Strengthen Identity With These 6 Practices
Identity and access management (IAM) implementations often provide organizations with a baseline level of security, including an identity warehouse with master user information and some reporting capabilities. With that rich set of identity data, organizations can build further IAM functionality and capabilities to manage, monitor, and audit access to close the security gap and protect critical data from breaches and exfiltration.
Untapped capabilities of the IAM platform that can benefit organizations include:
- application onboarding;
- joiner, mover, leaver workflows;
- user access attestation/certification;
- user self-service and integration with service desk (including automated access provisioning);
- definition and enforcement of security policies; and
- role mining to manage user access by groupings instead of individuals.
All six represent untapped potential in IAM software for better security, improved workflows, and help desk cost savings. Organizations may wish to prioritize certain capabilities over others depending on their maturity level and requirements.
Application Onboarding
In the federal space, for example, organizations will have connectivity to some enterprise systems at the end of the Continuous Diagnostics and Mitigation (CDM) Phase 2 program, but they won’t have connectivity to all their systems—particularly those they would consider high value, such as cloud applications, databases, and/or financial applications containing sensitive data. Even with most identities known, it is likely that IT managers have visibility into fewer than one-third of the enterprise application accounts and entitlements associated with each identity. With additional application onboarding, organizations can have a comprehensive view of who has what kind of access to many of their high-value systems and applications.
Analytics over this identity data provides insight into questions such as: how many inactive identities still have active accounts on some systems, still incurring licensing costs? How long did it take for a user to gain requested access? How long has a user held on to access credentials they don’t need? Which managed application entitlements/privileges seem over- or undersubscribed?
- Connect identity management to all high-value assets, applications, and systems
- Apply continuous analytics to identity and access entitlement data
- Answer the critical question of who has what level of access
- Enforce controls by automatically provisioning/deprovisioning access and privileges on applications
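The four analytics questions above are simple to answer once identity, account and entitlement data sit in one warehouse. The following is an added example, not code from the original article or from any IAM product; it runs the four checks over a small constructed data set (identity status, per-system account status, request/grant dates, last-use timestamps and entitlement holders). The data, the 90-day idle threshold and the 75%/25% subscription thresholds are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


# Constructed sample data (not from any real system): what the IAM warehouse
# would hold for each person after application onboarding.
@dataclass
class Identity:
    id: str
    status: str                                   # "active" employee or "inactive" (separated)
    accounts: dict = field(default_factory=dict)  # system -> "active" | "disabled"


@dataclass
class AccessRequest:
    identity: str
    entitlement: str
    requested: date
    granted: Optional[date]                       # None while still pending


IDENTITIES = [
    Identity("u1", "active",   {"hris": "active", "erp": "active"}),
    Identity("u2", "inactive", {"hris": "disabled", "erp": "active"}),  # left, ERP never cleaned up
    Identity("u3", "inactive", {"hris": "disabled"}),
    Identity("u4", "active",   {"erp": "active", "crm": "active"}),
]

REQUESTS = [
    AccessRequest("u1", "erp:ap_clerk", date(2024, 3, 1), date(2024, 3, 4)),
    AccessRequest("u4", "crm:reader",   date(2024, 3, 2), date(2024, 3, 2)),
    AccessRequest("u4", "erp:ap_clerk", date(2024, 3, 5), None),
]

# (identity, entitlement) -> last time the entitlement was exercised, per application logs
LAST_USED = {
    ("u1", "erp:ap_clerk"): date(2024, 1, 2),
    ("u4", "crm:reader"):   date(2024, 5, 30),
}

# entitlement -> identities currently holding it
HOLDERS = {
    "erp:ap_clerk": {"u1", "u4"},
    "erp:admin":    {"u1", "u2", "u3", "u4"},
    "crm:reader":   {"u4"},
}

TODAY = date(2024, 6, 1)  # reporting date for the idle calculation (constructed)


def inactive_with_active_accounts(identities):
    """Separated identities that still own an enabled account somewhere:
    each is a licence still being paid for and a dormant login."""
    return {
        i.id: sorted(sys for sys, st in i.accounts.items() if st == "active")
        for i in identities
        if i.status == "inactive" and "active" in i.accounts.values()
    }


def time_to_access_days(requests):
    """Days from request to grant for fulfilled requests; pending requests are
    listed separately so slow approvals do not hide inside an average."""
    fulfilled = {(r.identity, r.entitlement): (r.granted - r.requested).days
                 for r in requests if r.granted is not None}
    pending = [(r.identity, r.entitlement) for r in requests if r.granted is None]
    return fulfilled, pending


def stale_entitlements(last_used, today, max_idle_days=90):
    """Entitlements not exercised within max_idle_days: candidates for revocation
    or for the next certification campaign."""
    return sorted(
        (ident, ent, (today - when).days)
        for (ident, ent), when in last_used.items()
        if (today - when).days > max_idle_days
    )


def subscription_rates(holders, population, over=0.75, under=0.25):
    """Share of the identity population holding each entitlement. A privileged
    entitlement held by most of the workforce is the classic over-subscription
    smell; a licensed one held by almost nobody is the reverse."""
    out = {}
    for ent, ids in holders.items():
        rate = len(ids) / population
        label = "over" if rate >= over else "under" if rate <= under else "ok"
        out[ent] = (round(rate, 2), label)
    return out


if __name__ == "__main__":
    print(inactive_with_active_accounts(IDENTITIES))
    print(time_to_access_days(REQUESTS))
    print(stale_entitlements(LAST_USED, TODAY))
    print(subscription_rates(HOLDERS, len(IDENTITIES)))
```

Each function returns a structure rather than printing, so the same checks can feed a dashboard or a scheduled report; the pending-request list is kept apart from the fulfilled times on purpose, since a request that is never granted would otherwise vanish from the metric.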
Joiner, Mover, Leaver Identity Lifecycle Management
It is common for government employees to have multiple accounts with unique identifiers on different systems, where one account was created using an email address and another employee ID number, for example. Organizations will get a better view of that person—who they are and what their access looks like—by building an onboarding process that ties those together from day one. Improving the joiner/mover/leaver process also helps to reduce service desk costs.
The same process should automatically rescind access as soon as a user leaves a role or job. Similarly, it is vital that employees moving between departments or teams have the appropriate access for their new assignment and, if applicable, have the access associated with their old team removed.
- Quickly provision, modify, and deprovision user accounts and access entitlements
- Increase user productivity by allowing personnel to quickly gain access
- Increase security by implementing automated mover and offboarding scenarios
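To make the three transitions concrete, here is an added example (not the article's code, nor any vendor's) of a minimal joiner/mover/leaver engine. It assumes a constructed role catalogue mapping two job roles to entitlements plus a baseline every active person receives; a mover loses only what the old role needed and the new one does not, and a leaver loses everything. Every grant and revoke is logged so the change is attributable in an audit.

```python
from dataclasses import dataclass, field

# Constructed role catalogue (not a real organisation's): job role -> entitlements
# the role needs. BASELINE is granted to every active person regardless of role.
ROLE_ENTITLEMENTS = {
    "hr-analyst":    {"hris:read", "sharepoint:hr"},
    "finance-clerk": {"erp:ap_entry", "sharepoint:finance"},
}
BASELINE = {"email", "vpn"}


@dataclass
class Account:
    role: str
    status: str = "enabled"
    entitlements: set = field(default_factory=set)


class LifecycleEngine:
    """Joiner / mover / leaver transitions driven by the HR record."""

    def __init__(self):
        self.accounts = {}   # identity -> Account
        self.log = []        # (identity, "grant" | "revoke", entitlement)

    def _grant(self, ident, ents):
        acct = self.accounts[ident]
        for e in sorted(ents - acct.entitlements):
            acct.entitlements.add(e)
            self.log.append((ident, "grant", e))

    def _revoke(self, ident, ents):
        acct = self.accounts[ident]
        for e in sorted(ents & acct.entitlements):
            acct.entitlements.remove(e)
            self.log.append((ident, "revoke", e))

    def joiner(self, ident, role):
        # Refuse to provision anything for a role the catalogue does not know.
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}: refusing to provision")
        if ident in self.accounts:
            raise ValueError(f"{ident} already exists; use mover or leaver")
        self.accounts[ident] = Account(role=role)
        self._grant(ident, BASELINE | ROLE_ENTITLEMENTS[role])
        return self.accounts[ident]

    def mover(self, ident, new_role):
        if new_role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {new_role!r}: refusing to provision")
        acct = self.accounts[ident]
        old, new = ROLE_ENTITLEMENTS[acct.role], ROLE_ENTITLEMENTS[new_role]
        # Drop what only the old team needed, then add the new team's access;
        # the baseline and anything shared by both roles is left untouched.
        self._revoke(ident, old - new - BASELINE)
        self._grant(ident, new)
        acct.role = new_role
        return acct

    def leaver(self, ident):
        # Revoke everything, baseline included, and disable the account itself.
        acct = self.accounts[ident]
        self._revoke(ident, set(acct.entitlements))
        acct.status = "disabled"
        return acct


if __name__ == "__main__":
    eng = LifecycleEngine()
    eng.joiner("e1", "hr-analyst")
    eng.mover("e1", "finance-clerk")
    eng.leaver("e1")
    for entry in eng.log:
        print(entry)
```

Deriving the mover's revocations from the role difference, rather than from a manually written list, is what keeps old-team access from lingering after a transfer; the leaver path disables the account in addition to stripping entitlements, because a disabled account with no entitlements is still the state an auditor expects to see.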
User Access Certification
Managers must regularly certify and attest that users need to retain certain privileges. This helps enforce a rule known as the “principle of least privilege,” which states that users should only have the privileges they need to do their job and nothing more.
- Allow supervisors and application owners to determine whether users still need the access they have
- Prevent over-entitling or under-entitling users and help enforce security access controls
User Self-Service and Integration with Service Desk
IAM enhancements will also bring self-service capabilities to users so they can request access for themselves. An employee requiring SharePoint access, for example, can initiate the request via the IAM software, which automatically routes the request to a supervisor(s), and if applicable to the supervisor’s delegates, for approval. End-user productivity is improved and the burden on managers and service desks is lessened when users can facilitate their own access.
The capability can also be integrated with the service desk system so a ticket can be linked to when access was granted—removing the need to manually record the approval process. This reduces service-desk burden by keeping access requests manageable, sustainable, and auditable in a large organization, especially if employees and contractors surge in number. The same capability exists in IAM solutions to automate password resets, which is another labor-intensive service desk function that can be alleviated.
- Allow user self-service to reset passwords and request access online
- Automatically route access requests for approval and provisioning
- Automated workflows with service desk integration
- Service desk integration harmonizes IT operations with IT security
- Automated password resets reduce service desk costs
- Reduced total cost of ownership
Solve Audit Challenges with Security Policies
The IAM platform can flag security policy violations in areas of separation/segregation of duties, for example, which prevents a single person from being both a requester and an approver of a sensitive/high-value account or privilege request. It can also prevent someone from having privileges to be both a server administrator and a database administrator.
- Define and enforce access policies and controls to mitigate audit findings/challenges
- Flag violations and enforce controls to prevent conflicts of interest in access
- Mitigate audit risks
- Improve the overall security posture
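The self-service request flow from the previous section and the separation-of-duties checks described here meet in the same workflow, so one added example (not code from the article or any IAM product) covers both: a request is screened against toxic-combination rules, routed to the requester's supervisor and that supervisor's delegates, and at approval time the decision is tied to a service-desk ticket and the entitlement is provisioned. The reporting lines, delegate list, current entitlements and the two SoD rules are constructed assumptions; the self-approval check is the requester/approver conflict the text describes.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Constructed org data (not a real directory): reporting lines, approval delegates,
# current entitlements, and separation-of-duties rules.
MANAGER_OF = {"alice": "bob", "bob": "carol", "carol": None, "dave": "carol"}
DELEGATES = {"bob": ["dave"]}          # bob lets dave approve on his behalf
ENTITLEMENTS = {
    "alice": {"email", "db:admin"},
    "bob":   {"email"},
}
# Each rule: entitlements that must never be held together, plus the reason.
SOD_RULES = [
    ({"server:admin", "db:admin"}, "server and database administration must be split"),
    ({"erp:ap_entry", "erp:ap_approve"}, "payment entry and payment approval must be split"),
]

_ids = count(1)


@dataclass
class Request:
    id: int
    requester: str
    entitlement: str
    approvers: list
    status: str = "pending"
    ticket: Optional[str] = None       # service-desk ticket linked at approval
    note: str = ""


def sod_violation(current, new):
    """Reason the new entitlement would complete a forbidden combination,
    or None when the grant is clean."""
    after = set(current) | {new}
    for combo, reason in SOD_RULES:
        if new in combo and combo <= after:
            return reason
    return None


def submit(requester, entitlement):
    """Self-service request: screened against SoD, then routed to the
    requester's supervisor and that supervisor's delegates."""
    reason = sod_violation(ENTITLEMENTS.get(requester, set()), entitlement)
    if reason:
        return Request(next(_ids), requester, entitlement, [], "rejected", note=reason)
    manager = MANAGER_OF.get(requester)
    if manager is None:
        return Request(next(_ids), requester, entitlement, [], "rejected",
                       note="no supervisor on record; route manually")
    approvers = [manager] + DELEGATES.get(manager, [])
    return Request(next(_ids), requester, entitlement, approvers)


def approve(req, approver, ticket):
    """Record an approval against a service-desk ticket and provision the access.
    Returns False (request left pending) if the approver is the requester, is not
    on the routed list, or the grant would now violate SoD."""
    if req.status != "pending":
        return False
    if approver == req.requester or approver not in req.approvers:
        req.note = f"{approver} is not an authorised approver for request {req.id}"
        return False
    reason = sod_violation(ENTITLEMENTS.get(req.requester, set()), req.entitlement)
    if reason:                          # re-check: entitlements may have changed since submit
        req.status, req.note = "rejected", reason
        return False
    req.status, req.ticket = "approved", ticket
    ENTITLEMENTS.setdefault(req.requester, set()).add(req.entitlement)  # automated provisioning
    return True


if __name__ == "__main__":
    r = submit("alice", "sharepoint:finance")
    print(r.approvers, approve(r, "alice", "SD-1"), approve(r, "bob", "SD-1"), r)
    print(submit("alice", "server:admin"))
```

The SoD rule is evaluated twice: once when the request is submitted, so an obviously conflicting request never reaches a manager's queue, and again at approval, because access granted through another path in the meantime can turn a clean request into a violation. Keeping the ticket id on the request object is what lets an auditor go from "who approved this" to the service-desk record without a separately maintained spreadsheet.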
Entitlement Grouping & Meaningful Role Definition
IAM software can make it easier for organizations to define access by job description, business unit, or another grouping.
- Manage user access in groupings (e.g., meaningful business and IT roles) instead of as individual elements
- Allow roles to be defined that streamline the provisioning/de-provisioning of appropriate access when users onboard or change job functions
- Eliminate the need for managers to re-certify individual accounts/access entitlements that are not meaningful by themselves, unless related to a job function
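This section and the earlier "User Access Certification" section describe two halves of one mechanism: mine roles from the entitlements people already hold, then let managers certify the role as a unit and review only the entitlements that fall outside it. The block below is an added example, not the article's or any product's code. It assumes a constructed set of five identities in two departments with their current entitlements and a reviewer per department; the 80% support threshold for role mining is an assumption.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed entitlement data (not from a real system): identity -> (department, entitlements held).
USERS = {
    "u1": ("finance", {"erp:ap_entry", "erp:gl_view", "sharepoint:finance", "vpn"}),
    "u2": ("finance", {"erp:ap_entry", "erp:gl_view", "sharepoint:finance", "erp:admin"}),
    "u3": ("finance", {"erp:ap_entry", "erp:gl_view", "vpn"}),
    "u4": ("hr",      {"hris:read", "sharepoint:hr"}),
    "u5": ("hr",      {"hris:read", "sharepoint:hr", "erp:gl_view"}),
}
REVIEWER = {"finance": "fin-manager", "hr": "hr-manager"}   # who certifies each department


def mine_roles(users, min_support=0.8):
    """Bottom-up role mining: an entitlement joins a department's role when at
    least min_support of that department's members already hold it."""
    members, counts = Counter(), {}
    for dept, ents in users.values():
        members[dept] += 1
        counts.setdefault(dept, Counter()).update(ents)
    return {
        dept: {e for e, n in c.items() if n / members[dept] >= min_support}
        for dept, c in counts.items()
    }


@dataclass(frozen=True)
class CertItem:
    reviewer: str
    user: str
    kind: str     # "role" (the whole job role) or "exception" (one entitlement outside it)
    target: str


def build_campaign(users, roles):
    """One item per role membership plus one per out-of-role exception: the reviewer
    certifies the job function as a unit and looks individually only at the outliers."""
    items = []
    for user, (dept, ents) in users.items():
        items.append(CertItem(REVIEWER[dept], user, "role", dept))
        for e in sorted(ents - roles[dept]):
            items.append(CertItem(REVIEWER[dept], user, "exception", e))
    return items


def apply_decisions(users, roles, items, decisions):
    """decisions: CertItem -> "keep" | "revoke". Revoking a role strips all of its
    entitlements; revoking an exception strips that single entitlement.
    Returns the revised user -> entitlements map without mutating the input."""
    revised = {u: set(ents) for u, (_, ents) in users.items()}
    for item in items:
        if decisions.get(item, "keep") != "revoke":
            continue
        if item.kind == "role":
            revised[item.user] -= roles[item.target]
        else:
            revised[item.user].discard(item.target)
    return revised


if __name__ == "__main__":
    roles = mine_roles(USERS)
    items = build_campaign(USERS, roles)
    print(roles)
    print(f"{len(items)} items to certify instead of "
          f"{sum(len(e) for _, e in USERS.values())} individual entitlements")
    for item in items:
        print(item)
```

On this data the campaign shrinks from 16 individual entitlement decisions to 11 items, and the 6 exception items are exactly the grants a manager should be asked to justify, such as the lone `erp:admin` in finance or a `gl_view` held by someone in HR. Mined roles should still be reviewed by the business owner before they drive provisioning, since a widely held entitlement is not automatically an appropriate one.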