Controlling user access to critical information

Kirsten Doyle
By Kirsten Doyle, ITWeb contributor.
Johannesburg, 13 Dec 2018
Jessica Tandy, Bizmod.

Digital transformation, the extended global enterprise, and the consumerisation of IT have shifted Identity and Access Management (IAM) to the core of digital businesses.

Once used as a means to manage user identities and access to systems or devices, IAM is now employed to uniquely profile users, track their needs and behaviours, and drive efficiency and engagement.

"While digital transformation initiatives deliver significant value, they potentially put more resources at risk and increase the enterprise security threat surface. You have no choice but to play the game of identity," says John Notman, director, Product Marketing, at OpenText.

The first step is understanding what the company is trying to accomplish. There are often scenarios where companies need to securely connect a large ecosystem of users, such as a bank or insurance company wanting increased security as well as more control and visibility of their customers' online banking or insurance experiences. Or there could be a need to establish and manage identities for internet-enabled devices within an industrial supply chain.

Notman says there are shifting definitions of identity management for enterprises that are connecting their supply chains across all possible touch points. "We see two dominant models: the traditional inside-out model and the more holistic outside-in model."

The traditional identity management model has been narrowly defined to provide the right information to the right user at the right time, for the right reasons. It was a single directory serving as the system of record for people within an organisation, and was limited to the administration, authentication and authorisation of employees to provide and control access to internal network resources. It was a means to deliver convenient employee access via single sign-on, and to prevent people external to the company from accessing privileged information.

Make the circle bigger

This model provisions employees based on their roles within the company, but handling a community of external parties is an entirely different matter. "To connect a supply chain, enterprises will need to go well beyond an employee-centric model," he says.

The 'outside-in' model refers to provisioning identities to individuals, systems and things outside of, but connected to, the company. Enterprises are managing a growing breadth of applications like homegrown or commercial open source, on-premise or cloud SaaS, native, web and mobile.

To have a truly connected supply chain, an identity strategy needs to touch every aspect of the business, instead of only controlling internal employee access. It needs to extend beyond the enterprise boundary to customers, partners, suppliers, distributors, connected products and things, and the relationships between them. These relationships and connections need to be established, implemented, and managed and they represent the touch points to systems and data, which is also exactly where the security risk exists.

"It seems conceptually at odds with corporate security teams to let others outside the organisation into their systems, but it's actually haphazard and out of the central organisation's control if they don't have an IAM offering to handle this outside-in access."

According to Notman, matching and managing internal employees to internal systems and resources is one thing, and while it remains necessary, it's not the same as connecting a supply chain community that has IoT expectations: these are simply two different outcomes. "Extending one technology to the other might work as an optimistic philosophy in conversation, but we all know that applying an enterprise technology to a different use case will likely end in headaches related to missed deadlines, bloated budgets, and maybe even your next security breach."

He says it's crucial that an identity management platform contains integrated identity governance capabilities, and includes features such as user administration, privileged identity management, identity intelligence, role-based identity administration and analytics. "A business must be able to define, enforce, review and audit identity management policies and map your identity function to regulatory compliance requirements and records retention policies."

Regulatory requirements

Jessica Nyarayi Tandy, executive director at Bizmod, agrees. She adds that one of the primary controls, which can affect legislative and regulatory requirements, is IAM.

"Organisations need to secure their systems' access and data. How they govern and protect their information starts with how the data is being accessed, and by whom. In instances where access is within an employee's role, activities that users perform need to be monitored and controlled as routine access reviews. A clearly defined information solutions policy and access standard is critical in the facilitation of access governance for an organisation. Data security leans mainly on identity verification and access control, and without these, almost no other security techniques will make a difference."

IAM is leading the path in an exciting world filled with endless business opportunities that will reduce risks while implementing security policies and processes.

Tonderai Kariwo, BSG

According to her, many organisations are currently battling with IAM as a result of operational issues, which require automated tools and solutions to facilitate access management. "For businesses to protect themselves, it's crucial to have identity and access governance in place from the point of onboarding a user type, granting access that's role-based, performing routine access reviews, access reporting and off-boarding of users when they exit an organisation. This end-to-end view isn't only about enabling technologies, but has a strong emphasis on the business users. This enforces the right accountabilities and effective embedding of access controls and risk management within the organisation."

Organisations, she says, also need to look beyond threats that may come from outside, as insider user threats are just as critical to manage. It's important for organisations to have access governance in place for all internal user types, including permanent, temporary and contract staff, as well as third-party partners, across their different lifespans in order to manage the access risk that comes with these identities.

Access control requirements are driven by a variety of concerns, with the main ones being customer confidence, privacy of personal information, preventing unauthorised access to assets and usage of systems, and adherence to professional conduct, says Tandy.

Defined by what you do

Organisations need to have role-based access control (RBAC), and access should be granted based on the individual's job function or role. RBAC supports the least privilege security principle, where access to a company's data and permissions are granted to only those users required for the activities conducted.

A clearly defined information security policy and access standard are vital in the facilitation of access governance in an organisation, she says. "One of the most critical elements to implementing IAM is getting the role mapping right between HR's definition of job profiles and system access required for the job. Access privileges should be granted based on one's role."

The policy should also include the handling of ad-hoc access requests with timeframes for revoking said access. The underpinning approval process should be standardised, where granting access moves through a set approval process to the correct line manager. In cases where there's a deviation in the policy, a deviation process should be defined and followed, which will give the right traceability of all actions taken.

With all the above controls in place, access may be denied when there's a deviation to the policy. This could be when a user's role doesn't align with the access being requested or during access reviews where abnormal activities are observed or there's non-compliance.
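A routine access review of the kind described above can be expressed as a comparison between each user's granted entitlements and the role mapping. The following is an added example, not code from the article or any vendor it names; the role names, entitlement strings, user records and dates are constructed for illustration.

```python
from datetime import date

# Constructed role mapping: HR job profile -> system entitlements (hypothetical names).
ROLE_ENTITLEMENTS = {
    "claims_assessor": {"claims:read", "claims:update"},
    "finance_clerk": {"ledger:read", "invoices:create"},
}

# Constructed user records. "adhoc" maps an entitlement to (approver, revoke-by date).
USERS = [
    {"id": "u1", "role": "claims_assessor", "active": True,
     "granted": {"claims:read", "claims:update"}, "adhoc": {}},
    {"id": "u2", "role": "finance_clerk", "active": True,
     "granted": {"ledger:read", "invoices:create", "payments:approve"},
     "adhoc": {"payments:approve": ("mgr7", date(2018, 11, 30))}},
    {"id": "u3", "role": "finance_clerk", "active": True,
     "granted": {"ledger:read", "claims:update"}, "adhoc": {}},
    {"id": "u4", "role": "claims_assessor", "active": False,
     "granted": {"claims:read"}, "adhoc": {}},
]


def decide_request(role, entitlement):
    """Grant only what the role mapping allows; anything else needs the deviation process."""
    return "grant" if entitlement in ROLE_ENTITLEMENTS.get(role, set()) else "deny"


def access_review(users, today):
    """Return (user id, entitlement, finding) for every grant that breaks the policy."""
    findings = []
    for user in users:
        baseline = ROLE_ENTITLEMENTS.get(user["role"], set())
        for ent in sorted(user["granted"]):
            if not user["active"]:
                findings.append((user["id"], ent, "off-boarded user still has access"))
            elif ent in baseline:
                continue  # access matches the job profile
            elif ent not in user["adhoc"]:
                findings.append((user["id"], ent, "outside role, no approved deviation"))
            elif user["adhoc"][ent][1] < today:
                findings.append((user["id"], ent, "ad-hoc access past revocation date"))
    return findings


if __name__ == "__main__":
    for finding in access_review(USERS, date(2018, 12, 13)):
        print(finding)
```
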

IAM is also leading the way in an exciting world filled with endless business opportunities that will reduce risks while implementing security policies and processes, comments Tonderai Kariwo, senior business consultant at BSG. "However, it can be daunting to educate, prioritise, pick and implement solutions, and then maintain all of it with thoughtful governance.

"Everyone becomes frustrated at times with the amount of passwords and the hassle of having to remember these, along with the frustration from not getting access, changing passwords and the impact of cyber crime," he adds.

"Worryingly, for businesses that are already faced with these challenges, additional risks often arise that challenge how the typical business leader should structure and secure the business operations. Combining this with the advent of digital transformation, the results are a multitude of complex technology environments."

Kariwo says there are several practical steps that businesses should take when implementing IAM. Firstly, the business needs to identify critical process experts to own key processes or functionality that will guide the controls and measures supporting access entitlement provisioning to the job profiles.

Next, the business must enable internal audits to set up the internal controls that would govern, resolve and report against IAM metrics. The technical solution, be it on-premise or cloud, must be fully understood, and the environment, including the infrastructure, must be known and the different integration points validated to facilitate easier deployment and interaction of the data flows.

The business must also ensure that there's ongoing alignment to the business strategy and operations that determine the responsibilities within the job profiles and ultimately the correct access entitlements throughout the implementation phases.

Finally, the business must make sure that key capabilities, such as risk-based authentication, behavioural analysis and automated workflows are in place to get the full benefit of IAM and ensure direct interconnectedness to functions such as fraud, security and governance.

Secure platforms

"IAM centres around processes, and changing processes can be a time-consuming and difficult thing to do in any organisation. IAM implementation affects nearly all of an organisation's systems, and may take months, or even years, to complete, exposing many organisations to immense risk as they're left vulnerable while these systems and processes are put in place," says Martin Potgieter, technical director at Nclose.

In particular, it involves organisation-wide identities and access controls, and so touches on almost all aspects of a business, adds Potgieter. Most people think of Microsoft Active Directory when thinking about an identity store. However, when taking a deeper look, there are several other areas where identities are stored, including, but not limited to, cloud, non-Windows infrastructure and HR platforms.

"Getting all these identities together, applying consistent policies and correlating where there's overlap is a phenomenal technical challenge. When one throws in the business process changes required, it becomes even more daunting and challenging, hence the long timelines typically associated with IAM projects."

This is where other tools and solutions can be beneficial. "Managed detection and response (MDR) can expose many of the common violations that these IAM processes are designed to mitigate, including detection of identity theft, use of stolen credentials or attempts to brute-force credentials; detection of when users are given administrative or other privileged access; and detection of when there's a deviation in the pattern of when credentials are used, such as administrator access during unusual or non-business hours."

Potgieter believes MDR can complement IAM and provide interim risk mitigation while IAM processes and systems are put in place. "Most people wouldn't associate MDR directly with IAM. At a quick glance, the only link between these concepts is that they fall under cyber or IT security. IAM is all about installing proper controls around an organisation's identities, and what these identities may access."

The reason IAM is so important, says Potgieter, is that we know that abused or misconfigured identities are often the starting stages of any attack, whether it's a phishing attack aimed at getting non-privileged credentials to gain some sort of foothold, or abuse of privileged credentials to escalate an attack once a foothold is already in place. While MDR doesn't only address detecting these types of abuses, it's a strong focus of mature MDR providers, due to the understanding that abusing identities is often what attackers leverage to infiltrate an organisation.

So where IAM puts controls in place to mitigate much of the risk of the various identities within an organisation, MDR is able to detect when these controls are violated or other anomalous activity is seen around an organisation's identities.
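Three of the detections Potgieter lists (brute-force attempts, newly granted privileged access, and administrator logons outside business hours) can be sketched as rules over authentication events. This is an added example, not code from the article or from any MDR provider; the event format, account names, group name and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, account, event, detail).
EVENTS = [
    ("2018-12-10T09:01:10", "jsmith", "login_failed", "198.51.100.7"),
    ("2018-12-10T09:01:40", "jsmith", "login_failed", "198.51.100.7"),
    ("2018-12-10T09:02:05", "jsmith", "login_failed", "198.51.100.7"),
    ("2018-12-10T09:02:30", "jsmith", "login_failed", "198.51.100.7"),
    ("2018-12-10T09:03:00", "jsmith", "login_failed", "198.51.100.7"),
    ("2018-12-10T10:00:00", "mbrown", "login_failed", "10.0.0.8"),
    ("2018-12-10T11:15:00", "tmp_contractor", "group_added", "Domain Admins"),
    ("2018-12-10T14:00:00", "adm_ops", "login_ok", "10.0.0.5"),
    ("2018-12-10T16:40:00", "mbrown", "login_failed", "10.0.0.8"),
    ("2018-12-11T02:30:00", "adm_ops", "login_ok", "203.0.113.9"),
]

# Assumed thresholds and lists; tune them to the environment being monitored.
ADMIN_ACCOUNTS = {"adm_ops"}
PRIVILEGED_GROUPS = {"Domain Admins"}
BUSINESS_HOURS = range(7, 19)       # 07:00 to 18:59
MAX_FAILURES = 5                    # failed logons per account ...
WINDOW = timedelta(minutes=10)      # ... within this sliding window


def detect(events):
    """Return (timestamp, account, alert) tuples in chronological order."""
    alerts = []
    failures = defaultdict(list)
    for ts_text, account, event, detail in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        if event == "login_failed":
            # Keep only failures still inside the window, then add this one.
            failures[account] = [t for t in failures[account] if ts - t <= WINDOW] + [ts]
            if len(failures[account]) == MAX_FAILURES:
                alerts.append((ts_text, account, "possible brute force"))
        elif event == "group_added" and detail in PRIVILEGED_GROUPS:
            alerts.append((ts_text, account, "privileged access granted"))
        elif event == "login_ok" and account in ADMIN_ACCOUNTS and ts.hour not in BUSINESS_HOURS:
            alerts.append((ts_text, account, "admin logon outside business hours"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
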

He sees the relationship between MDR and IAM as a symbiotic one. "Where IAM processes and controls allow organisations to lock down identities and what they should and could access, an effective MDR could detect many breaches where the controls are either bypassed by an attacker or not yet implemented by the organisation. So while MDR is a quick win, in terms of this detection capability, there's certainly value in making use of MDR even if one has a fully functional IAM system in place."

This article was first published in the January 2019 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.