August 22, 2019

Effective Identity and Access Management Policies Protect Data Privacy

Karen Walsh

Effective Identity and Access Management Policies Protect Data Privacy

Almost every day, the news heralds the disaster of another data breach. Meanwhile, organizations struggle to create effective digital transformation strategies while maintaining data privacy. Whether your organization is looking to create a “cloud-first” or “cloud-only” strategy, you need to incorporate Identity and Access Management (IAM) as the foundation of your privacy program. While your cloud service provider (CSP) limits their users’ access to the cloud infrastructure, you need to manage your users’ access to and within the architecture. Creating effective IAM policies protects data privacy by limiting user access to resources and act as a defense against unauthorized access.

What is data privacy?

Data privacy focuses on how organizations collect and share personally identifiable information (PII) and the technologies they incorporate to protect that information from unauthorized access. Additionally, many industries need to comply with data privacy regulations, such as the General Data Protection Regulation (GDPR), and industry standards, such as the Payment Card Industry Data Security Standard. As organizations continue to move data to the cloud, data privacy becomes increasingly difficult. Managing data security in on-premises meant controlling access to hardware the organization owned. However, with the cloud, organizations add additional access points which increase the attack surface.

What makes data privacy difficult in cloud-based infrastructures?

Instead of using company controlled computers, employees use mobile devices and personal laptops so that they can work remotely. Every device connected to your cloud becomes a potential attack vector. Moreover, the data no longer lives on individual hard drives. Cloud-based data access can rely on a device, but even more relies on the way in which the organization defines the user’s identity. Protecting access to PII now relies on creating rules around user data and application access. Unlike traditional on-premises infrastructures which protected data privacy by focusing on user authentication, cloud-based infrastructures rely on authentication as a starting point but must go further than that. Data breach research, such as the 2019 Data Breach Investigations Report, highlight the importance of securing user access, particularly privileged access. The Data Breach Report noted that privilege misuse was the primary internal cause of data breaches and that administrator accounts as a data breach vector increased significantly.

How is identity changing?

Digital transformation also changes the way we define identity. Traditional definitions were human – employees, contractors, or part-time/contingent staff. Digital transformation increases the number of identities that need to be managed. Today, an organization with a modernized IT infrastructure uses robotic process automation (RPA), Internet of Things (IoT) devices, automated functions, service accounts, and other non-human identities. For example, if you use an Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) vendor, you need to make sure that you can control how and why the service account for your operating system or application accesses your infrastructure.

How Identity and Access Management policies promote data privacy

IAM policies protect personal data from unauthorized access by ensuring that the right users have the right access to the right resources at the right time for the right reason. The first step to managing identity and access is to ensure that users are who they say they are. Many organizations use federation and couple it with a single sign-on solution. This process involves creating an identity and then ensuring that the identity uses something they know, such as a password. Best practices suggest multi-factor authentication, which involves each identity using a password as well as either something they have (token, smartphone) or something they are (biometrics, fingerprint, face ID). After the process of authorization, you need to manage the resources within the infrastructure. Within each connected Software-as-a-Service (SaaS) application, you have different data sets. In an ERP environment, you may have payroll, accounts payable, and accounts receivable. These services often incorporate PII such as names, birth dates, bank account numbers, and social security numbers. To protect these assets, you need to use the principle of “least privilege” when granting access. Additionally, you need to maintain segregation of duties (SoD). In other words, the person who access accounts payable should not be able to access accounts receivable. Creating effective IAM policies enables you to limit access to least privilege by creating entitlements or privileges to the resource.

Why Attribute-Based Access Controls (ABAC) enable effective IAM policies

An effective IAM policy incorporates detailed context-aware privileges. Traditional role-based access controls (RBAC) relied on static user identities. Each job function, for example, may have been created as a role. That role would always be allowed to access the same resources. The on-premises infrastructure was limited by the hardware’s capabilities. An on-premises server, for example, has a limited amount of memory and the applications stored on it rarely changed, thus creating static role-based identities. For example, anyone with the role “manager” can always edit data. However, digital transformation lacks that limitation. Organizations use cloud-based infrastructures because they enable need-based scalability. If you need additional storage or expect additional activity, then you can increase your cloud usage for a short period of time. Identity in a modernized infrastructure needs to be dynamic because the infrastructure is dynamic. To meet these evolving needs, you need to create IAM policies that incorporate context, not just role. Attribute-based access controls (ABAC) enable you to create detailed access definitions that link a user’s role to context such as resources, IT environment, or user location. By creating detailed privileges, also called “fine-grained entitlements,” you can create a multi-dimensional access control that goes beyond access to an application and help define the resources within the application that the user can access.

How using automation can ease data privacy burdens

Effective IAM policies are difficult to create, particularly across complex on-premises, hybrid, and cloud ecosystems. As you add more cloud-based infrastructure and applications to your IT infrastructure, you increase the complexity of your IAM policies. Each cloud service and application uses its own, internally defined definition for roles, groups, and other attributes. For example, even the term “user” differs from one service provider to another:

AWS considers the title a human identity
Azure defines it as a person in the Azure Active Directory (AD)
Google Cloud Platform does not use “user” but refers to “Google account” as any user with an email associated with a Google account
Alibaba uses the term “RAM-User” which can be human or service account

Automation enables your organization to simplify the way in which you manage and monitor identity across the ecosystem. With an automated tool, you can decide on an authoritative source for your identity definitions then use analytics to find the commonalities across the ecosystem to create a holistic approach to IAM. Instead of having to monitor each application or cloud-service location separately, you can streamline your processes, reducing human error and operational cost. Automation that can bring together all your monitoring activities into a single location also streamlines your access request/review/certify process. As more users request more access, automation can help manage those requests so that your IT department no longer needs to respond to them individually, again reducing human error risk. Instead of reviewing each request or elevating it, automation does the work for you providing continuous assurance over your least privilege data privacy controls.

Why Saviynt? Assured IAM Compliance-as-a-Service

Saviynt’s intelligent analytics provide customers a holistic approach to managing identity across a complex on-premises, hybrid, or cloud infrastructure. Our platform allows you to choose an authoritative source of identity, either created within the platform or from another application such as human resources, then uses peer- and usage-based analytics to role-mine across the ecosystem. After creating a standardized definition of identity across the ecosystem, our intelligent analytics leverage those definitions to create fine-grained entitlements that protect data privacy. Fine-grained entitlements allow you to limit access to the read/write level, going beyond federation and application access. Our Gartner-recognized Identity Governance and Administration (IGA) platform streamlines the request/review/certify process by providing a self-service platform that leverages our intelligent analytics to grant users necessary access while also preventing potential SOD violations. Our identity management analytics continuously monitor for anomalous access requests and automatically elevate risky ones. Our Cloud PAM solution converges IGA and Privileged Access Management (PAM) to secure your cloud privileged identities. Saviynt’s cloud-native Cloud PAM continuously monitors for real-time risks to identify new workloads, servers, and containers that pose a data privacy risk. Maintaining a strong data privacy program requires a strong IAM program. For more information about how Saviynt can protect your data, contact us today.