With the complexities of today's networks, ensuring proper oversight of network identities and related assets is crucial. Just as perimeter security and patch management are critical components of a security program, identity and access management must also be mastered.
Implementing a successful IAM program is challenging because every organization has unique needs and tolerances to risk. However, there are a handful of fundamental steps security teams can take to master IAM at organizations of all sizes and industries. Avoid identity and access oversight from becoming the network's Achilles' heel by adopting the following four identity and access management best practices.
1. Document expectations and responsibilities for IAM success
A successful IAM system is not complete unless and until the rules of engagement are documented. While documentation is not everything -- too many organizations rely on it too much -- it is a necessity. Infosec professionals must avoid an overreliance on documentation and instead develop -- and communicate -- standards and policies in a balanced way.
Many organizations implement privileged account management, single sign-on and user provisioning, and yet, these IAM controls are ineffective time and again. This is often a result of communication breakdowns among IT and security teams, stakeholders, system analysts, business unit leaders and HR managers. It is commonly the case that each individual is looking at each other and assuming that everyone is doing their part. Troublingly, IAM standards, policies and procedures hang in the balance as a result. It is important this documentation is understood by and agreed upon by everyone across the organization to implement the identity and access management best practices successfully.
2. Centralize security and critical systems around identity
Many organizations make the mistake of implementing expensive IAM systems on one part of the network -- typically with Windows Active Directory -- while other critical systems fall outside of such purview. This includes ERP and other web systems, mobile and cloud environments, source code repositories and IoT. Adding to the disarray in these cases, internal employee identities are governed, but external partners, contractors and customers are often not subject to oversight.
IAM is not easy, and successfully implementing an IAM system enterprise-wide can take a significant amount of time. An identity and access management best practice is to roll out the program in phases to ensure secure adoption of policies and procedures. Make sure short- and long-term plans expand the scope of IAM across all business-critical systems where possible and reasonable.
3. Codify business processes to minimize risks
Often, day-to-day processes for identity management and account access are taken for granted. For example, common roles needing access, anomalous access requests and actual versus requested access rights must be considered.
These fundamental identity and access management best practices should not be glossed over. If left unchecked, they perpetuate identity- and account-related oversights and what might be considered unnecessary security risks. For example, privilege creep and identity lifecycle mismanagement can occur, resulting in consequences both swift and steep.
4. Evaluate the efficacy of current IAM controls
Unfortunately, implementing the security controls in an IAM program can lull organizations into a false sense of security. This phenomenon of taking security for granted may manifest in security teams not measuring the IAM program's progress over time.
In some cases, enterprise investments are made and controls are rolled out, yet the IAM program is not effectively enforcing or governing identity authentication and access across the network. The best way to avoid underimplementing IAM systems in this way is to continually ask the question, "How is this program working for the organization?" Determine specific benefits and drawbacks in the context of security oversight, and measure those metrics. Use zero-based thinking to determine what the organization should do more of and what it should do less of when it comes to IAM implementation. This exercise can go a long way toward achieving and maintaining a truly effective IAM system.
8 additional IAM best practices to consider
Expensive investments in the latest cybersecurity tools and technology are no replacement for the protection that IAM best practices can provide. Take these steps to securely manage network identities and limit the risk of IAM-related security incidents:
- Reduce network complexity wherever possible.
- Improve audit trails to help with oversight and compliance.
- Implement separation of duties and principle of least privilege.
- Ensure users have the proper permissions they need to do their jobs.
- Ensure privileged accounts are properly managed.
- Use IAM products to fine-tune your environment.
- Minimize costs and maximize satisfaction by having users manage their own accounts through customized IAM workflows.
- Focus on visibility and control.
Improperly secured and managed network identities are a tangible risk. The last thing a security team should do is mismanage -- or undermanage -- these assets. Whether it's accounts that are stolen, orphaned or otherwise unknown, the keys to the kingdom should not be the low-hanging fruit that creates the next incident or breach.