IAM Key-Features: An overview

POV: You realize that your access rights to systems are not very effectively regulated in some cases and that the software landscape in your company generally resembles an opaque jungle. So why don’t you take out the machete and clean up a bit? Well. One way or another. Introducing an IAM is pretty much the same, but with fewer mosquitoes. 

And what are the most important features of an IAM? There’s no question that it has many good ones 😉. With an IAM, the right people can access the right resources at the right time and for the right reasons.
In this article, I’ll explain which features are offered with IAM and how you can use them most profitably and effectively. So read on if you want to optimize your access management or want more info on IAM possibilities.

Access Governance 

Access governance deals with role concepts and the mapping of IT authorizations. Specific roles can be assigned authorizations and these can be monitored. This makes the unintentional assignment of unnecessary authorizations less likely. And if it does happen, it is noticed more quickly.  

Access governance can be divided into three sub-areas: 

Classifications: Data is classified according to risk classes. It is then determined which activities and areas must be subject to segregation of duties or separation of duties (SoD). A transfer of 10 million euros, for example, should always require the authorization of more than one person. Thus, it is recorded that person one gives an order, person two checks it and countersigns the order, and person three executes the order. None of these persons may be the same. 
Attestation: This is the process of verifying current access and permissions. Access attestation is a never-ending process that ensures that every user has access to the data, systems, and applications they need. But none to those they don’t need. In large enterprises, constant changes and expansions of roles are normal. That’s why it’s especially important to maintain a good overview and prevent an accumulation of rights. After all, who wants the trainee to have more rights than the boss after 4 department changes?  

When introducing an IAM system, department heads, managers and team leaders should therefore be asked who still needs access and whether the access rights are still correct. Regular reporting of rights is an important aspect for clarity.

Reconciliation (target/actual comparison): Reconciliation involves looking into systems and areas and comparing who still has access with who should still have it. It is therefore a target/actual comparison of access rights.
To do this, the IAM system takes the actual status of access rights and compares it with a target status list. Problems or inconsistencies are highlighted. In the next step, these problems are resolved. This can be done automatically or manually, whereby the goal is, of course, automation.
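The target/actual comparison described here, together with the segregation-of-duties rule from the Classifications paragraph, as an added example on constructed data (not code from the article or any IAM product): the reconciliation reports excess and missing rights per user, and the SoD check flags anyone holding more than one role of a conflicting set. The role names, users and the SoD set are assumptions.

```python
# Added example (not from the article): reconciliation of actual vs. target
# access rights plus a segregation-of-duties (SoD) check, on constructed data.
from dataclasses import dataclass

# Constructed SoD rule from the transfer example: no single person may hold
# more than one of these three roles.
SOD_SETS = [frozenset({"order_entry", "order_countersign", "order_execute"})]

@dataclass
class Finding:
    user: str
    kind: str      # "excess", "missing" or "sod_violation"
    detail: str

def reconcile(actual: dict[str, set[str]], target: dict[str, set[str]]) -> list[Finding]:
    """Compare rights found in the systems (actual) with the rights the
    role concept says each user should have (target)."""
    findings = []
    for user in sorted(set(actual) | set(target)):
        have, should = actual.get(user, set()), target.get(user, set())
        for role in sorted(have - should):
            findings.append(Finding(user, "excess", role))     # accumulated right
        for role in sorted(should - have):
            findings.append(Finding(user, "missing", role))    # not yet provisioned
    return findings

def sod_violations(assignments: dict[str, set[str]]) -> list[Finding]:
    """Flag any user who holds two or more roles of one SoD set."""
    out = []
    for user, roles in sorted(assignments.items()):
        for conflict in SOD_SETS:
            held = sorted(roles & conflict)
            if len(held) > 1:
                out.append(Finding(user, "sod_violation", "+".join(held)))
    return out

# Constructed sample: the trainee kept a role from an earlier department, bob
# is missing a role, and carol could both enter and countersign orders.
ACTUAL = {"trainee": {"editor", "order_execute"}, "bob": {"editor"},
          "carol": {"order_entry", "order_countersign"}}
TARGET = {"trainee": {"editor"}, "bob": {"editor", "ad_admin"},
          "carol": {"order_entry"}}

def run() -> list[Finding]:
    return reconcile(ACTUAL, TARGET) + sod_violations(ACTUAL)

if __name__ == "__main__":
    for f in run():
        print(f"{f.kind:14} {f.user:8} {f.detail}")
```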

Audit Reporting

The audit does not start in the IAM but much earlier. Audit reporting helps to uncover risks and make them traceable by documenting system states and actions. Only if the risks are known can they be evaluated, checked, and controls introduced. And let’s be honest… who has a perfectly error-free process flow? Ultimately, it is better to analyze the process more closely than to avoid it altogether.
Audit reporting is also divided according to different functions: 

Audit trail: The audit trail shows changes that are made in processes. This makes it easier to control them. The function shows the auditor why access exists, who exactly granted it and how this access came about. In this way, processes can be continuously monitored and alarms can be sent directly in the event of misconduct or rule violations. 

Audit Policy: The Audit Policy contains the rules of the organization. What should/must be recorded? Which sensitive data must be taken into account? For how long must data be collected? Who is allowed to see the data? 

Audit Response: Once you have the list of critical processes and other findings, you need to respond to them. What action points are derived from it? Who needs to take action? How do you respond to lapses? 

Role & Access Management

Here, it is determined which roles exist in the company and must therefore be available in the system. The goal is usually automatic account creation and automatic assignment of rights depending on the function of the employees in the company. Beyond compliance with legal requirements, this is also where the company gains added value.
For example, when a new editor is hired, an Active Directory account is automatically created and a Microsoft Office license is assigned. Access is granted automatically based on the role. Any additional roles that are required must then be requested and authorized by another party.
However, rights can also be excluded from approval. For example, if an intern requests access to the company’s bank account and another person accidentally approves it, the IAM system still denies access. This happens because restrictions can be stored in the IAM for certain roles. After all, there is more adequate personnel for bank account management than an intern.

Approval Workflows

Who may confirm what and how many instances must confirm?

The criticality of accesses is determined, and for each criticality class it is stored how many instances must approve an access request. This is accompanied by a risk assessment of the operation. A trade-off is then made between the cost of access control and the cost in the event of a potential breach due to unauthorized access. For example, the risk of damage caused to the system is calculated at 1.5 million euros. The access control of each employee is calculated at 10 million euros. From an economic point of view, it is actually clear what should be done.
There must always be a trade-off between security/risk and productivity/usability.
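The approval workflow above, the stored role restriction from the Role & Access Management section (the intern whose approved bank-account request is still denied) and the audit-trail record of who granted what and why, as one added example (constructed code, not from the article or any IAM product): each role carries a criticality class that fixes the number of distinct approvers, restrictions are enforced regardless of approvals, and every decision is appended to an audit trail. Role names, criticality classes and the approval counts are assumptions.

```python
# Added example (not from the article): evaluating a role request against
# criticality-based approval counts and hard role restrictions, and writing an
# audit-trail entry for every decision. All names and values are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed criticality classes: how many independent approvals each needs.
APPROVALS_REQUIRED = {"low": 0, "medium": 1, "high": 2}

# Constructed role catalogue: role -> (criticality, job functions allowed to
# hold it). None means any function may request the role.
ROLE_CATALOG = {
    "office_license": ("low", None),
    "crm_editor": ("medium", None),
    "bank_account": ("high", {"treasurer", "cfo"}),
}

@dataclass
class Request:
    user: str
    function: str
    role: str
    approvers: list[str]   # approvals actually collected for this request

@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    decision: str
    reason: str
    approvers: list[str]

def evaluate(req: Request, audit: list[AuditEntry]) -> str:
    """Return "granted" or "denied" and record why in the audit trail."""
    criticality, allowed = ROLE_CATALOG[req.role]
    needed = APPROVALS_REQUIRED[criticality]
    # Distinct approvers only, and nobody approves their own request.
    approvers = [a for a in dict.fromkeys(req.approvers) if a != req.user]
    if allowed is not None and req.function not in allowed:
        # The stored restriction wins even if someone approved by mistake.
        decision, reason = "denied", f"role restricted to {sorted(allowed)}"
    elif len(approvers) < needed:
        decision, reason = "denied", f"{criticality}: {needed} approvals needed, got {len(approvers)}"
    else:
        decision, reason = "granted", f"{criticality}: approvals sufficient"
    audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(), req.user,
                            req.role, decision, reason, approvers))
    return decision
```

Calling `evaluate(Request("intern1", "intern", "bank_account", ["mgr_a", "mgr_b"]), trail)` returns "denied" and leaves the reason in `trail` for the auditor.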

Lifecycle Management

Lifecycle management encompasses all authorization-relevant processes surrounding a person during his or her period of employment at the company.

It starts when the person is hired by the company. Here it is ensured that the new employee has access to all the applications, systems and files he or she needs in order to work. If all the necessary access is already granted on day one, this makes a good impression on the new hire right from the start. And the new employees can be productive from day one.

New or different rights are also required in the event of a change of department or promotion within the company. Accesses from the old position should then be terminated to prevent an accumulation of access rights. Or when an employee goes on parental leave or a sabbatical. Here it is also advisable to remove access to critical systems. If access rights are not systematically removed, security violations may occur.

When leaving the company, all rights must be conscientiously withdrawn. This status must be mapped and monitored in the lifecycle.

Re-entry into the company is also a conceivable scenario. If a person leaves the company to gain professional experience elsewhere or to pursue further training and then returns, this can also be mapped in Lifecycle Management. In this way, persons remain recorded in the system if there are legal reasons to record the UserID (e.g. for the company pension).

Lifecycle management thus provides an overview of the internal lifecycle of employees from onboarding through change to offboarding.
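The onboarding, change, leave, offboarding and re-entry cases of this section as one added example (constructed code, not from the article or any IAM product): a department change replaces the old department's rights rather than adding to them, a leave of absence strips critical rights, offboarding withdraws everything but keeps the record, and re-entry reuses the existing user ID. The department-to-role mapping and the critical set are assumptions.

```python
# Added example (not from the article): a minimal joiner/mover/leaver lifecycle
# on constructed data. Roles per department and the critical set are assumptions.
from dataclasses import dataclass, field

DEPT_ROLES = {"editorial": {"ad_account", "office_license", "cms_editor"},
              "finance":   {"ad_account", "office_license", "erp_booking"}}
CRITICAL = {"erp_booking", "cms_editor"}   # removed while on leave

@dataclass
class Identity:
    user_id: str
    status: str = "active"        # active | leave | offboarded
    department: str = ""
    roles: set[str] = field(default_factory=set)
    history: list[str] = field(default_factory=list)

class Lifecycle:
    def __init__(self):
        self.people: dict[str, Identity] = {}

    def join(self, user_id: str, dept: str) -> Identity:
        # Re-entry keeps the existing user ID and history; a new hire gets a fresh record.
        p = self.people.setdefault(user_id, Identity(user_id))
        p.status, p.department = "active", dept
        p.roles = set(DEPT_ROLES[dept])        # everything needed on day one
        p.history.append(f"join {dept}")
        return p

    def move(self, user_id: str, dept: str) -> Identity:
        p = self.people[user_id]
        p.roles = set(DEPT_ROLES[dept])        # old department rights are not kept
        p.department = dept
        p.history.append(f"move {dept}")
        return p

    def leave_of_absence(self, user_id: str) -> Identity:
        p = self.people[user_id]
        p.status, p.roles = "leave", p.roles - CRITICAL
        p.history.append("leave")
        return p

    def offboard(self, user_id: str) -> Identity:
        p = self.people[user_id]
        p.status, p.roles = "offboarded", set()   # record stays, all rights withdrawn
        p.history.append("offboard")
        return p
```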

Single Sign-on 

Single sign-on is an authentication option. Once authenticated, you can log in to all systems for which you are authorized. The single sign-on can run via a certificate, but it does not have to. It can also run via a token. You verify yourself once. You may then have to press a button again in the other systems, but you do not have to enter any more login data.

This distinguishes single sign-on from seamless sign-on. With seamless sign-on, you log in once and your other systems log in automatically without you having to do anything else. The deluxe version.

Provisioning

Provisioning is the writing, deleting or updating of employee identity data in a target system. It is the process that distributes user data and roles to the connected systems.
When there is a data change in the IAM, this data is automatically changed in the connected systems. For example, the change of the name after the marriage of an employee and the related change of the mail address.

Provisioning is part of fulfillment. Fulfillment is the process, for example, from approving a role until it is created for the user in the system.

Password Management 

When the password is changed, the system can automatically write the new password to the Active Directory via a dedicated password reset flow.

Depending on how you want to configure your password management, this can also result in a kind of workflow. For example, you can define that the manager’s approval must be obtained for every password change.

Multifactor Authentication 

Multifactor authentication ensures that more than just the password must be entered for verification when logging in. So password plus x (plus x): two or more independent features.
Multifactor authentication does not always have to be a password plus x. It is quite possible that you log in daily with Multifactor without knowing it. If your company uses device management, for example, i.e. your PC is permanently assigned to you on the basis of a certificate, plus you enter your password, this is already multifactor authentication.

The equation here is: Ownership (via certificate and device management) + password = login.

Even Windows Hello with face recognition is multifactor authentication, since the certificate and the face recognition fulfill several independent characteristics.
When logging into a highly critical system, another factor can be requested for login. This can be controlled according to risk. Depending on the assessment of the risk of a system, sometimes more, sometimes fewer identification factors can be requested.

Multifactor authentication with OOB (out of band) is also frequently used. After entering the user name on the PC, you have to approve the login on another device such as your cell phone. Microsoft uses the Microsoft Authenticator app for this purpose.
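The "independent characteristics" point and the risk-controlled number of factors from this section as an added example (constructed code, not from the article or from any vendor): each presented factor is mapped to a category (knowledge, possession, inherence), so password plus device certificate counts as two factors while password plus PIN counts as one, and a system's risk class decides how many categories a login must show. The factor-to-category mapping and the risk classes are assumptions.

```python
# Added example (not from the article): counting independent factor categories
# and applying a risk-based requirement per target system. The factor-to-category
# mapping and the risk classes are constructed assumptions.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "device_certificate": "possession", "authenticator_push": "possession",
    "hardware_token": "possession",
    "face_recognition": "inherence", "fingerprint": "inherence",
}
# Risk class of the target system -> distinct factor categories required.
REQUIRED_CATEGORIES = {"low": 1, "medium": 2, "high": 3}

def categories(presented: list[str]) -> set[str]:
    """Independent characteristics only: two factors of one kind count once."""
    return {FACTOR_CATEGORY[f] for f in presented}

def is_multifactor(presented: list[str]) -> bool:
    """Password + device certificate is MFA; password + PIN is not."""
    return len(categories(presented)) >= 2

def login_allowed(presented: list[str], system_risk: str) -> bool:
    """Risk-controlled check: critical systems demand more categories."""
    return len(categories(presented)) >= REQUIRED_CATEGORIES[system_risk]

def step_up_options(presented: list[str], system_risk: str) -> set[str]:
    """Categories from which an additional factor may be requested,
    empty if the login already satisfies the system's requirement."""
    have = categories(presented)
    if len(have) >= REQUIRED_CATEGORIES[system_risk]:
        return set()
    return set(FACTOR_CATEGORY.values()) - have
```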

Conclusion 

What should you look for when comparing the features? When choosing the right tools, you should pay attention to your main goal. In most cases, a combination of different vendors will be used to cover your specific scenario.

For rights assignment and lifecycle management, for example, Omada. Login, on the other hand, goes via Microsoft Azure with MFA. If you have a particularly critical infrastructure and want to protect your systems, you can add a PAM system such as CyberArk.
To find the perfect solution for you, your company and your scenario, come to us and we will find the most suitable solution.
