
Reviewing Your Identity and Access Management (IAM)

Updated: Jun 6



In today's digital landscape, securing access to sensitive systems and data is more critical than ever. Identity and Access Management (IAM) plays a vital role in ensuring that the right individuals have the appropriate access while keeping unauthorized users out. IAM encompasses a set of policies, processes, and technologies designed to authenticate, authorize, and manage user identities across an organization. By implementing effective IAM strategies, businesses can enhance security, maintain compliance, and reduce the risk of data breaches.

 

There are 4 key areas for an IAM program:

  • Identity Governance (IG)

  • Access Management (AM)

  • Privileged Access Management (PAM)

  • Directory Management (DM)

 

When evaluating your IAM structure, here are a few questions and considerations to review:

 

DO YOU HAVE AN INVENTORY OF ACCOUNTS?

IDENTITY GOVERNANCE (IG)


IG is generally the process for how accounts are requested and managed. This typically involves addressing the following:

  • Provisioning and de-provisioning

  • Entitlement management

  • Access review processes and workflows

  • Access Certification

  • Role-based access assignment

  • Compliance management

  • Separation of Duties

 

When evaluating your IG capabilities, here are a few considerations to review:

  • Are accounts linked to a central directory?

    • If not, how do you manage accounts outside of the directory?

  • Do you use a standard nomenclature for IDs?

    • Is there a common password complexity and expiration enforced?

  • How often do you reuse IDs?

  • How do you identify the access to include in roles?

 

HOW DO YOU APPROACH DEFINING ROLES?

ROLE-BASED ACCESS CONTROL


Role-based access control (RBAC) is effective—but has its limits.

  • While core systems are typically assigned based on roles, it becomes challenging to define all access through a single role.

 

Three key factors determine a person’s role:

  • Who they are (identity, department, seniority)

  • What they do (job function, responsibilities)

  • Where they are (location, network access, security zones)

 

Attribute-based access control (ABAC) offers a scalable alternative. Assigning access based on attributes allows for greater flexibility and improves auditability within your directory.

 

DEFINING ROLES

 

Identifying Key HR Attributes for Access Control

  • The goal is to pinpoint specific HR attributes that determine whether an individual is authorized for a given position.

  • These attributes could include job title, department, employment status (full-time, contractor, etc.), clearance level, and tenure within the organization.

 

Streamlining Access Assignment and Automation

  • By leveraging these HR attributes, organizations can automate the process of assigning access, reducing manual provisioning and the risk of human error.

  • This method also enhances directory validation, ensuring that access rights are consistently aligned with an individual’s role and employment status.

 

Expanding Role Definitions for Greater Flexibility

  • Traditional role-based access control (RBAC) relies on broad categories like who they are, what they do, and where they are.

  • Incorporating HR-driven attributes into the model results in more granular and dynamic roles, improving security and enabling better access governance.

  • While this may create more distinct roles, it provides greater precision and scalability, making it easier to adapt to organizational changes.


By integrating HR attributes into access control, organizations can enhance security, improve compliance, and simplify identity management at scale.
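As an added example (not code from the original post or from CyberForce|Q), the following Python sketch shows HR attributes driving entitlements directly, as the ABAC approach above describes, and a reconcile step that automates joiner/mover/leaver changes. The HR field names, entitlement names and policy rules are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    """HR attributes the post lists as access drivers (field names are assumed)."""
    user_id: str
    job_title: str
    department: str
    employment_status: str   # "full-time", "contractor" or "terminated"
    clearance: int           # 0 = none; higher values are more trusted
    tenure_days: int
    location: str


# Each entitlement is granted only when every predicate over the HR record holds.
# Entitlement names and rules are constructed for illustration, not a real policy.
POLICY = {
    "email":           [lambda r: r.employment_status in ("full-time", "contractor")],
    "vpn":             [lambda r: r.employment_status in ("full-time", "contractor"),
                        lambda r: r.location != "restricted-site"],
    "payroll-read":    [lambda r: r.department == "finance",
                        lambda r: r.employment_status == "full-time"],
    "payroll-approve": [lambda r: r.department == "finance",
                        lambda r: r.job_title == "controller",
                        lambda r: r.tenure_days >= 90],
    "secure-lab":      [lambda r: r.employment_status == "full-time",
                        lambda r: r.clearance >= 2],
}


def entitlements_for(record):
    """Derive the entitlement set from attributes instead of a hand-assigned role."""
    return {name for name, rules in POLICY.items() if all(rule(record) for rule in rules)}


def reconcile(record, current):
    """Diff what the directory holds against what HR attributes justify (joiner/mover/leaver)."""
    target = entitlements_for(record)
    return {"grant": sorted(target - current), "revoke": sorted(current - target)}


if __name__ == "__main__":
    # Constructed sample: a finance controller moves to engineering.
    before = HrRecord("u1", "controller", "finance", "full-time", 1, 400, "hq")
    after = HrRecord("u1", "engineer", "engineering", "full-time", 1, 400, "hq")
    print(reconcile(after, entitlements_for(before)))
```

A terminated record satisfies no rule, so the same reconcile call produces the full revoke list for a leaver without any role lookup.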

 

ACCESS DELEGATION

 

Do you have a structured process for delegating access when an employee leaves or takes an extended leave, such as FMLA?

 

When access is transferred, how do you track actions taken by the delegated individual versus the original account owner?

 

  • For temporary access during FMLA, is the original account owner notified that their account was accessed?

  • During compliance investigations, how do you ensure transparency and accountability for actions taken while access was delegated?

 

Establishing clear policies and auditing mechanisms is crucial to maintaining security, compliance, and accountability in these situations. How does your organization handle it?
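One way to answer the tracking and notification questions above, as an added example that is not part of the original post: a delegation ledger that time-boxes each grant and logs the real actor separately from the account acted on. The class, field names and sample users are assumptions constructed for illustration.

```python
import time

DAY = 86400  # seconds


class DelegationLedger:
    """Time-boxed delegation grants plus an audit trail that names both parties."""

    def __init__(self, clock=time.time):
        self.clock = clock      # returns UNIX time; injectable so expiry can be tested
        self.grants = {}        # (owner, delegate) -> expiry (UNIX time)
        self.events = []        # append-only audit log

    def delegate(self, owner, delegate, days, reason):
        """Grant a delegate access to the owner's account for a fixed number of days."""
        expiry = self.clock() + days * DAY
        self.grants[(owner, delegate)] = expiry
        self.events.append({"ts": self.clock(), "type": "delegation-granted", "owner": owner,
                            "delegate": delegate, "expires": expiry, "reason": reason})
        return expiry

    def act(self, actor, account, action):
        """Record an action on an account; actor and account are logged separately."""
        now = self.clock()
        if actor != account:
            expiry = self.grants.get((account, actor))
            if expiry is None or now > expiry:
                self.events.append({"ts": now, "type": "denied", "actor": actor,
                                    "on_behalf_of": account, "action": action})
                raise PermissionError(f"{actor} has no active delegation for {account}")
        self.events.append({"ts": now, "type": "action", "actor": actor,
                            "on_behalf_of": account, "action": action})

    def owner_notifications(self, owner):
        """Everything someone else did as the owner: what the owner should be told."""
        return [e for e in self.events
                if e["type"] == "action" and e["on_behalf_of"] == owner and e["actor"] != owner]

    def investigate(self, account):
        """Compliance view: every attempt on the account, attributed to the real actor."""
        return [(e["ts"], e["type"], e["actor"], e["action"]) for e in self.events
                if e["type"] in ("action", "denied") and e["on_behalf_of"] == account]


if __name__ == "__main__":
    ledger = DelegationLedger()
    ledger.delegate("alice", "bob", days=30, reason="FMLA leave coverage")  # constructed sample
    ledger.act("bob", "alice", "approve-invoice-1042")
    print(ledger.owner_notifications("alice"))
```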

 

IDENTITY NOMENCLATURE


Many organizations use the local part of an email address as a user’s unique identifier (ID). While this approach may simplify user management, it also introduces several security and operational concerns:


1. Exposing Half of Login Credentials

  • If an email address serves as a user ID, it effectively exposes half of the login credentials in every email sent or received.

  • This increases the risk of credential-based attacks, such as phishing and brute-force login attempts.


2. Handling Name Changes in User IDs

  • What happens when an employee changes their name?

    • If their email-based ID is tied to their name, updating it can create consistency and access management issues.

    • Systems that don’t support ID changes easily may require manual intervention, leading to operational inefficiencies and potential account duplication risks.


3. Challenges with Name Length in Various Systems

  • Some legacy or third-party systems have character limits on usernames, often restricting them to 8 characters or fewer.

  • This can cause issues when integrating with modern identity and access management (IAM) systems, requiring workarounds like truncation or alternate user IDs.

  • Inconsistent naming conventions across platforms may lead to authentication failures and user confusion.
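As an added example (not code from the original post), here is a small Python registry that addresses all three concerns: login IDs are opaque and never derived from the name or email address, a name change touches only the display attributes, every ID fits the 8-character limit mentioned above, and retired IDs are never reissued. The class and helper names are assumptions for illustration.

```python
import re
import secrets

# Alphabet without 0/o and 1/l/i so IDs survive being read aloud or typed into legacy systems.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
LEGACY_MAX_LEN = 8   # username limit the post cites for some legacy and third-party systems


class IdentityRegistry:
    """Login IDs are opaque and permanent; names and email addresses are mutable attributes."""

    def __init__(self):
        self.active = {}      # user_id -> {"display_name": ..., "email": ...}
        self.retired = set()  # IDs of departed users; never reissued

    def new_id(self):
        # One fixed letter plus 7 random characters: exactly 8, and unrelated to the person.
        while True:
            uid = "u" + "".join(secrets.choice(ALPHABET) for _ in range(LEGACY_MAX_LEN - 1))
            if uid not in self.active and uid not in self.retired:
                return uid

    def create(self, display_name, email):
        uid = self.new_id()
        self.active[uid] = {"display_name": display_name, "email": email}
        return uid

    def rename(self, uid, display_name, email):
        """A name change updates only the display attributes; the login ID is untouched."""
        self.active[uid].update(display_name=display_name, email=email)
        return uid

    def retire(self, uid):
        self.retired.add(uid)
        del self.active[uid]


def fits_legacy(uid):
    """Does the ID fit an 8-character, letter-first, lowercase alphanumeric constraint?"""
    return len(uid) <= LEGACY_MAX_LEN and re.fullmatch(r"[a-z][a-z0-9]*", uid) is not None


def mirrors_email(uid, email):
    """Flag the pattern the post warns about: the login ID equals the email local part."""
    return uid.lower() == email.split("@", 1)[0].lower()


if __name__ == "__main__":
    reg = IdentityRegistry()
    uid = reg.create("Jane Smith", "jane.smith@example.com")   # constructed sample user
    reg.rename(uid, "Jane Doe", "jane.doe@example.com")
    print(uid, fits_legacy(uid), mirrors_email(uid, reg.active[uid]["email"]))
```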

 

ACCESS MANAGEMENT (AM)

 

AM is the part of IAM that focuses on managing access into systems. Typically, this is done through a central directory.

AM usually involves addressing the following:

  • Authentication

  • Authorization

  • Monitoring

  • Reporting


IDENTITY VERIFICATION CHALLENGES

 

How do you reset access to accounts when a password is forgotten?


How do you know that the person you are talking to is who they claim to be?


  • When AI can be used to mimic voices and video, what approach do you take?

  • How do you verify third parties that may need access restored?

 

HOW DO YOU MANAGE EXTERNAL ACCESS FOR VENDORS?

PRIVILEGED ACCESS MANAGEMENT (PAM)

 

PAM tools are designed to manage and facilitate access to accounts with elevated privileges.


Some of the typical features managed by a PAM solution include:

  • Central storage and management of privileged accounts.

  • Approval workflows for checking out accounts.

  • Temporary assignment of privileges.

  • Session monitoring, recording, and analysis.


PAM solutions can also be used to manage emergency or third-party access.

 

DIRECTORY MANAGEMENT (DM)

 

DM is the overall process and technology for managing the central directory, typically Active Directory or Google.


Typically, this involves the following:

  • Integrating the directory with external identity providers.

  • Monitoring and auditing changes to the directory.

  • Reporting events to compliance or cybersecurity.

  • Organizing objects and organizational units (OUs) within the directory.


DM CONSIDERATIONS


Do all the authentication servers/domain controllers have the same importance?

  • Are there any critical functions tied to a specific server?


Do you have a replication lag site?

  • This is a server with intentionally delayed replication, so a copy of the directory from before an erroneous or malicious change remains available for recovery.


Do you have a way to identify the type of account (admin, service, generic, vendor, etc.) and who it is assigned to?


At CyberForce|Q, we are committed to supporting your team with all aspects of Identity and Access Management (IAM). Whether you're building a new IAM program, refining existing policies, or tackling complex security challenges, our team of experts is here to help.

 

Every organization is unique, which is why we meet you where you are in your cybersecurity journey and tailor our solutions to your needs. Reach out to solutions@cyberforceq.com.


Learn more about CyberForce|Q.

