IAM : Identity and Access Management

Excellium Services Newsletter February 2019

One of the most important topics for an organisation nowadays is to address the management of its digital identities and access to its Information Systems. This is not an easy task, and requires strong commitment from a wide range of stakeholders, as well as good preparation and planning in terms of both time and budget.

by webmestre

IAM : Identity and Access Management

Excellium Services Newsletter February 2019

One of the most important topics for an organisation nowadays is to address the management of its digital identities and access to its Information Systems. This is not an easy task, and requires strong commitment from a wide range of stakeholders, as well as good preparation and planning in terms of both time and budget.

by webmestre

by webmestre

One of the most important topics for an organisation nowadays is to address the management of its digital identities and access to its Information Systems. This is not an easy task, and requires strong commitment from a wide range of stakeholders, as well as good preparation and planning in terms of both time and budget.

What is Identity and Access Management, and why it is important?

Identity and Access Management refers to a set of business processes and supporting technologies that enable the creation, maintenance, and use of a digital identity. Overall, it covers three primary areas: governance, provisioning and intelligence.

Identity and access management is a vital information safeguard. It exists to protect sensitive information from the ever-evolving landscape of security threats. When properly implemented, IAM solutions assist in enabling proactive security risk identification and mitigation, allowing a company to pinpoint policy violations, or remove inappropriate access privileges.

Governance and Intelligence

The field of Identity and Access Governance covers four main components:

  • Processes to validate that existing permissions are appropriate and comply with corporate policies;
  • Processes to audit identity and access processes and results, demonstrate controls, define policies about who should have access to what resources (governance), demonstrate compliance with regulatory requirements and company standards, and remediate any issues uncovered;
  • Processes to define roles and to request and approve access to data, applications and other information technology resources;
  • Monitoring and analysis tools to detect vulnerabilities, assess risk, and improve compliance with requirements and standards.

Provisioning

Identity and Access Provisioning covers the automation of the provisioning and de-provisioning of access to applications and IT resources, and manages access throughout the user lifecycle within the organisation. Key IAM functions, such as password management, advanced authentication and single sign-on, are part of provisioning and life cycle management.

IT requirements drive Identity and Access Provisioning:

  • Provisioning application and server access;
  • Providing trusted authentication mechanisms that ensure users are who they say they are;
  • Simplifying secure sign-on processes;
  • Allocating access for SaaS resources and mobile devices;
  • Administering Active Directory functions;
  • Providing detailed, privileged administration capabilities for IT personnel.

The tools involved are very powerful and address complex issues. They are designed to perform automation behind the scenes and are not typically used by average business users.

An example of IAM program implementation

Even if the program involves many actors, it must be driven by an Information Security representative (typically, the Chief Information Security Officer). In addition to intervening directly in the program, he must, with the help of other stakeholders, define the main steps of the program. The following approach gives an overall idea of what may be proposed:

1 Analysis of the current situation of the organisation
  • Scope and context;
  • Organizational structure/roles and responsibilities;
  • Needs and constraints (business, budget, functional and technical needs, etc.);
  • Identification of stakeholders and their integration into the project: IAM is a transversal project that requires the business, IT and Human Resources.
2 Definition of the governance component
  • Definition of the security policies related to IAM to formalize the organisation’s objectives/requirements;
  • Validation of these policies by the Management to support potentially significant changes;
  • Definition of processes that will support the identity/access lifecycle:
    • Identity management: arrival, change/mutation, departure;
    • Access management: access request, modification/exception request, deletion request;
    • Re-certification process: periodic review of accesses;
  • Definition of access based on:
    • A modelling of organizational roles (RBAC approach – Role Based Access Control);
    • The principle of least privilege;
    • The segregation of duties;
3 Selection of a solution
  • Comparative study of existing solutions on the market, taking into account the needs and constraints identified in the first step
4 Proof of concept
  • Deployment of the selected solution in a test environment;
  • Implementation of a sample of processes and roles to validate the solution.
5 Progressive deployment of the solution
  • Installation of the solution;
  • Technical configuration;
  • Functional configuration in accordance with the governance component (step 2).
6 Training
  • Training and assistance of stakeholders in the use of the solution

 

Communication is essential  throughout the implementation of the program: speaking with a single voice aligned with IT, the CISO should give all stakeholders visibility of the evolution of the program, including any difficulties encountered, upcoming modifications and changes, etc.

Of course, the momentum that established the IAM program should not stop once it is implemented. In a similar way to the Deming cycle (Plan, Do, Check, Act), a successful program should adapt to industry changes and stakeholder viewpoints, through periodic review and refinement.

Top