Best Practices in Enterprise Identity and Access Management
This is the fourth article in a mini-series on Identity and Access Management, IAM. In the first installment we provided an introduction with historical background and the fundamentals of modern IAM. In part two, we focused on user authentication. The third article covers “access,” managing which assets an authenticated user can access. In this fourth article in the series, we’ll look at best practices for enterprise-scale IAM.
Identity and Access Management (IAM) – controlling who has access to what data on your corporate network – is the crucial first line of defense in your overall cybersecurity plan.
The first step in implementing best practices for IAM is to be aware of your needs. There is no “one size fits all” solution. A small business with limited amounts of sensitive information does not need the same type of IAM as a bank, medical center or a government agency.
In this article, we focus on IAM for enterprise-scale organizations – organizations that are large, complex, and have many employees and other users who need to access different resources.
Centralizing IAM is the only effective way to make sure that it is applied consistently throughout an organization. Having different divisions, departments, or locations manage IAM on their own makes it difficult to ensure that policies and procedures are consistently applied, and creates many opportunities for system failure. Under decentralized IAM, if a user moves from one department to another, their access might not be closed out in the old department, leaving an “orphan” account that could be vulnerable to hijacking. People tend to be very diligent about getting access to the new data they need, but are less attentive to giving up access to information they no longer need.
Implement Strong Identity Controls
Our previous article about user authentication has lots of valuable details about identity controls. But for the sake of completeness, these are a few of the most important best practices:
- Require strong passwords that must be regularly changed
- Implement multi-factor authentication
- Consider making biometric authentication one of the multi-factors.
Just as you wouldn’t settle for a flimsy door with an easy-to-circumvent lock to protect your physical plant, weak passwords shouldn’t be the only protection for your intangible assets.
Role-Based Access Control and Principle of Least Privilege
As described in depth in our Access Control post, for most corporations Role-Based Access Control (RBAC) is the method of choice. People who have a particular role in the organization, such as “Human Resources Specialist,” need access to specific, relevant types of information. Everyone in a given role is automatically granted access to the resources essential to that role.
The Principle of Least Privilege, a more restrictive approach, is similar to what the military or intelligence communities would call “need to know.” Under this policy, users should have no access to any information that isn’t strictly needed to get their job done.
Even with strong policies and procedures in place, human error is inevitable. Someone will leave the company and their user account will not be deleted. Someone will change roles within the company, yet still have access to sensitive information that was relevant for their old position but is not for their new one.
It’s important to periodically scan for users who are no longer active to avoid “orphan accounts.” It’s also important to periodically review permissions; in an organization using RBAC you should audit both which information a particular role actually needs (needs change over time) and whether each employee is assigned to the proper role.
Many modern IAM systems can automate the onboarding process, so that when an employee is added to the HR system, a user account is created automatically, with the proper role assigned to enable immediate access to the information they need to do their job. Of course, there will always be occasions when some manual intervention is needed, such as when an employee is assigned to a project in another department and needs to access additional resources. But automating what can be automated ensures that policies will be implemented quickly and consistently.
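The review and onboarding steps above (orphan accounts, stale roles, over-broad grants, automatic provisioning from the HR system) come down to reconciling two data sources. The following is an added example, not code from the original article or from any IAM product: it reconciles a constructed HR roster against constructed directory accounts under a constructed role-to-permission map. All class, function and field names (HrRecord, DirectoryAccount, ROLE_PERMISSIONS, audit, provision_account) are hypothetical.

```python
"""Reconcile an HR roster with directory accounts under RBAC.

Added example, not code from the original article. The HR records,
directory accounts and role-permission map are constructed sample data;
every function and field name here is hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Which permissions each role legitimately needs (constructed sample map).
ROLE_PERMISSIONS = {
    "hr_specialist": {"read:employee_records", "write:employee_records"},
    "engineer": {"read:source", "write:source"},
    "finance_analyst": {"read:ledger"},
}


@dataclass
class HrRecord:
    employee_id: str
    role: str
    active: bool


@dataclass
class DirectoryAccount:
    employee_id: str
    username: str
    roles: set
    direct_permissions: set = field(default_factory=set)
    last_login: Optional[date] = None


def effective_permissions(account):
    """Permissions an account actually holds: role grants plus direct grants."""
    perms = set(account.direct_permissions)
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def provision_account(record, username):
    """Automated onboarding: a new account gets exactly the HR role, nothing more."""
    return DirectoryAccount(record.employee_id, username, {record.role})


def audit(hr_records, accounts, today, dormant_after=timedelta(days=90)):
    """Return sorted (finding, subject) pairs for orphan, dormant, drifted
    and over-privileged accounts, plus active employees with no account."""
    findings = []
    hr_by_id = {r.employee_id: r for r in hr_records}
    seen = set()
    for acct in accounts:
        seen.add(acct.employee_id)
        rec = hr_by_id.get(acct.employee_id)
        # Orphan: no HR record, or the person has left but the account remains.
        if rec is None or not rec.active:
            findings.append(("orphan_account", acct.username))
            continue
        # Dormant: an active employee who has not signed in for a long time.
        if acct.last_login is None or today - acct.last_login > dormant_after:
            findings.append(("dormant_account", acct.username))
        # Role drift: roles left over from a previous position, or the
        # current HR role never assigned.
        for stale in sorted(acct.roles - {rec.role}):
            findings.append(("stale_role:" + stale, acct.username))
        if rec.role not in acct.roles:
            findings.append(("missing_role:" + rec.role, acct.username))
        # Least privilege: direct grants beyond what the HR role needs.
        needed = ROLE_PERMISSIONS.get(rec.role, set())
        for extra in sorted(acct.direct_permissions - needed):
            findings.append(("excess_permission:" + extra, acct.username))
    # Active employees with no account at all should be provisioned automatically.
    for rec in hr_records:
        if rec.active and rec.employee_id not in seen:
            findings.append(("unprovisioned", rec.employee_id))
    return sorted(findings)


# Constructed sample data: one clean account, one employee who changed
# departments, one leaver whose account survived, and one new hire.
TODAY = date(2024, 6, 1)
HR = [
    HrRecord("e1", "hr_specialist", True),
    HrRecord("e2", "engineer", True),          # moved from finance to engineering
    HrRecord("e3", "finance_analyst", False),  # left the company
    HrRecord("e4", "engineer", True),          # hired, no account yet
]
ACCOUNTS = [
    DirectoryAccount("e1", "alice", {"hr_specialist"}, last_login=date(2024, 5, 30)),
    DirectoryAccount("e2", "bob", {"engineer", "finance_analyst"},
                     direct_permissions={"read:ledger", "read:source"},
                     last_login=date(2024, 1, 2)),
    DirectoryAccount("e3", "carol", {"finance_analyst"}, last_login=date(2024, 2, 1)),
]


def run_audit():
    return audit(HR, ACCOUNTS, TODAY)


def onboard_example():
    """Provision the new hire and show the permissions the role alone confers."""
    return sorted(effective_permissions(provision_account(HR[3], "dave")))


if __name__ == "__main__":
    for finding, subject in run_audit():
        print(f"{finding:40} {subject}")
    print("new hire permissions:", onboard_example())
```

Running the audit flags bob's leftover finance role and his direct ledger grant (the read:source grant is not flagged because his current role already needs it), carol's orphan account, and the unprovisioned new hire; the onboarding path gives the new hire only what the engineer role needs. In a real deployment the HR and directory inputs would come from the HR system's export and the directory's API rather than inline literals, and findings would feed a ticket or a deprovisioning workflow.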
Eliminate or Isolate High-Risk Applications
All software applications eventually reach “end-of-life” (EOL), the point at which the vendor no longer provides updates or patches for the software. An application that is no longer supported can be a real security risk: if a vulnerability is found in the software, it’s available for hackers to exploit, with no one providing fixes to stop them. The preferred alternative is to switch over from discontinued software to software that’s supported. If for whatever reason that’s not practical, running EOL applications in a secure, isolated environment is advisable, as described in our article on coping with Windows 7 EOL.
Implement a Zero Trust Approach
Zero Trust means no one – not even the CEO – has completely unlimited access. Every user, every email, every website visited is treated as suspicious. If this seems a little paranoid, well, maybe it is. But paranoia is essential in today’s cyber space, which is truly filled with malicious agents who are out to get you! After all, if an account of a user who has unlimited access is violated, you’ve lost your most valuable corporate assets.
In the old model, your network was like a medieval fortress. Strong walls to keep outsiders out, but relatively free access within. In the new model, the king in the fortress has become (legitimately) paranoid. He has strong walls, a moat, and a drawbridge to keep outsiders away. Now, within his castle walls, there are many more locked rooms and guards, and people are granted access only to the particular parts of the fortress where they have business being.
Zero Trust can also help prevent or vastly slow “trusted insider” attacks, when hacking is done by an employee or other authorized user. Of course, to protect your organization, Zero Trust philosophy must be extended beyond IAM to the websites your employees visit, since web-based malware is a huge security risk. As such, Remote Browser Isolation is an important part of an overall Zero Trust security landscape.
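The difference between the fortress model and Zero Trust is easiest to see as two access-decision functions evaluated on the same requests. The following is an added example, not code from the original article: the perimeter version grants access to anyone already on the internal network, while the Zero Trust version ignores network location and requires a verified identity, a managed device and an explicit role grant for every request, so the insider case and the "unlimited" executive case are both denied. The Request fields, the RESOURCE_ROLES table and the sample requests are constructed and hypothetical.

```python
"""Per-request access decisions: perimeter model versus Zero Trust.

Added example, not code from the original article. Request fields, the
resource policy table and all helper names are hypothetical.
"""
from dataclasses import dataclass

# Resource -> roles explicitly allowed to reach it (constructed sample table).
# There is deliberately no wildcard entry: under Zero Trust no role, not even
# an executive one, carries unlimited access.
RESOURCE_ROLES = {
    "payroll_db": {"hr_specialist"},
    "source_repo": {"engineer"},
}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    from_internal_network: bool
    mfa_passed: bool
    device_managed: bool


def perimeter_decision(req):
    """The 'medieval fortress' model: anyone already inside the walls is trusted."""
    return req.from_internal_network


def zero_trust_decision(req):
    """Every request is verified on its own merits; returns (allowed, reasons)."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("mfa_required")
    if not req.device_managed:
        reasons.append("unmanaged_device")
    if req.role not in RESOURCE_ROLES.get(req.resource, set()):
        reasons.append("no_role_grant")
    # Network location is deliberately never consulted: being inside the
    # walls earns nothing, which is what blunts a trusted-insider attack.
    return (not reasons, reasons)


# Constructed sample requests covering the cases the text describes.
SAMPLE_REQUESTS = [
    Request("alice", "hr_specialist", "payroll_db", True, True, True),
    Request("bob", "engineer", "payroll_db", True, True, True),       # insider reaching beyond role
    Request("carol", "engineer", "source_repo", False, False, True),  # remote, no MFA
    Request("ceo", "executive", "payroll_db", True, True, True),      # senior, but no grant
]


def compare():
    """(user, perimeter allows?, zero trust allows?) for each sample request."""
    return [(r.user, perimeter_decision(r), zero_trust_decision(r)[0])
            for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for user, perimeter, zt in compare():
        print(f"{user:6} perimeter={perimeter!s:5} zero_trust={zt}")
```

The reasons list returned alongside the decision is what a real policy engine would log: it tells the security operations team whether a denial came from a missing factor, an unmanaged device or simply the absence of a grant, which is the signal needed to distinguish a misconfigured role from an account probing beyond its job.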
Choose the Right Software Tools
Every organization has a unique set of needs based on its size, geographic dispersion, data sensitivity, regulatory requirements, competitive stance, budget, and more. All of these factors must be considered when selecting software tools for implementing an IAM solution.
The system that can’t be compromised has not yet been invented, and probably never will be. And the bad guys will continue to make efforts that are directly proportional to the value of what they can steal. Following identity and access management best practices can at least minimize risk and maximize chances of not falling victim to cybercrime.