The recent Verizon Data Breach Investigation Report concludes that stolen credentials now account for 61% of all data breaches. A zero-trust security framework is your enterprise’s best defense against bad actors and exfiltration of your most valuable data, and identity access management (IAM) is the cornerstone of that framework.
There are four primary functions of IAM:
- Identity management, the process of user account creation and deletion
- Access management, the process of assigning or de-assigning user access to specific resources
- Identity governance, the policy-based centralized orchestration of user identity management and access control
- Privileged access management, which safeguards identities with special access or capabilities beyond regular users.
These functions are interdependent and overlapping.
This blog will focus on identity management and governance—core capabilities that are instrumental in a zero-trust security approach.
Successful identity management and governance consists of four main pillars:
- Certification of user access
- Policy enforcement
What exactly is each of these pillars? Let’s break them down.
Certification of user access
With COVID and issues such as the great resignation, more and more employees were asked to take on additional roles and responsibilities until businesses could return to normal. To survive in the face of a global crisis and accommodate the new remote workforce, privileged and remote access multiplied across users, creating a perfect storm for bad actors to exploit vulnerabilities around that access. Ideally, temporary access is removed once it is no longer essential. The reality, however, is that IT personnel and managers often lose sight of who has access to what. And when they do finally get a chance to address these discrepancies, it’s a difficult mess to untangle—especially when those in IT have little insight into what resources each individual employee needs or does not need access to. The problem is further compounded when there is little to no automation to aid the process.
The certification capabilities provided by IAM governance solutions are helping to resolve access and privilege discrepancies and minimize access creep. These solutions typically handle certification of access using eight steps.
Where certification of access is central to identity governance, automation is the mechanism by which it is maintained. Solutions with an automation component eliminate the need for manual tracking and generally include full audit and reporting capabilities, alleviating IT security and leadership workloads.
Establishing extensive security policies provides clarity for your employees and direction for proper security procedures, and ensures that you are doing due diligence to protect your organization against security threats. Identity management and governance solutions help you manage and enforce these policies, especially where provisioning, certification, and segregation of duties is concerned.
- Provision policy defines which resources users are authorized to access. Most often, these policies are implemented automatically for users according to their role.
- Certification policy is the process of confirming that an individual still needs access to a specific resource to perform their job.
- Segregation of duties policy is a control that requires different user roles to complete different parts of a task, in order to reduce the risk of inappropriate actions that could lead to a loss or misappropriation of assets.
Identity management and governance solutions are critical components to solving these very serious security risks.
In the new world of remote work, access creep is one of the largest security threats to organizations. Users are granted access to various resources at various times during their timeline of employment. Without the proper auditing tools in place, that access might be sustained unnecessarily throughout the user’s tenure. This contributes to multiple separation-of-duties violations and widens the attack surface for potential threats. Certification audits used to be for complying with regulatory requirements, but while compliance with those regulations is still required, certification of access is now much more important than simply passing your SOX, HIPAA, or other regulatory audits. To minimize vulnerability, it is critically important that users have the right access at the right time, and that access is removed after it is no longer needed.
Traditionally, audits have been performed by already overburdened IT departments, often leading to “rubber-stamping” of certifications to meet deadlines and ultimately resulting in failed audits. Today’s IAM governance solutions provide tools that automate this task to a large extent, alleviating some of the burden on IT. They also distribute access responsibility across the organization by placing accountability on users’ managers or application owners who have firsthand knowledge as to whether the user still needs access to critical applications. This function drives down cost and, more importantly, risk. An audit of access certification or attestation campaigns can be scheduled on a regular basis. Additionally, these campaigns can be run in an ad hoc manner based on major events like changing roles or locations within the organization.
All activity that is performed by or on an existing identity is now easily accessible through out-of-the-box reporting, whether regarding current or revoked access privileges. This can help identify user accounts in directories that are not found or correlated with an identity in your identity governance and administration (IGA) tool, as well as accounts that have toxic access combinations violating your organization’s separation-of-duties policies. Beyond compliance reporting, these tools can also provide reporting on the status of assigned tasks in the IGA tool.
Solution experts alleviate the heavy lift
At Sirius, we see identity as a business process built on cutting-edge technology. Through conversations and getting to know your IT and business leadership, we work with you to build out a program that is dynamic and scalable. That includes implementation of scheduled, ad hoc, and event-triggered certifications; discovering the accesses that pose a greater threat to your organization; setting the level of automation and scrutiny accordingly, and bringing any toxic combinations of access to light.
Our goal is to help you get beyond the audits to an environment that can follow a principle of least privilege, giving you the security you need and expect for your employees, contractors, and the organization at large. Let us do the heavy lifting. Talk to your Sirius representative today about our IAM assessment.