One of the most important topics for an organisation today is managing its digital identities and their access to its information systems. This is not an easy task: it requires strong commitment from a wide range of stakeholders, as well as careful preparation and planning in terms of both time and budget.
What is Identity and Access Management, and why is it important?
Identity and Access Management refers to a set of business processes and supporting technologies that enable the creation, maintenance, and use of a digital identity. Overall, it covers three primary areas: governance, provisioning and intelligence.
Identity and access management is a vital information safeguard. It exists to protect sensitive information from the ever-evolving landscape of security threats. When properly implemented, IAM solutions assist in enabling proactive security risk identification and mitigation, allowing a company to pinpoint policy violations, or remove inappropriate access privileges.
Governance and Intelligence
The field of Identity and Access Governance covers four main components:
- Processes to validate that existing permissions are appropriate and comply with corporate policies;
- Processes to audit identity and access processes and results, demonstrate controls, define policies about who should have access to what resources (governance), demonstrate compliance with regulatory requirements and company standards, and remediate any issues uncovered;
- Processes to define roles and to request and approve access to data, applications and other information technology resources;
- Monitoring and analysis tools to detect vulnerabilities, assess risk, and improve compliance with requirements and standards.
Provisioning
Identity and Access Provisioning covers the automation of provisioning and de-provisioning access to applications and IT resources, and manages that access throughout the user's lifecycle within the organisation. Key IAM functions, such as password management, advanced authentication and single sign-on, are part of provisioning and lifecycle management.
IT requirements drive Identity and Access Provisioning:
- Provisioning application and server access;
- Providing trusted authentication mechanisms that ensure users are who they say they are;
- Simplifying secure sign-on processes;
- Allocating access for SaaS resources and mobile devices;
- Administering Active Directory functions;
- Providing detailed, privileged administration capabilities for IT personnel.
The tools involved are very powerful and address complex issues. They are designed to perform automation behind the scenes and are not typically used by average business users.
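The two process families above, governance (validating that existing permissions comply with policy and remediating what does not) and provisioning (granting and revoking access as people join, move and leave), meet in a reconciliation step that compares what the HR system says a person should have against what the target systems actually grant. The following Python script is an added illustration of that step, not code from the original article or from any IAM product. Everything in it is constructed: the role catalogue, the entitlement names (`erp:read`, `git:push`, ...), the HR feed, the access snapshot and the single separation-of-duties rule are hypothetical sample data chosen to exercise the joiner, mover, leaver and orphan-account cases.

```python
"""Reconcile HR-driven roles against actual entitlements (joiner / mover / leaver).

Added example, not part of the original article. All names below are constructed.
"""
from dataclasses import dataclass, field

# Constructed role catalogue: the entitlements a business role is *supposed* to carry.
ROLE_CATALOGUE = {
    "finance-analyst": {"erp:read", "erp:post-journal"},
    "finance-manager": {"erp:read", "erp:approve-payment"},
    "engineer": {"git:push", "ci:run"},
}

# Constructed separation-of-duties rule: one person must not hold both entitlements.
SOD_RULES = [("erp:post-journal", "erp:approve-payment")]

# Constructed HR feed: the authoritative record of who works here and in what role.
HR_FEED = [
    {"user": "alice", "role": "finance-analyst", "status": "active"},
    {"user": "bob", "role": "engineer", "status": "active"},          # moved from finance
    {"user": "carol", "role": "finance-manager", "status": "terminated"},
]

# Constructed snapshot of what the target systems actually grant today.
CURRENT_ACCESS = {
    "alice": {"erp:read", "erp:post-journal", "erp:approve-payment"},  # SoD conflict
    "bob": {"erp:read", "git:push"},                                     # stale after move
    "carol": {"erp:read", "erp:approve-payment"},                        # leaver still active
    "svc-legacy": {"ci:run"},                                            # no HR record
}


@dataclass
class ReconcileResult:
    grants: dict = field(default_factory=dict)          # user -> entitlements to add
    revocations: dict = field(default_factory=dict)     # user -> entitlements to remove
    deprovision_accounts: list = field(default_factory=list)  # no active HR owner
    sod_violations: list = field(default_factory=list)  # (user, entitlement_a, entitlement_b)


def reconcile(hr_feed, current_access, catalogue, sod_rules):
    """Compute the provisioning actions and policy findings for one review cycle."""
    result = ReconcileResult()
    active = {r["user"]: r["role"] for r in hr_feed if r["status"] == "active"}

    # Joiners and movers: desired access is derived from the role, never from
    # whatever happens to exist today, so stale permissions from a previous
    # role show up as revocations rather than being silently kept.
    for user, role in active.items():
        desired = catalogue.get(role, set())
        have = current_access.get(user, set())
        if desired - have:
            result.grants[user] = sorted(desired - have)
        if have - desired:
            result.revocations[user] = sorted(have - desired)

    # Leavers and accounts unknown to HR: every entitlement is revoked and the
    # account is flagged so an owner can be found or the account disabled.
    for user, have in current_access.items():
        if user not in active and have:
            result.deprovision_accounts.append(user)
            result.revocations[user] = sorted(have)

    # Governance check on the *current* state: conflicting entitlements held together.
    for user, have in current_access.items():
        for a, b in sod_rules:
            if a in have and b in have:
                result.sod_violations.append((user, a, b))

    return result


if __name__ == "__main__":
    r = reconcile(HR_FEED, CURRENT_ACCESS, ROLE_CATALOGUE, SOD_RULES)
    print("grant:", r.grants)
    print("revoke:", r.revocations)
    print("deprovision:", r.deprovision_accounts)
    print("SoD violations:", r.sod_violations)
```

Run on the constructed data, the script grants `bob` the `ci:run` he is missing in his new role, revokes his leftover `erp:read`, strips `alice`'s out-of-role `erp:approve-payment` (which is also the source of her separation-of-duties conflict), and marks `carol` (terminated) and `svc-legacy` (no HR record) for full de-provisioning. The design choice worth noting is that desired access is always recomputed from the role catalogue; reading it from the current state would make the review confirm whatever already exists.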
An example of IAM program implementation
Even if the program involves many actors, it must be driven by an Information Security representative (typically, the Chief Information Security Officer). In addition to taking a direct part in the program, the CISO must, with the help of other stakeholders, define its main steps. The following approach gives an overall idea of what may be proposed:
1. Analysis of the current situation of the organisation
2. Definition of the governance component
3. Selection of a solution
4. Proof of concept
5. Progressive deployment of the solution
6. Training
Communication is essential throughout the implementation of the program: speaking with a single voice aligned with IT, the CISO should give all stakeholders visibility of the evolution of the program, including any difficulties encountered, upcoming modifications and changes, etc.
Of course, the momentum that established the IAM program should not stop once it is implemented. In a similar way to the Deming cycle (Plan, Do, Check, Act), a successful program should adapt to industry changes and stakeholder viewpoints, through periodic review and refinement.