The importance of Identity and Access Management
Olly Jones, Senior Cyber Security Consultant with Paul Traill, Senior Information Assurance Consultant
When we help our clients with their cyber and information security, one area that we sometimes find neglected is identity and access management (IAM). A robust IAM process is a crucial part of any information security management system—it ensures a user is who they say they are and only enables them appropriate user access to your systems and data.
Access management is now more important than ever. With the widespread change in working practices and homeworking due to the COVID-19 pandemic, many organisations have been forced into enabling their employees to work from home before many potential security risks have been fully assessed. During these times of increased security risks—because of the rush to enable remote access to corporate systems—effective IAM policies can help mitigate the risk by carefully managing access to your company’s assets.
So, what is Identity and Access Management?
IAM refers to the framework of corporate policies, processes and technology solutions which support the management of digital identification, authentication, and authorisation within your infrastructure. It enables IT teams to manage user access to critical information using methods such as role-based access control which provides access based on documented job roles.
Effective IAM requires each role in an organisation (including those related to systems administration) to be defined in terms of competency, authority and responsibility (and, where possible, to take into account segregation of duties to avoid potentially costly acts of asset misuse and fraud), so that appropriate access levels can be allocated. Based upon the principle of ‘need to have’, this allows users to perform specific tasks such as viewing, creating or modifying files. Other types of permissions might include the ability to access staff and HR data, perform changes to industrial control processes or other administration systems.
Why should I worry about IAM?
Notwithstanding the cyber security benefits of having control over who can (and cannot) access data within your organisation, IAM is an important aspect of compliance for international regulations, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standards (PCI DSS). IAM is also part of ISO regulations; Section 9 of ISO 27002 contains detailed identity and access management guidelines which organisations can follow and be assessed against.
PCI DSS is a set of security controls that organisations dealing with payment cards are required to implement to protect payment card data. From an IAM perspective, it addresses the requirements for ensuring businesses restrict access to the card data environment to only people who are authorised, as well as ensuring that strong authentication mechanisms are in place, such as use of multi-factor authentication (MFA) i.e. something you know, something you have, and / or something you are (for example, a biometric).
Policies and Identity Management
Two important aspects of an IAM framework are Identity Management (IM) and the policies themselves. An organisation’s IM regime will set out how they establish the identity of a person, during initial contact and for any subsequent interactions with your systems or processes. The policies themselves are critical to IAM as these will determine who has authority to access your systems and data and will govern how access requests can be processed. Just as important is governing when user access to systems and data should also be revoked once that user either moves departments, projects, or even leaves the organisation entirely.
This final point is very important because just having an IAM system in place in an organisation is not enough, they are almost worthless unless they are proactively managed and consistently implemented. For example, it is quite common for members of staff to be given access to sensitive parts of a network when working in small teams on a time-specific project, and for their access permissions to not be amended and reverted back to their original levels on completion. Remarkably, it is not uncommon for many organisations to not even revoke user access and permissions after an individual leaves an organisation entirely, and case studies have demonstrated where disgruntled employees with a sense of grievance have used this access to conduct malicious attacks.
How PGI can help
PGI’s cyber and information security experts can assist you with developing or improving IAM-related policies and processes; auditing existing processes to assess their effectiveness and maturity across a wide-range of standards such as ISO 27001, PCI DSS, and Cyber Essentials+; or provide advice on best practice tools and solutions that can be implemented to optimise and automate key IAM-related requirements. We can help you on a project basis or as part of our Cyber Assurance as a Service solution.
Get in contact with us to talk about your requirements and goals: firstname.lastname@example.org or +44 (0) 845 600 4403