Realize it or not — you have an IAM; you do manage your identities somehow. The real question is whether the way you manage them is smart or not. Doing Identity & Access Management (IAM) smartly lets you know and prove what is happening in your company. For example, how many people use the CRM, are there a lot of unnecessary access rights, or which systems can person X access. IAM can automate a lot of processes related to identity and access. Proper management of identity and access is a basis for risk management [fi].
Here are 7 viewpoints to Identity & Access Management, giving insights about what to concentrate on in different situations and phases of IAM maturity.
You decide to take a new cloud service, say Salesforce, in use. Typing in your name, email, and other details is really quick — no problem there. However, when your organization have dozens of cloud services and hundreds of users changing their roles, positions, and last names, it gets complicated. Some of the changes never get done in all of the services, only the most important ones. Even so, doing this manually by Helpdesk will cost easily hundreds of thousands per year. Still, the data is lagging behind, users get frustrated, accesses are wrong, and you don’t have a clue which data is wrong and which is right. This can also generate a lot of unnecessary direct license costs [fi].
Automating the management of access rights (Provisioning) for cloud services with IAM is easy and has a quick return on investment (ROI). For systems that have only a few users full automation is not necessary. IAM processes can still be used to get the benefits of auditability and reporting.
Enterprise applications have often the same issues than cloud services, but also different ones. Perhaps Active Directory (AD) is used to manage users and accesses. If so, is your AD data and groups in good shape? Does a change in HR position or location data automatically change access rights in the end systems? Is the functionality unified in all systems? Many legacy systems do not support managing everything through AD or LDAP. Also, you might not want to have all people in AD, nor all required access groups. There may be requirements to restrict visibility, and some types of users might not be in AD or even HR at all. The controlling layer needs to be in lower level.
The longer a person has worked in an organization, the more access rights are usually accumulated. This means more risk; hence the problem needs to be mitigated. This can be done by recertification process, i.e. periodically or continuously attesting the access rights. The attestation should be prioritized based on the risk level of the access, and self-review can further ease up the workload of the people responsible for the access rights. Recertification and attestation belong in the area of Identity Governance and Administration (IGA).
The key elements in IGA are:
For people changing roles and especially leaving the organization, timely de-provisioning access rights is important. De-activation of the AD account is not safe enough when a person leaves the organization, the accounts in all the end systems also need to be either de-activated or de-provisioned.
In addition to added security, this can also have a great impact on license costs. In cloud services, the license cost impact is often more or less immediate and very direct cost saving. Security-wise, cloud services sometimes authenticate using their local credentials, which means that a leaving person can just continue using the service and seeing all data. You would not want your CRM to be usable by an employee leaving for a competitor!
Cloud services can often be used conveniently via an app on the phone. But how to control that access? A stolen phone can become a huge liability for the company. Should you let a user log in to the accounting system in the middle of the night, from a non-standard device, or from an unusual location? I don’t think so — at least not without additional authentication methods. Access Management solution provides a smart way to implement this.
Enterprise applications might be accessible from the company intranet only, providing one layer of security. This, however, is an old way of thinking security. There is a growing need to access anything from anywhere, which means that identity is the new perimeter. All systems need to be accessible easily, while not compromising in security.
Signing to all systems separately, maybe having to remember different passwords for each, is extremely frustrating and inconvenient, while adding little extra security. Single Sign-On (SSO) provides an easy and secure way to use much less passwords and logins for both cloud and enterprise applications, while also adding security and control. SSO can ask for stronger authentication when the risk factor gets above a certain limit — not all the time.
It is not only about signing in. A session left open can introduce risks. It is important to be able to know that you have signed out of all the services, especially in shared environments. This is achieved by using a Single Sign-On solution.
I hope these themes gave you good insights what to concentrate on. Depending on the size of your organization, the current maturity level of your IAM, as well as many other things, Spellpoint can help you taking the next step: Spellpoint Navigator maps your way to the best direction, providing an optimal ROI in the long term. Spellpoint Navigator is good for starting to think IAM from the scratch, or when further roadmapping feels necessary. Spellpoint Little Pilot will make a production-ready pilot of a solution, and Spellpoint Craftsman will forge a complete solution based on your needs, using the specification work done by Spellpoint Navigator or you. For support and maintenance, Spellpoint Mechanic runs your solution care-free.
You can always start small and implement more automation incrementally. We always make future-proof solutions and have a long-term mindset.
Chief IAMist, Spellpoint