Identity and Access Management (IAM) policies are designed to stop privilege creep, prevent bad actors from misusing their credentials, detect and mitigate credential theft, and more.
Your particular IAM implementation should be designed to accommodate the size of your organization and the sensitivity of the data you hold.
For instance, the larger and more complex the organization, the more tight IAM controls to determine who should have access to what. Larger enterprises, in particular, need a centralized IAM to effectively keep track of who has access to what data. For example, consider an employee who started in HR before transferring to become a marketing associate.
Unless proper controls have been set up and applied throughout the company, this person may now have access to their HR applications and files and marketing plans. This represents a potentially serious liability.
IAM Implementations Inclusions
No matter what kind of company you work for or what kind of information it holds, its IAM implementation needs to contain some of the following components:
Password Protection Tools
It is said that passwords represent one of the worst ways to authenticate users—but they still aren’t going away.
Users recycle their passwords across different applications, use simple passwords (e.g., “123456”), or leave written sticky notes taped to their monitor. What’s more, hackers are steadily refining their use of adversarial computing techniques that allow them to crack passwords using brute force attacks.
One of the best ways to ensure that your employees’ passwords aren’t stolen is to reduce the number of passwords they need.
For example, an approach called Single Sign On (SSO) lets users create a single password that safely unlocks all their corporate applications. Because employees only have to manage one password at a time for their work, it decreases the likelihood of password reuse and allows them to remember a more complex passphrase.
That being said, your IAM implementation should also blacklist simpler passwords by increasing the cryptographic resiliency of your password hashes with granular controls for salting and stretching them.
If you’ve ever unlocked your smartphone with a fingerprint, then you know that biometric identification is both convenient and effective.
In fact, the proliferation of smartphones has commodified formerly pricey tools like fingerprint scanners, allowing you to place biometric locks on your most sensitive data. We’re not saying that every company has data so sensitive that you should use fingerprint scanners to protect it, but if you’re investing in IAM, it should have that option in case you eventually need it.
In addition to fingerprint scanning, other options enable users to unlock devices and data using technologies such as retina scans or facial ID.
For example, Windows Hello now lets users unlock their laptops or desktops using facial recognition via an attached webcam. These technologies are in relative infancy, but we may one day see them largely replace passwords.
Multi-Factor Authentication (MFA)
Say that someone does manage to steal that critical SSO password and gain access to all of an employee’s applications—what’s next?
In most cases, MFA should represent the next line of defense. Using a technology known as device fingerprinting, your IAM implementation should see that an attacker is using a different computer than normal, and this action should prompt it to invoke MFA.
How so? Well, it involves sending the (legitimate) user a one-time password via email, text, or voice. The idea is that the attacker controls the account information, but not the victim’s phone or secondary email.
For more secure accounts, MFA can also invoke biometrics. The idea here is to stop the attacker by asking them to present information they haven’t stolen.
Large companies may have to onboard dozens (or even hundreds) of new employees every month. Even if these employees are relatively low-level, such as warehouse staff, they still most likely need an email address and an ID.
Whoever is responsible for onboarding and offboarding these employees manually is likely spending full days doing that and not much else.
A good IAM tool will help automatically onboard new employees and offboard those who are leaving.
Instead of manually creating new accounts for all applications they’ll need, you should be able to copy their names, phone numbers, and personal email addresses into IAM, hit “create account,” and then sit back as your IAM tool automatically sends onboarding emails and begins creating accounts.
By the same token, it should be able to automate job transfers and offboarding. Say that an employee changes their position or leaves the company.
You should be able to click a checkbox within IAM and have it automatically cut off access to their old resources and then generate (if relevant) the new access they’ll need. Using automation, administrators can prevent privilege creep, ensuring that neither bad actors nor malicious employees can gain broad access to your organization by misusing a single account.
What’s On Your IAM Checklist?
While the features above are essential, they’re not the only valuable features for an IAM deployment. Essentially, you’ll need to fine-tune your IAM shopping list based on the characteristics of your organization.
For large organizations where each employee has little access to sensitive information, you may want to play up convenience features such as automation. For companies that protect health or banking information, you’ll want to add more security features. Regardless, the core feature set above is a good place to start and a great list to expand on, depending on your needs.
Nick L. Kael is Chief Technology Officer (CTO) at Ericom Software. He has over 24 years of experience in the technology industry, including 17 in cybersecurity. He is knowledgeable in areas including web technologies, architecture, infrastructure, networking and development environments. At Ericom, Nick is responsible for technology partnerships, solutions management, and technology strategy. He was Group CTO for Global Service Providers at Symantec and Director at Zscaler in the Chief Architect Team for Channel and Service Providers in previous roles. From 2009 to 2012, as a member of the Symantec CTO’s team, Nick advised the executive team. Earlier, he held leadership roles in network and security engineering for telecommunications providers including MCI, Qwest, Global Crossing, and British Telecom. He holds certifications in CISSP, CEHv7, CCSK, BCCPP & Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5, and VTSP5.