Understanding Identity and Access Management Compliance
What is Identity and Access Management?
Identity and Access Management (IAM) programs protect data privacy and security. They start with user authentication and authorization, often through a single sign-on solution that incorporates multi-factor authentication, then assign users' access rights to resources with Identity Management (IDM) tooling, and continuously monitor that access so the organization can prove it enforces and governs "least privilege" access rights.
What are IAM Identity-Based policies?
IAM identity-based policies are attached to a principal (a user, group, or role) and define what that principal may do to which resources, such as full access or read-only access, once the user has been authenticated. They are distinct from resource-based policies, which are attached to the resource itself and state which principals may act on it; both are evaluated together when a request is made. Identity-based policies also let you add constraints beyond identity, based on user attributes (such as company or team) and on the context of the request (such as device, network location, and application type), when users access digital resources such as AWS. For example, if you want to limit access to your cloud resources to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance, you need to make sure that users with access to cardholder data (CHD) can reach your cardholder data environment (CDE) only from an approved device or location. Limiting access this way protects your segmented network environment and gives you a more robust compliance posture.
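The device/location constraint described above, expressed as an AWS IAM identity-based policy. This is an added example, not a policy from the original page; the bucket name (example-cde-bucket), the approved network range (203.0.113.0/24, a documentation-only range), and the principal tag key pci-scope are assumptions chosen for illustration. The Allow statement grants read access to the CDE bucket only when the request comes from the approved network, the caller authenticated with MFA, and the caller carries the pci-scope=cde attribute; the explicit Deny statement blocks any access to the bucket from outside that network regardless of what other policies allow, because in AWS an explicit Deny always overrides an Allow.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCdeReadFromApprovedNetworkWithMfa",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-cde-bucket",
        "arn:aws:s3:::example-cde-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["203.0.113.0/24"]
        },
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        },
        "StringEquals": {
          "aws:PrincipalTag/pci-scope": "cde"
        }
      }
    },
    {
      "Sid": "DenyCdeAccessOutsideApprovedNetwork",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-cde-bucket",
        "arn:aws:s3:::example-cde-bucket/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["203.0.113.0/24"]
        }
      }
    }
  ]
}
```

Two caveats when adapting this: aws:SourceIp is the public IP of the caller, so requests that arrive through a VPC endpoint will not match it and need an aws:SourceVpce or aws:SourceVpc condition instead; and the MFA condition in the Allow statement is only satisfied by credentials obtained after an MFA challenge, so long-term access keys with no MFA step will be refused even from the approved network, which is the intended behaviour for a CDE.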
What are Compliance Requirements for IAM?
Compliance requirements that touch IAM, such as those in PCI DSS, rely on identity management and access management to protect data security and privacy. Managing the IAM lifecycle requires you to set policies that cover user access requests, identity reconciliation, and the review/certify process.
Provision/Deprovision
The provision/deprovision process is the starting point of the IAM lifecycle: granting the appropriate entitlements and access in a timely manner, and revoking access upon job termination or transfer. Most regulations and industry standards set timelines for granting and removing access (PCI DSS, for example, requires that access for terminated users be revoked immediately). As such, IAM policies need to incorporate:
- User Identity Definitions
- User Authentication Methods (such as multi-factor authentication)
- User Access to Resource Locations
- User Access within Resource Locations
- User Access Reviews
Enforcement
After granting permissions, you need to enforce your IAM policy controls, such as authentication and authorization, across Software-as-a-Service (SaaS) applications and Infrastructure-as-a-Service (IaaS)/Platform-as-a-Service (PaaS) environments, while also maintaining compliance with your access management policies. As such, IAM policies need to incorporate:
- Access Management Policies
- Consistent Role-Based, Rule-Based, or Attribute-Based Access Requirements
- Segregation of Duties (SoD) Policies
Review/Certify Process
The review/certify process is how you confirm that your IAM policy rules are still being enforced, but it is often handled by IT administrators or department managers who become inundated with requests as the organization adopts new technologies. As such, IAM policies need to incorporate:
- Who reviews requests
- Who takes over ownership of the process when the current owner leaves or changes roles
- Context for user access needs
Documentation for Audit
At its core, compliance requires documentation. As part of creating identity-based IAM policies, you need to define business-relevant key performance indicators (KPIs) and document your overarching IAM program. As such, IAM policies need to incorporate:
- Business-driven metrics
- Audit process
- Suggested documentation for proving governance