Identity and Access Management

Why do we need Identity and Access Management?

Data is the lifeblood of any business; in any digital organisation today it is a critical component in maintaining business as usual operation, theft, access denial or destruction of data is not only disruptive, but without good backups it can be devastating at scale.

The next step is controlling access to the data. Any organisation will have sensitive data, and that data is sensitive for a reason, it would likely be detrimental to the business if lost or released publicly. Ensuring the data is only accessible to parties that are trusted and need to access the sensitive data is another essential part of Identity and Access Management.

Implementing Identity and Access Management

Which brings us to the how. In modern IT the term identity encompasses much more than just the user account in active directory, there can be multiple associated devices the instantaneous status of which can be leveraged to provide additional security. For example, you could consider whether a device is managed by the organisation? What is the patch status of a laptop? Is the mobile device jail-broken or rooted? 

The steps below are suggestions on things that can be done, they are by no means exhaustive and not every step is applicable or appropriate for every organisation; but by implementing these elements you can have confidence that you are doing IAM right:

Identity and Access Management Policies

Organisations should look to develop appropriate IAM policies and processes.

• Control who and what can access your systems and data. A good IAM policy that covers who should have access to which systems, data or functionality, why, and under what circumstances.
• Consider all potential types of user including full and part-time staff, contractors, volunteers, students, and visitors.
• Ensure the policy covers what and how audit records are acquired, and how they are safeguarded against tampering, and an identification of which actions or processes, if any, should require more than one person to perform or authorise them.
• Policies should not just cover systems you control, but also wherever your organisational identities can be used – for example, consider the websites or online services that staff can create an account by using their work email address.

Login Methods
Establish and prove the identity of users, devices, or systems, with enough confidence to make access control decisions. Single sign-on (SSO) may be available using your organisational identity for some online services to help you control access to those services (and revoke access along with someone’s work account when they leave your organisation).

New Starters, Movers and Leavers
Ensure your account management processes include a ‘joiners, movers and leavers’ policy, so access can be revoked when no longer needed, or changed for movers. Temporary accounts should also be removed or suspended when no longer required.

In Conclusion

By following these steps, you can ensure that only individuals and systems that are authorised to have access to data or services are allowed to do so. This will result in less impact on staff’s workday by getting IAM right across an organisation, smoother collaboration with customers, suppliers, and partners.