The ever-vigilant battle of Identity and Access Management (IAM)
Updated: Aug 13, 2020
In today’s always-connected work environment, knowing who has access to your company’s digital assets and, more importantly, the level of access they have is paramount. After all, one of the best lines of defense in the never-ending battle of cyber security is simply controlling the known—the unknown is a different story.
The best way to tackle controlling the known is to follow the basics of Identity and Access Management (IAM)—something that never gets old, but in many instances can be trapped at a point in time, whenever that last IAM or Active Directory cleanup project was completed. The important thing as it pertains to IAM is that it’s not a “set and forget” practice. It takes ongoing due diligence that must be continually managed through organizational and technological change to ensure your digital assets are safe. But the question then becomes: Who is responsible for guarding the proverbial gates?
In many cases, the practice falls directly on IT, a somewhat logical place to begin as IT security usually falls within the realm of the IT department. However, with so many changes in the rapidly evolving cloud era, the idea that IT can seemingly do it all is no longer realistic. Though IT will almost always be responsible for the systems and infrastructure itself, the management of IAM can and should fall on the administrative side of the business.
An easy way to look at this is through the role of the “gatekeeper.” There are many roles such as employees, contractors, partners, and others, but many of these roles are largely managed through administrative silos. This means that the information regarding what these roles should have access to is largely held by those in HR, Payroll, Project Managers, Application and System Owners, and so on. As new people come on board, employees move between roles and departments, and people leave or are terminated—these scenarios should fall squarely on security administration teams through a set of Identity and Access systems, along with a set of policies and procedures dedicated to IAM and all things compliance related.
But like any managerial procedure, the question of “how” ultimately presents itself. There are a few simple steps organizations can follow that can help with IAM.
The first is that of defining those who work within your organization. Knowing who is who may seem trivial to some; however, being able to identify the difference between employees, contractors, consultants, etc., becomes the building block of a solid IAM practice. Often, there are multiple systems of record, and some person types are managed on spreadsheets within departments. Centralizing an identity store is a must.
Second, once your workforce is defined in a way that is uniquely identifiable, the ability to manage identities will become evident, even if not simple. The best way to do so is to implement a centralized system of management for all identities within the organization. This system should provide a consolidated view of all identities, enable the management of many access types through a management console available to appropriate roles, and include automation that retires older, out-of-date identities, orphaned identities, or simply unneeded ones. This ensures that every user account ID is accounted for at all times. A good place to start is the primary systems within a company’s IT infrastructure, such as Active Directory, mail, and critical systems such as ERP.
These systems, though not exhaustive since there are always exceptions to every rule, will provide the majority of insight in the most expedited way. And once these disparate systems have been integrated and audited, the next step will become one of ongoing access review, attestation, and access management.
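The audit described in the steps above, in code: reconciling the account inventories of several systems (Active Directory, mail, ERP) against the person system of record to flag orphaned, leaver and expired-engagement accounts. This is an added example, not code from the article; the person records, account lists and finding categories are constructed for illustration.

```python
from datetime import date

# Constructed person system of record (HR): person type, status, engagement end date.
PEOPLE = {
    "p001": {"type": "employee",   "status": "active",     "end": None},
    "p002": {"type": "contractor", "status": "active",     "end": date(2020, 6, 30)},
    "p003": {"type": "employee",   "status": "terminated", "end": date(2020, 7, 15)},
}

# Constructed account inventories: (system, account id, owner person id or None, enabled).
ACCOUNTS = [
    ("AD",   "jdoe",             "p001", True),
    ("Mail", "jdoe@example.com", "p001", True),
    ("ERP",  "svc_batch",        None,   True),   # no person of record behind it
    ("AD",   "contr42",          "p002", True),   # contractor whose end date has passed
    ("AD",   "bsmith",           "p003", True),   # leaver whose account is still enabled
    ("ERP",  "bsmith",           "p003", False),  # leaver, already disabled: no finding
]

def reconcile(people, accounts, today):
    """Return (system, account, finding) for every enabled account that is not
    backed by an active, current person in the system of record."""
    findings = []
    for system, acct, owner, enabled in accounts:
        person = people.get(owner)
        if person is None:
            findings.append((system, acct, "orphaned: no owner in system of record"))
        elif enabled and person["status"] == "terminated":
            findings.append((system, acct, "leaver: enabled account for terminated person"))
        elif enabled and person["end"] is not None and person["end"] < today:
            findings.append((system, acct,
                             f"expired: {person['type']} engagement ended {person['end']}"))
    return findings

def people_without_accounts(people, accounts):
    """Active persons with no account anywhere: a coverage gap in the inventory."""
    owners = {owner for _, _, owner, _ in accounts}
    return sorted(pid for pid, p in people.items()
                  if p["status"] == "active" and pid not in owners)

if __name__ == "__main__":
    for system, acct, finding in reconcile(PEOPLE, ACCOUNTS, date(2020, 8, 13)):
        print(f"{system:<5} {acct:<18} {finding}")
    print("active persons with no account:", people_without_accounts(PEOPLE, ACCOUNTS))
```

Each finding maps to an owner-side decision (disable, extend the engagement, or assign an owner), which is the hand-off into the access review and attestation step.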
Implementing a company-wide program for IAM will require both providing business owners with the knowledge of who resides in the system and granting those owners control and accountability over access. Working closely with IT to identify current access of individuals—an inventory of identities and permissions—and providing standardized IAM practices will enable business owners to then become the true custodians of systems, data, and applications as typically defined by policy.
This will require implementing a workflow: a request and approval process that ensures changes are well managed and documented, and that lets those seeking permissions request them through a centralized Identity Management system driven by person systems of record. It’s this centralization and workflow that will help remove IT from the decision-making phase, enabling them to concentrate on IT service delivery.
A primary outcome of a qualifiable and quantifiable Identity Management system and process, driven by person systems of record, combined with well-defined procedures that outline all aspects of IAM, is that companies will inevitably become compliant with key access related regulatory mandates. This is a critical requirement as more and more organizations must adhere to strict industry and government regulations and simultaneously open the IT service landscape to the cloud.
Always follow the cardinal rule of “check, re-check, and then check again.” Maintaining a watchful eye on all things associated with IAM is essential for success. As mentioned, IAM is never a set-it-and-forget-it scenario. Knowing who has access to what, when, and how is just part of the ever-vigilant battle of Identity and Access Management—a war that is never won, but one that can be fought successfully by keeping an eye on the fortress gates.