Identity Management Considerations

Updated: Dec 15, 2018



The topic of Identity Management, Access Management and Identity Governance often has different meanings and features depending on what company’s software marketing literature you are reading. Securience has years of experience not only implementing various IAM solutions, but also setting up and running the IAM Programmes and Projects to deliver those solutions. Our thoughts on what your organisation will need to consider for their IAM Programme.


Governance


Data Discovery

The first key step in governing your employees access rights across an organisation is first understanding what permissions they have on the end platforms. Application Control Lists (ACL) need to be collected either directly from the platform or from a data export.


ACL collections can be managed directly by the IAM solution or more commonly in large organisations, by a data staging solution. In order to make sense of these permissions, they need to be unified to single accounts, which in turn are matched to individual employees.

Adding business context to your collected data is key to a successful IAM solution.


Permissions are often collected from a technical platform such as Active Directory, individual servers, cloud based apps. The names of these permissions and target systems often have no meaning to a business user, so at this stage we would group the permissions into meaningful “Business Applications”. Business Applications can have direct ownership from both a technical, business and audit/compliance point of view.


Data Quality

Before implementing business processes and policy to manage your Identities, it is advisable to address any data quality issues first. Investment of time & effort doing this now, will ensure a clean well-structured infrastructure that will support the implementation of greater levels of automated processes. This will show immediate savings by removing manual processes and also ensuring smoother audit. Some common examples of data analysis/clean-up that should be performed:

  • Active Directory/Domain analysis

Active Directory domains are common in all organisations. Many common bad practices can be identified and removed with Active Directory Health Checks

  • Application Ownership

Simply categorising individual access into “Business Applications” is not enough unless the accountability is assigned to a business and technical owner. Care should be taken to ensure that all business application have owners

  • Orphaned Accounts analysis

Often part of Active Directory Analysis, however, this warrants specific efforts to be made to ensure that accounts are assigned to individuals. It’s no good simply knowing what authorisations are there if you do not know who has access to it.


Reviews/Re-certifications

Finally, once we have a view on who has access to what. Reviews or “Re-Certification” campaigns, can be run periodically to validate whether that access is still appropriate or not. These Reviews can be categorised into three main types:

  • User Access Reviews

Direct access to items such as Security Groups, Application Roles, Permissions, File Shares can be reviewed for each employee. This is often carried out by someone who has an understanding of that persons job and accountability within the organisation. For example, the Line Manager.

  • Application Reviews

All direct access within a particular platform can be reviewed using an Application Review. However, given the size of the platforms it is often not realistic to expect a single person to be able to take ownership for all decisions about access within a platform. It is therefore advisable to break down the contents covered in the review by:

  1. Splitting technical platforms into smaller functional “Business Applications”

  2. Include only access which has not been already reviewed as part of a User Access Review. Orphaned account access for example would need to be reviewed here.

  • Role Reviews

If an organisation is using Business or Technical roles to group access together, assignment and review of access may be done at the role level. Therefore, the contents of the role will need to also be reviewed periodically to ensure it is still valid.


Remediation of Access

Any access that is not approved during a Review should be automatically requested to be revoked. This can be done in the following ways depending on the maturity of your access management infrastructure:

  • Reports can be shared with platform administrators

  • Service Desk tickets can be raised to request that access is revoked

  • Access can be automatically revoked via direct provisioning

  • Once remediation of access is executed, further ACL collections are necessary to verify that the access is no longer there on the end platform, thus “closing the loop” on the access remediation request.


Process Automation


Joiners/Movers/Leavers

When users join an organisation, universal access can automatically be granted by means of ‘birth right access’. Any specific functional access can also be granted automatically.


When users move within an organisation any functional access can be automatically removed or changed. Any non-functional or direct access should also be automatically reviewed by a line manager.


Once a user leaves an organisation automatic de-provisioning of access should be triggered and any associated disabling or archiving activities.

Integration with Existing Service Desk

Identity and Access Management solutions can have direct integration with existing service desk solutions. This allows for several possibilities such as a single place for users to go to manage User Access Requests, or any access requests to be generated automatically in the Service Desk application and directed to specific application teams/owners


Direct Provisioning to your Domain and other Applications

Direct provisioning of accounts and access to applications will save time and effort while also improving the accuracy of access changes. Customers with large application estates can have hundreds of applications integrated to their Identity Management platform, providing centralised access control and governance.

Privileged Access/Identity Management

Any elevated levels of access or access to information deemed “privileged” can be easily managed by integrating a PAM solution. The advantages include:

  • Monitoring and control of elevated access – not only who and when someone get elevated access, but also what they do with that elevated access

  • Removal of common passwords

  • Removal of shared accounts


Roles Based Access

Permissions to platforms can often be grouped together into technical or functional roles. This can save time/effort and also provide a cleaner access to end platforms. However, it’s key to ensure that these roles have ownership/accountability.


Securing your Applications


API Gateway

All applications will have a measure of security built in. However, by standardising what ways you can communicate with an application can have many key benefits.


This will reduce integration efforts between applications and allow best practices with regards to securing your endpoint. For example:

  • Token/Credential based Authentication

  • Rate Limiting/DDOS Prevention

  • White Listing/Black Listing IP Addresses

  • Easy integration with monitoring tools and SIEM solutions


Single Sign-On

This can have a huge impact on user experience across an organisation. It is the process of authentication that enables a user to use a single set of credentials to access multiple applications.


From a technical perspective, a user’s session information is shared with other applications. There are different protocols to choose from that will allow this to happen: OpenID Connect, SAML, Facebook Connect.


The benefits from enabling SSO are:

  • Remove the need for end users to remember multiple credentials for each application

  • Reduced helpdesk calls for forgotten password

  • Manage authentication and authorisation policy from a single location


Multi-Factor Authentication

Though this journey we have managed Identities, provided the correct level of access for them, and re-validated that the level of access is still appropriate for that particular user. But now we need to ensure that the user who is currently logged on is actually who they say they are (and not someone who has stolen that persons password).


By using a secondary form of authentication other than a password when protecting access to sensitive data or applications, your organisation will add significant levels of assurance that your active users are actually who they say they are and not fraudsters.


There are several different methods of Multi Factor Authentication these days to suit different use cases for user experience requirements and security requirements. Ranging from the more traditional hardware OTP tokens/keyfobs, soft OTP tokens, SMS messages, or user friendly push notifications to a mobile phone that now utilise modern mobile phone technology such as the phones gyroscope, touchscreen or biometric fingerprint or eye scanner.


  • White LinkedIn Icon
  • White Twitter Icon
  • White Facebook Icon

Securience Limited is a company registered in England & Wales under company registration number 09365922.

© Copyright 2020 Securience Limited. All rights Reserved.