Identity and Access Management
Identity and Access Management, often shortened to just IAM, is the practice of keeping control over the identity of who and what is accessing your environment. That is, your systems and, by association, your data can only be accessed by users and devices that you have authorised.
But it’s a lot more than just that. In any organisation people come and go, so it is also about making sure that when users (or devices) should no longer be authorised to access your systems, they are no longer able to do so.
It sounds simple, but in a busy organisation it is easy for simply disabling a user account to be forgotten. Removing access for users or devices is a vitally important step in any cyber security strategy, especially under unfortunate circumstances when people leave a business on bad terms.
Identity and Access Management is a crucial aspect of cyber security. It involves controlling who and what can access your systems and data. Access to data, systems, and services needs to be protected. Understanding who or what needs access, and under what conditions, is just as important as knowing who needs to be kept out.
Why do we need Identity and Access Management?
Data is the lifeblood of any business; in any digital organisation today it is a critical component in maintaining business-as-usual operation. Theft, access denial or destruction of data is not only disruptive, but without good backups it can be devastating at scale.
The next step is controlling access to the data. Any organisation will have sensitive data, and that data is sensitive for a reason: it would likely be detrimental to the business if lost or released publicly. Ensuring the data is only accessible to parties that are trusted and need to access it is another essential part of Identity and Access Management.
Implementing Identity and Access Management
Which brings us to the how. In modern IT the term identity encompasses much more than just the user account in Active Directory. There can be multiple associated devices, the instantaneous status of which can be leveraged to provide additional security. For example, you could consider: Is a device managed by the organisation? What is the patch status of a laptop? Is the mobile device jail-broken or rooted?
The steps below are suggestions of things that can be done. They are by no means exhaustive, and not every step is applicable or appropriate for every organisation, but by implementing these elements you can have confidence that you are doing IAM right:
Identity and Access Management Policies
Organisations should look to develop appropriate IAM policies and processes.
- Control who and what can access your systems and data. A good IAM policy covers who should have access to which systems, data or functionality, why, and under what circumstances.
- Consider all potential types of user including full and part-time staff, contractors, volunteers, students, and visitors.
- Ensure the policy covers what audit records are acquired and how, how they are safeguarded against tampering, and which actions or processes, if any, should require more than one person to perform or authorise them.
- Policies should not just cover systems you control, but also wherever your organisational identities can be used. For example, consider the websites or online services where staff can create an account using their work email address.
Login Methods
Establish and prove the identity of users, devices, or systems, with enough confidence to make access control decisions. Single sign-on (SSO) may be available using your organisational identity for some online services to help you control access to those services (and revoke access along with someone’s work account when they leave your organisation).
New Starters, Movers and Leavers
Ensure your account management processes include a ‘joiners, movers and leavers’ policy, so access can be revoked when no longer needed, or changed for movers. Temporary accounts should also be removed or suspended when no longer required.
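A joiners, movers and leavers policy only works if something checks that it was followed. The sketch below is an added example, not part of the original article: it reconciles a constructed HR roster against a constructed directory export and flags leavers who are still enabled, movers who kept old group access, expired temporary accounts and accounts with no HR record. The field names and the role-to-group mapping are assumptions.

```python
from datetime import date

# Constructed sample data (not from the original page): an HR roster and a
# directory export. Field names and the role-to-group mapping are assumptions.
ROLE_GROUPS = {"finance": {"finance-share", "erp"}, "sales": {"crm"}}

HR = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "left", "role": "sales"},
    "carol": {"status": "active", "role": "sales"},  # moved from finance
}

DIRECTORY = [
    {"user": "alice", "enabled": True, "groups": {"finance-share", "erp"}, "expires": None},
    {"user": "bob", "enabled": True, "groups": {"crm"}, "expires": None},
    {"user": "carol", "enabled": True, "groups": {"crm", "erp"}, "expires": None},
    {"user": "temp-audit", "enabled": True, "groups": {"erp"}, "expires": date(2024, 1, 31)},
    {"user": "dave", "enabled": False, "groups": set(), "expires": None},
]


def reconcile(hr, directory, today):
    """Return sorted (user, finding) pairs for accounts that need action."""
    findings = []
    for acct in directory:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # already disabled, nothing to revoke
        if acct["expires"] is not None:
            # Temporary accounts are judged on their expiry date only.
            if acct["expires"] < today:
                findings.append((user, "temporary account past expiry"))
            continue
        person = hr.get(user)
        if person is None:
            findings.append((user, "no HR record (orphaned account)"))
        elif person["status"] != "active":
            findings.append((user, "leaver still enabled"))
        else:
            # Movers: any group outside the current role's entitlement.
            extra = acct["groups"] - ROLE_GROUPS.get(person["role"], set())
            if extra:
                findings.append((user, "mover retains access: " + ", ".join(sorted(extra))))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in reconcile(HR, DIRECTORY, date(2024, 3, 1)):
        print(f"{user}: {finding}")
```

Run on a schedule against real exports, a check like this catches the forgotten account disablement described earlier without relying on anyone remembering to do it.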
In Conclusion
By following these steps, you can ensure that only individuals and systems that are authorised to have access to data or services are allowed to do so. Getting IAM right across an organisation results in less impact on staff’s workday and smoother collaboration with customers, suppliers, and partners.