The Fundamentals of Identity and Access Management
Knowing the basics of an effective identity and access management strategy can help auditors provide recommendations that enhance an organization's information security posture.
Francis Kaitano, CISA, CISSP, MCSD.Net, MCAD.Net
Senior Advisor, Technology and Security Risk Services
Ernst & Young
IT networks face increasing threats from inside and outside an organization. Conventional perimeter defenses, for instance, can miss insider threats, such as password disclosures and fraud due to staff collusion, as well as external online threats, including zero-day attacks (i.e., attacks that take advantage of computer security holes for which no solution is currently available). To curb these threats, many IT departments are using companywide identity and access management (IAM) solutions that control ongoing access to information, applications, and networks.
While access to company resources is critical for the day-to-day operations of private, public, and government organizations, this access must be highly secure and fast. In addition, users must be able to access network resources for which they are authorized as easily as possible. During their work, auditors often are required to provide recommendations that improve their organization's IAM activities. But before doing so, they need to understand the basics of IAM systems as well as their role in the design and implementation of IAM strategies.
IDENTITY AND ACCESS MANAGEMENT DEFINED
Before learning the basics behind an effective IAM program, it is important for internal auditors to understand each of the program's components: identity management and access management. Despite the differences between these activities, many beginning auditors treat them the same during audit reviews. However, they each oversee different aspects of the IAM program.
Digital Identities and IAM
As digital identities take on an increasingly important role in specifying how users interact with computer networks, IAM programs become more and more complex. For example, organizations need to manage users efficiently and accurately while granting them access to network resources.
However, organizations rarely store and use identity information in only one place (e.g., company information can be stored in and used by multiple departments, countries, business divisions, and software programs). This, combined with the occurrence of mergers and acquisitions, has resulted in the proliferation of directory services and application-specific identity stores (i.e., applications that store and manage multiple user IDs) and has translated into increasing costs and complex security issues (e.g., the greater the number of identity stores, the greater the likelihood that dormant and orphan accounts are being misused).
Therefore, auditors need to have a sound understanding of the approaches and technologies IT departments can use to address multiple digital identities as a way to help organizations develop a consistent and effective IAM strategy. These approaches and technologies need to implement short-term and strategic approaches to controlling a user's identity.
In essence, identity management is the process for managing the entire life cycle of digital identities, including the profiles of people, systems, and services, as well as the use of emerging technologies to control access to company resources. (A digital identity is the representation of a set of claims made by a digital subject including, but not limited to, computers, resources, or persons about itself or another digital subject. For more information about digital identities, see "Digital Identities and IAM" at right.) The goal of identity management, therefore, is to improve companywide productivity and security, while lowering the costs associated with managing users and their identities, attributes, and credentials.
On the other hand, access management is the process of regulating access to information assets by providing a policy-based control of who can use a specific system based on an individual's role and the current role's permissions and restrictions. When combined, these two processes form the foundation of an effective IAM program.
THE IAM STRATEGY
IAM is a combination of processes, technologies, and policies enabled by software to manage user identities throughout their life cycle. More specifically, the goal of IAM is to initiate, capture, record, and manage user identities and their related access permissions to proprietary information and other company resources. User identities can extend beyond corporate employees and include vendors, customers, floor machines, generic administrator accounts, and electronic access badges. As a result, improving access to network resources and managing an identity's life cycle can provide significant dividends for organizations, such as:
Here are some general strategies auditors can recommend for IT departments to consider when aligning the organization's IAM program to existing business strategies and regulatory compliance requirements:
A chain is as strong as its weakest link, and when it comes to IT security, IAM is the weakest link in many organizations. For example, many IT departments store identity credentials as data objects in different data repositories. Because these organizations can have hundreds of discrete identity stores containing overlapping and conflicting data, synchronizing this information among multiple data repositories turns into a challenging, time-consuming, and expensive ordeal, especially if the data is managed through the use of manual processes or custom scripts.
Another key challenge is related to cost. As a general rule, the costs of managing user identities should be as low as possible to ensure a reasonable return on investment in the IAM project. Too often, identity management projects become too large or cumbersome to finish on schedule; after all, there will always be more applications to integrate into the system. Keeping costs under control can be accomplished by scaling identity life cycle management activities efficiently across various applications and network resources and by employing as few staff as possible to manage IT applications.
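As an added illustration of the synchronization problem described above (this script is not part of the original article): a reconciliation check an auditor could ask for, comparing application-specific identity stores against an HR feed treated as the source of truth and flagging orphan, dormant, and conflicting accounts. The HR feed, store names, user IDs, departments and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data: an HR feed (the authoritative identity source)
# and two application-specific identity stores holding overlapping and
# partly conflicting records. All names, dates and store labels are made up.
HR_FEED = {
    "akhan":   {"status": "active",     "dept": "Finance"},
    "bmoyo":   {"status": "active",     "dept": "IT"},
    "cndlovu": {"status": "terminated", "dept": "Sales"},
}
APP_STORES = {
    "erp": {
        "akhan":      {"dept": "Finance", "last_login": date(2024, 5, 2)},
        "cndlovu":    {"dept": "Sales",   "last_login": date(2023, 11, 1)},
        "svc_backup": {"dept": None,      "last_login": date(2022, 1, 15)},
    },
    "crm": {
        "akhan": {"dept": "Marketing", "last_login": date(2024, 4, 30)},
        "bmoyo": {"dept": "IT",        "last_login": date(2023, 9, 3)},
    },
}

def reconcile(hr, stores, today, dormant_days=90):
    """Compare every application store against the HR source of truth.

    Returns the findings an auditor would want to review:
      orphan   - account with no active HR record (unknown user or terminated)
      dormant  - account whose last login is older than dormant_days
      conflict - attribute (dept) that disagrees with the HR record
    """
    findings = {"orphan": [], "dormant": [], "conflict": []}
    for store, accounts in stores.items():
        for uid, rec in accounts.items():
            hr_rec = hr.get(uid)
            if hr_rec is None or hr_rec["status"] != "active":
                findings["orphan"].append((store, uid))
            elif rec["dept"] != hr_rec["dept"]:
                findings["conflict"].append((store, uid, rec["dept"], hr_rec["dept"]))
            if (today - rec["last_login"]).days > dormant_days:
                findings["dormant"].append((store, uid))
    return findings

def audit_report(today=date(2024, 6, 1)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_FEED, APP_STORES, today)

if __name__ == "__main__":
    for kind, items in audit_report().items():
        print(kind, items)
```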
Identity Synchronization Issues
Besides the challenges stemming from the use of manual processes to manage multiple data repositories, other identity synchronization issues include:
THE ROLE OF INTERNAL AUDITORS
As part of their work, internal auditors need to ensure activities associated with user access are logged for monitoring, regulatory, and investigative purposes. Actions auditors can take as part of the IAM audit include:
Generally, IAM touches every part of the organization — from accessing a facility's front door to retrieving corporate banking and financial information. Because of this, auditors need to understand how organizations can control access more effectively to gain a better understanding of the magnitude of the IAM program. For instance, to effectively control access, managers must first know the physical and logical entry points through which access can be obtained. As a result, auditors should be involved in the development of the organization's IAM strategy by bringing a unique perspective on how IAM processes can increase the effectiveness of access controls and by providing greater visibility into the operation of these controls.
Total Cost of Ownership of Identity and Access Management
IAM is an expensive investment. Besides the recommendations above, auditors can share the following tips with their IT department to help reduce the total cost of ownership of IAM activities:
Note: Support costs are usually the largest portion of total ownership costs, followed by software and hardware costs.
With the continuing rise in identity theft, there is a need for a consolidated approach to improve IAM procedures. As a result, formalized compliance requirements need to be enforced in a top-down organizational approach, while security and software development professionals need to work together to ensure that all systems enforce concrete IAM principles at all levels. Above all, auditors should acquire all the skills necessary so that they can provide recommendations that meet the organization's IAM needs.
For additional information, auditors can read:
Francis Kaitano, CISA, CISSP, MCSD.Net, MCAD.Net, is a senior advisor of technology and security risk services for Ernst & Young in Zimbabwe. Prior to working with Ernst & Young, Kaitano was a systems and solutions developer at CIMAS, a private medical aid society in Zimbabwe. Kaitano also has worked independently as an industry analyst and researcher, covering IT compliance, risk analysis, applications development, incident response, and computer forensics issues.