Between 2009 and 2014, the number of successful attacks on information security increased at an average annual rate of 66%. Bearing in mind that insiders are responsible for two thirds of these attacks, managing users’ access rights with Identity Access Management has become a critical issue taken very seriously by senior management.
A large number of security solutions are now available, offering different value propositions. Identity Access Management (IAM), data access governance (DAG) and privileged account management (PAM) solutions each contribute at a different level to controlling access rights. As the common denominator, the user’s identity can be used to de-compartmentalize these solutions, culminating in an integrated security concept. In the following I describe a framework for using these products based on user identity, and outline an integrated architecture that meets IT security requirements over the long term.
1. Identity Access Management (IAM)
Previously limited to the mere administration of user accounts on IT systems, the management of user identities and their access rights to applications has over the years become a central management tool.
Used by business and IT departments alike, Identity Access Management is used to implement fundamental security rules company-wide, with the objective of controlling users’ access permissions and reducing risk.
More precisely, an IAM solution centralizes and maintains the consistency of data from HR, directories and target systems. By defining roles for users that properly represent their functions within the business, users’ access rights are controlled following the principle of least privilege, ensuring that no combination of roles brings about a high-risk situation. Governance rules and workflows automate user lifecycle management. An IAM system also makes in-depth analysis possible, for audit and forensic investigation purposes. Lastly, recertification of user access rights ensures that they are compliant at all times.
2. Data access governance (DAG)
It is estimated that some 80% of corporate data is unstructured, meaning with no predefined format (file servers, emails, SharePoint resources, etc.). Managing and controlling the security of access rights to such file servers is essential for any business seeking to control the risk of data leaks.
This is exactly what data access governance (DAG) solutions offer: a company can use them to administer its access structures, delegate control over rights to resource owners, and automate the granting and removal of permissions by means of workflows. A user is in this way able to send a permissions request to an owner. Owners, meanwhile, are responsible for access to their data, independently deciding and controlling “who is allowed to do what to what”. A DAG system is also very useful for supplying the analysis and reports needed to meet audit requirements, answering questions such as “who approved this access and when?” or “who is the owner of this resource?”.
In contrast, the user’s roles and other access rights to applications are not taken into consideration by the DAG solution as such. Security is then threatened by the sheer number of user accounts or by the accumulation of access permissions.
It is then a matter of combining the Identity Access Management and DAG systems, with the user’s identity naturally being the common denominator. This approach will enable all necessary data about users to be correlated for properly-informed decision-making and end-to-end management of access rights.
3. Privileged account management (PAM)
Access rights arising from business requirements, for example to carry out financial transactions, should be clearly distinguished from those arising from technical requirements, in particular application administration. User accounts possessing these technical access rights consequently hold high levels of privilege, and represent a significant risk for a business. Yet the majority of these privileged accounts are not definitively assigned to one individual. “Root”, “admin” and “system” accounts are frequently shared between IT system administrators. Controlling and tracing tasks carried out using such accounts then becomes difficult, if not impossible.
This is where privileged account management (PAM) solutions enter the scene. By defining governance rules, a PAM system can be used to administer the groups holding access rights to these specific accounts, and then to allocate and control temporary access rights. Lastly, session logging makes it possible to know exactly what actions have been carried out, which makes understanding any abnormal events somewhat easier.
However, a PAM system operating in a silo gives no visibility over the other access rights of users who hold these privileges. How can access rights be kept to a strict minimum if no overall view is available? It is not difficult to imagine the risk posed by a user having temporary access to the “admin” account for a business application for which he or she also has a user account and a certain level of privileged permissions. Similarly, what about other shared accounts outside the scope of the PAM system?
To resolve this issue, once again we turn towards the concept of a user’s identity in order to gather together all the data about the user (groups, roles, accounts, etc.). Combining these PAM and IAM systems means the company will be in a position to control both the business and technical access rights of its users, by making use of a common reference base of governance rules.
4. Architecture meeting security requirements
To reduce the risk of fraud posed by internal users, all aspects of security related to their access rights must be covered. This entails controlling the privileges attached to business or technical user accounts, whether shared or otherwise, as well as the access rights to applications, file servers and so on, while ensuring that the rules of segregation of duties are followed at all times.
It seems obvious that an architecture based on security tools running in a compartmentalized fashion, each in its own silo, would leave gaps through which malicious internal users would have no difficulty gaining entry to systems to commit their attacks.
In contrast, an integrated architecture pulling together DAG and PAM security tools under one central IAM system would give the business a 360-degree overview of its users, their access rights and the associated risks. The user’s identity, as a common denominator, can be used to consolidate both the data and the administration tasks relating to access rights.
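To make the integration concrete, here is an added Python illustration (not code from the article or from any IAM, DAG or PAM product) of what sections 1 to 4 describe: the user identity is used as the join key across three silo extracts, and a single governance rule base is evaluated over the combined view. The data, user names, role names, share paths and application names are all constructed for the example. The checks implemented are the segregation-of-duties rule from section 1 extended across IAM and DAG entitlements (section 2), the PAM blind spot of a temporary privileged grant on an application where the same person also holds a business role (section 3), and the detection of shared accounts outside the PAM scope that section 3 asks about.

```python
from typing import Dict, List, Set

# Constructed extracts from the three silos (illustrative, not real data).
IAM_ROLES: Dict[str, Set[str]] = {            # IAM: business roles per identity
    "alice": {"ap_clerk", "ap_approver"},
    "bob": {"ap_clerk"},
    "carol": {"finance_reporting"},
}
DAG_PERMISSIONS: Dict[str, Set[str]] = {      # DAG: "share:permission" per identity
    "alice": {r"\\files\finance\payments:write"},
    "bob": {r"\\files\finance\payments:write"},
    "carol": {r"\\files\finance\reports:read"},
}
PAM_GRANTS: Dict[str, Set[str]] = {           # PAM: active temporary grants, "app.account"
    "carol": {"finance_app.admin"},
}
PAM_SCOPE: Set[str] = {"finance_app.admin"}   # shared accounts the PAM system manages
TARGET_ACCOUNTS: Dict[str, Set[str]] = {      # accounts observed on target systems
    "finance_app": {"admin", "alice", "carol"},
    "hr_app": {"system", "bob"},
}
SHARED_ACCOUNT_NAMES = {"root", "admin", "system"}

# Common governance rule base: each rule is a toxic combination of entitlements
# drawn from any silo, prefixed so the source system is explicit.
SOD_RULES: List[Set[str]] = [
    {"role:ap_clerk", "role:ap_approver"},                        # IAM-only rule
    {"role:ap_clerk", r"dag:\\files\finance\payments:write"},     # IAM + DAG rule
]
# Which IAM roles are ordinary business users of which application (constructed).
APP_BUSINESS_ROLES: Dict[str, Set[str]] = {
    "finance_app": {"ap_clerk", "ap_approver", "finance_reporting"},
}


def entitlements(user: str) -> Set[str]:
    """Join the three silos on the user identity, the common denominator."""
    return (
        {f"role:{r}" for r in IAM_ROLES.get(user, set())}
        | {f"dag:{p}" for p in DAG_PERMISSIONS.get(user, set())}
        | {f"pam:{g}" for g in PAM_GRANTS.get(user, set())}
    )


def check_sod(user: str) -> List[str]:
    """Flag toxic combinations, whichever systems the entitlements come from."""
    held = entitlements(user)
    return [f"SoD: {user} holds {sorted(rule)}" for rule in SOD_RULES if rule <= held]


def check_privileged_overlap(user: str) -> List[str]:
    """Flag a temporary privileged grant on an app where the user also holds a business role.

    This is the blind spot of PAM in a silo: PAM sees the grant but not the
    roles, IAM sees the roles but not the grant.
    """
    roles = IAM_ROLES.get(user, set())
    findings = []
    for grant in PAM_GRANTS.get(user, set()):
        app = grant.split(".", 1)[0]
        overlap = roles & APP_BUSINESS_ROLES.get(app, set())
        if overlap:
            findings.append(f"PRIV: {user} has {grant} and business role(s) {sorted(overlap)} on {app}")
    return findings


def unmanaged_shared_accounts() -> Set[str]:
    """Shared accounts present on target systems but outside the PAM scope."""
    seen = {f"{app}.{acct}" for app, accts in TARGET_ACCOUNTS.items()
            for acct in accts if acct in SHARED_ACCOUNT_NAMES}
    return seen - PAM_SCOPE


def evaluate_all() -> Dict[str, List[str]]:
    """Run every rule over every identity known to any of the three systems."""
    users = set(IAM_ROLES) | set(DAG_PERMISSIONS) | set(PAM_GRANTS)
    return {u: check_sod(u) + check_privileged_overlap(u) for u in sorted(users)}


if __name__ == "__main__":
    for user, findings in evaluate_all().items():
        print(user, findings or "no findings")
    print("shared accounts outside PAM:", sorted(unmanaged_shared_accounts()))
```

Run as a script, the report shows why the silos have to be joined: bob triggers no rule in IAM alone and none in DAG alone, but the combination of the clerk role with write access to the payments share does; carol's admin grant is legitimate from the PAM system's point of view, and only the correlated view reveals that she is also a business user of the same application; and the hr_app system account never appears in PAM at all. Prefixing entitlements with their source system keeps one rule base for all three tools, which is what the common reference base of governance rules in section 3 amounts to in practice.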