A New Approach to Identity and Access Management
By Christian Aboujaoude, Sr. Director of Enterprise Architecture, Scripps Health
As the internet continues to evolve, it is becoming increasingly difficult to maintain control of all the elements that identify who we are as users. With the proliferation of mobile smart devices and consumer online services, a single individual now holds well over two dozen internet-based accounts. That many accounts pushes the average user to recycle credentials across their personal and professional lives. The risk to enterprises is apparent: once a password leaks from one site, it is replayed against every other account that shares it (credential stuffing), leading to security breaches and financial harm.
Many organizations provision new accounts and access based on the current needs of the employee. This traditionally begins with human resources, through the onboarding process, and ends with a provisioning action that is typically managed by the IT department. As the employee moves from one position to another, access is granted to new areas and applications, but access granted in past positions is rarely reconciled or reviewed as job titles change. The common symptom is an identity that has been established whose access was never truly managed; it was simply granted, and it accumulated. Every stale entitlement enlarges the damage an attacker can do if that user's credentials are compromised.
Organizations are increasingly aware of this threat and concerned about the impact on finances and reputation. Before they can address it, however, they must first understand what identity and access management is. Identity and access must be decoupled, governed separately, and no longer controlled solely by a username and password. Access should be provisioned from a predefined set of job expectations. This takes Role Based Access Control (RBAC) a step further: workflow becomes the catalyst for the level of access an individual requires, and access is granted only when it is needed. The result is identities that are tightly controlled and access that is tied to a functional purpose.

Tradition would suggest that the username and password are the defining elements of an identity. The problem with that logic is that this basic authentication method is compromised on a regular basis through simple social engineering attacks and data breaches. A layered approach should be used to ensure that the credentials authenticating to your resources are being presented by the appropriate individual, and a variety of security technologies can help. Geolocation services can establish trusted and untrusted boundaries, governed by building location, network, country of origin, or a combination of these. Those boundaries can then drive a multi-factor policy, with the number of required factors depending on where the user is connecting from. 802.1X port authentication adds a device-level check, ensuring that only the appropriate devices are connected to the proper networks. Location and network position are risk signals that raise or lower the bar; they are not themselves proof of identity, so a trusted zone should reduce friction, never remove authentication altogether.
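The location-based step-up policy described above, as an added example that is not part of the original article. It decides how many factors a login must present from the source address and from whether the client passed 802.1X on its port. The network ranges, the IP-to-country table and the addresses are constructed sample data standing in for a real IPAM or geolocation service.

```python
"""Location-aware step-up authentication policy (added example).

Network ranges, the country lookup table and the IP addresses below are
constructed sample data, not Scripps Health's real boundaries.
"""
import ipaddress
from dataclasses import dataclass

# Governed boundaries: a building network and the corporate VPN pool.
TRUSTED_NETWORKS = {
    "hq-building": ipaddress.ip_network("10.10.0.0/16"),
    "corp-vpn": ipaddress.ip_network("10.20.0.0/16"),
}
# Countries from which remote logins are accepted at all.
ALLOWED_COUNTRIES = {"US"}
# Stand-in for a geolocation lookup, keyed on documentation prefixes.
SAMPLE_GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}


@dataclass(frozen=True)
class Decision:
    zone: str        # matched trusted boundary, or "untrusted"
    factors: tuple   # factors the user must present, in order
    allowed: bool    # False means the login is refused outright


def zone_for(ip):
    """Name of the trusted boundary containing ip, else 'untrusted'."""
    for name, net in TRUSTED_NETWORKS.items():
        if ip in net:
            return name
    return "untrusted"


def country_for(ip):
    """Country code from the sample table, or None if the origin is unknown."""
    for net, cc in SAMPLE_GEOIP.items():
        if ip in net:
            return cc
    return None


def decide(source_ip, device_authenticated=False):
    """Required factors for a login.

    device_authenticated: the client passed 802.1X on the port it is using.
    """
    ip = ipaddress.ip_address(source_ip)
    zone = zone_for(ip)
    if zone != "untrusted":
        if device_authenticated:
            # Known building network and a known device: password alone.
            return Decision(zone, ("password",), True)
        # Inside the boundary but an unknown device (guest port, rogue laptop):
        # the network alone does not vouch for the user.
        return Decision(zone, ("password", "totp"), True)
    country = country_for(ip)
    if country not in ALLOWED_COUNTRIES:
        # Unknown or disallowed origin: no number of factors makes this OK.
        return Decision(zone, (), False)
    return Decision(zone, ("password", "totp"), True)


if __name__ == "__main__":
    for ip, dev in [("10.10.5.7", True), ("10.10.5.7", False),
                    ("203.0.113.9", False), ("198.51.100.4", False)]:
        print(ip, dev, decide(ip, dev))
```

The trusted boundaries are checked before the country lookup, so a VPN address never falls through to geolocation; a private address that matches no boundary is treated as an unknown origin and refused, which is the safe default when the location signal is missing.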
As previously mentioned, access needs to be not only provisioned but managed. Managing begins with building a robust RBAC model. This foundational step lets you provision the required access based on the functional purpose of the individual, and as the person changes positions, their access is adjusted automatically: the entitlements of the new role are added and those of the old role are removed. Once RBAC has been established, auto-provisioning can be implemented. Most large organizations use an enterprise resource planning (ERP) or HR system to manage their employee population. An access management system can be configured to receive a feed from that system (hire, transfer, termination) and adjust the user's permissions accordingly. Elevated access can be removed from the person's identity entirely and brokered through a privileged access management (PAM) system. Rather than granting elevated access directly to the individual, PAM holds the privileged credential and proxies the connection to the resource, so the user typically never sees the privileged password. Depending on the PAM solution, the session can be recorded and stored for later review or validation.
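The RBAC reconciliation loop described above, as an added example that is not code from the article. Given one record from the HR/ERP feed and the entitlements an account currently holds, it computes what to grant and what to revoke, routes elevated entitlements to PAM instead of the account, and flags anything a human must review. The role model, the `pam:` naming convention, the entitlement names and the feed records are all constructed for illustration.

```python
"""RBAC reconciliation driven by an HR/ERP feed (added example).

The role model, the "pam:" prefix convention and the feed records are
constructed sample data, not a real role catalogue.
"""
from dataclasses import dataclass, field

PAM_PREFIX = "pam:"  # entitlements with this prefix are brokered by PAM

# Job code -> entitlements implied by that role.
ROLES = {
    "FIN-ANALYST": {"email", "erp:reports"},
    "IT-HELPDESK": {"email", "ticketing", "pam:workstation-admin"},
    "IT-SYSADMIN": {"email", "ticketing", "pam:domain-admin"},
}


@dataclass
class Plan:
    grant: set = field(default_factory=set)      # direct entitlements to add
    revoke: set = field(default_factory=set)     # direct entitlements to remove
    pam_roles: set = field(default_factory=set)  # elevated roles to assign in PAM
    findings: list = field(default_factory=list)  # items for human review


def desired_entitlements(job_code, status):
    """Entitlements the role implies; nothing if the person is not active."""
    if status != "active":
        return set()
    return set(ROLES.get(job_code, ()))


def reconcile(feed_record, current_grants):
    """Diff the role-derived access against what the account holds today."""
    plan = Plan()
    job, status = feed_record["job_code"], feed_record["status"]
    desired = desired_entitlements(job, status)
    if status == "active" and job not in ROLES:
        # An unmodelled role gets nothing by default; someone must model it.
        plan.findings.append(f"unknown job code {job}: nothing granted, review")

    # Elevated access goes to PAM, never onto the user's own account.
    plan.pam_roles = {e for e in desired if e.startswith(PAM_PREFIX)}
    direct_desired = desired - plan.pam_roles

    current = set(current_grants)
    for e in sorted(e for e in current if e.startswith(PAM_PREFIX)):
        plan.findings.append(f"elevated entitlement {e} held directly; move to PAM")

    plan.grant = direct_desired - current
    # Revoking everything not implied by the current role is what removes the
    # leftovers from previous positions (and any directly held pam: access).
    plan.revoke = current - direct_desired
    return plan


if __name__ == "__main__":
    # Constructed feed: an analyst who transferred to the helpdesk and whose
    # old reporting access was never cleaned up.
    record = {"employee_id": "E1001", "job_code": "IT-HELPDESK", "status": "active"}
    held = {"email", "erp:reports", "pam:domain-admin"}
    print(reconcile(record, held))
```

A termination record yields an empty desired set, so the same diff revokes every direct entitlement and assigns no PAM roles; no special leaver path is needed.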
The ideas presented in this article are easy to discuss but difficult to implement. They first require the support of the organization. Multiple departments have to work collaboratively on processes and workflows. Information Services has to build new skill sets to support the effort. Multiple communications have to go out to the general population. All of this must happen because security inevitably sacrifices some convenience. Users must understand that while they may simply authenticate with a password while working in a trusted, low-security building, they will need a second factor from an untrusted environment. The IT professional accustomed to unfettered access with a single account must understand the security risks and the reason for PAM.
Traditional identity and access management is no longer a manageable approach to allowing the enterprise user to exist both within the walls of the enterprise and on the social networks that consume much of our interactions these days. It is time to start looking at identity in ways that complement our daily lives rather than impose unmanageable barriers.
While this type of approach is not easy to implement, the benefits are immeasurable.