What are the most common IAM implementation methods for information security?

Presently, the solutions mentioned above are all prevalent; however, the optimal IAM implementation for each organization is contingent on a multitude of factors, including the technologies employed, the feasibility of integration, and user behavior and culture. Drawing from past projects, it is my belief that while a more sophisticated and robust IAM may be suitable for engineers, it is unsuitable for non-technical personnel. Nevertheless, we must ensure that security is not compromised in favor of performance.

RBAC minimizes the risk of unauthorized access and allows administrators to manage users in groups, making assigning and revoking permissions easier. It can help organizations comply with proper regulations by precise and controlled access based on defined roles. Auditing and reporting become easy.

Role-Based Access Control (RBAC) is a method for restricting network access based on the roles of individual users. RBAC allows employees to access only the information they need to do their job. Employee roles in an organization determine the privileges granted to individuals and prevent lower-level employees from accessing sensitive information or performing higher-level tasks.

ABAC takes into account various pre-configured attributes or characteristics, which can be related to the user, and/or the environment, and/or the accessed resource. Implementing ABAC often requires more time, resources, and expensive tooling, which add to the overall cost. However, a successful ABAC implementation can be a future-proof, financially viable investment.

Real-life implementations are usually hybrid and in many cases, the intented outcome is executed via other methods. For example, RBACs may be implemented using identity 'attributes' i.e an access policy may be defined for a 'branch manager role', which is identified via their 'job code' and 'location' attributes in the IGA or identity repository. The 'role' is essentially defined using 'attributes'. Similarly, PBAC may include policies defined using the role construct or using attributes, as well.

Another interesting mechanism worth checking out is Graph Based Access Control. GBAC represents the possibility of a more flexible method for configuring access permissions and managing access to content in information systems. GBAC also allows describing rules with more natural language without oversimplifying or forcing to a very limited number of choices.

While reading this article, I couldn't help but think about the disruption AI is bringing to this space. Many of the highlighted deficiencies in the methods above, are already being addressed by AI. ML based dynamic role modeling for RBACs and ABACs, makes them less rigid, easier to maintain and always aligned with business requirements. Leveraging NLP/Gen AI for PBACs makes it easier to create and maintain policies. Initial set can be created using ML, as well. Today's ITDR (identity threat detection and response) is driven by AI/ML and directly improves Risk-BACs. Makes it easier to set up conditional access policies and similar controls based on risk signals.

Application of which IAM methods should always be based on the assessment of the current scenario. A risk assessment should be performed so appropriate selection of IAM method in a specific scenario should be implemented. Continuous monitoring of deviations and incidents must be done over time to see if policy calibration should be made both for common user groups and those with admin functions.