Today, organizations are aware of the need to protect their data, applications and infrastructure from cyber-attacks. For this reason, many are paying close attention to securing their logical access rights. This is not only because access rights are one of the first points of entry for hackers wishing to infiltrate their information systems, but also because they are subject to regulatory compliance and security standards to which organizations must adhere. It is essential that organizations implement internal security policies and use specific tools to optimize the protection of their logical access rights.
The use of identity and rights management tools is part of this rationale, and the generations of Identity and Access Management (IAM) solutions highlight these changing requirements related to the management, control and analysis of risks linked to access rights. These requirements are increasing in number and diversity and must be addressed to cope with escalating cyber threats. The ability of organizations to adapt their strategy is crucial.
From their inception to the present day, to what extent do identity management solutions enable organizations to deploy an effective and relevant cybersecurity model to protect their logical access rights? Read on to learn more.
Identity and Access Management (IAM): The Definition
Identity and Access Management (IAM) ensures that the right people have the right access to the right resources at the right time and for the right reasons. In other words, it is a way of being sure that employees only have the access permissions that they need to perform their duties within the organization while, at the same time, respecting the principles of least privilege and segregation of duties.
Identity and Access Management monitors the lifecycle of the people who work within the organization as well as the access rights granted to them.
An Identity and Access Management system, or IAM solution, relies on a certain number of rules to recognize identities (human or machine) and groups in order to assign, modify or revoke the access rights with which they are associated, taking into consideration their job functions and responsibilities within the company.
How Identity and Access Management (IAM) Solutions Have Evolved Over Time
Identity and Access Management has been a key topic for organizations for nearly 20 years. Initially, early IAM projects were designed to maximize operational efficiency and reduce the risks associated with managing access rights to applications and corporate resources. It then underwent several successive deployment phases that largely contributed to the evolution of the IAM solutions available in today’s market.
Continue reading to learn about the different evolutions that IAM has undergone, the context in which they took place and how its scope has continued to expand from its onset two decades ago until today.
Identity and Access Management: The Deployment of the First Generation of IAM Solutions
In the early 2000s, the first Identity and Access Management solutions available on the market were designed mainly to meet an operational challenge: the building of an enterprise directory, i.e., a repository of the people who work within the company. The purpose of creating this repository was to facilitate the identification of personnel movement (new arrivals, internal mobility, departures) and the management of the access life cycle at the user account level. The allocation, modification or deletion of these accounts could then be automated.
In addition to building an identity repository, the deployment of several services using the first IAM solutions enabled:
- access control on web applications.
- the creation of SSO (Single Sign-On) components, eliminating the need for users to authenticate several times in the systems.
- the implementation of identity and access life cycle management.
- the creation of an account and access provisioning system to automate technical management.
Driven by the IT departments, these IAM projects helped to optimize operational efficiency and reduce the workload of their teams.
From the Management to the Governance of Identities and Access Rights
While the first IAM solutions arrived on the market to meet the needs expressed by companies, it became quickly apparent that these solutions needed to evolve. Many organizations were confronted with the limits of these solutions and were struggling to:
- rationalize access rights (especially when two people with the same job were supposed to have the same rights),
- integrate access requests into a formal and traceable approval process, and
- report and monitor elements related to the granted rights.
A new generation of software products was born to address these challenges: Identity and Access Governance (IAG).
A few years later, a new milestone was reached: the IAM and Identity and Access Governance (IAG) markets merged and became Identity Governance and Administration (IGA). IGA solutions now cover a wider scope and address new challenges by:
- improving the management of access rights in applications and systems by generalizing the concept of rights management through the creation of roles (Role-Based Access Control (RBAC) and Role Modeling).
- promoting the respect of early regulatory compliance and risk management requirements by ensuring that individuals have relevant and compatible roles (role-based Segregation of Duties (SoD)).
- ensuring the effectiveness of the identity management system in place by recertifying access rights and verifying that the access rights granted to each identity are legitimate.
IGA: The Onset of Expanding Solutions
Since 2018, organizations have once again been facing new challenges. While regulatory standards for the compliance and security of logical access rights are multiplying, significant internal changes are also at work as more and more organizations are moving to the cloud and creating hybrid architectures.
As a result, while controlling logical access rights is a crucial issue for organizations, the implementation of control processes is becoming more complex. Logical access rights are increasing in number and are scattered across information systems (IS), both locally and remotely in the cloud.
In addition, new stakeholders such as internal and external auditors and compliance officers are expressing new requirements in terms of managing and reducing the risks associated with access rights. The execution of user access controls and the creation of compliance reports are essential.
This is no longer just about operational efficiency: it is also about meeting the compliance and security requirements relating to user access rights within organizations.
New services are emerging to enable:
- the implementation of Segregation of Duties controls in the systems themselves to help identify risks related to access rights in a more detailed way (fine-grained SoD).
- the automation of access-related controls such as IT General Controls (ITGCs) in order to identify active accounts of people who have left the company, over-allocation of access rights, atypical access rights, and password policy violations.
- the creation and publication of reports and compliance audits that provide answers to internal and external auditors.
- the building of dashboards that offer more visibility to key managers within the organization.
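A sketch of the access-related controls listed above, added here as an example and not taken from any IGA product: it flags enabled accounts of leavers, compares role-based SoD with fine-grained SoD, and reports atypical rights against same-job peers. The people, accounts, roles, permissions and the 50% peer threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed sample data; every name, role and permission is hypothetical.
HR = {"alice": ("accountant", "active"), "bob": ("accountant", "active"),
      "carol": ("accountant", "active"), "dave": ("buyer", "left")}
# Accounts pulled from applications: (account, owner, enabled)
ACCOUNTS = [("erp-alice", "alice", True), ("erp-bob", "bob", True),
            ("erp-carol", "carol", True), ("erp-dave", "dave", True),
            ("crm-dave", "dave", False)]
ROLES = {"ap_clerk": {"invoice.create", "invoice.view"},
         "ap_manager": {"invoice.view", "payment.approve"},
         "vendor_admin": {"vendor.create", "invoice.create"}}
ASSIGNMENTS = {"alice": {"ap_clerk"}, "bob": {"ap_clerk"},
               "carol": {"ap_manager", "vendor_admin"}, "dave": {"ap_clerk"}}
ROLE_SOD = [("ap_clerk", "ap_manager")]             # role-based SoD rule
PERM_SOD = [("invoice.create", "payment.approve")]  # fine-grained SoD rule

def active_staff():
    return [p for p, (_, status) in HR.items() if status == "active"]

def permissions(person):
    """Effective permissions: union over all roles the person holds."""
    return set().union(*(ROLES[r] for r in ASSIGNMENTS.get(person, ())))

def leaver_accounts():
    """Enabled accounts whose owner has left the company."""
    return sorted(a for a, owner, on in ACCOUNTS if on and HR[owner][1] == "left")

def sod_violations():
    """Return (role-level violators, permission-level violators)."""
    by_role = [p for p in active_staff()
               if any({a, b} <= ASSIGNMENTS.get(p, set()) for a, b in ROLE_SOD)]
    by_perm = [p for p in active_staff()
               if any({a, b} <= permissions(p) for a, b in PERM_SOD)]
    return sorted(by_role), sorted(by_perm)

def atypical_rights(threshold=0.5):
    """(person, permission) pairs held by under `threshold` of same-job peers."""
    flagged = []
    for job in {HR[p][0] for p in active_staff()}:
        peers = [p for p in active_staff() if HR[p][0] == job]
        counts = Counter(perm for p in peers for perm in permissions(p))
        flagged += [(p, perm) for p in peers for perm in permissions(p)
                    if counts[perm] / len(peers) < threshold]
    return sorted(flagged)

if __name__ == "__main__":
    print("leaver accounts:", leaver_accounts())
    print("SoD (role, permission):", sod_violations())
    print("atypical rights:", atypical_rights())
```

In this sample the role-based rule finds nothing, while the permission-level rule flags the one person whose two individually compatible roles combine invoice creation with payment approval.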
This evolution marks a decisive turning point in how organizations view cyber risks. The era of this being the concern of only the IT department is long gone. In today’s world, cybersecurity is becoming everyone’s business. It is a major priority across all departments and requires that each stakeholder have the necessary visibility to anticipate, control and reduce the risks associated with access rights and identities.
Identity and Access Management and Governance (IAM/IGA): Where do we stand today?
Today, many organizations have already started or completed their digital transformation. The rise of remote working, together with other emerging uses, is pushing the limits of IAM and IGA systems.
Although previously centralized, enterprise resources are now scattered across information systems with many of them hosted outside the company’s strict physical perimeter. In these conditions, what is the best way to monitor, control and protect identities and their access?
To achieve this, companies are making a major shift away from the notion of implicit trust to a new approach: zero trust. The need to adopt a zero-trust approach is generating new requirements.
Now more than ever, companies must have an exhaustive, global vision of logical access rights according to:
- the people and identities that hold them,
- the level of sensitivity of the data to which users have access,
- their use, relative to applications and infrastructures, and
- their location, either local or remote.
All this must be considered in a context where the volume of data available to organizations is constantly growing.
The new services offered by the latest IGA solutions are designed to enable organizations to:
- manage non-named accounts, especially privileged accounts.
- set up governance so that they know exactly who has access to what not only from a data point of view but also from an infrastructure point of view.
- have an analytical approach that allows them to automate all the tasks that can be automated in order to better focus on other issues as well as the security strategy in place regarding logical access rights.
IAM and IGA: What problems do companies face when considering solutions currently available on the market?
While the deployment of IAM and IGA systems has made it possible to expand the range of services and solutions currently available on the market, many companies are faced with a major dilemma when considering what strategy to adopt.
While some are using the latest generation of IAM solutions, many are just completing the implementation of their IAM project using an older solution. This begs the question: Have the efforts and significant financial investment of the past few years all been in vain?
Not at all. There are answers to this predicament, starting with Identity Analytics by Brainwave GRC. This identity and access rights technology can be used in conjunction with existing IAM solutions to enhance any efforts and projects undertaken to date, addressing new security, compliance and access rights governance needs.
To learn more, contact us and discover how to maximize the potential of any IAM solution with Brainwave GRC’s Identity Analytics.