Identity and Access Management: Access Control Tools and IAM Procedures
This is the third in a multi-part series of articles on Identity and Access Management (IAM). In the first installment, we presented an overview of IAM and its historical background. In the second article we covered policies, tools, and procedures for user authentication. In this post, we’ll discuss the basics of Access Management, the “AM” of IAM, as well as the importance of proper procedures to support IAM deployments.
Identity and Access Management enables people who need access to certain data to get it, while preventing others who do not need the data for their work from doing the same.
Access management can refer to physical controls via locked doors, keys, card keys, and so on. But in this article, we focus on virtual access – specifically, managing access to data on a network.
The first step for managing access is to positively identify the individual who wants it -- a process known as authentication. Once a user has been authenticated, authorization is next: We know who this user is, but are they permitted to access the information they’re requesting?
Access Control Schemes
Logical structures that can be used to limit access to information to only authorized users include role-based, discretionary, mandatory, and attribute-based forms of access control.
Role-Based Access Control (RBAC)
In a business setting, the need to access different types of information is often a function of a person’s role in the company: executives, engineers, and accountants each need access to different kinds of data. Some small companies set privileges on an individual basis – each time someone is hired, their access is authorized for the information they need. For larger companies this is unwieldy. Instead, access profiles are established for each specific role in the organization, and when someone is hired, they are given the access that goes with their role. Software tools are available to help administer RBAC, which is the most common form of access control today.
The National Institute of Standards and Technology (NIST) has an RBAC model with four increasingly sophisticated levels: flat, hierarchical, constrained, and symmetric. The purpose of the model is to encourage development and use of RBAC.
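The following is an added example, not code from the original article, showing all four NIST levels in one small evaluator: users hold roles (flat), a senior role inherits a junior role's permissions (hierarchical), a separation-of-duty pair blocks one person from both creating and approving invoices (constrained), and a permission-role review answers "which roles confer this permission?" (symmetric). The roles, permissions and user names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Rbac:
    role_perms: dict = field(default_factory=dict)  # role -> permissions granted directly
    parents: dict = field(default_factory=dict)     # role -> junior roles it inherits from
    user_roles: dict = field(default_factory=dict)  # user -> assigned roles
    sod: set = field(default_factory=set)           # mutually exclusive role pairs

    def effective_perms(self, role):
        """Hierarchical RBAC: a senior role inherits every junior role's permissions."""
        seen, stack, perms = set(), [role], set()
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                perms |= self.role_perms.get(r, set())
                stack.extend(self.parents.get(r, ()))
        return perms

    def assign(self, user, role):
        """Constrained RBAC: refuse an assignment that breaks a separation-of-duty pair."""
        for held in self.user_roles.get(user, set()):
            if frozenset((held, role)) in self.sod:
                raise ValueError(f"{user} holds {held}; cannot also hold {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def is_allowed(self, user, perm):  # flat RBAC: any held role that permits it suffices
        return any(perm in self.effective_perms(r) for r in self.user_roles.get(user, ()))

    def roles_with(self, perm):
        """Symmetric RBAC: permission-role review, i.e. which roles confer a permission."""
        return {r for r in self.role_perms if perm in self.effective_perms(r)}

def demo():
    """Constructed example: a new hire receives the access profile of their role."""
    rbac = Rbac(role_perms={"employee": {"read:handbook"}, "accountant": {"create:invoice"},
                            "controller": {"approve:invoice"}},
                parents={"accountant": ["employee"], "controller": ["employee"]},
                sod={frozenset(("accountant", "controller"))})  # no one both creates and approves
    rbac.assign("alice", "accountant")
    try:
        rbac.assign("alice", "controller")  # would let alice approve her own invoices
        sod_blocked = False
    except ValueError:
        sod_blocked = True
    return {"alice_reads_handbook": rbac.is_allowed("alice", "read:handbook"),  # inherited
            "alice_approves": rbac.is_allowed("alice", "approve:invoice"),
            "sod_blocked": sod_blocked,
            "approvers": rbac.roles_with("approve:invoice")}
```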
Discretionary Access Control (DAC)
With discretionary access control, control over who can access a given piece of data can be pushed down to the level of the owner of a data resource. Lack of centralized control can result in inconsistencies across an organization, and if a particular resource owner isn’t sufficiently strict, the firm’s data security could be compromised.
Mandatory Access Control (MAC)
MAC is a rules-based approach to access management that is often used in government or military settings. Access is granted or denied based on centrally-set policies and rules, which are applied to each user on an individual basis.
Attribute-Based Access Control (ABAC)
Attribute-based access control is more dynamic than other types of access control, taking into account factors beyond just the identity of the user. For example, users may be granted access only during certain times of the day, or from certain devices or IP addresses.
ABAC is more complex to set up and maintain than RBAC since many different attributes of interest must be defined and specified. Its primary benefit is that it makes it easier to fine-tune access for individuals without having to create new roles.
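As an added illustration (not code from the article), the small deny-by-default policy engine below evaluates requests against attributes of the subject, the resource and the environment, including the time-of-day and source-address conditions mentioned above; the departments, address ranges, business hours and requests are all constructed for the example.

```python
import ipaddress
from datetime import time

def in_hours(env, start=time(7, 0), end=time(19, 0)):
    """Environment attribute: is the request inside business hours?"""
    return start <= env["time"] <= end

def from_corp_net(env, nets=("10.0.0.0/8", "192.168.1.0/24")):
    """Environment attribute: does the request originate from the corporate address space?"""
    ip = ipaddress.ip_address(env["src_ip"])
    return any(ip in ipaddress.ip_network(n) for n in nets)

def rule_finance_reports(subj, res, env):
    """Finance staff may read finance reports, but only in hours and from the corporate network."""
    return (subj["dept"] == "finance" and res["type"] == "report"
            and res["owner_dept"] == "finance" and env["action"] == "read"
            and in_hours(env) and from_corp_net(env))

def rule_own_documents(subj, res, env):
    """Anyone may read or update a resource they own, at any time, from a managed device."""
    return (res["owner"] == subj["id"] and env["action"] in ("read", "update")
            and env["device_managed"])

POLICY = [rule_finance_reports, rule_own_documents]

def decide(subj, res, env):
    """Deny by default: return the name of the first rule that grants access, or None."""
    for rule in POLICY:
        if rule(subj, res, env):
            return rule.__name__
    return None

def demo():
    """Constructed requests: same user and resource, different environment attributes."""
    alice = {"id": "alice", "dept": "finance"}
    carol = {"id": "carol", "dept": "finance"}
    report = {"type": "report", "owner": "carol", "owner_dept": "finance"}
    office = {"action": "read", "time": time(10, 30), "src_ip": "10.4.2.7", "device_managed": True}
    late_home = {"action": "read", "time": time(23, 15), "src_ip": "203.0.113.9",
                 "device_managed": True}
    return {"alice_office": decide(alice, report, office),        # finance rule matches
            "alice_late_home": decide(alice, report, late_home),  # outside hours, off-net: denied
            "carol_own_late": decide(carol, report, late_home)}   # ownership rule still applies
```

Note that tightening the finance rule to a new time window or address range changes one condition, with no new role to create or assign.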
Privileged Access Management (PAM)
Privileged Access Management (PAM) is also called Privileged Identity Management (PIM) or just “privileged management.” “Privilege” indicates that specific users have “privileges” to access more data than standard users. Privileged users, such as admins, pose particular security risks because they generally have much broader access and have the ability to alter files that are locked to normal users. If a privileged user account is hacked, the consequences can be dire.
PAM solutions aim to limit privileged access to what’s needed for the task at hand. Different PAM solutions take different approaches to securing privileged accounts. One technique is to create temporary privileged users only on a per-session basis, so that hacked credentials can’t be used later.
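The broker below is an added example of that per-session technique, not code from the article or from any PAM product: a privileged credential is minted at check-out for one session, stored only as a hash, expires on its own, and is revoked at check-in, so a copy taken during the session is useless afterwards. The user, session identifiers, timestamp and TTL are constructed for illustration, and session binding is simplified to a session-id check.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class Grant:
    user: str
    session_id: str    # the credential only works from the session it was issued to
    expires_at: float  # epoch seconds; past this the credential is dead even if it leaked
    secret_hash: str   # the broker stores only a hash of the credential it issued

class PrivilegeBroker:
    """Per-session privileged credentials: minted on check-out, auto-expiring, revoked on check-in."""
    def __init__(self):
        self._grants = {}  # grant id -> Grant

    @staticmethod
    def _hash(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def checkout(self, user, session_id, now, ttl_seconds=900):
        """Mint a fresh credential for this user's session; returns (grant_id, secret)."""
        secret = secrets.token_urlsafe(32)
        grant_id = secrets.token_hex(8)
        self._grants[grant_id] = Grant(user, session_id, now + ttl_seconds, self._hash(secret))
        return grant_id, secret

    def authorize(self, grant_id, secret, session_id, now):
        """Allow only an unexpired, unrevoked credential presented from its own session."""
        g = self._grants.get(grant_id)
        if g is None or now >= g.expires_at or g.session_id != session_id:
            return False
        return secrets.compare_digest(g.secret_hash, self._hash(secret))

    def checkin(self, grant_id):
        """Revoke as soon as the privileged task is finished."""
        self._grants.pop(grant_id, None)

def demo():
    """Constructed scenario: one check-out, then the ways a copied credential fails later."""
    broker = PrivilegeBroker()
    t0 = 1_700_000_000.0  # constructed timestamp (epoch seconds)
    gid, secret = broker.checkout("admin-alice", "sess-A", now=t0, ttl_seconds=600)
    results = {"own_session": broker.authorize(gid, secret, "sess-A", now=t0 + 60),
               "other_session": broker.authorize(gid, secret, "sess-B", now=t0 + 60),
               "after_expiry": broker.authorize(gid, secret, "sess-A", now=t0 + 601),
               "wrong_secret": broker.authorize(gid, "not-the-secret", "sess-A", now=t0 + 60)}
    broker.checkin(gid)
    results["after_checkin"] = broker.authorize(gid, secret, "sess-A", now=t0 + 60)
    return results
```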
Single Sign-On (SSO)
With SSO, once a user is logged into a system, they are granted access to other systems they’re permitted to access, without needing to sign in or provide passwords. For example, a company may have separate systems that would normally require separate logins, such as the HR system, financial management system, email, instant messenger and so on. With SSO, once the user is logged in, they don’t need to log in separately to each other system. Instead, after the initial login, they’re automatically authorized by the SSO system to access all other apps and systems.
For password-protected systems, users are the weakest link. Loaded with too many passwords, they tend to get sloppy or lazy and reuse passwords, fail to change them periodically, or choose simple, easy-to-remember and easy-to-hack passwords. The security benefit of SSO is that since it reduces the number of passwords each user must manage, they are more able to remember one that is stronger and more secure.
SSO offers other benefits as well. It lowers costs by reducing help desk calls for password resets. It also provides a much more streamlined and pleasant experience for the users.
Most people are familiar with SSO, although they might not recognize the term. Google, for instance, uses SSO extensively. Once a user logs in to their Google account, they have access to all of the Google services that they use -- Gmail, Google Drive, Photos, and so on. Without SSO, each of these separate apps would require a separate logon. Want to learn more about SSO? See “What Extending Single Sign-On (SSO) to Remote Desktops Means for Cloud Migration” for more info.
Most businesses have employees, service providers or other users who access network resources from outside the physical premises of the company. Such remote access entails special security concerns, which should be considered as a part of a company’s overall IAM strategy.
Virtual computing solutions are among the best ways to secure remote access. Read more about how they do so in “Virtual Computing as a Security Solution.”
Along with putting appropriate IAM tools in place, organizations must establish procedures to ensure that the tools are used in compliance with the organization’s own policies.
These procedures should cover creating new accounts; determining which resources can be accessed by different types of users or individuals; password hygiene requirements; tracking compliance; monitoring issues; and so on. It’s important to keep in mind that even the most robust tools can be ineffective if procedures governing their use are lax.
Cybercrime poses a huge risk and creates ongoing headaches for businesses, not-for-profit organizations, and government agencies. According to Cybersecurity Ventures, cybercrime cost $3 trillion in 2015. Look again -- that’s trillion, not billion. And it’s forecast to double to $6 trillion by 2021. Of course, no one really knows the scale of cybercrime: another estimate, from Web of Profit, puts the cost in 2018 at $1.5 trillion. Better -- but still more than the combined revenues of WalMart, Google, Facebook, Amazon, and Apple.
Getting hacked can cost a company dearly. Small and medium-size companies have been forced to shut their doors or declare bankruptcy after falling victim to cybercrime.
A systematic approach to Identity and Access Management is one of the most powerful tools for preventing your organization from becoming a cybercrime victim, and one that every sizable organization should explore.
Stay tuned for our next article, where we’ll discuss enterprise-scale best practices for IAM.