Engineer’s Corner – Advanced Security
In any cybersecurity solution, actionable intelligence is at the forefront of an in-depth security program. One of the first things we do as security practitioners is to look at ways to identify the who, the what, the where, and the when of anything that accessed our enterprise. We must ensure we can put an identity on any resource, including users, which is why enterprises should incorporate an Identity Access Management program.
As Gartner states in their Information Technology Glossary, “Identity Access Management (IAM) is a framework that enables the right individuals to access the right resources at the right time for the right reasons. IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements.” IAM is a crucial undertaking for any enterprise and must be business-aligned to ensure the business can protect its intellectual property and allow it to move at a competitive pace. Enterprises that develop mature IAM capabilities can reduce their identity management costs, and more importantly, become significantly more agile in supporting new business initiatives.
Keeping the flow of business data while simultaneously managing its access has always been an enterprise administration’s greatest challenge. The business IT environment is ever-evolving, and the difficulties have only become greater with recent disruptive trends like bring-your-own-device (BYOD), cloud computing, mobile apps, and the increasingly mobile workforce. There are more devices and services to be managed than ever before, with diverse requirements for associated access privilege.
Most Identity and Access Management (IAM) solutions centralize three key pillars:
- Identity (a factor that can be used to recognize a person or a device on the enterprise)
- Authentication (the procedure of uniquely distinguishing a person or a device)
- Authorization (the process of giving someone permission to do or to have something)
Based on your business requirements, you may want to also consider added features like:
- Single Sign-On (SSO) – authenticates users once and allows access to other associated applications approved by the business
- User Provisioning – helps enterprise administrators in creating and managing user accounts and identity information within a centralized platform
- Multi-Factor Authentication – authenticates users by challenging them with multiple authentication factors, e.g., password, SMS, and fingerprint.
- Adaptive Authentication – authenticates users by challenging them with multiple authentication steps based on the users’ risk profile.
When considering user profiles in Identity and Access Management (IAM) solutions, there are several ways of defining the user, risk, and resource requirements; I narrow it down to two key types.
- Role-Based Access Control vs Attribute-Based Access Control
Role-Based Access Control (RBAC), an access control method that provides access rights depending on the user's role in the organization, is the most common type of access control and the simplest to deploy. Attribute-Based Access Control (ABAC) grants access rights to the user by evaluating a combination of attributes together. A good example of ABAC would be allowing only users who are type=employees and have department=HR to access the HR/Payroll system, and only during business hours in the same time zone as the company. ABAC is the most flexible, but also the most complex. ABAC enables refined access control that allows more input variables into an access control decision, and it requires input from various business units in your organization to implement successfully.
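To make the RBAC/ABAC distinction concrete, here is an added example (not code from the article or from any IAM product) that evaluates the HR/Payroll policy described above. The company time zone (a fixed UTC-5 offset), the 09:00 to 17:00 weekday business window, the role table and the sample subjects are all constructed assumptions; the ABAC check fails closed on missing attributes and on timestamps without an offset.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Constructed assumptions (not from the article): the company operates on a
# fixed UTC-5 offset and its business hours are 09:00-17:00, Monday to Friday.
COMPANY_TZ = timezone(timedelta(hours=-5), name="COMPANY")
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)

@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset      # consulted by the RBAC check
    attributes: dict      # consulted by the ABAC check

# RBAC: a static role -> resources mapping; the role alone decides access.
ROLE_PERMISSIONS = {
    "payroll_admin": {"hr_payroll"},
    "engineer": {"source_repo"},
}

def rbac_allows(subject: Subject, resource: str) -> bool:
    """Allow if any role held by the subject is mapped to the resource."""
    return any(resource in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)

def abac_allows_hr_payroll(subject: Subject, request_time: str) -> bool:
    """ABAC policy from the article: type=employee AND department=HR AND the
    request falls within business hours in the company's time zone.
    request_time is an ISO-8601 timestamp that must carry a UTC offset."""
    attrs = subject.attributes
    if attrs.get("type") != "employee" or attrs.get("department") != "HR":
        return False
    when = datetime.fromisoformat(request_time)
    if when.tzinfo is None:
        return False          # ambiguous local time: fail closed
    local = when.astimezone(COMPANY_TZ)
    if local.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return False
    return BUSINESS_START <= local.time() < BUSINESS_END

# Constructed sample subjects for a quick demonstration.
HR_CLERK = Subject("u1001", frozenset({"staff"}),
                   {"type": "employee", "department": "HR"})
CONTRACTOR = Subject("c2002", frozenset({"payroll_admin"}),
                     {"type": "contractor", "department": "HR"})

if __name__ == "__main__":
    print(rbac_allows(CONTRACTOR, "hr_payroll"))                         # True: role alone
    print(abac_allows_hr_payroll(CONTRACTOR, "2024-03-12T10:30:00-05:00"))  # False: not an employee
    print(abac_allows_hr_payroll(HR_CLERK, "2024-03-12T10:30:00-05:00"))    # True
    print(abac_allows_hr_payroll(HR_CLERK, "2024-03-12T23:30:00-05:00"))    # False: after hours
```

Note that the contractor passes the RBAC check purely on the strength of a role, while the ABAC policy rejects the same request because an attribute does not match; that extra input is what makes ABAC both finer-grained and harder to get right.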
- Cloud Identity and Access Management
Cloud computing is a rapidly growing architecture that challenges enterprise administrators with varying workloads, data lakes, and user requirements that can expose them to various kinds of network attacks and privacy issues. For all their cost-effectiveness and flexibility, public cloud networks can create additional challenges: the public cloud provider secures its own infrastructure as a walled garden, while you as the enterprise administrator remain responsible for securing the data and workloads placed within it. In this model, Identity and Access Management is essential.
Cloud IAM tools allow administrators to authorize who can access specific resources, at specific times, in a specific way, giving the enterprise administrator full control over and visibility into their cloud resources. In some cases, Cloud IAM can also govern access to Software as a Service (SaaS) applications for even more granular control. From any Cloud IAM tool, you will want a unified view of security policy across your entire organization and built-in auditing that can ease compliance processes.
For a more specialized approach, enterprises can take advantage of third-party products, such as Okta, which provides IAM for cloud-based applications. Enterprises that want to build their own IAM from scratch can take advantage of open source technologies, but this approach can be more complex.
Enterprises around the world must ensure employees, customers, and business partners all have proper access to information and technology resources in a secure, fast and efficient manner.
By implementing Identity Access Management tools and following related best practices, a company can gain a competitive edge. For example, IAM technologies allow the business to give users outside the organization, like customers, partners, contractors and suppliers, access to its network across mobile applications, on-premise apps and software-as-a-service apps without compromising security. This enables better collaboration, enhanced productivity, increased efficiency, and reduced operating costs.
– Rick Beaupre, Security Solutions Architect