Academic year: 2022


PRAGUE UNIVERSITY OF ECONOMICS AND BUSINESS

MASTER'S THESIS

2021 Guhan Balaji Ezhilarasan


Prague University of Economics and Business

Faculty of Informatics and Statistics

The Role and Importance of Identity and Access Management in Firms

MASTER THESIS

Study programme: Applied Informatics

Field of study: Information Systems Management

Author: Guhan Balaji Ezhilarasan

Supervisor: doc. Ing. Vlasta Svatá, CSc.

Prague, January 2021


Declaration:

I hereby declare that I am the sole author of the thesis entitled “The Role and Importance of Identity and Access Management in Firms”. I duly marked out all quotations. The used literature and sources are stated in the attached list of references.

In Prague on... Signature

Guhan Balaji Ezhilarasan


Acknowledgement

I hereby wish to express my appreciation and gratitude to my professor and the supervisor of my thesis, doc. Ing. Vlasta Svatá, CSc.

I’m grateful to the FIS master’s programme coordinator Mgr. Veronika Brunerová and to all of my fellow ISM students with whom I had the pleasure to study and work during my academic years at VSE, Prague.

I would like to thank my family and friends for their guidance and support and, most importantly, I thank my parents, Kanmani Ezhilarasan, BSc. and Ezhilarasan Gurusamy, BE, MBA, for their unconditional love and faith in me throughout my entire life.


Abstract

This thesis aims to clarify how Identity and Access Management (IAM) controls can improve the access management procedure used in firms: by making it more efficient, by reducing the threats related to mishandling of the organization’s information, and by securing access to the organization’s data so that only the right, authenticated person handles the information.

Data security and administrative factors influence the adequacy of IAM control systems. An ever-increasing number of organizations worry about their IT risks these days, particularly organizations whose business depends on information systems (IS), and especially for access management. The goal of this thesis is to determine which risks in the case company should be given the highest priority in order to secure the organization’s information.

Overall, the point is to assess the efficiency and reliability of digital identity handling and access approvals on the basis of IAM controls, and to explain them. In addition, while investigating the risk management methodology, the benefits of the IAM controls in a firm are observed and reviewed with an example of how the control works in a real-world environment.

The general strategy of this study is a qualitative research technique. It is intended to check the general IT risks found in the literature review against the data collected from the case study, in order to analyse the efficiency of the identity and access management procedure.

Key words: Identity and Access Management (IAM), Risk Management, Digital Identity, Threat, Vulnerability, Information security, Access Management, Privileged Accounts, Authentication


Contents

Introduction ... 10

1. Research Methodology ... 11

2. Research Purpose and Question ... 12

3. Importance of IAM controls in firms ... 12

4. Identity Governance and Administration (IGA) ... 15

5. Identity and Access Management in Firms ... 18

6. Roles and Responsibilities of IAM Members ... 20

6.1. Introduction to Active Directory Accounts... 23

6.2. Active Directory Subtype Accounts Overview ... 24

7. Latest trends and challenges in IAM controls ... 27

8. Case-Study: Implementation of Identity and Access Management in an Organization ... 30

8.1. Introduction to GDDB System... 33

8.2. Creation of Digital Identity for User ... 34

8.3. Special AD Account Creation Procedure ... 40

8.4. Exchange Resource Creation (Room, Video Conference, Scanner) ... 45

8.5. Creation of shared generic mailbox ... 53

8.6. Common Roles and Responsibilities for IAM Processes in the firm ... 60

9. Findings from Industry Expert interview to analysis IAM controls ... 62

10. Conclusion ... 66

Bibliography ... 69

Annexes... 70


List of Figures

Figure 1: IAM service components...19

Figure 2: IAM domains and supporting services by AWS...29

Figure 3: Risk Analysis scale...32

Figure 4: Creation of Personal Digital Identity...36

Figure 5: Created Final Personal Digital Identity...37

Figure 6: Selection of Active Directory account...38

Figure 7: Created final AD account...38

Figure 8: Creation of special AD account...42

Figure 9: Selection of special AD account...43

Figure 10: Creation of exchange resource account...44

Figure 11: Created special AD account...49

Figure 12: Selection of exchange resource account...49

Figure 13: Creation of exchange resource mailbox...50

Figure 14: Created final exchange resource mailbox...51

Figure 15: Creation of shared mailbox account...56

Figure 16: Selection of shared mailbox account...56

Figure 17: Creation of shared mailbox...57

Figure 18: Primary mailbox selection...58

Figure 19: Mailbox Creation...58


List of tables

Table 1: Risk and Control Matrix: Creation of Digital Identity for User...34

Table 2: Risk Analysis of digital identity before implementation of IAM control...35

Table 3: Mandatory Field details...36

Table 4: Risk Analysis of digital identity after implementation of IAM control...39

Table 5: Risk and Control Matrix: Special AD Account Creation Procedure...40

Table 6: Risk Analysis of special AD account before implementation of IAM control...41

Table 7: Risk Analysis of special AD account after implementation of IAM control...45

Table 8: Risk and Control Matrix: Exchange Resource Creation (Room, Video Conf., Scanner)...46

Table 9: Risk Analysis of resources before implementation of IAM control...47

Table 10: Risk Analysis of resources after implementation of IAM control...52

Table 11: Risk and Control Matrix: Creation of shared generic mailbox...53

Table 12: Risk Analysis of shared mailbox before implementation of IAM control...54

Table 13: Risk Analysis of shared mailbox after implementation of IAM control...59

Table 14: Process Roles and Responsibilities...61

Table 15: RACI-Matrix...62


List of abbreviations

Abbreviation Definition

ITOM IT Operating Model

GDDB Global Directory Database

IC Internal control

AD Active Directory

GRC Governance, Risk Management and Compliance

GOP / SOP Global / Standard Operating Procedure

IMF Information Management Framework

ERM Enterprise Risk Management

IRM Information Risk Management

AWS Amazon Web Services

BRM Business Relationship Manager

OBS Organization Business Structure

IAM Identity and Access Management

CNIL Commission Nationale Informatique & Libertés

Introduction

Identity and Access Management controls play a vital role in reducing the risk related to access to information in the firm and in securing access to the firm’s information.

Identity and access management (IAM) is a set of controls and procedures to rationally control and organize access rights to IT resources (Benantar, 2005). With a complete and well-managed IAM system, an organization has a reliable repository of its internal and external users. It assigns access rights automatically, often after hierarchical, functional and technical validation, according to the needs and role of the user in the organization. It verifies the identity of the user when he wishes to access data or use applications and systems. IAM tools allow the management of the life cycle of a digital identity within the organization, opening access to information system resources when necessary and deleting or modifying it when the user changes post or leaves the company.

Digital identities are unique to each person employed in the firm and provide different layers of access according to their domain of work, so that users cannot access the organization’s information outside their scope of work. If a user needs to access some sensitive information of the organization, privileged access is granted for a certain period of time and then reverted. Digital identities also provide traceability during a security incident: they make it possible to find who made the changes and at what time the changes were made.

Managing the firm’s digital identities is the main goal of IAM controls; these identities must not be compromised, while access to information must remain readily available to users. Hence IAM plays a vital role in access management and information security of the firm and, when implemented and used in the right way, reduces the risk of exposing firm information. It also helps employees to access data hassle-free and securely to carry out their work without the threat of information leaks, and privileged access to secured information is granted on the basis of a valid business justification and the role of the employee in the organization.


1. Research Methodology

Research has been given different academic definitions. A definition in the Oxford Dictionary is “the systematic investigation into and study of materials and sources in order to establish facts and reach new conclusions” (Research: Definition of research in Oxford dictionary). The theoretical phase helps the study gather specific information about a particular area; practical observations and the analysis of the findings are then related logically back to the theory, and conclusions can be drawn from the investigation for the theoretical definition.

The qualitative research methodology is used to answer the research questions of the thesis.

Primary data:

The findings from the IAM controls practically implemented in the Medobal firm, exploring the role and responsibility of IAM controls and analysing how they reduce the IT risk of the organization.

The data obtained from the expert interview organized with the Medobal firm’s Risk Manager on the risk management of the firm based on IAM controls.

Secondary data:

The knowledge obtained from theoretical research on the subjects of Identity and Access Management (IAM), IAM governance and the role and responsibility of IAM in firms, collected by referring to professional journals, annual reports, books, etc.

Both the primary and secondary data collected are analysed and evaluated to provide the risk analysis on the basis of which the risk of access management is reduced by implementing IAM controls in the organization, and to list the benefits and areas of improvement observed.


2. Research Purpose and Question

The purpose of the research is:

• To describe the identity and access management (IAM) controls of the specific firm and explore their effectiveness and efficiency.

• With the help of risk management, to design the changes and discuss the key features and various benefits.

Within the research I will try to answer the research questions below:

• Are the IAM controls effective as stated?

• Do the IAM controls help the organization to effectively organize accessibility for the users?

• What is the working procedure of the authentication methods used when creating digital identities to access information?

3. Importance of IAM controls in firms

A little over 10 years ago, for new employees of the firm, all you had to do was create the Active Directory account and the mailbox ID. The rest of the onboarding process was mainly to prepare the workstation (a fixed PC or a laptop) and to install and configure the various software.

Nowadays, the workstation is little more than a display terminal for tools, and the IT department has implemented everything so that the workstation requires little maintenance or configuration: GPOs for the automatic deployment of software on workstations, workstations set up in VDI (Virtual Desktop Infrastructure), provision of thin clients, use of RDS servers for Remote Desktop, etc.

The IT department is therefore more focused on using services rather than on resources: cloud services are multiplying and “business” departments are naturally putting pressure on IT to provide various business tools.


For a new employee, there are therefore dozens of accesses to the different business tools that must be created when he/she arrives: access to files, mailbox, instant messaging, CRM, reporting tools, the corporate intranet, expense report management tools, etc.

Creating the AD accounts when a new employee joins the firm is often painful but does get completed. Still, multiple communications are sometimes necessary between managers, HR, the IT department, etc. so that the new employee gets the right access to the software they need.

But this “onboarding” in IAM is only the tip of the iceberg, because identity management has 4 main management points (Benantar, 2005):

• Management of Arrivals: when a new employee arrives. This step is generally carried out, but not necessarily correctly. The accounts are opened, but often only with forceps. The manager finds himself tossed between HR and IT, the former not having informed the latter and the latter not always quick to create access. These back-and-forth trips often create friction between managers and the IT department.

• Management of Departures: when an employee leaves the company. This point is the most painful. No one “needs” the accounts of a user who has left to be closed, and no one is comfortable suspending accounts: “can’t we wait?”, “can we leave it open for the time it takes to take over the files?” And who is in charge of this step? The IT department is only rarely informed of the departure of an employee, and must therefore make do with the means at hand to properly close the accounts of the user who has left. As the processes are not always followed, the IT department has been obliged to set up a regular “account review”: this involves going through the list of accounts and comparing them with the “active” workforce provided by HR at a given time. This “inventory” is often done manually based on Excel files that one tries to merge. It is relatively heavy and is only done annually or biannually.

• Management of Movements: when an employee benefits from internal mobility. In this step there are 2 points: when a user changes position, he benefits from new applications and new rights which correspond to his new function, but he also loses access to the software and rights of his former position. As much as the first point is carried out correctly (as for the arrival of a new employee), the second point is hardly carried out because it is complicated: it is not a question of suspending an account but of modifying the rights, the access perimeter. For example, a salesperson who changes sector should no longer have access to prospects or customers from his former sector.

• Reconciliation: the coherence analysis of active access. This step has no trigger like the arrival or departure of an employee. It involves keeping an “inventory of identifiers” for each user in order to be able to follow up on the previous points. But it is above all a crucial point in identity management to monitor all access accounts and ensure that each has a valid reason for existing (the main reason being that it is used by a particular user). In an ideal world, the identifiers correspond exactly to the users, but there are also “system” accounts, shared accounts, accounts created for testing, temporary accounts, etc.
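As an added illustration of the reconciliation point above (example code written for this edit, not a tool or procedure from the thesis or the case firm): a small Python account review that compares a directory export with HR’s active workforce list and flags the account categories the text names, namely leavers still enabled, accounts with no HR record, unowned system or test accounts, and temporary accounts past their end date. The HR and directory exports, the field names and the 90-day dormancy threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed threshold: an enabled account with no logon for this long has no evident
# "valid reason for existing" and is reported. The thesis gives no figure.
DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    detail: str


def review_accounts(directory, hr_records, as_of):
    """Reconcile a directory export against HR's active workforce list.

    directory:  list of account records with keys sam, uid, enabled, last_logon,
                owner, expires (uid is None for system, shared, test and
                temporary accounts that are not tied to one person).
    hr_records: uid -> {"status": "active" | "left", ...}
    Returns one Finding per rule an enabled account violates.
    """
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue  # already closed, nothing to reconcile
        sam, uid = acct["sam"], acct["uid"]
        if uid is not None:
            # Personal account: it must map to an HR record that is still active.
            rec = hr_records.get(uid)
            if rec is None:
                findings.append(Finding(sam, "no_hr_record", f"uid {uid} unknown to HR"))
            elif rec["status"] != "active":
                findings.append(Finding(sam, "leaver_still_enabled",
                                        f"HR status {rec['status']} since {rec.get('left_on')}"))
        else:
            # Non-personal account: somebody active must own it and answer for it.
            owner = acct.get("owner")
            if owner is None:
                findings.append(Finding(sam, "unowned_non_personal", "no owner recorded"))
            elif hr_records.get(owner, {}).get("status") != "active":
                findings.append(Finding(sam, "owner_not_active", f"owner {owner} is not active"))
        expires = acct.get("expires")
        if expires is not None and expires < as_of:
            findings.append(Finding(sam, "expired_still_enabled", f"expired on {expires}"))
        last = acct.get("last_logon")
        if last is None or as_of - last > DORMANT_AFTER:
            findings.append(Finding(sam, "dormant", f"last logon {last}"))
    return findings


def summarize(findings):
    """Count findings per issue, the headline figures of an account-review report."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed sample exports (not real data); the review date is chosen to match them.
REVIEW_DATE = date(2021, 1, 31)
HR_RECORDS = {
    "u1001": {"name": "Alice Novak", "status": "active"},
    "u1002": {"name": "Bob Dvorak", "status": "active"},
    "u1003": {"name": "Carla Ruiz", "status": "left", "left_on": date(2020, 11, 30)},
}
DIRECTORY = [
    {"sam": "anovak", "uid": "u1001", "enabled": True, "last_logon": date(2021, 1, 10), "owner": None, "expires": None},
    {"sam": "bdvorak", "uid": "u1002", "enabled": True, "last_logon": date(2021, 1, 20), "owner": None, "expires": None},
    # left the company two months ago, account never closed
    {"sam": "cruiz", "uid": "u1003", "enabled": True, "last_logon": date(2020, 11, 25), "owner": None, "expires": None},
    # uid that HR has never heard of
    {"sam": "jsmith", "uid": "u9999", "enabled": True, "last_logon": date(2021, 1, 28), "owner": None, "expires": None},
    # system accounts: one with an active owner, one whose owner has left
    {"sam": "svc_backup", "uid": None, "enabled": True, "last_logon": date(2021, 1, 30), "owner": "u1002", "expires": None},
    {"sam": "svc_legacy", "uid": None, "enabled": True, "last_logon": date(2021, 1, 29), "owner": "u1003", "expires": None},
    # test account nobody owns and nobody has used for months
    {"sam": "tst_loadgen", "uid": None, "enabled": True, "last_logon": date(2020, 6, 1), "owner": None, "expires": None},
    # temporary account past its agreed end date
    {"sam": "tmp_auditor", "uid": None, "enabled": True, "last_logon": date(2021, 1, 5), "owner": "u1002", "expires": date(2020, 12, 31)},
    # already disabled: out of scope for the review
    {"sam": "oldhire", "uid": "u1003", "enabled": False, "last_logon": None, "owner": None, "expires": None},
]

if __name__ == "__main__":
    for f in review_accounts(DIRECTORY, HR_RECORDS, REVIEW_DATE):
        print(f"{f.account:12} {f.issue:24} {f.detail}")
    print(summarize(review_accounts(DIRECTORY, HR_RECORDS, REVIEW_DATE)))
```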

It is thanks to these 4 points, which define IAM, that the company, and more particularly its IT department, controls and secures the digital identity of its employees by managing access rights to resources such as applications, systems, software, networks, data, etc. The HR manager is able to follow the employee from arrival to departure through all his development in the company, involving additions, modifications and deletions of his access rights.

Thus IT, and more broadly companies, are able to meet security and compliance standards, achieve better software management, a major reduction in security breaches and an effective fight against shadow IT.

As for human resources, they have a better approach to the employee through successful onboarding, which makes it possible to provide all the resources he needs upon arrival, career monitoring and controlled offboarding.

In general, employees have access to a large number of core and valuable resources: files, applications, systems, cloud services, network, database, professional telephone, virtual platform, etc. This inevitably introduces a higher risk of fraud and of attacks on the corporate network. We are noticing this with alarming cyberattack figures. What to do? Lock down business resources to a small official list? That would simply be counterproductive. We can clearly see it today: uses are changing, as changes in behaviour such as teleworking prove, and the company must adapt to new uses, in particular those carried by the cloud. Concretely, the evolution of these uses accelerates and multiplies the requests for modification of access on the various software, cloud platforms, etc., which exponentially complicates the monitoring of these accesses. To carry out identity monitoring, the IT department must deploy best practices and monitoring, reporting and control tools, which are very time-consuming in everyday operations. There is therefore a very strong need for automation. Here IAM considerably helps the IT department by setting up a workflow with delegation of validations to the business lines. The IAM software must be a tool managed by IT but used by managers and the HR department (Benantar, 2005). IT departments are often cautious about delegating part of their job to operational staff: CIOs do not really want managers to manage the creation of accounts for their teams themselves.

4. Identity Governance and Administration (IGA)

IGA is a generic term for the set of IAM measures taken by a company to ensure and prove that users have adequate and sufficient access. “In general, “role” represents a set of responsibilities needed to conduct business operations or transactions, “access” represents the privileges and resources used by someone within a role, and “identity” represents someone with a given role at a certain point in time” (ISACA, The Impact of Governance on Identity Management Programs, 2011). Correctly implemented, IGA allows the company to control and govern all its identities, as well as the access granted, in particular to applications, data and privileged accounts. Strong access governance reduces risk and ensures better control of local, hybrid or cloud networks.


One of the least secure forms of authentication is the simple username/password combination. Yet many businesses still use it due to the complexity and costs often associated with more robust forms of authentication.

Many companies feel that the information they store is of little interest to cybercriminals. However, a breach of their systems can not only prove to be of great value to attackers, but also offer them a means of extending their criminal activities to other networks (customers and suppliers, for example). Some of the most important tools of IGA are listed next.

Active Directory:

Active Directory (AD) is the most widely deployed access granting and control platform; it allows companies to create and manage privileged access for a large number of users. Users are divided into several levels (called “groups” in AD). Each group has specific access rights and privileges on the different systems to which users authenticate.

(Detailed description of Active Directory is provided in chapter 6.1)

The main advantage of AD is the centralized control of access over a large part (but not all) of the network, which simplifies the implementation of settings, such as security updates, and the granting of privileges to users. However, the basic IGA functions required for proper AD use often prove to be complex and error-prone without additional IAM tools in place to lighten the workload (Benantar, 2005).

Self-service passwords:

Helping users reset their passwords, and unlock their accounts when they forget them, is perhaps the biggest burden on support services. To make matters worse, the trend is towards more complex password policies and stronger security of these credentials.

However, it is possible to considerably reduce the number of calls to the helpdesk by using tools that allow users to change passwords, on a regular or occasional basis, in a secure manner through self-service functions.

Role-Based Access Granting and Control:

With Role-Based Access Control (RBAC), used by most companies with more than 500 employees, access to systems is limited to authorized users based on their role in the workplace within the company (or the group to which they belong in AD).

This approach provides different levels of access to applications and data depending on the role. Permissions are automatically granted based on the tasks assigned to employees, as defined by an authoritative information source, such as an HR system (Benantar, 2005).
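The “Management of Movements” point in chapter 3 and the RBAC paragraph here describe the same computation: on a job change, the new role’s entitlements are granted and the old role’s entitlements are removed, rather than the account being suspended. The added Python example below (written for this edit, not code from the thesis or from any IAM product) plans that change against a constructed RBAC matrix, keeps individually approved exceptions but reports them for review, and generalizes to arrivals (no previous role) and departures (no new role). The matrix, role names and entitlement names are all constructed.

```python
# Constructed RBAC matrix: role as recorded in the authoritative HR source -> entitlements.
# Role and entitlement names are invented for this example.
RBAC_MATRIX = {
    "sales-north": {"crm:prospects:north", "crm:customers:north", "intranet:read", "expenses:submit"},
    "sales-south": {"crm:prospects:south", "crm:customers:south", "intranet:read", "expenses:submit"},
    "it-helpdesk": {"intranet:read", "expenses:submit", "helpdesk:tickets", "ad:password-reset"},
}


def plan_access_change(current, old_role, new_role, exceptions=frozenset()):
    """Plan the grants and revocations for one identity lifecycle event.

    current:    entitlements the user holds today.
    old_role:   role before the event, or None for an arrival.
    new_role:   role after the event, or None for a departure.
    exceptions: entitlements granted by an individually approved request;
                they survive a move but are reported for review.
    Returns {"grant": set, "revoke": set, "review": set}.
    """
    current = set(current)
    if new_role is None:
        # Departure: everything is closed, approved exceptions included.
        return {"grant": set(), "revoke": current, "review": set()}
    target = RBAC_MATRIX[new_role]
    old = RBAC_MATRIX[old_role] if old_role is not None else set()
    grant = target - current
    # Access that only the former position justified is withdrawn; the account stays.
    revoke = ((current & old) - target) - set(exceptions)
    # Whatever the user keeps that the new role does not explain goes to the manager
    # for review: approved exceptions plus any accumulated drift.
    review = (current - target) - revoke
    return {"grant": grant, "revoke": revoke, "review": review}


def apply_plan(current, plan):
    """Entitlements the user holds after the plan is executed."""
    return (set(current) - plan["revoke"]) | plan["grant"]


def covered(current, role):
    """True when the user holds at least everything the role's matrix row requires."""
    return RBAC_MATRIX[role] <= set(current)


# Constructed example: a salesperson moving from the north to the south sector,
# holding one approved exception and one entitlement nobody can account for.
CURRENT_SALES = {
    "crm:prospects:north", "crm:customers:north", "intranet:read", "expenses:submit",
    "reporting:sales-all",   # approved exception
    "fileshare:marketing",   # drift, never formally granted
}
APPROVED_EXCEPTIONS = {"reporting:sales-all"}

if __name__ == "__main__":
    move = plan_access_change(CURRENT_SALES, "sales-north", "sales-south", APPROVED_EXCEPTIONS)
    for action, items in move.items():
        print(f"{action:7} {sorted(items)}")
    print("covered by new role:", covered(apply_plan(CURRENT_SALES, move), "sales-south"))
    print("arrival grants:", sorted(plan_access_change(set(), None, "it-helpdesk")["grant"]))
    print("departure revokes:", sorted(plan_access_change(CURRENT_SALES, "sales-north", None)["revoke"]))
```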

Multi-factor authentication:

Multifactor authentication is applied to many consumer products, such as email, mobile phones and bank accounts, to provide an additional layer of security in addition to traditional login credentials such as username and password (Benantar, 2005).

It is also a great corporate identity and access management tool, and there are easy-to-use solutions to make sure the authentication process does not slow down productivity. Smartphone approval and fingerprint recognition are just two examples of how companies can effectively deploy an additional layer of security without penalizing employees.

Managing passwords and privileged sessions:

As most systems have an administrator account whose rights and privileges are often shared, it is wiser to add secure management of privileged credentials to the IAM solution. Management of privileged passwords can be added as an additional layer of security. Privileged password management tools store privileged passwords in a secure vault, assign them according to pre-established approval paradigms and workflows, and change them at predefined intervals.

Coupled with privileged password management, privileged session management allows organizations to control, monitor and record privileged sessions of administrators, remote vendors and other high-risk users. Session recordings play a particularly important role for forensics, as they help organizations detect suspicious activity in their systems.

Regulators have recently started to put pressure on companies to record sessions requiring privileged access, which will draw more attention to this type of solution. Combined with multi-factor authentication and management of privileged passwords, privileged session management significantly increases the security of enterprise identity and access management policies (Benantar, 2005).

Behaviour analysis of privileged users:

Another useful tool for forensics, the behaviour analysis of privileged users is used to identify suspicious behaviour and to highlight both internal and external threats. User behaviour analysis technology can detect anomalies and prioritize them based on risk level, enabling organizations to prioritize response to threats and take appropriate action.

Combined with other sources of information, such as system and audit logs, and session data, privileged account analysis data strengthens and complements the privileged access management (PAM) functions of enterprises.

With cyber-threats not about to stop, the best way to prepare for them is to build a cybersecurity strategy that integrates the many facets of IAM.

Cybercriminals have figured out that it is easier to prey on people, often seen as the path of least resistance to corporate networks. So identity is quickly becoming the new security perimeter for companies.

Proper implementation of access and identity management is essential to limit the potential impact of a cyberattack on the business and reduce the risk of internal malicious activity.

5. Identity and Access Management in Firms

Identity and access management (IAM) is the process of managing information and who has access to handle the information over time to perform certain activities. IAM involves the creation of distinct identities for individuals and systems, as well as the association of system and application-level accounts to these identities. IAM processes are used to initiate, capture, record, and manage the user identities and related access permissions to the organization’s proprietary information. These users may extend beyond corporate employees. For instance, users could include vendors, customers and generic administrator accounts. The means used by the organization to facilitate the administration of user accounts and to implement proper controls around data security form the foundation of IAM (IIA, 2007).

Identity and Access Management Components:

Identities take many forms within an organization, and all types of identities should be considered in an identity management process. Identity types include, but are not limited to, any or all of the following (IIA, 2007):

• Employees of the organization.

• Vendors (e.g., external employees).

• IT devices.

• Application service accounts.

When inspecting the identities present in the organization, IAM members should determine whether specific and universally applied identifiers are associated with each identity type.

This allows different rules to apply to the management and review procedures associated with different types of accounts. For instance, a batch account may be subject to different policies and may require a different type of review than a user account.

Figure 1: IAM service components (TechTarget, 2017)

The IAM service components consist of four major services according to the Governance Framework (TechTarget, 2017):

• Authentication Services: Single sign-on, Multifactor authentication, Session and token management.

• Authorization Services: Roles, Rules, Attributes and Privileged access.

• User Management Services: Provisioning, De-provisioning, Self-service and Delegation.

• Directory Services: Identity storage, Directory federation, Metadata sync and Virtual directory.

6. Roles and Responsibilities of IAM Members

This chapter describes a process that supports the creation of personal/generic accounts in an information system. Associates, IT/OT devices, autonomous systems or physical resources might require a personal/generic account to access the Company’s network, systems and information. Personal/generic accounts can only exist if associated with a personal or generic digital identity owned by a Company associate.

A personal/generic account, in conjunction with system roles/entitlements, can be one of the following types (Benantar, 2005):

• Normal accounts: a non-administrator account linked to and used by a person.

• Temporary accounts: an account with elevated privileges, which is active for a limited time. Activation of temporary accounts, their deactivation and the reason for such accounts should be documented.

• Privileged accounts: a user account that allows the user to make changes that will affect other users, circumvent security controls or breach segregation of duties rules.

Privileged accounts can be divided into the following types:

• Shared: multiple users share and use the account. Any shared account must have an owner, be documented, and its use must be reviewed during the periodic review performed by the owner of the shared account.

• Technical: an account that belongs to a Company system and is used to communicate with other Company systems.

• Administrator: the accounts reserved for access with elevated rights. This account type is reserved for tasks that are required to ensure business continuity and system maintenance.

• Emergency: an account with elevated privileges that has bypassed the normal account authorization. Emergency accounts must only be created in response to an emergency business need. Activation of emergency accounts, their deactivation and the reason for such accounts must be documented.

The role of the IAM members in the firm is to grant and modify system permissions. Based on the business justification provided in a request, system permissions are:

• Granted for a new user of the firm.

• Granted/modified when an associate is changing job assignment.

• Granted/modified when an associate is gaining more responsibilities.

Any associate of the firm can submit a system permissions request for internal and external associates. The firm’s information systems have a Role Based Access Control (RBAC) matrix defined, which is referred to when granting system access. The types of system permissions that can be requested for a firm’s system are:

• Normal or privileged end-user permissions: accounts linked to and used by a person (e.g. an internal associate).

• Privileged permissions:

Administrator permissions - accounts used for changes that will affect other users, circumvent security controls or breach segregation of duties. Administrator access can be used to change security settings, install software and hardware, or even have full access to an information system.

Technical permissions - non-personal accounts used by information systems (e.g. applications, databases, middleware) to communicate with each other, also referred to as functional, system or service accounts.

Emergency permissions - the exceptional and temporary provisioning of privileged access to an associate in order to perform a time-sensitive system maintenance or troubleshooting activity. An emergency account is an account with elevated privileges that bypasses the normal account authorization. Emergency accounts must only be created in response to an emergency business need requiring rapid account activation, such as an interruption of the manufacturing process that would negatively impact the quality of the product if the account were not available. Activation of emergency accounts, their deactivation and the reason for such accounts must be documented.

The following is the Standard Operating Procedure of IAM:

This Standard Operating Procedure describes the process for Identities, Accounts and Access Management for Company’s Information Systems (IIA, 2007).

• Provisioning, modification and revocation of digital identities for associates, Information Technology (IT) / Operational Technology (OT) devices, autonomous systems and physical resources.

• Creation of accounts for associates, IT/OT devices, autonomous systems or physical resources to access the Company’s information systems.

• Information system access management: provisioning, modification, revocation and account reviews on all of the Company’s information systems.

Based on the above provided IAM ideas from different scholars and journals, I have derived the specific responsibilities (components, services, etc.) for the IAM in the firm.

The responsibilities of IAM members are:

• Administration of digital identities for identities not linked to an HR Core record

• Administration of standard Active Directory (AD) accounts

• Re-activation (for re-hires within 30 days) and creation (new hires with exception and re-hires after 30 days) of AD accounts and personal mailboxes

• Creation of AD Special Named Accounts (e.g. ADM_, DEV_) and AD Special Generic Accounts (e.g. EDU_, LAB_, SYS_, TEC_, WBA_, TST_, TSP_, INT_, SADM_, SUP_, BLD); more elaborate details of the account types are given in section 6.2

• Creation and deletion of generic mailboxes

• Creation and deletion of resource types: CONF (Conference), SCAN (Scanner), ROOM (Meeting Room), EQIP (Equipment), VC (Video Conference Room), COLLAB (Collaboration Room)

• Creation and revocation of mailbox entitlements

• Emergency Access Termination (emergency account revocation)

• Ensuring data quality

6.1. Introduction to Active Directory Accounts

Active Directory is a directory service that is developed by Microsoft for Windows domain networks. It provides a stable authentication and authorization platform, a central location for network administration, and a means of applying and enforcing policies throughout the enterprise.

Active Directory Account is a user account that is required for access, authentication, and authorization to the organizational network. There are different types of Active Directory accounts, depending on the specific functionality they are designed to allow for the user.

Usage of these account types reduces the risk of a potential leak of information, as each type restricts the user to the information required for his work position, and user activity is monitored and recorded.

All accounts have a defined type and subtype, which differs in terms of capabilities and business rules. The account type/subtype also defines the set of properties for the account, so the Identity Administrator must select the account type/subtype when registering a new account. Once registered, the type/subtype of an account usually cannot be changed – however, special exceptions apply.

AD Standard Named User Accounts - AD Standard Named User Accounts are designed to be used for daily work: Windows logon, access to home and shared data, or email. The name of this account replicates the user's Unique ID and is created for every on-boarded associate by default.

AD Special Named User Accounts - Accounts with elevated Active Directory access rights that are created for users with certain roles within the organization. These accounts link to a user's ID and are named with a prefix that refers to a certain account subtype, followed by the user's ID (e.g. ADM_XXXXX).

Available account subtypes: ADM, SADM, TADM, SUP, TST, and EDU.

AD Special Named User Accounts of the same subtype may be created in more than one domain for a single user. Creation of these accounts requires Manager Approval.

AD Standard Generic User Accounts - AD Standard Generic User Accounts are required to allow for mail delivery in the Microsoft Office 365 (O365) environment, which in turn is necessary for functioning of the site Resources and Shared Generic mailboxes. No elevated rights are to be assigned to any standard generic account without explicit approval from Global IT Security and the account owner is accountable for account usage. There may be special cases for which a standard generic account must be used for testing purposes.

AD Special Generic User Accounts - AD Special Generic User Accounts are required for access with elevated rights or for a specific role that cannot be tied to a named user. All accounts including special generic accounts must be registered in the Identity Management System. These accounts are non-personal accounts that can be used only by an internal user.

Some of these accounts require Manager Approval.

6.2. Active Directory Subtype Accounts Overview

ADM – Administrator:

Administrator Accounts are reserved for users performing administration tasks on servers.

For administrators, the user account must have the following format:

ADM_ (User ID).

The associated rules are as follows:

• ADM accounts should not be used for daily work tasks.


• Additional training may be required to access certain administration tools.

• ADM accounts are used in cases where access to servers is required.

SADM – Site Administrator:

Site administrator accounts are used for local site administration. Such accounts are only used for the following:

• To grant GMT generic and data groups creation privileges.

• To schedule AMT moves.

For Site administrators, the user account must have the following format:

SADM_ (User ID).

The associated rules are as follows:

• Daily work must be done with standard accounts.

• Additional training may be required to access certain administration tools.

TADM – Temporary Administrator:

Temporary administrator accounts are used only in special cases for disaster recovery exercises.

For temporary administrators, the user account must use the following format:

TADM_ (User ID).

The associated rules are as follows:

• Temporary administrator accounts must be approved by the Active Directory Service Owner.

• Daily work must be done with the standard account.

SUP – Supporter:

Supporter accounts are reserved for user support employees with workstation administrator rights.

SUP accounts are for user support and workstation admin rights with corresponding groups.

For supporters, the user account must have the following format:

SUP_ (User ID).

TSP – Tester:

Tester accounts are reserved for performing tests within Production environments. The expiration date for these types of accounts is mandatory.


For testers, the user account must have the following format:

TSP_ (User ID).

EADM – Enterprise Administrator:

Enterprise Administrator accounts are handled by the Active Directory Team.

For enterprise administrators, the user account must have the following format:

EADM_ (User ID).

The associated rules are as follows:

• Daily work must be done with the standard account.

• Used for Active Directory Administration only.

• Additional training may be required to access certain administration tools.

SYS – System User:

System accounts are used by services on servers where interactive logon is not required. All system accounts must be non-interactive by default. They are reserved for infrastructure applications that need any type of privileged rights on the server.

The account format is as follows:

SYS_ (Name provided)

The associated rules are as follows:

• System accounts are applicable only for servers.

• System accounts cannot be used for interactive server logon.

TEC – Technical User:

Technical accounts are designed for the following:

• Require interactive logons to servers.

• Need any type of privileged server rights.

The account format should be as follows:

TEC_ (Name provided)

The associated rules are as follows:

• Passwords must rotate.

• Technical accounts must be used with interactive logon to servers.

WBA – Workstation Bound User:

Workstation bound accounts are Generic Accounts that are used on a specific range of workstations. The purpose of workstation bound accounts is to perform daily activities and tasks for line operators working in the same production line.

The account owner holds complete responsibility for access restriction when the following conditions occur:

• The password is set to never expire

• The account is shared

The WBA account format is as follows:

WBA_ (Name provided)

The associated rules are as follows:

• Windows servers and workstations can be bound.

• Logon is only possible on specified workstations.

• WBA accounts must be bound to at least one valid workstation/server.

• The owner maintains the list of users who share the account and is accountable for it.

EDU – Training User:

Education accounts are designed for training purposes and must be used on training workstations only.

The account format is as follows:

EDU_ (Name provided).
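As an added illustration (not code from the thesis or the case company), the following Python checks an AD account name against the section 6.2 subtype prefixes and the associated rules listed above; the user ID and provided-name formats, which the thesis does not specify, are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Section 6.2 prefixes. Named subtypes are followed by a user ID, generic
# subtypes by a provided name (the list follows 6.2, which differs from 6.1).
NAMED_SUBTYPES = {"ADM", "SADM", "TADM", "SUP", "TSP", "EADM"}
GENERIC_SUBTYPES = {"SYS", "TEC", "WBA", "EDU"}

# Assumption (not stated in the thesis): a user ID is 3-8 upper-case letters or
# digits (the thesis only shows the placeholder ADM_XXXXX) and a provided name
# is 2-32 letters, digits or hyphens.
USER_ID_RE = re.compile(r"^[A-Z0-9]{3,8}$")
PROVIDED_NAME_RE = re.compile(r"^[A-Za-z0-9-]{2,32}$")


@dataclass
class AccountRecord:
    """Properties an Identity Administrator registers for an AD account."""
    sam_account_name: str
    interactive_logon: bool = True          # may the account log on interactively?
    expires_on: Optional[date] = None       # mandatory for TSP (tester) accounts
    password_never_expires: bool = False    # TEC passwords must rotate
    bound_workstations: tuple = ()          # WBA needs at least one binding
    approved_by: Optional[str] = None       # "Manager" or "AD Service Owner"


def parse_subtype(sam_account_name: str):
    """Split 'ADM_AB123' into ('ADM', 'AB123'); reject unknown prefixes."""
    prefix, sep, rest = sam_account_name.partition("_")
    if not sep or prefix not in NAMED_SUBTYPES | GENERIC_SUBTYPES:
        raise ValueError(f"no section 6.2 subtype prefix in {sam_account_name!r}")
    return prefix, rest


def check_account(rec: AccountRecord) -> list:
    """Return the list of rule violations; an empty list means compliant."""
    subtype, rest = parse_subtype(rec.sam_account_name)
    problems = []
    # Naming format: PREFIX_(User ID) for named, PREFIX_(Name provided) for generic.
    if subtype in NAMED_SUBTYPES and not USER_ID_RE.match(rest):
        problems.append(f"{subtype} accounts must be named {subtype}_(User ID)")
    if subtype in GENERIC_SUBTYPES and not PROVIDED_NAME_RE.match(rest):
        problems.append(f"{subtype} accounts must be named {subtype}_(Name provided)")
    # Approval: special named accounts need Manager Approval (6.1); TADM needs
    # the Active Directory Service Owner (6.2).
    if subtype == "TADM" and rec.approved_by != "AD Service Owner":
        problems.append("TADM accounts must be approved by the AD Service Owner")
    elif subtype in NAMED_SUBTYPES and rec.approved_by is None:
        problems.append(f"{subtype} accounts require Manager Approval")
    # Logon and lifetime rules from the per-subtype "associated rules".
    if subtype == "SYS" and rec.interactive_logon:
        problems.append("SYS accounts must be non-interactive")
    if subtype == "TEC" and not rec.interactive_logon:
        problems.append("TEC accounts are used with interactive logon to servers")
    if subtype == "TEC" and rec.password_never_expires:
        problems.append("TEC account passwords must rotate")
    if subtype == "TSP" and rec.expires_on is None:
        problems.append("TSP accounts require an expiration date")
    if subtype == "WBA" and not rec.bound_workstations:
        problems.append("WBA accounts must be bound to at least one workstation/server")
    return problems


def audit(records) -> dict:
    """Map each account name to its violations, for a review of a batch of records."""
    return {r.sam_account_name: check_account(r) for r in records}


# Constructed sample records (not real accounts from the case company).
SAMPLE_RECORDS = [
    AccountRecord("ADM_AB123", approved_by="Manager"),
    AccountRecord("SYS_backup-agent", interactive_logon=False),
    AccountRecord("SYS_report-job"),                          # interactive: violation
    AccountRecord("WBA_line7", password_never_expires=True),  # not bound: violation
    AccountRecord("TSP_CD456", approved_by="Manager"),        # no expiry: violation
    AccountRecord("TADM_EF789", approved_by="Manager"),       # wrong approver
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RECORDS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```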

7. Latest trends and challenges in IAM controls

As businesses adopt more and more cloud services, security professionals are faced with new and exciting challenges. One of them is the rapid proliferation of identities associated with these cloud services. AWS (Amazon Web Services) is one of the most popular and widely used cloud service providers in the world. The more of these services are used, the more identities must be provisioned, and keeping track of them can quickly turn into a nightmare. In the fall of 2014, Adallom - since acquired by Microsoft - estimated that 80% of companies had at least one former employee with a SaaS account still active; that 11% of SaaS application accounts were inactive; that 7% were directors; and that 19% of users bypassed identity and access management systems (Microsoft, 2015). These problems are still very common. They illustrate how difficult it can be to manage the account lifecycle of SaaS applications. And if we still needed convincing of what is at stake, a study on the Rhino Security Labs blog (Gietzen, 2018) highlighted a large number of privilege escalation techniques that were still incredibly common in AWS in early 2018. They take advantage of role models and ill-defined privileges. For large organizations, there may be hundreds, if not thousands, of roles defined for a large number of accounts. The mere inventory of role assignments can be a huge challenge.

While some may already have Identity and Access Management (IAM) policies in place internally, these will likely need to be adapted for cloud environments. For all real human users, accounts should link directly to central directory services like Active Directory, making it easier to provision, audit, and de-provision accounts.

All SaaS applications should require the use of a single sign-on (SSO) system linked to this central directory through federation. For PaaS and IaaS environments, identity governance can be a bit trickier, as all assets (servers, serverless code, storage nodes, etc.) can have their own roles and privileges. Some of these identities - whether they are simple users and groups or more complex role assignments - may not easily align with a central directory, and development and operations teams may in some cases find it easier to use cloud-native tools to manage accounts and identities.

Companies must indeed understand that the evolution to the cloud affects their IAM strategies on two key elements (Deloitte, 2019):

First, the cloud brings new management challenges because companies must now extend the scope of their IAM strategy to manage user access to applications in the cloud, in addition to their on-premises applications. Second, the growing use of management tools in SaaS mode for business functions such as human resources and IT services has paved the way for the implementation of a new collaborative approach called IDaaS (Identity as a Service), capable of increasing business agility and generating value faster while reducing operating costs.

These two challenges are critical for the evolution of companies' IT strategies, leading to two possible scenarios: the management of SaaS as part of the implementation of IAM then the implementation of the IAM-as-a-Service.


Cloud IAM offerings allow you to manage and federate different resources. If they are used well, they can be a real accelerator for the business of the company. But like any service in the cloud, there are advantages (costs, regular updates, etc.) and disadvantages (data control, sometimes non-standard protocols and formats, etc.) (Deloitte, 2019).

Customers and partners, as well as employees or service providers, can benefit from the identity federation. Likewise, specific connectors are implemented for SaaS or on-premises applications used by the company. Users can log in through any type of terminal. There are still a few essentials to take full advantage of an IAMaaS and keep control of it: the ability to perform account reviews, the availability of provisioning connectors to applications and control of sending personal data to the cloud (Deloitte, 2019).

Figure 2: IAM domains and supporting services by AWS (Deloitte, 2019)

Figure 2 above shows the IAM domains and supporting services provided by the AWS cloud platform for enterprise end-to-end solutions, which include access governance, authentication, authorization, accountability and identification. Similar IAM domain development is on the rise with other cloud platform providers such as Microsoft Azure and Google Cloud.


In comparison with on-premises solutions, certain risks will be covered in the same way, or potentially better, by a cloud solution: system availability and data compromise. Suppliers are often more mature than the company on the subject of infrastructure resilience and have anticipated the compartmentalization of administrators from the design of the service.

Other risks, however, must be specifically addressed, such as (Deloitte, 2019):

Reversibility: you must ensure that it is possible at any time to recover your data in a usable format, and you must not make any compromise on the use of standards.

Data isolation: this is sometimes very difficult or even impossible to control; nevertheless, it is possible to contractually ensure the isolation of your data from the supplier's other customers.

Compliance: within the framework of certain obligations, those of the CNIL (Commission Nationale Informatique & Libertés) in particular, as "The CNIL supports the development of new technologies on a daily basis and takes part in the construction of a digital ethic." (The CNIL in a nutshell, 2019). It is necessary to ensure that the outsourced data will be hosted in compliance with the standard. One approach to this is to use data encryption before sending, but this is not necessarily easy to use in an IAM solution.

8. Case-Study: Implementation of Identity and Access Management in an Organization.

This chapter gives a practical view of how the IAM control works on the creation of a new identity for an employee, so that the employee can use this unique identity to access the company's information resources in a secure way, as providing a digital identity for the employees of the firm is a key process of IAM.

The steps below describe a practical example of how the IAM Team of the Medobal organization (a Sri Lankan medical institution in the tourism sector with headquarters in Chennai, India, which acts only as a connecting service and has lately been involved in the development of specific functionalities for healthcare) will create different types of unique identity, and which rules and controls must be followed.

The case study includes a description of the four processes of IAM:

 Creation of digital identity for user

 Creation of special AD account for user

 Creation of exchange resource

 Creation of shared generic mailbox

The analysis of each process includes the following:

 Current state of the process (without support of GDDB)

 Risk map/table with scenarios, probability and impact

 Description of the suggested changes based on the GDDB system with IAM controls

 Risk map/table with scenarios after implementation of these changes

To analyse the benefits of the IAM controls implemented in the firm, a risk assessment method is framed, and every IAM process will be assessed according to how efficiently it reduces the risk of the threats to information security and access management.

Management uses risk assessment to determine the extent of the potential threat and the risk associated with an IT system. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

Risk is a function of the likelihood of a given threat source exercising a particular potential vulnerability, and the resulting impact of that security incident on the organization.

To determine the likelihood of a future adverse event, threats to an IT system must be analysed in conjunction with the potential vulnerabilities and the controls in place for the IT system.

To determine the risk level, the potential vulnerabilities and controls must be investigated in order to conclude the likelihood. A vulnerability may be exploited in the IT system and affect the business severely. The magnitude of impact refers to the relative value of the IT assets, data or other IT components affected.

The most serious risks have both high likelihood and high impact. A high-impact risk with a very low likelihood may not be worthy of attention, and similarly, a highly likely risk with low impact may also be seen as less serious. Based on the product of likelihood and impact, each risk may be classified into different risk levels. For instance, a simple classification may be: high risk, medium risk, or low risk. Other classification approaches are clearly possible, for example a 0-5 scale.

The risk level reflects the priority of that risk. High risks should be given the most attention and the most urgency in the subsequent risk mitigation process. Medium risks should also be addressed by risk mitigation, though perhaps with less urgency. Finally, low risks may be acceptable without mitigation, or may be mitigated if there are sufficient resources. When it comes to IT risk, a measure of it can be defined as the product of probability and impact:

Risk = probability * impact (OHSAS, 2007)

Figure 3: Risk Analysis scale (smartsheet, 2020)

The above scale of risk categories will be used to identify the type of risks in the organization.

8.1. Introduction to GDDB System

A global data repository system for person information is referred to as GDDB (Global Directory Data Base). GDDB is a tailor-made system for Identity and Access management for the Medobal Firm. Global Identity Management Platform is used for registration and life cycle management of users and accounts/mailboxes. Its data is provided to applications and services. GDDB is the authoritative source for digital identities and provides consolidated identity information.

The current system was initially developed to provide platform-independent registration capabilities for e-mail users and to allow smooth migration from one e-mail system to another. Today, AD accounts and email accounts are maintained in GDDB and provisioned to the respective systems. Additionally, functions such as AD account password management and account unlocking can be performed in GDDB.

Basically, the GDDB is authoritative for generating two key data elements, Digital ID and email address.

All Medobal employees or associates requiring IT resources, especially an AD account and email, must be registered in GDDB. As a consequence, several other applications and IT systems use the data generated and stored in GDDB for their purposes.

So the basic functionality of the GDDB is centred on:

• The generation and assignment of the Digital ID

• Mechanisms to ensure the uniqueness of the Digital Identities

• The maintenance of required personnel data.

• The maintenance and provisioning of Active Directory accounts.

• Management of AD passwords.

• Support of recertification processes for manually maintained records


8.2. Creation of Digital Identity for User

a. Current state of the process

The current state of the process involves a requester and an implementer for the creation of a digital identity for a user, and the single account created for the user provides access to the entire firm's resources.

Process to create a new digital identity:

 When a user needs a digital identity, the requester contacts the implementer to generate the digital identity.

 The implementer verifies the business justification only with the requester.

 The implementer provides only First Name, Last Name and Gender details to the system to generate the user ID.

 The user ID is generated for the user.

 The user is informed via email of the creation of the ID and provided with access details.

Risk and Control matrices should capture all relevant information pertaining to a given business/IT process. Important control activity information that needs to be captured in the matrix includes:

 Identified Risks

 Control Objectives

 Missing Control Activities

Risk and Control Matrix: Creation of Digital Identity for User

S.no. | Control Objectives (Business Process & Control Objectives) | Risks | Impact | Control activities (Missing Control activities)
1 | Controls provide reasonable assurance that user activities are monitored while using the digital identity | User's changes/deletion of data in the firm's system are not recorded and can go unnoticed. | Extreme | Controls are such that the user's changes to data and access to the system are recorded in the activity log of the digital identity.
2 | Controls provide reasonable assurance that the user will not be able to log in to multiple computers with the digital identity | User will be able to access the firm's data outside his role and scope. | Extreme | Controls are such that the user is restricted to login and usage of only the assigned computers.
3 | Controls provide reasonable assurance that the user will not be able to make unauthorized actions on the firm's computers, resources and SharePoint | Unauthorized logins and changes made in servers will compromise security and expose the firm's information. | Extreme | Controls are such that access is granted after approval from the firm's manager, with frequent reviews of the server activity log to detect events of unauthorized actions.
4 | Controls provide reasonable assurance that a duplicate identity is not created for the user | User will be entitled to multiple digital identities, which is a security threat to the firm. | High | Proper control checks to ensure no old identity exists for the user before creation of the new identity.
5 | Controls provide reasonable assurance that the digital identity is created with the proper approvals | Digital identity can be created without any approval/notification from the user's manager, which reduces transparency. | Extreme | A proper process approval workflow should be maintained before creation of the digital identity.

Table 1: Risk and Control Matrix: Creation of Digital Identity for User

b. Risk map/table with scenarios, probability, impact

In the table below we see the risks and analyse the risk scenarios associated with the creation and usage of the user's digital identity in the organization before the implementation of IAM controls.

Risk Scenario Category | Impact (1-5) | Likelihood (1-5) | Risk Rating | Baseline
Enterprise/IT architecture | 3 | 3 | 9 | 9
IT operational infrastructure incidents | 3 | 4 | 12 | 9
Unauthorized actions | 5 | 5 | 25 | 9
Software adoption/usage problems | 4 | 3 | 12 | 9
Unable to monitor user activities | 5 | 5 | 25 | 9
Third-party/supplier incidents | 4 | 3 | 12 | 9
Noncompliance | 3 | 5 | 15 | 9
User able to access restricted firm's data | 5 | 5 | 25 | 9
User login multiple servers and computers | 5 | 5 | 25 | 9
Duplicate User ID | 5 | 3 | 15 | 9
User deleting firm's data from system | 5 | 4 | 20 | 9
Mishandling User Personal Information | 5 | 4 | 20 | 9
Data & information management | 4 | 4 | 16 | 9

Table 2: Risk Analysis of digital identity before implementation of IAM control

c. Description of the suggested changes based on GDDB system with IAM controls

Process narratives are a technique for documenting business process transactions together with their associated applications, as shown below. These narratives are among the best documentation tools for IT environments.

Process to create a new digital identity:

 The implementer verifies the business justification with the manager of the requester.

 In GDDB System used by the firm, click Insert Person.

The Search for Duplicates screen appears.

Figure 4: Creation of Personal Digital Identity

 If that particular person record does not exist in ERP system yet, click Insert Person.

In the Insert Person screen, fill in the mandatory fields listed in the table below.

Mandatory Field | Person Record
Last name | Family name of the user.
First Name | First name of the user.
Organization | Organization Name.
Gender | For persons use M for male or F for female.
Category | Internal or external employee.
Supervisor ID | Company Manager or Owner of Identity.

Table 3: Mandatory Field details

 To finish creating a new person record, click Insert. At this point GDDB System generates a Unique ID. A pop-up message appears prompting you to specify the exception.

Figure 5: Created Final Personal Digital Identity

 Once a person record is created in the system, an Active Directory account, mailbox and Skype account can be created.

To create an AD Account for the created Digital Identity:

 Open a generic record of the Digital Identity you want to create an AD Account for and click Add Account.

 The Account Insert Screen opens prompting you to select an account type. A pop-up window opens listing the account types.

 Choose the required AD account for the user and click next.

 The Active Directory account is created and will be synchronized with AD within 4 to 6 hours.


Figure 6: Selection of Active Directory account

Figure 7: Created final AD account

Listed below are the advantages that will help to mitigate or reduce the risks after the implementation of IAM controls:

 Manager approval required for creation of digital identity

 No duplicate ID will be created.

 User provided personal data are verified and recorded till deletion of ID.


 User will have individual digital identity for activity monitoring.
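To make the controls of this procedure concrete, here is an added model of the process in Python; it is not GDDB's code, and the Unique ID format, the duplicate-matching key and the sample request are assumptions.

```python
from dataclasses import dataclass, field
from itertools import count

# Mandatory person-record fields from Table 3.
MANDATORY_FIELDS = ("last_name", "first_name", "organization", "gender",
                    "category", "supervisor_id")
GENDERS = {"M", "F"}
CATEGORIES = {"internal", "external"}
# Special AD account subtypes (section 6.2) that are tied to a named user.
SPECIAL_SUBTYPES = {"ADM", "SADM", "TADM", "SUP", "TSP", "EADM"}


class IdentityError(Exception):
    """Raised when a request violates one of the IAM controls."""


@dataclass
class Person:
    unique_id: str
    last_name: str
    first_name: str
    organization: str
    gender: str
    category: str
    supervisor_id: str
    ad_accounts: list = field(default_factory=list)


class GDDB:
    """Authoritative person registry: issues Unique IDs and AD account names."""

    def __init__(self):
        self._people = {}
        self._seq = count(1)
        self.audit_log = []  # (action, unique_id, approver) entries

    @staticmethod
    def _dup_key(last_name, first_name, organization):
        # Assumption: duplicates are matched on normalised names + organization.
        return tuple(s.strip().casefold() for s in (last_name, first_name, organization))

    def search_duplicates(self, last_name, first_name, organization):
        """The 'Search for Duplicates' step shown before Insert Person."""
        key = self._dup_key(last_name, first_name, organization)
        return [p for p in self._people.values()
                if self._dup_key(p.last_name, p.first_name, p.organization) == key]

    def insert_person(self, fields, approved_by_manager):
        """Insert Person: manager-verified justification, all Table 3 fields, no duplicate."""
        if not approved_by_manager:
            raise IdentityError("business justification not verified with the manager")
        missing = [f for f in MANDATORY_FIELDS if not fields.get(f)]
        if missing:
            raise IdentityError(f"mandatory fields missing: {missing}")
        if fields["gender"] not in GENDERS or fields["category"] not in CATEGORIES:
            raise IdentityError("gender must be M/F and category internal/external")
        dups = self.search_duplicates(fields["last_name"], fields["first_name"], fields["organization"])
        if dups:
            raise IdentityError(f"duplicate identity exists: {dups[0].unique_id}")
        # Assumption: Unique ID format 'P' + 6-digit sequence (not given in the thesis).
        unique_id = f"P{next(self._seq):06d}"
        person = Person(unique_id, *(fields[f] for f in MANDATORY_FIELDS))
        self._people[unique_id] = person
        self.audit_log.append(("insert_person", unique_id, fields["supervisor_id"]))
        return person

    def add_account(self, unique_id, account_type, approved_by=None):
        """Add Account: standard account named after the Unique ID (6.1), or at most
        one special account per record (8.3.c) named PREFIX_(User ID) with approval."""
        person = self._people.get(unique_id)
        if person is None:
            raise IdentityError(f"no person record {unique_id}")
        if account_type == "standard":
            name = unique_id
        elif account_type in SPECIAL_SUBTYPES:
            if approved_by is None:
                raise IdentityError("special named accounts require Manager Approval")
            if any(a.partition("_")[0] in SPECIAL_SUBTYPES for a in person.ad_accounts):
                raise IdentityError("only one special account per record")
            name = f"{account_type}_{unique_id}"
        else:
            raise IdentityError(f"unknown account type {account_type!r}")
        if name in person.ad_accounts:
            raise IdentityError(f"account {name} already exists")
        person.ad_accounts.append(name)
        self.audit_log.append(("add_account", unique_id, approved_by))
        return name


# Constructed sample request (not a real person or Medobal data).
SAMPLE_REQUEST = {"last_name": "Doe", "first_name": "Jane", "organization": "Medobal",
                  "gender": "F", "category": "internal", "supervisor_id": "MGR001"}


def demo():
    """Walk through the process once; returns the identifiers created."""
    db = GDDB()
    person = db.insert_person(SAMPLE_REQUEST, approved_by_manager=True)
    standard = db.add_account(person.unique_id, "standard")
    special = db.add_account(person.unique_id, "ADM", approved_by="Manager")
    try:  # a re-submission with different spacing/case must be caught as a duplicate
        db.insert_person(dict(SAMPLE_REQUEST, first_name=" jane "), approved_by_manager=True)
        duplicate_blocked = False
    except IdentityError:
        duplicate_blocked = True
    return person.unique_id, standard, special, duplicate_blocked
```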

d. Risk map/table with the same scenarios, probability, impact after the implementation of changes

In the table below we see the risk analysis outcome, showing how the implemented changes reduce the risks associated with the creation and usage of the user's digital identity in the organization.

Risk Scenario Category | Impact (1-5) | Likelihood (1-5) | Risk Rating | Baseline
Enterprise/IT architecture | 2 | 2 | 4 | 9
IT operational infrastructure incidents | 3 | 2 | 6 | 9
Unauthorized actions | 3 | 2 | 6 | 9
Software adoption/usage problems | 1 | 3 | 3 | 9
Unable to monitor user activities | 2 | 2 | 4 | 9
Third-party/supplier incidents | 2 | 2 | 4 | 9
Noncompliance | 1 | 1 | 1 | 9
User able to access restricted firm's data | 2 | 2 | 4 | 9
User login multiple servers and computers | 1 | 3 | 3 | 9
Duplicate User ID | 3 | 1 | 3 | 9
User deleting firm's data from system | 3 | 1 | 3 | 9
Mishandling User Personal Information | 2 | 2 | 4 | 9
Data & information management | 2 | 2 | 4 | 9

Table 4: Risk Analysis of digital identity after implementation of IAM control
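An added example, not part of the thesis, that applies the Risk = probability * impact measure of section 8 to the scenario rows of Tables 2 and 4 and reports which ratings remain above the baseline of 9 used in those tables.

```python
BASELINE = 9  # the "Baseline" column of Tables 2 and 4


def risk_rating(impact: int, likelihood: int) -> int:
    """Risk = probability * impact, with both factors on the thesis's 1-5 scale."""
    for value in (impact, likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"scores must be on the 1-5 scale, got {value}")
    return impact * likelihood


# (impact, likelihood) per scenario, copied from Table 2 (before IAM controls)
# and Table 4 (after) of the thesis.
BEFORE = {
    "Enterprise/IT architecture": (3, 3),
    "IT operational infrastructure incidents": (3, 4),
    "Unauthorized actions": (5, 5),
    "Software adoption/usage problems": (4, 3),
    "Unable to monitor user activities": (5, 5),
    "Third-party/supplier incidents": (4, 3),
    "Noncompliance": (3, 5),
    "User able to access restricted firm's data": (5, 5),
    "User login multiple servers and computers": (5, 5),
    "Duplicate User ID": (5, 3),
    "User deleting firm's data from system": (5, 4),
    "Mishandling User Personal Information": (5, 4),
    "Data & information management": (4, 4),
}
AFTER = {
    "Enterprise/IT architecture": (2, 2),
    "IT operational infrastructure incidents": (3, 2),
    "Unauthorized actions": (3, 2),
    "Software adoption/usage problems": (1, 3),
    "Unable to monitor user activities": (2, 2),
    "Third-party/supplier incidents": (2, 2),
    "Noncompliance": (1, 1),
    "User able to access restricted firm's data": (2, 2),
    "User login multiple servers and computers": (1, 3),
    "Duplicate User ID": (3, 1),
    "User deleting firm's data from system": (3, 1),
    "Mishandling User Personal Information": (2, 2),
    "Data & information management": (2, 2),
}


def compare(before, after, baseline=BASELINE):
    """Rate every scenario before and after, flagging ratings above the baseline."""
    rows = []
    for scenario, (impact, likelihood) in before.items():
        rating_before = risk_rating(impact, likelihood)
        rating_after = risk_rating(*after[scenario])
        rows.append({
            "scenario": scenario,
            "before": rating_before,
            "after": rating_after,
            "reduction": rating_before - rating_after,
            "above_baseline_before": rating_before > baseline,
            "above_baseline_after": rating_after > baseline,
        })
    return rows


def summarize(rows):
    """Aggregate figures a reviewer would quote when judging the control set."""
    return {
        "total_before": sum(r["before"] for r in rows),
        "total_after": sum(r["after"] for r in rows),
        "above_baseline_before": sum(r["above_baseline_before"] for r in rows),
        "above_baseline_after": sum(r["above_baseline_after"] for r in rows),
        "largest_reduction": max(rows, key=lambda r: r["reduction"])["scenario"],
    }


if __name__ == "__main__":
    rows = compare(BEFORE, AFTER)
    for r in sorted(rows, key=lambda r: -r["reduction"]):
        print(f"{r['scenario']:<45} {r['before']:>3} -> {r['after']:>3}")
    print(summarize(rows))
```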


8.3. Special AD Account Creation Procedure

a. Current state of the process

The current state of the process involves a requester and an implementer for the creation of a special AD account for a user to access the firm's servers and data.

Process to create a new special AD account for the user:

 When a user needs a special AD account, the requester contacts the implementer to generate the special AD account.

 The implementer verifies the business justification only with the requester.

 The implementer selects the single available special AD account for access to the firm's servers.

 The special AD account is created and will be synchronized with AD within 4 to 6 hours.

 The special AD account is generated for the user.

 When the special AD account has been created, an e-mail is sent to the account owner asking the account owner to reset the default password.

Risk and Control matrices should capture all relevant information pertaining to a given business/IT process. Important control activity information that needs to be captured in the matrix includes:

 Identified Risks

 Control Objectives

 Missing Control Activities

Risk and Control Matrix: Special AD Account Creation Procedure

S.no. | Control Objectives (Business Process & Control Objectives) | Risks | Impact | Control activities (Missing Control activities)
1 | Controls provide reasonable assurance that special AD accounts are created by authorized personnel completely and accurately | Special AD account can be created with wrong permissions and will not be able to serve its business purpose. | Extreme | Proper segregation of duties for the operational personnel must be set with assigned roles and responsibilities.
2 | Controls provide reasonable assurance that the correct special AD account type is created as per the business needs | There are various types of special AD account, and creation of the wrong AD account will not serve the business purpose. | High | Controls are such that the business justification provided is verified accurately before creation of the special AD account.
3 | Controls provide reasonable assurance that the special AD account is created with the proper approvals | Special AD account can be created without any proper business justification and without any approval/notification from the management. | Extreme | A proper process approval workflow should be maintained before creation of the special AD account.
4 | Controls provide reasonable assurance that the user will not be able to make unauthorized actions on the servers | Unauthorized logins and changes made in servers will compromise security and expose the firm's information. | Extreme | Controls are such that access is granted after approval from the firm's manager, with frequent reviews of the server activity log to detect events of unauthorized actions.
5 | Controls provide reasonable assurance that the user will not be able to delete or copy the firm's data | Deleting or copying of the firm's classified data will lead to potential financial loss. | Extreme | Controls are such that the user is provided only with read-only access or the deletion option is disabled.

Table 5: Risk and Control Matrix: Special AD Account Creation Procedure

b. Risk map/table with scenarios, probability, impact

In the table below we see the risks and analyse the risk scenarios associated with the creation and usage of special AD accounts in the organization before the implementation of IAM controls.

Risk Scenario Category | Impact (1-5) | Likelihood (1-5) | Risk Rating | Baseline
Enterprise/IT architecture | 3 | 3 | 9 | 9
IT operational infrastructure incidents | 3 | 4 | 12 | 9
Unauthorized actions | 5 | 5 | 25 | 9
Type of Special AD account adoption/usage problems | 4 | 3 | 12 | 9
Unable to monitor user activities | 5 | 5 | 25 | 9
Third-party/supplier incidents | 4 | 3 | 12 | 9
Noncompliance | 3 | 5 | 15 | 9
User able to access data without approval | 5 | 5 | 25 | 9
User login multiple servers and computers | 5 | 5 | 25 | 9
User performing changes in data | 5 | 3 | 15 | 9
User deleting firm's data from servers | 5 | 4 | 20 | 9
User activity log traceability | 5 | 4 | 20 | 9
Data & information management | 4 | 4 | 16 | 9

Table 6: Risk Analysis of Special AD account before implementation of IAM control

c. Description of the suggested changes based on GDDB system with IAM controls

This section provides step-by-step instructions describing how to create a special AD account. Each GDDB generic record can be associated with only one special account.

Process to create a special AD Account:

 Open a person record of the Digital Identity you want to create an AD Account for and click Add Account.

The Account Insert Screen opens prompting you to select an account type.

Figure 8: Creation of special AD account

 To show the account types available, click.

 A pop-up window opens listing the account types.


Master Thesis Topic: The Role and Importance of Identity and Access Management in Firms Author’s name: Guhan Balaji