An Introduction to Identity and Access Management
- Published: Thursday, July 13, 2017 07:00
By Scott Smith
Security Practice Lead
Four years ago Target suffered a data breach that caught the attention of consumers and executives everywhere. By starting with a stolen dormant login from an HVAC contractor who was no longer working with Target, attackers were able to gain root access directly into Target’s data center. Once in, they found a web application vulnerability and managed to use this to steal the PII (personally identifiable information) for over 70,000 people, and seize the data for over 40 million credit and debit cards from a Point of Sale system that was not directly connected to the internet.
This massive data breach was a wake-up call that organizations of all sizes need to have robust Identity and Access Management (IAM) systems in place, as the lever point of the overall attack was Target’s failures in the areas of access governance. The bottom line is, Target had neglected to follow a number of basic principles of access governance, including having a system in place to suspend accounts for employees and contractors who no longer worked there. And while the Target story is not exactly “new,” the risks that organizations face if they do not have appropriate IAM systems in place is just as relevant now as it was in 2013. These vulnerabilities have not magically gone away.
What is Identify and Access Management?
At its core, Identity and Access Management is the process of knowing who you (and every other person who accesses the system) are and controlling what you have access to. This includes having a way of determining: that it is really you when you log in, and not someone who has stolen your credentials; exactly what assets you have access to and what you can do with that access; how you received that access; why you received that access; and when you have actually exercised these access privileges. Perhaps most importantly, IAM also includes knowing when you should NO LONGER have that access. As such, IAM is at the hub of a strong cyber security program.
IAM encompasses two main processes:
- Identity proofing and authentication – As new hires and contractors are onboarded, HR typically verifies the identity of the individual and adds them to their system of record. After that, the next step usually is to provide them with login credentials for your system and any “birthright” access that has been defined, such as email or VPN access.
- Access management and control – Once a person has access to the system, what exactly should they have access to, and for how long should they have access to it? What reporting is necessary? What policies need to be applied? How do access “entitlements” correspond to job roles?
What are the benefits of automating Identity and Access Management?
As the heart of a strong security program, a robust IAM process can:
- Provide a basis for protection of vital data and reputation – Data breaches like that suffered by Target can be extremely costly. In addition to whatever damage mitigation measures need to be taken, there are also the costs of reputation damage, lost business, and more. Strong IAM can help provide protection of PII and other sensitive data, and reduce the chances that your organization will have a “CNN moment” like the one Target suffered.
- Automate and lower the cost of SOX, PCI or other compliance – Get the necessary access controls in place, and simplify the back-end auditing and reporting processes.
- Provide physical access control – This is basically badging and other aspects of physical security. Many organizations manage this separately, but some leverage an effective IAM system to control physical security.
- Know who has the “keys to the kingdom” – Good IAM includes privileged access management, to control who has access to databases and other underlying systems.
- Boost employee productivity – Enable easy access to the system no matter where the user is physically located, and reduce costs from manual joiner/mover/leaver processes.
How do you put Identity and Access Management in place?
To put IAM in place you need to address three key IAM activities:
- Planning and strategy – As with any planning process, the starting point here is an assessment. What is it that you need to protect? Where is the risk, and where is the cost of a breach going to be highest? What are the sizes and profiles of user populations?
Once you know what you need to protect, the next step is to determine the protection strategy and roadmap, then select the software tools for implementing it. From the tools standpoint, you’re likely to need software for authentication and single sign-on, access governance and privileged access management.
As part of the planning and strategy process you’ll also need to create a governance/steering charter. What exactly will you be tasking your governance team with accomplishing? Normally, IAM program governance includes such things as defining workflows for access approval and re-certification, role management and segregation of duty policy, among others.
- Deployment – To ensure things go smoothly it is best to have a Project Management Office in place to oversee deployment of the tools, and to drive change management within affected parts of the organization.
Many executives believe that an IAM program can be delivered by simply installing the tools. However, the most challenging part is getting agreement from all the affected stakeholders for: (a) defining and quantifying the detailed business requirements, such as access approval workflows or roles definition, that form the core structure of a strong IAM program, and (b) leading the organization through the change process to get from either no tool or the previous tool over to the new system. Tool deployment is generally relatively straight-forward once the “business logic” has been defined.
- Governance – To make the change work you really need to understand the business logic behind everything. Governance is where all of the details of what is needed and who will be responsible for what are worked out. This includes defining the workflows for the access and re-certification processes, creating a roadmap for connected systems, defining roles, creating a Segregation of Duties (SoD) policy, and much more. Once all of these things are defined and in place, Governance also includes policy enforcement as well as periodic health checks, audits and re-assessments.
When we work with an organization on the business side of getting IAM in place, what typically happens is that we’ll work with the key stakeholders to understand how the business currently functions, refine and document business logic and work flows, then stand up a governance committee to ratify and maintain it all.
Need help getting IAM in place?
Whether you need to audit and improve your existing IAM system or are starting from scratch, CIO Professional Services has the expertise to help you get the job done right. Our focus will be on the business and change management sides of the project; if desired, we can help with management of the technical aspects of deployment as well. With CIO Professional Services you’ll get the advantage of Big 4 experience but with added flexibility and lower overhead. Let’s talk!
About Scott Smith
Scott is an experienced cyber security executive with more than 25 years of technology strategy, management and advisory experience. With an emphasis on driving technology success through effective business stakeholder engagement, he has strong project leadership experience on IT security strategy, governance and transformation projects.
About CIO Professional Services
Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.