What is Identity and Access Management (IAM)?

Identity and access management (IAM) is today the foundation of cybersecurity for every enterprise. Previously, all applications were hosted in a company's data center, and every user who accessed those applications was on the network. To keep its data secure, it was enough to inspect all traffic trying to enter the network and all traffic trying to leave it. In that paradigm, firewalls did an excellent job.

Today, that world, which relied on creating a secure perimeter around the network, is long gone. While most organizations retain some applications in the data center, the majority are now hosted in public and private clouds and accessed over the internet. And employees who were once tethered to the network are now working from anywhere using a variety of managed and unmanaged devices.

Instead of merely securing the network and the data center, cybersecurity must now focus on protecting every connection between users, devices, applications, and resources. The technology that provides this security verifies the identity of a user or device attempting to gain access, then applies controls to ensure that the access is authorized. Identity and access management (IAM) technologies identify, authenticate, and authorize users, and block unauthorized users. This approach to security moves away from outdated frameworks and better matches today's world, in which a user may connect from anywhere. We call this new framework the "identity perimeter".

Identity has grown in importance since COVID pushed physical boundaries into the background.

– Andras Cser, Vice President and IAM Analyst, Forrester Research

Workforce Identity vs. Customer Identity

The scenario described above largely describes workforce identity, whereby companies provide their employees and partners with secure access to applications. But there is a much larger demand for identity solutions that protect customers who are increasingly living their lives online. The rise in online activity has created the need for customer identity and access management (CIAM) solutions to protect consumers as they access online banking, e-commerce sites, government services, tele-health services, and much more.

Why Digital Identity is so Important

Everyone and everything that connects to the internet has an identity. In IAM terms, these may include employees, partners, contractors, customers, suppliers, computers, servers, smartphones, IoT devices, applications/workloads, and APIs. Each of these entities has an identity that must be confirmed and its permissions must be assessed before access to any resources can be granted. It's not unusual for an enterprise to have many millions of identities connecting to its resources.

The task of confirming identities and managing their access permissions is best performed by a complete IAM platform. It must be fast and scalable so that it can make intelligent access decisions quickly and efficiently without affecting performance, even during periods of heavy traffic.

What should an IAM solution offer?

Single Sign-On (SSO) – SSO allows users to log in once to gain access to all their applications and services, whether they're in the cloud or the data center. It prevents the frustration of repeated logins, which harms productivity in the enterprise and causes customer drop-off for e-commerce sites.

Multifactor Authentication (MFA) – MFA improves security by requiring an added credential, such as a fingerprint (biometric), acceptance of a push notification via an authenticator app, or a one-time password (OTP) delivered via text message or email. With MFA, even an attacker who holds valid login credentials will not succeed in gaining access to the targeted resources.

Authorization – Authorization is used to determine the [authenticated] user's approved level of access. In the enterprise, entities are granted certain privileges related to what may be accessed, based on their roles, and such access may be extremely granular. For example, an accountant may have extensive privileges within most financial applications, but not those related to compensation.

How IAM Prevents Threats

According to the U.S. Census Bureau, retail e-commerce alone grew 18.3% in 2021, even after the massive, pandemic-fueled growth of 31.8% in 2020. The increase in online activity has proven to be lucrative for attackers, who are using previously stolen credentials to execute new, more wide-ranging attacks. In fact, the latest ForgeRock Identity Breach Report showed that unauthorized access was the leading cause of breaches for the fifth consecutive year, accounting for half of all breaches.

Questionable yet common practices, like simple passwords and password reuse, enable bad actors to gain access to valuable data, such as birth dates and Social Security numbers. Attackers can steal this data and sell it on the black market, or they can use the data to carry out fraudulent activities, such as account takeover (ATO), which increased 307 percent from 2019 to 2020. In a successful ATO, an attacker can move money, open other accounts, and create financial havoc for the customer and the institution.

Organizations can reduce the likelihood and cost of breaches by using an IAM solution infused with artificial intelligence (AI) and machine learning (ML) to quickly identify and contain attempts at unauthorized access. Such solutions also ensure that the right access roles, entitlements, and policies are in place within your organization to protect against overprovisioned access.

AI specializing in risk decisioning can…prevent attempts to gain unauthorized access by incorporating multiple contextual signals into the decision process, such as login location, IP network reputation, and the distance between login attempts and registered MFA devices.


– ForgeRock Identity Breach Report 2023
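An added example, not ForgeRock's code, that puts the two decisions described on this page into Python: the role-based authorization from the "What should an IAM solution offer?" section, where the accountant's entitlements cover the finance apps but not compensation, followed by a risk score built from the contextual signals the report quote lists (IP network reputation and the distance between the login and the registered MFA device) that selects allow, step-up MFA, or deny. The role policy, IP reputation prefix, geo points, score weights and thresholds are all constructed for the example.

```python
import fnmatch
import math
from dataclasses import dataclass

# Constructed role entitlements (not ForgeRock's format): allow/deny globs, deny wins.
ROLE_POLICY = {
    "accountant": {"allow": ["finance/*"], "deny": ["finance/compensation"]},
}
# Constructed IP reputation feed; TEST-NET-2 prefix used as a placeholder.
BAD_IP_PREFIXES = ("198.51.100.",)

@dataclass
class LoginContext:
    role: str
    resource: str
    ip: str
    login_geo: tuple       # (lat, lon) of the login attempt
    mfa_device_geo: tuple  # (lat, lon) last reported by the registered MFA device

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def is_entitled(role, resource):
    """Role-based check: a matching deny pattern overrides any allow."""
    policy = ROLE_POLICY.get(role, {"allow": [], "deny": []})
    if any(fnmatch.fnmatch(resource, p) for p in policy["deny"]):
        return False
    return any(fnmatch.fnmatch(resource, p) for p in policy["allow"])

def risk_score(ctx):
    """Combine contextual signals into a 0-100 score (weights are assumed)."""
    score = 50 if ctx.ip.startswith(BAD_IP_PREFIXES) else 0  # IP reputation
    km = distance_km(ctx.login_geo, ctx.mfa_device_geo)
    if km > 500:
        score += 30   # login far from the registered MFA device
    if km > 5000:
        score += 20   # implausible distance for a legitimate user
    return score

def decide(ctx):
    """Return 'deny', 'step-up' (require MFA) or 'allow'."""
    if not is_entitled(ctx.role, ctx.resource):
        return "deny"  # authorization fails regardless of risk
    score = risk_score(ctx)
    return "deny" if score >= 70 else "step-up" if score >= 30 else "allow"
```

A real deployment would feed these signals from a geo-IP service, a threat-intelligence feed and the device registry, and tune the weights on observed fraud rather than the fixed values assumed here.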

How IAM Enhances the User Experience

Whether you're talking about IAM in the enterprise or CIAM for providers of consumer services, user experience is a top priority.

In the enterprise, it's important to connect users, especially employees, to their resources as quickly as possible to keep workflows moving and productivity high. In the consumer marketplace, the stakes are even higher. A company's registration or login page is the "front door" to its business. If a consumer has a bad experience upon entering the "store," the company has a very high chance of losing that customer. In the financial services sector, for example, 40% of consumers abandon their registrations when opening a new bank account for reasons that include an overly lengthy process, time-consuming authentication, and difficulty filling out forms.[1]

An intelligent IAM system also reduces helpdesk calls. A 2022 Total Economic Impact study by Forrester Consulting on behalf of ForgeRock showed that CIAM could reduce security-related calls to the help center by 40%, resulting in a cost savings of $24 million.

IAM's Role in Compliance

All organizations are subject to regulatory audits, and they must demonstrate compliance and repeatable results. That's why many companies are turning to IAM solutions based on a Zero Trust model, which removes all implicit trust and grants access to resources based on the continuous evaluation of user identity, device posture, and fine-grained access policies defined by the organization. Zero Trust, built on the principle of least-privileged access, removes the risk of overly permissive policies, which are a compliance risk, and eliminates the ability of unauthorized users to move laterally across a network.

IAM infused with AI/ML also supports compliance by fully automating the access review and approval processes. It also reduces human errors and the problems that can occur as a result of too many access requests, which often lead to over-provisioned users and failed compliance audits.

Finally, data sovereignty is a key requirement of many regulations, and companies must be able to prove that data is being stored in its country or region of origin. You need a cloud architecture with full tenant isolation to meet the strictest global privacy and data residency requirements, and to keep your sensitive data and backups under your control and in the required region or country.

ForgeRock IAM

The ForgeRock Identity Platform offers the sophisticated IAM capabilities you need to protect every identity in your organization — people, systems, applications, and things. It includes AI-powered solutions to manage digital identities at scale and ensure that entities are who they claim to be.

The ForgeRock Identity Platform is the only offering for AI-driven access management, identity management, user-managed access, directory services, and an identity gateway, designed and built as a single, unified platform.

1. https://www.genesys.com/blog/post/5-ways-to-fix-customer-onboarding-processes-in-financial-services