Access management has long been an essential consideration for securing enterprise computing resources, but the events of the past two years have brought its importance to the fore. With increasing cloud adoption, greater mobile device use and, of course, the rapid shift to remote work during the early days of the COVID-19 pandemic, ensuring that user accounts and identities are managed appropriately has become mission-critical.
Historically speaking, organizations first focused their access management efforts on controlling access, be it physical or logical, to resources located at company facilities. In today’s world, things are dramatically different. The prevalence of outsourcing, SaaS, cloud services, and widespread reliance on third-party partners and vendors means that many people need to authenticate to systems outside of their own organization. Additionally, remote work means that large numbers of employees are located outside of physical facilities and offices.
In short, nowadays, identity is everything.
What is identity and access management, and why does it matter?
Analyst firm Gartner defines identity and access management as a “discipline that enables the right individuals to access the right resources at the right times for the right reasons.” The domain of access management encompasses methods of guaranteeing that users are who they say they are and ensuring that they have access to the data and applications they need to get their jobs done.
Poor access management can create major information security and business risks for the entire organization. From a security standpoint, there’s inadequate protection against account compromise. And, if compromised accounts have too many permissions, it may be easy for an attacker to move around the environment while evading detection. If a highly privileged account is compromised, the attacker may gain instant access to confidential, sensitive, or regulated data. In some cases, sloppy provisioning, shoddy change control, or weak recertification processes can cause an organization to lose track of who has access to what.
However, getting identity and access management right can be tricky. As IT environments grow in complexity, it can be challenging to keep roles and permissions straight. There’s a tendency for scope creep, too. It’s common for employees to have appropriate levels of access when they’re onboarded, but to accumulate more and more permissions over time. Often, access is added whenever people shift job roles, but without a review step, permissions are seldom de-provisioned.
Building an access control strategy: key considerations
Every organization should have an identity and access management strategy. This is something that stakeholders should formulate with forethought and care. Don’t just let pre-existing policies lead the way. Your strategy will ensure that you’re getting the basics right and that the systems or processes you’re using are accurate and reliable.
Begin the process of creating an access management strategy by inventorying your data and systems, risk ranking them, and identifying the groups that need access to resources. Ask questions during this inventory and assessment phase, such as:
- What kinds of data access are business-critical?
- Which business functions rely on which types of data?
- What are the appropriate authentication mechanisms to protect access to data and the performance of certain functions?
- How can we standardize and centralize access control activities to maintain control?
Once you’ve completed your inventory, you’ll need to author a policy and set of standards that fits your organization, which govern identification, authentication, authorization, and access reviews. Your identity and access management policies should dictate how you go about provisioning and de-provisioning access to resources, and the routines you will employ to periodically recertify permissions.
Here are BTB’s recommendations for what to include in these processes.
- Use roles or groups. Don’t grant access to resources on an individual basis. Role- or group-based access strategies help with management and consistency, and they make reviews easier.
- Establish a process for recording one-time needs. Because individual exceptions to your policies will sometimes be needed, it’s important to be consistent in how you manage these. Lean on systematic controls to enforce time-based or on-demand access needs. Setting dates when this access automatically expires can inhibit privilege sprawl.
- Centralizing access via single sign-on (SSO) can simplify the de-provisioning process as well as the provisioning process. SSO helps reduce the opportunity for errors and the number of authentication points needing security monitoring.
- Centralize access with an identity management solution. Again, this ensures that your team won’t need to sort through multiple applications and databases each time you need to de-provision access.
- More mature organizations are leveraging automation for provisioning/de-provisioning. Automation simplifies the entire process and makes activities more consistent.
- Good recertification processes are risk-based. It’s unlikely that you’ll have time or resources to review all systems inside your organization’s environment, but by risk-ranking your systems, you can focus your efforts where material risk is involved.
- Build a consistent process and follow it.
- Ensure a good balance between thoroughness and depth. Engaging the right people in the process — those who understand the systems in question — can go a long way when it comes to effectiveness.
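To make the group-based, time-bound and risk-based recommendations above concrete, here is an added example (illustrative code written for this post, not BTB’s tooling or any product’s API). It models access through groups rather than individual grants, records one-time exceptions with a hard expiry that is enforced automatically, and produces a risk-ranked recertification list that flags group memberships left over from a previous job role. The group names, users, permissions and risk ranks are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample catalogue (hypothetical, not from the post). Each group is
# intended for a set of job roles, grants a set of permissions, and carries a
# risk rank (1 = low, 3 = high) taken from the data/system inventory.
GROUPS = {
    "finance-readers": {"roles": {"analyst", "controller"}, "risk": 2,
                        "permissions": {"ledger:read"}},
    "finance-admins":  {"roles": {"controller"}, "risk": 3,
                        "permissions": {"ledger:read", "ledger:write", "payroll:export"}},
    "wiki-editors":    {"roles": {"analyst", "controller", "engineer"}, "risk": 1,
                        "permissions": {"wiki:edit"}},
}


@dataclass
class TimeBoundGrant:
    """A recorded one-time exception: one permission with a hard expiry date."""
    permission: str
    risk: int
    expires: date
    reason: str


@dataclass
class User:
    name: str
    job_role: str                       # the role the user holds today
    groups: set = field(default_factory=set)
    exceptions: list = field(default_factory=list)


def effective_permissions(user, today):
    """Permissions the user actually holds on `today`: group grants plus any
    exception whose expiry has not passed. Expired exceptions drop out on
    their own, so nobody has to remember to revoke them."""
    perms = set()
    for g in user.groups:
        perms |= GROUPS[g]["permissions"]
    for ex in user.exceptions:
        if ex.expires >= today:
            perms.add(ex.permission)
    return perms


def recertification_findings(users, today, min_risk=2):
    """Risk-based review: return (risk, user, finding) tuples for access that
    deserves a human look, highest risk first. Groups and exceptions ranked
    below `min_risk` are skipped so reviewers spend time where it matters."""
    findings = []
    for u in users:
        for g in sorted(u.groups):
            info = GROUPS[g]
            # Sprawl check: a membership kept from a previous job role.
            if info["risk"] >= min_risk and u.job_role not in info["roles"]:
                findings.append((info["risk"], u.name,
                                 f"group {g} not intended for role '{u.job_role}'"))
        for ex in u.exceptions:
            if ex.risk < min_risk:
                continue
            if ex.expires < today:
                findings.append((ex.risk, u.name,
                                 f"exception {ex.permission} expired {ex.expires}, remove record"))
            else:
                findings.append((ex.risk, u.name,
                                 f"exception {ex.permission} active until {ex.expires}: {ex.reason}"))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


# Constructed users. Priya moved from controller to analyst but kept finance-admins,
# and holds an expired exception; Sam has an exception that is still in force.
USERS = [
    User("priya", "analyst", {"finance-readers", "finance-admins", "wiki-editors"},
         [TimeBoundGrant("hr:view-salaries", 3, date(2024, 1, 31), "year-end audit")]),
    User("sam", "engineer", {"wiki-editors"},
         [TimeBoundGrant("ledger:read", 2, date(2024, 6, 30), "cost dashboard build")]),
]

TODAY = date(2024, 3, 1)   # constructed review date

if __name__ == "__main__":
    for u in USERS:
        print(u.name, sorted(effective_permissions(u, TODAY)))
    for risk, who, what in recertification_findings(USERS, TODAY):
        print(f"[risk {risk}] {who}: {what}")
```

Run as a script, it prints each user’s effective permissions (Priya’s expired HR exception is already gone) followed by the findings a reviewer should act on: Priya’s leftover finance-admins membership and her expired exception record at risk 3, then Sam’s active ledger exception at risk 2. Raising `min_risk` narrows the review to the highest-risk systems, which is the risk-based focus the recommendations describe.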
In today’s world, leveraging automation to help you simplify and streamline identity and access management processes no longer has to be a pipe dream for small to midsized organizations. As technologies have matured, costs have come down, which means that even teams with fewer resources now have opportunities to implement access controls they’ve never had before.
Regardless of the technologies that you’re relying on, you’ll need a well-thought-out strategy and well-trained employees to carry it out. If any part of the people-process-technology triad is out of balance, you’ll likely see issues. The best technologies in the world won’t help if you don’t have solid, centralized processes in place, along with people who know how to carry them out. But carefully designed processes — ones that fit the business and its needs — both bolster security and ensure that employees always have the access they need to get their jobs done.
To learn more about how BTB Security can help your organization build an access management strategy that’ll work for your business needs today, and evolve right along with your future growth, check out our Governance, Risk and Compliance services, or schedule a free consultation with a member of our expert team today.