Organizations rely on Identity and Access Management (IAM) systems to control access to their critical assets, data, and applications. My organization recently implemented IAM processes using a top-down management approach. A Security Steering Committee was established, composed of C-Suite leaders and Data and Asset Owners from the various Business Units. This committee established the governing policy around IAM processes, covering the Mandatory Access Control Policy and the Trust Policy. These policies are automatically enforced as baselines by default.
To ensure our organization aligns with local, international, and industry-specific regulations, these regulations are also enforced and applied to the IAM systems. The organization is currently running a mix of customized IAM frameworks embedded in a holistic ISO 27001 Cyber Security Framework. Elements of NIST SP 800-63 (Digital Identity Guidelines), ISO 27001, and ISO 27002 are combined and applied as one framework in the Integrated Information Security Management System (ISMS).
The Microsoft Kerberos Authentication Framework is used to promote single sign-on (SSO) and minimize single points of failure. This framework has helped reduce administrative bottlenecks and promote multi-factor authentication (MFA). The organization is also working to embrace more borderless and wireless authentication frameworks. Each human and non-human identity is uniquely defined with a standard naming convention. For example, human identities are a combination of the employee's first-name initial and last name with the employee identity number. Non-human identities, such as machine identities and application identities, are named with a combination of the identity set and a respective automatically generated unique identity.
The IAM life cycle follows an Account Provisioning and De-provisioning concept, aligning with the IAAA concept (Identification, Authentication, Authorization, and Accountability). Identification is verified against an authoritative identity source, such as a contract letter or service level agreement for vendors, or a letter of employment for employees. Authentication is done in three ways: something you know (such as a password or Personal Identification Number, PIN), something you have (such as a token device, mobile device, or smart card), or something you are (such as biometrics). Most non-human identities rely on a combination of 'Something You Know' or 'Something You Have'.
Authorization is only applied after successful authentication of the claimed identity, and all stakeholders must align with the Authorization Policy Framework and the Access Control Matrix. The Mandatory Access Control model is enforced as the minimum standard, while the Discretionary Access Control model is driven by the asset and data owners. Role-Based Access Control is assigned based on roles and functions, and Rule-Based Access Control is driven by rules and policies. Attribute-Based Access Control grants or denies access rights based on the attributes and characteristics of the identity and the resource.
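The layered authorization described above, as an added example in Python that is not the organization's own code: authentication is checked first, the MAC baseline is evaluated as the floor, and then the rule-based, RBAC, DAC and ABAC layers each get a veto (deny-overrides). That evaluation order, the classification lattice, the roles, the business-hours rule and the sample identity and resource are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed classification lattice for the mandatory (MAC) baseline.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Hypothetical role-to-permission mapping (RBAC).
ROLE_PERMISSIONS = {"analyst": {"read"}, "engineer": {"read", "write"}}

@dataclass
class Identity:
    name: str               # naming convention: initial + last name + employee number
    authenticated: bool     # True only after the identity has authenticated (e.g. Kerberos + MFA)
    clearance: str          # MAC label
    roles: frozenset        # RBAC roles
    attributes: dict        # ABAC attributes

@dataclass
class Resource:
    name: str
    classification: str     # MAC label set by the data owner
    owner_acl: dict         # DAC: identity name -> actions the owner has granted
    required_attributes: dict  # ABAC: attribute -> value the identity must carry

def business_hours_rule(identity, resource, action, hour):
    """Hypothetical rule-based policy: writes only during business hours."""
    return action != "write" or 8 <= hour < 18

def authorize(identity, resource, action, hour=10):
    """Deny-overrides: every layer must permit. MAC is evaluated first as the floor."""
    if not identity.authenticated:
        return "deny: identity not authenticated"
    if LEVELS[identity.clearance] < LEVELS[resource.classification]:
        return "deny: MAC baseline (clearance below classification)"
    if not business_hours_rule(identity, resource, action, hour):
        return "deny: rule-based policy"
    if not any(action in ROLE_PERMISSIONS.get(r, set()) for r in identity.roles):
        return "deny: RBAC (no role grants the action)"
    if action not in resource.owner_acl.get(identity.name, set()):
        return "deny: DAC (owner has not granted the action)"
    for attr, wanted in resource.required_attributes.items():
        if identity.attributes.get(attr) != wanted:
            return f"deny: ABAC (attribute {attr!r} must be {wanted!r})"
    return "permit"

# Constructed sample identity and resource.
ALICE = Identity("ajones10042", True, "confidential", frozenset({"engineer"}),
                 {"department": "finance", "device_managed": True})
LEDGER = Resource("ledger-db", "confidential", {"ajones10042": {"read", "write"}},
                  {"device_managed": True})
```

Because each layer only narrows what the previous layers allowed, a misconfigured owner ACL or role can never override the MAC floor, which is the property the minimum-standard policy above relies on.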
Finally, my organization ensures that the IAM system operates within its accepted risk appetite. Adequate security measures are applied with defense-in-depth in mind, to ensure that the IAM system runs at the organization's acceptable level of confidentiality, integrity, availability, privacy, and safety.
In conclusion, IAM processes are essential for organizations to protect their critical systems, data, and applications. My organization has implemented a comprehensive IAM system that follows established guidelines and aligns with local and international regulations. This system is enforced through the governing policy and baselines, and authentication is performed through multiple methods. Authorization is applied only after successful authentication and is governed by several access control models. Finally, defense-in-depth measures are applied to ensure acceptable levels of confidentiality, integrity, availability, privacy, and safety.