By Mike Buckley | Pre-Sales Consultant at Nettitude

Are you confident your critical business systems are secure? Willing to bet your career on it? Whilst fairly easy to manage if you have the right systems and procedures in place, if your identity and access management controls are not configured correctly, it could be like leaving the front door of your house wide open. The challenge that many of our clients’ face is working out to what extent they need to configure access to their business-critical systems. With too many controls in place, it can be disruptive to work flow and cause projects to become overdue. However, with too much freedom, you risk compromise to those critical systems. So how do you get the balance right?

Below, we’ve compiled some of our expert in-house knowledge to help businesses get a better idea of how to strike a balance when it comes to identity and access management controls.

What is identity and access management (IAM)?

Identity and access management involve defining controls, both procedural and technical, that show a user’s identity and the access level they are granted or denied to the enterprise IT systems. This can cover everything from defining which staff members have admin rights, to what actions should require admin rights – such as downloading new applications to a work desktop, or changing system preferences. It also includes identification factors such as single sign-on (SSO) systems and multi-factor authentication, with privilege access management acting as an overlay to the authentication schemes. The Identity profile data must always be stored securely and can typically be linked to an existing active directory domain.

These components are available through a multitude of solutions, including on-premise, cloud-based, or a combination of both.

What are the main IAM configuration challenges businesses face?

When it comes to distributed Enterprise IT, both administrators and users will access a series of challenges. These include, but are not limited to, the following areas:

• Identifying users across disparate systems
• Assigning roles consistently across technologies with different capabilities
• Managing password complexity policies
• User credential management and security
• Centralised audit and reporting
• Privilege user access

What’s the solution?

A well set up and continually reviewed identity and access management system will address these challenges, in which reporting and control can be brought into a single system so the process is streamlined and easier to manage. In addition, it is important to consider the ability to scale up or scale down so that your IAM system operates simply across large scale enterprises; or if you’re a growing SME, it means you won’t encounter future challenges or experience the need to create your system from scratch.

What components should an IAM system include?

• The ability to identify users within the system
• Role Based Access Control (RBAC)
• User lifecycle management
• Ease of deployment/management
• Reporting and auditing of access

My current IAM system works well, why should I change it?

Identity and access management controls are ever changing within each organisation as people join, leave and move around your business. For example, identifying users is typically a shared function with an existing service such as Active Directory, in which user data held within AD is used to identify the service roles that are assigned by the IAM product to the user… or so it should be. Without this role-based control, you are not able to make changes easily or scale up/down according to the needs of your business.

In modern ident and access management systems, users entering and leaving an organisation can now be simply controlled by a single change, rather than adding a user across multiple systems. This reduces administration time, as well as room for human error, which inevitably eventually creeps in. It also provides auditable proof that the joiners and leavers process is robust.

How does a good IAM configuration look like?

An IAM should be constructed with the goal of ease of management, as well as fast, accurate, and efficient reporting and auditing. If administrators are frustrated by clumsy User Interfaces or systems that don’t integrate, then they’ll find workarounds that introduce risk and error.

In addition, an IAM should integrate with SIEM technology to allow for long term storage of audit data but should also allow the SIEM to correlate the user behaviour across multiple technologies with a consistent identity.

What’s more, while assigning access rights to privileged identities falls under Privilege Access Management (PAM), a well-developed IAM solution also solves the problem of controlling privileges

Watch out for the trap!

A by-product of IAM is that credentials and roles are potentially stored in a single place, and that place needs to be treated as a critical asset as it will be a target for attack. There have been multiple vulnerability disclosures on IAM products, so it’s important to make sure you do your due diligence when exploring the marketplace. 

Overall, a modern and well configured identity and access management is critical to both the safety and efficiency of your business, in which a poorly established system could affects each staff members ability to do their job. Therefore, it’s really worth getting it right first time to prevent problems from creeping up on your business further down the line. For more advice on establishing or updating your identity and access management system, please don’t hesitate to get in touch with the team.