Secure Cloud RADIUS with IAM
Identity access management is a fundamental concept in wireless security. Here's how to implement it.
Identity Access Management (IAM or IdAM), also sometimes called Identity Management (IdM), is a vital part of securing a wireless network. As organizations and data continue to migrate to the cloud, IAM becomes even more relevant as security by proxy is no longer sufficient in a wireless world.
Fortunately, there are a number of solutions for implementing IAM principles that automate the complex parts of identity management. This article will describe the importance of IAM, cover some common implementations, and detail some best practices for IAM on your network.
What is IAM?
Identity access management is an umbrella term that covers a variety of frameworks, policies, technologies, and standards. The underlying goal is to ensure that only the correct people have access to network resources, and that those people are limited to only the resources they need. IAM has a degree of overlap with Zero Trust on this principle.
To accomplish that goal, users are identified, authorized, and authenticated to those resources via various methods (like RADIUS). Importantly, machines and applications also need to undergo similar vetting before being allowed to interface with a network.
List of Identity Access Management Protocols
There are quite a few protocols relevant to IAM, many of which you have likely seen in the field already. Here are the important IAM protocols with a brief description:
- The quintessential AAA (Accounting, Authorization, Authentication) server, RADIUS has been used to protect 802.1X networks for decades now; it’s the foundation for much of the world’s wired and wireless network security.
- The Security Assertion Markup Language protocol is usually used in conjunction with Single Sign-On (SSO) to enable users to use one set of credentials to authenticate to multiple programs. It’s useful for quickly switching between multiple cloud-based applications without needing to reauthenticate each time.
- Lightweight Directory Access Protocol is a ubiquitous open-source protocol most commonly seen in Active Directory environments managing directory access for the RADIUS. It’s a useful tool for more dynamic authorization, but it is mostly limited to on-premise environments.
- OAuth is a useful protocol that allows applications to be authenticated indirectly using the credentials of an approved third-party application (technically called “secure, third-party, user-agent, delegated” authorization). If you’ve ever used a Google or Facebook account to sign up (or login) to another application, it was likely via OAuth.
- OpenID is similar to SAML in many respects, but instead of using third party credentials to authenticate to another application, it’s simply a set of universal credentials that allows the user to maintain a consistent identity across multiple platforms.
- Kerberos is mostly seen in Microsoft environments where it facilitates the automatic sign in process throughout the Windows ecosystem. It’s useful for transferring information over unsecured networks.
- While blockchain technology is usually talked about in the context of cryptocurrency, it’s fundamentally an information storage ledger. Identification attributes and login credentials can be stored in the chain and accessed directly for authentication.
- Terminal Access Controller Access Control System is maintained by Cisco. It was designed to allow users to move between machines in an internal network without the need to login frequently. Usually used on UNIX systems.
- System for cross-domain Identity Management is a protocol that simplifies credential lifecycle management by exchanging identity information between systems. It can automatically provision and deprovision users to maintain up to date authorization across applications.
- Diameter was developed as the next step in AAA, meant to replace its predecessor – RADIUS. It addressed several shortcomings in the original and enabled more dynamic authentication. However, Diameter has yet to see industry adoption and new technologies like the Dynamic Policy Engine have brought the same capabilities to RADIUS.
Why is IAM Important?
The importance of managing the identities and access of users and devices to a network hardly needs explaining. It’s a fundamental pillar of security whether you’re protecting something physical or virtual.
In regards to cybersecurity, IAM systems are the frontline of defense against threats like over-the-air attacks, but also against more insidious on-premise hacks like the Solarwind breach. Having redundant authorization, especially to internal resources, would have been a necessary part of an effective countermeasure to that attack.
In addition to the security benefits properly configured IAM systems confer, they are effective human resource management and machine management tools. The ability to see the state of your network at a glance – user and device authentication events, anomalous requests, resource usage stats, etc. – is critical to a healthy and efficient IT environment.
Cloud RADIUS with Built-In IAM Tools
We know that the security of a network depends on an IT team’s bandwidth more than any network bandwidth, which is why we designed our Cloud RADIUS and PKI Suite to include an impressive array of identity and access management tools.
We are most proud of our Dynamic Policy Engine, a novel technology that allows the Cloud RADIUS server to directly interface with other cloud directories like Google, Okta, and Azure. For the first time, you can have truly passwordless certificate-based authentication with any cloud directory. Utilize user attributes stored on certificates for policy enforcement, accessed dynamically at the moment of authentication by the RADIUS server.
Feedback from customers indicates that our most popular IAM tool is our JoinNow MultiConnector – an automatic 802.1X onboarding solution that is rated #1 in each app store. It takes the hassle out of onboarding new users and devices with a foolproof self-configuration flow.
Coming in at a close second is the intuitive, single-pane management interface that comes with all of our products. Admins can view the state of their entire network at a glance and manage users, devices, policies, lifecycles, and more all within the same portal. You can create certificate templates to automatically assign roles to new users or push automatic configuration payloads to MDMs while surfing a CRL.
A secure network has to be solid from the ground up, so set your foundation with strong identity and access management tools. SecureW2 has affordable options for organizations of all sizes. Click here to see our pricing.