The acronym IAM stands for Identity and Access Management.
Identity and Access Management is a set of processes set up by the IT department to manage the authorizations of users (who may be employees, service providers, temporary workers, etc.) in order to regulate access to the network and cloud computing applications.
This article covers four main points.
What is identity access management?
With the explosion in recent years of the number of software applications used in companies and the accelerating mobility of employees, identity and access management is more necessary than ever in a company.
IAM can be summarized as a process for adapting the access rights or authorizations of corporate users according to their role or hierarchical responsibility.
You certainly already have identity and access management in your company, even if you are not familiar with the acronym IAM. When an employee joins your company, you create their accounts in the various applications with the correct rights. This account creation step is always carried out because it is the one step the “business” operation of the company cannot do without: the employee needs tools to work, so the manager or the new employee requests these tools from the IT department.
A little more than 10 years ago, it was simply necessary to create the new employee’s Active Directory account as well as his or her mailbox. The next step in the onboarding process was mainly the preparation of the new employee’s workstation (desktop or laptop) to install and configure the various software.
Nowadays, the workstation is only a terminal for displaying tools and everything has been implemented by the CTO so that the workstation requires little maintenance or configuration: setting up GPOs for automatic deployment of software on the workstations, setting up VDI (Virtual Desktop Infrastructure) workstations, making thin clients available, using RDS servers for the Remote Desktop, etc…
The CTO is therefore more focused on uses rather than on tools: Cloud services are multiplying and the “business” departments are naturally lobbying to have different business tools, which are thus multiplying within the company.
For a new employee, several dozen accesses to different business tools must be created on arrival: access to files, mailboxes, instant messaging, CRM, reporting tools, corporate intranet, expense report management tools, etc.
These account creations when an employee arrives are often painful but eventually happen. Several rounds of back-and-forth between the manager, HR and the IT department are sometimes necessary before the new employee has access to the software they need.
But this “onboarding” part of IAM is only the tip of the iceberg, because Identity Management has 4 main steering points:
- Arrival Management: when a new employee arrives.
This step is usually performed… but not necessarily correctly. The accounts get opened, but often painfully. The manager finds himself tossed between HR and IT, the former not having informed the latter, and the latter not always quick to create accesses. These back-and-forth trips often create friction between managers and the IT department.
- Departure management: when an employee leaves the company.
This is the most painful point. No one “needs” to close the accounts of a user who has left, no one is comfortable with suspending accounts: “Shouldn’t we wait?”, “Maybe we can leave them open, just long enough to take over the files?”.
And who is in charge of that step? The CTO is only rarely informed of the departure of a collaborator, and must therefore make do with whatever means are available to properly close the accounts of the user who has left.
Since the processes are not always followed, the CTO has been obliged to set up an “account review” at regular intervals: this involves going through the list of accounts and comparing them with the “active” staff provided by HR at a given time.
This “inventory” is often done manually using Excel files that one tries to merge together. It is relatively cumbersome and is only done on an annual or biannual basis.
- Movement Management: when an employee benefits from internal mobility
In this step there are 2 points: when a user changes position, he benefits from new applications and new rights that correspond to his new function, but he also “loses” access to the software and rights of his old position. While the first point is generally carried out correctly (as for the arrival of a new collaborator), the second point is carried out very rarely because it is complicated: it is not a question of suspending an account but of modifying the rights, the perimeter of access. For example, a sales representative who changes sectors should no longer have access to prospects or customers in their former sector.
- Reconciliation: consistency analysis of active accesses
This step has no trigger like the arrival or departure of an employee. It is the maintenance of the “usernames inventory” of each user to be able to follow up on the previous points. Above all, however, it is a crucial point in identity management to monitor all access accounts and ensure that they each have a valid reason for existence (the main reason being that they are used by this or that user). In an ideal world, the identifiers correspond exactly to the users, but there are “system” accounts, shared accounts, accounts created for testing, temporary accounts, etc…
These usernames must be inventoried and clearly identified in an identity and access management system.
It is thanks to these 4 points that define IAM that the company, and more particularly its IT department, will control and secure the digital identity of its employees by managing access rights to resources such as applications, software, files, and others. It will be able to follow the employee from his arrival to his departure including all progression within the company, as well as additions, modifications and deletions of his access rights.
Thus, IT and, more broadly speaking, companies are able to meet security and compliance standards, achieve better software management, a major reduction in security loopholes and an effective fight against shadow IT.
As for human resources, they have a better approach to the employee through a successful onboarding that provides all the resources they need when they arrive, a progression of their career and a controlled offboarding.
The management of computer access follows the AAA model of computer security. This rather barbaric term refers to the IT triad which is:
Authentication: manage user authentication and identity management. This can be formalized by the question: “does the user have a contractual relationship with the company?” This contractual relationship can be in the form of an employment contract but also a contract for the provision of services, subcontracting, temporary work…
Authorization: verify the legitimacy of this user to use a specific resource with this level of authorization.
Audit/traceability: audit and follow up all the events around this identity. The user was perfectly identified and controlled so it is possible to know his or her use of the resources. Everything is registered, therefore auditable.
Why do you need to implement solutions to manage the IAM?
Short answer: to finally find out who has access to what.
The 2 following questions seem harmless but they generally make CTOs uncomfortable because it is very difficult to answer them at a given time:
- Do you know all the resources your collaborators have access to?
- Do you know whether each employee’s access to resources is justified by his or her level of responsibility? Is the access appropriate for what they intend to do with it? For his or her hierarchical level?
Generally speaking, employees have access to a large number of tools: files, applications, systems, cloud services, network, database, work phone, virtual platform… This inevitably introduces a higher risk of fraud and attack on the company network, as the alarming cyber attack figures show. What can we do about it? Lock down your company’s resources to a short official list? That would simply be counterproductive. We can see it today: uses are changing, changes in behavior such as teleworking prove it, and the company must adapt to new uses, especially those driven by the cloud.
Concretely, the evolution of these uses accelerates and multiplies the requests for changes to access on the various software, cloud platforms, etc., which makes the follow-up of these various accesses exponentially more complicated.
In order to successfully carry out identity monitoring missions, the IT department must deploy best practices, monitoring, reporting and control tools that are very time-consuming on a daily basis.
There is, therefore a strong need for automation. In this respect, the IAM will considerably help the IT department by setting up workflows with the delegation of validations by the business lines.
An IAM software must be a tool managed by IT but used by managers and the HR department.
IT departments are often reluctant to delegate part of their job to operational staff: IT departments do not want managers to manage account creation for their teams themselves. But consider the following analogy: in the same way that it would be counterproductive to call your electrician every time you want to turn on the light in your home, the IT department should not be asked to create accounts or change rights. On the other hand, the CTO must provide the switch, i.e. a system, a software that allows the operational staff to be autonomous on the operations that concern their teams.
The challenges of IAM are also focused on controlling users’ computer access and identity. In this way, we can finally “reconcile” (in accounting we speak of “reconciliation”) the user profiles of the Active Directory with the company’s employees.
In this way it is possible to associate the type of position occupied with certain software. Management of access rights to applications is set up, which allows access to be allocated according to the level of responsibility. One of the major questions raised during an audit is whether access to sensitive company data by external people such as service providers is controlled; with this in place, the answer is yes.
Each manager has the possibility to manage application access and each access to a platform is monitored, so we control the software connections.
Be careful not to confuse IAM and SSO: many CTOs believe that it is possible to solve the identity management problem by implementing Single Sign On for all applications. The initial objective is to have a single point of user management (for example Azure Active Directory, GSuite or Okta) and to attach other applications to it so that they can rely on the identity provider for authentication.
This practice, rather fashionable, has 4 major drawbacks:
- The security risk linked to authentication relies on a central point which is the identity provider which becomes a point of vulnerability.
- The SSO brings comfort for the user who has only one password to manage, yet this password also becomes a point of vulnerability because it gives access to everything.
- SSO does not (yet) allow the management of authorization levels on the different software attached to it. This management must be done on each software, which decreases the interest of using a central directory if then the adjustments must be done in a unitary way on each account of each software.
- SSO currently only covers compatible software. The most important software can be integrated (Office 365, Salesforce, Gsuite…) but not the dozens or hundreds of other business applications used in the company. The “Single” of the acronym “Single Sign On” is therefore just wishful thinking.
In short, for the CTO, it is necessary to bring flexibility to a business model that constantly demands it while managing tools such as the cloud and SaaS that are the most complex to secure. Of course, IAM is not a magic wand, and nothing will replace exchanges with the different entities to discuss application needs and share best practices in IT security.
In concrete terms, how is identity management implemented?
To set up an identity management system, you need to follow these 4 steps:
1. User directory
It is a matter of building a list of people who have a contractual relationship with the company, which is generally a prerequisite for opening an account in an application.
In this directory, it is obviously necessary to enter the employees, but also the other users (temporary workers, service providers, freelancers…).
This directory must only include “physical” persons, and no generic names because it is a question of identifying the holder of the accounts that will be assigned to him.
What is very important is to keep this directory up to date: connecting to an HRIS is obviously comfortable because it allows you to have a list of employees with their arrival and departure dates, their manager, etc., in almost real time.
But you can also add several data sources: CSV files that are updated and sent by the business departments, etc.
Some IAM tools even go so far as to detect names and surnames directly on the software and thus alert you or suggest users that you have forgotten in your directory. This makes it easier for you to control users that have been created “out of system”.
2. Software and accounts directory
This directory is an inventory of all the software you want to supervise. It is sometimes also possible to add in this directory access equipment such as security badges, keys etc…
It is necessary, as for the user directory, that the inventory of the existing accounts on each software is done automatically and regularly.
To list software, rely on the architecture of the systems you know, but this list must also be scalable: as soon as a new software enters the CTO’s radar, it must be added (manually or automatically) to the list. User awareness is important so that they report new software to the CTO and thus avoid shadow IT.
3. Reconcile the 2 directories
The 2 directories previously established and maintained must be “reconciled”. It is a matter of attaching each account, which by default is “orphaned”, to one or more users. The first reconciliation can be done manually (this operation is tedious but is possible) or automatically with intelligent automatic association systems. Thereafter, it is according to the account creation requests that the linkage will be done automatically if you use an IAM tool to generate the account creations.
4. Define the strategy for allocating accounts and rights
This strategy must be done in collaboration with the business departments and even the managers themselves, because they are the ones who must be made aware: they must adapt the rights to the strict necessity of their employees and not define all users in “admin” profile on their business software under the pretext that “it works very well like that”.
It is impossible to set up a strategy worthy of the name for all software. On the one hand because the list of software evolves every day, and on the other hand because it is unreasonable to set up a strategy for software that has only 2 accounts and belongs to the “long tail” of the list of software used.
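The four steps above, together with the “account review” and the mover case described earlier, can be reduced to a small reconciliation routine. The following is an added example, not code from the article or from any IAM product: it loads a constructed HR export (the user directory), a constructed account inventory from two applications (the software and accounts directory), attaches each account to a holder by e-mail and then by display name (the automatic association mentioned in step 3), and checks the result against a role-based allocation policy (step 4). The applications, roles, people and CSV layouts are all hypothetical. It also computes the rights to grant and to revoke when a user changes position, which is the movement-management case that is so often left undone.

```python
"""Added example (not from the article): a minimal account review that
reconciles an HR user directory with software account inventories and a
role-based allocation policy. All names, applications and data are
constructed for illustration."""
import csv
import io
from datetime import date

# Constructed HRIS export: one row per physical person, with end_date set
# when the contract has ended (hypothetical format).
HR_CSV = """employee_id,first_name,last_name,email,role,end_date
1001,Alice,Martin,alice.martin@example.com,sales,
1002,Bob,Durand,bob.durand@example.com,finance,2024-01-31
1003,Carol,Nguyen,carol.nguyen@example.com,it_admin,
"""

# Constructed account inventory pulled from two applications
# (hypothetical export format: application, username, display name, profile).
ACCOUNTS_CSV = """application,username,display_name,profile
crm,alice.martin@example.com,Alice Martin,user
crm,bob.durand@example.com,Bob Durand,admin
crm,svc-reporting,Reporting Service,admin
expenses,amartin,Alice Martin,admin
expenses,carol.nguyen@example.com,Carol Nguyen,admin
"""

# Allocation strategy agreed with the business departments: the profiles a
# role may hold in each application (hypothetical roles and applications).
POLICY = {
    "sales": {"crm": {"user"}, "expenses": {"user"}},
    "finance": {"crm": {"user"}, "expenses": {"admin"}},
    "it_admin": {"crm": {"admin"}, "expenses": {"admin"}},
}


def load_rows(text):
    """Parse a CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def normalize_name(name):
    """Lower-case and keep only letters so 'Alice Martin' and 'alice-martin'
    compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalpha())


def match_account(account, users):
    """Attach an account to a user: exact e-mail match first, then a match
    on the display name (the automatic association the article mentions)."""
    username = account["username"].lower()
    for user in users:
        if username == user["email"].lower():
            return user
    wanted = normalize_name(account["display_name"])
    for user in users:
        if normalize_name(user["first_name"] + user["last_name"]) == wanted:
            return user
    return None


def is_active(user, today):
    """A user is active while the HR end_date is empty or not yet past."""
    end = user["end_date"]
    return not end or date.fromisoformat(end) >= today


def reconcile(users, accounts, today):
    """Return (account, finding, detail) for every account that needs action."""
    findings = []
    for acc in accounts:
        key = f'{acc["application"]}:{acc["username"]}'
        owner = match_account(acc, users)
        if owner is None:
            findings.append((key, "orphan",
                             "no holder in the user directory: inventory it as a "
                             "system/shared account or remove it"))
        elif not is_active(owner, today):
            findings.append((key, "departed",
                             f'holder {owner["employee_id"]} left on {owner["end_date"]}'))
        else:
            allowed = POLICY.get(owner["role"], {}).get(acc["application"], set())
            if acc["profile"] not in allowed:
                findings.append((key, "excess_rights",
                                 f'profile {acc["profile"]} not allowed for role {owner["role"]}'))
    return findings


def mover_delta(old_role, new_role):
    """Rights to grant and to revoke when a user changes position."""
    old, new = POLICY.get(old_role, {}), POLICY.get(new_role, {})
    grant, revoke = {}, {}
    for app in set(old) | set(new):
        added = new.get(app, set()) - old.get(app, set())
        removed = old.get(app, set()) - new.get(app, set())
        if added:
            grant[app] = added
        if removed:
            revoke[app] = removed
    return grant, revoke


def run_review(today_iso="2024-03-01"):
    """Run the review as of a given date (ISO string) and return the findings."""
    users = load_rows(HR_CSV)
    accounts = load_rows(ACCOUNTS_CSV)
    return reconcile(users, accounts, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for key, kind, detail in run_review():
        print(f"{kind:14} {key:32} {detail}")
    print("sales -> finance:", mover_delta("sales", "finance"))
```

Run as of 2024-03-01, the review flags Bob’s CRM account (holder left on 2024-01-31), the `svc-reporting` account (no holder: a system account to inventory explicitly), and Alice’s `amartin` expenses account (admin profile not allowed for the sales role). Note that the last one is only caught because the display name was matched back to the directory; an exact-e-mail-only reconciliation would have reported it as a harmless orphan instead.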
Finally, here are some important points to remember:
It is fundamental to see the use of the IAM as a whole, there is the management:
- of arrivals well known to all,
- departures much less pleasant but very important in terms of safety,
- movements, the follow-up of the employee in his professional career, which is currently difficult to deal with,
- reconciliations between user accounts and access to an application.
Then it is necessary to respect the implementation steps:
- A directory of users that you can have through a link with HR.
- A directory of software and accounts
- Making a link between the two directories is an important step that allows having a good vision on the internal security of IT.
- Define your identity and access management!