Imagine granting someone access to your front door, without giving them any rules for visiting – like whether they must pay for breakages, bring their own milk for the fridge, or that it’s lights out at 11pm. It’s not something most of us would be comfortable with.
When it comes to our enterprise’s network, however, there seems to be a different story. All too often, organisations are forgetting about the ‘identity’ in identity and access management (or ‘IAM’), granting entry to users without considering whether they should have access.
Instead, focus is too frequently placed on the ‘A’ part of IAM – that is, the access management; the process of allowing users to access all sorts of tools, systems and applications – and stopping there without considering their wider corporate cyber security strategy.
Identity governance is integral to the whole process of IAM, and missing out the ‘I’ part of IAM can have serious security implications, with access becoming a potential exposure point.
Deciphering the difference between identity and access
Despite being closely interlinked, “identity” and “access” are very different processes. In the digital world, identity refers to the data and unique attributes that help to distinguish one user from another. These attributes could include job title, project role, level of seniority, or location, depending on the rules set for identity.
On the other hand, access decisions are yes/no questions: can this user have access to this place? When we enter our password or another identity attribute such as an email address or username to gain entry, access management fires off that data to the system’s database, and the answer comes back as ‘yes’ this identity is authorised, or ‘no’ it is not.
Without matching identities to access rights, the organisation runs the risk of saying “yes” to everyone having access to everything. This results in users having much more access than they need for their day-to-day jobs. This approach can lead to critical vulnerabilities, because if one of those users is compromised, then the door is wide open for a hacker to gain entry to every system in use.
Identity isn’t a “nice to have”, and having an access management policy alone is not “good enough.” When your authorisation process stops at the “yes/no” question of access, you’re not only giving anyone off the street entry to your building, but also allowing them entrance into all office space, conference rooms and the server room, too.
Many companies are under the impression they’re “doing identity,” when really all they’re doing is granting access. Worse still, some companies know they should be doing more, developing identity governance processes, but keep putting it off because they don’t have time for it. Yet all it takes for a data breach is for a single user account to be compromised.
Establishing and understanding identity needs to be the prerequisite for granting access – rather than a lofty strategic goal. In practical terms, it comes down to this question: “Based on their identity, should this user be granted access?” Once the user’s identity has been authenticated, that identity is handed to the access control decision: the process evaluates the identity attributes at hand and makes the yes/no decision on whether this user should have access.
Determining identity is not just about how an employee is viewed through the lens of IT, but also how they relate to others in the organisation. Silos between IT security, tech support, compliance and audit teams, and anyone else who has a say in user access rights must therefore be torn down to enable greater cross-team collaboration. By setting policies and workflows in advance as a joint organisational effort, you can make IT’s life a little more efficient. Once an overarching policy is agreed, automation can be used to answer the simpler yes/no questions. Lessening the burden on IT staff to closely manage identity and access requests means more time to work on the bigger picture, such as compliance projects or business continuity systems planning.
Automating identity governance and access management decisions can also make organisational systems and applications more secure. Automation can become a supportive function that helps your IT team track, monitor and control the accounts that have access to sensitive information, while also protecting that data with secure authentication that goes beyond username and password.
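The authenticate-then-decide flow described above, as an added example that is not from the article or from any SailPoint product: a salted-password login establishes the identity, a constructed attribute policy table answers the yes/no question per resource, and reachable() contrasts how much one compromised account can reach under identity-aware rules versus an access-only model that says “yes” to every authenticated user. All usernames, passwords, resources and policies are constructed for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    username: str
    job_title: str      # e.g. "developer", "hr", "ops"
    project_role: str   # e.g. "project-x"
    seniority: int      # 1 = junior ... 5 = executive
    location: str       # e.g. "UK"

# Constructed policy table: resource -> predicate over identity attributes.
POLICIES = {
    "wiki":           lambda i: True,   # any authenticated user may read it
    "project-x-repo": lambda i: i.project_role == "project-x",
    "hr-payroll":     lambda i: i.job_title == "hr" and i.seniority >= 3,
    "uk-datacentre":  lambda i: i.job_title == "ops" and i.location == "UK",
}

def hash_password(password, salt=None):
    """Salted PBKDF2 so the directory never stores a raw password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_entry(identity, password):
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "identity": identity}

DIRECTORY = {  # constructed directory of two hypothetical accounts
    "alice": make_entry(Identity("alice", "developer", "project-x", 2, "UK"), "alice-pw"),
    "bob":   make_entry(Identity("bob", "hr", "none", 3, "DE"), "bob-pw"),
}

def authenticate(username, password):
    """Step 1: establish who the user is. Returns the Identity, or None."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return None
    _, digest = hash_password(password, entry["salt"])
    return entry["identity"] if hmac.compare_digest(digest, entry["digest"]) else None

def authorise(identity, resource):
    """Step 2: the yes/no decision, evaluated against identity attributes."""
    policy = POLICIES.get(resource)
    return policy is not None and policy(identity)

def reachable(identity, identity_aware=True):
    """Resources one account can reach; identity_aware=False models the
    'access only' anti-pattern where any authenticated user gets everything."""
    return {r for r in POLICIES if not identity_aware or authorise(identity, r)}
```

With identity-aware policies a compromised developer account reaches only the wiki and its own project repository; under the access-only model the same account reaches every resource in the table.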
Identity governance and access management are both crucial steps to ensuring your users can securely gain access to information and that accounts aren’t compromised. The identity element is an essential part of the framework, empowering users with the right access at the right time while helping you to keep control over your systems.
Author: Ben Bulpett, EMEA Director at SailPoint