As organizations become increasingly reliant on the digital resources and the data they process, they also want to restrict access to these resources to authorized users only. This is no small task. “Just look at the recent avalanche of news reports revealing security breaches in both large private companies as well as public organizations: these breaches are most often caused by a compromised user ID,” noted Maher Chaar, Associate Partner, Identity and Access Management for IBM Canada.
As the number of breaches rises, identity and access management (IAM) is emerging as a key element in a corporate cybersecurity strategy. While various security measures were implemented long ago, successive deployments of information systems and production materials have gradually eroded their efficiency.
Since each system has its own access control functions, employees must create and memorize a multitude of passwords. Systems also force them to use a minimum number of characters, use special characters, and periodically change these passwords.
These constraints can be a sore point for users. Consequently, they try to cut corners by adopting unsafe practices, such as using similar passwords for different systems, sharing these passwords with other users, or scribbling their access codes on paper and leaving the notes near their devices.
The advent of cloud computing and the proliferation of mobile devices have added a layer of complexity to access management. Users can remotely access company systems from external locations and on a variety of devices; they interact as often with systems installed within the company as with applications hosted in the cloud; and companies cannot fully control how cloud service providers manage the security of the IT resources they sell to their customers.
In such an environment, instituting an IAM program is crucial. “The principle behind IAM is simple,” Roger Ouellet, Senior Solutions Designer and Security Practice Leader at NOVIPRO, noted. “It’s about ensuring that the people accessing the systems are who they claim to be, and then granting these people access to the resources they need for their work - and only those specific resources.”
Conceptually, two steps are required to set up an IAM program:
- Defining the organizational rules that must apply for proper management of digital identities; and
- Implementing the technologies required to apply and enforce these rules.
Starting at “Zero Trust” to determine access rules
First and foremost, a security needs analysis should define the roles a user must play within an organization, from the perspective of the digital resources required for her/his work. “These roles don’t necessarily correspond to the employee’s job description,” claimed Roger Ouellet. “Companies are used to segmenting roles based on reporting relationships and deliverables, rather than on that role’s need to access a specific system to handle a specific category of data.”
Each role is associated with a precise set of access rules. Previously, these were seen as restrictions on full and open access. “By default, employees had access to everything, and we would remove access rights considered unnecessary,” Ouellet explained.
Today, this paradigm has been replaced by an approach founded on the opposite principle and documented by research firm Forrester: the Zero Trust model. “With this approach, access to a system is granted only if a user’s position warrants it,” Ouellet continued. “This method prevents blind spots, such as granting unjustified accesses which we then forget to monitor because they don’t correspond with expected work processes.”
A range of coordinated, integrated technologies
A range of technologies is required to put the established access rules into practice. For a full IAM, some desirable functions include:
- A centralized directory — it lists all internal and external users who would benefit from accessing one of the company’s systems. Updates to this directory facilitate the secure onboarding of new employees and consultants, as well as the departure of former staffers.
- Single sign-on (SSO) — this function enables users to identify themselves only once (when signing into their work session) to obtain access to all systems authorized for their role. Users are not required to enter new authentication codes when switching between different systems.
- Multi-factor authentication (MFA) — requires users to identify themselves through two different means. For example, a user might need to enter a personal password and also provide a fingerprint scan. MFA significantly reduces the risk of an unauthorized user infiltrating a system.
- Privileged access management (PAM) — some users hold privileges beyond simply consulting or using a system; for example, they can access confidential data, modify configurations, create or delete user accounts, or install/uninstall applications. Assigning and revoking these privileges should be rigorously managed, and the way each user leverages these privileges can be automatically monitored and logged.
- A password vault — this vault contains all user passwords in encrypted form, and stored on a secure server. Coupled with an SSO system, it enables users who have already identified themselves once to use (but not see or handle) the passwords for the systems they require for their current work session.
All technologies related to identity and access management must be orchestrated within a program that ensures IAM rules will be executed. “An effective IAM program allows users’ identities to be authenticated with certainty, so that security governance may be applied in an integrated, consistent manner across the entire business,” concluded IBM Canada’s Maher Chaar. “In this way, the company can exercise an appropriate degree of control on accesses and security, without compromising users’ productivity or condemning them to unpleasant experiences when they connect to the network.”
Read the last article in our "Security, a corporate challenge" series: Cybersecurity: some essential technologies for your business