Creating an effective Identity and Access Management (IAM) program is rapidly becoming a data security and privacy imperative. As organizations adopt digital transformation strategies, they move sensitive data offsite, choosing serverless over on-premises data repositories. While each cloud services provider, Software-as-a-Service (SaaS) application, on-premises, and hybrid infrastructure requires IAM policies, each has its own unique definitions and requirements. These differences make creating a holistic IAM policy across the enterprise IT ecosystem difficult. However, buried within all the differences lie many similarities that can help you determine the best IAM policy approach for your organization.
What is an Identity and Access Management Policy?
An Identity and Access Management Policy defines access controls within your IT infrastructure. Unlike other written documentation such as cybersecurity policy, an IAM policy requires you to align specific business needs to technical identity and access definitions. Creating an effective IAM policy ensures that the right users have the right access to the right resources at the right time and for the right reason.
Why is it difficult to create an IAM Policy?
Problematically, complex, integrated architectures often create a poor end-user experience. As your organization scales and incorporates new technologies, you may find yourself struggling to create a holistic, unified identity and access program. Many organizations complain that their current IAM strategies lead to:
- Lost Productivity: Users need to request access to resources and wait for IT administrators to review the approvals.
- Poor User Experience: Users need individual accounts for each resource which becomes cumbersome.
- Siloed Applications: Lack of interconnection between applications leads to lack of common data across users.
- Increased Administrative Cost: Help Desk and IT staff spend too much time responding to basic issues like password management arising from the poor user experience of multiple accounts for resources
- Increased Information Security and Compliance Risk: More applications and access points increases the threat surface which increases the risk of unauthorized access as well as audit and compliance violations.
If you take a look at online resources, for example, AWS, Google Cloud, and Azure have different definitions for users, roles, groups, and attributes. Once you start connecting collaboration tools such as Box or O365, you add another layer of user, role, group, and attribute definitions. Moreover, as users move throughout your organization, their roles and access needs change.
In short, IT infrastructures are dynamic. Applications are dynamic. Users are dynamic. Creating an effective IAM policy and maintaining compliance with it requires a flexible and dynamic approach to defining users, resources, and access.
Why organizations struggle to create cohesive identity data for users
The digital era evolves the definition of user from human to human and non-human. Although we traditionally consider users workforce members or human contractors, defining users today needs to include robotic process automation (RPA), Internet of Things (IoT) devices, programmatic functions, and service accounts.
The identities are the digital representations of user, either human or virtual entities, that interact with information systems, software, and data. Each of these identities needs to be granted a credential that authenticates its access to the appropriate resource. Then that authenticated identity needs to be granted permission within the system or application to access the resources necessary to fulfill its job function or automated role.
When creating an IAM policy, you want to create a baseline definition for all users. A primary struggle in a modernized IT infrastructure is the lack of unified definitions across the ecosystem. For example, many organizations who have on-premises, hybrid, and multi-cloud infrastructures struggle to create a unified definition of “user” because:
- AWS considers the title a human identity
- Azure defines it as a person in the Azure Active Directory (AD)
- Google Cloud Platform does not use “user” but refers to “Google account” as any user with an email associated with a Google account
- Alibaba uses the term “RAM-User” which can be human or service account
The problem many organizations face is that they began expanding their infrastructures before creating a cohesive approach to IAM. As such, they have inconsistent identity data. Moreover, as users and identities change roles within the organization, the proliferation of identities makes managing joiner/mover/leaver provisioning and deprovisioning a burden. Thus, many of these “orphaned accounts” remain active, which leads to a security risk because they often remain unmonitored and forgotten.
Why organizations need to move beyond Role-Based Access Controls (RBAC)
Most organizations started by creating Role-Based Access to resources. They aligned users to job functions or roles. Then, they provided access to resources based on these definitions. As organizations scale, defining roles becomes increasingly burdensome. One user can have many roles, and one role can have many users attached to it. For example, RBAC focuses on the user’s job such as administrator, manager, or standard user and then applies the level of access needed to fulfill the job role. As the infrastructure becomes more complex, enterprises find that RBAC is no longer effective.
Proliferation of Identities
An enterprise may have multiple internal teams, each developing its own access rules. As the teams use different resources, the roles become more complex. Each role needs to meet “least privilege necessary” requirements to protect data privacy and security. If you provide too much access to a role, you no longer meet “least privilege necessary” requirements and create a privilege misuse risk.
Since RBAC assigns access rights based on the group to which the user belongs, non-human identities such as RPA and service accounts may be granted too much access. For example, many RPAs require privileged access to systems and networks. However, when RBAC assigns the group role, it does not account for the RPA’s unique access needs within the group. Therefore, it may provide continuous access, since the group would need continued access, rather than short-term access to complete its function.
How intelligent analytics that provide Attribute-Based Access Controls streamline IAM Policy creation
Although many cloud service providers offer IAM policy generation tools, organizations with complex infrastructures find that individual tools and home-grown solutions lead to human error risk as well as increased operational costs. Onboarding new users, for example, may require creating multiple accounts, one for each resource the new user needs. In some cases, one department may create a new role for a user that provides the same access granted to a differently named role created in another department. This redundancy increases the number of roles that need to be managed which, in turn, creates additional monitoring requirements. Ultimately, as the enterprise grows and evolves, managing RBAC in this complex architecture becomes untenable. Attribute-based Access Controls (ABA) provide a way to manage the dynamic nature of modern identity.
Intelligent Role-Mining with Context
Organizations can streamline their IAM Policy creation by incorporating automated tools that enable ABAC. Creating a holistic IAM Policy requires you to incorporate all identity, role, and group definitions across the ecosystem. Automated tools enable the organization to aggregate that information, leverage Big Data analytics, and create a cohesive definition of identity and access based on user attributes. Automated tools that incorporate intelligent analytics enable you to create attributes such as user, object, action, and environment characteristics then apply those to how a subject can operate within the environment. These if/then rules provide more detailed and granular access controls.
Using an automated tool that incorporates intelligent analytics for role-mining allows you to find the similarities in definitions and access permissions across the divergent ecosystem to create an authoritative source of identity.
Maintaining Least Privilege Necessary
With ABAC focused intelligent analytics, you can better manage least privilege necessary access requirements. For example, if you’re using an ERP system like SAP, you need flexible, task-based application access controls. With ABAC, the “if/then” statements that define the identity’s access limit access not just to the application but within the application as well. Since you are creating focused definitions of access within the IAM policy, you can more easily prevent Segregation of Duties (SOD) violations by focusing the access rather than having broad definitions.
Finally, automation with intelligent analytics enables you to use your universal identity warehouse and least privilege access settings to continuously monitor access within your ecosystem. Automated tools that use intelligent analytics monitor for anomalous access requests and alert your IT administrator to help prevent SOD violations or other access risks. Since the tools use ABAC, they can review based on peer and usage to determine whether the access request aligns with other users who have similar attributes.
Why Saviynt? Intelligent Identity for Smarter Security
Saviynt’s Gartner-recognized Identity Governance and Administration (IGA) platform uses intelligent peer- and usage-based analytics that enable organizations to create comprehensive, cross-application and cloud-platform IAM policies. Our intelligent analytics ingest your identity warehouse information and reconcile identity definitions so that you can create an authoritative source of identity.
With our intelligent analytics, the enterprise can streamline the request/review/certify process. Our analytics instantly compare the attributes of the requesting user against users with similar attributes to provide real-time analysis and access. If the request does not match the peer-based information, the Saviynt platform elevates the request for review. Moreover, these analytics also enable organizations to maintain compliance with internal, industry-standard, or regulatory required controls. When our analytics detect a potential SOD violation, the platform sends an alert that incorporates preventive actions to remediate the situation.
Our Cloud PAM solution enables organizations to establish and monitor privileged access across on-premises, hybrid, and cloud infrastructures so that you can create a holistic, identity-based information security and privacy program. Our Cloud PAM provides real-time detection and monitoring help discover and remediate risky workloads, instances, containers, and other code-based identities.
For more information or to schedule a demo, contact us today.