As more organisations move into the cloud, implement remote and hybrid work models and run a multitude of disparate systems, the traditional perimeter is no longer enough to secure critical data. Identity has to be the primary control plane, and identity life cycle management is a key component of this.
This is according to Muzi Langa, MD of ManTK IT Solution, a specialist IT security and services provider. Langa says: “Traditional security initiatives focused on the perimeter in the belief that if the perimeter is secure, the data which resides within the perimeter would also be secure. In the cloud environment, hypothetically, that perimeter still does exist conceptually, but is no longer a reliable control boundary. This means that weak identity controls are a significant risk.”
For example, he cites risks such as unmanaged service accounts that access the data that resides in cloud environments. “We see growing concern when it comes to issues such as shared credentials and a lack of multi-factor authentication,” he says. “These issues still exist even in major enterprises, and they increase the risk of account takeover and lateral movement within the cloud environment. We often see organisations that are adopting cloud at scale failing to prioritise strong identity governance and identity life cycle management. They struggle to implement the principle of least privilege – locking down the user as much as possible, but still giving them access to what they need to do their job.”
Implementing sound identity life cycle management
Zero trust is widely accepted as a key component of identity risk management; however, many organisations overlook proper identity life cycle management as another key focus area, Langa says. Identity life cycle management extends far beyond onboarding and off-boarding, he explains.
“When a person joins the company, an account is created for them with a specific set of role-based access control permissions, but as they change divisions or get promoted, their permissions will change. Life cycle management is the whole process of following the user during their life cycle with the company, assessing whether they need more, less or different permissions,” he says.
Securing, managing and monitoring identity life cycles is an increasingly complex task, which could require certain organisational changes and the implementation of an identity governance and administration solution to support it, Langa says.
“It raises the question of whose job it is to manage identity life cycles. Managing role-based access control is an IT function. But broader identity life cycle management goes beyond an IT function,” Langa notes. “It's a multi-party responsibility involving stakeholders like HR and IT, with guidance from the security officer and the CIO or the CISO, depending on the maturity of the organisation. There might be other systems that the user would need access to, which would then require pulling resources from the departments that those systems reside in, to grant that user that level of access that they need.
“If you think about user life cycle management from a RACI matrix perspective, first we need to know who is the user owner – that would be the user's line manager. And then we need to know who's responsible for granting that user the access that they need to do their job. That would sit with the identity and access management/IT security division. And then there would be the trigger authority, which would be where HR comes in, initiating the joiner, mover and leaver events, providing authoritative employee status data, and ensuring timely communication of employee change. Then there's the technical execution, that is the IT operations layer. That user might need access to certain line of business applications. So then the application owner needs to be brought in as well: they would be responsible for integrating applications with IAM systems, implementing approved access changes and maintaining role-based access control.
“And at the end of it all, you have oversight and assurance. Here, the CSO, the governance, risk and compliance officer and the internal auditor would come in, and their roles would be on a policy and standard level to conduct regulatory reviews, check compliance with regulations and make sure that evidence is available for auditing purposes.”
“In my experience, identity life cycle management is a ‘Jack of all trades’ situation in many organisations. We find they do not actually execute each and every one of the necessary roles in as much depth as is required. Small to medium-sized organisations – including local municipalities and some of the government organisations – are not that well organised when it comes to roles and responsibilities,” Langa says.
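The joiner, mover and leaver process described above, and the role-based permission drift that follows promotions and transfers, is most often caught by reconciling the HR system's authoritative employee status against what the directory actually holds. The following is an added illustration written for this page, not ManTK IT Solution's tooling or code from the article: the HR feed, the directory export, the role-to-entitlement model and all names in it are constructed sample data. It flags joiners without accounts, leavers still enabled, movers whose account role lags HR, entitlements that exceed the current role (the least-privilege check), accounts with no owning employee (unmanaged service accounts), and enabled accounts without MFA.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed RBAC model: the entitlements each role is allowed to carry.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "bi-dashboards"},
    "finance-manager": {"erp-read", "erp-approve", "bi-dashboards"},
    "dev-engineer": {"git-write", "ci-run"},
}


@dataclass(frozen=True)
class HrRecord:
    """Authoritative employee status as HR would publish it (constructed)."""
    employee_id: str
    status: str          # "active" or "terminated"
    role: str            # current job role per HR


@dataclass(frozen=True)
class Account:
    """One row of a directory / IAM export (constructed)."""
    employee_id: Optional[str]   # None when no person owns the account
    username: str
    enabled: bool
    mfa_enrolled: bool
    role: Optional[str]          # role the account was provisioned with
    entitlements: frozenset[str]


def reconcile(hr: list[HrRecord], accounts: list[Account]) -> dict[str, list]:
    """Compare HR (the trigger authority) with the directory and return findings."""
    hr_by_id = {r.employee_id: r for r in hr}
    acct_by_emp = {a.employee_id: a for a in accounts if a.employee_id}
    findings: dict[str, list] = {
        "joiner": [], "leaver": [], "mover": [], "excess": [], "orphan": [], "no_mfa": []
    }

    for rec in hr:
        acct = acct_by_emp.get(rec.employee_id)
        if rec.status == "active" and acct is None:
            findings["joiner"].append(rec.employee_id)           # needs provisioning
        elif rec.status == "terminated" and acct is not None and acct.enabled:
            findings["leaver"].append(acct.username)             # must be disabled
        elif rec.status == "active" and acct is not None:
            if acct.role != rec.role:                            # moved / promoted
                findings["mover"].append((acct.username, acct.role, rec.role))
            # Least privilege: anything beyond the HR role's baseline is excess.
            extra = acct.entitlements - ROLE_ENTITLEMENTS.get(rec.role, set())
            if extra:
                findings["excess"].append((acct.username, sorted(extra)))

    for a in accounts:
        if a.enabled and (a.employee_id is None or a.employee_id not in hr_by_id):
            findings["orphan"].append(a.username)                # no owner in HR
        if a.enabled and not a.mfa_enrolled:
            findings["no_mfa"].append(a.username)
    return findings


# Constructed sample input: one joiner, one mover with accumulated privilege,
# one enabled leaver, one unlinked service account, one account without MFA.
HR_FEED = [
    HrRecord("E100", "active", "finance-analyst"),     # moved from engineering
    HrRecord("E101", "active", "dev-engineer"),
    HrRecord("E102", "terminated", "finance-analyst"),
    HrRecord("E103", "active", "dev-engineer"),        # started, no account yet
]
DIRECTORY = [
    Account("E100", "alice", True, True, "dev-engineer", frozenset({"git-write", "ci-run"})),
    Account("E101", "carol", True, False, "dev-engineer", frozenset({"git-write", "ci-run"})),
    Account("E102", "bob", True, True, "finance-analyst", frozenset({"erp-read"})),
    Account(None, "svc-backup", True, False, None, frozenset({"erp-read"})),
]


def run_sample() -> dict[str, list]:
    return reconcile(HR_FEED, DIRECTORY)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind:7s} {items}")
```

In practice the HR feed and directory export would be pulled from the HR system and the identity provider rather than embedded, and each finding would open a ticket with the responsible party from the RACI view above (line manager for excess entitlements, IT operations for leavers, application owners for role changes).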
“ManTK IT Solution offers consulting and solutions to help organisations bolster access control and identity life cycle management,” he concludes.