Identity and Access Management (IAM) is the set of business processes, information and technology for managing and using digital identities. IAM includes the people, processes, and technology required to provide secure and auditable access to systems and applications. The operational improvements and benefits delivered by IAM will help advance each of these core business drivers:
Improve End User Experience
- Increased user productivity through self-service capabilities and a reduced number of accounts used to login
- Eased end user burden in the performance of compliance controls through business oriented language
- Decreased excessive access reviews utilizing a risk-based approach supported by roles
Improve Efficiency and Control Cost
- Decreased time required to provision, de-provision, and review user entitlement assignments
- Improved efficiency of access requests with a centralized user interface
- Increased timeliness of access reviews due to online process and business oriented language
Reduce Risk and Improve Security
- Decreased risk of fraud and inappropriate user access
- Increased likelihood that users have the correct access to perform their job
- Reduced risk by utilizing a repeatable process for application integration into the access management framework
Enhance Audit and Meet Regulatory Compliance
- Increased access review reliability via meaningful reports and easily understood terminology
- Reduced likelihood of users having conflicting access rights
- Improved management of privileged account tracking
Core IAM service areas for CISSP
Identity Administration – Identity Administration refers to the management of user identities (user ID) and their privileges across systems. It is commonly referred to as provisioning/de-provisioning. This would also include any tools or utilities used to manage groups or other administration areas.
Access Certification – Integrated reporting around user access (who has access to what with approvals) including certification of that access with actionable steps to resolve identified access issues.
Role Based Access Control (RBAC) – RBAC is a recognized industry standard methodology adopted by an organization that defines, manages, and enforces access control privileges through the use of roles between the end user and permission assignments. Under RBAC, access is defined by creating roles based on job responsibilities.
Access Management – Access Management refers to the tools and technologies used to enable or limit access to systems and applications. Examples include SiteMinder, Tivoli Access Manager for Operating Systems (TAMOS), CA Access Control, etc.
Password Management – Automation of password management with features such as self-service password reset, password synchronization, forgot password, etc.
Privileged User Management – Management of user identities such as system or service accounts with elevated access rights in platforms or applications. Examples of this would be “root” access on UNIX servers, “Administrator” on Windows servers and “SYSTEM SPECIAL” on mainframes.
Identity and Access Management Governance – Governance is focused on establishing the elements necessary to effectively achieve IAM program vision through the alignment and coordination of disparate teams and activities.
The following guiding principles provide general direction for developing a future state framework allowing the achievement of a higher level of IAM maturity.
- Common Governance: Provide enterprise IAM standards while also supporting the flexibility of autonomous execution across various business functions. Align IAM projects with key strategic initiatives to maximize business impact.
- Simplify: Invest in commercially available products and cloud solutions when possible and deploy with minimal customization. Reduce developing in-house solutions/tools which can be costly to maintain and difficult to integrate.
- Centralize/Standardize: Where possible, centralize IAM process execution, reuse existing technologies, replicate proven processes and standardize technologies and architectural patterns.
- Expand Automation: Where possible, provide process automation and/or system driven execution. Streamline account intake and fulfillment processes. Establish workflows and accountability matrices for sustainability.
- Innovate: Enable the business by investing in people, training and communication as an integral component of execution. IAM processes and solutions are operationalized across the organization for sustainability.
- Measure: Measure and monitor the IAM program at various levels, considering the customer, key performance indicators, key risk indicators, compliance and adherence to SLAs.
IAM Organizational Functions
An organization that manages logical access effectively typically has two key functions:
- An Identity governance function that oversees Identity related processes; and
- An Identity operations function that delivers the Identity processes. These functions can exist in multiple groups in an organization.
Identity Governance Function – primarily includes Operational Processes and Procedures Maintenance, Monitoring and Reporting, Identity Rules and Matrices Maintenance, Project Operational Readiness Advisory and Process Change Management Advisory. This function:
- Defines system-independent Access Control Operational Standards (process-level and procedural details on enforcing access controls and managing exceptions)
- Defines risk based approach for Access Review
- Facilitates the definition / modification / decommissioning of roles and access rules, including helping business units define cross-functional roles
- Advises projects to determine that artifacts (e.g. access rules and roles) are defined as part of the project
- Facilitates adoption of logical access processes through change training, communications, etc., and
- Monitors compliance with logical access policies, standards and effectiveness of controls.
Identity Governance Capabilities: Key Identity governance capabilities are needed for organizations to have effective control over their logical access management environment.
The key capabilities include:
- Operational Documentation Maintenance – consists of Access Control Operational Processes and Maintenance of Operations Processes. With this capability it develops a structure, provides oversight and direction for local access controls. It also establishes governance model, defines processes, and ensures compliance with operational processes and procedures.
- Monitoring and Reporting – consists of Monitoring Compliance with Policies/Standards, Monitoring Effectiveness of Access Controls and Executive Dashboards and Reporting. This capability enables the monitoring of access control processes to ensure their effectiveness, efficiency (meeting service level targets) and compliance with standards and control objectives.
- Access Rules, Roles, and Entitlements Maintenance – consists of Exception Management, Rules Definition, Rule Update, Rule Certification, Rule Decommissioning, Roles/Entitlements Definition, Roles/Entitlements Update, Roles/Entitlements Certification and Roles/Entitlements Decommissioning. These facilitate the lifecycle processes around rules/roles, i.e., who works with application owners on both business and technology sides.
- Operational Readiness Advisory – consists of Requirements Stage, Design Stage, Testing Stage and Operational on-boarding. It provides advisory and consultation to system development projects regarding logical access controls that need to be defined, as part of the solution development lifecycle.
- Change Management Advisory – consists of Develop and Administer Communications, Develop and Conduct Training, Process Change Management and Facilitate Adoption. It provides change management advisory services and proper communications through training and other channels in order to adopt Identity governance processes.
- Identity Operations Function – primarily includes Access Review and Reporting, Access Requests and Fulfillment, Privileged Access Request and Fulfillment and IAM Technology Support.
This function is:
- Responsible for the day to day operations of access request, provisioning and administration processes.
- Responsible for execution and enforcement of logical access controls, as part of access request, provisioning and administration processes.
- Enforcement of rules related to ID/access request approvals, completeness validation, and correctness checks, as defined by the Access Control Operational standards and system-specific access rules.
- Responsible for remediation processes and corresponding access controls, as defined by the Access Control Operational Standards.
- Responsible for the day to day operations of the IAM technologies including infrastructure and application configuration, patching, and code changes.
Identity Operations Capabilities: Key Identity governance capabilities are needed for organizations to have effective control over their logical access management environment.
The key capabilities include:
- Access Request – consists of Verify Request Completeness and Validate Approvals, Enforce Access Rules and Access Matrices, Reminders and Escalations. These manage the access request process and enforces key access controls, such as approval validation, verification of completeness of user data, appropriateness of access and keeping the audit trail of all requests.
- Privileged Access Request – consists of Verify Request Completeness and Validate Approvals, Enforce Access Rules and Access Matrices, Reminders and Escalations. These manage the privileged access request process and enforces key access controls, such as approval validation, verification of completeness of user data, appropriateness of access and keeping the audit trail of all requests.
- Access Fulfillment – consists of Provisioning Fulfillment and Fulfillment Management. These manage the Identity fulfillment process as part of the user Identity lifecycle, which includes access provisioning, access modification and access de-provisioning.
- Privileged Access Fulfillment – consists of Provisioning Fulfillment, Fulfillment Management and Credential Retrievals. These manage the privileged access fulfillment process, which includes privileged access provisioning, privileged access modification, privileged access de-provisioning and credential retrievals.
- Access Review and Reporting – consists of Prepare Certification Reports, Facilitate Certification Process, Facilitate Remediation Process and Privileged ID Inventory and Monitoring. These manage the Access Review and reporting process. Also, facilitates the Access Remediation processes which result in removal of inappropriate (or no longer required) user access.
- IAM Technology Support – consists of Infrastructure, Application, Database and Directory support. These manage the operational support for the IAM technology, including patching, upgrades, and configuration for operating systems, databases, directories, and application code.
Key IAM Concepts – Provisioning
Provisioning solutions address administration of accounts (i.e., user IDs) and assignment of access privileges. Properly implemented, a Provisioning solution provides standard processes for On-boarding, Transfer, Periodic Access Review and Off-boarding of enterprise employees, contractors, third party business partners and customers.
A provisioning system consists of several components: request system, authoritative sources, administration interfaces, workflow, provisioning engine, connectors/agents/directory integrators, identity repository, reporting and managed resources
The key business challenges faced by most of the organization includes:
- Escalating costs of user account administration and Help Desk services
- Low service levels for account creation, approval processes
- Cost of ongoing compliance audits of user account administration activities
- Complex provisioning processes unique to each business application and
- Accounts for terminated users are not deleted in a timely manner.
These affect end users, User Administration, Help Desk, IT Audit, Risk Management including others and result in:
- High user account administration and help desk workloads
- Low user satisfaction with account administration service levels, timeliness
- Risk of unauthorized access to business applications and systems and
- Access control policies are difficult to enforce.
These challenges are addressed by provisioning through:
- Enabling centralized access request process
- Automating account provisioning and de-provisioning based on HR triggers and
- Defining standard user administration workflows for account creation, update, disable, and audit reporting.
Key IAM Technical system components & their functionality and sub-component descriptions
Request system – Provides business users with the ability to request creation, modification, revocation of user accounts, and to participate in user access reviews.
Authoritative Sources – Provides an authorized origination point or “system of record” for user identity data attributes.
Administrative Interface – Provides process and technical controls over user account administration processes via central and delegated administration functionality.
Provisioning – Manages the creation, modification, and revocation of user accounts according to defined security policies, provides unified view of user accounts and permissions across managed applications/systems, and reporting. The Provisioning component is also a means of propagating security policy, for example, by setting access rights on managed systems based on group memberships and/or role assignments.
Integration adapters and agents – Provides data feeds from Authoritative Sources to IAM “stack” components such as the provisioning engine and directory repository, data filters, formatting, unidirectional and bi-directional synchronization of identity and account attributes with connected systems, based on policy and rules.
Identity Repository – Foundational component that provides persistent storage of user identities, associated accounts and privileges for use by other IAM components.
Reporting – Automated reporting on identity controls for IAM integrated applications and systems.
Managed Resources – IAM integration provides lifecycle management of user accounts for applications, platforms, databases, or systems.
Provisioning solution context
Business users enter requests for creating, modifying, and revoking digital IDs, which are passed to IAM for processing and fulfillment. Managed resources may be integrated at process or technical levels. The following diagram illustrates the key aspects on a high level:
Recent Identity and Access Management Articles and Updates
- Access Control Categories
- Mitigating Access Control Attacks
- Identity and Access Management and the CISSP
- Understanding Access Control
- Communications and Network Security
- Software Testing & Acquired Software Security
- Security Governance Principals
- The CISSP CBK Domains: Info and Updates
- Vulnerability of Web-based Applications
- CISSP Risk Management Concepts 2
- Threat Modeling