Identity & Access Management (IAM)
Endro SUNARSO, ASIS-CPP®, PMI-PMP®, FSyl, F.ISRM
Highly effective security professional with extensive experience in corporate & physical security operations & management across APAC & ME.
Identity & access management is a critical part of any enterprise security plan, as it is linked to the security & productivity of organizations in our digitally enabled economy. It is a specialty discipline within cybersecurity that ensures only the right people can access the appropriate data & resources, at the right times & for the right reasons. Enterprises use identity management to safeguard their information assets against the rising threats of ransomware, criminal hacking, phishing & other malware attacks.
The typical business user has numerous applications they must access in order to do their jobs. These applications span cloud, mobile & on-premises solutions which hold restricted, confidential & sensitive information. With this increase in applications, many enterprises have turned to identity management to increase productivity while securely enabling access to applications & systems. This is where identity governance is needed to manage who has access to what, who should have access to what & how that access is being used.
Without proper identity & access management solutions, user access controls & login credentials need to be created manually for each user on each individual system. This approach is tedious & prone to delays & keying-in errors.
IAM Systems
IAM systems hold the keys to some of the company’s most valuable assets & critical systems, so the consequences of an IAM system failure are significant. Security professionals are concerned about integrating IAM with legacy systems (50%), moving to the cloud (44%) & employees using unapproved technology (43%).
The core objective of IAM systems is one digital identity per individual. Once that digital identity has been established, it must be maintained, modified & monitored throughout each user’s “access lifecycle.” The overarching goal of identity management is to “grant access to the right enterprise assets to the right users in the right context, from a user’s system onboarding to permission authorizations to the offboarding of that user in a timely fashion.”
A typical IAM system comprises 4 basic elements:
- a directory of the personal data the system uses to define individual users
- a set of tools for adding, modifying & deleting that data
- a system that regulates user access
- an auditing & reporting system
Regulating user access involves a number of authentication methods for verifying the identity of a user, including passwords, digital certificates, tokens & smart cards. Identity management systems now incorporate elements of biometrics, machine learning & artificial intelligence including risk-based authentication. Hardware tokens & credit-card-sized smart cards serve as 1 component in 2FA, which combines something you know with something you have to verify your identity. A smart card carries an embedded integrated circuit chip that can be either a secure microcontroller or equivalent intelligence with internal memory or a memory chip alone. Software tokens can exist on any device with storage capability, from a USB drive to a cell phone.
The components in an IAM system include:
- Provisioning or On-boarding - inbound/outbound provisioning of user accounts. Just-in-Time provisioning is used to create regular & portal users on the fly the 1st time they try to log in. This eliminates the need to create user accounts in advance. Approval workflow manages & tracks all human tasks involved with the approval process & provides a record of the process when completed.
- Accounts Management - privileged accounts management, credential management, users/groups/roles management. In many organizations, users sometimes have more access privileges than necessary. A robust IAM system adds an important layer of protection by ensuring a consistent application of user access rules & policies across an organization.
- Identity Governance - role engineering, identity analytics, role consolidation, identity delegation, segregation of duties, attestation, reporting, self-service, risk management, compliance.
- Identification or Authentication - MFA, adaptive/risk-based authentication. Authentication must be easy for users to perform, it must be easy for IT to deploy & it must be secure. Mobile devices are increasingly being used for user authentication because smartphones can provide a user’s current geolocation, IP address & other information that can be leveraged for authentication purposes. At the user level, user authentication methods help to better protect identities. Mobile phone users are familiar with fingerprints, iris scanning or facial recognition as authentication methods. Biometric identification answers the question “who are you?” The organization captures a biometric from that individual & then searches a biometric repository in an attempt to correctly identify the person. Biometric authentication asks the question “can you prove who you are?” It performs a 1-to-1 match to check whether your biometrics match the identity you claim to be. Most enterprises use biometrics to authenticate users as a second factor. Biometric enrolment & matching are done by a specialized biometric engine which stores biometric templates against the user.
- Access Control or Authorization - dynamic authorization, attributes or roles & policies. De-provisioning access privileges for departing employees can fall through the cracks, especially when done manually, which is often the case. Reporting an employee’s departure from the company & then automatically de-provisioning access across all the apps, services & hardware he or she used requires an automated, comprehensive identity management solution. IAM therefore provides an important element to a defence in depth strategy.
- Identity Federation - single sign on, single logout, session management, attribute sharing.
Well-managed identities mean greater control of user access, which translates to reduced risk of internal & external breaches. Approximately 60% of all data breaches are caused by employees. Of these, 75% were malicious while the remaining 25% were accidental.
Compromised user credentials often serve as an entry point into an organization’s network & its information assets.
The move to MFA
2FA can offer more security; enterprises can mandate employees use a secondary authentication factor such as an SMS messaging system to help confirm their legitimacy before granting access. However, hackers have learned how to spoof those SMS messages & deceive employees into handing over the rest of their credentials.
Some organizations are moving from 2FA to 3FA - something you know, something you have & something you are (facial recognition, iris scanning or fingerprint sensors). Going from 2FA to 3FA provides additional assurance that you are dealing with the correct user.
59% of corporations indicated that data protection was their biggest concern. Only 15% said they were completely confident their organization would not be hacked due to their access control system. Much of that concern stems not from the current IAM technology itself, but with their organization’s ability to implement it well. Practices which were implemented to secure legacy systems do not work with newer technologies.
Confidence & trust in IAM grows when companies gain experience administering the solutions. Organizations are learning that they can actually unify their administration approach, streamline operations, remove much of the workload from IT & place it in the hands of the line-of-business.
Multi Factor Authentication (MFA)
MFA is one of the most important identity management tools because passwords alone cannot secure enterprise IT environments. Hackers have developed numerous methods to crack or steal passwords from employees & privileged users. With the prevalence of data breaches exposing passwords, credential stuffing tactics allow hackers to brute-force their way past password-only authentication systems.
MFA asks for several factors before granting employees or privileged users access to their baseline resources. Hackers cannot brute-force past an MFA system. They have to carefully subvert each factor to penetrate the network. The extra authentication factors in an MFA system include:
- Typing Biometrics - behavioral biometric of Keystroke Dynamics uses the manner & rhythm in which an individual types characters on a keyboard or keypad. The keystroke rhythms of a user are measured to develop a unique biometric template of the user's typing pattern for future authentication.
- Email Verification - the process of verifying an email address is valid & improves the odds that it belongs to a real person.
- Time-based One-Time Password algorithm (TOTP) - an algorithm that computes a one-time password from a shared secret key & the current time. Essentially, both the server & the client compute the time-limited token, then the server checks if the token supplied by the client matches the locally generated token.
- PUSH mobile device notification - a message that pops up on a mobile device. Users do not have to be in the app or using their devices to receive them.
- Universal Second Factor - authentication standard that strengthens & simplifies 2FA using specialized USB or NFC devices.
- Client Certificates - a digital certificate used by client systems to make authenticated requests to a remote server.
- Geolocation - the identification or estimation of the real-world geographic location of an object, such as a radar source, mobile phone, or internet-connected terminal.
- Physical Biometrics - based on a physical trait of an individual such as fingerprints, hand geometry, retinal scans & DNA.
MFA also allows enterprises to enact step-up or granular authentication. This system triggers more authentication requests as the sensitivity of the access requests increase. In this way, enterprises can balance security & user experience.
Third-Party Access Management
Employees & privileged users constitute the majority of logins. However, they do not constitute the only logins. Third parties include vendors, business partners & customers, each with its own identity & permissions within your network. Unless third-party access is carefully monitored, the potential for abuse runs high. These identities may already possess permissions beyond their job duties, or they may acquire these permissions by neglect or accident.
The Principle of Least Privilege
The Principle of Least Privilege states employees should only possess the permissions necessary to perform their job processes. Anything beyond the absolute necessity constitutes a threat to the entire enterprise. This extends even to privileged users.
Secure Lifecycle Management
True identity security begins with the onboarding process, the first part of the user identity lifecycle. Your enterprise’s identity management capabilities should allow you to provision each new identity with the necessary permissions to perform their specific job functions. In this way, the enterprise not only ensures a secure start to the user’s digital identity but also ensures that the employee can begin working as soon as possible.
On the other hand, your lifecycle management should prove capable of quickly removing all permissions from an identity when the employee leaves the enterprise. Deprovisioning must become a top priority - even a slight delay can invite an insider threat in retaliation. Moreover, the IT security team must be capable of adjusting users’ permissions as they change roles within the organization or as special projects arise. These principles also apply to non-human identities & to third-parties.
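The joiner/mover/leaver lifecycle described in the last two paragraphs, the Principle of Least Privilege above it, and the governance items from the component list (role engineering, segregation of duties, attestation, auditing) can be tied together in one small model. The code below is an added example and is not from the original article or any product: a directory that provisions exactly the entitlements an identity’s roles justify, recomputes them on a role change, strips everything at offboarding, keeps an audit trail, and runs a least-privilege review that reports ad-hoc entitlements no role justifies plus segregation-of-duties conflicts. The role catalogue, entitlement names, the SoD rule and the user names are all constructed for illustration.

```python
# Added example: joiner/mover/leaver lifecycle with role-based entitlements,
# an audit trail, and a least-privilege / segregation-of-duties review.
# Role catalogue, entitlement strings and users are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> the entitlements that role justifies (constructed catalogue)
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "erp:post-journal", "mail:user"},
    "finance-manager": {"erp:read", "erp:approve-journal", "mail:user"},
    "helpdesk":        {"itsm:agent", "mail:user"},
    "vendor-support":  {"itsm:agent"},          # third-party identity: no mailbox
}

# Segregation of duties: entitlement sets one identity must never hold together
SOD_CONFLICTS = [
    ({"erp:post-journal", "erp:approve-journal"}, "can post and approve the same journal"),
]


def entitlements_for(roles):
    """Union of the entitlements justified by a set of roles (empty set for no roles)."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))


@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)
    active: bool = True


class Directory:
    def __init__(self):
        self.identities = {}      # user_id -> Identity: one digital identity per person
        self.audit = []           # (utc timestamp, user_id, event)

    def _log(self, user_id, event):
        self.audit.append((datetime.now(timezone.utc).isoformat(), user_id, event))

    def onboard(self, user_id, roles):
        """Joiner: provision exactly what the roles justify, nothing more."""
        if user_id in self.identities:
            raise ValueError(f"{user_id} already has a digital identity")
        ident = Identity(user_id, set(roles), entitlements_for(roles))
        self.identities[user_id] = ident
        self._log(user_id, f"onboard roles={sorted(roles)}")
        return ident

    def change_role(self, user_id, new_roles):
        """Mover: recompute from the new roles so nothing from the old role lingers."""
        ident = self.identities[user_id]
        ident.roles = set(new_roles)
        ident.entitlements = entitlements_for(new_roles)
        self._log(user_id, f"role-change roles={sorted(new_roles)}")

    def grant(self, user_id, entitlement, justification):
        """Ad-hoc grant for a special project; the review below is what catches it later."""
        self.identities[user_id].entitlements.add(entitlement)
        self._log(user_id, f"grant {entitlement}: {justification}")

    def offboard(self, user_id):
        """Leaver: remove every entitlement and disable; keep the record for audit."""
        ident = self.identities[user_id]
        ident.entitlements.clear()
        ident.roles.clear()
        ident.active = False
        self._log(user_id, "offboard")

    def review(self):
        """Attestation report: (user_id, 'excess', entitlement) for anything beyond the
        identity's roles, and (user_id, 'sod', reason) for segregation-of-duties conflicts."""
        findings = []
        for ident in self.identities.values():
            justified = entitlements_for(ident.roles)
            for e in sorted(ident.entitlements - justified):
                findings.append((ident.user_id, "excess", e))
            for pair, reason in SOD_CONFLICTS:
                if pair <= ident.entitlements:
                    findings.append((ident.user_id, "sod", reason))
        return findings


if __name__ == "__main__":
    d = Directory()
    d.onboard("alice", ["finance-analyst"])
    d.change_role("alice", ["finance-manager"])              # mover: posting right removed
    d.grant("alice", "erp:post-journal", "quarter-end cover")  # ad-hoc grant reintroduces it
    for finding in d.review():                               # excess + SoD conflict reported
        print(finding)
    d.offboard("alice")
    print("after offboard:", d.review(), d.identities["alice"].active)
```

The point of deriving entitlements from roles on every change, rather than adding and removing individual rights, is that a mover never carries old-role permissions forward; the review then only has to explain the deliberate exceptions, which is what an attestation campaign asks line managers to confirm.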
--------------------------
Endro Sunarso is an expert in Security Management, Physical Security & Counter Terrorism. He is regularly consulted on matters pertaining to transportation security, off-shore security, critical infrastructure protection, security & threat assessments, & blast mitigation. He is also a Certified Identity & Access Manager (CIAM).
Endro has spent about 2 decades in corporate security (executive protection, crisis management, business continuity, due diligence, counter corporate espionage, etc). He also has more than a decade of experience in Security & Blast Consultancy work, initially in the Gulf Region & later in SE Asia.