As workloads move to Cloud Service Providers as IaaS, PaaS or SaaS offerings, identity, access and data are the areas that stay with the customer under every shared-responsibility model: they are the customer's responsibility and the customer's accountability. They can only be decided and assigned by owners who know “Who is Who”, “Who needs access to What” and “For how long”.
This in turn feeds the plans around Data Security, which are of course augmented by other security best practices, but all of that depends heavily on one simple question:
“Does the new person or system (and, more recently, the bot) that has joined our organization have access, and if so, is that access based on the least privilege and need-to-know principles?”
If we look at IAM as a program, it consists of the key sections described below.
Executive Summary
Identity and Access Management (IAM) is the process of creating value and addressing IT governance and compliance through effectively and efficiently managing:
- Creation of user identities (accounts) in application systems
- Authenticating the identity of users
- Managing users’ access to information resources
- Monitoring what users are doing with that access
- Improving provisioning turnaround times
Weak controls in current IAM processes are a significant obstacle to achieving audit reliance on controls across key business systems. Once this is formally recognized by the organization, its business units and its security team, an IAM Program is born.
In addition, IAM processes (notably onboarding of new users, movement within the organization and final termination controls) should underpin the organization’s own governance framework and regulatory compliance.
Left unmanaged, this can result in an end-to-end lead time of several days before a new hire gets the required access. In the meantime user accounts get shared, with limited ability to track an individual user’s authorizations and activity.
The lack of appropriate processes and controls for de-provisioning users leads to orphaned accounts in multiple applications for users who have already left the organization or moved to other departments. In addition, there are users who retain access they no longer need for their current job role. Key management stakeholders, such as the CISO/CTO, also consider this one of the main causes of fraud in an organization.
An IAM program aims to design and develop a robust IT Controls Framework for the organization around an Identity and Access Management suite, and thereby aid in the creation of an effective IT controls environment.
Business Drivers
This section defines the business drivers behind the Identity and Access Management efforts within an organization. It also lists the Critical Success Factors that the project must meet to be declared a success.
1) Goals
- Devise efficient systems that allow the organization to comply effectively with its regulatory obligations, such as SOX and other mandated frameworks.
- Protect sensitive and personally identifiable (SPI) client data, which allows the organization to maintain and gain the trust of its customers.
- Streamline the user identity and access management process across IT systems, which enhances productivity per person.
- Reduce the cost of administration related to user IDs, passwords, account approvals, etc., which in turn frees critical and specialized system administrators for more productive work.
- Reduce the cost of audits and governance by providing a consolidated, real-time view of the access held by each user across multiple IT systems. This also allows the organization to detect fraud proactively and act before its brand is damaged.
From these business goals, the following objectives are derived for the improved Identity and Access Management processes and controls: improved compliance; reduction of financial, legal, regulatory and operational risk; cost containment; and business agility.
The objective of the organization’s IAM Program is to manage and improve reliance on controls over core revenue-generating and high-risk systems through:
- Creation of user identities in appropriate IT and business applications
- Verification of user identities
- Appropriate authorization of users into systems
- Management of changes to users’ roles and their related access
- Removal of user access when access is no longer required
- Maintaining an audit trail of the end-to-end user account lifecycle
- Rationalized and simplified provisioning processes
- Tracked allocation of assets and software licenses to individual users
2) Value Proposition
The proposed Identity and Access Management solution will help the organization in:
- Establishing a unified user ID across its IT systems, which leads to increased productivity and better traceability of user activities.
- Streamlining and automating the user account lifecycle process (creation, modification, deletion), which shortens turnaround time, increases user productivity and simplifies user account administration.
- Establishing an access governance process using proven features such as account recertification and reconciliation.
- Providing a unified, centralized, real-time view of the access held by an individual, which improves the security posture and helps satisfy regulatory requirements.
3) Success Criteria:
An IAM Program can be considered a success if it delivers the high-level capabilities below.
- Establish a framework for user account lifecycle management processes
- Establish a user ID policy that allows a single user ID to be used across the organization
- Automated approval workflow for requesting and verifying required system access
- Automated granting of user access and profiles
- Reduced user account provisioning time
- Near-instantaneous revocation of user accounts on critical systems
- Establish a framework for the access management process
- Establish a framework and infrastructure for Single Sign On (SSO) across applications
- A portal providing access to entitled applications, which improves the organization’s security posture and the user experience
- Establish an efficient process to meet audit and compliance requirements
- A centralized location providing data on all accounts existing on managed IT systems, for example dormant (inactive) accounts and non-compliant accounts
- A self-service console for users to request access and perform password resets (good to have)
- Reduced password reset calls (cost efficiency)
- A common, architecture-driven, standards-based infrastructure with capabilities that can be shared across and possibly outside the enterprise, providing secured access, threat-aware identity intelligence and compliance services across applications and systems
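The reconciliation and dormant-account reporting listed in the success criteria above, and the orphaned-account and mover problems described in the Executive Summary, can be shown in a small reconciliation script. This is an added example written for this page, not code from the original post or from any IAM product. It assumes an HR feed as the authoritative list of identities, per-application account exports, a department-to-role matrix and a 90-day dormancy threshold; all of these, and the sample data, are constructed here for illustration.

```python
"""Added example: reconcile application accounts against an HR source of truth.

Flags the conditions the text describes: orphaned accounts (no identity behind
them), accounts of terminated identities (leavers), dormant accounts, and movers
who kept access their new department is not entitled to.  All data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical threshold: no login for more than this many days means dormant.
DORMANT_DAYS = 90

# Hypothetical department-to-role matrix: the roles a department may hold.
# Anything outside this set is "excess access" and goes to recertification.
ALLOWED_ROLES: Dict[str, frozenset] = {
    "finance": frozenset({"ERP_AP_CLERK", "ERP_GL_READ"}),
    "engineering": frozenset({"GIT_DEVELOPER", "CI_RUNNER"}),
    "hr": frozenset({"HRIS_USER"}),
}

# Fixed reference date so the example is reproducible offline.
TODAY = date(2024, 6, 30)


@dataclass(frozen=True)
class Identity:
    """One row of the HR feed (the authoritative source of 'Who is Who')."""
    user_id: str
    department: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    """One row of an application's account export."""
    app: str
    user_id: str
    roles: frozenset
    last_login: Optional[date]  # None means the account has never logged in


@dataclass(frozen=True)
class Finding:
    app: str
    user_id: str
    kind: str    # orphan | terminated | dormant | excess_access
    detail: str


def reconcile(identities: List[Identity], accounts: List[Account],
              today: date = TODAY, dormant_days: int = DORMANT_DAYS) -> List[Finding]:
    """Compare every application account with the HR feed and report exceptions."""
    by_id = {i.user_id: i for i in identities}
    findings: List[Finding] = []
    for acct in accounts:
        ident = by_id.get(acct.user_id)
        if ident is None:
            # The application knows the account, but nobody in HR owns it.
            findings.append(Finding(acct.app, acct.user_id, "orphan",
                                    "no matching identity in HR feed"))
            continue
        if ident.status == "terminated":
            # Leaver whose account was never de-provisioned.
            findings.append(Finding(acct.app, acct.user_id, "terminated",
                                    "identity terminated but account still enabled"))
            continue
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.app, acct.user_id, "dormant",
                                    f"no login in the last {dormant_days} days"))
        # Mover check: roles not permitted for the user's *current* department.
        excess = acct.roles - ALLOWED_ROLES.get(ident.department, frozenset())
        if excess:
            findings.append(Finding(acct.app, acct.user_id, "excess_access",
                                    f"roles {sorted(excess)} not allowed for "
                                    f"department '{ident.department}'"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, for a dashboard or audit report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_example() -> List[Finding]:
    """Constructed HR feed and account exports; returns the reconciliation findings."""
    identities = [
        Identity("alice", "finance", "active"),
        Identity("bob", "engineering", "active"),   # moved here from finance
        Identity("carol", "hr", "terminated"),      # left last month
    ]
    accounts = [
        Account("ERP", "alice", frozenset({"ERP_AP_CLERK"}), TODAY - timedelta(days=5)),
        Account("ERP", "bob", frozenset({"ERP_AP_CLERK"}), TODAY - timedelta(days=120)),
        Account("ERP", "carol", frozenset({"ERP_GL_READ"}), TODAY - timedelta(days=30)),
        Account("GIT", "bob", frozenset({"GIT_DEVELOPER"}), TODAY - timedelta(days=1)),
        Account("GIT", "dave", frozenset({"GIT_DEVELOPER"}), None),  # not in HR at all
    ]
    return reconcile(identities, accounts)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.app:4} {f.user_id:6} {f.kind:14} {f.detail}")
    print(summarize(run_example()))
```

Run as a script it prints one line per exception: bob's ERP account is both dormant and carrying a finance role he no longer needs after his move, carol's ERP account survived her termination, and dave's GIT account has no identity behind it at all; alice produces nothing. In a real program the HR feed is the only source of truth, the exports come from the connectors of the managed systems, and the findings feed the recertification queue rather than a print statement.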
With that we conclude this post, and hope to continue this series as an organic, evolving one in which more information is shared and put up for discussion.