
Identity Governance and Administration (IGA)

IGA is a generic term for the set of IAM measures taken by a company to ensure and prove that users have adequate and sufficient access. “In general, “role” represents a set of responsibilities needed to conduct business operations or transactions, “access” represents the privileges and resources used by someone within a role, and “identity” represents someone with a given role at a certain point in time” (ISACA, The Impact of Governance on Identity Management Programs, 2011). Correctly implemented, IGA allows a company to control and govern all its identities, as well as the access granted, in particular to applications, data and privileged accounts. Strong access governance reduces risk and ensures better control of local, hybrid or cloud networks.


One of the least secure forms of authentication is the simple username/password combination. Yet, many businesses still use it due to the complexity and costs often associated with using more robust forms of authentication.

Many companies sometimes feel that the information they store is of little interest to cybercriminals. However, a breach of their systems can not only prove to be of great value to hackers, but also offer them a means of extending their criminal activities to other networks (customer & supplier, for example). Some of the most important tools of IGA are listed next.

Active Directory:

Active Directory (AD) is the most widely deployed access granting and control platform. It allows companies to create and manage privileged access for a large number of users. These are divided into several levels (called “groups” in the AD). Each group has specific access rights and privileges on the different systems to which users authenticate.

(Detailed description of Active Directory is provided in chapter 6.1)

The main advantage of AD is the centralized control of access over a large part (but not all) of the network, which simplifies the implementation of settings, such as security updates, and the granting of privileges to users. However, the basic IGA functions required for proper AD use often prove to be complex and error-prone without additional IAM tools in place to lighten the workload (Benantar, 2005).

Self-service passwords:

Constantly helping users to reset their passwords, and to unlock their accounts when they forget them, is perhaps the biggest burden on support services. To make matters worse, the trend is towards a more complex password policy and stronger security of these credentials.

However, it is possible to considerably reduce the number of calls to the helpdesk by using tools that allow you to change passwords on a regular or occasional basis in a secure manner through self-service functions.

Role-Based Access Granting and Control:

With Role-Based Access Control (RBAC), used by most companies with more than 500 employees, access to systems is limited to authorized users based on their role in the workplace within the company (or the group to which they belong in the AD).


This approach provides different levels of access to applications and data depending on the role. Permissions are automatically granted based on the tasks assigned to employees, as defined by an authoritative information source, such as an HR system (Benantar, 2005).
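The reconciliation that this kind of role-based granting implies can be sketched as follows. This is an added example, not part of the original text: it compares the groups each user should hold according to an HR export with the groups actually held in the directory, and reports what to revoke or grant. All role names, group names and users are constructed.

```python
# Role -> groups that role is entitled to (the RBAC policy). Constructed names.
ROLE_GROUPS = {
    "accountant": {"GRP_Finance_RW", "GRP_Email"},
    "hr_officer": {"GRP_HR_RW", "GRP_Email"},
    "sysadmin": {"GRP_Server_Admins", "GRP_Email"},
}

# Authoritative source (e.g. an HR export): user -> current role,
# or None when the employee has left. Constructed data.
HR_RECORDS = {"alice": "accountant", "bob": "sysadmin",
              "carol": "hr_officer", "dave": None}

# Group membership as read from the directory. Constructed data.
DIRECTORY_GROUPS = {
    "alice": {"GRP_Finance_RW", "GRP_Email", "GRP_HR_RW"},  # kept old access
    "bob": {"GRP_Server_Admins"},                           # missing a group
    "carol": {"GRP_HR_RW", "GRP_Email"},                    # matches policy
    "dave": {"GRP_Email"},                                  # leaver, still active
    "eve": {"GRP_Server_Admins"},                           # no HR record at all
}


def reconcile(hr_records, role_groups, directory_groups):
    """Return {user: finding} for every user whose access deviates from policy."""
    findings = {}
    for user in sorted(set(hr_records) | set(directory_groups)):
        role = hr_records.get(user)
        # Leavers, orphans and unknown roles are entitled to nothing.
        entitled = role_groups.get(role, set())
        actual = directory_groups.get(user, set())
        if user not in hr_records:
            status = "orphan"    # account exists without an HR identity
        elif role is None:
            status = "leaver"    # identity ended, access should be gone
        else:
            status = "active"
        revoke = sorted(actual - entitled)   # excess access (privilege creep)
        grant = sorted(entitled - actual)    # access the role needs but lacks
        if revoke or grant:
            findings[user] = {"status": status, "revoke": revoke, "grant": grant}
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(HR_RECORDS, ROLE_GROUPS, DIRECTORY_GROUPS).items():
        print(user, finding)
```
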

Multi-factor authentication:

Multifactor authentication is applied to many consumer products, such as email, mobile phones and bank accounts, to provide an additional layer of security in addition to traditional login credentials such as username and password (Benantar, 2005).

It's also a great corporate identity and access management tool, and there are easy-to-use solutions to make sure the authentication process doesn't slow down productivity. Smartphone approval and fingerprint recognition are just two examples of how companies can effectively deploy an additional layer of security without penalizing employees.

Managing passwords and privileged sessions:

As most systems have an administrator account with rights and privileges which are often shared, it is wiser to add secure management of privileged credentials to the IAM solution. Management of privileged passwords can be added as an additional layer of security. Privileged password management tools store privileged passwords in a secure vault, assign them according to pre-established approval paradigms and workflows, and change them at predefined intervals.

Coupled with privileged password management, privileged session management allows organizations to control, monitor and record privileged sessions of administrators, remote vendors and other high-risk users. Session recordings play a particularly important role for forensics, as they help organizations detect suspicious activity in their systems.

Regulators have recently started to put pressure on companies to record sessions requiring privileged access, which will draw more attention to this type of solution. Combined with multi-factor authentication and management of privileged passwords, privileged session management significantly increases the security of enterprise identity and access management policies (Benantar, 2005).

Behaviour analysis of privileged users:

Another useful tool for forensics, the behaviour analysis of privileged users is used to identify suspicious behaviour and to highlight both internal and external threats. User behaviour analysis technology can detect anomalies and prioritize them based on risk level, enabling organizations to prioritize response to threats and take appropriate action.

Combined with other sources of information, such as system and audit logs, and session data, privileged account analysis data strengthens and complements the privileged access management (PAM) functions of enterprises.
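A minimal form of the anomaly detection and risk prioritization described above, as an added example that is not part of the original text: each privileged account gets a baseline of usual hosts and login hours from past sessions, and new sessions are scored and ranked by how far they deviate. The account names, hosts, session records and risk weights are all constructed assumptions.

```python
from collections import defaultdict

# Constructed history of privileged sessions: (user, host, hour_of_day).
BASELINE = [
    ("adm_bob", "srv-db01", 9), ("adm_bob", "srv-db01", 14),
    ("adm_bob", "srv-app02", 11),
    ("adm_kim", "srv-web01", 10), ("adm_kim", "srv-web01", 16),
    ("vendor_x", "srv-app02", 13),
]

# Constructed new sessions to evaluate.
NEW_SESSIONS = [
    {"id": "s1", "user": "adm_bob", "host": "srv-db01", "hour": 10},
    {"id": "s2", "user": "adm_kim", "host": "srv-db01", "hour": 2},
    {"id": "s3", "user": "vendor_x", "host": "srv-app02", "hour": 23},
    {"id": "s4", "user": "adm_new", "host": "srv-web01", "hour": 11},
]

# Assumed risk weights; a real deployment would tune these.
WEIGHTS = {"new_host": 40, "unusual_hour": 30, "no_baseline": 50}


def build_profiles(history):
    """Collect the hosts and login hours previously seen for each account."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, hour in history:
        profiles[user]["hosts"].add(host)
        profiles[user]["hours"].add(hour)
    return profiles


def score_session(session, profiles, hour_tolerance=2):
    """Return (risk_score, reasons) for one session against its baseline."""
    profile = profiles.get(session["user"])
    if profile is None:
        return WEIGHTS["no_baseline"], ["no_baseline"]
    reasons = []
    if session["host"] not in profile["hosts"]:
        reasons.append("new_host")
    # Distance on a 24-hour clock, so 23:00 and 01:00 are two hours apart.
    gaps = [min(abs(h - session["hour"]), 24 - abs(h - session["hour"]))
            for h in profile["hours"]]
    if min(gaps) > hour_tolerance:
        reasons.append("unusual_hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def prioritize(sessions, profiles):
    """Return anomalous sessions as (score, id, reasons), highest risk first."""
    scored = [(*score_session(s, profiles), s["id"]) for s in sessions]
    ranked = [(score, sid, reasons) for score, reasons, sid in scored if score > 0]
    return sorted(ranked, key=lambda item: (-item[0], item[1]))


if __name__ == "__main__":
    for row in prioritize(NEW_SESSIONS, build_profiles(BASELINE)):
        print(row)
```
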

With cyber-threats not about to stop, the best way to prepare for them is to build a cybersecurity strategy that integrates the many facets of IAM.

Cybercriminals have figured out that it is easier to prey on people, often seen as the path of least resistance to corporate networks. So identity is quickly becoming the new security perimeter for companies.

Proper implementation of access and identity management is essential to limit the potential impact of a cyberattack on the business and reduce the risk of internal malicious activity.