Navigating Identity and Access Management: A Comprehensive Guide

Identity and Access Management

Identity and Access Management (IAM) is an information security discipline that manages user and device access across the entire organisation. It incorporates Governance, Risk & Compliance, strategies, policies, programmes, controls and monitoring, and security. It acts as a centralised place to manage the organisation's users, devices and other resources that are connected to and configured within the organisation. 

Identity and Access Management is a foundational requirement for any organisation and its enterprise security program. IAM is at the heart of security as it manages physical, digital, and logical identities and assets. 

Identity and Access Management allows the right entities (people or things) to access the right things at the right time for the right reasons, which helps achieve the CIA (Confidentiality, Integrity, Availability) triad of cyber security. Enforcing the necessary policies and programmes, having the right tools in place, and implementing them properly is what makes IAM effective. 

Why is Identity and Access Management necessary?

Identity and Access Management is necessary irrespective of the size of the organisation. It plays a vital role in standardising how users log in and how users, systems, roles, privileges, identities, password management, access provisioning and de-provisioning, and rule and policy enforcement are managed. 

Identity and Access Management authenticates the right person by comparing the credentials presented by the user against the identity record held in the directory or database; multi-factor authentication can be added to strengthen this step. It then verifies whether that entity (a person, service or device) is authorised to enter the particular system or application. Because every identity is verified, it is hard for an attacker to impersonate someone else's identity to gain access to the system. Several access control models define how the security policy governing access to information is expressed and enforced. The most common are:

  • Mandatory Access Control (MAC): the system enforces centrally assigned labels and clearances, and resource owners cannot override them
  • Discretionary Access Control (DAC): the owner of a resource decides who may access it
  • Role-Based Access Control (RBAC): permissions are attached to roles that reflect job functions, and users receive access by being assigned roles

Each model differs in where the access decision is made and how rigidly it is enforced, and the choice depends on the nature and size of the organisation. 

IAM also monitors user activity and alerts administrators before something goes wrong. Information about logins, such as the number of attempts, failed logins and access amendments, is recorded in the application's log entries, and the controls and monitoring team reviews these logs continuously. This makes it difficult for an attacker to attack a login without leaving log traces or being noticed by the controls and monitoring team. 
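As an added example (not part of the original article), the following Python script runs the kind of check described above over a few constructed log lines. The log format, field names and thresholds are assumptions chosen for illustration; the script flags a burst of failed logins, a success that follows such a burst, and every access amendment so the controls and monitoring team can review it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): "<UTC timestamp> <EVENT> user=<id> key=value ..."
SAMPLE_LOG = """\
2024-03-01T09:00:01Z LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T09:00:12Z LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T09:00:25Z LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T09:00:40Z LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T09:00:55Z LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T09:01:10Z LOGIN_OK user=alice src=10.0.0.5
2024-03-01T09:05:00Z LOGIN_FAILED user=bob src=10.0.0.9
2024-03-01T10:30:00Z LOGIN_FAILED user=bob src=10.0.0.9
2024-03-01T11:00:00Z ACCESS_CHANGE user=carol role=payments-approver by=dave
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+)(?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    extra = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return {"ts": ts, "event": m.group("event"), "user": m.group("user"), **extra}


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e is not None]


def detect(events, threshold=5, window=timedelta(minutes=5), success_after=3):
    """Walk the events in order and return (alert_type, user, timestamp) tuples.

    BRUTE_FORCE: a user's failed-login count inside the sliding window reaches the threshold.
    SUCCESS_AFTER_FAILURES: a successful login while at least success_after recent failures exist.
    ACCESS_CHANGE: every access amendment is surfaced for the monitoring team to review.
    """
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures inside the window
    for e in events:
        user = e["user"]
        # Expire failures that fall outside the window relative to this event.
        fails = [t for t in recent_failures[user] if e["ts"] - t <= window]
        recent_failures[user] = fails
        if e["event"] == "LOGIN_FAILED":
            fails.append(e["ts"])
            if len(fails) == threshold:  # fires when the count first reaches the threshold
                alerts.append(("BRUTE_FORCE", user, e["ts"]))
        elif e["event"] == "LOGIN_OK":
            if len(fails) >= success_after:
                alerts.append(("SUCCESS_AFTER_FAILURES", user, e["ts"]))
            fails.clear()  # a successful login ends the burst
        elif e["event"] == "ACCESS_CHANGE":
            alerts.append(("ACCESS_CHANGE", user, e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind:24} user={user}")
```

On the sample data the two isolated failures for bob, more than an hour apart, raise nothing, while alice's five failures in under a minute followed by a success raise two alerts, which is the pattern a monitoring team would want to see rather than a raw count of failed logins.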
 

Benefits of having efficient Identity and Access Management

  • Automating provisioning, de-provisioning and access reviews through technology
  • Providing least-privilege access
  • Addressing system access in a standard manner across the enterprise 
  • Meeting user and compliance demands
  • Making processes more efficient, with increased productivity and user satisfaction
  • Improving security and reducing risk

IAM Classification & App Onboarding

Identity Access Management (IAM) & Privilege Access Management (PAM) 

Although they are classified separately, IAM and PAM work on the same principles; they differ in the accounts they govern and in the controls applied to those accounts. PAM adds tighter controls for privileged credentials, such as vaulting them, checking them out for a single task and rotating them after use. 

When an application is to be onboarded into the organisation's IAM framework, details such as the application type, its use cases, the accounts required, its users, the access levels required and whether privileged accounts exist must be gathered before proceeding. The compliance and regulatory requirements that apply to the application are also required.  

A few common regulatory / compliance requirements are 

  • SOX – Sarbanes-Oxley Act
  • GDPR – General Data Protection Regulation
  • PCI DSS – Payment Card Industry Data Security Standard
  • HIPAA – Health Insurance Portability and Accountability Act

Based on these details the application is categorised. 
The application's account types and roles are then reviewed, and standard operating procedures (SOPs) for the application are created and approved by the application and business owners. The privileges attached to each role are checked to avoid Segregation of Duties (SOD) conflicts, that is, one identity holding roles that together let it both initiate and approve the same transaction.  

An application will have normal and privileged accounts. 
Privileged accounts are those with root or superuser access or otherwise elevated privileges. They are used for specific high-impact functions such as trading or payments, or by senior or executive-level employees. 

These privileged accounts are segregated and managed as Privileged Access Management (PAM) accounts. 

Joiner – Mover – Leaver (JML) 

Joiner, Mover, Leaver is one of the most important processes in Identity and Access Management. It is driven by HR events (hire, transfer, exit) and maintains each user's identity, its associated roles and privileges, and the record of changes to them. When a new employee joins the organisation an identity is created and the least-privilege access needed for the intended work is granted; this is the Joiner request. Any further access required for business-as-usual (BAU) work is granted through requests raised by the employee or the employee's manager. 

When an employee moves from one team or department to another, the access and privileges the employee already holds are checked against the access required for the new team, so that the employee does not keep the previous access alongside the new. Roles that are no longer required are removed and the least-privilege access for the new team is granted; Segregation of Duties (SOD) is checked again before the new access is given. This is the Mover request. 

When an employee leaves the organisation, the identity is checked for the privileges it holds and a Leaver request is raised to remove all access and to deactivate the account and its associated details. 

How well JML is maintained, and how much of it is automated, largely determines the effectiveness of IAM. 
An access control model such as Role-Based Access Control (RBAC) makes the identity lifecycle easier to manage: because access is granted through roles tied to job functions rather than to individuals, a joiner, mover or leaver event becomes a change in role assignments, and the IAM system's record of those assignments gives the full history of the identity from the time it was created. 
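As an added example, not from the article or Fusion Practices, the following Python model shows how the Joiner, Mover and Leaver steps above, the Segregation of Duties check from the onboarding section, and the RBAC model from the access-control section fit together. The role catalogue, team baselines and SOD rule are constructed for illustration; a real deployment would take them from the approved SOPs and the identity governance tool.

```python
from dataclasses import dataclass, field

# Constructed role catalogue: role -> entitlements it grants (hypothetical names).
ROLES = {
    "base-employee": {"email", "intranet"},
    "finance-analyst": {"ledger:read", "reports:run"},
    "payments-initiator": {"payments:create"},
    "payments-approver": {"payments:approve"},
    "it-helpdesk": {"tickets:write", "directory:reset-password"},
}

# Least-privilege baseline per team: what a joiner or mover gets without a separate request.
TEAM_BASELINE = {
    "finance": {"base-employee", "finance-analyst"},
    "it": {"base-employee", "it-helpdesk"},
}

# Segregation of Duties: role pairs a single identity must never hold at the same time.
SOD_CONFLICTS = [frozenset({"payments-initiator", "payments-approver"})]


@dataclass
class Identity:
    user_id: str
    team: str
    roles: set = field(default_factory=set)
    active: bool = True
    history: list = field(default_factory=list)  # audit trail of every JML event


def sod_violations(roles):
    """Return the SOD rules that the given role set breaks."""
    return [c for c in SOD_CONFLICTS if c <= roles]


def entitlements(ident):
    """Effective permissions, derived only through roles (the RBAC property)."""
    return set().union(*(ROLES[r] for r in ident.roles)) if ident.roles else set()


def joiner(user_id, team):
    """Create the identity with the team's least-privilege baseline."""
    ident = Identity(user_id, team, set(TEAM_BASELINE[team]))
    ident.history.append(("joiner", team, sorted(ident.roles)))
    return ident


def request_role(ident, role, approver):
    """BAU access request from the employee or manager; denied if it would break SOD."""
    if not ident.active:
        raise PermissionError(f"{ident.user_id} is inactive")
    if role not in ROLES:
        raise KeyError(role)
    candidate = ident.roles | {role}
    if sod_violations(candidate):
        ident.history.append(("request_denied_sod", role, approver))
        return False
    ident.roles = candidate
    ident.history.append(("request_granted", role, approver))
    return True


def mover(ident, new_team):
    """Replace the old team's access with the new team's baseline; nothing carries over."""
    old_roles = set(ident.roles)
    new_roles = set(TEAM_BASELINE[new_team])
    if sod_violations(new_roles):
        raise ValueError(f"baseline for {new_team} violates SOD")
    ident.team = new_team
    ident.roles = new_roles
    removed = sorted(old_roles - new_roles)
    ident.history.append(("mover", new_team, removed))
    return removed


def leaver(ident):
    """Strip every role and deactivate the account."""
    removed = sorted(ident.roles)
    ident.roles = set()
    ident.active = False
    ident.history.append(("leaver", removed))
    return removed


if __name__ == "__main__":
    alice = joiner("alice", "finance")
    request_role(alice, "payments-initiator", approver="finance-manager")
    request_role(alice, "payments-approver", approver="finance-manager")  # denied: SOD
    mover(alice, "it")
    leaver(alice)
    for event in alice.history:
        print(event)
```

The point to notice is in mover: it rebuilds the role set from the new team's baseline rather than adding to the existing one, which is what prevents the access accumulation the Mover step is meant to stop, and the SOD check runs on the whole candidate role set, not just the role being requested.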

Passwords 

  • Passwords are critical to every authentication, so they must be strong and complex enough that they cannot be guessed or broken easily by others.
  • Employees must receive proper training and awareness on this, which helps them choose strong passwords.
  • A strong password should be at least 8 to 10 characters long; longer passphrases are stronger still.
  • It should combine lower- and upper-case letters and numbers with at least one special character.
  • It should not be a dictionary word, a frequently used word, the name of a person or pet, the date of birth of someone close, or a city name.
  • Every normal password has to be changed, or expire, within 90 days, so password rotation has to be in place; privileged account passwords have to be changed after every use, and some account passwords have to be reset at 30-day intervals.
  • The application should reject previously used passwords (password history).
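As an added example, not from the article, here is a Python check that applies the rules listed above: length, character classes, a blocklist of dictionary and common passwords plus the user's own words (name, pet, city, year of birth), a history of previous passwords, and the rotation rule for normal versus privileged accounts. The word list and user details are constructed for the example, and SHA-256 stands in for the slow password hash a real history store would use.

```python
import hashlib
import re
from datetime import date

# Constructed blocklist of dictionary words and frequently used passwords (hypothetical).
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty", "admin"}


def history_hash(password):
    """Value kept in the password-history store (SHA-256 for brevity; use a slow KDF in production)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, user_context, history, min_length=10):
    """Return the list of policy violations; an empty list means the password is acceptable.

    user_context: dict of words tied to the user (name, pet, city, year of birth ...).
    history: set of history_hash() values of the user's previous passwords.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    # Case-insensitive substring match against common words and the user's own details.
    lowered = candidate.lower()
    blocked = COMMON_WORDS | {str(v).lower() for v in user_context.values()}
    for word in sorted(blocked):
        if len(word) >= 3 and word in lowered:
            problems.append(f"contains blocked word '{word}'")
    if history_hash(candidate) in history:
        problems.append("previously used password")
    return problems


def rotation_due(last_changed, today, privileged=False, max_age_days=90):
    """Normal accounts rotate every max_age_days; privileged accounts rotate after every use.

    Dates may be date objects or ISO strings (YYYY-MM-DD).
    """
    if privileged:
        return True
    last, now = (date.fromisoformat(d) if isinstance(d, str) else d for d in (last_changed, today))
    return (now - last).days >= max_age_days


if __name__ == "__main__":
    ctx = {"name": "alice", "pet": "rex", "city": "london", "birth_year": "1990"}
    previous = {history_hash("Tr4v3l-P0wer-Ship")}
    for pw in ["Summer2024!", "Rex1990!!x", "Tr4v3l-P0wer-Ship", "Gl4ss-Harb0ur-Lamp"]:
        print(pw, check_password(pw, ctx, previous) or "OK")
    print("rotation due:", rotation_due("2024-01-01", "2024-04-01"))
```

One caveat a practitioner should weigh against the bullet list: current NIST guidance (SP 800-63B) favours long passphrases screened against breached-password lists over mandatory composition rules and scheduled rotation for ordinary user passwords, on the grounds that forced rotation produces predictable variations. The "change after every use" rule for privileged accounts, by contrast, remains standard practice and is what PAM check-out tooling enforces.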

Author: Nathersha Sahulhameed is a Senior Consultant at Fusion Practices
