Why Lifecycle and Governance Should Form the Baseline for Your IAM Program
In this article
A robust Identity and Access Management (IAM) program is made up of multiple components, including single sign-on (SSO), multi-factor authentication (MFA), network access control (NAC) and privileged access management (PAM). However, the base component for any IAM program should be lifecycle and governance.
SSO, MFA, NAC and PAM are all wonderful technologies that can enhance your organization's security, but without a solid foundation of lifecycle and governance, those solutions can quickly become unwieldy and difficult to manage. After all, you wouldn't build a house by starting with the windows and doors — you would first build a solid foundation.
Digital identities are the central source of truth for all components of IAM. Lifecycle refers to the policies, processes and technologies for provisioning, modification and de-provisioning of digital identities in an organization.
Governance is responsible for establishing the requirements for identities and assuring their reliability in line with the business objectives and risk landscape of the organization. Together, lifecycle and governance provides a foundation for all other IAM components by defining digital identities and specifying how they must be managed.
IAM governance council
Establishment of an IAM governance council, made up of stakeholders responsible for creating IAM policies for the organization, is often the first step of setting up an IAM program. To be effective, this council must be broad enough to exert authority throughout the organization. It also must be authorized to establish policies that mitigate risk while being highly visible throughout the organization. Simple executive sponsorship may not be enough.
IAM policies and procedures
Clearly documented policies and procedures related to the entire IAM process are necessary to establish a robust IAM program. These policies and procedures should cover every aspect of a user's lifecycle, including Joiner, Mover and Leaver phases.
Joiner: This phase encompasses the onboarding process for new users.
Mover: This phase covers instances in which users move to different departments, gain additional responsibilities, etc.
Leaver: This phase covers when users leave the organization.
Such policies affect each of the other four components of IAM. They define requirements for authentication and authorization, including privileged authentication throughout the enterprise. They embody the organization's risk tolerance in the application of NAC and encryption. As such, lifecycle and governance is a critical starting point for the development of a comprehensive IAM program.
Role-based access control
The next step is to define role-based access control (RBAC). At its core, RBAC lets employees have access rights only to the information they need in order to perform their jobs. All other access is prevented. This security principle is known as the principle of "least privilege."
RBAC consists of a list of roles that are typically tied to a user's HR title. These roles correlate directly to a list of applications and application-specific roles, which clearly defines the level of access that each user should have across the organization.
A user can be assigned one or more roles. In fact, it is best to create fewer, more generalized roles rather than hundreds of specific roles, as this provides for easier management. For example, a basic user role could be created that includes the access needed by every employee, such as e-mail and a general file share. Another role could be "finance admin." This role would have read and write access to the finance share, as well as admin-level access to a finance database. A "finance user" role might have only read access to the finance share and database.
RBAC is key to reducing overhead and streamlining process. RBAC allows you to set up a user's access via a single access request consisting of a list of roles, rather than tens or hundreds of access requests consisting of granular access levels across the organization. A documented exception process can be used in instances where a user needs access that exceeds pre-defined roles.
One final benefit of RBAC is that it greatly enhances the ease and ability to perform audits of user access, as a mature set of RBAC roles provides a clear baseline from which to perform audits.
Audit policies and procedures
Periodic audits of user access should be performed in all organizations. Audits help identify users with inappropriate access, terminated users that no longer require access and instances in which users have access which violates segregation of duties (e.g., a user that can both edit and approve payroll information). User access audits a requirement of regulations and standards such as SOX, HIPAA and PCI-DSS.
Lifecycle and governance solutions help enable and enforce the policies and requirements defined by the IAM governance council. These solutions correlate the "who" and the "what" for Identity & Access Management. They are responsible for ingesting identity information (the "who") from an initial source, such as an HR platform, and then ingesting entitlement information from various applications and sources of truth (i.e., "what" access is available to each account).
Lifecycle and governance platforms then perform relationship matching and role mining to build a "profile" for each user. These solutions are the central source of truth for identity, provisioning and de-provisioning, access governance, role-based access and the source which updates the primary network authentication identity source.
User access audits and reviews can be performed directly within lifecycle and governance solutions, levering the data that has been gathered when building user profiles. These solutions can be configured to perform automatic access reviews on a periodic basis and send alerts when inappropriate access has been granted to a user.
These products can also help automate the user provisioning and de-provisioning process. Once a user is added in a company's HR system, the lifecycle and governance solution can be configured automatically create the necessary accounts and roles on all systems that user requires access to, based purely on their RBAC roles.
Modern lifecycle and governance solutions provide full visibility to user access across all applications and services, both on-prem and off-prem. They also provide advanced risk-based analytics which combine business context with entitlement data to identify anomalies in user access permissions.
As stated early on, a robust lifecycle and governance program and modern solution form the baseline for all other Identity and Access Management functions. It's quite difficult to configure a privileged access management product if you haven't first established clear user roles based on the principle of least privilege (RBAC). This is also true for single sign-on and network access control.
Without proper the foundational building blocks of a solid lifecycle and governance program, it quickly becomes an administrative nightmare to configure, manage and maintain the more alluring IAM technologies like PAM, SSO and NAC.
You don't have to be a new organization to develop a lifecycle and governance program. Many mature organizations are afraid to return to the foundational level as they have a huge sprawl of disparate users, applications and roles to try and sort out.
WWT recommends starting with a single application. Build out lifecycle and governance processes and procedures for that one application, along with all corresponding user roles. Use the knowledge from this effort to then expand into the other applications in your organization.
Building a modern, mature Identity and Access Management program is a difficult and often daunting task, but WWT has the expertise to help you navigate this process. We can help you build a solid foundation to work from, without first boiling the ocean. If you would like to learn more about our approach, schedule an Identity and Access Management Workshop or feel free to connect with me directly.