了解IAM如何在用户和本地或基于云的服务器之间有效地实现安全层, applications, and data.
Rapid7 Cloud Risk Complete身份和访问管理(IAM)为公司提供了用于控制用户访问其技术基础设施的工具. IAM有效地实现了用户与本地或云服务器之间的安全层, applications, and data. 每个用户根据其特定角色接收一组单独的权限. 为每个用户存储一个数字身份仍然是IAM管理的一个重要目标.
Depending on the nature of the company’s business, IAM platform provides either customer identity management (CIAM), employee identity management, or both. In some scenarios, 身份管理系统还为应用程序提供数字身份, cloud-based services, or microservices. IAM解决方案的最终目标是提供对特定身份的数字资产的访问, under specific contexts.
Obviously, 防止未经授权访问公司的技术基础设施, including applications and data, remains critical. This is especially the case in a modern technology world, where cyberattacks and data privacy breaches are in the news on a regular basis.
电子商务的发展加剧了网络犯罪的问题 ransomware continues to impact private and public organizations worldwide.
In basic terms, 任何遭受客户数据泄露的公司都会对其声誉造成重大打击. In a competitive business world, 这意味着消费者将把他们的业务转移到其他地方.
However, organizations in some business sectors, like banking, finance, and insurance, 当他们的技术基础设施遭到黑客攻击时,还必须处理法规和遵从性问题吗. In this environment, robust cloud security is essential. So, what is IAM?
Simply put, IAM旨在让正确的人(您的员工)进入,并将错误的人(威胁参与者)拒之门外。. 云中的每个服务和资产都有自己的身份,这些身份带有多层权限, IAM通过围绕以下方面构建的自动监控和修复来保护身份边界:
Least privileged access (LPA) is a key component of the IAM cloud lifecycle approach. 它设置了人或机器完成工作所需的最小访问量. 利用LPA的解决方案通常会根据用户的角色使用自动化来收紧或放松权限.
任何健壮的IAM平台都提供了一套技术和工具,旨在管理对公司技术资产的访问. This basic functionality includes:
These functionalities may seem like “the basics,但是管理它们的实现和维护方式很快就会变得复杂. 包含上述内容的解决方案可确保通过基于身份的策略进行正确访问, resource-based policies, permission boundaries, service-control policies, and session policies.
Over time, governance of these functionalities will change, as IAM boundaries evolve and security becomes ever tighter. 最后,IAM是任何组织战略SecOps方法的重要组成部分.
Depending on the needs of the company, 一些供应商为本地环境和基于云的环境提供单独的IAM解决方案. 此外,还存在其他IAM技术来满足某些身份管理场景.
For example, API security 为访问技术基础设施的移动和物联网设备提供单点登录功能. 这种方法对于B2B用例以及云和微服务集成都是有意义的.
As mentioned earlier, CIAM支持访问公司ERP的客户的身份管理, CRM, and other similar systems. 已经采用基于云的基础设施的公司需要考虑身份即服务(IDaaS)来满足他们的IAM需求.
Finally, Identity Management and Governance (IMG) supports companies with significant regulatory and compliance needs. 该技术利用自动化方法来识别生命周期治理. Additionally, 基于风险的身份验证(RBA)分析用户的身份和上下文以确定风险评分. 然后,系统需要高风险的请求使用双因素身份验证来获得访问权限.
Successful businesses don’t thrive in a vacuum. Instead, they rely on fostering relationships with customers, clients, vendors, and their own employees. Doing so requires providing access to internal technical systems, either on-premises, in the cloud, or a mix of both. IAM makes this access possible in a secure fashion.
As organizations continue to embrace mobile and IoT, driven by the growth in 5G networking, a robust IAM solution is necessary to support this extended access. 无论用户身在何处,身份访问管理都可确保安全性和合规性, or whether that user is a person, device, or microservice.
最终,实现IAM平台可以帮助公司的技术团队更有效地工作.
Naturally, 对许多企业来说,实现身份管理平台仍然是一个具有挑战性的过程, as its presence affects a company’s entire security stack. Because of this, 在采用新的IAM解决方案时,网络管理员需要意识到各种风险.
其中一个挑战是新员工、承包商、应用程序或服务的入职. 重要的是,负责任的经理或人力资源人员有权提供这种初始访问权限. 当出于任何原因需要修改访问时,也适用类似的概念. Properly delegating this authority is essential.
Note that newer IAM products leverage automation for this purpose, which also helps immeasurably when reducing or removing access rights. It’s an important regulatory compliance issue as well. Dormant accounts with network access are critical security holes that must be patched as soon as possible.
在授予访问权之后监控信任关系是实现IAM平台时的另一个重要挑战. Analyzing baseline user behavior helps in this regard; it makes it easier to detect when usage anomalies happen.
任何IAM解决方案还必须与组织使用的单点登录(SSO)方法紧密集成. SSO平台必须方便地提供对公司整个应用程序套件的安全访问, including those hosted on-premises or with a cloud provider.
Finally, 所选择的身份管理流程必须与多个云提供商无缝协调. 多云基础架构为身份和访问管理带来了最大的挑战, as each cloud provider likely brings their own security approach. 成功集成支持多云环境的IAM解决方案有助于防止任何重大安全风险.
Learn about Rapid7's InsightCloudSec product
Identity and Access Management (IAM): Latest News from the Blog