Choosing the Right Identity Access Management Solution for Your Business
Understanding the IAM ecosystem, a modern IAM system's key features, and the most common solutions is crucial for choosing the right one for your business.

Our previous article on Identity Access Management (IAM) introduced IAM in general, zero-trust security principles, and the implications of modern regulatory compliance frameworks, such as the Cyber Resilience Act and the Digital Resilience Act.
Now, we will dive deeper into the specific features, solutions, and technologies related to Identity and Access Management. This expanded discussion explores the main aspects of IAM, focusing on authentication and the most widely used technologies in the ecosystem.
Core Identity and Access Management Features
Modern Authentication
IAM solutions are shaping how authentication methods are used. Take the fundamental change towards passwordless authentication and its rising traction as an example.
One of the more notable improvements is the move to the FIDO/WebAuthn standards. Authentication based on the FIDO2 standard (from the FIDO Alliance) uses WebAuthn and CTAP to remove shared secrets between clients and servers. Using public key cryptography, WebAuthn keeps private keys on the user's device, and each signed assertion is bound to the origin that requested it, which makes authentication phishing-resistant and prevents replay across domains. Over 4 billion devices now support FIDO2 authentication; the standard covers both platform (built into the device) and roaming (external hardware key) authenticators.
FIDO2 authentication, along with biometric authentication and platform-based security, are now the building blocks for next-gen enterprise authentication.
Authentication flows are also moving to multi-factor, using public key cryptography through FIDO2/WebAuthn, with biometrics or passkeys tied to secure hardware elements such as a TPM or Secure Enclave.
Next-gen enterprise authentication is already adopting biometric authentication paired with device platform security. Emerging modalities such as voice recognition, retinal scanning and palm vein scanning offer further passwordless alternatives, though they are not yet as refined and established as fingerprint and facial recognition.
Facial Recognition
Current facial recognition technology uses 3D depth mapping and infrared imaging to generate distinctive biometric templates. For enterprises, this means coping with varying lighting conditions, handling masked faces, and preserving privacy through on-device processing.
Advanced Fingerprint Sensors
Enterprise fingerprint authentication uses various sensor technologies, including capacitive sensors (measuring the skin's electrical conductivity), optical sensors (high-resolution imaging and pattern matching), and ultrasonic sensors (building 3D maps from sound waves).
Behavioral Biometrics and Continuous Authentication
Behavioural biometrics analyse typing rhythm, mouse movements, and touch interaction to build unique user profiles. Continuous authentication via keystroke dynamics yields good results by analysing key press duration and inter-keystroke intervals. It is not yet mature enough to be adopted as a standard, but the technology is progressing steadily.
Mobile behavioural biometrics work with touch pressure, swipe velocity, and device orientation patterns, enabling background authentication during an active session or preservation of that session. Machine learning can help here, not only to recognise patterns in touch and swipe behaviour but also to open new possibilities such as medical measurements and analysis, behavioural analysis for stress detection, and more.
Implementation challenges
Organisations may face device compatibility issues across multi-purpose endpoints, complex user enrolment for backup authentication methods, and costly integration with legacy applications. Combined with the operational complexity of running hybrid password and passwordless environments, this slows the move to a modern solution and often derails it.
The leap from passwords to passwordless appears to be complicated by both the fear of removing passwords entirely and the lack of a good enough replacement.
Single Sign-On (SSO)
SSO has also evolved over time, extending beyond SAML federation to complex, multi-protocol scenarios that support modern application architectures. The multi-protocol landscape consists of:
SAML 2.0 for enterprise application federation
OpenID Connect for modern web apps
OAuth 2.0 for API authorisation
WS-Federation for Microsoft-compatible environments
The architecture relies on trust relationships between an Identity Provider (IdP) and Service Providers (SPs), enabling seamless authentication across applications.
A sound SSO deployment depends on careful session management policies, encrypted SAML assertions for sensitive data, and multi-factor authentication as a prerequisite. Certificate lifecycle management is another essential implementation pattern.
Implementation challenges
In our experience, the most common implementation failures are insufficient session controls, inadequate logout implementation, poor or missing error handling, and weak certificate validation.
Role-Based (RBAC) and Attribute-Based Access Control (ABAC)
Together, RBAC and ABAC represent an evolution toward dynamic, context-aware access and a step up in sophistication for enterprise security enforcement.
Traditionally, RBAC relies on a role hierarchy with permissions and least-privilege enforcement. It is one of the easier models to implement, thanks to its simplicity, straightforward structure, and support for separation-of-duties requirements.
ABAC takes a different approach, with policy-based access decisions that enable context-aware access control. The ABAC architecture includes Policy Decision Points (PDP), Policy Information Points (PIP), and Policy Enforcement Points (PEP), all working together to evaluate access requests against defined rules.
Implementation challenges
Ease of implementation does not mean an out-of-the-box setup. For RBAC, policy management with permission boundaries can complicate integration. For ABAC, the number of custom roles combined with conditional access can slow down implementation and testing.
Identity Lifecycle Management
One of the most important leaps in IAM programmes is the transformation from manual processes to automated, policy-driven workflows.
Modern ILM consists of:
onboarding with identity creation and initial provisioning
ongoing provisioning with access rights assignment based on roles
maintenance with continuous access
deprovisioning and account deactivation
It's worth noting that SCIM (System for Cross-domain Identity Management) 2.0 provides a standardised provisioning protocol, while HR-driven provisioning automates the user lifecycle based on employment status. At this stage, workflow automation engines orchestrate the usually complex approval processes. SCIM also lends itself to API-based integration for maintaining provisioning scenarios.
Privileged Access Management (PAM)
Compromised privileged accounts are one of the primary attack vectors, and the recent shift toward zero standing privilege and just-in-time access marks the evolution away from traditional account management.
PAM architecture:
privileged account discovery through automated scanning
credential vaulting and secure storage
session management with recording and monitoring
just-in-time access with temporary privilege elevation
The architecture follows a vault-centric model.
API Security for Modern Architecture
API security has become a top priority for enterprises. The convergence of OAuth 2.0, rate limiting, and threat protection represents the minimum baseline for a secure API ecosystem. As APIs are a heavily targeted attack vector, this baseline is best paired with a defence-in-depth or zero-trust approach.
Combining OAuth 2.0 with scope-based authorisation, while addressing the OWASP API Security Top 10 vulnerabilities, the architecture flows from client requests through API gateways that perform identity verification, authorisation and, in many cases, rate limiting before the request reaches the API backends.
Understanding Different IAM Solutions
Microsoft Entra ID (Azure AD)
Rebranded from Azure AD, Microsoft Entra ID operates as a cloud-native, multi-tenant identity platform. With a distributed architecture, the platform supports more than 200 cloud services and thousands of SaaS applications, and is compatible with the main protocols: SAML, OAuth 2.0, OpenID Connect, and SCIM. As a Microsoft product, it naturally offers deep integration with the Microsoft ecosystem (M365, Azure, MS Teams).
Differentiators
AI-powered, risk-based conditional access is one of the main differentiators from other vendors. Identity protection draws directly on Microsoft's threat intelligence tools and networks. Security Copilot integration for identity analysis is also worth noting.
Integration complexity
Automation is available through the Microsoft Graph API, along with PowerShell and CLI tooling. Documentation and community support are extensive, although integrating diverse, non-Microsoft technology stacks can increase complexity.
AWS IAM Ecosystem
This ecosystem is formed from three primary components:
AWS IAM for policy-based access control
Amazon Cognito, designed for scalable customer identity pools
IAM Identity Center, for centralised access management
The ecosystem uses a serverless, pay-per-use scaling model and native integration across AWS services.
Differentiators
Policy management that makes permissions easy to define, all protected with CloudTrail integration (advanced threat detection). The ecosystem takes an API-first approach that suits infrastructure-as-code implementations.
Integration complexity
Its SDKs support multiple programming languages, with CloudFormation and Terraform providing infrastructure-as-code support. REST APIs and CLI tools enable complete automation and integration. Scripting and wiring the services together can raise the complexity bar.
Google Cloud Identity
This cloud-first platform is built on Google's global infrastructure and excels in mobile device management and organisational unit administration. Like the previous vendors, GCI offers seamless integration with its respective ecosystem, specifically Google Workspace and Google Cloud Platform.
Differentiators
Strong mobile and device management features
AI-powered security insights
Integration complexity
The Google Admin SDK and Directory API are the main tools for programmatic management. Workforce Identity Federation is the reference point for IdP integration. While ample documentation is available, its quality is limited compared to enterprise alternatives; the setup is nonetheless mostly straightforward for Google-centric environments.
Other notable mentions
Okta Identity Platform
Ping Identity
CyberArk Privileged Access Management
SailPoint Identity Governance
Assessing your Identity Access Management needs
Vendor Selection Criteria
Strategic Considerations
Assess solutions against business alignment, integration needs, scalability, compliance, and risk tolerance.
Operational Factors
Factor in implementation complexity (time, resources, expertise), total cost (licensing, implementation, maintenance, training), vendor relationship (support, roadmap), user experience (adoption, productivity), and ongoing maintenance.
Implementation Priority
Phase 1 Foundation (0-6 months)
For optimal user experience and security, organisations must prioritise single sign-on, implement multi-factor authentication, and establish a fundamental role-based access control (RBAC) framework.
Phase 2 Enhancement (6-12 months)
Improve operational efficiency with identity lifecycle management, enable digital transformation through API security, and protect against advanced threats with privileged access management.
Phase 3 Advanced (12+ months)
Deploy identity federation for partner and customer access, introduce passwordless authentication for a next-generation user interface, and implement Attribute-Based Access Control (ABAC) for precise authorisation.
The IAM landscape
The enterprise IAM ecosystem is heading toward platform consolidation. AI/ML integration and zero-trust architectures are the necessary next steps toward both security and accuracy in authentication and authorisation mechanisms.
Our strong tech teams are ready to help you ensure your organisation implements a safe and efficient Identity Access Management solution. Let's get in touch and talk about the right solution for your business.