By Scott Smith
Security Practice Lead
Whether talking to people at large companies or small companies, when we bring up the topic of Identity and Access Management (IAM) we often hear a lot of the same comments…
- “I am concerned that we have employees who have been here 10 years, and have access to everything, but I don’t know how to control that risk.”
- “Of course we have password policies…but I’m not sure they’re being enforced.”
- “I recently discovered an account for someone who left the company 14 months ago.”
- “Half the people in our IT department have global permissions—they can access anything.”
Because IAM is at the core of a strong security program (as explained in my previous article, “An Introduction to Identity and Access Management”), getting it right is vital. Here are some of the current leading practices in Identity and Access Management:
- Deploy Strong Multi-Factor Authentication – As part of the identity management process, the leading practice is to require a second factor beyond the password: a one-time password sent via text or email, or better yet a software token generated by an authenticator app. Codes sent by SMS or email are the weakest option, since they can be intercepted or phished; a hardware token or FIDO2/WebAuthn key, which cannot be replayed to a look-alike site, is stronger still. MFA helps ensure that the person who logged in is who you think they are, and not someone else who has stolen their login credentials.
- Use Privileged Access Management – Privileged access management, which focuses on the special requirements of user accounts that have high level access to an IT system, is typically applied to the administrators and engineers who work “under the hood” in databases, operating systems, and network devices. While this access is necessary, there is a greater risk associated with these user accounts. Privileged access management tools offer greater control and accountability.
- Enforce Segregation of Duties (SoD) – When deciding who will have access to which parts of your system, it’s important to define appropriate SoD policies (combinations of entitlements that no single person may hold) and to ensure that the system enforces them automatically at the moment access is requested, rather than relying on reviewers to spot conflicts after the fact.
A good example of SoD in IAM is in the area of software development. Most software developers only need access to the development servers; they should not have access to the production servers. This ensures that proper quality control takes place before the code is moved from the development servers to the production environment.
- Institute Periodic Recertification Campaigns – What often happens in organizations is that as employees move around, they accumulate new system access permissions without ever losing the old ones (see Least Privilege, below). In many organizations, nobody ever thinks to go through and ask why this person still has access to the accounts receivable system now that they’re in the marketing department.
To avoid situations like this, and to ensure least privilege, the IAM leading practice is to have a regularly scheduled recertification process for sensitive systems, whereby once a year or once a quarter every access permission must be re-approved by the data owner or the employee’s manager, and anything not re-approved is removed. While some organizations must do this for regulatory compliance reasons, it is a leading practice for all organizations.
- Ensure Least Privilege – Each person should only have the accesses which they actually need to do their job. No one should have unnecessary privileges, or privileges that were once appropriate but no longer apply. Attackers often target users who have large aggregations of entitlements, as this makes it easier for them to expand their access to a target network.
- Put Joiner/Mover/Leaver Workflows in Place – When a worker joins a company or moves into a new department, a system needs to be in place to determine what accesses that person now needs. Leading practices call for having automated, well-defined approval processes for whatever access is requested, as well as connectivity with the HR database.
For example, say Mary moves from Accounts Payable to Accounts Receivable. In addition to “standard entitlements” for her position, Mary’s new manager says that she needs special access to a particularly sensitive set of financial data. Policies should be put in place to ensure appropriate approvals for this added access. These policies may include escalated approvals, etc.
Some access—such as the ability to log in to the Human Resources system and see your own personal information, the ability to receive email, etc.—will often be granted as “birthright accesses,” since approvals may not be needed, and could hinder productivity.
It is especially important to discontinue unneeded permissions for those who move to a new role, and to suspend or remove all access for those who leave. These policies need to be in place for anyone who has access to the system, including employees, contract workers and outside vendors.
- Apply Roles Modeling – An important aspect of access management is to define who should have access to what based on their job function. In roles modeling you look at the business role of every position in the company and define accesses based on the job requirements of these roles. Roles modeling creates standard “least privilege” access combinations that reduce risk, and also creates standard approval cycles for management.
For larger organizations the leading practice here is for the governance committee to create a workflow that enables each department to define and approve roles and their associated entitlements. Generally speaking, a manager will define the roles and entitlements for their direct reports, and that person’s manager will approve it.
- Create Audit Trails – As with any system, it is important to ensure that all changes, additions and deletions result in an audit trail that records who made the change, what was changed, when, and who approved it. This is important for trouble-shooting purposes if something goes wrong, and for governance purposes to ensure all such changes are appropriate. The trail should be stored where the administrators whose actions it records cannot alter or delete it, and retained long enough to support the recertification cycle and any investigation.
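The three checks described in the list above (removing leavers’ access, detecting SoD conflicts, and finding access outside a role baseline for recertification) can be run as one review over an HR feed and an entitlement export. The Python below is an added example written for this article, not code from the article or from any IAM product; the HR feed, role model, SoD rules and entitlement data are constructed for illustration, and the dates are chosen so that one account has been live for about 14 months after its owner left.

```python
from datetime import date

# --- Constructed sample data (hypothetical; not from the article) -----------
TODAY = date(2024, 3, 15)

# HR feed: the authoritative source for joiner/mover/leaver status.
HR_FEED = {
    "mary":  {"dept": "Accounts Receivable", "status": "active",     "term_date": None},
    "bob":   {"dept": "IT",                  "status": "active",     "term_date": None},
    "alice": {"dept": "Marketing",           "status": "terminated", "term_date": date(2023, 1, 15)},
}

# Role model: standard entitlements for each department (birthright + role).
ROLE_MODEL = {
    "Accounts Receivable": {"email", "hr_self_service", "ar_app"},
    "IT":                  {"email", "hr_self_service", "it_ticketing"},
    "Marketing":           {"email", "hr_self_service", "cms"},
}

# SoD rules: sets of entitlements that must never be held by one person.
SOD_RULES = [
    (frozenset({"ap_app", "ar_app"}),           "pay vendors and receive customer funds"),
    (frozenset({"dev_servers", "prod_servers"}), "write code and deploy it to production"),
]

# Entitlements as currently provisioned in the identity store.
ENTITLEMENTS = {
    "mary":       {"email", "hr_self_service", "ar_app", "ap_app"},  # kept AP after moving to AR
    "bob":        {"email", "hr_self_service", "it_ticketing", "dev_servers", "prod_servers"},
    "alice":      {"email", "cms"},                                  # left over a year ago
    "svc_backup": {"prod_servers"},                                  # no HR record at all
}


def find_orphaned_accounts(hr, entitlements, today):
    """Leaver check: accounts whose owner is terminated or unknown to HR."""
    orphans = {}
    for account in entitlements:
        record = hr.get(account)
        if record is None:
            orphans[account] = "no HR record (service or contractor account?)"
        elif record["status"] == "terminated":
            days = (today - record["term_date"]).days
            orphans[account] = f"terminated {days} days ago, access still live"
    return orphans


def find_sod_violations(entitlements, rules):
    """Detective SoD check: users holding every entitlement of a conflicting set."""
    violations = []
    for user, held in entitlements.items():
        for conflict, why in rules:
            if conflict <= held:            # subset test: the whole toxic combination is present
                violations.append((user, conflict, why))
    return violations


def sod_check_request(user, requested, entitlements, rules):
    """Preventive SoD check at request time: list the rules a grant would break."""
    proposed = entitlements.get(user, set()) | {requested}
    return [why for conflict, why in rules if conflict <= proposed]


def recertification_candidates(hr, entitlements, role_model):
    """Least-privilege check: active users holding access outside their role baseline."""
    out = {}
    for user, held in entitlements.items():
        record = hr.get(user)
        if record is None or record["status"] != "active":
            continue                        # leavers and unknown accounts go to the orphan check
        extra = held - role_model.get(record["dept"], set())
        if extra:
            out[user] = extra
    return out


def run_access_review(hr=HR_FEED, entitlements=ENTITLEMENTS, role_model=ROLE_MODEL,
                      rules=SOD_RULES, today=TODAY):
    """One pass producing the three lists a recertification campaign starts from."""
    return {
        "orphaned": find_orphaned_accounts(hr, entitlements, today),
        "sod": find_sod_violations(entitlements, rules),
        "recertify": recertification_candidates(hr, entitlements, role_model),
    }


if __name__ == "__main__":
    report = run_access_review()
    for acct, reason in report["orphaned"].items():
        print(f"ORPHAN  {acct}: {reason}")
    for user, conflict, why in report["sod"]:
        print(f"SOD     {user}: {sorted(conflict)} lets one person {why}")
    for user, extra in report["recertify"].items():
        print(f"RECERT  {user}: confirm still needs {sorted(extra)}")
```

Two design points matter here. The HR feed, not the identity store, decides who is a leaver, so an account with no HR record at all (a service or vendor account) is flagged rather than silently trusted. And the SoD subset test is used both detectively (over what people already hold) and preventively (`sod_check_request`, before a grant is provisioned), which is what “ensure that the system checks for this” means in practice.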
Need help getting an IAM system in place that addresses all leading practices? Give us a call. We’re experts at completing all of the strategic work (including creating the plan), handling the change management aspect of the project, and partnering with others for technical deployments. Let’s talk!
About Scott Smith
Scott is an experienced cyber security executive with more than 25 years of technology strategy, management and advisory experience. With an emphasis on driving technology success through effective business stakeholder engagement, he has strong project leadership experience on IT security strategy, governance and transformation projects.
About CIO Professional Services
Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.