Guide to Building a Secure Identity and Access Management (IAM) Program
Identity and Access Management (IAM) is the practice of defining and managing the enterprise roles and access privileges of network users, along with establishing any details that further qualify these access privileges. The goal of an IAM program is to create a single digital identity for each individual; key advantages of IAM include enhanced security, simplified auditing and reporting, and a streamlined user experience that boosts productivity by providing easy access from anywhere. Naturally, once each digital identity has been created, it needs to be maintained and adjusted as needed with technology shifts, or as a user’s standing, employment status, or relationship with the company changes. In this guide, you can expect to learn more about:
Modernizing an Identity and Access Management (IAM) program to account for cloud and hybrid environments is becoming increasingly complex for organizations of all sizes. Migration to the cloud requires a strong IAM strategy. The first step is to understand how your IAM strategy aligns with business objectives. Also, consider how any applicable compliance requirements factor into your Identity Management strategy. Users will demand fast and simple access to resources. Without this efficiency, users won’t adopt—or will work around—the controls in place, if they can. Finally, the strategy and road map should share an end-to-end plan for IAM workloads, both on-premises and in the cloud.
IAM is a critical and complex issue that spans departments, requiring a strategy around people, process, and technology. The majority of today’s breaches are tied to compromised credentials, and the number of credentials per user continues to increase. According to a McAfee survey, users “have an average of 23 online accounts that require a password, but on average only use 13 unique passwords for those accounts. 31% only use two to three passwords for all their accounts so they can remember them more easily. And lists are far from dead, as the most common way to remember passwords is to keep a written or digital list of all passwords (52%).” Security through integrated technologies is only one key component. Without collaboration among all business stakeholders, and a clear understanding of responsibilities, there will be critical gaps in your IAM program. A technology or product alone will not solve this problem.
Today’s Identity Access Management solutions do a lot more than just sync passwords or manage access rights. They need to be business-process oriented and tightly integrated with your business processes. Establishing an agreed-upon strategy will help align stakeholders, including IT executives and line-of-business managers. It’s essential to understand the interests and priorities of each area of the business throughout the IAM modernization project. Through this alignment, key stakeholders will understand the benefits of IAM (e.g. how it creates efficiency and security for them and their team) and will ensure the processes and technology accomplish your objectives and outcomes.
Now that you have a plan, the next step is to determine who is going to implement and manage your IAM modernization strategy. Often, several managers are needed to ensure every requirement is satisfied. Unfortunately, training existing IT Administrators is just not an option. In addition, you now have the operational aspect of running an IAM program to consider—fielding support tickets, incident monitoring and resolution, etc., as an IAM program is only as good as its management.
To address these challenges and acquire the skills necessary to successfully transition to a modern IAM solution, organizations rely on professional services providers like Anexinet. Anexinet provides services that help your organization with strategy and business alignment, IAM tool selection, implementation and operationalization, along with providing ongoing management. These services are available in many capacities, whether you want to supplement and train existing staff for a specific project or need Anexinet to lead and provide all managed services. Many flexible models are available to ensure your success.
Organizations have made significant investments in IAM over the past few years. Building a new, modernized IAM program that meets digital transformation initiatives requires new skills, experience and insights designed to grow the business. A holistic approach to modernization will help ensure your business is successful and secure.
From small and mid-sized businesses to Fortune 500 companies, IT organizations everywhere are abandoning on-premises software in favor of on-demand, cloud-based services. As more companies transition to hybrid configurations, maintaining tight control over resource access becomes increasingly important. In addition, users must keep track of the countless URLs, usernames, and passwords they use to access their applications and data. The following are the top five identity and access management (IAM) challenges associated with adopting a hybrid environment, along with some best practices for addressing each of them.
Enterprises eager to leverage the benefits of the cloud (e.g. scalability, customization, mobility, and more) are transitioning away from traditional environments at an astonishing rate. Specifically, we are seeing enterprises migrating IT workloads to a hybrid infrastructure, with cloud environments seeing the greatest growth in adoption. The hitch is that common, on-premises legacy identity management deployments can be difficult to replicate in a cloud environment.
Therefore, protecting cloud resources will require a shift in IT—whether that means expanding an existing legacy access management platform or implementing a new one. Both come with challenges. If remaining on-premises, mirroring components such as the heavy database infrastructure for session storage, policies and encryption keys is complex and expensive to manage. Deploying a new solution, however, means overcoming some migration complexities, as well as a learning curve. On the whole, however, pursuing a cloud-ready solution has a far greater upside.
IAM systems can be cloud-based (IDaaS) or on-premises; a modern cloud-IAM solution is generally much more lightweight and cloud-ready, allowing protection for resources hosted on-premises and in the cloud. Today, more organizations are moving to cloud IAM systems. Reports indicate only 38% of enterprises expect to remain on-prem for the next three years; 60% will rely on a third-party IAM service that supports multiple cloud environments and unifies access across on-prem and public-cloud resources. These hybrid or SaaS-based solutions and policies can be easily extended from on-premises to the cloud to ensure the right people have access to sensitive resources. Additional advantages of cloud IAM include cost savings in infrastructure and maintenance, increased reliability (a reduced risk of downtime), and ease of upgrade, so your software is always current.
Remote employees are increasingly becoming the norm rather than the exception; in the last decade, the number of remote workers jumped 115%. One strategy for recruiting and retaining the best talent is providing a flexible work environment. However, with employees requiring access from all over the globe, maintaining a consistent user experience without sacrificing security is a daunting challenge for IT teams. Reduced visibility and control over employee work practices have made traditional workplace security methods impractical. To further complicate matters, BYOD enables employees, contractors, partners, and others to connect devices and access the corporate network. IT needs to address these devices and protect company assets without disrupting employee productivity and the user experience.
Many organizations have IAM best practices in place; however, these practices and procedures are only effective if they are adhered to across the organization. Unchecked or mismanaged exceptions to IAM policies are the most common cause of compromised data. Even with policies in place, it’s critical to periodically review and validate your IAM program for areas of strength and weakness and make adjustments as necessary. In addition, IAM needs to be included in your overall modernization strategy to ensure the solution you implement today is still secure tomorrow.
The effective management and security of user identities and data requires visibility into all aspects of IAM, yet many organizations still lack this essential component. Without a unified approach and a centralized user directory, identity sprawl is (or will become) a real challenge. Identity sprawl occurs when a user’s identity is managed by siloed, unsynchronized systems, resulting in multiple identities for each user. Investment in a corporate directory (such as Microsoft Active Directory) is necessary to manage access to on-premises network resources. And as your organization adopts cloud-based services, most can be extended into the cloud. Oftentimes, however, an application isn’t—or can’t be—integrated with the central directory service, requiring the management of another set of user identities to support access and grant permissions. With cloud and SaaS-based services being accessible to IT and non-IT staff alike, this challenge is not going away.
One of the main challenges of identity sprawl is simply knowing every system that holds identities or manages data security, so the first critical step is to identify these systems. Once this step is complete, it’s essential to gather all requirements and lay out a unified plan. If the chosen solution fails to support your requirements and provide the services users require, your project will also likely fail. In addition, when establishing a centralized repository, it’s important to analyze risk to determine the potential impact of centralizing critical data so appropriate countermeasures may be implemented.
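Identifying the systems that hold identities is the first step; the second is linking each application account back to its directory identity so that orphans and duplicates become visible. The following added example (not code from the original article or from Anexinet) reconciles constructed user exports from two hypothetical SaaS applications against a constructed central-directory dump, matching by normalized e-mail address or account name, and reports three symptoms of sprawl: application accounts with no directory identity, accounts that are still active although the directory account is disabled, and people who appear under several distinct logins. System names, field names and addresses are all invented for the example.

```python
"""Reconcile application accounts against the central directory (added example)."""
from collections import defaultdict

# Constructed sample: the trusted central directory, one record per person.
DIRECTORY = [
    {"sam": "jdoe",   "mail": "Jane.Doe@example.com",  "enabled": True},
    {"sam": "bsmith", "mail": "bob.smith@example.com", "enabled": False},
    {"sam": "mlee",   "mail": "m.lee@example.com",     "enabled": True},
]

# Constructed sample: user exports from two apps that keep their own identity stores.
APP_EXPORTS = {
    "crm": [
        {"login": "jane.doe@example.com"},
        {"login": "bob.smith@example.com"},       # directory account is disabled
        {"login": "contractor42@partner.test"},   # no directory identity at all
    ],
    "ticketing": [
        {"login": "JDOE@EXAMPLE.COM"},            # same person, account name + casing differ
        {"login": "jane.doe+admin@example.com"},  # second identity for the same person
        {"login": "m.lee@example.com"},
    ],
}


def normalize(address: str) -> str:
    """Canonical form for matching: lower-case, strip '+tag' sub-addresses."""
    local, _, domain = address.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def build_index(directory):
    """Map every known identifier (normalized mail and account name) to its record.

    Matching a login's local part against account names is a heuristic: it can
    produce a false link if an external address happens to reuse an internal
    account name, so review matches of that kind by hand.
    """
    index = {}
    for rec in directory:
        index[normalize(rec["mail"])] = rec
        index[rec["sam"].lower()] = rec
    return index


def reconcile(directory, app_exports):
    """Return (orphans, disabled_but_active, multi_identity).

    orphans:             (app, login) pairs with no directory identity
    disabled_but_active: (app, login, sam) where the directory account is disabled
    multi_identity:      {sam: sorted distinct logins} for people seen under >1 login
    """
    index = build_index(directory)
    orphans, disabled_active = [], []
    logins_by_sam = defaultdict(set)
    for app, users in app_exports.items():
        for user in users:
            key = normalize(user["login"])
            rec = index.get(key) or index.get(key.partition("@")[0])
            if rec is None:
                orphans.append((app, user["login"]))
                continue
            if not rec["enabled"]:
                disabled_active.append((app, user["login"], rec["sam"]))
            logins_by_sam[rec["sam"]].add(user["login"].lower())
    multi = {sam: sorted(logins) for sam, logins in logins_by_sam.items() if len(logins) > 1}
    return orphans, disabled_active, multi


if __name__ == "__main__":
    orphans, disabled_active, multi = reconcile(DIRECTORY, APP_EXPORTS)
    print("orphans:", orphans)
    print("disabled but active:", disabled_active)
    print("multiple identities:", multi)
```

Each finding maps to a remediation the plan should already name: orphans need an owner or deprovisioning, accounts that outlive a disabled directory record are a joiner-mover-leaver gap, and a person with several logins is a candidate for consolidation under SSO. Run the same reconciliation on every export the inventory step produced, not just the obvious ones.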
The growth of cloud-based applications means users must remember an increasing number of passwords and may be required to use numerous authentication protocols. User frustration can result from the additional time needed to manage multiple passwords along with varying requirements for password complexity, history, expiration length, etc. Users tire of remembering passwords for different accounts and as a result use the same password for multiple accounts. The problem, of course, is that if one account becomes compromised, others can be easily compromised as well. Due to the prevalence of outside threats, passwords have become essential to holding and managing accounts, yet companies continue to rely on key accounts that serve critical functions (e.g. human resources, finance, access to protected data, and contract management). A balance of security and ease of management is essential to keep these critical accounts safe.
Enterprises can readily make password issues a thing of the past by federating user identity and extending secure Single Sign-On (SSO) capabilities to SaaS, cloud-based, web-based, and virtual applications. However, solid design and groundwork must be laid in order to trust the identities being federated. Assessment and cleanup of your Active Directory (or whichever directory is your trusted source) is absolutely vital. In addition, once implemented, having governance in place to ensure users are provided appropriate access is a key component of ongoing security.
The growing use of cloud services (IaaS, PaaS, and SaaS) by organizations of every kind should come as no surprise, since they offer enterprises instant access and predictable expenses. The security of these cloud services, however, is much less predictable. Such a diverse cloud footprint creates a security and compliance risk for any organization. According to a Kleiner Perkins report, cloud-enabled applications have risen because they are cheaper to build and easier to adopt. But the report states they have “serious security and compliance implications” and that 94% of all cloud apps used are “not enterprise ready.”
For example, many breaches occurred on Amazon S3 buckets, and companies breached had cloud networks that were open for weeks, giving ample time for cyber-criminals to take advantage of the security holes. One leak involved a third-party contractor who misconfigured an Amazon S3 server and leaked 50,000 records of Australian employees. In another incident, Accenture misconfigured an Amazon server, accidentally exposing more than 137 gigabytes of data, including databases of 40,000+ credentials and passwords. The risk here is not only IaaS. With cloud infrastructure applications such as online backup, virtual desktops, platform services, and other tools growing significantly during the past three years, the risk vector has grown exponentially.
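The S3 incidents above share one root cause: a bucket policy (or ACL) that lets anyone on the internet read the data. The following added example (not code from the original article, from Anexinet, or from any AWS tool) is an offline check over bucket-policy documents that reports Allow statements whose Principal is everyone and that carry no condition bounding the caller. The set of "scoping" condition keys is a simplified approximation of the keys AWS treats as making a policy non-public; the policies, bucket names and account id are constructed placeholders.

```python
"""Flag bucket-policy statements that grant anonymous access (added example)."""
import json

# Constructed sample: the kind of policy that left the buckets in the article open.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-backup-bucket/*",
    }],
})

# Constructed sample: wildcard principal bounded by a VPC endpoint, plus a named role.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FromOurVpcOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-internal-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}},
        },
        {
            "Sid": "BackupWriter",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-internal-bucket/*",
        },
    ],
})

# Condition keys assumed to bound the caller (approximation, lower-cased for matching).
SCOPING_CONDITION_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:sourceaccount",
    "aws:sourcearn", "aws:principalorgid", "aws:principalaccount",
    "aws:principalarn", "aws:userid",
}
WHOLE_INTERNET = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """IAM JSON allows a string or a list in most places; treat both uniformly."""
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal) -> bool:
    """True when the Principal element admits any caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def condition_scopes_principal(condition) -> bool:
    """True when some Condition clause bounds who may call.

    Negated operators (StringNotEquals, NotIpAddress, ...) exclude callers rather
    than bound them, and an aws:SourceIp of 0.0.0.0/0 bounds nothing.
    """
    for operator, clause in (condition or {}).items():
        if "not" in operator.lower():
            continue
        for key, values in clause.items():
            if key.lower() not in SCOPING_CONDITION_KEYS:
                continue
            if key.lower() == "aws:sourceip" and set(_as_list(values)) & WHOLE_INTERNET:
                continue
            return True
    return False


def find_public_statements(policy_document: str):
    """Return [(sid_or_index, actions, resources)] for Allow statements open to everyone."""
    policy = json.loads(policy_document)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        if condition_scopes_principal(stmt.get("Condition")):
            continue
        findings.append((stmt.get("Sid", f"statement[{idx}]"),
                         _as_list(stmt.get("Action", [])),
                         _as_list(stmt.get("Resource", []))))
    return findings


if __name__ == "__main__":
    for name, doc in (("open", OPEN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", find_public_statements(doc) or "no public statements")
```

In practice this check belongs in the pipeline that creates or changes buckets, alongside the account-level block-public-access setting; a policy analysis like this one is a detective control that catches the misconfiguration before it has been exposed for weeks, which is what the incidents above turned on.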
The type of enterprise data stored in the cloud is also the data most at risk, including emails, customer information, consumer data, employee records, and payments. It’s vital to have an integrated toolset that spans all these technologies—both on-premises and emerging cloud services—that can provide monitoring from a single pane of glass. Manually correlating events from multiple tools is too complex and labor-intensive to effectively address real concerns in a timely manner. By the time a breach is caught, it’s likely too late, if it gets caught at all.
Federal agencies and DoD components are required to maintain compliance with information security controls so sensitive government information and IT assets remain protected. Many of these compliance requirements also apply to private sector contractors and subcontractors who work with these government agencies (e.g. Defense Federal Acquisition Regulations Supplement (DFARS) certification and the newly announced Cybersecurity Maturity Model Certification (CMMC)). Companies often struggle with the underlying technical complexities of implementing effective solutions in order to meet the information security controls specified by the National Institute of Standards and Technology (NIST) Security Engineering and Risk Management Group. Cloud services make this challenge even more difficult. Addressing these technical complexities takes integrated, comprehensive solutions powered by automation and extensible analytics. This approach significantly improves visibility into both on-premises and cloud operations, enabling data-driven decision-making that aligns with regulations and compliance requirements.
Adding to the challenges of the scale and diversity of these environments is the near-constant change introduced by the immediate availability cloud services provide. The dynamic nature of these systems and users requires continuous monitoring to truly understand the ideal security posture. It’s critical to establish a formal security program with a clearly defined owner, accountability, and governance structure. Key components of this program include clear business expectations, policies, and technical standards for security. Additionally, the program should include guidance on proactive security controls, such as implementation of patches and updates, change management, or secure configurations, along with Incident Response, Disaster Recovery, and Business Continuity plans. Finally, security-awareness training plans are invaluable for encouraging users to think security-first, since this is the area where most attacks originate. Implementing this plan can be a monumental task, however, especially with overwhelmed staff and an inadequate budget. This is where a Managed Security and Operations Provider like Anexinet can help—whether through an augmentation effort, or by providing a fully managed service to maintain and enhance your security program.
Every security technology website today features at least one article about Identity Management (IdM). Many of these point to tools and products that magically give you a complete IdM system or fill some gap in your IdM posture. But for those who are less mature in their journey, or who haven’t revisited their IdM Program since the iPhone 4, let’s review the process of building (or assessing) an IdM Program. Just so we’re all on the same page, an IdM Program is the playbook your organization will use to define, build, manage, and govern its IdM.
Start by articulating the overarching strategy of your IdM Program. State the strategy in terms non-technical users can understand. This is the core tenet of why your program exists and describes its value to your organization. Keep in mind this statement can be referred to in the future when securing funding for a new IdM initiative, so it is critically important to get it right.
Next, define the program’s business and technical requirements. Survey constituents throughout the organization to ensure you don’t miss a key requirement. Business requirements might include regulatory concerns, user/partner/customer satisfaction concerns, data and privacy issues, ability to support new initiatives, and costs. Technical requirements may include the use of automation for efficiency, open standards to allow federation across multiple systems, system capacity needs, process limitations, and SLA considerations.
Finally, define who and what the Program is meant to protect. Here, you would define the internal user groups, partner or supplier user groups, and customer user groups. You will also need to define the access vectors, audit requirements, and access requirements for each of these groups. Simply put, this is where you define who has access, what they have access to, how they would access it, how long they should have access to it, and who can approve or deny the access.
Further, this section of your Program should be reviewed on a regular basis to ensure the requirements remain aligned with the current reality of the business.
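The "who, what, how, how long, and who approves" definition above is only useful if grants are checked against it on that regular review cycle. The following added example (not code from the original article or from Anexinet) models each grant with exactly those five attributes and reviews a constructed set of grants against constructed per-resource rules, flagging grants that have expired, use an access vector the resource does not permit, were approved by someone outside the resource's approver group, or run longer than the resource's maximum grant length. Resource names, vectors, approver roles, people and dates are all hypothetical.

```python
"""Review access grants against an IdM program's who/what/how/how-long/approver rules (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_vectors: frozenset   # how the resource may be reached ("sso", "vpn", "api", ...)
    approvers: frozenset         # roles permitted to approve access to it
    max_days: int                # longest grant the policy allows


@dataclass(frozen=True)
class Grant:
    who: str                     # the user group or person
    what: str                    # resource name
    how: str                     # access vector used
    granted: date
    expires: date                # how long they should have access
    approved_by: str             # who approved it


# Constructed sample rules: the "what / how / who approves / how long" side.
RESOURCES = {
    "hr-payroll": Resource("hr-payroll", frozenset({"sso"}), frozenset({"hr-director"}), 90),
    "build-api":  Resource("build-api", frozenset({"sso", "api"}), frozenset({"eng-manager", "ciso"}), 365),
}

# Constructed sample grants: the "who has access" side, as a review would export them.
GRANTS = [
    Grant("jdoe",   "hr-payroll", "sso", date(2024, 1, 10), date(2024, 3, 31), "hr-director"),  # past expiry
    Grant("mlee",   "hr-payroll", "vpn", date(2024, 5, 1),  date(2024, 6, 30), "hr-director"),  # vector not allowed
    Grant("bsmith", "build-api",  "api", date(2024, 5, 1),  date(2024, 12, 31), "team-lead"),   # approver not authorized
    Grant("ckim",   "build-api",  "sso", date(2024, 5, 1),  date(2025, 6, 1),  "eng-manager"),  # 396 days > 365
    Grant("rpatel", "build-api",  "sso", date(2024, 5, 1),  date(2024, 8, 1),  "ciso"),         # clean
]

AS_OF = date(2024, 6, 15)   # constructed review date


def review(grants, resources, today):
    """Return {(who, what): [issue, ...]} for every grant with at least one issue."""
    issues = {}
    for g in grants:
        found = []
        res = resources.get(g.what)
        if res is None:
            found.append("unknown-resource")   # a grant to something the program never defined
        else:
            if g.how not in res.allowed_vectors:
                found.append("disallowed-vector")
            if g.approved_by not in res.approvers:
                found.append("unauthorized-approver")
            if (g.expires - g.granted).days > res.max_days:
                found.append("exceeds-max-duration")
        if g.expires < today:
            found.append("expired")   # still present in the export, so still live
        if found:
            issues[(g.who, g.what)] = found
    return issues


def review_sample():
    """Run the review over the constructed data as of the constructed review date."""
    return review(GRANTS, RESOURCES, AS_OF)


if __name__ == "__main__":
    for (who, what), found in review_sample().items():
        print(f"{who} -> {what}: {', '.join(found)}")
```

The point of keeping the rules in data rather than in people's heads is that the same function runs unchanged each review cycle; when the business changes (a new approver group, a shorter allowed duration), only the resource definitions move, which is the regular re-alignment the paragraph above calls for.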
In this step of your Program you will define who has responsibility for the operation and governance of the IdM/IAM/PAM systems. You’ll want to provide a high-level overview of who has administrative responsibility within each IdM domain, along with their reporting and governance requirements. The goal here is to ensure you have adequate staff with the right experience to properly administer all systems, and that clear, consistent reporting and governance is implemented. This step is also helpful in determining whether you need to utilize contract or MSP resources.
In order to build the reference architecture, you must first inventory all the systems and applications that will leverage the identity platforms. This includes infrastructure, OS, core applications, customer applications, and cloud applications. If you’re leveraging APIs for application integration or microservices, you may have identity requirements there, too. Ensure you’re gathering any technical requirements, dependencies or limitations with the inventory.
Next, you will need to inventory all associated IdM systems. These include directory, password management, vaults, SSO, provisioning, access, and auditing tools. You’ll want to list the major capabilities and standards each tool has. If you plan to integrate data or events across toolsets, you’ll also want to list API capabilities.
Finally, build your high-level reference architecture with a focus on how the systems will support IdM processes during standard end-user or application workflows. This section tells the story of how toolsets will support your needs and should expose any gaps in your toolsets or capabilities.
That’s it! We hope you found our explanation of common Identity and Access Management (IAM) program adoption barriers, IAM challenges and considerations helpful and informative. If your organization has any trouble following our steps to building a secure Identity Management Program, please don’t hesitate to reach out to us. Further, if your organization needs additional help getting started, or would simply like an outside opinion on how well you’re progressing, Anexinet’s IAM Modernization Assessment will get you moving quickly by providing strategic direction around the steps necessary to strengthen, mature and modernize your Identity Management Program.