Identity and Access Management – Lifecycle


The management cycle of I&AM.


A popular description is: identity management, also known as identity and access management (I&AM), is the security and business discipline that “enables the right individuals to access the right resources at the right times and for the right reasons”. Another definition is: an I&AM system is a framework of business processes that facilitates the management of electronic identities. The framework includes the technology needed to support identity management.

Below I explain some topics, touching them only on the surface. My goal is to give you an idea of what Identity and Access Management covers.

Control – Access control systems

Access control systems are physical or electronic, and their purpose is to control access to the building, the network and other systems on the network. There are two types of access control:

  • Facility access control provides a history of who accessed the network and who granted that access.
  • Logical access control is a mechanism that authorises or limits users, devices and other resources (software) and determines what type of access is needed.

Another way of looking at access to systems and resources is by access mode. Generally speaking there are three modes:

  • Read only: read, copy or print information.
  • Read and write: gives users or software the capability to view, print, add, delete and modify information.
  • Execute: grants a user or software the right to execute programs on systems.

Manage – I&AM Administration

Administering users, devices, software and other resources is a complex task and is therefore often a source of vulnerabilities. Administration is about implementing, monitoring, modifying, testing and revoking access. I&AM decisions should be based on policies and on a “need to know” basis, and should be supported by procedures and forms.

Administration covers the following controls: identification (uniqueness), authentication (validation) and authorisation (control).

Common administration implementations are:

  • Centralised administration
  • Decentralised administration
  • Hybrid administration approach

Manage identification and authentication

Identification (uniqueness). Ways of establishing identity are:

  • using identification badges
  • using access badges
  • using a user ID
  • using an account number/PIN
  • using Media Access Control (MAC) addresses for all kinds of devices
  • using IP addresses for all kinds of IP systems
  • using RFID tag components and chipless RFID tags

After identification comes authentication (validation), where the user's claimed identity is verified. This can be done through:

  • what somebody knows (password),
  • what he/she has (badge, token); combining this with the previous factor is the well-known form of two-factor authentication,
  • what he/she is (biometric scan).

Authorisation is the final step: the user is granted (or limited) access to resources such as files, data and programs based on the role he/she has.
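The three steps above (identification by user ID, authentication with something known plus something held, then authorisation by role) can be shown as one small flow. The following is an added example written for this page, not code from the original article; the in-memory directory, the user "alice", her roles and the token secret are all constructed sample data. The second factor is an RFC 4226 HOTP token (the secret used is the one from that RFC's test vectors) and the password is stored as a salted PBKDF2 hash rather than in the clear.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000


def make_password_record(password: str, salt: bytes = b"") -> dict:
    """Store only a salted PBKDF2-HMAC-SHA256 hash of the password (what the user KNOWS)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP code: proof of what the user HAS (a token sharing `secret`)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed sample data: the HOTP secret is the RFC 4226 test-vector secret.
TOKEN_SECRET = b"12345678901234567890"

# Constructed in-memory "directory"; a real deployment would query LDAP/AD.
DIRECTORY = {
    "alice": {
        **make_password_record("correct horse battery staple"),
        "token_secret": TOKEN_SECRET,
        "token_counter": 0,          # next counter value the server will accept
        "roles": {"finance"},
    },
}
# Dummy record so that unknown user IDs cost the same time as known ones.
_DUMMY = make_password_record("unused-dummy-password")

ROLE_PERMISSIONS = {"finance": {"ledger:read", "ledger:write"}}


def identify(user_id: str):
    """Step 1: identification. Look up the unique user ID (may be None)."""
    return DIRECTORY.get(user_id)


def authenticate(user_id: str, password: str, otp: str) -> bool:
    """Step 2: authentication with two factors (knows + has)."""
    rec = identify(user_id) or _DUMMY
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    if rec is _DUMMY or not hmac.compare_digest(digest, rec["hash"]):
        return False
    # Accept the expected counter or a small look-ahead window, then advance
    # past the used counter so the same code cannot be replayed.
    for c in range(rec["token_counter"], rec["token_counter"] + 3):
        if hmac.compare_digest(hotp(rec["token_secret"], c), otp):
            rec["token_counter"] = c + 1
            return True
    return False


def authorise(user_id: str, permission: str) -> bool:
    """Step 3: authorisation. Grant only what the user's roles carry."""
    rec = identify(user_id)
    if rec is None:
        return False
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in rec["roles"])


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple", hotp(TOKEN_SECRET, 0)))
    print(authorise("alice", "ledger:read"), authorise("alice", "hr:read"))
```

Each step is a separate function on purpose: an application that checks a role before it has verified both factors, or that looks up permissions for an ID that was never authenticated, has collapsed the three steps the text keeps apart.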

In order to stay in control of I&AM there are several implementations based on appropriate processes and infrastructure as well as policies. Here are several identity management solutions:

  • Password management, for managing passwords consistently
    • Password synchronisation
    • Password policies
    • Self-managed registration and reset of passwords
    • Voice response systems for resetting passwords
  • Account management
    • Cross-platform account management
    • Workflow management where users can submit requests
    • Automatic replication
    • Facility for loading batch changes into user directories
    • Automatic creation, change or deletion of access to systems
  • Profile management
    • Collection of the information associated with a particular identity
    • Contains privileges and rights on specific systems
    • Easy to manage and automatically propagated
    • Self-service for non-sensitive parts of the profile to reduce time and costs
  • Directory management (X.500, LDAP, AD DS and X.400)
    • Comprehensive and central database
    • Contains a hierarchy of stored objects
    • Objects stored on several directory servers for redundancy and scalability
    • It is important that legacy systems which are not supported by the directory server are decommissioned as quickly as possible
  • Single sign-on management
    • Provides a central repository of user credentials
    • Applications are unaware (“sleight of hand”)
    • SSO client software

Integration – I&AM outside an enterprise (third-party)

Integrated access management is a combination of business processes, policies and technologies that allows organisations to provide secure access to confidential resources (systems, users, data, software). IAM software controls the enterprise flow of sensitive data into and out of the network. Integrated I&AM tools have four distinct features:

  • A method of providing users access to applications, systems and documents throughout an enterprise.
  • The ability to authenticate a user at the proper access level, based upon the “need to know” principle.
  • Single sign-on (SSO), so that users can access the resources to which they have been granted access.
  • Auditing features to confirm that the IAM system is working properly and meets compliance requirements.

An external solution for I&AM is IDaaS (Identity as a Service): a cloud-based offering that targets systems both on customer premises and in the cloud. The main purposes of IDaaS are administration, account provisioning, authentication and authorisation, and reporting.

Advantages of IDaaS are:

  • Easy SSO authentication across multiple internal and external applications
  • Better federated identity across multiple authoritative platforms
  • More granular authentication and improved security control
  • Less administration, from a single management pane
  • Integrated directory services with in-house LDAP, Active Directory and HRM systems

Considerations for IDaaS are:

  • APIs or connectors to integrate with (other) services
  • Authorisation mapping based on rules or attributes
  • Auditing, for managing the internal logs as well as the logs of the cloud provider. Especially in a multi-tenant environment, getting the logs from a cloud provider can be problematic.
  • Privacy: sensitive data is pushed outside the enterprise to the cloud and is no longer fully under its control.
  • Latency: changes in one system can lag slightly behind the systems in the cloud, or vice versa.
  • App identity: the chain from a client such as a mobile device to the backend system is getting longer and longer. In some cases the actual client is no longer verified.

Implementing – Implement & manage authorisation mechanisms

Before implementing I&AM strategies think of the following points:

  • Strategy: There is no standard for addressing identity and access management, and without education you will not receive broad support.
  • Roadmap: Map out your future IAM roadmap. A roadmap can span more than 18-24 months! A clear view of the current situation and the intended future situation is needed.
  • Monitor: Keep good track of the performance and progress of the I&AM implementation. This drives efficiency, avoids frustration and helps acceptance.
  • SSO: Think through and design a very good SSO implementation, to avoid the big risks that come with a bad SSO design.

Types of authorisation mechanisms

  • Role-based access control: Role-based access control (RBAC) is a policy-neutral access control mechanism defined around roles and privileges. Components such as role-permission, user-role and role-role relationships simplify user assignment. RBAC addresses the needs of large commercial and government organisations and supports the administration of security.
  • Rule-based access control (also called context-based access control): Rule-based access control allows or denies access to resource objects based on a set of rules defined by a system administrator. Nobody other than the administrator can give you rights or permissions. Access properties are stored in Access Control Lists (ACLs) associated with each resource object. When a particular account or group attempts to access a resource, the operating system (or a firewall) checks the rules contained in the ACL for that object.
  • Non-discretionary access control or mandatory access control: Mandatory Access Control (MAC) is the strictest of all levels of control. The design of MAC was defined by, and is primarily used by, the government (defence/military). MAC takes a hierarchical approach to controlling access to resources. In a MAC-enforced environment, access to all resource objects (such as data files) is controlled by settings defined by the system administrator. Mandatory Access Control begins with security labels assigned to all resource objects on the system. These security labels contain two pieces of information: a classification (top secret, confidential, etc.) and a category (which is essentially an indication of the management level, department or project to which the object is available).
  • Discretionary access control: Discretionary Access Control (DAC) allows each user to control access to their own data. DAC is typically the default access control mechanism for most desktop operating systems. Instead of the security label used by MAC, each resource object on a DAC-based system has an Access Control List (ACL) associated with it. An ACL contains the list of users and groups to which the owner has permitted access, together with the level of access for each user or group.
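The four mechanisms differ mainly in who decides and what the decision is based on. The following added example (written for this page, not taken from the original article) puts a minimal version of each side by side: RBAC with role-role inheritance, an administrator-defined rule set, a DAC object whose owner edits its ACL, and MAC labels compared by the system. All roles, users, rules, networks and labels are constructed sample data; the MAC check applies the usual "read at or below your own level, and only with every category the object carries" rule, which is an assumption this example makes rather than something the text spells out.

```python
import ipaddress
from dataclasses import dataclass, field

# ---- RBAC: permissions attach to roles; roles may inherit from other roles ----
ROLE_PERMS = {                      # role-permission relationship (constructed)
    "employee": {"wiki:read"},
    "engineer": {"repo:read", "repo:write"},
    "release-manager": {"repo:tag"},
}
ROLE_PARENTS = {                    # role-role relationship: child inherits parent
    "engineer": {"employee"},
    "release-manager": {"engineer"},
}
USER_ROLES = {"bob": {"release-manager"}, "carol": {"employee"}}  # user-role


def effective_roles(role: str, seen: set = None) -> set:
    """Expand a role into itself plus every ancestor role (cycle-safe)."""
    seen = set() if seen is None else seen
    if role not in seen:
        seen.add(role)
        for parent in ROLE_PARENTS.get(role, ()):
            effective_roles(parent, seen)
    return seen


def rbac_allowed(user: str, permission: str) -> bool:
    roles = set()
    for r in USER_ROLES.get(user, ()):
        roles |= effective_roles(r)
    return any(permission in ROLE_PERMS.get(r, ()) for r in roles)


# ---- Rule-based: administrator-defined rules, first match wins, default deny ----
OFFICE_NET = ipaddress.ip_network("10.0.0.0/8")          # constructed sample range
RULES = [
    (lambda ctx: ctx["src"] in OFFICE_NET, True),          # on-site: allow
    (lambda ctx: 8 <= ctx["hour"] < 18 and ctx["mfa"], True),  # remote, office hours, MFA
]


def rule_allowed(ctx: dict) -> bool:
    for predicate, decision in RULES:
        if predicate(ctx):
            return decision
    return False


# ---- DAC: each object carries an ACL that only its owner may change ----
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # principal -> set of modes

    def grant(self, by: str, principal: str, modes: set) -> None:
        if by != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.setdefault(principal, set()).update(modes)

    def allowed(self, principal: str, mode: str) -> bool:
        return principal == self.owner or mode in self.acl.get(principal, set())


# ---- MAC: labels (classification, categories) fixed by the administrator ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_read_allowed(subject_label: tuple, object_label: tuple) -> bool:
    """Label = (classification, set of categories). Neither party can override this."""
    s_level, s_cats = subject_label
    o_level, o_cats = object_label
    return LEVELS[s_level] >= LEVELS[o_level] and o_cats <= s_cats
```

Note what each check consults: RBAC never looks at the resource, only at the user's roles; the rule set never looks at the user, only at the request context; the DAC object consults its own ACL and trusts its owner; the MAC check consults labels that neither subject nor owner can edit. Mixing these up (for example, letting an object owner adjust a MAC label) quietly turns a mandatory control into a discretionary one.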

Lifecycle management I&AM

Provisioning: Provisioning is the process of coordinating the creation of resources such as user accounts, e-mail authorisations in the form of rules and roles, and other tasks such as provisioning the physical resources associated with enabling new users.

Review: Access rights, permissions and privileges must be monitored on a regular basis to avoid the risk that they become excessive.

Revocation: At some point in time, access rights, permissions and privileges must be revoked, manually or (better) automatically based on monitoring tools. It is important that the data created by a user is transferred to a designated user or group.
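The three lifecycle steps (provision, review, revoke) are easiest to see when driven from an authoritative source such as an HR feed. The code below is an added example for this page, not the original article's code or any product's API; the role baselines, the HR records and the object names are constructed sample data. Provisioning creates an account with exactly the baseline entitlements of its role, review reports any entitlement beyond that baseline, and revocation disables the account, strips its entitlements and hands its owned objects to a designated successor, with every action written to an audit trail.

```python
from dataclasses import dataclass, field

# Constructed baseline: the entitlements each role is supposed to have and no more.
ROLE_BASELINE = {
    "analyst": {"crm:read", "reports:read"},
    "admin": {"crm:read", "crm:write", "iam:admin"},
}


@dataclass
class Account:
    user_id: str
    role: str
    entitlements: set = field(default_factory=set)
    owned_objects: set = field(default_factory=set)   # data the user created
    active: bool = True


class IdentityStore:
    """Minimal identity store with provision / review / revoke and an audit log."""

    def __init__(self):
        self.accounts = {}
        self.audit = []

    def provision(self, user_id: str, role: str) -> Account:
        """Joiner: create the account with the role's baseline, nothing extra."""
        acct = Account(user_id, role, set(ROLE_BASELINE[role]))
        self.accounts[user_id] = acct
        self.audit.append(("provision", user_id, role))
        return acct

    def grant(self, user_id: str, entitlement: str) -> None:
        """Ad-hoc grant outside the baseline (the thing review is meant to catch)."""
        self.accounts[user_id].entitlements.add(entitlement)
        self.audit.append(("grant", user_id, entitlement))

    def review(self) -> dict:
        """Return {user_id: excess entitlements} for active accounts over baseline."""
        findings = {}
        for uid, acct in self.accounts.items():
            if not acct.active:
                continue
            excess = acct.entitlements - ROLE_BASELINE[acct.role]
            if excess:
                findings[uid] = excess
        return findings

    def revoke(self, user_id: str, transfer_to: str) -> set:
        """Leaver: disable, strip all entitlements, hand owned data to a successor."""
        acct = self.accounts[user_id]
        successor = self.accounts[transfer_to]
        removed = set(acct.entitlements)
        acct.entitlements.clear()
        acct.active = False
        successor.owned_objects |= acct.owned_objects
        acct.owned_objects = set()
        self.audit.append(("revoke", user_id, transfer_to))
        return removed


def reconcile_with_hr(store: IdentityStore, hr_feed: list) -> list:
    """Drive joiner/leaver actions from HR records (constructed feed format)."""
    actions = []
    for rec in hr_feed:
        existing = store.accounts.get(rec["id"])
        if rec["status"] == "active" and existing is None:
            store.provision(rec["id"], rec["role"])
            actions.append(("provisioned", rec["id"]))
        elif rec["status"] == "left" and existing is not None and existing.active:
            store.revoke(rec["id"], rec["manager"])
            actions.append(("revoked", rec["id"]))
    return actions


if __name__ == "__main__":
    store = IdentityStore()
    print(reconcile_with_hr(store, [
        {"id": "mia", "role": "admin", "status": "active", "manager": None},
        {"id": "dan", "role": "analyst", "status": "active", "manager": "mia"},
    ]))
    store.grant("dan", "crm:write")
    print(store.review())
```

Running the review after every reconciliation, rather than once a year, is what turns the "regular basis" in the text into something automatic; the same loop that provisions joiners also revokes leavers, so an account never outlives its HR record.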

Improving – points of attention

  • End-of-life systems. Too many organisations are at a point in their IAM journey where they have one of every product in the marketplace. Legacy systems are increasingly insecure and costly to replace, often burdened by organisational politics or a lack of programme funding. Plus, IAM teams are pressured by vendors to maintain licence compliance with the latest hot fixes and security patches.
  • Provisioning silos. Overlapping systems and manual processes, frequently not enforced by a company’s governance, risk and compliance (GRC) policies, increase the threat vectors and, consequently, the cost and effort of maintaining compliance.
  • Weak architecture and strategy. Weak architecture and strategy occur when too much time is allocated to tactical execution.
  • Failure to focus on the end-to-end experience. Multiple logins, password proliferation, an inconsistent user experience, loss of productivity and frustrated users all result from a failure to plan, design and integrate IAM systems from a strategic vantage point. Organisations grow organically and become more disparate and disconnected, causing customers to suffer from poorly connected customer information systems and disjointed customer service.