
The topics of Identity Management, Access Management and Identity Governance often have different meanings and features depending on which company's software marketing literature you are reading. Securience has years of experience not only implementing various IAM solutions, but also setting up and running the IAM Programmes and Projects that deliver those solutions. Below are our thoughts on what your organisation will need to consider for its IAM Programme.
Governance
Data Discovery
The first key step in governing your employees' access rights across an organisation is understanding what permissions they have on the end platforms. Application Control Lists (ACL) need to be collected either directly from the platform or from a data export.
ACL collections can be managed directly by the IAM solution or, more commonly in large organisations, by a data staging solution. In order to make sense of these permissions, they need to be unified to single accounts, which in turn are matched to individual employees.
Adding business context to your collected data is key to a successful IAM solution.
Permissions are often collected from a technical platform such as Active Directory, individual servers or cloud-based apps. The names of these permissions and target systems often have no meaning to a business user, so at this stage we would group the permissions into meaningful “Business Applications”. Business Applications can have direct ownership from a technical, business and audit/compliance point of view.
Data Quality
Before implementing business processes and policy to manage your Identities, it is advisable to address any data quality issues first. Investing time and effort in this now will ensure a clean, well-structured infrastructure that will support the implementation of greater levels of automated processes. This will show immediate savings by removing manual processes and will also ensure a smoother audit. Some common examples of data analysis/clean-up that should be performed:
Active Directory/Domain analysis
Active Directory domains are common in all organisations. Many common bad practices can be identified and removed with Active Directory Health Checks.
Application Ownership
Simply categorising individual access into “Business Applications” is not enough unless accountability is assigned to a business and technical owner. Care should be taken to ensure that all business applications have owners.
Orphaned Accounts analysis
This is often part of Active Directory analysis; however, it warrants specific effort to ensure that accounts are assigned to individuals. It’s no good simply knowing what authorisations exist if you do not know who has access to them.
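The discovery and data quality steps above (unify collected permissions to accounts, match accounts to employees, group permissions into Business Applications, flag orphaned accounts) can be sketched as follows. This is an added example, not code from the original page; the sample rows, the permission-to-application mapping and matching on login name alone are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data, not taken from the original page.
HR = {"E100": "a.khan", "E101": "j.smith"}  # employee id -> primary login
ACL_EXPORT = [  # (platform, account, permission) rows from a staging export
    ("AD", "CORP\\a.khan", "GRP_FIN_LEDGER_RW"),
    ("AD", "CORP\\a.khan", "GRP_TMP_2019"),
    ("AD", "CORP\\j.smith", "GRP_HR_PAYROLL_RO"),
    ("AD", "CORP\\svc_backup", "GRP_FIN_LEDGER_RW"),
    ("crm-cloud", "J.Smith@example.com", "crm.admin"),
    ("crm-cloud", "old.contractor@example.com", "crm.user"),
]
# Hypothetical mapping of technical permissions to "Business Applications".
BUSINESS_APPS = {
    "GRP_FIN_LEDGER_RW": "Finance Ledger",
    "GRP_HR_PAYROLL_RO": "Payroll",
    "crm.admin": "CRM",
    "crm.user": "CRM",
}

def normalise(account):
    # Reduce domain-prefixed and user@domain forms to a bare lower-case login.
    account = account.rsplit("\\", 1)[-1]
    return account.split("@", 1)[0].lower()

def correlate(acl_rows, hr, apps):
    """Match each ACL row to an employee and a business application."""
    login_to_emp = {login.lower(): emp for emp, login in hr.items()}
    by_employee = defaultdict(lambda: defaultdict(set))
    orphaned, unmapped = [], set()
    for platform, account, perm in acl_rows:
        app = apps.get(perm)
        if app is None:
            unmapped.add(perm)  # permission with no business context or owner yet
        emp = login_to_emp.get(normalise(account))
        if emp is None:
            orphaned.append((platform, account, perm))  # nobody accountable
        else:
            by_employee[emp][app or "UNMAPPED"].add((platform, perm))
    return by_employee, orphaned, unmapped

if __name__ == "__main__":
    by_employee, orphaned, unmapped = correlate(ACL_EXPORT, HR, BUSINESS_APPS)
    for emp, apps in sorted(by_employee.items()):
        print(emp, {app: sorted(perms) for app, perms in apps.items()})
    print("orphaned:", orphaned)
    print("unmapped:", sorted(unmapped))
```

The orphaned rows and unmapped permissions are the clean-up backlog: each needs an accountable individual or an owning Business Application before reviews can cover it.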
Reviews/Re-certifications
Finally, once we have a view of who has access to what, Reviews or “Re-Certification” campaigns can be run periodically to validate whether that access is still appropriate. These Reviews can be categorised into three main types:
User Access Reviews
Direct access to items such as Security Groups, Application Roles, Permissions and File Shares can be reviewed for each employee. This is often carried out by someone who has an understanding of that person’s job and accountability within the organisation, for example the Line Manager.
Application Reviews
All direct access within a particular platform can be reviewed using an Application Review. However, given the size of the platforms it is often not realistic to expect a single person to be able to take ownership for all decisions about access within a platform. It is therefore advisable to break down the contents covered in the review by:
Splitting technical platforms into smaller functional “Business Applications”
Including only access which has not already been reviewed as part of a User Access Review. Orphaned account access, for example, would need to be reviewed here.
Role Reviews
If an organisation is using Business or Technical roles to group access together, assignment and review of access may be done at the role level. The contents of the role will therefore also need to be reviewed periodically to ensure they are still valid.
Remediation of Access
Any access that is not approved during a Review should be automatically requested to be revoked. This can be done in the following ways depending on the maturity of your access management infrastructure:
Reports can be shared with platform administrators
Service Desk tickets can be raised to request that access is revoked
Access can be automatically revoked via direct provisioning
Once remediation of access is executed, further ACL collections are necessary to verify that the access is no longer there on the end platform, thus “closing the loop” on the access remediation request.
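A sketch of the “closing the loop” check described above, comparing revocation requests against a later ACL collection. This is an added example, not code from the original page; the request ids, platform names, timestamps and data layout are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data, not taken from the original page.
REVOCATIONS = [  # (request id, platform, account, permission, executed at)
    ("REQ-1", "AD", "j.smith", "GRP_FIN_LEDGER_RW", datetime(2024, 5, 1, 9, 0)),
    ("REQ-2", "AD", "a.khan", "GRP_HR_PAYROLL_RO", datetime(2024, 5, 1, 9, 5)),
    ("REQ-3", "crm-cloud", "old.contractor", "crm.user", datetime(2024, 5, 1, 10, 0)),
    ("REQ-4", "fileserver01", "j.smith", "share_finance_rw", datetime(2024, 5, 1, 11, 0)),
]
COLLECTIONS = {  # latest ACL collection per platform
    "AD": {
        "collected_at": datetime(2024, 5, 2, 1, 0),
        "entries": {("a.khan", "GRP_FIN_LEDGER_RW"), ("a.khan", "GRP_HR_PAYROLL_RO")},
    },
    "crm-cloud": {  # stale: collected before REQ-3 was executed
        "collected_at": datetime(2024, 4, 30, 1, 0),
        "entries": {("old.contractor", "crm.user")},
    },
}

def verify_remediation(revocations, collections):
    """Classify each revocation as closed, still_present or unverified."""
    result = {"closed": [], "still_present": [], "unverified": []}
    for req, platform, account, perm, executed_at in revocations:
        snapshot = collections.get(platform)
        if snapshot is None or snapshot["collected_at"] <= executed_at:
            # No collection newer than the change, so it proves nothing either way.
            result["unverified"].append(req)
        elif (account, perm) in snapshot["entries"]:
            result["still_present"].append(req)  # revocation did not take effect
        else:
            result["closed"].append(req)
    return result

if __name__ == "__main__":
    for status, reqs in verify_remediation(REVOCATIONS, COLLECTIONS).items():
        print(status, reqs)
```

Only requests in the closed list should be marked complete; the other two lists go back to the platform administrators or wait for the next collection.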
Process Automation
Joiners/Movers/Leavers
When users join an organisation, universal access can automatically be granted by means of ‘birth right access’. Any specific functional access can also be granted automatically.
When users move within an organisation, any functional access can be automatically removed or changed. Any non-functional or direct access should also be automatically reviewed by a line manager.
Once a user leaves an organisation, automatic de-provisioning of access should be triggered, along with any associated disabling or archiving activities.
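The joiner, mover and leaver rules above can be expressed as a change plan computed from a user's current access. This is an added example, not code from the original page; the birthright set, role names and permission names are hypothetical.

```python
# Hypothetical entitlement model, constructed for illustration.
BIRTHRIGHT = {"email", "intranet", "timesheet"}
ROLE_ACCESS = {
    "finance-analyst": {"ledger.read", "ledger.post", "doc-archive.read"},
    "hr-advisor": {"payroll.read", "doc-archive.read"},
}

def plan_jml(event, current_access, old_role=None, new_role=None):
    """Return the access to grant, revoke and send for line-manager review."""
    old_fn = ROLE_ACCESS.get(old_role, set())
    new_fn = ROLE_ACCESS.get(new_role, set())
    if event == "joiner":
        # Birthright access plus the functional access of the starting role.
        grant = (BIRTHRIGHT | new_fn) - current_access
        return {"grant": grant, "revoke": set(), "review": set()}
    if event == "mover":
        grant = new_fn - current_access
        # Revoke only functional access the new role does not also carry.
        revoke = (old_fn - new_fn) & current_access
        # Access that is neither birthright nor role-derived was granted
        # directly, so it is reviewed rather than silently kept or removed.
        review = current_access - BIRTHRIGHT - old_fn - new_fn
        return {"grant": grant, "revoke": revoke, "review": review}
    if event == "leaver":
        # Everything goes, birthright included.
        return {"grant": set(), "revoke": set(current_access), "review": set()}
    raise ValueError(f"unknown event: {event}")

if __name__ == "__main__":
    current = BIRTHRIGHT | ROLE_ACCESS["finance-analyst"] | {"projectx-share.rw"}
    print(plan_jml("mover", current, "finance-analyst", "hr-advisor"))
    print(plan_jml("leaver", current))
```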
Integration with Existing Service Desk
Identity and Access Management solutions can integrate directly with existing service desk solutions. This allows for several possibilities, such as a single place for users to go to manage User Access Requests, or access requests being generated automatically in the Service Desk application and directed to specific application teams/owners.
Direct Provisioning to your Domain and other Applications
Direct provisioning of accounts and access to applications will save time and effort while also improving the accuracy of access changes. Customers with large application estates can have hundreds of applications integrated to their Identity Management platform, providing centralised access control and governance.
Privileged Access/Identity Management
Any elevated levels of access or access to information deemed “privileged” can be easily managed by integrating a PAM solution. The advantages include:
Monitoring and control of elevated access: not only who gets elevated access and when, but also what they do with that elevated access
Removal of common passwords
Removal of shared accounts
Roles Based Access
Permissions to platforms can often be grouped together into technical or functional roles. This can save time/effort and also provide a cleaner access to end platforms. However, it’s key to ensure that these roles have ownership/accountability.
Securing your Applications
API Gateway
All applications will have a measure of security built in. However, standardising the ways in which you can communicate with an application can have many key benefits.
This will reduce integration efforts between applications and allow best practices with regard to securing your endpoint. For example:
Token/Credential based Authentication
Rate Limiting/DDOS Prevention
White Listing/Black Listing IP Addresses
Easy integration with monitoring tools and SIEM solutions
Single Sign-On
Single Sign-On can have a huge impact on user experience across an organisation. It is the authentication process that enables a user to use a single set of credentials to access multiple applications.
From a technical perspective, a user’s session information is shared with other applications. There are different protocols to choose from that will allow this to happen: OpenID Connect, SAML, Facebook Connect.
The benefits from enabling SSO are:
Remove the need for end users to remember multiple credentials for each application
Reduced helpdesk calls for forgotten passwords
Manage authentication and authorisation policy from a single location
Multi-Factor Authentication
Through this journey we have managed Identities, provided the correct level of access for them, and re-validated that the level of access is still appropriate for that particular user. But now we need to ensure that the user who is currently logged on is actually who they say they are (and not someone who has stolen that person’s password).
By using a secondary form of authentication other than a password when protecting access to sensitive data or applications, your organisation will add significant levels of assurance that your active users are actually who they say they are and not fraudsters.
There are several different methods of Multi-Factor Authentication these days to suit different use cases, user experience requirements and security requirements. They range from the more traditional hardware OTP tokens/keyfobs to soft OTP tokens, SMS messages, or user-friendly push notifications to a mobile phone that utilise modern mobile phone technology such as the phone’s gyroscope, touchscreen, or biometric fingerprint or eye scanner.