Navigating Identity and Access Management: A Comprehensive Guide
Identity and Access Management (IAM) is an information security discipline. IAM manages users and devices access across the entire organisation. IAM has many things incorporated which includes Governance, Risk & Compliance, Strategies, policies, programs, Controls & Monitoring, Security etc. It acts as a centralised place to manage all the organizations resources, devices and other components that are connected and configured within the organization.ย
Identity and Access Management is a foundational requirement for any organisation and its enterprise security program. IAM is at the heart of security as it manages physical, digital, and logical identities and assets.ย
Identity and Access Management allows the right entities (people or things) to access the right things at the right time for the right reasons which helps in achieving the CIA (Confidentially, Integrity, Availability) triad of Cyber security. Enforcing necessary policies, and programs, having the right tools in place, and properly implementing them make IAM be efficient.
Why Identity and Access Management is necessary?
Identity and Access Management is necessary irrespective of the size of the organization, it plays a vital role in standardizing the way one has to log in, managing the users, systems, roles, privileges, identities, password management, access provisioning /de-provisioning, rule/policy enforcements, etc.
Identity and Access Management helps to authenticate the right person, by comparing the unique identity provided by the user against the one available in the database. Additionally, multifactor authentication can be used to enhance security. Identity and Access Management verifies whether he/she/it is authorized to get into the particular system/application or not. As the system verifies each identity, it makes it hard for attackers to impersonate othersโ identities to gain access to the system. There are several access control models available that ensure the integrity of security policies that mandate how information can be accessed in a system.โฏThe most common access control models areโฏ
- Mandatory Access Control
- Discretionary Access Control
- Role Based Access Control.
Each model differs in its specifications and features it holds and this can be chosen based on the nature and size of the organization.
It also offers to monitor the user activities and alerts the administrators before something goes wrong. Information related to the login Such as., No of attempts, Failed logins, Access Amendment, etc., are saved in the application log entries. The controls & monitoring team constantly monitor these logs. Therefore, it makes it difficult for an attacker to bypass a login without leaving any log traces or being noticed by the Controls & Monitoring team.
Benefits of having efficient Identity and Access Management
- Leverage Technology to automate
- Providing least privilege access
- Address system access in a standard manner across the enterprise
- Meet user and compliance demands
- Make processes more efficient with increased productivity and user satisfaction
- Improved security and reduced risks
IAM Classification & App Onboarding
Identity Access Management (IAM) & Privilege Access Management (PAM)ย
โฏEven though it has been classified, both are exactly similar in the way they work. However, it differs in the use cases of accounts.
If an application has to be onboarded into an organization framework, application details such as application type, application use cases, accounts required, application users, access level required, and existence of privilege accounts, are required before proceeding with the onboarding. Additionally, the compliance and regulatory requirements that are applicable for the application will also be required.
A few common regulatory / compliance requirements are
- SOX โ Sarbanes โ Oxley Act,
- GDPR โ Global Data Protection Regulation,
- PCI DSS โ Payment Card Industry Data Security Standards,
- HIPAA โ Health Insurance Portability and Accountability Act,
Based on these details the application will be categorized.
Further, the application has to be checked for the type of accounts & roles. Standard operation procedures (SOP) of the application have to be created and approved by the application and business owners. The privileges of roles have to be checked in order to avoid Segregation of Duties (SOD) errors.โฏ
The application will have normal and privilege accounts.
The privileged accounts are which have root or super user access with elevated privileges. Used for specific high purposes like trading, payments, or used by senior level or executive level employees.
These privilege accounts are segregated and managed as Privilege Access Management (PAM) accounts.
Joiner โ Mover – Leaver (JML)
Joiner, Mover, Leaver is one of the important processes in Identity and Access Management and a key process for HR to maintain each userโs identity and to track records of the same. JML is the process of maintaining the identities and their associated roles, privileges, and details.ย The identity will be created for a new employee as he/she joins the organization. And the least privilege access will be granted to him/her to do the intended work. This will be considered as a Joiner request. Further access required to process the BAU, will be granted with the help of requests raised by the employee or the employeeโs manager.ย
If an employee moves from a team or department to a different team. The previous access/privileges the employee holds will be checked against the access required for the new team. It is to avoid the employee having previous and current access. The roles that are not required will be removed and the least privilege access for that particular team will be granted. Segregation of Duties (SOD) will also be checked while providing new access. This is considered as Moverโs request.ย
If an employee would like to exit from the organization. His identity will be checked for the privileges he holds. A leaver request will be raised to completely remove all access and to make the account and its associated details inactive.
Efficient automated JML process (or) how well JML is maintained defines the efficiency of IAM.
Access Control model like Role Based Access Control (RBAC) helps to understand the lifecycle of the identities easier. It holds the entire details of the identity from the time it has been created.