The IAM Maturity Model
@secureITsource
www.linkedin.com/company/secureitsource/
www.secureitsource.com
secureITsource © 2019. All rights reserved. The information contained in this document is proprietary to secureITsource and shall be used solely for educational purposes. Reproduction of any part of this document is not authorized.
Contents
INTRODUCTION: Preface (page 4)
CHAPTER ONE: Maturity Model (page 6)
CHAPTER TWO: Identify (page 13)
CHAPTER THREE: Certify & Categorize (page 16)
CHAPTER FOUR: Automate (page 18)
CHAPTER FIVE: Manage Risk (page 22)
CHAPTER SIX: Evaluate & Enhance (page 24)
IAM MATURITY MODEL CHECKLIST (page 27)
ABOUT SECUREITSOURCE: Your IAM Provider (page 30)
The IAM Maturity Model at a glance
IDENTIFY
IAM Level One • Build Environment • Standardize
IAM Level Two • Data Clean Up • Attribute Sync
CERTIFY & CATEGORIZE
IAM Level Three • Certification • Identify Privileged Accounts
AUTOMATE
IAM Level Four • Termination process (LCM)
IAM Level Five • Password Sync • User Password Management • Single Sign On
IAM Level Six • Organizational Roles and Birthright • Departmental Roles
IAM Level Seven • Other LCM (Joiner, Mover) • Access Request
MANAGE RISK
IAM Level Eight • Risk Levels for Entitlements • Risk Levels for Roles • Separation of Duties • Risk-Based Certifications
EVALUATE & ENHANCE
IAM Level Nine • Review Processes • Update/Improve Processes
INTRODUCTION:
Preface
In almost all disciplines, the notion of "maturity" is a thought-provoking topic. Since many ask what "maturity" is, a myriad of ideologies have emerged to define it. Identity and Access Management (IAM) is no exception. Some ideologies are derived by the solution providers, while others come from the consulting community to provide "objectivity" to the definition. Most of the models that are developed are high-level and used to bring potential customers to the table to talk about their IAM plan. Regardless of the approach or the source of the theory, there are many differing views.
The IAM Maturity Model developed in this paper is not offered as right or wrong, but as a perspective from which to consider the many different sides of a topic that is as complex and invasive as Identity. Both functionality and approach are important in the grand scheme of a successful IAM program. In this whitepaper, we have tried to build an IAM Maturity Model that introduces provocative questions that help an organization determine its level of maturity, together with a healthy roadmap to IAM Maturity. These questions lead to defined targets and steps that beg the question, "What is IAM Maturity to us?"
IAM Journey
Identity and Access Management (IAM) is a journey. As a security organization focused on identity, we talk about the journey frequently. Conceptualizing and understanding what the journey entails is difficult, particularly if you have not been through it before. The model presented here is developed to give our clients perspective on what the journey entails. The model does not provide a timeline. However, it does help to qualify and quantify the IAM journey by building the roadmap to IAM Maturity. Prior to setting out on this journey, you must first understand why you are setting out on it and why it is important to you in the first place. Executive support and endorsement are critical; without them, the IAM journey will end quickly in failure.
Identity Governance and Administration – It's not a Pursuit, It's a Culture
The term Identity Governance and Administration, and the associated acronym "IGA", are loosely defined and frequently overused. Too many times, it is about a specific tool and trying to fit a process into a tool, or a tool into a process. Unless your process and data are already perfect, this will never work to achieve your long-term strategy. Alternatively, we find that it helps our clients to think of Identity Governance as an organizational standard. Standards are built around business, technology, operations, and legal requirements. If you approach Identity Governance as a standard, you quickly realize that the most important ingredients are the purpose and the mindset (the culture, especially at the executive level). If the culture is not present, deploying something as invasive as an IAM Program will be extremely hard, if not impossible. For this reason, it is highly recommended to conduct workshops and readiness assessments that help to bring the mindset to the equation. Identity Governance, when executed the right way, establishes accurate and repeatable processes. The culture that it creates ensures that the organization does not have to reinvent the wheel each time a new use case or IAM challenge arises; instead, the new use case is solved using the standard/framework that has been established. The IAM Maturity Model starts at IAM Level 0 and evolves to IAM Level 9. There is no timeline around the journey, but rather a checklist of tasks that should be considered to meet the maturity level requirements. It is not expected that 100% of the tasks are completed before subsequent tasks are started; however, the goal should be to complete as much as possible at each level to better enable your organization for success. The achievement of each level is predicated on establishing technical and cultural adoption that includes standards and repeatability.
CHAPTER ONE:
Maturity Model
Understanding your current state is an imperative first step when it comes to assessing your Identity and Access Management program. If your organization doesn't have an IAM program, you would probably be classified at IAM Level 0.
IAM Level 0
At IAM Level 0, there are no standards (or very few of them), and there is no IAM culture. In the modern enterprise, IAM Level 0 is not sustainable for long before regulatory/audit issues arise, or a data breach occurs that causes irreparable harm.
Current State - IAM Level 0
• Access across the organization is unknown
• Access is requested by phone, email, and/or through multiple portals
• New employees are unproductive for days and perhaps weeks due to lack of access
• Service tickets are actioned manually
• Provisioning is manual
• Accounts are created by copying a similar employee's accounts
• De-provisioning is manual
• Certification processes are manual
Risks
• Copying accounts can give a user additional access that is not required
• Elevated access is provisioned without validation
• Certifications are immediately outdated, and take a long time to complete
• The organization is exposed to regulatory issues, audit issues, and potential breach
A proactive organization at IAM Level 0 that intends to embark on the IAM journey will require executive-level support and participation to ensure that it is ready to invest the time and budget to begin. The thought process should go as follows:
• Consciously making the decision to establish a modern identity culture
• The appointment of executive steering and accountability for the journey
IAM Level 0 readiness - the hard questions:
• What are the business drivers?
• What defines success?
• To which compliance standards does the organization adhere?
• Where are the organization's greatest exposures, and what needs to be addressed first?
IAM Level 0 readiness - what is our current state?
• Conduct assessments to establish if the organization is really at IAM Level 0
• Participate in workshops with business, operations, technology, human resources, and legal to establish the baseline (where are we?)
• Determine the minimum standards that are in scope for the journey
The IAM program (IAM Level 1 – IAM Level 9)
You may not be ready for an advanced IAM Program. Regardless, it is imperative to establish a baseline of what you want to achieve in IAM before considering an IAM program. Establishing a realistic budget, timelines, and resource allocation will be key to building a successful roadmap.
• Interview solution providers in an objective manner, and be sure to specifically address the minimum standards you want to achieve
• Evaluate solution providers in terms of their capacity to achieve your minimum standards
• Prioritize the requirements for the program based upon ROI, business value, and risk to the organization
• Develop a phased deployment model that achieves the goals you set for your program
The outcome of IAM Level 0 needs to be your IAM program roadmap. The outcome should also answer the following questions: How far will you go on the journey? What will you spend? What partners will you choose? Most importantly, success at Level 0 is establishing an IAM culture that results in standards, frameworks, and repeatability.
Choosing The Right Software Solution
A solution on its own will not solve your IAM pain, but the right solution will make your journey much easier. The goal of the right solution is to address your IAM roadmap and to define specifically what you are trying to solve. At this stage, it is most important to consider the basic questions of what you want to accomplish and how committed you are to the IAM journey.
The Solution's "Out-of-the-Box" Functionality
The basic capabilities of a solution are a crucial decision that will impact everything that you can do with the product "out of the box." Out of the box means what the manufacturer intended for the product without significant customization.
You should consider features that are available for compliance, process automation, the integration of specific applications, and access requests. An important consideration is the integration with a Privileged Access Management (PAM) solution to ensure that your organization's most sensitive assets are managed through your identity governance system. Simply put, your product selection will impact everything that is on your long-term IAM roadmap. Choosing the wrong solution means that you may hit roadblocks for objectives you established on your roadmap. While roadblocks can be overcome, they will inevitably delay your progress and increase the cost of achieving your goals.
Roadmap
What is the organization's short- and long-term strategy for adding functionality? You should be prepared to establish a three (3) year plan that also includes periodic reviews with your IAM vendors to better understand their product roadmap as well as the competitive landscape. The roadmap process is one that you will not want to go through alone, whether you utilize an industry expert or industry research (Gartner, Forrester, KuppingerCole). The roadmap strategy must be owned by your executive team and include feedback from your business teams, as they are the ultimate beneficiary of your IAM Program.
Vendor Recommended Approach One path to researching the solution market is by working with the vendors directly. Buyer-beware – even if you choose the most expensive, market-leading solution, the successful deployment of the solution is only as good as your approach and your plan. While most vendors have a recommended approach, you have to keep in mind that their approach is very tactical (focused on deployment and going into production vs. reaching milestones and functionality throughout the IAM Journey). This approach may entail multi-tasking, such as gathering requirements while doing development (not recommended). While it may appear to be a path to quick wins, it puts less emphasis on defining specific targets and requirements, and more emphasis on getting the software into production. A roadmap with defined requirements is a key component to your program’s success and abandoning that best-practice can quickly lead to scope creep and budget issues due to poor planning and “redo’s.”
Customer References
Each vendor should have enough customers in your geographic location to provide references. Some things to consider asking about include customer retention (AKA renewal rate), successful multi-year implementations, issue resolution, case support, on-time and on-budget projects, and the ROI their customers are generating by deploying the solution.
Partner Community
The partner community of resellers and certified deployment partners will be indicative of your solution vendor's success. A substantial partner community of successful resellers and implementation partners is a good sign, of course. Some things to check in this category include training and certification offered to partners, customer success programs, and the number and quality of technology partners (with native integrations). Finding a list of partners should be as easy as going to the vendor's website.
Independent Research Firms
Gartner, Forrester, and KuppingerCole can be excellent sources of information. While independent research is good, be cognizant that you can't believe everything you read. You should utilize a multi-pronged evaluation approach to get the most objective opinions from many different sources.
How Vested is the Vendor in Identity Governance? New companies appear all the time, and there are massive companies that have a small stake in IAM (essentially their primary revenue driver is not IAM). If your investment is in Identity Governance, you should focus some of your research towards understanding the solution provider’s investment in R&D. Identity solutions change as the landscape changes, and Identity Governance is constantly being reinvented. You will want to make sure that the vendor you select is at least as invested as you are in your IAM Program.
Choosing a Delivery Partner
Choosing a delivery partner is more important than choosing a solution. The company you decide to work with will be your partner over the next few years and will need to be accountable for the solution that they implement. Each partner will have their own methodology with regard to the best approach for delivery. There are some simple things to consider when picking a partner.
Implementation Methodology
Your deployment partner's approach must be in line with your business drivers. This is the moment your implementation partner should shine in providing best practices, industry standards, and an informed approach that is centered around the business case. Most solutions can be customized, but customization comes at the high price of a non-standard code base that must be meticulously documented so that it can be re-deployed down the road if required. Best practices come from the "been there, done that" experience of your implementation partner. If your partner is experienced with the product you have chosen, they will be well aware of the potential "gotchas" and pitfalls that can occur in your environment.
Question Everything
Each solution was built in a specific way for a specific reason. If the default response is "Yes" rather than "Why," you need to question the response. If you choose the right partner, they will listen to your requirements and help you to align the approach to achieve those goals. If a potential partner appears "too good to be true," and the price, functionality, and timelines appear overly ambitious, that is probably the case. Failures result from trying to achieve too much all at once. Cutting corners in defining the program objectives will be detrimental to the success of your program. The best approach is to define incremental wins and build a solid foundation that you can build upon. Your foundation will be your only assurance of success, regardless of how far you go in the IAM journey.
Is Your Partner a True Expert in the Solution You Have Chosen? It can be opportunistic for a professional services firm to work with as many solutions as possible. While they may have the diversity of experience, they may also lack the SME depth and knowledge that is required to be an expert. Investments in training, certification, and developing experienced professionals with a single product can be daunting to achieve. Your partner should have a mature and recognized practice focused on the solution that you choose. Their practice team should be able to deliver an end to end solution with a dedicated delivery team that includes experienced Solution Architects, Developers, and Engineers. The practice and delivery team should have collaboration channels with the solution partner and a direct support process for escalating to the vendor when challenging situations arise. Inexperience can cause your timelines and project deliverables to extend past agreed upon deadlines. A lack of specific product knowledge and best practices may result in significant rework. Your implementation partner should be able to demonstrate their experience through customer references, case studies, and articles/whitepapers/eBooks that speak to the experience of their team.
Critical Takeaways in Your Search for an Implementation Partner
• If a consulting firm assisted you with your workshops and assessments, that same partner would be an ideal choice for the implementation phase (provided they possess the product deployment expertise). They know your team, your culture, and your environment, which will save time and cost.
• Ensure that your deployment partner's standard practices meet the requirements of your organization. Examples of standard practices include project methodology, documentation standards, and "go-live" procedures.
• Be wary of a partner that emphasizes deploying extensive features and functionality of the solution in the early stages of your journey. Features and functionality are tempting because they show progress in a measurable manner; however, the early stages of your program are not the right time to deploy them, and doing so will take you off course.
CHAPTER TWO
Identify
The foundation of any complex process is to understand what you have to work with in terms of data and the sources of that data. We call the first phase of the IAM Maturity Model "Identify." It is focused on learning about your environment and building the basic framework of an identity program, which is the data itself. The types of data that you have, where it originates, and how it is organized will impact everything that you can achieve in the long term. If the data is not clean or easily accessible, then how can it be trusted? Are there multiple sources of truth, AKA "Authoritative Sources," that may conflict with each other? Certainly, you have heard the familiar adage, "garbage in, garbage out." For this reason, the start of our journey is to ensure that we have clean data, trustable sources, and good process. Given the amount of money and time you have budgeted to get this right the first time, this is a phase where you cannot cut corners. The foundation that you build during this phase will impact the success of everything that you do in subsequent phases. Take your time in these early phases, as it will pay dividends in the long term.
IAM Level 1 Environment Build
Embarking on the Identity and Access Management (IAM) journey is never without struggles. IAM can be one of the most intrusive initiatives that your organization will ever undertake. And, like a tall skyscraper, it is important to build a strong foundation. How you approach the implementation of the first few levels will determine how successful your IAM program will be in the future. While it may be time consuming and offer limited operational efficiencies initially, taking the time to do things the right way will allow your program to grow faster and to be more agile in the future. At this point, you have chosen an IAM solution, identified an implementation approach, and defined your roadmap. At IAM Level 1 you must ensure that you have built your solution to match your long-term goals.
During the Environment Build phase you will be focused on the following:
• Connecting or onboarding authoritative sources
• Connecting or onboarding application sources, through out-of-the-box connectors, direct API/web service connectors, JDBC connectors, or flat files
• Basic solution configuration
• Creation of identities from the authoritative sources
• Linking (correlating) application source accounts to identities
Reviewing the accounts that have been correlated is important at this phase. This will provide you with a very high-level understanding of underlying inconsistencies and will also provide insight into standards that can be used across your organization.
Standardization
It is natural to want to implement some form of automation at this phase. However, it is important to curb those desires and continue to focus on building the foundation. In the standardization phase, the first step is to draw a line in the sand and to develop the standards that will apply from now on. Standards keep your environment consistent, set expectations for the future, and make your environment easier to maintain. Having standards will allow for the successful deployment of automation in the future. Automation includes Single Sign On (SSO), Password Management, and automated provisioning and de-provisioning.
There are five core standards that you must consider:
• Usernames: the account name that identities in your organization use to log into applications
• Password policies: consistent password requirements across all applications
• Audit requirements: the minimum information that you must be able to show auditors for each application
• Logging: actions that should be logged or tracked
• Retention: how long data should be stored, or how long accounts should be retained
IAM Level 2 Data Clean-up
It is one thing to draw a line in the sand to implement processes and standards going forward, but what about legacy data? Cleaning up your data is a task that can take years to fully accomplish. There are many important factors to consider when you begin the process of cleaning up legacy data:
• What is the user impact?
• Are there sufficient benefits that offset the risk of a potential business disruption?
• How long will the current user community be using this application? What does the future hold for the application?
While there are some risks, the default approach should be data clean-up and standardization across the enterprise. A truly valid business case should be the only impediment to initiating a data clean-up program across as many parts of your organization as possible. The purpose of the data clean-up phase is to reduce your account base to only those accounts that are required, and to ensure the required accounts fall within the standardization policies. Accounts that are not associated with an identity should be a red flag. These accounts should be reviewed very carefully and disabled or removed if not necessary (this should be performed according to the organization's policy). If the accounts are required, they should be associated with an identity; service and shared accounts are the usual source of these, and giving each one a named owner is what brings it into scope for certification later.
The modification of accounts to match the standardization policies should begin during this phase. The process will likely continue for the duration of your IAM implementation. Keep in mind that completion of data clean-up is not a requirement to move into the next level of IAM, but the process should be started at this point of your IAM journey.
Attribute Sync
Now that you have verified the account base and each account is associated with an identity, it is important to ensure that this information is replicated and synchronized across all applications. The attribute syncing phase will ensure that attributes used in more than one application have the same value in all applications. Attributes that are out of sync will cause confusion and result in gaps in your standards. Any time an attribute is changed in its authoritative application, the change should update the identity attribute and be pushed to all the other associated applications. Define exactly one authoritative source per attribute; if two applications are both allowed to write the same attribute, the sync will ping-pong between conflicting values.
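The correlation, orphan-flagging and attribute-sync steps described for Level 1 and Level 2, as one added illustration in Python. This is not code from the whitepaper or from any IAM product; the HR feed, the two application exports, the per-application correlation rules and the attribute map are all constructed for the example, and HR is assumed to be the authoritative source for every attribute shown.

```python
"""Account correlation, orphan detection and attribute sync (IAM Levels 1 and 2).

Added illustration; not code from the whitepaper or from any IAM product.
The HR feed, application exports, correlation rules and attribute map are
constructed for this example. HR is assumed to be authoritative for every
attribute in ATTRIBUTE_MAP.
"""

# Constructed authoritative source (HR) records: one per identity.
HR_FEED = [
    {"employee_id": "1001", "email": "a.lee@example.com", "department": "Finance"},
    {"employee_id": "1002", "email": "b.kim@example.com", "department": "IT"},
]

# Constructed application account exports. Each application keys accounts
# differently, so correlation rules are per application.
APP_EXPORTS = {
    "erp": [
        {"login": "alee", "email": "a.lee@example.com", "department": "Finance"},
        {"login": "bkim", "email": "B.Kim@example.com", "department": "Engineering"},
        {"login": "svc_backup", "email": "", "department": ""},
    ],
    "crm": [
        {"username": "1001", "mail": "a.lee@example.com", "dept": "Finance"},
        {"username": "old_admin", "mail": "", "dept": ""},
    ],
}

# Per application: (account field, identity field) that must match for a link.
CORRELATION_RULES = {"erp": ("email", "email"), "crm": ("username", "employee_id")}

# Per application: identity attribute -> account field that must carry the same value.
ATTRIBUTE_MAP = {
    "erp": {"department": "department", "email": "email"},
    "crm": {"department": "dept", "email": "mail"},
}


def correlate(hr_feed, app_exports, rules):
    """Link application accounts to identities.

    Returns (linked, orphans): linked maps employee_id -> {app: account};
    orphans lists (app, account) pairs that no identity claims. Matching is
    case-insensitive so a differently cased email still correlates.
    """
    linked = {rec["employee_id"]: {} for rec in hr_feed}
    orphans = []
    for app, accounts in app_exports.items():
        acct_field, id_field = rules[app]
        index = {rec[id_field].lower(): rec["employee_id"] for rec in hr_feed}
        for acct in accounts:
            owner = index.get(str(acct.get(acct_field, "")).lower())
            if owner is None:
                orphans.append((app, acct))  # red flag: review, then disable per policy
            else:
                linked[owner][app] = acct
    return linked, orphans


def sync_attributes(hr_feed, linked, attr_map):
    """Push the authoritative value of each mapped attribute to every linked account.

    Returns the changes made as (employee_id, app, field, old, new) so the run
    can be audited and, if necessary, reversed.
    """
    changes = []
    by_id = {rec["employee_id"]: rec for rec in hr_feed}
    for emp_id, accounts in linked.items():
        identity = by_id[emp_id]
        for app, acct in accounts.items():
            for id_attr, acct_field in attr_map[app].items():
                old, new = acct.get(acct_field), identity[id_attr]
                if old != new:
                    changes.append((emp_id, app, acct_field, old, new))
                    acct[acct_field] = new
    return changes


def run():
    """Correlate, then sync; returns (linked, orphans, changes)."""
    linked, orphans = correlate(HR_FEED, APP_EXPORTS, CORRELATION_RULES)
    changes = sync_attributes(HR_FEED, linked, ATTRIBUTE_MAP)
    return linked, orphans, changes


if __name__ == "__main__":
    linked, orphans, changes = run()
    for app, acct in orphans:
        print(f"ORPHAN {app}: {acct}")
    for change in changes:
        print("SYNC", change)
```

Running it flags the two accounts that no HR record claims (`svc_backup` in the ERP export and `old_admin` in the CRM export) and corrects the one linked account whose department and email casing drifted from HR. In a real deployment the orphan list feeds the review-and-disable step and the change list feeds the audit log; both are returned rather than printed so they can be acted on.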
CHAPTER THREE
Certify & Categorize
In the Certification and Categorization phase, your organization will start the process of defining and implementing ongoing access certifications, as well as categorizing the types of accounts within your environment.
IAM Level 3 Certification
A primary objective of your IAM program is to maintain compliance. However, at this stage in your IAM maturity, the organization has a limited understanding of user access. The Certification phase is an effort to better understand individual user access by initiating a certification campaign. The initial certification campaign for user access will likely be painful, as there will be a significant amount of data to review. Department and business unit managers should be involved in the initial certification campaign and work directly with the staff conducting the campaign for their team. We also recommend working closely with a consulting partner who can bring experience, best practices, and proven methodologies that will save your organization time and frustration. Certification and recertification are an iterative process. You will not solve all of the pain on the first campaign. The initial certification process is required to clean up as much data as possible and to identify and remediate any blatant access issues that may be present within the organization. It is also intended to represent an initial review which can be shared with your internal auditors or any third-party auditors as a demonstration of progress. The first campaign can take a great deal of time, depending upon the size and complexity of your organization. Keep in mind that it is intended to establish the framework for better processes and that it will improve with each subsequent recertification. The recertification schedule should be planned with intended goals for each subsequent cycle. If you can remove just 10 percent of the work on each subsequent cycle, you should start to see measurable results within the first year. There will be additional benefits to your recertification program as you enter subsequent stages of the IAM Maturity lifecycle. As identities, entitlements, and access become better defined, you will see measurable improvements in the time and effort dedicated to access recertification.
Identifying Privileged Accounts
Identifying Privileged Accounts should be easier to accomplish at this point in your maturity. By initiating data clean-up and completing your first certification campaign, the majority of accounts that have elevated access should have been identified. These accounts should be labeled as Privileged Accounts, and the policies and access rights for those accounts should be clearly defined. If your organization has a Privileged Access Management (PAM) Program, these accounts should be managed by the PAM solution. This is also a good time to integrate your IAM and PAM solutions for better account management. Depending upon the solution you have chosen for both IAM and PAM, native integrations may already exist to make this process easier. Your service partner should be able to assist you with these integrations in order to take advantage of "out-of-the-box" features that are available with your software.
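The campaign mechanics described in this chapter (items grouped by reviewing manager, decisions applied, privileged entitlements surfaced for PAM), as an added illustration that is not code from the whitepaper or from any governance product. The users, their current access, the manager assignments, the list of privileged entitlements and the reviewer decisions are all constructed for the example.

```python
"""Access certification campaign with privileged-account tagging (IAM Level 3).

Added illustration; not code from the whitepaper or from any product.
Users, entitlements, managers, the privileged-entitlement list and the
reviewer decisions below are constructed.
"""
from collections import defaultdict

# Constructed current-state access: identity -> list of (application, entitlement).
ACCESS = {
    "1001": [("erp", "AP_Clerk"), ("erp", "AP_Approver"), ("crm", "Reader")],
    "1002": [("ad", "Domain Admins"), ("erp", "AP_Clerk"), ("crm", "Reader")],
    "1003": [("erp", "AP_Clerk")],
}
MANAGER = {"1001": "M1", "1002": "M2", "1003": "M1"}

# Constructed list of entitlements that confer elevated access.
PRIVILEGED = {("ad", "Domain Admins"), ("erp", "AP_Approver")}


def build_campaign(access, manager, privileged):
    """Group every (user, app, entitlement) triple under its reviewing manager.

    Privileged items are flagged and sorted first so reviewers see them before
    the bulk of routine access.
    """
    campaign = defaultdict(list)
    for user, grants in access.items():
        for app, ent in grants:
            campaign[manager[user]].append({
                "user": user, "app": app, "entitlement": ent,
                "privileged": (app, ent) in privileged,
                "decision": None,
            })
    for items in campaign.values():
        items.sort(key=lambda i: (not i["privileged"], i["user"], i["app"], i["entitlement"]))
    return dict(campaign)


def apply_decisions(campaign, decisions):
    """Record reviewer decisions.

    decisions maps (manager, user, app, entitlement) -> "approve" | "revoke".
    Returns (revocations, undecided): revocations are (user, app, entitlement)
    triples to remove; undecided items stay open and block campaign close-out.
    """
    revocations, undecided = [], []
    for mgr, items in campaign.items():
        for item in items:
            key = (mgr, item["user"], item["app"], item["entitlement"])
            item["decision"] = decisions.get(key)
            if item["decision"] == "revoke":
                revocations.append(key[1:])
            elif item["decision"] is None:
                undecided.append(key)
    return revocations, undecided


def privileged_accounts_for_pam(campaign):
    """Users who keep an approved privileged entitlement: candidates for PAM onboarding."""
    return sorted({i["user"] for items in campaign.values() for i in items
                   if i["privileged"] and i["decision"] == "approve"})


def campaign_metrics(campaign):
    """Item counts used to measure the 'remove 10 percent per cycle' goal."""
    total = sum(len(v) for v in campaign.values())
    decided = sum(1 for v in campaign.values() for i in v if i["decision"] is not None)
    return {"items": total, "decided": decided, "open": total - decided}


def run():
    campaign = build_campaign(ACCESS, MANAGER, PRIVILEGED)
    # Constructed reviewer decisions; M1 has not yet reviewed 1003.
    decisions = {
        ("M1", "1001", "erp", "AP_Approver"): "revoke",
        ("M1", "1001", "erp", "AP_Clerk"): "approve",
        ("M1", "1001", "crm", "Reader"): "approve",
        ("M2", "1002", "ad", "Domain Admins"): "approve",
        ("M2", "1002", "erp", "AP_Clerk"): "revoke",
        ("M2", "1002", "crm", "Reader"): "approve",
    }
    revocations, undecided = apply_decisions(campaign, decisions)
    return (campaign, revocations, undecided,
            privileged_accounts_for_pam(campaign), campaign_metrics(campaign))
```

The revocation list is what the provisioning connectors consume after the campaign closes, and the PAM candidate list is the hand-off to the PAM program mentioned above. Undecided items are returned explicitly rather than defaulting to "approve": an unreviewed item silently treated as approved is the classic way a certification becomes a rubber stamp.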
CHAPTER FOUR
Automate
The Automation Phase is really the core of your IAM program. The main objectives of this phase include:
• Securing access and enforcing security policies and procedures
• Automating provisioning and de-provisioning processes, which yields an accurate and repeatable account management process
• Establishing password uniformity across the organization by creating standards and automating password workflows
IAM Level 4 Lifecycle Management: Termination Process
At this point, your organization has begun to identify and validate access. This begs the question, "How do you maintain these standards and policies?" The answer is automation, specifically Lifecycle Management. As mentioned previously, your organization's reason for implementing an IAM solution and IAM process is heavily influenced by compliance, not necessarily functionality. Now that you have built a solid foundation, you will want to enable functionality and processes that ensure the baseline is repeatable. Lifecycle Management – Leaver (also known as Termination) is one such process. The Lifecycle process of "Leaver" is intended to automate the removal of accounts and the associated access when someone leaves the organization. Removing access and disabling accounts that are no longer required is instrumental in preventing a former employee, or an attacker holding that employee's credentials, from gaining access through an orphaned account. When all of your key applications are connected to your IAM solution, the accounts can be disabled and the related access removed at the same time. This dual functionality removes the manual steps where human error creeps in and ensures that the access rights associated with the disabled account are removed simultaneously. Two details matter in practice: disabling an account does not by itself end active sessions, tokens, SSH keys, or API keys, so the leaver process must revoke those too; and a connector that fails to reach its target must surface the failure for retry rather than report the termination as complete. Lifecycle "Leaver" will accomplish that goal.
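The leaver flow described above, as an added illustration in Python (not the whitepaper's or any vendor's code). The `Connector` class is a constructed stand-in for an application connector, the identity, its linked accounts and the `sessions` attribute are made up for the example, and one connector is deliberately configured to fail so the error-handling path is exercised.

```python
"""Lifecycle "Leaver" automation (IAM Level 4).

Added illustration; not the whitepaper's or any vendor's code. Connector,
identity and account records are constructed stand-ins. The `sessions`
attribute represents live sessions/tokens that must be revoked along with
the account.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    app: str
    login: str
    enabled: bool = True
    entitlements: set = field(default_factory=set)
    sessions: int = 0  # constructed: count of live sessions/tokens


class Connector:
    """Stand-in for an application connector; `fail=True` simulates an unreachable target."""

    def __init__(self, app, accounts, fail=False):
        self.app, self.fail = app, fail
        self.accounts = {a.login: a for a in accounts}

    def disable(self, login):
        if self.fail:
            raise ConnectionError(f"{self.app} unreachable")
        acct = self.accounts[login]
        acct.enabled = False
        acct.entitlements.clear()  # access removed together with the disable
        acct.sessions = 0          # revoke live sessions/tokens, not only the password
        return acct


def process_leaver(identity, linked_accounts, connectors, audit):
    """Disable every account linked to a terminated identity and remove its access.

    A connector failure is recorded and returned for retry; the identity is
    never reported as fully terminated while a target is still enabled.
    """
    failures = []
    for app, login in linked_accounts:
        try:
            connectors[app].disable(login)
            audit.append(("leaver", identity, app, login, "disabled"))
        except ConnectionError as exc:
            failures.append((app, login, str(exc)))
            audit.append(("leaver", identity, app, login, f"FAILED: {exc}"))
    return failures


def orphan_check(active_links, connectors):
    """Enabled accounts in any application that no active identity claims."""
    claimed = {(app, login) for links in active_links.values() for app, login in links}
    return sorted((c.app, a.login) for c in connectors.values()
                  for a in c.accounts.values()
                  if a.enabled and (c.app, a.login) not in claimed)


def run():
    connectors = {
        "ad": Connector("ad", [Account("ad", "alee", entitlements={"VPN-Users"}, sessions=2)]),
        "erp": Connector("erp", [Account("erp", "alee", entitlements={"AP_Clerk"})]),
        "crm": Connector("crm", [Account("crm", "1001", entitlements={"Reader"})], fail=True),
    }
    links = {"1001": [("ad", "alee"), ("erp", "alee"), ("crm", "1001")]}
    audit = []
    # Constructed HR event: identity 1001 terminated; run the leaver process.
    failures = process_leaver("1001", links["1001"], connectors, audit)
    # After termination 1001 is no longer active, so it claims no accounts;
    # anything still enabled is an orphan the next sweep must catch.
    orphans = orphan_check({}, connectors)
    return connectors, failures, audit, orphans


if __name__ == "__main__":
    _, failures, audit, orphans = run()
    for entry in audit:
        print(entry)
    print("retry needed:", failures)
    print("orphans:", orphans)
```

The CRM connector fails, so the leaver run reports one retry and the subsequent orphan sweep still lists that CRM account as enabled and unowned. That second, independent check is the safety net for the case the text warns about: an orphaned account surviving because one target was unreachable at termination time.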
IAM Level 5 Password Management
Securing your environment is not limited to managing what people can access within an application. It also incorporates securing access to the application. Password Management, which is sometimes overlooked in the IAM conversation, is a leading reason why accounts are compromised. Additionally, poor password management is the primary contributor to a poor user experience, which leads to users establishing weak passwords. For threat actors, this is a welcome mat to crack passwords in order to obtain the keys to your castle.
As part of your standardization efforts, it is crucial to put password standards in place. This means that all applications will use the same formula for what constitutes a strong password. However, unless passwords are synced, users may still have to create and remember multiple passwords. This results in weak passwords that users can easily remember, or in the same password reused everywhere. In a utopian world, the goal would be to increase the complexity of passwords while eliminating the need for users to remember or even enter their passwords.
As in most areas of IAM, password management is a process of small incremental "wins" over time, to achieve the desired state. Some applications may be using the same authentication source, such as Active Directory. In this scenario, users need only authenticate to one source, where they are given permission to access these connected applications. More likely, however, a large number or even a majority of applications are not Active Directory aware. There are ways to "push" password sync among applications with disparate authentication sources, but users will still have to log into each system when they need to access those resources. Keep in mind that a synced password is only as safe as the weakest application that stores it: a compromise of one target exposes the credential for all of them, so the sync channel and every target's password storage must be held to the same standard.
Basic password synchronization is the first step towards standards. The best long-term solution is to deploy a Single Sign On (SSO) technology. SSO will provide far more capabilities to manage passwords with corresponding policies and standards. SSO will also establish a significantly better user experience and will help to drive efficiency within your organization, since users only have to authenticate one time for all applications managed within SSO. Traditionally, most SSO vendors also offer Multi-factor Authentication (MFA) as part of their suite.
MFA will introduce an additional layer of security that helps validate that users are who they say they are, especially for sensitive applications or situations that present higher risk (e.g., logging in from a foreign country). Leveraging a combination of SSO + MFA will enhance the user experience while also providing stronger security. As your organization matures, you can develop risk-based strategies that only flag a user for authentication or secondary authentication when certain anomalies are present (time of day, IP, frequency, etc.). Both MFA and Risk-Based Authentication are optional strategies at this level of maturity, but a plan and roadmap for their implementation should be part of your overall Identity plan. In practice, MFA should not wait for remote access or for the privileged accounts identified at Level 3, where a single compromised password does the most damage.
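The risk-based step-up strategy sketched above (challenge for a second factor only when anomalies such as location, IP, time of day or attempt frequency appear), as an added illustration in Python. It is not code from the whitepaper or from any SSO product; the signals, their weights, the action thresholds, the per-user baseline and the list of "sensitive" applications are all constructed assumptions, and a real deployment would derive the baseline from its own login history.

```python
"""Risk-based step-up authentication decision (IAM Level 5, SSO + MFA).

Added illustration; not code from the whitepaper or from any SSO product.
Signal weights, thresholds, the user baseline and SENSITIVE_APPS are
constructed assumptions.
"""
from datetime import datetime, timezone

SENSITIVE_APPS = {"erp", "pam"}   # constructed: always require a second factor
MAX_ATTEMPTS_PER_10_MIN = 5       # constructed frequency threshold

# Constructed per-user baseline built from previous successful logins.
BASELINE = {
    "alee": {"countries": {"US"}, "ips": {"203.0.113.10"}, "work_hours": (7, 19)},
}


def make_event(app, country, ip, hour_utc):
    """Build a constructed login event at the given UTC hour."""
    return {"app": app, "country": country, "ip": ip,
            "time": datetime(2019, 5, 6, hour_utc, 0, tzinfo=timezone.utc)}


def risk_score(user, event, baseline, recent_attempts):
    """Return (score, reasons). Each anomaly adds to the score; decide() maps score to an action."""
    profile = baseline.get(user)
    if profile is None:
        return 100, ["no baseline for user"]
    score, reasons = 0, []
    if event["country"] not in profile["countries"]:
        score += 40
        reasons.append("new country")
    if event["ip"] not in profile["ips"]:
        score += 20
        reasons.append("new IP")
    start, end = profile["work_hours"]
    hour = event["time"].astimezone(timezone.utc).hour
    if not (start <= hour < end):
        score += 20
        reasons.append("outside work hours")
    if recent_attempts > MAX_ATTEMPTS_PER_10_MIN:
        score += 50
        reasons.append("attempt frequency")
    return score, reasons


def decide(user, event, baseline, recent_attempts):
    """Map the score to one of: allow, step_up (require MFA), deny.

    Sensitive applications always step up regardless of score; a single
    weak signal on an ordinary application does not.
    """
    score, reasons = risk_score(user, event, baseline, recent_attempts)
    if score >= 90:
        return "deny", reasons
    if score >= 30 or event["app"] in SENSITIVE_APPS:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    for desc, ev, attempts in [
        ("usual login", make_event("crm", "US", "203.0.113.10", 10), 1),
        ("sensitive app", make_event("erp", "US", "203.0.113.10", 10), 1),
        ("abroad, new IP", make_event("crm", "DE", "198.51.100.7", 10), 1),
        ("abroad, new IP, 03:00, 9 tries", make_event("crm", "DE", "198.51.100.7", 3), 9),
    ]:
        print(desc, "->", decide("alee", ev, BASELINE, attempts))
```

The design choice worth copying is the separation of scoring from the action map: weights and thresholds are tuned over time from the organization's own false-positive rate, while the three actions stay fixed. An unknown user with no baseline is denied rather than allowed through, which is the safe default for a new or spoofed principal.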
IAM Level 6 Roles

As you continue to clean up your organization's access and refine the certification/recertification process, common denominators will begin to emerge among your user base: there will be patterns of access across your organization for individuals in similar roles. As part of the program automation process, the roles solution should be able to provision or de-provision access so that the user has only the access required to perform their job functions. This is an iterative process, one that achieves small wins over time. The roles journey begins at a high level, e.g., what basic access do 80 percent of our users need the moment they log in? From there, you build down the hierarchy of business units and departments until fine-grained roles start to emerge. The process evolves as follows:
1. Organizational Birthright Roles
This is the highest level of roles and provides most employees with the basic access they require when joining the company. Initially, Organizational Birthright Roles will represent about 40 percent of their access, and slowly grow to 60-70 percent of the access that most people require from day one. An Organizational Birthright Role is assigned to every employee upon hiring.

2. Employee Type Birthright Roles
Full-time employees (FTE) and contractors may require different entitlements. If so, there is an opportunity to create a role specifically for an employee profile when they join the company. As an example, only full-time employees may require or be permitted to have VPN access. If this access is granted through an Active Directory group, that group would only be assigned to an FTE. As a result, that group would be added to the "employee only" birthright role and be absent from the contractor birthright role.

3. Departmental Birthright Roles
Just as organizational roles are created, so too are departmental roles. This is the more fine-grained access that is required by specific job functions (e.g., Accounts Payable). At the current maturity state, the purpose of creating roles is to allow your support team to easily assign the right entitlements/access to users. As time goes on, role definition will bring measurable results to your organization. A good example is recertification delivery time: managers only need to approve the birthright roles, and there should be few exceptions to the birthright role within a department or group. The goal is to recertify only "outliers," those who have access that differs from the department birthright role. In a future, more mature IAM state, roles will automatically be provisioned when a user is hired or moves from one role to another. Automated provisioning will greatly reduce your risk and the delivery time to provide user access.

It is important to note that just because a group of users has a specific entitlement does not mean that they should. The initial certification campaign should identify instances where certain access is not required for a population of users. In these cases, the access should be removed from the role's entitlements and provisioned on an as-needed basis.
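The three-level procedure above can be run mechanically against an entitlement export. The following is an added example, not secureITsource's or any IGA product's code: it finds the lowest common denominator of entitlements organization-wide, then per employee type, then per department, and reports the per-user outliers that would still need recertification. The user population, the 80 percent threshold and the `NEVER_BIRTHRIGHT` set (entitlements that must not become birthright however common they are, the caveat in the last paragraph) are constructed assumptions for illustration.

```python
"""Birthright role mining for IAM Level 6 (added example, not product code).

Walks the hierarchy the text describes: organization-wide lowest common
denominator, then per employee type, then per department, and reports the
per-user outliers that a recertification campaign would still review.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

User = Tuple[str, str, str, Set[str]]  # (user_id, employee_type, department, entitlements)

# Constructed sample population (not real data).
USERS: List[User] = [
    ("u01", "FTE", "Finance", {"AD-Domain-Users", "Email", "Intranet", "VPN", "ERP-AP"}),
    ("u02", "FTE", "Finance", {"AD-Domain-Users", "Email", "Intranet", "VPN", "ERP-AP", "ERP-AR"}),
    ("u03", "FTE", "Finance", {"AD-Domain-Users", "Email", "Intranet", "VPN", "ERP-AP"}),
    ("u04", "FTE", "Engineering", {"AD-Domain-Users", "Email", "Intranet", "VPN", "Git", "CI"}),
    ("u05", "FTE", "Engineering", {"AD-Domain-Users", "Email", "Intranet", "VPN", "Git", "CI", "Prod-Admin"}),
    ("u06", "Contractor", "Engineering", {"AD-Domain-Users", "Email", "Intranet", "Git"}),
    ("u07", "Contractor", "Engineering", {"AD-Domain-Users", "Email", "Git", "CI"}),
    ("u08", "Contractor", "Finance", {"AD-Domain-Users", "Email", "Intranet", "ERP-AP"}),
]

# Assumption: anything privileged belongs in PAM, never in a birthright role,
# no matter how many people currently hold it.
NEVER_BIRTHRIGHT: Set[str] = {"Prod-Admin"}


def common_entitlements(population: Iterable[User], threshold: float,
                        exclude: Set[str] = frozenset()) -> Set[str]:
    """Entitlements held by at least `threshold` of `population`, minus `exclude`."""
    population = list(population)
    if not population:
        return set()
    counts = Counter(e for _, _, _, ents in population for e in ents)
    needed = threshold * len(population)
    return {e for e, n in counts.items() if n >= needed} - set(exclude)


def mine_roles(users: List[User], threshold: float = 0.8,
               never_birthright: Set[str] = NEVER_BIRTHRIGHT) -> Dict:
    """Return organizational, employee-type and departmental birthright
    candidates plus the outlier entitlements left unexplained for each user."""
    org = common_entitlements(users, threshold, never_birthright)

    by_type: Dict[str, Set[str]] = {}
    for etype in sorted({u[1] for u in users}):
        pop = [u for u in users if u[1] == etype]
        # Subtract what the organizational role already grants.
        by_type[etype] = common_entitlements(pop, threshold, never_birthright) - org

    by_dept: Dict[str, Set[str]] = {}
    already = org | set().union(*by_type.values())
    for dept in sorted({u[2] for u in users}):
        pop = [u for u in users if u[2] == dept]
        # Departmental roles carry only what org and type roles do not.
        by_dept[dept] = common_entitlements(pop, threshold, never_birthright) - already

    outliers: Dict[str, Set[str]] = {}
    for uid, etype, dept, ents in users:
        explained = org | by_type[etype] | by_dept[dept]
        extra = ents - explained
        if extra:
            outliers[uid] = extra

    return {"organizational": org, "employee_type": by_type,
            "departmental": by_dept, "outliers": outliers}


if __name__ == "__main__":
    result = mine_roles(USERS)
    for level in ("organizational", "employee_type", "departmental"):
        print(level, result[level])
    print("outliers to recertify:", result["outliers"])
```

With the sample data, CI is held by three of four engineers, so at the 80 percent threshold it stays an outlier for each of them, while at 70 percent it folds into the Engineering role. That sensitivity is the reason to treat the threshold as a business decision and to review every candidate role before it is provisioned, rather than trusting the mining output blindly.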
IAM Level 7 Other Lifecycle Management Processes (Joiner, Mover, etc.)

As roles become defined and the authoritative sources are updated with the appropriate role definitions, you can begin to establish more complex Lifecycle Management (LCM) processes. So far, the only lifecycle process that is automated is termination. The full lifecycle process is where organizations begin to see measurable results from the IAM Program. As a result, it is tempting to try to force lifecycle management into earlier stages of the Program. While there is tangible value in the lifecycle process, forcing it into earlier stages of the IAM Maturity Model will delay your program and make it more costly. Why? IAM is about process, standards, and frameworks. Automating a bad process is the worst way to get an IAM Program off the ground and will typically result in Program failure.
Now that your organization has created roles, implementing the lifecycle process becomes much easier, since a role can be tied directly to a specific value of each attribute of the identity (department, employee type, location, and so on). When defining the LCM processes, it is recommended to fully document each step. Documentation is not limited to the steps of assigning LCM within the identity solution. It also covers any complementary IT solutions such as IT Service Management (ITSM), and any business processes that complete the LCM process. Understanding each step will allow you to build a process that is easy to modify and maintain as new variables arise in your organization (e.g., acquisitions, mergers). It also provides great value to the developers, who then have a full and clear picture of the process.
Access Requests

By utilizing automated LCM processes, the majority of the access a user needs (on the order of 80 percent) will be provisioned to their accounts at the appropriate time. However, there will be cases when users require additional access that is not part of the entitlements for their role. An access request process allows users, or their managers, to request the additional access on an ad hoc basis. If your LCM process is properly defined, access requests should be the exception and not the rule. It is also important to consider the duration of the exception (e.g., additional access granted only for the duration of an audit), as well as any approvals required to complete fulfillment, so that exception access expires instead of accumulating.
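The joiner, mover and access-request processes above can be expressed as one reconciliation step: derive the access an identity should hold from roles keyed on its attribute values, diff it against what the connected systems currently hold, and emit grant/revoke actions. The following is an added example, not secureITsource's or any IGA product's API; the role catalogue, the identity records, the exception records and the dates are constructed for illustration. Approved, unexpired access-request exceptions are honoured so a mover does not lose a time-boxed grant early, and an exception that was requested but never approved is treated as absent.

```python
"""Joiner/mover reconciliation for IAM Level 7 (added example, not product code).

Roles apply when the identity's attribute values match; the reconciler
computes the access an identity should hold, diffs it against current
access and returns grant/revoke actions. Time-boxed, approved exceptions
from the access request process are retained until they expire.
"""
from datetime import date
from typing import Dict, List, Set

# Constructed role catalogue: a role applies when every key in `match`
# equals the identity's attribute value; an empty match applies to everyone.
ROLES: Dict[str, Dict] = {
    "Org-Birthright":   {"match": {},                            "entitlements": {"AD-Domain-Users", "Email", "Intranet"}},
    "FTE-Birthright":   {"match": {"employee_type": "FTE"},      "entitlements": {"VPN"}},
    "Finance-Dept":     {"match": {"department": "Finance"},     "entitlements": {"ERP-AP"}},
    "Engineering-Dept": {"match": {"department": "Engineering"}, "entitlements": {"Git", "CI"}},
}

# Constructed identity and access-request records.
ALICE = {"id": "u02", "status": "active", "employee_type": "FTE", "department": "Finance"}
EXCEPTIONS: List[Dict] = [
    # Time-boxed request: AR access for the duration of an audit.
    {"user": "u02", "entitlement": "ERP-AR", "approved_by": "mgr-finance", "expires": date(2019, 6, 30)},
    # Requested but never approved: must not be provisioned.
    {"user": "u02", "entitlement": "Prod-Admin", "approved_by": None, "expires": date(2019, 12, 31)},
]
AUDIT_DAY = date(2019, 6, 1)     # inside the exception window
AFTER_AUDIT = date(2019, 7, 1)   # exception has expired


def matching_roles(identity: Dict) -> List[str]:
    """Roles whose attribute conditions the identity satisfies."""
    return [name for name, role in ROLES.items()
            if all(identity.get(k) == v for k, v in role["match"].items())]


def target_access(identity: Dict, exceptions: List[Dict], today: date) -> Set[str]:
    """Access the identity should hold: role entitlements plus live exceptions.
    A non-active identity should hold nothing (the Level 4 leaver rule)."""
    if identity.get("status") != "active":
        return set()
    target: Set[str] = set()
    for name in matching_roles(identity):
        target |= ROLES[name]["entitlements"]
    for ex in exceptions:
        # Only approved, unexpired requests count; anything else is ignored.
        if ex["user"] == identity["id"] and ex.get("approved_by") and ex["expires"] >= today:
            target.add(ex["entitlement"])
    return target


def reconcile(identity: Dict, current: Set[str], exceptions: List[Dict],
              today: date) -> Dict[str, List[str]]:
    """Grant what is missing and revoke what is no longer justified."""
    target = target_access(identity, exceptions, today)
    return {"grant": sorted(target - current), "revoke": sorted(current - target)}


def joiner(identity: Dict, today: date) -> Dict[str, List[str]]:
    """New hire: no accounts exist yet, so everything in the target is granted."""
    return reconcile(identity, set(), EXCEPTIONS, today)


def mover(identity: Dict, new_attrs: Dict, today: date) -> Dict[str, List[str]]:
    """Transfer: current access is whatever the old attributes produced."""
    before = target_access(identity, EXCEPTIONS, today)
    moved = {**identity, **new_attrs}
    return reconcile(moved, before, EXCEPTIONS, today)


if __name__ == "__main__":
    print("joiner:", joiner(ALICE, AUDIT_DAY))
    print("mover: ", mover(ALICE, {"department": "Engineering"}, AUDIT_DAY))
    held = target_access(ALICE, EXCEPTIONS, AUDIT_DAY)
    print("after exception expiry:", reconcile(ALICE, held, EXCEPTIONS, AFTER_AUDIT))
```

The mover case is the one worth documenting in the flow chart: the old department's entitlement (ERP-AP) is revoked in the same run that grants the new department's (Git, CI), so access never accumulates across transfers, and the expired exception is revoked on the next run without anyone having to remember it.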
CHAPTER FIVE
Manage Risk

Risk Management reviews are meant to proactively identify access scenarios that could introduce risk to your organization. This includes entitlements that allow users to act in an elevated state, and access that conflicts with other access (Separation of Duties, or SoD). This phase also moves the organization towards a risk-based, exception-only certification process. By defining access risks within the organization, recertification becomes (over time) a process of evaluating the outliers rather than normal users with standard access.
IAM Level 8 Risk Levels for Entitlements

As all entitlements represent access within your organization, it is important to identify the risk associated with each. Companies should use a risk scale (e.g., 1-5 or 1-100) that is consistent with how the organization looks at risk in other areas. While it is unrealistic to generate a risk score for every entitlement in an organization, it should be your goal to score the entitlements held by the majority of the company's employees and the entitlements that represent the highest levels of risk. The most logical starting point is the latter: entitlements that allow users to access data or perform functions that could negatively impact the organization if used maliciously. Work through the highest-risk entitlements first. By identifying entitlement risk levels, your organization will be able to implement an approval process that is appropriate for different types of requests. It also enables the certification process to focus on users who hold high-risk access, ensuring that the highest-risk access is not overlooked.
Risk Levels for Roles

Entitlements make up a role, and therefore the risk of the entitlements should be considered when determining the risk of the role. If a role has a large number of moderately risky entitlements, that may raise the risk level of the role. The risk level of the role should be reviewed and take into consideration all of the access that the role provides.

Separation of Duties (SoD)

Users tend to move from one department to another within an organization, and in doing so can accumulate conflicting access. The classic example of an SoD violation is a user who has access to both Accounts Payable and Accounts Receivable. Conflicting access should be subject to a high risk score and frequent reviews. Defining and implementing SoD checks and controls will allow your organization to monitor risky access. This can be managed through the approval process, frequent access recertification, and automatic rejection or even automatic removal of the access.
Risk-Based and Exception Certifications

Now that your organization has standards, automation, and controls in place, certifications should over time become easier and more consistent. Depending on your audit requirements, you may be able to reduce the number of certifications your organization completes by certifying only on the basis of risk and/or exceptions. Once your organization is comfortable that access rights are aligned with the appropriate roles, another question should arise: is it necessary to keep certifying that access is accurate? Most auditors will accept Role-Based Access, as long as your organization can demonstrate that the right access is aligned to the right role and that there are no SoD conflicts. If that is the case and it can be validated, most organizations are not required to perform quarterly recertification of every user. The exact frequency of recertification will depend on your industry, compliance requirements, and previous exception findings. Over time, the aim is to limit quarterly recertification to high-risk roles and to greatly reduce the frequency of recertification for the majority of your organization. The highest-risk roles in an organization should be identified and will likely be subject to higher scrutiny by your audit team. Hopefully, by this point in your IAM journey, you have already implemented a PAM Program for the highest-risk access, and those assets are managed under the additional requirements dictated by the PAM solution. Regardless, the goal at this point is that the highest levels of access risk have been identified by your organization. These "outliers" will pertain to just a few users, with the goal of making recertification easier and less time-consuming.
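The three mechanisms in this chapter, entitlement risk scores that drive role risk and approval tiers, SoD rules evaluated on a user's effective access, and a campaign that reviews only the outliers, fit in one small model. The following is an added example, not secureITsource's or any product's logic. The 1-5 scale, the rule that a role bundling three or more moderately risky entitlements is raised one level, the approval tiers, the SoD pairs and the population are all constructed assumptions for illustration; a real deployment would take each of them from the organization's own risk framework.

```python
"""Risk scoring, SoD detection and risk/exception-based certification
selection for IAM Level 8 (added example, not product code)."""
from typing import Dict, List, Set, Tuple

# Constructed 1-5 risk scale (assumption: 1 = low, 5 = critical).
ENTITLEMENT_RISK: Dict[str, int] = {
    "AD-Domain-Users": 1, "Email": 1, "Intranet": 1, "VPN": 2, "Git": 2,
    "CI": 3, "ERP-AP": 3, "ERP-GL": 3, "ERP-Reporting": 3, "ERP-AR": 3,
    "Prod-Admin": 5,
}

ROLES: Dict[str, Set[str]] = {
    "Org-Birthright": {"AD-Domain-Users", "Email", "Intranet"},
    "FTE-Birthright": {"VPN"},
    "Finance-Dept": {"ERP-AP", "ERP-GL", "ERP-Reporting"},
    "Engineering-Dept": {"Git", "CI"},
}

# SoD rules: one within a single application (AP vs. AR) and one across
# applications (building releases vs. administering production).
SOD_RULES: List[Tuple[str, str]] = [("ERP-AP", "ERP-AR"), ("CI", "Prod-Admin")]

HIGH_RISK = 4   # assumption: scores at or above this are certified every cycle
MODERATE = 3    # assumption: "moderately risky" starts here
BUMP_AT = 3     # assumption: this many moderate entitlements raise a role one level


def role_risk(role: str) -> int:
    """Highest entitlement risk in the role, bumped when it bundles many
    moderate ones, capped at the top of the scale."""
    risks = [ENTITLEMENT_RISK[e] for e in ROLES[role]]
    score = max(risks)
    if sum(1 for r in risks if r >= MODERATE) >= BUMP_AT:
        score += 1
    return min(score, 5)


def approval_path(entitlement: str) -> List[str]:
    """Approval chain for an access request scales with the entitlement's risk."""
    risk = ENTITLEMENT_RISK[entitlement]
    chain = ["manager"]
    if risk >= MODERATE:
        chain.append("application-owner")
    if risk >= 5:
        chain.append("security")
    return chain


def effective_access(user: Dict) -> Set[str]:
    """Everything the user can do: role entitlements plus direct (outside-role) grants."""
    ents: Set[str] = set(user.get("direct", set()))
    for r in user["roles"]:
        ents |= ROLES[r]
    return ents


def sod_conflicts(ents: Set[str]) -> List[Tuple[str, str]]:
    """SoD pairs fully present in one person's effective access."""
    return [(a, b) for a, b in SOD_RULES if a in ents and b in ents]


def certification_items(users: List[Dict]) -> Dict[str, Dict]:
    """Select who needs a reviewer this cycle and why. Users whose access is
    fully explained by roles, with no high-risk or conflicting entitlement,
    are skipped: the role definition was certified instead of the person."""
    campaign: Dict[str, Dict] = {}
    for u in users:
        ents = effective_access(u)
        reasons: Dict[str, object] = {}
        high = {e for e in ents if ENTITLEMENT_RISK[e] >= HIGH_RISK}
        if high:
            reasons["high_risk"] = sorted(high)
        conflicts = sod_conflicts(ents)
        if conflicts:
            reasons["sod"] = conflicts
        outside = set(u.get("direct", set()))
        if outside:
            reasons["outside_role"] = sorted(outside)
        if reasons:
            campaign[u["id"]] = reasons
    return campaign


# Constructed population.
USERS = [
    {"id": "u01", "roles": ["Org-Birthright", "FTE-Birthright", "Finance-Dept"]},
    {"id": "u02", "roles": ["Org-Birthright", "FTE-Birthright", "Finance-Dept"], "direct": {"ERP-AR"}},
    {"id": "u05", "roles": ["Org-Birthright", "FTE-Birthright", "Engineering-Dept"], "direct": {"Prod-Admin"}},
    {"id": "u06", "roles": ["Org-Birthright", "Engineering-Dept"]},
]

if __name__ == "__main__":
    for r in ROLES:
        print(f"{r}: risk {role_risk(r)}")
    for uid, why in certification_items(USERS).items():
        print(uid, why)
```

Note that the SoD check runs on effective access, not on direct grants alone: u02's conflict arises between a role entitlement (ERP-AP from Finance-Dept) and a direct grant (ERP-AR), which is exactly the case a per-application check would miss.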
CHAPTER SIX
Evaluate & Enhance
IAM Level 9 Review and Update Processes

Your IAM program now has many mature processes. However, they can still be improved. Roles are a good example of processes that need regular maintenance. Reviewing the roles to ensure that the entitlements within a role are still being used and are still relevant to the job function is critical to a healthy IAM Program. It is common for roles to include "required access" that, upon further review, is rarely used or used by only a few. Since roles are the core data that feed your IAM system, they must be maintained on a regular basis.
LCM processes, certification processes and frequencies, and password management requirements were all built on the definitions established at the beginning of your program. Over time they will become outdated, whether through changes within your organization or advances in the industry. Constant improvement will allow your Identity program to mature as your company and the industry mature. Incorporating solutions that are complementary to IAM is also a consideration. Privileged Access Management (PAM), Data Access Governance (DAG), and Public Key Infrastructure (PKI) are just a few of the complements to mature IAM, and many of the solutions on the market today have native integrations with select IAM tools, which can result in an easier and faster implementation.
Summary

Implementing an Identity Program is difficult. The road is long and arduous; however, a few basic principles can help drive your success. If you embark on the journey with the right mindset and executive support, it is possible to achieve your goals. Please keep in mind that this particular Maturity Model focuses on Identity Governance and Administration. There are other important aspects of Identity, including access management, privileged access, and data access governance, to name a few. For this phase of the IAM journey, the four precepts that are crucial to your success are highlighted below. Reflecting on your adherence to them will make your journey smoother.
1. Executive Support and Steering
The process of deploying Identity Governance involves changing mindset and culture. These high-level ideals must come from the top. Otherwise, buy-in and support across other levels of the business will be challenging, if not impossible.

2. Roadmap and Strategy
You must know your endgame. What are you out to achieve? What defines success for you and your organization? How much are you willing to invest in time and money to achieve it? Knowing your destination is very important, as it drives your product selection and how you will staff your project over the long haul.

3. Foundation
If you have the first two ingredients, you are on the right path, but not out of the woods. It is easy to get distracted by the features and functionality of the product. How do we show value to the executive team if we aren't automating? Like anything, the foundation will determine how much value your IAM Program brings to your business. Don't be swayed into sacrificing good process and standards for early features and functionality.

4. Best Practices
IAM has been around for a while, although it has evolved greatly since the early 2000s. Learn from others' mistakes and take the advice of industry experts who have "been there, done that." Best practices are important from several perspectives.

Industry: there are many do's and don'ts (as described in this model). Keep them in mind as you forge ahead in your journey.

Product: all products have advantages, disadvantages, and limitations. Utilize the expertise of your deployment partner as well as that of your solution provider. Together, they can help you avoid the biggest pitfalls that can delay your progress.
IAM Maturity Model Checklist

As you go about implementing your company-specific IAM Maturity Model, use our checklist to ensure you complete each step as you build your IAM roadmap.
IAM Level 1
- IAM solution is deployed on-prem or a SaaS IAM solution is live
- Authoritative source(s) are identified
- Key application source(s) are identified
- Authoritative source(s) are connected to the IAM solution
- Identities are established from authoritative source(s) in the IAM solution
- Key application source(s) are connected
- Accounts from key applications are correlated to Identities
- The five core standards are established

IAM Level 2
- Completed IAM 1 checklist
- Review of accounts that are not correlated to an identity
- Removal of unnecessary accounts
- Modification of legacy accounts to meet new standards
- Syncing of attributes across key applications

IAM Level 3
- Completed IAM 2 checklist
- Initial certification campaign
- Defined ongoing recertification schedule
- Accounts with privileged access have been identified
- Integration with PAM solution (if a PAM solution exists), or adoption of a PAM solution

IAM Level 4
- Completed IAM 3 checklist
- Standards implemented to disable rather than remove accounts (where possible)
- Defined and documented LCM – Leaver process for scheduled terminations
- Defined and documented LCM – Leaver process for unscheduled terminations (immediate)
- Initiate LCM – Leaver (termination) process

IAM Level 5
- Completed IAM 4 checklist
- Unified password standard across applications
- Password reset options by application for users
- Same password or synced passwords across applications
- One password reset option for all applications
- Single Sign On for all applications
- Multi-factor Authentication
- Risk-Based Authentication
IAM Level 6
- Completed IAM 5 checklist
- Design/review/create/validate organizational roles
- Identification of organizational lowest common denominator entitlements
- Design/review/create/validate employee type roles
- Identification of employee type lowest common denominator entitlements
- Design/review/create/validate departmental roles
- Identification of departmental lowest common denominator entitlements

IAM Level 7
- Completed IAM 6 checklist
- Defined joiner (new hire) process flow chart
- Defined mover (transfer) process flow chart
- Implement processes using roles
- Access request portal
- Access request approval process

IAM Level 8
- Completed IAM 7 checklist
- High-risk entitlements identified
- Review of entitlements within each role
- Risk level associated with all roles
- Defined separation of duties within each application
- Defined separation of duties across applications
- Defined separation of duties based on roles
- High level of confidence in controls and provisioning/de-provisioning processes
- Risk- and exception-based certifications

IAM Level 9
- Completed IAM 8 checklist
- Continued review of all IAM processes
- Scheduled dates for process review
- Change management process for updates
ABOUT SECUREITSOURCE:
Your IAM Provider
secureITsource was founded with the goal of raising the bar and changing the status quo in Identity Management consulting and professional services. Our proprietary methodology and approach were developed under the premise of doing a few things, but doing them better than anyone else. Our select list of IAM/PAM software partners consists of best-of-breed technologies, including SailPoint, Okta, CyberArk, ForgeRock, SecZetta, Venafi, and Varonis. The secureITsource advantage is perspective. Our management and consulting team come from a variety of industry backgrounds, including financial services, healthcare, government, manufacturing, consulting, and transportation. We have been on both sides of the desk, and we understand the realities and challenges of a successful Identity Program. Our goal is to work collaboratively as an extension of your team to achieve your Identity Program goals.