How to properly implement identity and access management
Identity and access management (IAM) is all about ensuring that the right people have the right access to the right resources and being able to prove that all the access is legitimate. But as those heavily involved in IAM know, that is much easier said than done. There’s a lot that goes into getting all of these elements "right."
First, you must set up the accounts that enable a user to get to the resources they need -- often called provisioning (and its dangerous sister, de-provisioning, when said user no longer needs that access). Second, in order for that account to grant the appropriate access, there has to be a concept of authorization which provides a definition for what is allowed and not allowed with that access. And third, there should be some way to make sure that provisioning and de-provisioning are done securely with efficiency and that the associated authorization is accurate -- i.e. everyone has exactly the access they need, nothing more and nothing less.
Everyone has been provisioning and de-provisioning since we first started networking PCs. As soon as larger numbers of users began using those computers, it forced the need to implement some concept of authorisation. The problem is that the practices that worked so well in these relatively closed networks with relatively few users simply don’t cut it in today’s open (close to boundary-less), fluid and modern network architectures. The result is loads of inefficiency, elevated risk and the potential for catastrophic breaches.
One Identity’s global IAM study
In recent research sponsored by One Identity, the dangers of old-fashioned practices for provisioning and de-provisioning and authorisation were stripped bare before the world. Stated plainly, the practices and technologies that served companies so well in the past simply are inadequate in today’s digitally transformed world.
Some of the key findings gleaned from responses from more than 900 IT-security professionals worldwide showed that 87 percent have dormant accounts and 71 percent were concerned about them. And more than three-quarters of those interviewed have not de-provisioned accounts that are no longer needed, either because users are no longer with the organization or have switched roles. In addition, only a third expressed that they were "very confident" that they even knew which dormant user accounts exist. So not only do they have dangerous entry points into their networks, most people couldn’t even tell you what accounts they were.
For 97 percent of respondents, there exists a process for identifying dormant accounts, but only 19 percent have tools to help find them. In addition, 92 percent report that they regularly check for dormant accounts. This is where there is a disconnect. If the majority have dormant accounts and most have a process to find them, obviously the process is not working. In spite of best efforts (or as I would say old-fashioned de-provisioning practices) the risk is still there.
Organizations inadvertently offer open doors to systems
The risk is not in the fact that there are dormant accounts, the risk is what can be done with those hidden doors into systems and data that resides there. Most high-profile breaches are the result of a bad actor compromising a legitimate user account. That could be gaining access through phishing or social engineering or hunting for and finding a dormant account that the organisation doesn’t even know exists. Once in, a series of lateral moves and rights escalation activities can result in access to those systems and that data that you are trying to protect.
So here’s where the second set of data becomes remarkably intriguing. When the same 900-plus IT security professionals were asked a series of questions about the rights and permissions that their users possess, and revealed that only one in four expressed that they were "very confident" that user rights and permissions are correct. That means that three quarters of our respondents were unsure of the fundamental aspect of access control -- authorization. Any user with excessive rights (rights that are more than necessary to do the job) is an easy path for bad actors to execute those lateral moves they are so good at.
Furthermore, less than 1/3 are "very confident" that users are de-provisioned properly. By properly we mean fully and immediately (only 14 percent of respondents reported that users were de-provisioned immediately upon a change in status). De-provisioning is the process of turning off accounts and revoking rights when they are no longer needed. Poor de-provisioning, either through outdated and cumbersome manual processes or limited tools, is the primary cause of dormant accounts.
In fact, 95 percent reported that while they have a process for de-provisioning, it requires IT intervention. In other words, someone has to put hands on a keyboard to make it happen. Any amount of time that an unneeded account remains “open” is an invitation for disaster as evidenced by so many of the high-visibility breaches over the past several years.
So what can be done? There are many ways to modernise these processes and get IAM right:
Determine a single source of the truth for authorization. Define business roles once and use them everywhere. And most importantly, let the line-of-business be the decision makers here. Many instances of inappropriate rights are simply the by-product of IT doing the best they can with the knowledge they’ve been given. It’s all too common for the line-of-business to ask IT to "give Joe the same rights as Bill" when there was no oversight into what rights Bill has, how he got them, and whether they are still appropriate for the job he does.
De-provision immediately and completely. Tools exist that can update permissions at the instance status changes in an authoritative data source. For example, as soon as an employee’s status in the HR system switches from active to inactive, that user’s access rights across every system in the enterprise (including cloud-based services) can also be immediately terminated as well -- effectively closing all those doors and eliminating dormant accounts.
Implement identity analytics. A new class of IAM solution called identity analytics will proactively and constantly evaluate your systems to find instances where user rights are out of alignment with what is "right." These technologies quickly find dormant accounts, mis-provisioned accounts, and instances of rights elevation that are often the smoking gun in breach detection and prevention.
Just like the technology companies rely on every day is evolving and the boundaries expanding, the identity and access management practices used to secure access to those systems must evolve as well. As this survey reaffirmed, what worked well a few years ago is almost certainly inadequate given today’s realities. But there is hope; with simple shifts in responsibility, IAM practices and IAM technologies organizations can significantly reduce risk, modernize business and sleep better at night.
Andrew Clarke, EMEA director, One Identity.
Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.