Governance in IAM

We looked at the importance of Identity and Access Management today in a previous blog. Going a step further, how does one verify that the IDs are functioning properly and that no user has access beyond what they need? With the Covid pandemic triggering a new set of challenges and organizations allowing employees to work from the safety of their homes, strengthening organizational security has taken more precedence than ever before.

With most organizations operating globally across geographies, involving a plethora of distributed technologies and applications residing in the cloud and on private and public networks, compliance and data security measures become even more important. Any such breach can have far-reaching financial, brand and even legal ramifications.

Once an identity is established for an individual, it is modified on an ongoing basis depending on the roles the person takes on in the organization. Periodic audits are mandatory to ensure that the IDs are functioning properly. This is where Governance comes into the picture.

Identity and Access Governance products are typically deployed on top of IAM systems to enable organizations to define, enforce, review and audit IAM policies, map IAM functions to compliance requirements and audit user access, in support of compliance reporting.

Governance solutions are designed to link people, applications, data and devices so that organizations can determine who has access to what, what kind of risk that represents, and take action where policy violations are identified. They provide organizations with better visibility into identities and access privileges, and better controls to detect and prevent inappropriate access.

In addition to providing the guidelines, Governance solutions also impose the monitoring mechanisms required to evaluate the access and usage rights of individual users on an ongoing basis and flag anomalies.


Segregation/Separation of Duties (SoD) –

Rules that prevent risky combinations of access from being granted to one person. For example, a user should not be granted both the Purchase Order role and the Approval role for the same orders.
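The Purchase Order / Approval rule above, as an added example (not code from any of the products named on this page): roles expand to entitlements, SoD rules are toxic pairs of entitlements, and the same rule serves both as a detective check over existing assignments and as a preventive check on a new role request. All role and entitlement names are constructed for illustration.

```python
# Constructed sample role model: each role expands to fine-grained
# entitlements, the way an IGA product would model it.
ROLE_ENTITLEMENTS = {
    "AP_Clerk":   {"po.create", "po.edit"},
    "AP_Manager": {"po.approve", "report.view"},
    "Auditor":    {"report.view", "audit.read"},
}

# SoD rules: pairs of entitlements that one person must never hold together.
SOD_RULES = [
    ("po.create", "po.approve", "Raising and approving the same purchase order"),
]


def effective_entitlements(roles):
    """Union of entitlements across every role assigned to one user."""
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def sod_violations(assignments):
    """Detective control: (user, rule description) for each toxic pair held.

    assignments maps user -> set of role names."""
    found = []
    for user, roles in assignments.items():
        ents = effective_entitlements(roles)
        for a, b, desc in SOD_RULES:
            if a in ents and b in ents:
                found.append((user, desc))
    return found


def can_grant(assignments, user, new_role):
    """Preventive control: simulate the grant and refuse it if the user
    would then hold (or already holds) a toxic combination."""
    trial = dict(assignments)
    trial[user] = set(assignments.get(user, set())) | {new_role}
    return not any(u == user for u, _ in sod_violations(trial))


if __name__ == "__main__":
    users = {"alice": {"AP_Clerk"}, "bob": {"AP_Clerk", "AP_Manager"}}
    print(sod_violations(users))                     # bob is flagged
    print(can_grant(users, "alice", "AP_Manager"))   # False: would create a violation
```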

Access Review (Recertification) –

Streamlines the review and verification of users' access to different apps and resources. The reviewer(s) may revoke any access the user no longer needs.

Analytics and Reporting Tools –

Log activities, generate reports and provide analytics to identify issues and, if required, optimize roles using Role Mining.

IBM’s Identity Governance and Intelligence (IGI), RSA, SailPoint and Saviynt are a few of the leading Governance tools in the market.

Stay tuned for more. Please do leave comments/suggestions if any.

Identity and Access Management – Let’s get started

Information security and identity management are both major current concerns for enterprises, especially with the growing use of mobile applications and the sensitive data they handle.

Information Security?

InfoSec is the state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this without hampering organizational productivity. This is largely achieved through a multi-step risk management process that identifies assets, threat sources, vulnerabilities, potential impacts, and possible controls (such as industry standards on passwords, antivirus software, firewalls, encryption software etc.), followed by an assessment of the effectiveness of the risk management plan.

Identity and Access Management?

IAM, IDM and IDAM are all acronyms for Identity and Access Management, which is intended to be the primary focus of this blog. It is the branch of InfoSec that enables the right individuals to access the right resources (an application, data or even hardware) at the right times and for the right reasons. An identity is the consumer that needs to access a resource. Most of the time this consumer is best viewed as a person or a digital persona, but it could also be another resource such as a database or another application.

Identity management is a process applied to ensure the integrity and privacy of an identity: how it is created, how it is managed and how it translates into access. This brings us to another important question: what is access? Access is essentially a Yes/No decision. Access Management is a deployment tasked with making that Yes/No decision for a given identity.

Identity Management creates an identity and manages the attributes related to the user, whereas Access Management evaluates these attribute values and authorizes the user. Note that authorization is not the same as authentication. In simple terms, authentication is the process of verifying who you are, while authorization is the process of verifying what you have access to.


Since examples are the best way to remember concepts, let’s consider a couple of them. A certain Media Sharing Platform requires any user that uses it to create an account by registering. During registration, some data is collected and stored in the platform’s database. This is part of Identity Management. Once the account is successfully created, the user has to enter his unique id and password to log in to his account. This is authentication.
This platform allows everybody to view each other’s shared photographs, while browsing through other people’s videos is a paid feature. Whether a user has activated this paid feature or not is stored in an attribute (DB column) in the platform’s database. Storing and managing this attribute is part of identity management, whereas checking the attribute value once the user has logged in and tries to browse other users’ videos is authorization. This decision of whether a user is a “paid user = Yes/No?” is handled by Access Management. If the user is authorized (paid=yes), the Access Management module allows the user to browse through and play the videos; if not authorized (paid=no), the user is stopped from doing so.
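The media platform example above as an added illustration (not code from the post or from any product it names): registration and the `paid` attribute live on the Identity Management side, `authenticate` answers only "who is this?", and `authorize` makes the Yes/No decision from the attribute. The password hashing, the store layout, the action names and all sample users are constructed assumptions.

```python
import hashlib
import hmac
import os

# Identity Management side: the identity store. Each record holds the
# credential material and the attributes the post describes, e.g. 'paid'.
_DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same time as known ones


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(store, username, password, paid=False):
    """Identity Management: create the identity and its attributes."""
    salt = os.urandom(16)
    store[username] = {"salt": salt, "pw": _hash_password(password, salt), "paid": paid}


def authenticate(store, username, password):
    """Verify WHO the user is. Returns the identity name or None; it never
    says what the identity may do."""
    rec = store.get(username)
    if rec is None:
        _hash_password(password, _DUMMY_SALT)  # equalize timing, then fail
        return None
    if hmac.compare_digest(rec["pw"], _hash_password(password, rec["salt"])):
        return username
    return None


# Access Management side: the policy that maps actions to attributes.
PUBLIC_ACTIONS = {"view_photos"}
PAID_ACTIONS = {"browse_videos", "play_video"}


def authorize(store, identity, action):
    """The Yes/No decision, evaluated from the identity's attributes."""
    if identity is None:
        return False
    if action in PUBLIC_ACTIONS:
        return True
    if action in PAID_ACTIONS:
        return bool(store[identity]["paid"])
    return False  # unknown action: deny by default


def handle_request(store, username, password, action):
    """Full flow: authentication first, then the authorization decision."""
    identity = authenticate(store, username, password)
    if identity is None:
        return "unauthenticated"  # the 401 case
    return "ok" if authorize(store, identity, action) else "forbidden"  # 403 if denied
```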

As another example, consider a Windows desktop. Creating an account on the desktop is Identity Management. Logging in to the desktop is authentication against the Windows Local Registry, and the permissions you have on data in a specific location (Read Only, Read/Write, Delete etc.) are based on the authorization level against your identity. An Administrator account has full access, whereas a guest account may have read-only access to the Windows C drive.

A few well-known IDAM tools are IBM’s ISIM for Identity Management and ISAM for Access Management, SailPoint, Microsoft’s Azure Active Directory etc.

Stay tuned for more blogs on IAM and its tools. Leave comments/suggestions if any.