity, they are provided a level of access. IAM is that process of reviewing and providing those access permissions.
This is where the role of identity and access administrator becomes important. It is the role of this group to interact with executives and department supervisors to properly plan, define, assign, and test the roles that are required for every task within the organization and provide them with the proper levels of access necessary to perform their duties. Without proper planning and communication, access permissions could be inadequate for users to complete work requirements, or worse, they may have elevated permissions that allow them to access information that they are not authorized to view.
The overall planning and implementation process will be covered in subsequent chapters, but it is important to understand this scope and the importance of properly planning for the access roles required within the company.
Principle of least privilege
When designing and scoping the company roles for IAM, the principle of least privilege should always be at the forefront of the discussion. This is the concept that any user or resource only has access to the applications, resources, and information that they require to perform their specific duties. Anything above that could be a vulnerability and a potential threat to the company that sensitive information could be leaked to those that should not be allowed to view it.
The purpose of IAM is to ensure that any user, group, or resource has been properly assigned roles and access that adhere to this principle. This should be properly documented by job title with role assignments, and the roles should be reviewed regularly with department owners to verify that the assignments are still accurate and valid. When we discuss creating users and groups in a later chapter, we will discuss options for creating role assignments in a dynamic, auto-assigned manner, and how to automate the review of these roles.
As you continue through this book and when you perform your duties as an identity and access administrator, you must always be thinking about the principle of least privilege. This is the foundation of IAM.
We will close this chapter by discussing where IAM started and how it has evolved with cloud technologies.
The evolution of IAM
Now that you understand more about IAM, how it is used in our daily lives, and the importance of protecting our resources with IAM, it is important to understand how IAM has changed as people and companies have continued to use more applications and resources in the cloud.
This section will discuss the evolution of IAM at a high level. This will provide a better level of understanding in terms of the importance of IAM and how it is changing with the increasingly growing role of cloud technologies within companies and for personal use. Three stages are discussed when talking about IAM: traditional, advanced, and optimal. We will go through each of these in detail.
Traditional
Traditional IAM is how IAM was handled prior to cloud technologies. As a company, all applications and user identities were within a private data center. Users that connected to resources did so through secure virtual private network (VPN) connections into the data center to access resources. Therefore, the focus of the company was to protect the physical building and network perimeter from threats and attacks to protect the applications, data, and identities. All identities were protected within the enclosed private data center, and if bad actors did not gain access through the perimeter, physical or virtual, they were protected.
In this scenario, the company is not utilizing cloud applications within the business, so there is no requirement for single sign-on for on-premises and cloud applications. IAM for applications was provided through an on-premises server, Windows Active Directory in a Microsoft environment, that managed user and group access through Group Policy to avoid elevated access. Since IAM was under the full control of the company, usernames and passwords were generally the only form of verification that was used to gain access to applications and data.
Advanced
With the onset and expansion of cloud technologies, companies started to find that their level of control shifted. The physical and network perimeter was no longer the single entry point to company data and identities. The flexibility of the cloud allowed companies to subscribe to business applications rather than making large investments in server and network hardware. However, due to existing large investments in on-premises hardware and software, there was still a requirement to maintain non-cloud legacy applications. This new company ecosystem created challenges for companies. Usernames and passwords were now being managed in multiple places to support application access. The user experience became more challenging with the need to authenticate to applications differently depending upon whether they were on-premises or in the cloud. New threats emerged, targeting identities through phishing and dictionary attacks to attempt to gain access to critical business data or steal personal information.
To address these challenges, new, more advanced IAM capabilities were required. To bridge the gap between on-premises and cloud authentication, open source protocols were established, such as Security Assertion Markup Language (SAML) and OAuth, to allow for federation to on-premises directory services. The federation of these systems created a single sign-on user experience but also created additional security challenges. No longer were our identities located within a company data center's control; they were also located within these new cloud applications, creating a higher level of risk to compromised or stolen identities. In order to protect the identities of users, additional security requirements are needed, such as mulit-factor authentication for administrators and Conditional Access policies for access to certain applications.
The IAM techniques to federate cloud and on-premises identities provided gated access through conditional policies, and the use of analytics to improve our visibility to potential identity theft are all aspects of advanced forms of IAM and modern authentication.
Optimal
Once a company has begun the journey to federate cloud and on-premises infrastructures in a federated manner with modern authentication, they can look to get to the optimal level of IAM. To perform at the optimal level of IAM, a company must embrace the modern authentication capabilities that are available through Microsoft and other providers. They should review the recommendations that are found through the advanced analytics regarding user and device behavior, security best practices and baselines, and security and compliance levels for the various cloud applications that they are utilizing. From this information, they can justify the requirements and enforce multi-factor authentication for all users, not just administrators, and require dynamic Conditional Access policies based on real-time user behavior and device compliance. As companies move to this optimal level of IAM, password-less authentication becomes more accessible and usable throughout the organization.
Performing at the optimal level of IAM does not happen quickly and easily, especially if the company is utilizing legacy applications and devices with older operating systems. Companies must embrace modern authentication through their app development, and update and upgrade applications and operating systems that do not currently support it.
The following table summarizes the key points in the evolution of IAM:
Table 2.1 – Levels of IAM
These advanced and optimal concepts will be described in detail in later sections of this book. As you continue the journey through this book, it will guide you through the services and solutions that can move an organization to the optimal levels of IAM.
Summary
In this chapter, we covered the foundational understanding of IAM. We defined what identity and access are as they pertain to how you would authenticate to applications and be authorized to view information. In addition, we discussed the evolution of IAM as companies begin to adopt a hybrid infrastructure of on-premises and cloud technologies. This evolution has led to modern authentication solutions that further protect identities and our vulnerabilities from threats. These modern authentication solutions will be the focus of many of the topics as you continue through this book and prepare to take the Identity and Access Administrator exam.
The next chapter will begin to discuss Azure Active Directory and the role that it plays in cloud IAM. We will explore the configuration and setup of Azure Active Directory for IAM roles, custom domains, and tenant settings.