There has been an overwhelming number of data breaches and incidents of unlawful access to sensitive information at business organizations and government agencies across the world. The new age of cyber threats has moved well beyond the rogue individual phishing consumers with suspicious emails that ask for a bank account number so that a large sum of money can be deposited from a foreign country. The threat now includes the theft of confidential company and government information by organized groups of highly trained and sophisticated attackers. Often these threats are identified within an organization's own four walls: it has become evident that the most common place a data breach occurs is inside the organization, where employees mistakenly or deliberately access data they are not privileged to access.
These issues have made organizations more aggressive in protecting their sensitive data from intrusion, whether from inside or outside their premises. An example of a global data breach is the massive Panama Papers leak. According to one article on that breach, "Nearly half of companies do not evaluate the risk of vendors before transferring them data, but change may be underway. Law firms report facing more diligent scrutiny of their security capabilities, but all industries should pay attention to the missteps of Mossack Fonseca. The Panamanian firm employed outdated software with critical vulnerabilities, including that for its customer portal". This is where Identity and Access Management policies and initiatives come into play.
Identity and Access Management (IAM) is the security discipline and process of managing who has access to what information, applications and systems within an organization, and for how long. People and other resources within an organization need access to systems and applications in order to be efficient and productive, and that access is usually granted on the basis of role and job function. Role-based access control (RBAC), as part of a holistic IAM initiative, grants access to these resources and individuals through roles that correspond to characteristics such as the individual's job function. The cross-functional process an IAM system provides is to initiate, capture, record and manage user identities and their associated access permissions to the organization's proprietary information and systems; among the things recorded are each user's defined rights, access rights, and the periods during which those rights are active and inactive.
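As an added example (not code from the original post or from any IAM product), the following Python sketches the RBAC idea described above, including the active and inactive periods an IAM record carries for each role assignment, so that entitlements expire instead of accumulating. Role names, permissions, users and dates are all assumed sample data constructed for the example.

```python
"""Added example (not code from the original post or any IAM vendor): a minimal
role-based access control check in which role assignments carry active/inactive
periods. All role names, permissions, users and dates are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# A permission is a (resource, action) pair; a role bundles the permissions
# that one job function needs. Users are never granted permissions directly.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "ap_clerk":    {("invoices", "create"), ("invoices", "read")},
    "ap_approver": {("invoices", "read"), ("invoices", "approve")},
    "helpdesk":    {("directory", "read"), ("passwords", "reset")},
}


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    start: date            # first day the role is active
    end: Optional[date]    # last day the role is active; None means open-ended

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)


@dataclass
class User:
    user_id: str
    assignments: list[RoleAssignment] = field(default_factory=list)
    disabled: bool = False   # set at termination; overrides every role


def effective_permissions(user: User, day: date) -> set[tuple[str, str]]:
    """Union of the permissions of every role active for `user` on `day`.
    A disabled user has no permissions regardless of assignments."""
    if user.disabled:
        return set()
    perms: set[tuple[str, str]] = set()
    for assignment in user.assignments:
        if assignment.active_on(day):
            # An unknown role contributes nothing rather than raising: deny by default.
            perms |= ROLE_PERMISSIONS.get(assignment.role, set())
    return perms


def is_authorized(user: User, resource: str, action: str, day: date) -> bool:
    """Deny by default: access is allowed only through a role active on `day`."""
    return (resource, action) in effective_permissions(user, day)


def demo() -> dict[str, bool]:
    """Constructed scenario: alice moves from AP clerk to AP approver on
    2024-07-01 and keeps the clerk role as backup until 2024-09-30; bob's
    helpdesk assignment is open-ended but his account was disabled on leaving."""
    alice = User("alice", [
        RoleAssignment("ap_clerk", date(2024, 1, 1), date(2024, 9, 30)),
        RoleAssignment("ap_approver", date(2024, 7, 1), None),
    ])
    bob = User("bob", [RoleAssignment("helpdesk", date(2023, 1, 1), None)],
               disabled=True)
    return {
        "alice_create_aug": is_authorized(alice, "invoices", "create", date(2024, 8, 15)),
        "alice_approve_aug": is_authorized(alice, "invoices", "approve", date(2024, 8, 15)),
        "alice_create_oct": is_authorized(alice, "invoices", "create", date(2024, 10, 1)),
        "alice_approve_oct": is_authorized(alice, "invoices", "approve", date(2024, 10, 1)),
        "alice_reset_pw": is_authorized(alice, "passwords", "reset", date(2024, 8, 15)),
        "bob_read_dir": is_authorized(bob, "directory", "read", date(2024, 8, 15)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Two things are worth noticing in the scenario. During the hand-over period alice can both create and approve invoices; that overlap is exactly the kind of combination a segregation-of-duties rule exists to catch. And the end date on the old clerk role is what eventually removes that right without anyone having to remember to ask IT for it, while the disabled flag on bob's account overrides an assignment that would otherwise never expire.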
Identity and access management was not a top priority for many organizations, nor was it systematically organized across platforms, until recent years. Although many executives view IAM as an Information Technology (IT) function, the process affects every business unit in an organization. The IAM system is a centralized database of users and access rights, integrated with many different target systems, and those users may extend well beyond corporate employees: for instance, vendors, customers, floor machines, generic administrator accounts and electronic physical access badges. Businesses are undergoing an ongoing transformation in information security, and in light of this, a best practice for an enterprise is to implement an IAM solution that handles the creation and management of connected devices and information as well as users' access to, and authentication into, internal and external applications, databases and networks. Identity management can be roughly divided into user rights management, access management and provisioning; however, the core premise remains the same.
The choice between a cloud-based and an on-premise IAM system often depends on the business's strategic goals, which may be a mixture of cost savings and security. Several challenges push businesses toward an effective implementation of either an on-premise or a cloud-based IAM system, and for many organizations this is as much a compliance decision as a business decision. Many still believe that on-premise solutions provide greater security and control, and, realistically, that is often the path of least resistance for a large enterprise with the resources to manage the operation and integration. On the other hand, cloud solutions offer immediate cost savings, faster implementation, easy scalability and much greater flexibility. There is no single right answer; many solutions are offered both in the cloud and on-premise, as well as hybrids of the two, which may be the best way to get something in place sooner rather than later. With or without an IAM system there is always a weakest link, one that can lead to risks that are not easily mitigated. Among those risks are:
- Lack of Regulatory Compliance.
Corporate governance and data privacy protection depend on strong security over applications and IT infrastructure. Without it, internal controls cannot be relied upon and regulatory compliance cannot be assured. One weakness of manual user administration is that people are not consistent; they make mistakes. As a result, security administrators cannot be expected to reliably enforce standards for what access rights users should have. Regulations such as the Sarbanes-Oxley Act (SOX) and HIPAA have significantly affected organizations worldwide, and organizations must be able to provide auditable evidence that their controls are in place and effective. Section 404 of Sarbanes-Oxley specifically requires management to assess the effectiveness of internal controls on an annual basis. Organizations should therefore inspect every access request automatically to check whether it violates any business rule: for example, a request should not create a violation of Segregation of Duties (SoD) rules, nor should it specify an invalid department or location code. Periodically inviting managers and application owners to review the users and security entitlements within their scope of authority, and flagging inappropriate entries for removal, should be an ongoing activity if a company wants to strengthen its regulatory compliance initiatives. A user awareness program should also be considered, to ensure that all users understand what the system is, what it is intended to accomplish, where to find it and how to use it.
- Information Security Risk.
If an organization fails to deactivate the access rights of a departed user, that user, or an intruder impersonating them, can abuse the infrastructure or compromise sensitive data. In many organizations the removal of a digital identity's access rights can take several weeks, if not months. That presents an unacceptable risk, especially if the individual can keep accessing company systems and resources during the removal period, so access termination must be quick in order to minimize the window available for such abuse. The difficulty of modeling complex, heterogeneous entitlements is compounded by the fact that users accumulate entitlements over time but rarely ask IT to terminate old, unneeded rights. Moreover, after a change in responsibilities it is hard to predict when a user will stop acting as a backup for their old job, and so when the old entitlements can safely be deactivated. Nor is it enough to deactivate a departed user's login IDs on the major systems: every access right, on every system, should be revoked, to eliminate the possibility of abuse from inside the network.
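The two controls described in this section and under regulatory compliance above, automatic inspection of an access request against business rules (segregation of duties, valid department and location codes) and the revocation of every right a departed user still holds on every system, can both be driven from one entitlement inventory. The following Python is an added example written for this page, not code from the original post or from any IAM product; the SoD rules, department and location codes, HR roster, target systems and account states are all constructed sample data.

```python
"""Added example (not code from the original post or any IAM product): two
automated controls over one constructed entitlement inventory.
  1. validate_request(): reject an access request before it reaches an
     approver if it would create a segregation-of-duties (SoD) conflict or
     carries an invalid department/location code.
  2. find_orphaned_access(): reconcile per-system account lists against the
     HR roster to find rights that survived a departure or were never tied
     to a known identity.
Rule sets, codes, user ids and system names are all constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass

# Pairs of entitlements that no single identity may hold at the same time.
SOD_RULES = [
    ("erp:vendor.create", "erp:payment.release"),
    ("erp:invoice.create", "erp:invoice.approve"),
]
VALID_DEPARTMENTS = {"FIN", "ENG", "OPS"}
VALID_LOCATIONS = {"NYC", "LON", "SIN"}


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    entitlement: str   # the right being requested
    department: str
    location: str


def validate_request(req: AccessRequest, current: set[str]) -> list[str]:
    """Return the business-rule violations a request would cause, given the
    entitlements the requester already holds. An empty list means the request
    may proceed to the human authorizer."""
    problems: list[str] = []
    if req.department not in VALID_DEPARTMENTS:
        problems.append(f"invalid department code {req.department!r}")
    if req.location not in VALID_LOCATIONS:
        problems.append(f"invalid location code {req.location!r}")
    would_hold = current | {req.entitlement}
    for left, right in SOD_RULES:
        # Only flag conflicts this request introduces, not pre-existing ones.
        if req.entitlement in (left, right) and {left, right} <= would_hold:
            problems.append(f"SoD conflict: {left} and {right} may not be held together")
    return problems


# Authoritative list of current workers (from HR) and the accounts each target
# system reports. Constructed sample: bob has left and only his directory login
# was disabled; dave has an account that no HR record explains.
HR_ACTIVE = {"alice", "carol"}
SYSTEM_ACCOUNTS = {
    "active_directory": {"alice": "enabled", "bob": "disabled", "carol": "enabled"},
    "vpn":              {"alice": "enabled", "bob": "enabled"},
    "erp":              {"alice": "enabled", "bob": "enabled", "carol": "enabled"},
    "file_share":       {"bob": "enabled", "dave": "enabled"},
}


def find_orphaned_access(hr_active: set[str],
                         system_accounts: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Map each identity that HR does not list as active to the systems where
    it still has an enabled account. These are the rights a deprovisioning
    job must revoke; a disabled directory login on its own is not enough."""
    orphans: dict[str, list[str]] = {}
    for system, accounts in system_accounts.items():
        for user_id, state in accounts.items():
            if state == "enabled" and user_id not in hr_active:
                orphans.setdefault(user_id, []).append(system)
    return {user_id: sorted(systems) for user_id, systems in orphans.items()}


if __name__ == "__main__":
    req = AccessRequest("alice", "erp:payment.release", "FIN", "NYC")
    print(validate_request(req, {"erp:vendor.create"}))
    print(find_orphaned_access(HR_ACTIVE, SYSTEM_ACCOUNTS))
```

Run against the sample data, the request check refuses to let a user who can already create vendors also release payments, and the reconciliation reports that bob still has enabled accounts on the VPN, the ERP and the file share even though his directory login is disabled, which is precisely the gap the paragraph above warns about. The same join between the HR roster and per-system inventories also surfaces accounts such as dave's that belong to no known identity, a common leftover from contractors or shared accounts created outside the standard process.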
- IT Operating and Development Overheads.
Consider the number of credentials an employee is typically given: one username and password for the desktop, different usernames and passwords for other systems, multiplied by frequently expiring passwords. Credential maintenance becomes overly complex and unreasonably costly in departmental overhead, and it often results in employees writing their many passwords down in an attempt to remember them. A notepad full of passwords can be lost or stolen, and that alone can become a security breach. Wouldn't it be better if we each had one login credential for all our office systems and applications? The common answer is yes. The benefits of single sign-on (SSO) are compelling: less password fatigue from juggling username and password combinations, less time spent re-entering passwords for the same identity, and lower IT costs because the help desk receives fewer password calls. One credential that opens everything is also a more valuable target, so SSO should be paired with strong authentication, such as multi-factor authentication, and with prompt deprovisioning when a user leaves.
- Ineffective Systems Access Control.
Users typically require access rights that span multiple systems. A new user may need a network login, an e-mail mailbox, firewall access and login rights to multiple applications, and these accounts are typically created by different administrators using different tools. High-value, high-risk employees and contractors often have unique access needs that standard role templates do not cover, so they are usually not well served by the process. Some people in the organization bypass the defined processes and protocols to get their requests implemented faster, often by calling a helpful friend in IT rather than going through the standard IAM process, and this undermines effective control of system access across the organization. For an organization to control user access effectively, the following questions must be answered: How will each type of access request be validated? Who are the appropriate authorizers for each type of request? What is the expected response time from authorizers? What parts of a request are authorizers allowed to see? What parts of a request are authorizers allowed to modify? Once these questions are answered and measures are in place to control the variations, a sounder and more secure access control environment can be created.
Organizations have long faced the complex problem of managing identities and credentials for their technology resources. What used to be a simple issue confined within the walls of the data center has become a growing and exponentially more complex problem for organizations of all sizes. To mitigate some of that complexity, an IAM implementation should not be limited to the problems of today but should gauge future needs, especially if the business is poised to expand its processes. Ask simple questions: is the solution simple to implement across disparate systems? Is it scalable? Is it well supported with fixes, updates and new releases? Will it be developer-friendly and cost-effective for the duration of its deployment? Even the simplest things matter; for example, you would not buy a solution offered only in English when you plan to open an office in China in two years. A holistic approach and a strategic implementation should always be part of management's decision-making, not compliance considerations alone.
Acknowledgement: Some content in this blog is drawn from the Global Technology Audit Guide (GTAG) "Identity and Access Management".