
Because access management systems are used in numerous firms, the data relevant to security and IAM controls must be consistently organized: stakeholders want assurance that IAM controls in the organization are executed successfully, to lessen the risk of business failure or mishandling of business information.

Identity and Access Management is generally reshaped according to the requester. If a business stakeholder requests urgent access without proper approvals, the organization accepts this as the only way to resolve the issue and avoid business impact, and the stakeholder should be someone entitled to own and handle the associated risk (e.g. CIO, CEO, CTO). IAM controls are applied not because they are required by law or regulation, but because they are good practice and support the organization's business objectives or mission. There should be a set schedule for evaluating and reviewing the IAM controls; shortcomings should be fixed, and the difficulty users face in accessing data must be reduced, as data availability plays a vital role in business impact. Significant changes to the IT framework and processing conditions come about through changes in how firms approach access management and through new innovations in automation.

The first objective of this study is to explore the answers to the research questions:

Are the IAM controls effective as stated?

As we saw from the practical example, a typical IAM procedure provides full traceability and authentication of users and increases efficiency. The risk analysis outcome, comparing the situation before and after the IAM controls, showed that the risk is substantially reduced to a minimum once the IAM controls are applied.

The effectiveness of the IAM controls is closely related to the design of the framework: when the controls are properly designed and implemented, their effectiveness is higher, which lowers the organization's risk from threats and vulnerabilities. With future enhancements to automated IAM controls, the risk levels will decrease further, protecting the stakeholders' interests and ensuring a continuous flow of operations.

Do the IAM controls help the organization to effectively organize accessibility to the users?

As discussed for the risk assessment processes (refer to Chapter 8), the use of IAM controls helped achieve a higher level of progress in risk identification and mitigation.

Technical, management, and operational security controls, or a combination of such controls, proved to maximize the effectiveness of controls for the IT systems and the organization.

Hence, IAM controls, when used appropriately, can reduce, limit, or avoid potential risks and risk sources.

What is the working procedure of authentication methods for creation of digital identities to access information?

The showcased procedure gives users access to the firm's secure information and systems by means of a special privileged account for particular data (refer to Chapter 8.3).

Provisioning the privileged account required authentication steps to create the account for the user, so that the user can access the secure data, the risks to information security are reduced to a minimum, and data handling is carried out in a secure way.

The following details are required for authentication when creating the accounts:

• Approval of the operational manager of the user

• Valid business reason

• List of servers where the account will acquire access

• Justification for privileged special AD account

An effective user access management will depend on:

• Correct design of the approval flow for each access request

• The full help and support of the IAM operations team.

• The skill of the IAM architects, who must have the expertise to apply the IAM controls for access management to a particular site and framework, recognize mission risks, and provide practical safeguards that address the needs of the organization.

• Proper training for the users on good practices for using the special AD accounts for privileged access to data and servers.

• A continuous assessment and review of the IT-related threats to access management.

As the scope of IAM grows exponentially with the rapid increase in cyber-attacks, below are some ongoing enhancements and improvements in access management:

• Automation of the approval process and digital ID creation

• Automatic account logout after a specific time interval

• Different types of privileged accounts for internal employees and contractors

• Implementation of IAM policies in Internet of Things (IoT) devices

In general, top management's decisions are the key IT security factor for the case organization. Employees' conduct and good practice can also raise or lower the risks. Information security is a continuous process of managing risks. One could say that risk management is essentially a dynamic process.

Although current techniques have room for improvement, IAM controls without a doubt serve a significant and practical function for firms: the risk analysis clearly indicated that the potential threats and risks related to access to the firm's sensitive data are greatly reduced, and a good practice is introduced with full visibility and traceability.

IAM controls provide valuable support during disaster recovery in the firm, for auditing who accessed particular data or servers at the time of business impact and the changes made from their end, which are recorded as logs.

Identity and Access Management plays an important role for the organization, as it touches all the centres of the firm: from being the forerunners in information security and the operations executives providing access, to being the go-to people during business impact for access information and logs.


Annexes

Annex 1. Structure of the Interview with Medobal Risk Manager

1. Do you feel your organisation is threatened considerably by risk of cyber-attacks?

2. How do you handle the broadcasting of information?

3. What do you believe to be the high risk impact of using a shared mailbox?

4. What kinds of IAM controls do you consider when a user uses a firm’s resource?

5. How can you monitor the innovations in the field of access management and implement them?

6. What are your thoughts on the top management’s handling of the company’s risk assessment on access management?

7. What do you believe will help to improve the efficiency of usage of IAM controls in business?

8. What are your thoughts on outsourcing IT services?

9. Do you believe every organisation has to employ more IAM experts as threats are increasing rapidly?

10. How does your company educate the customers on the access management policy of their provided firm’s information?