SECURING THE ENTERPRISE:
Mitigating Cyber Risk With Identity & Access Management

@secureITsource
www.linkedin.com/company/secureitsource/

Contents
INTRODUCTION: Getting It Right With Identity Management
CHAPTER ONE: Lifecycle of Implementing An Identity Governance Framework
CHAPTER TWO: Is Your IAM Program Healthy?
CHAPTER THREE: Rein in Roles With Access Management
CHAPTER FOUR: Improving Identity Governance
ABOUT SECUREITSOURCE: Your IAM Provider
INTRODUCTION:
Getting It Right With Identity Management

The proliferation of technology, coupled with our dependence on the Internet and cloud-based solutions, has changed the way we work and share information. Many argue that data has surpassed oil in value in today's economy. While technological advances have afforded us many opportunities, they have also exposed the enterprise to numerous risks in the form of data breaches, such as the Equifax breach disclosed in 2017. As a result, security has become, now more than ever, the most critical concern for the modern enterprise. A robust security program ensures that the enterprise is equipped to meet the requirements of security regulations (SOX, PCI DSS, GDPR) and to safeguard the private, personal, and sensitive information of its customers. To be truly successful in this data-driven world, the enterprise needs not only an Identity & Access Management (IAM) Program, but also Privileged Access Management (PAM) as part of the formula for success.

In this e-book, you'll learn how to secure your organization by:
1. Determining whether your IAM Program is healthy and how to clean it up by reining in user roles through access management
2. Knowing the difference between IAM and PAM and how they work together to provide the best protection for your business
3. Successfully deploying a tailored security program that meets your organization's specific needs
CHAPTER ONE:
Lifecycle of Implementing An Identity Governance Framework

Comparing IAM implementations between organizations is a futile exercise. Regulation, compensating controls, and executive direction will not align between Company A and Company B. Instead of looking outside, it is much more productive to reflect and identify where your IAM Program stands as a service offering. As a yardstick in this discussion, we will use the Capability Maturity Model Integration (CMMI), developed at Carnegie Mellon University's Software Engineering Institute, and walk through its five levels.
Level 1: Initial State
All organizations start here. The product was purchased, perhaps without a realistic integration plan, and an appointed team sets out to learn how the various pieces fit together. Shoulder taps are common as the implementation team begins to learn the product's capabilities. Standards are created in an ad hoc manner, and some standards are quickly abandoned as new use cases begin to surface. Any success achieved with the implementation is the result of "heroes" and trench work instead of proven or repeatable processes. The team may still have some success, but that success comes at the cost of minor chaos, a longer time-to-market, and additional resource costs. At this point, the project probably lacks well-defined processes, but THAT'S OKAY. This is a starting point, and an opportunity to experiment and learn.

Level 2: Managed
Ah, finally we have defined some specific use cases and some definition is created around those use cases. We graduate to the second level as we begin defining the path to succeed with something specific. At this level, we create processes that suit the tactical wins around a use case and a specific problem to solve. Unfortunately, this level does not consider the big picture and spawns temporary fixes when the implementation team is presented with an emergency or resource constraint.
Level 3: Defined
Replication of ad hoc process deployments will only get you so far. To reach the "defined" level, we need to account for current as well as future use cases. This refined approach requires a proactive team to understand organizational objectives and plan for the future of the solution. Many modern enterprises are expanding to the cloud at a very high speed. Are the strategic processes in place to handle expansion to the cloud and beyond?

This level requires executive endorsement and an overarching, global view of the enterprise. If you have trouble attaining this level, it may be that you are lacking adequate executive participation and executive ownership.

Level 4: Quantitatively Managed
Now we are getting closer. At level 4, an enterprise has established quantitative objectives to identify high-level opportunities to take advantage of the solution that it has purchased. Measurable objectives are developed with priorities that begin to lead to a long-term vision.

The big picture starts to emerge, resulting in a more focused view of how high-value aspects of the solution can be used to make high-value and measurable improvements to the organization. A true plan starts to come together that prioritizes the strategy in terms of positive impact, cost, and time-to-market. The direction is now helping to move the project to the final stage – Optimizing.
Level 5: Optimizing
Once a deployment reaches the optimizing level, there should be plenty of data to reflect upon. Organizations at Level 5 have realized that automation and new features may take a back seat to fixing process and cleaning up data. Under-performing processes can be optimized. The organization can begin to exhibit true operational excellence and return maximum value to the business. While it might seem like utopia, organizations can reach this level with proper planning and the support of the Executive Team. Collaboration between the business, operations, technology, compliance, and HR can help drive the process, particularly for something as invasive as IAM. In addition, most organizations that reach this level have gone through five key strategic thought processes:
1. Envisioning: This includes workshops and architectural design sessions
2. Planning and preparation: Collaborative sessions across the enterprise to define the Program and the impact on multiple business groups
3. Credibility: Specific use cases are identified which demonstrate how the strategy works
4. Program expansion and sustainability: The appointment of key executives and business leaders to provide advisory input and continuously validate the Program Roadmap
5. Optimization: Continuous enhancement with a focus on the solution's primary capabilities that allow automation and consolidation of processes
CHAPTER TWO:
Is Your IAM Program Healthy?

In Scrum, there is a concept of "smells". They are simple signs that something may be wrong. They are not definitive or explicit identifiers, but rather a prompt to investigate potential problems further. The idea of smells is not only useful in Scrum, though. An IAM program can have smells too. Check your IAM program for the smells below. If any of them is present at your organization, it may be time to look for bigger problems.
1. Who Has Access to What?
Answering this question is the entire purpose of IAM. Can you answer it immediately? Can you do it for a population of people in the organization? If not, it is time to evaluate the weaknesses in your IAM program. Is the data organized and easily accessible? Is the access easily identifiable, or are the roles and groups ambiguous? Whatever the root cause of the smell, it is significantly hindering the performance of your IAM program.
2. It Takes a While to Get Access
In an ideal world, access would be granted automatically and instantaneously. That level of automation isn't practical for many organizations, but it does not mean that granting access should take a while. What is your average time to complete an access request? An hour? A day? If it takes more than a day to grant the type of access that virtually everyone in your organization has, there are likely some serious bottlenecks in your delivery process. For things like directory access and email that the bulk of the organization uses, automation usually has a good ROI. Does the process for granting access itself make sense? Low-risk requests should require simple approvals, if any. Approvers need to be accountable for completing requests in a timely manner. For manually fulfilled requests, there should be sufficient staff to handle the volume. These staff members should be well trained, and the processes should have as few bottlenecks as possible.
3. Changes Take Forever
If a simple change to your IAM system or processes takes a while, there may be a problem. Are you trying to fulfill unrealistic or unachievable requests? Often, others in the business will ask a lot from IAM. It is important to stay focused on the business value that you and others in the business are trying to add. Avoid the low-impact fluff that is difficult to add, and forget requests that are simply unrealistic. Additionally, you should validate that your organization's change management process can keep up with the changes. If not, you may need to work with the owners of that process to fix the bottleneck. Regardless of the reason, being unable to keep up with change is a sign of an unhealthy IAM program.
4. Changes Always Break Something
Are there problems configuring your IAM software? If so, perhaps you suffer from software fragility. Introducing something new should not break something that already exists. If this happens often, it is a strong smell that something is wrong. Fragility happens when corners are cut. This could be due to overly aggressive timelines, overburdened staff, or inexperienced software engineers or administrators. Regardless of the reason, cutting corners creates technical debt, and you pay interest on that debt every time something breaks on a change. Refactoring and redesign can be an expensive and time-consuming proposition, but if the downtime and lost productivity with every change are high, it makes for a strong business case to sell your IAM budget to the top brass. The health of your IAM program will most certainly benefit.
5. Supporting New Applications Is Difficult
Supporting new applications can be time consuming, especially for legacy or complex applications. However, it should not be overly difficult in the majority of cases. A number of factors can contribute to the difficulty in onboarding new applications. Is your IAM software or processes fragile, as mentioned above? Does the business have unreasonable requirements? Are application owners too busy or too stubborn to properly support the IAM onboarding process? Getting new applications introduced is a collaboration between all three parties: IAM, the application owners, and the business. If they are all doing their part, the hardest aspect of onboarding should be the technical challenges. If not, it will definitely smell, and should be addressed.

Of course, no IAM program is perfect. Very few get to an ideal state, but that does not mean that yours cannot be healthy and deliver business value consistently. These are just a few of the major problems that can plague an IAM program. However, diligence and focus in treating the ailments can bring even the most unhealthy programs back to life.
CHAPTER THREE:
Rein in Roles With Access Management

A fundamental dilemma that the modern enterprise needs to address is role definition. What is a role and what does it constitute? How fine-grained should you get in defining a role? Who should have the privilege to access highly sensitive assets, when, and how? Rein in roles by adjusting your organization's access model to restore the benefits of your Identity & Access Management Program and pave the way for integration with a PAM solution.
Role Explosion
Recall that a role is simply a set of references to entitlements. (E.g., an "Accounts Payable Manager" role may include the entitlements "Timesheet Preparer" and "Timesheet Approver.") Role explosion may occur when an access model is structured to contain roles that only represent a single entitlement. (E.g., "Timesheet Preparer" is its own role, and only contains the entitlement "Timesheet Preparer.")
The Problem With "1-Role-1-Entitlement"
The problem with "1-role-1-entitlement" is that the advantages of defining roles in the first place become overshadowed by a new issue: far too many roles. Symptoms will surface in application onboarding, certification/recertification, and maintenance tasks, all of which will consume too much time and suffer performance hits. Recertification of roles will certainly become burdensome, as a manager will need to certify the same (or nearly the same) set of roles for several employees. Clearly, many of these roles could be condensed into one broader role, with the few genuinely individual access rights provided separately. The access management process should be made as simple as possible so that standards and consistency emerge instead of complexity.

Modeling access at an organization also raises the question of what to do with privileged accounts. For example, an application may have a team of administrators who each have their own "admin" account, each able to perform more operations than a standard account. Additionally, some of these administrators may have access to a "sysadmin" service account that is built into the application. The key detail is that a user's privileged access should be deprovisioned when that user no longer requires it or leaves the organization. If the privileged user changes roles into one that does not need service account access, the service account itself remains intact, but the user should lose access to it along with any other access the new role does not require. Keep in mind that a user who has had access to a shared service account knows its password, and one with sufficient rights can even change the "sysadmin" password, so removing the user's access needs to be paired with rotating the credential. This is where privileged access management comes into play.
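The checks below are an added example, not code from the e-book or from any of the vendors it names. They run over a constructed role catalogue and a constructed set of user-to-role assignments (all role, entitlement and user names are illustrative) and do three things the chapter asks for: flag single-entitlement roles, find roles whose entitlement sets are identical and could be collapsed into one, and invert the model to answer "who has access to what" for a given entitlement. A count of user-role pairs is included because that is what a recertification campaign has to review.

```python
"""Spotting role explosion in an access model.

Added example, not from the e-book: a role-mining check over a constructed
role catalogue and user-to-role assignments. It flags roles that wrap a single
entitlement, roles whose entitlement sets are identical, and inverts the model
to answer "who has access to what" for one entitlement.
"""
from collections import defaultdict

# Constructed role catalogue: role name -> set of entitlements it references.
ROLES = {
    "Accounts Payable Manager": {"Timesheet Preparer", "Timesheet Approver", "AP Ledger Read"},
    "Timesheet Preparer": {"Timesheet Preparer"},  # 1-role-1-entitlement
    "Timesheet Approver": {"Timesheet Approver"},  # 1-role-1-entitlement
    "AP Clerk": {"Timesheet Preparer", "AP Ledger Read"},
    "AP Clerk (Legacy)": {"Timesheet Preparer", "AP Ledger Read"},  # same set as AP Clerk
    "Payroll Admin": {"Payroll Run", "Payroll Read"},
}

# Constructed assignments: user -> roles held.
ASSIGNMENTS = {
    "alice": {"Accounts Payable Manager"},
    "bob": {"AP Clerk"},
    "carol": {"AP Clerk (Legacy)"},
    "dave": {"Timesheet Preparer", "Timesheet Approver"},
    "erin": {"Payroll Admin", "Timesheet Approver"},
}


def single_entitlement_roles(roles):
    """Roles that reference exactly one entitlement: the 1-role-1-entitlement pattern."""
    return sorted(name for name, ents in roles.items() if len(ents) == 1)


def duplicate_roles(roles):
    """Groups of roles with identical entitlement sets; each group can collapse to one role."""
    by_ents = defaultdict(list)
    for name, ents in roles.items():
        by_ents[frozenset(ents)].append(name)
    return sorted(tuple(sorted(group)) for group in by_ents.values() if len(group) > 1)


def explosion_ratio(roles):
    """Share of the catalogue made up of single-entitlement roles."""
    return len(single_entitlement_roles(roles)) / len(roles)


def effective_entitlements(user, assignments, roles):
    """Union of the entitlements a user holds through all of their roles."""
    ents = set()
    for role in assignments.get(user, set()):
        ents |= roles.get(role, set())
    return ents


def who_has_access(entitlement, assignments, roles):
    """Invert the model: every user who holds the entitlement through any role."""
    return sorted(
        user for user in assignments
        if entitlement in effective_entitlements(user, assignments, roles)
    )


def certification_items(assignments):
    """Number of user-role pairs a recertification campaign has to review."""
    return sum(len(roles_held) for roles_held in assignments.values())


if __name__ == "__main__":
    print("single-entitlement roles:", single_entitlement_roles(ROLES))
    print("duplicate roles:", duplicate_roles(ROLES))
    print(f"explosion ratio: {explosion_ratio(ROLES):.0%}")
    print("Timesheet Preparer held by:", who_has_access("Timesheet Preparer", ASSIGNMENTS, ROLES))
    print("certification items:", certification_items(ASSIGNMENTS))
```

On the constructed data, two of six roles are single-entitlement wrappers and "AP Clerk (Legacy)" duplicates "AP Clerk", so the catalogue can shrink before any recertification campaign is launched. Against a real identity governance export the same functions apply unchanged; the only work is loading the role and assignment tables into the two dictionaries.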
Privileged Access Control
In Gartner's 2018 Magic Quadrant for Privileged Access Management, it was noted that by 2021, 40 percent of organizations that use formal change management practices will have integrated a PAM tool into them, up from 10 percent in 2018. According to BeyondTrust's 2015 report "Privilege Gone Wild", which collected over 700 responses from information security professionals, 47 percent of respondents acknowledged that their users continued to hold privileged access that was unnecessary for the duties of their roles, even though the majority of participating organizations had a PAM solution in place. Gartner's 2018 report indicates that few organizations are managing privileged access effectively. When roles are improperly defined and provisioned, security risks follow.
CHAPTER FOUR:
Improving Identity Governance

IAM covers a considerable portion of the information security domain, from providing employees and customers with access to systems and applications, to managing the lifecycle of the accounts used to access them. IAM can create "identities" that encapsulate a user's access to assets in the organization, or at least most of them. It is also decent at providing a workflow for requesting access to most applications, and it can provide single sign-on so that users log into these accounts with a single password. But the scope of most IAM products is at the application level. They do not consider access to servers, hardware consoles, and network devices, and when they do, they do not secure those systems proficiently. That is why very few products attempt to tackle both IAM and PAM.
IAM vs. PAM
Privileged access refers to accounts that have elevated permissions on a system. The person with access to a privileged account typically has full access to the system and can perform actions that an organization may not want to allow. IAM may provision a user into the correct security group to be able to access a server, but it cannot control how the user accesses the server or what the user does while logged in.

This division between access to applications hosted on systems or in the cloud, and access to the systems and cloud consoles themselves, is why two products are needed to cover the full scope of identity governance in an organization. Some products are starting to address both IAM and PAM, but we highly recommend that our clients consider separate "best-of-breed" solutions for each use case. It should also be noted that IAM and PAM Programs are distinctly different.

While there are intersections in practice, they have their own maturity paths and should be managed separately. IAM is intended to manage access to the application, as opposed to managing elevated access. Elevated credentials should have limited exposure and be rotated frequently. The administrators of an application may have server access, but application administrators and system administrators are not mutually exclusive groups. You may have business users administering a line-of-business application and an engineer administering the server that runs it. While both scenarios provide privileged access, they provide access to different things, with varying consequences if their accounts were to be compromised.

PAM can be used in both scenarios, securely storing account passwords and tapping into applications and servers to change passwords periodically. Additionally, PAM can provide isolated and monitored sessions to applications and systems. While PAM is typically oriented towards access to servers and network devices and IAM is focused on access to applications, the two join forces to create an auditable, secure channel for all identities, whether human or not, so that all can accomplish their jobs.
Why You Need Both IAM and PAM
Many organizations use shared accounts to manage systems. They may also have service accounts to manage applications and the interactions between those applications. These accounts likely do not belong to any specific person (although every account should have an owner) and thus are often left out of identity governance. However, these accounts are among the most important in your ecosystem and, if compromised or used maliciously, can cause the most damage. Using both IAM and PAM tools in an overall identity governance program helps secure privileged and non-privileged, human and non-human accounts by tracking the identity that uses each account. The lifecycle of privileged accounts, including provisioning and deprovisioning, can be kicked off automatically by rules in the IAM system. Directory services can be enhanced by feeding identity information back and forth between the systems. An advanced integration can provide capabilities such as limiting the privileges an identity has on an account and providing analytics on the use of these accounts across the enterprise.
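One way to drive that lifecycle from IAM rules is a reconciliation job: IAM (fed by HR) is the source of truth for who should be able to check out each privileged account, the PAM system holds the actual safe membership, and the difference between the two produces grant, revoke and password-rotation actions. The following is an added example and not code from the e-book or from any IAM or PAM product; the role-to-account map, the identity feed, the PAM membership snapshot and every user and account name in it are constructed for illustration. It covers the three cases the chapters describe: a joiner whose role entitles them to an account they do not yet hold, a mover whose new role no longer needs the "sysadmin" service account, and a leaver, plus the orphan case of a PAM member who has no identity record at all. Because a removed member of a shared account still knows its password, a rotation action is emitted for every account that loses a member.

```python
"""Reconciling PAM safe membership against IAM role data.

Added example, not from the e-book or any vendor product. IAM is treated as
the source of truth for who should hold each privileged account; PAM holds
the actual membership; the diff yields grant, revoke and rotate actions.
All roles, accounts and users below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed role catalogue: which PAM-managed accounts each role entitles a user to.
ROLE_PRIVILEGED_ACCESS: dict[str, set[str]] = {
    "App Admin": {"app-sysadmin"},              # shared service account built into the app
    "Server Engineer": {"root@app-server-01"},  # host-level account
    "AP Clerk": set(),                          # business role, no privileged access
}


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset[str]
    active: bool  # False once HR/IAM marks the person as terminated


@dataclass(frozen=True)
class Action:
    kind: str          # "grant", "revoke" or "rotate"
    account: str
    user: str | None   # None for account-level actions such as rotate
    reason: str


# Constructed identity feed from IAM/HR.
IDENTITIES = [
    Identity("alice", frozenset({"App Admin"}), True),
    Identity("bob", frozenset({"AP Clerk"}), True),            # mover: used to be App Admin
    Identity("carol", frozenset({"Server Engineer"}), False),  # leaver
    Identity("dave", frozenset({"Server Engineer", "App Admin"}), True),
    Identity("frank", frozenset({"App Admin"}), True),         # joiner, not yet in PAM
]

# Constructed snapshot of PAM safe membership: account -> users who can check it out.
PAM_MEMBERS = {
    "app-sysadmin": {"alice", "bob", "dave"},
    "root@app-server-01": {"carol", "dave", "erin"},  # erin has no IAM identity at all
}


def expected_members(identities, role_access):
    """Who *should* hold each account, derived from active identities and their roles."""
    expected = {account: set() for accounts in role_access.values() for account in accounts}
    for ident in identities:
        if not ident.active:
            continue
        for role in ident.roles:
            for account in role_access.get(role, set()):
                expected[account].add(ident.user)
    return expected


def reconcile(identities, role_access, pam_members):
    """Diff expected against actual membership and emit the actions PAM should apply."""
    known = {ident.user: ident for ident in identities}
    expected = expected_members(identities, role_access)
    actions = []
    for account in sorted(set(expected) | set(pam_members)):
        should = expected.get(account, set())
        actual = pam_members.get(account, set())
        for user in sorted(actual - should):
            if user not in known:
                reason = "no identity record"
            elif not known[user].active:
                reason = "identity terminated"
            else:
                reason = "role no longer grants access"
            actions.append(Action("revoke", account, user, reason))
        for user in sorted(should - actual):
            actions.append(Action("grant", account, user, "role grants access"))
        if actual - should:
            # Anyone removed may still know the shared credential, so it must be rotated.
            actions.append(Action("rotate", account, None, "member removed from shared account"))
    return actions


if __name__ == "__main__":
    for action in reconcile(IDENTITIES, ROLE_PRIVILEGED_ACCESS, PAM_MEMBERS):
        print(action.kind, action.account, action.user or "-", action.reason)
```

The orphan case matters in practice: a PAM member with no identity record is exactly the shared or service account access that "does not belong to any specific person" and would otherwise never be reviewed. Treating the IAM feed as authoritative surfaces it on every run rather than only at the next manual certification.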
ABOUT SECUREITSOURCE:
Your IAM Provider

secureITsource was founded with the goal of raising the bar and changing the status quo in IAM consulting and professional services. Our proprietary methodology and approach were developed under the premise of doing a few things, but doing them better than anyone else. Our select list of IAM/PAM software partners consists of best-of-breed technologies, including SailPoint, Okta, CyberArk, and ForgeRock. The secureITsource advantage is perspective. Our management and consulting team comes from a variety of industry backgrounds, including financial services, healthcare, government, manufacturing, consulting, and transportation. We have been on both sides of the desk, and we understand the realities and challenges of successful IAM. Our goal is to work collaboratively as an extension of your team to achieve your IAM Program goals.