Protecting Privilege: Identity and Access Management
Enterprises are not only faced with the existential threat of hackers targeting their businesses but also the challenge of complying with global data protection regulation. While the two are not necessarily synonymous, both are increasingly being addressed through the application of what many are referring to as Identity and Access Management (IAM).
In many respects a framework of business processes made feasible by supporting technologies, IAM enables the necessary management and control of electronic identities within an organisation. The modern IT environment consists of a diverse array of interconnected devices and applications, each with differing relationships and dependencies. Traditionally these were hosted internally. However, many now reside externally to the enterprise itself, in one of the many different guises of the cloud.
The challenge in securing and controlling access to every device, endpoint and application is not an insignificant one. Companies must achieve a rather delicate balance: providing their employees with the access to systems and data required to perform their roles, and absolutely no more than that. Anything short of this risks a system being compromised by rogue employees afforded more access than they should have. This level of precision requires a comprehensive strategy and a corresponding set of processes to be put in place. Understandably, IAM technologies are crucial to the success of any strategy being implemented and policies being enforced. The ecosystem for IAM solutions has evolved significantly in recent years and continues to do so. What started as a landscape of Privileged Access Management (PAM) solutions has now grown in complexity and capability, offering enterprises a platform for more holistic management of identities and access.
It is commonplace within a large organisation for a role-based security model to exist. Role-Based Access Control (RBAC) grants access based on the differing roles that exist within that enterprise. Roles are defined and access permissions granted according to the strict needs of each role. A user is then granted at least one, and often multiple, roles in order to perform their functions within the organisation. Attribute-Based Access Control (ABAC) represents an alternative to RBAC, which instead relies on a user’s attributes to determine their system access. Considered by some to be the ‘next generation’, it comprises context-aware, dynamic access control, with each attribute consisting of a key-value pair. ABAC policies evaluate and grant access based on the attributes assigned to a user. Both RBAC and ABAC have their strengths and their weaknesses. Fortunately, many IAM suites now support both, enabling companies to pursue a hybrid model.
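The hybrid model described above, as an added illustration that is not part of the original article and not any vendor's product code: roles decide which actions a user may ever perform (RBAC), and key-value attributes on the user, the resource and the request context decide whether that permission applies to this particular request (ABAC). The role names, attributes and policy rules are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data (not from any real deployment): role -> permission set.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll:read"},
    "payroll_admin": {"payroll:read", "payroll:write"},
}

@dataclass
class User:
    name: str
    roles: frozenset          # RBAC: a user holds one or more roles
    attrs: dict               # ABAC: key-value attributes, e.g. {"department": "finance"}

@dataclass
class Request:
    action: str               # e.g. "payroll:write"
    resource_attrs: dict      # attributes of the target record
    context: dict             # runtime context, e.g. {"hour": 14, "mfa": True}

def rbac_allows(user, action):
    """Pure RBAC: allow if any role held by the user grants the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)

def abac_allows(user, request):
    """Pure ABAC: evaluate attribute policies; returns (decision, reason)."""
    u, r, c = user.attrs, request.resource_attrs, request.context
    # Policy 1: users may only touch records belonging to their own department.
    if u.get("department") != r.get("department"):
        return False, "department mismatch"
    # Policy 2: write actions additionally require MFA and business hours (09:00-17:00).
    if request.action.endswith(":write"):
        if not c.get("mfa"):
            return False, "write requires MFA"
        if not 9 <= c.get("hour", -1) < 17:
            return False, "write outside business hours"
    return True, "allowed"

def authorize(user, request):
    """Hybrid decision: RBAC gates what a user may do, ABAC gates whether it applies now."""
    if not rbac_allows(user, request.action):
        return False, f"no role grants {request.action}"
    return abac_allows(user, request)

if __name__ == "__main__":
    alice = User("alice", frozenset({"payroll_admin"}), {"department": "finance"})
    req = Request("payroll:write", {"department": "finance"}, {"hour": 14, "mfa": True})
    print(authorize(alice, req))  # (True, 'allowed')
```

Returning a reason alongside the decision is what makes denials auditable: the log records not just that access was refused but which role or attribute rule refused it.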
IAM platforms are now a crucial part of the enterprise armoury, though not all IAM platforms are created equal. In order for an IAM system to be effective it must integrate with the myriad devices and systems that comprise your IT environment; partial coverage is simply not enough. Secure, centralised storage of privileged account credentials is also a key characteristic of an effective IAM system, preferably with the ability to update, synchronise and rotate credentials, either on a planned schedule or on demand. Accountability and auditability are equally important facets of IAM. Session monitoring, whether by keylogging or session recording, provides companies with the ability to audit precisely who did what, where and when. Increasingly, IAM analytics also offer enterprises the ability to spot rogue behaviour in real time rather than retrospectively. Combining IAM tools with helpdesk support and change management systems (often through API integration) further enables tickets to be raised during certain events, to request that privileges be temporarily increased.
While traditional models of managing electronic identities and access are still being pursued by enterprises, it’s clear that IAM platforms are the future. We advise organisations on the development of IAM strategies and the implementation of IAM technologies – which collectively play a key part in realising their cyber-security objectives.