Managing User Access and Identity for Better Security
Managing user access and identity has been a growing pain for years. We are no longer supporting only human identities. The explosion of new smart devices is not making identity and access governance any easier: we have very little control over these devices, yet they are penetrating our networks and connecting to our systems. We can no longer ignore IoT (Internet of Things) devices, because they are becoming an integral part of running information and operational technology. Existing and emerging regulatory and compliance requirements are enough to last us a lifetime. If you are a public company, Sarbanes-Oxley requires rigorous discipline around granting, revoking, and auditing access controls, and so do many other compliance programs (e.g. PCI DSS, FFIEC) and frameworks (e.g. NIST, ISO). At a minimum, these regulations and standards require proper user management: timely onboarding and offboarding, segregation of duties and least privilege, and regular access reviews. Compliance is not easy; manual compliance is even harder. That is why audits still find orphan accounts and missing terminations across business applications year after year.
According to the 2018 Verizon Data Breach Investigations Report, compromised accounts and circumvented access controls were responsible for the majority of breaches in 2017.
Mergers and acquisitions further exacerbate the problem. Enterprises are often under time constraints to integrate another entity in record time, which leads to a multiplication of directory services and to foreign user identities that are not properly accounted for. Legacy applications and duplicated services put additional strain on an already complex problem.
Lack of proper governance over user identity has haunted us for decades. For years we have been looking for a silver bullet, and one simply does not exist. Identity Governance and Administration (IGA) is an integral part of an Identity and Access Management program and focuses on access entitlement, access certification, and policy-based provisioning. The key word in IGA is governance, and governance over identity comes first. It is not uncommon for organizations to create processes and then leave them unreviewed for years. Manual processes are not effective. To succeed, business leaders need to understand and acknowledge that identity management is a business problem; IT can't solve it alone. There are plenty of tools that can help, but they don't fix broken processes or a lack of business involvement.
So, what are the steps to creating an Identity Governance and Administration program that works?
• Focus on what is important to the business. Not everything connects to everything, complex customization is often required, and so not everything can be automated. Find the biggest risk or the biggest pain point. We are often driven by the need for quick results on a business risk or compliance problem: account provisioning and termination, or the time and resources consumed by Segregation of Duties (SoD) reviews, to name a few. Evaluate risk, dependencies, and the cost of automation before moving forward with your project. Ask business leaders what their pain points are. A successful IGA program requires buy-in across all business units and management support.
• Get the processes corrected first. Deficiencies in the original processes that are carried over and automated will not produce the expected results. IGA is not about end-to-end automation but about efficiency and consistent business processes. These can differ across applications or lines of business, and that is okay. Iron out the process; the tool can then automate it and produce a consistent outcome.
• Business participation is crucial. Entitlement and onboarding should be driven by Human Resources. Different processes have to be built for internal and external identities. Contractor and vendor accounts pose the highest risk and usually have the weakest processes. HR, the contingent-workforce group, and vendor management should serve as the sources of truth for identity and entitlement. Access to a system or application should be designed around business functions or roles, and the business owner of the system, data, or application is the one who determines the level of entitlement. Automating controls helps reduce rubber-stamped entitlement approvals and the certification nightmare. Regular entitlements should be granted through role-based or policy-based access; emergency, contingent-worker, and temporary access should be handled through an access approval workflow.
• Start small. Full IGA is hard to implement, and most vendors overpromise. Small wins help drive the program, while a lack of consistent, regular success creates business fatigue. Focus on the riskiest and most critical accounts and applications. Deal with individual user accounts first, then investigate groups, and leave service accounts for last. Access entitlement and provisioning, user roles, and policy management can get complex, so start with one application or business unit. Access certification can help with regulatory and compliance requirements. Don't underestimate the effort: many components have dependencies that need to be evaluated, and existing bad processes are what break most IGA implementations. Additionally, any tool that users interact with must be frictionless and reduce existing pain points, or it won't be adopted.
• Look outside of IGA for complements and small wins that support your IAM program. For example, Self-Service Password Management is in many cases a standalone product with little or no dependency on other components, but it can be a big win in user acceptance. Properly implemented, it lets users handle password resets and account lockouts without calling the service desk. Privileged Access Management is an IAM discipline of its own, but many vendors provide discovery tools that can help you learn what you have in your environment. If you have a very large and complex environment, this can help with an inventory of your universe.
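The recurring audit findings above (orphan accounts, missing terminations, SoD conflicts, entitlements outside a person's role) are all things a reconciliation job can surface automatically once HR and the contingent-workforce roster are treated as the source of truth. The script below is an added example, not code from the original article or from any IGA vendor: it joins constructed sample rosters and application accounts, flags enabled accounts with no owner, accounts whose owner has left or whose contract has expired, SoD conflicts evaluated per person across all of that person's accounts (so a conflict split over two logins is still caught), and entitlements not explained by the owner's business roles. The role model, SoD matrix, grace period, and the entitlement names are all assumptions for illustration.

```python
"""Reconcile application accounts against HR and contingent-workforce sources of truth.

Added example (not the article's own tooling). All rosters, roles, entitlement
names and the reference date are constructed sample data; a real job would
pull these from the HRIS, the vendor-management system and the target application.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    person_id: str
    source: str                 # "hr" for employees, "cw" for contingent workers
    terminated: bool            # set by HR on offboarding
    end_date: Optional[date]    # contract end for contingent workers, None for employees
    roles: FrozenSet[str]       # business roles assigned by the data/application owner


@dataclass(frozen=True)
class Account:
    username: str
    owner: Optional[str]        # person_id from the identity source, None if the attribute is missing
    enabled: bool
    entitlements: FrozenSet[str]


# Assumed SoD policy: sets of entitlements one person may not hold at the same time.
SOD_CONFLICTS = [
    frozenset({"ap.create_vendor", "ap.approve_payment"}),
    frozenset({"gl.post_journal", "gl.approve_journal"}),
]

# Assumed role model: the entitlements each business role is expected to grant.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "ap_clerk": frozenset({"ap.create_vendor", "ap.enter_invoice"}),
    "ap_manager": frozenset({"ap.approve_payment", "ap.view_reports"}),
    "gl_accountant": frozenset({"gl.post_journal"}),
    "gl_controller": frozenset({"gl.approve_journal", "gl.view_reports"}),
}

Finding = Tuple[str, str, str]  # (category, subject, detail)


def reconcile(identities: List[Identity], accounts: List[Account],
              today: date, grace_days: int = 1) -> List[Finding]:
    """Return sorted findings: orphan, stale, sod and out_of_role."""
    people = {i.person_id: i for i in identities}
    held: Dict[str, Set[str]] = {}   # person_id -> entitlements across all enabled accounts
    findings: List[Finding] = []

    for acct in accounts:
        if not acct.enabled:
            continue                  # disabled accounts are not an access risk for this check
        ident = people.get(acct.owner) if acct.owner else None
        if ident is None:
            findings.append(("orphan", acct.username, "no owner in HR or contingent-workforce roster"))
            continue
        expired = ident.end_date is not None and today > ident.end_date + timedelta(days=grace_days)
        if ident.terminated or expired:
            findings.append(("stale", acct.username, f"owner {ident.person_id} has left but account is enabled"))
        held.setdefault(ident.person_id, set()).update(acct.entitlements)

    for pid, ents in held.items():
        for pair in SOD_CONFLICTS:    # evaluate SoD per person, not per login
            if pair <= ents:
                findings.append(("sod", pid, " + ".join(sorted(pair))))
        expected = frozenset().union(*(ROLE_ENTITLEMENTS.get(r, frozenset()) for r in people[pid].roles))
        extra = ents - expected       # anything not explained by the person's roles
        if extra:
            findings.append(("out_of_role", pid, ", ".join(sorted(extra))))

    return sorted(findings)


# Constructed sample data.
TODAY = date(2018, 9, 30)
SAMPLE_IDENTITIES = [
    Identity("E100", "hr", False, None, frozenset({"ap_clerk"})),
    Identity("E101", "hr", True, None, frozenset({"ap_manager"})),               # offboarded employee
    Identity("C200", "cw", False, date(2018, 9, 15), frozenset({"gl_accountant"})),  # contract ended
    Identity("E102", "hr", False, None, frozenset({"gl_accountant"})),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "E100", True, frozenset({"ap.create_vendor", "ap.enter_invoice", "ap.approve_payment"})),
    Account("asmith", "E101", True, frozenset({"ap.approve_payment"})),
    Account("vendor_bob", "C200", True, frozenset({"gl.post_journal"})),
    Account("svc_batch", None, True, frozenset({"gl.post_journal"})),           # no owner attribute
    Account("mlee", "E102", True, frozenset({"gl.post_journal"})),
    Account("mlee_admin", "E102", True, frozenset({"gl.approve_journal"})),     # second login, same person
    Account("old_acct", "E999", False, frozenset()),                            # disabled, ignored
]

if __name__ == "__main__":
    for category, subject, detail in reconcile(SAMPLE_IDENTITIES, SAMPLE_ACCOUNTS, TODAY):
        print(f"{category:12} {subject:12} {detail}")
```

Two design choices are worth noting. The grace period exists because HR termination dates and the application's deprovisioning batch rarely line up to the day; a one-day window keeps the report actionable instead of noisy. And SoD is evaluated on the union of a person's entitlements rather than per login, because "one conflict per account" is exactly the gap a second administrative account slips through.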
Solving the Identity and Access Management problem is a long journey. It requires vision, planning, and business support. Start with the last of these to pave the path to a successful implementation.