Identity and Access Management Domains
image from: https://miro.medium.com/

Identity and Access Management is without a doubt the first and most important function of a secure architecture. Any entity requesting access to IT applications and resources must be properly identified, authenticated and authorized. Unauthorized access to applications and sensitive information is one of the highest risks in any organization, and it violates the least privilege principle.


Many organizations are slowly realizing the need for a dedicated identity and access management function. For those who are at the beginning of the path, this can become a multi-year program with many different components to consider.


A good identity and access management strategy should cover the following domains:

· Access Management: Any transaction on the network must be identified, authenticated and authorized; that is the idea behind access management. Traditionally, many companies have used Microsoft Active Directory as the central directory for access management, but nowadays vendors also provide this as a service. Microsoft, Okta, Auth0, Oracle, and IBM are some examples of vendors providing this service from their cloud environments.

· Identity Lifecycle Management (ILM): User identities should be properly managed from the time a user joins until they leave the company. When a user starts, his or her access requirements need to be identified and provisioned, and when the user leaves, all of those access permissions need to be revoked. In addition, if a user's role changes while working for the company, the permissions need to be adjusted to match his or her new role.

· Identity Governance and Administration (IGA): Users should have access only to what they need, and that is what IGA is all about. Data owners need to review and validate access controls on a regular basis, as well as ensure that basic principles such as segregation of duties are enforced effectively. SailPoint, Saviynt, One Identity, Oracle and IBM are some of the players in the IGA and ILM space.

· Privileged Access Management (PAM): Privileged accounts are one of the top concerns for organizations, and not being able to monitor and control them properly can have severe consequences. Privileged access management solutions help increase the security of privileged accounts and control how they are used. Some of the PAM vendors are CyberArk, BeyondTrust, Thycotic, and Centrify.

· Data Governance: Data protection is obviously the core of any cybersecurity control. Whether we are dealing with structured data (e.g. databases) or unstructured data (e.g. files), there must be proper permissions and access controls in place so that data is accessible only to those who need it. In addition to data access controls, DLP solutions can help with data governance and security.
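The joiner/mover/leaver reconciliation from the ILM domain and the segregation-of-duties review from the IGA domain, as an added Python example that is not part of the original article. The role-to-entitlement model, the SoD rule and the HR feed are constructed sample data, and an account unknown to HR is treated as a leaver.

```python
# Constructed role model (an assumption for this example, not from the article):
# each job role maps to the entitlements a person in that role needs.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp.invoice.create", "erp.vendor.read"},
    "ap_manager": {"erp.invoice.approve", "erp.vendor.read"},
    "hr_analyst": {"hris.employee.read"},
}
# Constructed segregation-of-duties rules: entitlements one person must never hold together.
SOD_RULES = [({"erp.invoice.create", "erp.invoice.approve"}, "create-and-approve-invoice")]

def reconcile(hr_feed, current_access):
    """Joiner/mover/leaver reconciliation: compare the role HR reports for each user
    with what is actually provisioned, and return the grants and revokes needed.
    A role of None, or an account HR does not know about, is treated as a leaver."""
    actions = {}
    for user in sorted(set(hr_feed) | set(current_access)):
        role = hr_feed.get(user)
        have = current_access.get(user, set())
        want = ROLE_ENTITLEMENTS.get(role, set()) if role else set()
        grant, revoke = want - have, have - want
        if grant or revoke:
            actions[user] = {"grant": grant, "revoke": revoke}
    return actions

def apply_actions(current_access, actions):
    """Return the access state after the reconciliation actions are applied."""
    new = {u: set(e) for u, e in current_access.items()}
    for user, a in actions.items():
        new[user] = (new.get(user, set()) | a["grant"]) - a["revoke"]
    return {u: e for u, e in new.items() if e}  # fully deprovisioned accounts disappear

def sod_violations(access):
    """Access-review check: flag users whose entitlements form a forbidden combination."""
    return [(user, name) for user, ents in sorted(access.items())
            for combo, name in SOD_RULES if combo <= ents]

# Constructed sample input: alice joined as a clerk, bob moved from clerk to manager,
# carol left, and dave is an orphan account that HR has no record of.
HR_FEED = {"alice": "ap_clerk", "bob": "ap_manager", "carol": None}
CURRENT_ACCESS = {
    "bob": {"erp.invoice.create", "erp.vendor.read"},
    "carol": {"hris.employee.read"},
    "dave": {"erp.invoice.create", "erp.invoice.approve"},
}
if __name__ == "__main__":
    plan = reconcile(HR_FEED, CURRENT_ACCESS)
    for user, a in plan.items():
        print(user, "grant", sorted(a["grant"]), "revoke", sorted(a["revoke"]))
    print("SoD violations after review:", sod_violations(apply_actions(CURRENT_ACCESS, plan)))
```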

Todd Friedman

Chief Information Security Officer at ResMed

3 years

Nice work Rassoul. Thank you for sharing your knowledge!
