Identity access management demystified
In a time of ubiquitous networks, multiple applications, and limited control over assets, we security professionals need to ensure that our companies’ information remains safe and available only to certain individuals. It’s my view that identity access management should be at the top of our list of priorities.
However, the sheer number of identities with which today’s corporate users are issued makes achieving robust identity access management tricky. People typically have a different set of credentials for email, internal applications, HR systems, etc., and each system has its own password policy.
IT teams also need to closely monitor internal staff movements, such as resignations and new hires, on an ongoing basis. What happens when someone’s promoted into a new role? What privileges do they retain? Does an extension of privileges represent a breach in separation of duties? What about that audit report on dormant accounts and privilege use?
These issues aren’t new; they were around when I conducted my first IT security audit in 2001. I believe that overcoming them calls for more than technology; it also involves process and policy change. A good place to start is to clearly define the various roles in your organisation and link them to a profile of applications. Include HR onboarding and termination processes, so you have visibility of the lifecycle of the identity. Revisit your policies on information and system classification, and put in place formal measures to track your progress twice a year. Finally, make use of available technologies to streamline the process of provisioning and de-provisioning identities based on the user’s role. This will enable you to provide users with a single identity throughout the organisation.
Identity access management needs to be considered as a programme rather than a project, due to the various touchpoints it has with internal policy and processes, technologies, and functions such as HR. Also, remember that it’s likely to be a two-to-three-year journey … but there’s no better time to start.