For this week’s Discussion, consider that you want senior management to support a new Access Management program at your organization. While this may involve technology-based solutions, your budget may be limited and it is therefore essential that senior management provide support and encourage efficient use of the resources that the organization already has.
- Why is access management critical to today’s enterprise?
- What benefits does an enterprise gain from proper access management?
Kelly Sharadin says
Access management is critical to today’s enterprises for several reasons, such as compliance but most importantly, because it serves as a preventative and a detective security control against cyber-attacks. Access management as a preventative control is achieved through role-based access control where users are granted the minimum level of access required to complete their job duties and nothing in excess, allowing organizations to prevent unnecessary information disclosure. As a detective control, access management can alert security personnel when an individual is accessing resources they shouldn’t or if a foreign identity that cannot be accounted for within the system adds themselves to privileged groups such as domain admin. The security operations team should immediately action these high-fidelity alerts and investigate unauthorized access. Access control as a preventative control is built from solid policies and security architecture and can be achieved with a limited security budget. Access control as a detective control requires an organization to have a more mature security program but alerting can be leveraged from pre-existing identity management tools. In short, enterprises gain a robust security foundation by implementing access management.
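The detective control described in this post, watching for an unaccounted-for identity adding itself to a privileged group, as an added example that is not part of the original thread. The events are constructed to mimic Windows Security member-added-to-group entries (IDs 4728, 4732 and 4756 are the real event IDs); the privileged group names and the known-administrator list are assumptions.

```python
"""Flag additions to privileged directory groups from constructed security events."""
from dataclasses import dataclass
from typing import Optional

MEMBER_ADDED_EVENTS = {4728, 4732, 4756}  # global, local, universal security group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Identities expected to change privileged group membership (assumed for this example).
KNOWN_ADMINS = {"svc-iam", "jdoe-admin"}

@dataclass
class Alert:
    severity: str
    actor: str
    member: str
    group: str
    reason: str

def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert for a privileged-group addition, or None if nothing to flag."""
    if event["EventID"] not in MEMBER_ADDED_EVENTS:
        return None
    group = event["TargetUserName"]          # the group that was modified
    if group not in PRIVILEGED_GROUPS:
        return None
    actor = event["SubjectUserName"]          # who performed the change
    member = event["MemberName"].split(",")[0].removeprefix("CN=")  # who was added
    if actor not in KNOWN_ADMINS:
        sev, reason = "critical", "privileged group changed by unrecognised identity"
    elif member.lower() == actor.lower():
        sev, reason = "high", "administrator added own account to privileged group"
    else:
        sev, reason = "medium", "privileged group membership changed"
    return Alert(sev, actor, member, group, reason)

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "svc-iam",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "SubjectUserName": "bjones",
     "MemberName": "CN=bjones,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4732, "SubjectUserName": "svc-iam",
     "MemberName": "CN=tlee,OU=Users,DC=corp,DC=example", "TargetUserName": "Sales"},
    {"EventID": 4756, "SubjectUserName": "jdoe-admin",
     "MemberName": "CN=jdoe-admin,OU=Users,DC=corp,DC=example", "TargetUserName": "Enterprise Admins"},
]

def triage(events):
    """Run every event through evaluate() and keep only the alerts, in input order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]
```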
Anthony Wong says
Kelly,
I agree that a strong identity and access management program creates an enhanced security for the entire enterprise. Great job highlighting the different types of controls within access management.
Kyuande Johnson says
Great Points Kelly,
Ensuring that users have the minimum amount of access possible is essential. This greatly reduces the attack surface and reduces the impact of malicious insiders. Keep in mind that sometimes there are going to be situations where users may need additional access to system resources or access to sensitive material. It’s imperative for systems administrators to continuously monitor users’ rights to ensure that users have the proper access. Once the user no longer needs access to that particular group of information, the systems administrator should revoke that additional unneeded access. There should also be an approval process for users seeking additional access to system resources. Doing so ensures that the user is requesting access to the appropriate information along with the manager’s approval. It also places accountability on the user and the manager.
Kelly Sharadin says
Hi Kyuande,
Completely agree, many organizations overlook revoking permissions once an employee has been terminated. I actually presented this concept as a table exercise for a client because I believe it is so overlooked. Reminds me of this wild story of a disgruntled HR employee who went on a warpath after being fired.
https://www.msn.com/en-us/news/crime/disgruntled-hr-executive-trashed-personnel-files-and-deleted-17000-resumes-after-being-fired-e2-80-94-now-faces-up-to-15-years-in-prison/ar-AANrXx4
Shubham Patil says
Kelly,
Access control surely does give an enterprise a robust security foundation, but broken access control is one of the common vulnerabilities mentioned in the OWASP Top 10. Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user’s limits.
Kelly Sharadin says
Nice callout with OWASP Top 10, really demonstrates how valuable identities are to attackers and how organizations really need to prioritize detection for abuse.
Mitchell Dulaney says
Hi Kelly, I hadn’t considered access management within the context of the different control types. It’s interesting that it is often thought of as a preventive control, but when audit logs are properly configured and used appropriately, it can be a powerful tool to detect intrusion attempts.
Anthony Wong says
Access management is one of the primary methods of protecting the enterprise and its data. Access management controls users’ access into a corporate network and determines what resources that user is authorized to read/write. Additionally, access management controls should have the ability to audit and keep track of what the user is doing. Within an identity and access management program, the principle of least privilege should be utilized to adequately protect data, which will help enable a zero trust architecture model. With proper access management, enhanced security is gained to prevent unauthorized disclosure of data and meet compliance requirements for highly regulated industries.
Shubham Patil says
Anthony,
I agree with the points you made, but a lot of companies today are using zero trust architecture as a marketing term. The challenge is that it is very hard to implement a zero trust model throughout an enterprise environment because it would hinder productivity and efficiency.
Anthony Wong says
Shubham,
While I agree it would hinder productivity and efficiency and result in unhappy users, there is a middle ground. One thing organizations can do is have monthly attestations to review users’ access so their manager can determine what access to remove.
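The revocation and approval points raised by Kyuande above and the monthly attestation suggested here, as one added example that is not part of the original thread: it builds a per-manager review worklist from constructed entitlement records. The record layout, the 90-day staleness threshold and all names are assumptions, not any product's format.

```python
"""Build a monthly access-attestation worklist from constructed IAM entitlement records."""
from datetime import date

STALE_DAYS = 90                 # unused for longer than this => manager must confirm (assumed)
REVIEW_DATE = date(2024, 6, 1)  # constructed date of this attestation cycle

# Constructed entitlement records: one row per (user, entitlement).
ENTITLEMENTS = [
    {"user": "asmith", "manager": "rkhan", "entitlement": "hr-files-rw", "status": "active",
     "expires": None, "last_used": date(2024, 5, 28)},
    {"user": "asmith", "manager": "rkhan", "entitlement": "finance-ro", "status": "active",
     "expires": None, "last_used": date(2024, 2, 3)},
    {"user": "bjones", "manager": "rkhan", "entitlement": "prod-db-admin", "status": "active",
     "expires": date(2024, 4, 15), "last_used": date(2024, 5, 20)},   # temporary grant
    {"user": "clee", "manager": "pnair", "entitlement": "hr-files-rw", "status": "terminated",
     "expires": None, "last_used": date(2024, 5, 30)},               # leaver, never deprovisioned
]

def classify(row, today):
    """Return (action, reason) for one entitlement row; hard failures come before judgement calls."""
    if row["status"] == "terminated":
        return "revoke", "account terminated but entitlement still present"
    if row["expires"] is not None and row["expires"] < today:
        return "revoke", "temporary access past its approved expiry date"
    if (today - row["last_used"]).days > STALE_DAYS:
        return "review", f"not used in {STALE_DAYS} days; manager to confirm it is still needed"
    return "keep", "in use and within approved scope"

def build_attestation(rows, today):
    """Group items that need a decision by the approving manager; 'keep' rows are omitted."""
    worklist = {}
    for row in rows:
        action, reason = classify(row, today)
        if action == "keep":
            continue
        worklist.setdefault(row["manager"], []).append(
            {"user": row["user"], "entitlement": row["entitlement"],
             "action": action, "reason": reason})
    return worklist
```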
Kyuande Johnson says
Great Points Anthony,
I agree access management helps control user access to the corporate network. Having an effective and properly implemented AAA (Authentication, Authorization and Auditing) is essential in protecting an organization. Proper Authentication ensures that the user is who they say they are. Having proper Authorization ensures that the user has access to only what’s needed for their job function. Having proper Auditing ensures non-repudiation, meaning a user can’t deny sending a message or performing an action on the information system. This accountability aspect is essential in ensuring that the organization can without a doubt deem a user responsible if an incident occurs.
Vraj Patel says
Hey Anthony,
That’s a great point. Access management is helpful in setting up the access permissions, such as read/write access. It would be beneficial to the company to manage its data in order to keep it secure while allowing end-users access.
Mitchell Dulaney says
Hi Anthony – each organization needs to decide what logs its IAM solutions should be generating based on what kinds of audits (internal and external) the organization anticipates it will need to perform. The IAM solution they implement should be evaluated for its ability to meet their auditing needs along with the other requirements that are important to the company.
Shubham Patil says
There are various factors involved when it comes to access management spending, it is never a “one size fits all” situation. Here are a few pointers to consider while budgeting: Determine your IAM budget when you estimate your security budget. Determine the areas in which to invest and ensure the right risks are adequately managed. Determine the specific IAM components that will address not only your short-term considerations but also a longer-term security strategy. It is expensive to switch from one solution to another within a few years. Compare your IAM spending to those of your industry peers.
My recommendation would be to implement an IDaaS solution; IDaaS providers enjoy advantages that translate into cost savings for their customers. Even if you have the talent in your workforce to implement IdM on-premises, it would almost certainly be cheaper to outsource it to one of the many established vendors in this space. The visibility that an IDaaS provider has not only across your organization but also across the entire space of its customers allows it to detect and respond to threats faster and better than might otherwise be possible.
Kelly Sharadin says
Hi Shubham,
You are spot on in your analysis. I am currently in the process of selecting an IdP provider and one size certainly does not fit all. Many vendors partner with other providers to offer both IdP and MDM, which is annoying for smaller organizations who don’t have large budgets to stack products. I agree with you that the centralized visibility gained by implementing an IdP is ideal for security teams. The ability to detect newly added devices or account compromise is paramount for cyber defense.
Kelly
Mohammed Syed says
Yeah, Shubham, there are many different types of IDaaS, and currently, IDaaS is growing and accelerating digital transformation while reducing cost and risk. Also, an Identity-as-a-Service provider helps ensure that users are who they claim to be.
Vraj Patel says
Hey Shubham,
I agree that there is no one-size-fits-all approach for access management implementation. As a result, if a company is smaller, there’s a good chance it won’t need a robust access management program, but larger companies will be processing more data, both business-related and customer-related. This would require having effective controls in place to safeguard all of the data.
Antonio Cozza says
Great summary Shubham,
In a normal / non-emergency scenario, it is best to take the time to confidently assess and evaluate an implementation decision that fits an organization’s specific requirements, rather than choose a risky provider that may change down the line. For many organizations, outsourcing this function to one of the established cloud IDaaS vendors would, to your point, surely be cheaper and more effective overall than limited resources on-prem.
Mitchell Dulaney says
Hi Shubham, you’re right that identifying an IAM solution that works for your organization and implementing it to meet your specific needs is very important. Like any security solution, all products are not the same and aren’t designed to meet the needs of every organization.
Kyuande Johnson says
Access Management is the process of ensuring that users have the correct system resources. There are four types of access controls: Mandatory Access Controls, Role-Based Access Controls, Discretionary Access Controls, and Rule-Based Access Controls. Mandatory Access Controls restrict the ability individual resource owners have to grant or deny access to resource objects in a file system. Role-Based Access Controls restrict network access based on the roles of individual users within an enterprise. Discretionary Access Controls grant or restrict object access via an access policy determined by an object’s owner group and/or subjects. With Rule-Based Access Controls, a systems administrator sets access management rules that can allow or deny user access to specific areas, regardless of an employee’s other permissions. Implementing effective Access management helps centralize the IAM process by keeping all user credentials, login information, and passwords in one place to streamline your monitoring efforts.
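The four models listed in this post as toy decision functions, an added example that is not part of the original thread. The labels, roles, ACL and the admin rule are constructed; the mandatory model follows the Bell-LaPadula read-down/write-up convention, which is one common way to realise MAC, not the only one.

```python
"""One decision function per access-control model, combined in decide()."""
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_allows(subject_clearance, object_label, op):
    """Mandatory: labels are set by the organisation, not the object owner.
    Read only at or below your clearance; write only at or above it (no write-down)."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    return s >= o if op == "read" else s <= o

ROLE_PERMS = {  # constructed role -> permission mapping
    "hr-analyst": {("hr-files", "read")},
    "hr-manager": {("hr-files", "read"), ("hr-files", "write")},
}

def rbac_allows(user_roles, obj, op):
    """Role-based: permission is attached to roles, never granted to the user directly."""
    return any((obj, op) in ROLE_PERMS.get(r, set()) for r in user_roles)

ACLS = {  # constructed owner-managed ACLs
    "quarterly-plan.docx": {"owner": "asmith", "grants": {"bjones": {"read"}}},
}

def dac_allows(user, obj, op):
    """Discretionary: the owner decides who else gets what; the owner keeps full access."""
    acl = ACLS[obj]
    return user == acl["owner"] or op in acl["grants"].get(user, set())

ADMIN_RULES = [  # rule-based: set by the administrator, applies regardless of other permissions
    {"deny_op": "write", "allowed_hours": (8, 18)},  # no writes outside 08:00-18:00
]

def rule_denies(op, hour):
    for rule in ADMIN_RULES:
        start, end = rule["allowed_hours"]
        if op == rule["deny_op"] and not (start <= hour < end):
            return True
    return False

def decide(user, roles, clearance, obj, label, op, hour):
    """Admin rules veto first, then the mandatory check, then role or discretionary grant."""
    if rule_denies(op, hour):
        return False
    if not mac_allows(clearance, label, op):
        return False
    return rbac_allows(roles, obj, op) or (obj in ACLS and dac_allows(user, obj, op))
```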
Vraj Patel says
Hey Kyuande,
That was a great overview of those 4 access controls. In addition, installing an access management program would help in the establishment of user accountability. Which would make it easy to trace any malicious activity performed by end-users.
Mitchell Dulaney says
Access management is critical to a modern enterprise because of the expansion of the kinds of assets and of the ways those assets can be accessed, in addition to the sheer number of assets that an average organization now owns. Whereas fifty years ago, information assets existed primarily in physical form as paper documents that would be organized in locked file cabinets in specific rooms in the organization’s facilities, now assets can exist in a huge variety of digital forms, can be saved to all sorts of storage media, and can be transported quickly and without warning between those media. Access management is critical, because without it all of these assets can be accessed and moved without the organization consenting or even knowing about those changes taking place. A company needs to be able to look at any asset it owns, and it should be able to identify who can access that asset and how they can access it.
Proper access management offers a number of benefits to an organization. First, access management streamlines the process by which new or existing employees can gain or lose access to a given resource. When a process for handling these changes is clearly defined, and a system is implemented to fulfill that workflow efficiently, the organization benefits from that transparency and efficiency in the form of less time spent on those processes and, by extension, increased productivity. Additionally, asset management reduces the information security risk that an organization is exposed to. By properly controlling which internal and external entities can access a given asset, limiting the methods that can be used to access that asset, and defining what each entity can do to that asset, the organization minimizes the likelihood of their information security being compromised. It will be less likely that the company’s data is stolen, leaked, or improperly changed, and they will be less likely to face financial, legal, or reputational liabilities.
Mohammed Syed says
Also, we need identification component requirements: each identifier should be unique for user accountability and follow a standard naming scheme. The value also should be nondescriptive of the user’s position or tasks. And the matter should be shared between the users.
Vraj Patel says
Hey Mitchell,
That was a great point, that individuals in the business might gain or lose access when deploying an access control solution. As a result, effective preparation ahead of time is required to ensure that everyone has access to perform their task while also ensuring that the roles allocated to them do not conflict with any other roles already assigned to that user.
Antonio Cozza says
Nice view on this one Mitchell,
It is interesting to observe how these methods change so vastly over the course of a couple decades. The complexity of modern IAM is a continuously evolving challenge that changes with business needs and advances in resource storage.
Mohammed Syed says
The growth of the internet, cloud computing, and increased distributed work make it complex daily for Enterprises’ Access Management. Every enterprise wants a robust identity and proper access management strategy to succeed and face today’s challenges to access management. Access management can enable enterprises to achieve employee productivity and manage overall security challenges. Driving business growth, satisfying customers, and adequately delivering services without damaging the business reputation is the biggest challenge for enterprise organizations. When adopting new technology or needing to change strategy, enterprises must be aware of the most critical trends in authentication identity and control access management for corporate applications services. Enterprises always face attacks from insiders and intruders for necessary applications. Hence, enterprises must ensure that access management is tightly secure to keep data safe from various threats and upcoming new challenges.
Proper enterprise access management benefits users, security administrators, and whole enterprises. While effective and appropriate access management gives many essential benefits to enterprises, such as improved efficiency of security teams, improved regulatory compliance, reduced security operating costs, enhanced security, employee confidence to work, and success in achieving business targets, it also reduces password issues and improves user experience and the trust of customers, which is very beneficial to all enterprises.
Antonio Cozza says
Good points Mohammed, cloud computing is a major area of concern for access management right now as many companies are not adequately protecting business resources and identities there.
Vraj Patel says
The identity and access management program assists organizations in providing end users with access to their IT resources. It also helps businesses to keep track of what their end users are doing on their network. Identity and access management could be utilized to set up a role-based access for the end users. As a result, end users would only have access to the information they require to do their work, allowing the organization to protect its business-critical data. To keep accounts safe, organizations may use multi-factor authentication, which Identity and access management software would effectively allow to be applied to all accounts. Identity and access management also enables organizations to implement Single Sign-on (SSO), which enables employees to get easier access to all their company’s applications.
Mohammed Syed says
Also, it is essential for security teams to understand all the technologies that make up a complete enterprise IdM solution because the IdM requires managing uniquely identified entities and their attributes, credentials, and entitlements.
Antonio Cozza says
Access management is critical to today’s enterprise because it can be used to maintain foundational security concepts like least privilege. Improper access controls can directly cause a business to incur major financial and reputational damages, which may be difficult and costly time-wise to restore if the efforts succeed. Proper access controls uphold least privilege, and support modern security standards which in turn demonstrate some compliance requirements for relevant items like privileged and temporary accounts, which require varying access management to ensure that the correct users are able to complete their appropriate tasks without access to extra areas that are not needed. With many identities across cloud environments being somewhat complex now, having strong access management in these environments will protect organizations more suitably while also allowing them to upscale business and resources into cloud environments.
Mitchell Dulaney says
Hi Antonio – good point that the need to integrate with various cloud service providers seriously changes access control requirements. Instead of only managing access to on-premises resources controlled and maintained exclusively by the organization, access to external resources has to be managed too.