Identity and Access Management (IAM) sits at the heart of what many cybersecurity professionals believe as the modern security thinking, primarily because Identities themselves are considered as the new security perimeter, certainly from the perspective of a “Zero Trust” model. There is also increasing emphasis within standards requirements such as ISO27001:2013, which dedicates an entire section (A.9) to the subject. Yet, there is much confusion as to how it works and should be implemented, particularly from the perspective of an existing enterprise environment.
Many businesses spend a lot of money solutionizing IAM only to end up with something that fails to meet expectations. The actual solution lays in understanding what it’s trying to achieve and the nature of identities or to be more precise digital identities. IAM is not a product or solution, it is a framework, a principle and to implement it effectively needs an understating of some key fundamentals. A digital identity is just a set of attributes used to represent an external entity, aka a real person and IAM is fundamentally about managing that identity from a what, why, how, who, where and when perspective, with specific emphasis on the ‘who’ are they and are they allowed in (authentication), ‘what’ are they allowed to do once in (authorization).
Understanding business goals and objectives
Like most things cybersecurity, it’s about people, processes, and technology in the form of business processes, roles, and assets. Typically the most common manifestation of IAM is through RBAC (Role-based Access Control). The key to understanding this is firstly to understand the business goals and objectives because of the business functions by way of a set of business processes, which in most cases require people and assets (logical as well as physical). It is the relationship between these three that is the key to RBAC because the person (identity) performs a role required by one or more business processes, which require that the role has a specific level of access privileges to one or more assets, required by the processes. To be effective this requires clearly defined and understood business processes, roles & responsibilities, and assets. It is also important to note that processes and assets both require owners, who decide what privileges are allowed within each.
And this is where we can run into problems. The challenge for many businesses is knowing where to start without trying to boil the ocean or being tempted into cyber-bling sprawl by the inflated promises of vendors. It’s a business problem that needs to be addressed objectively from the business perspective, has a clear objective of what you want to achieve from an IAM capability within the risk context of the business goals and objectives.
“IAM is not a product or solution, it is a framework, a principle and to implement it effectively needs an understating of some key fundamentals”
It’s important to prioritize critical processes, roles, and assets and adopting a recognized methodology such as the SABSA framework will help guide a strategy to identify these. It also requires support and buy-in from the whole business and particularly from HR, because from a process perspective, if you are going to start anywhere it’s the JML (Joiner, Mover Leaver) processes. These sit at the core of an IAM capability, and typically are the domain of HR who own the digital identities themselves and are the business function where the identity lifecycle starts and ends. Identities are connected to the assets by way of the business processes, so an initial approach would be to identify your crown jewels, those critical information assets you want to protect most, and build prioritization around the processes that act upon them and the roles(and their identities) that are required by the process.
Smarter use of functionality
From a technology perspective, many companies with tight budgets do not need to buy in special tools to affect IAM, remember it’s a framework and much of it can be achieved with a smarter use of functionality that is inherent within existing systems or tools, Active Directory for example. It depends on how deep you need to go. For example, if your risk profile requires that you need 802.1X network access control, then you may think about solutions such as Cisco Systems’s ISE (Identity Services Engine). If you use cloud services, you may need to look at Identity Federation and Cloud Access Security Bokder (CASB).
For larger enterprises with a complex and diverse infrastructure and a high threat profile, where for example a hybrid RBAC/ABAC (Attribute-Based Access Control) model is required, is when IAM specific solutions come into play.
IAM now extends well beyond the confines of just logging into and accessing files within a corporate network. The construction industry has mechanical excavators that are started with a thumbprint and PIN code. Through IAM, the system confirms the operator’s identity and that they are trained, licensed and authorized to operate that particular unit on that site at that particular time, before starting. Once running, the system will track how long the unit is in operation, feedback on the operator’s performance and ensure they are taking appropriate breaks, and implement a controlled shutdown if necessary.
It’s impossible to discuss IAM in just a few pages, there indeed many large books on the subject, but to summarize, IAM is a framework, with many solutions, which are decided by the business needs, and when planning IAM the first rule is begin with the end in mind’, what is it you are trying to achieve, once you get that right, you are halfway there.