Identity and access management (IAM) is a centralized and consistent way to manage user identities (i.e. people, services, and servers), automate access controls, and meet compliance requirements across traditional and containerized environments. One example of an IAM solution in action is when employees use a VPN to access company resources for remote work.
IAM is part of the solution to making sure the right people have the right access to the right resources—particularly across multiple cloud instances. IAM frameworks are essential for managing identities across bare metal, virtual, hybrid cloud, and edge computing environments from a centralized location to help mitigate security or compliance risk.
IAM methods control access to on-premise and cloud assets, applications, and data based on user or application identity and administratively defined policies. IAM methods are found in every stage of the DevOps lifecycle and can help protect against unauthorized system access and lateral movement.
IAM concepts include:
Authentication: verifying the identity of users, services, and applications.
Authorization: granting the authenticated users access to specific resources or functions.
Identity providers, secret vaults, and hardware security modules (HSMs): allowing DevOps teams to manage and safeguard security credentials, keys, certificates, and secrets, while at rest and in transit.
Provenance: verifying the identity or authenticity of code or an image, typically through some type of digital signature or attestation record.
As the security landscape continues to evolve, IAM can also include additional features like artificial intelligence (AI), machine learning (ML), and biometric authentication.
Authentication is the process of confirming or verifying a person’s identity. A user identity (or digital identity) is the set of information used to authenticate a person, service, or even IoT devices to specific sets of enterprise data or networks. A most basic example of authentication occurs when a person logs into a system with a password; the system can verify the presented identity by checking the presented information (password).
The process of authentication not only captures login information, but it also allows IT administrators to monitor and manage activity across the infrastructure and services.
There are several approaches to implementing a security policy that can help increase the security of your environment while still maintaining usability for your users. Two common ones are single sign-on (SSO) and multi-factor authentication (MFA).
SSO: Different services, devices, and servers all require separate authentication to be able to access them. SSO configures a central identity service that configured services can check for verified users. Users only have to authenticate once and can access multiple services.
MFA: An extra layer of security that requires multiple checks to verify an identity prior to granting access. For this method, consider using cryptographic devices such as hardware tokens and smart cards, or configure authentication types such as passwords, radius, password OTP, PKINIT, and hardened passwords.
You can also use other tools within your infrastructure to make it easier to manage identity, especially in complex or distributed environments like cloud or CI/CD pipelines—where user authentication can be difficult to implement effectively. System roles can be especially beneficial in a DevSecOps environment. With consistent and repeatable automated configuration workflows, IT administrators can save time and resources, reducing the burden and manual tasks associated with deployment, identity administration, and provisioning/deprovisioning over time.
Authentication is the process of identifying who is trying to access a service. Authorization is the process of defining what that user can do with that service, such as editing, creating, or deleting information.
Access controls take identity management a step further by assigning a user identity with a set of predetermined access rights. These controls are often assigned during account setup or user provisioning and operate under the practice of “least privilege," a foundation of the Zero Trust model.
Least privilege only gives a user access to the resources it needs for a specific purpose, like a project or task, and only allows them to take the actions (permissions) they are required. Access policies can also limit the amount of time available for certain resources.
For example, an employee may have permissions to access a broader range of resources than third parties like contractors, partners, suppliers, and customers. If a user is approved for a different level of access, IT administrators can go into the identity database and make user adjustments as needed.
Systems of access management that follow least privilege include privileged access management (PAM) and role-based access management (RBAC).
PAM is the most crucial type of access control. Admins and DevOps personnel who receive these assignments typically have the most unrestricted access to sensitive data and can make changes to enterprise applications, databases, systems, or servers.
RBAC grants defines roles, or collections of users, and then grants permissions to those roles to resources or functions based on their job responsibilities. RBAC makes applying access rights consistent and clear, which simplifies administration and onboarding and reduces privilege creep. RBAC can help save time and resources by automating the assignment of access rights based on a user’s role within an organization.
IAM provides a level of built in security through the app development pipeline and is crucial for implementing DevSecOps in your organization. It is one of the building blocks for creating a layered approach to security across bare-metal, virtual, container, and cloud environments.
It is important to ensure your IAM system can support solutions across multiple environments and workloads. This includes implementing IAM throughout the development, testing, operations, and monitoring of applications.
Because there is a wide range of IAM solutions available, enterprises can narrow down their options via the following:
Conduct an audit of new and legacy systems, especially if you have applications both on-premises and in the cloud.
Identify any security gaps for both internal and external stakeholders.
Define user types and their specific access rights.
Once you have defined your organization’s security needs, it is time to deploy your IAM solution. You can choose a standalone solution, a managed identity service, or cloud subscription service–like Identity as a Service (IDaaS)–from a third party.
Red Hat® Enterprise Linux® provides a simplified, dependable, and consistent authentication experience in an open hybrid cloud environment. It includes centralized identity management (IdM) capabilities that allow you to authenticate users and implement RBAC using a single, scalable interface that spans your entire datacenter.
Identity management in Red Hat Enterprise Linux can:
Significantly simplify your identity management infrastructure.
Help meet modern compliance requirements like PCI DSS, USGCB, STIG.
Reduce the risk of unauthorized access or escalation of access privileges.
Create a foundation for a highly dynamic and scalable, cloud and container-capable, operational environment.
Preconfigure access controls on new systems, virtual machines (VMs), and containers.
Reduce the cost of day-to-day operation and the security burden on IT.
Identity management in Red Hat Enterprise Linux also integrates with Microsoft Active Directory, lightweight directory access protocol (LDAP), and other third-party IAM solutions through standard application programming interfaces (APIs). You can also centrally manage authentication and authorization for services using certificate-based authentication and authorization techniques.
With the foundational automation, security, and lifecycle management provided by Red Hat Enterprise Linux, layered products that run on top, such as Red Hat OpenShift®, inherit the same security technologies and extend built-in cybersecurity to container-based application development.