Seven Reasons to Provision IAM in Your Stack Right Now

Christoph Scholz, IT security: padlock against a crypto background, blue

If nothing else, the coronavirus pandemic is accelerating movement to cloud native infrastructures, as businesses struggle to accommodate a distributed workforce. That makes Identity Access Management (IAM) crucial for the scalability and security of any enterprise. Here’s why.

1. IAM is the best way to address a distributed and contingent workforce.

IAM is the best way to effectively onboard and offload new employees, partners and suppliers in a way that is scalable and systematic. It can set role and service permission policies and automate what was once a time-intensive and error-prone manual onboarding and deprovisioning process.

Now that the first day at a new job means going from your kitchen to your living room, IAM is the best way to onboard any new employee and configure their permissions and access. And, as more and more of the workforce is contingent, project-based, and gig-based, you need systems that let you onboard workers for specific tasks who aren’t necessarily full-time employees.

Managing that resource flow through a classic Human Resource Management System (HRMS) won’t scale well. Managing those identities and permissions through the cloud is the best possible solution, and a variety of HRMS, such as Bamboo, Workday and Namely, provide classic HR functionality from the cloud.

Deprovisioning users is even more important, because access through former employees’ accounts is a major attack vector, especially when those former employees aren’t aware that they still have active accounts. For large enterprises in particular, IAM is really the only way to deprovision employees systematically and securely.

Added bonus: this will solve your problems with shadow IT and BYOD users.

2. IAM makes possible the rapid integration of distributed teams into cloud-based build and testing systems.

Modern agile development requires credentialing and authentication of users, endpoints, services and servers, fully integrated into a continuous development pipeline. Now that attackers have identified exposed integration and staging environments as attack vectors, managing authentication across all those environments, key vaults and handshakes is time-intensive and challenging. IAM greatly simplifies this process and makes it subject to automated testing and monitoring; because these systems are multi-tenant and highly available, they also help offset downtime in your deployments. IAM also makes it possible to provision your infrastructure as code, a growing DevOps practice that enhances the speed, consistency and resilience of your deployments.

3. IAM reduces the danger of malicious or accidental damage to your applications and products.

This is especially needed right now. Researchers at Palo Alto Networks estimate there were over 40,000 high-risk websites and domains registered in the first three months of the year; February and March alone saw 569% growth in these malicious pages, many of them landing pages for phishing sites, most of them coronavirus- or unemployment-related. Hackers have only increased their pandemic-related activity, with some of them trying to take advantage of the scramble for medical supplies. Even well-informed employees can be phished, so IAM configured to the principle of least privilege, which limits access by role and responsibility, can at least mitigate a successful exploit tied to a compromised employee identity. Most cloud-based IAM systems also have forensic and auditing tools that let you trace the consequences of a breach through your system.

4. IAM is the foundation for secure interactions among the Internet of Things.

A key component of older on-premises authentication systems is the notion of a perimeter, at one time a technical construct that paralleled a physical reality. But with the Internet of Things, the perimeter has exploded, offering an unprecedented attack surface. Statista estimates there will be 75 billion connected devices by 2025. The scale here is so radically different from regular application development that it’s virtually impossible for an older on-prem authentication service to effectively manage the interactions IoT requires. But cloud-based IAM is far more scalable and flexible, supports a Public Key Infrastructure (PKI) security architecture and blockchain, and ensures that human management and oversight of the system is optimized and effective. IAM also has the advantage of seeing the entirety of IoT requests against a corporate system, so you can identify the devices and groups of requests that place the greatest demands on your corporate systems.

5. IAM is the best way to secure web apps, native apps and a cloud-based infrastructure.

IAM provides an effective Single Sign-On (SSO) solution and can manage the sign-on process and all the password management that comes with it, which is especially important in a world where password and credential stuffing are an increasingly common attack vector. IAM allows you to automate password rotation and demand compliance from users, helping to ensure the safety and integrity of your stack, and it usually integrates seamlessly with federated authentication from Google or Facebook. IAM can manage access keys and rotate them effectively for all your mobile devices. And IAM is built to scale to new multifactor authentication methods, and to use the multifactor authentication features of smartphones and other devices.

6. IAM is the best technical foundation for complying with GDPR, CCPA, and other data protection regulations.

Increasingly, it’s not just employees and developers who need role-based access to your system; your customers do, too. In 2016 the EU passed the General Data Protection Regulations (GDPR), and in 2020 California enacted the California Consumer Protection Act (CCPA). Both are designed to give consumers access to and control over their own data. Both acts potentially require companies to return data to consumers or delete it on request, and consumers can request that some data be deleted while other data is retained. Additionally, many specialized statutory regulations, such as Sarbanes-Oxley or HIPAA, cover both employees and customers and also require different levels of privacy for users. So now companies have to track consumer identities and their uses the same way they track employees’, and IAM is well suited for this purpose.

7. IAM is the best technical foundation from which to build out better security monitoring, including ML based security auditing.

Many organizations are building out their security infrastructure with the help of cloud-based Machine Learning and Artificial Intelligence, such as Azure ML, Google Cloud AI or Amazon SageMaker. These systems promise to provide access analysis and automate both risk assessment and response, but they are notoriously difficult to integrate into continuous development pipelines and are often difficult to scale effectively. Cloud-based IAM can eliminate some of this complexity, especially in CI/CD, and can be a useful instrument in scaling the manageability of these systems.


If you’re a cloud-based startup, you’ve probably already introduced IAM to your stack, because it generally comes with the terrain. But if you’re an older enterprise with an on-premises system, you are probably struggling with cloud authentication, a distributed workforce, and a multidevice world, and wondering what the best way to start towards cloud-based IAM is. You’ll want to start by ensuring that your IT staff are up to speed on cloud IAM, which is deployed and configured quite differently from on-premises systems; you don’t want to start without that expertise in place. You might begin by using IAM for any cloud-based project you greenlight, or you could use IAM for your new hires and your contingent and distributed staff, while you keep your on-prem or other enterprise-based auth system for your FTEs and legacy products. Many cloud-based systems also support federated identity that works with your existing identity systems, such as Active Directory. That is a good half-step forward, but in itself it introduces some administrative and technical complexity that will be challenging; it might be your best choice if you have a deep legacy system with business-critical information. But your best bet is to move as quickly as possible to cloud-based IAM, make it easy on yourself, and set your organization up for a future where a distributed workforce, IoT, ML/AI and an expanded threat landscape are ubiquitous.

Written by

Vic Bondi is a Business Technologist. He has worked in technical leadership roles at small, medium and large companies for the last 20 years.
