Some Leading Practices in Identity and Access Management

By Scott Smith
Associate

Whether talking to people at large companies or small companies, when we bring up the topic of Identity and Access Management (IAM) we often hear a lot of the same comments…

  • “I am concerned that we have employees who have been here 10 years, and have access to everything, but I don’t know how to control that risk.”
  • “Of course we have password policies…but I’m not sure they’re being enforced.”
  • “I recently discovered an account for someone who left the company 14 months ago.”
  • “Half the people in our IT department have global permissions—they can access anything.”

Given the fact that IAM is at the core of a strong security program (as explained in my previous article, “An Introduction to Identity and Access Management”), getting IAM right is vital. Here are some of the current leading practices in Identity and Access Management:

  • Deploy Strong Multi-Factor Authentication – As part of the identity management process, the leading practice is to require a second factor at login in addition to the password: a one-time password sent via text or email, or better yet, a software token (an authenticator app) or a hardware token. This helps ensure that the person who logged in is who you think they are, and not someone who has stolen their login credentials. Note that codes delivered by SMS or email are the weakest option, since they can be phished or intercepted (for example through SIM swapping); tokens that generate the code locally, or hardware keys, are the stronger choice.
  • Use Privileged Access Management – Privileged access management, which focuses on the special requirements of user accounts that have high level access to an IT system, is typically applied to the administrators and engineers who work “under the hood” in databases, operating systems, and network devices. While this access is necessary, there is a greater risk associated with these user accounts. Privileged access management tools offer greater control and accountability.
  • Enforce Segregation of Duties (SoD) – When deciding who will have access to which parts of your system, it’s important to define and implement appropriate SoD policies, and ensure that the system checks for this.

A good example of SoD in IAM is in the area of software development. Most software developers only need access to the development servers; they should not have access to the production servers. This ensures that proper quality control takes place before the code is moved from the development servers to the production environment.

  • Institute Periodic Recertification Campaigns – What often happens in organizations is that as employees move around within the organization they just keep accumulating system access permissions (see Least Privilege, below). In many organizations, nobody ever thinks to go through and ask why this person still has access to the accounts receivable system now that they’re in the marketing department.

To avoid situations like this, and to ensure least privilege, the IAM leading practice is to have a regularly-scheduled recertification process for sensitive systems, whereby once a year or once a quarter all access permissions must be recertified. While some organizations must do this for regulatory compliance reasons, it is a leading practice for all organizations.

  • Ensure Least Privilege – Each person should only have the accesses which they actually need to do their job. No one should have unnecessary privileges, or privileges that were once appropriate but no longer apply. Attackers often target users who have large aggregations of entitlements, as this makes it easier for them to expand their access to a target network.
  • Put Joiner/Mover/Leaver Workflows in Place – When a worker joins a company or moves into a new department, a system needs to be in place to determine what accesses that person now needs. Leading practices call for having automated, well-defined approval processes for whatever access is requested, as well as connectivity with the HR database.

For example, say Mary moves from Accounts Payable to Accounts Receivable. In addition to “standard entitlements” for her position, Mary’s new manager says that she needs special access to a particularly sensitive set of financial data. Policies should be put in place to ensure appropriate approvals for this added access. These policies may include escalated approvals, etc.

Some access—such as the ability to login to the Human Resources system and see your own personal information, the ability to receive email, etc.—will often be granted as “birthright accesses,” since approvals may not be needed, and could hinder productivity.
It is especially important to discontinue unneeded permissions for those who move to a new role, and to suspend or remove all access for those who leave. These policies need to be in place for anyone who has access to the system, including employees, contract workers and outside vendors.

  • Apply Roles Modeling – An important aspect of access management is to define who should have access to what based on their job function. In roles modeling you look at the business role of every position in the company and define accesses based on the job requirements of these roles. Roles modeling creates standard “least privilege” access combinations that reduce risk, and also creates standard approval cycles for management.

For larger organizations the leading practice here is for the governance committee to create a workflow that enables each department to define and approve roles and their associated entitlements. Generally speaking, a manager will define the roles and entitlements for their direct reports, and that person’s manager will approve it.

  • Create Audit Trails – As with any system, it is important to ensure that all changes, additions and deletions result in an audit trail. This is important for trouble-shooting purposes if something goes wrong, and for governance purposes to ensure all such changes are appropriate.
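The checks behind the recertification, least privilege, segregation of duties and joiner/mover/leaver items above can be automated, and a recertification campaign is much more effective when the reviewer is handed a worklist of exceptions rather than a raw entitlement dump. The following is an added example, not code from the article or from any IAM product, that reconciles a directory export against an HR roster, a role model and a set of SoD rules. All users, entitlements and dates are constructed for illustration: Mary has moved from Accounts Payable to Accounts Receivable and kept her old AP access, Eve has moved from AR to Marketing, Bob can reach production, the HVAC vendor’s contract has ended, and a service account has no owner in HR.

```python
from datetime import date

# ---- Constructed sample data (made up for this example, not from the article) ----
# HR system of record: the authority on who works here, in what role, and whether they still do.
HR_ROSTER = {
    "mary":        {"role": "ar_clerk",  "status": "active"},      # moved from AP to AR
    "bob":         {"role": "developer", "status": "active"},
    "eve":         {"role": "marketing", "status": "active"},      # moved from AR to Marketing
    "hvac-vendor": {"role": "vendor",    "status": "terminated"},  # contract ended, account still live
}

# Export from the directory / IAM tool: who actually holds which entitlements today.
ACCOUNTS = [
    {"user": "mary", "entitlements": {"email", "erp_ar_read", "erp_ar_write", "erp_ap_write"}, "last_login": "2017-05-20"},
    {"user": "bob", "entitlements": {"email", "git_push", "dev_ssh", "prod_ssh"}, "last_login": "2017-05-28"},
    {"user": "eve", "entitlements": {"email", "marketing_cms", "erp_ar_read"}, "last_login": "2017-05-29"},
    {"user": "hvac-vendor", "entitlements": {"vendor_portal"}, "last_login": "2016-03-01"},
    {"user": "svc-backup", "entitlements": {"prod_ssh"}, "last_login": "2017-01-02"},  # no HR owner
]

# Role model: the least-privilege baseline each job function is entitled to (birthright plus role access).
ROLE_MODEL = {
    "ar_clerk":  {"email", "erp_ar_read", "erp_ar_write"},
    "developer": {"email", "git_push", "dev_ssh"},
    "marketing": {"email", "marketing_cms"},
    "vendor":    {"vendor_portal"},
}

# Segregation-of-duties rules: entitlement combinations no single account may hold.
SOD_RULES = [
    ({"dev_ssh", "prod_ssh"}, "developer with production access"),
    ({"erp_ap_write", "erp_ar_write"}, "can both pay and receive"),
]


def find_orphaned_accounts(accounts, hr):
    """Leaver check: accounts whose owner is absent from HR or no longer active."""
    findings = []
    for acct in accounts:
        record = hr.get(acct["user"])
        if record is None:
            findings.append((acct["user"], "no HR record"))
        elif record["status"] != "active":
            findings.append((acct["user"], record["status"]))
    return sorted(findings)


def find_dormant_accounts(accounts, today, max_idle_days=90):
    """Accounts unused for longer than policy allows; candidates for disablement."""
    findings = []
    for acct in accounts:
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > max_idle_days:
            findings.append((acct["user"], idle))
    return sorted(findings)


def find_excess_entitlements(accounts, hr, role_model):
    """Mover / least-privilege check: entitlements beyond the owner's role baseline.
    These are the items a manager must explicitly recertify or revoke."""
    findings = {}
    for acct in accounts:
        record = hr.get(acct["user"])
        if record is None or record["status"] != "active":
            continue  # already reported by find_orphaned_accounts
        excess = acct["entitlements"] - role_model.get(record["role"], set())
        if excess:
            findings[acct["user"]] = sorted(excess)
    return findings


def find_sod_violations(accounts, sod_rules):
    """Flag any account holding a complete conflicting set of entitlements."""
    return sorted((acct["user"], reason) for acct in accounts
                  for conflict, reason in sod_rules if conflict <= acct["entitlements"])


def run_recertification(accounts, hr, role_model, sod_rules, today_iso):
    """Produce the campaign worklist for one review date (ISO 8601 string)."""
    today = date.fromisoformat(today_iso)
    return {
        "orphaned": find_orphaned_accounts(accounts, hr),
        "dormant": find_dormant_accounts(accounts, today),
        "excess": find_excess_entitlements(accounts, hr, role_model),
        "sod": find_sod_violations(accounts, sod_rules),
    }


if __name__ == "__main__":
    report = run_recertification(ACCOUNTS, HR_ROSTER, ROLE_MODEL, SOD_RULES, "2017-06-01")
    for section, items in report.items():
        print(f"{section}: {items}")
```

In practice the two inputs come from the HR system and the directory or IAM tool (this is the “connectivity with the HR database” the joiner/mover/leaver item calls for), the orphaned and dormant lists go straight to disablement, and the excess and SoD lists become the approval tasks routed to each user’s manager. Note that the checks are deliberately separate: an account can be orphaned and dormant at once, and a terminated owner is reported as a leaver rather than as a least-privilege exception.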

Need help getting an IAM system in place that addresses all leading practices? Give us a call. We’re experts at completing all of the strategic work (including creating the plan), handling the change management aspect of the project, and partnering with others for technical deployments. Let’s talk!


About Scott Smith

Scott is an experienced cyber security executive with more than 25 years of technology strategy, management and advisory experience. With an emphasis on driving technology success through effective business stakeholder engagement, he has strong project leadership experience on IT security strategy, governance and transformation projects.

About CIO Professional Services

Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.

Contact CIO Professional Services

An Introduction to Identity and Access Management

By Scott Smith
Associate

Four years ago, in 2013, Target suffered a data breach that caught the attention of consumers and executives everywhere. Starting with a login stolen from an HVAC contractor, the attackers gained a foothold on Target’s network through a vendor-facing system. From there they moved laterally, exploiting a web application vulnerability along the way, and managed to steal the PII (personally identifiable information) of up to 70 million people and the data for over 40 million credit and debit cards from Point of Sale systems that were not directly connected to the internet.

This massive data breach was a wake-up call that organizations of all sizes need to have robust Identity and Access Management (IAM) systems in place, as the lever point of the overall attack was Target’s failures in the area of access governance: a third party’s credentials gave the attackers a foothold, and nothing stopped them from moving from that vendor-facing system to the rest of the network. The bottom line is that Target had not followed a number of basic principles of access governance, including limiting what vendor accounts can reach and having a process in place to suspend accounts for employees and contractors who no longer need them. And while the Target story is not exactly “new,” the risks that organizations face if they do not have appropriate IAM systems in place are just as relevant now as they were in 2013. These vulnerabilities have not magically gone away.

What is Identity and Access Management?

At its core, Identity and Access Management is the process of knowing who you (and every other person who accesses the system) are and controlling what you have access to. This includes having a way of determining: that it is really you when you log in, and not someone who has stolen your credentials; exactly what assets you have access to and what you can do with that access; how you received that access; why you received that access; and when you have actually exercised these access privileges. Perhaps most importantly, IAM also includes knowing when you should NO LONGER have that access. As such, IAM is at the hub of a strong cyber security program.

IAM encompasses two main processes:

  • Identity proofing and authentication – As new hires and contractors are onboarded, HR typically verifies the identity of the individual and adds them to their system of record. After that, the next step usually is to provide them with login credentials for your system and any “birthright” access that has been defined, such as email or VPN access.
  • Access management and control – Once a person has access to the system, what exactly should they have access to, and for how long should they have access to it? What reporting is necessary? What policies need to be applied? How do access “entitlements” correspond to job roles?

What are the benefits of automating Identity and Access Management?

As the heart of a strong security program, a robust IAM process can:

  • Provide a basis for protection of vital data and reputation – Data breaches like that suffered by Target can be extremely costly. In addition to whatever damage mitigation measures need to be taken, there are also the costs of reputation damage, lost business, and more. Strong IAM can help provide protection of PII and other sensitive data, and reduce the chances that your organization will have a “CNN moment” like the one Target suffered.
  • Automate and lower the cost of SOX, PCI or other compliance – Get the necessary access controls in place, and simplify the back-end auditing and reporting processes.
  • Provide physical access control – This is basically badging and other aspects of physical security. Many organizations manage this separately, but some leverage an effective IAM system to control physical security.
  • Know who has the “keys to the kingdom” – Good IAM includes privileged access management, to control who has access to databases and other underlying systems.
  • Boost employee productivity – Enable easy access to the system no matter where the user is physically located, and reduce costs from manual joiner/mover/leaver processes.

How do you put Identity and Access Management in place?

To put IAM in place you need to address three key IAM activities:

  • Planning and strategy – As with any planning process, the starting point here is an assessment. What is it that you need to protect? Where is the risk, and where is the cost of a breach going to be highest? What are the sizes and profiles of user populations?

Once you know what you need to protect, the next step is to determine the protection strategy and roadmap, then select the software tools for implementing it. From the tools standpoint, you’re likely to need software for authentication and single sign-on, access governance and privileged access management.

As part of the planning and strategy process you’ll also need to create a governance/steering charter. What exactly will you be tasking your governance team with accomplishing? Normally, IAM program governance includes such things as defining workflows for access approval and re-certification, role management and segregation of duty policy, among others.

  • Deployment – To ensure things go smoothly it is best to have a Project Management Office in place to oversee deployment of the tools, and to drive change management within affected parts of the organization.

Many executives believe that an IAM program can be delivered by simply installing the tools. However, the most challenging part is getting agreement from all the affected stakeholders for: (a) defining and quantifying the detailed business requirements, such as access approval workflows or roles definition, that form the core structure of a strong IAM program, and (b) leading the organization through the change process to get from either no tool or the previous tool over to the new system. Tool deployment is generally relatively straight-forward once the “business logic” has been defined.

  • Governance – To make the change work you really need to understand the business logic behind everything. Governance is where all of the details of what is needed and who will be responsible for what are worked out. This includes defining the workflows for the access and re-certification processes, creating a roadmap for connected systems, defining roles, creating a Segregation of Duties (SoD) policy, and much more. Once all of these things are defined and in place, Governance also includes policy enforcement as well as periodic health checks, audits and re-assessments.

When we work with an organization on the business side of getting IAM in place, what typically happens is that we’ll work with the key stakeholders to understand how the business currently functions, refine and document business logic and work flows, then stand up a governance committee to ratify and maintain it all.

Need help getting IAM in place?

Whether you need to audit and improve your existing IAM system or are starting from scratch, CIO Professional Services has the expertise to help you get the job done right. Our focus will be on the business and change management sides of the project; if desired, we can help with management of the technical aspects of deployment as well. With CIO Professional Services you’ll get the advantage of Big 4 experience but with added flexibility and lower overhead. Let’s talk!

 


Are You Getting the Return on Your IT Investment that You Should?

By Jeff Richards
Managing Partner

Your company is growing. You know your organization needs to move fast, but in focusing on the business you may have underinvested in IT. Now IT has become such a constraint that you’re not sure your systems can keep up with the growth. On top of that, you’re concerned that IT and the lines of business may not even be on the same page.

Or perhaps the CIO thinks that IT is doing fine, but the rest of the management team doesn’t understand what they’re getting for their IT investment. There’s even a concern that IT is too expensive. To make matters worse, you’re in a situation where the CEO can’t “speak IT,” and the CIO can’t “speak business”...and a complete disconnect has ensued.

To get on track you need to quickly get your bearings and determine if you’re doing the right things, in the right order, and doing them well. An excellent way to do so is through an IT Effectiveness Assessment.

What is an IT Effectiveness Assessment?

An IT Effectiveness Assessment is a 360 degree review of an organization’s IT operations, applications and alignment with the business strategy. The goal is to determine what IT is doing well and what it is not, and then provide specific recommendations as to how to get IT where it needs to be. The assessment addresses technology’s capabilities to support improved business processes, and enables the organization to more quickly integrate business and IT.

What are the benefits of an IT Effectiveness Assessment?

An IT Effectiveness Assessment can show you how to get the maximum benefit from your IT investment. It will identify ways that you can better align IT to the business strategy, get positioned for the future, address risks and be more efficient and cost-effective. The end result of an IT Effectiveness Assessment is a multi-year “roadmap” describing the path to the future. This includes the costs and benefits for various options, high-level estimates of your staffing and resource needs, and an outline of implementation plans.

How does CIOPS approach IT Effectiveness Assessments?

CIO Professional Services has extensive experience performing IT Effectiveness Assessments for enterprises in a wide variety of industries. We offer a fixed-price assessment that gauges how well your IT portfolio supports all aspects of your business strategy. Our 3-step approach is as follows:

1. The “Data Dump” – We start by meeting with IT and the CEO to get the “lay of the land,” after which we gather up anything remotely relevant to your business. This includes strategic plans, technology architectures and process documentation, secondary research on your competitors, and an understanding of cost structures by location. We then analyze this information while getting step #2 onto your team’s schedules.

2. The “ThinkTank®” Sessions – The key to understanding what’s aligned and what’s not is a set of 90-minute facilitated group sessions and select one-on-one interviews with representatives of all stakeholder groups, such as Finance, Sales, Marketing, Customer Service, Operations and lastly IT to get that 360 degree view. To get maximum value in minimum time we use ThinkTank®, a unique web-based collaboration system tool, to run these sessions.

3. The Improvement Portfolio – Invariably the assessment will show that there are areas where the IT plans align with the business and areas where they don’t. Based on all of the input gathered, as well as our expertise, we develop an integrated portfolio of recommendations (a “technology road map”) for getting you to where you need to be.

This portfolio, which takes into consideration the current IT environment and project portfolio and supports the company’s business initiatives, ensures that your strategy for IT is an enabler of the organization’s future success. It prioritizes key issues and includes quick wins, near-term projects and long-term plans, along with dependencies and cost/benefit statements.

What’s unique about how CIOPS does IT Effectiveness Assessments is the speed with which we finish the project (typically just 3 to 5 weeks), our facilitated group sessions, our use of the ThinkTank® web-based collaboration system tool, and the level of detail provided in our deliverables. The improvement portfolio is defined well enough that you can put these projects out to bid, undertake them yourself or continue with CIOPS as you see fit. And because each action item includes linkages to business outcomes, the value of each project is readily understood.

A side benefit of evaluating the return on your IT investment is that this exercise nearly always leads to improved business processes. Every company will benefit from periodically asking the question, “Are the business and IT aligned?”

For more information about how CIOPS’ IT Effectiveness Assessment can help your organization, give us a call today.

 

About Jeff Richards

As an inspirational leader with the ability to develop the “big picture” strategy then drive it down to executable tactics for implementation, Jeff leads our Professional Services team. Clients benefit from Jeff’s 25+ years of experience developing and implementing transformative business strategies.
Jeff’s experience spans both industry (including Materials, Operations and IT Management) and consulting. He developed a unique global perspective during his tenure in significant P&L management-level positions in both Asia and Europe.

About CIO Professional Services

CIO Professional Services LLC is a top-rated IT (Information Technology) consulting firm, based in the San Francisco Bay Area, specializing in strategic IT consulting and business / IT alignment. Companies come to us seeking assistance with their information technology strategy as well as to source interim CIO / CTO employees or fractional CIO / CTOs.

Contact CIO Professional Services

CIO Professional Services is a member of IAOP, the Churchill Club, The CFO Alliance and the Council of Supply Chain Management Professionals, and was a 2016 SVTC Proud Sponsor.

CIO Professional Services LLC is a top-rated IT consulting firm, based in the San Francisco Bay Area, specializing in strategic IT consulting and business / IT alignment. Companies come to us seeking assistance with their information technology strategy as well as to source interim CIO / CTO employees or fractional CIO / CTO's. Our IT experts can assist with integrating IT into your business processes - better - up to and including 'project rescue' in areas such as ITSM / ITIL, IT service strategy, and IT outsourcing. Business / IT strategy projects we have worked on include upgrading ERP systems, cybersecurity and IT consulting, IT assessment and organizational change. Cloud computing and business IT remain critical in today's business systems, and beyond that to the migration to the cloud of business IT. Our IT consultants can assist with all aspects of business / information technology alignment. Contact us today for a free phone consultation - we service clients not only in San Francisco or San Jose, but throughout the United States.

Copyright 2017. CIO Professional Services, LLC. All Rights Reserved.