Identity & Access Management – What it is and why it is crucial for companies cyber security
Identity management is one of the most important pillars of corporate cyber security: the more identities there are in an organization, the greater the risk of falling victim to a successful cyber attack. In this article, Philipp Plum, Senior Communications Consultant at PIABO, explains how identity management works and what companies need to consider in their IAM.
Identities and how we deal with them are a part of our everyday life. And everyone has different identities. From a passport, to a customer account at an online shop, to a membership card at the local fishing club - all identities belong to a natural person, but differ in their purpose and in the attributes they contain: a passport contains different information than a membership card.
In companies, people have yet another identity. The attributes that are crucial here are, for example, name, gender, position title, department, supervisor, and so on. Different access rights are linked to these identities: employees in the finance department need access to invoices, employees' salaries and the respective account data for their daily work. Employees in sales do not need (and are not allowed!) access to the same information, but rather to product presentations, customer databases, and leads.
The administration of all these identities and their access rights to certain data is regulated by a so-called Identity & Access Management (IAM).
Authentication in IAM
In order to access data, applications and other resources in the company, employees authenticate their identities: in other words, they prove that it is really they who are accessing company data. The best-known authentication method is probably the combination of username and password, even though this method is now considered outdated, insecure, and inconvenient. Many companies therefore rely on two-factor or multifactor authentication via hardware tokens (e.g. YubiKeys) or same-device MFA (as with IDEE) to better protect identities.
Unmanaged identities: a threat to corporate security
Once identities are confirmed, we face the next challenge: employee identities are a worthwhile target for cybercriminals. The more access rights an employee has, the greater the yield of information after a successful attack. For this reason, companies use solutions for Identity & Access Management. Well-known providers include SailPoint, ForgeRock, Okta, and OneIdentity.
With the help of an IAM, access rights to data can be managed. The central question behind IAM is: "Who has access to which data, from where, and is that person authorized to do so?" With IAM, access authorizations can be granted and revoked as needed. A similar principle applies here as in medicine: as much as necessary, as little as possible (called the principle of least privilege in technical jargon).
The various providers differ greatly in their offerings and approaches, especially in the degree of automation: while some require a great deal of manual effort on the part of IT administrators, others use AI technologies to decide who may have access to which data. However, all these solutions have one goal: to recognize unmanaged identities, manage their access rights, and thus, strengthen cyber security.
Joiners, Movers & Leavers
Employees pass through different stages in a company, which means that the corresponding identity also has different "life phases" - this is referred to as the "access life cycle".
Joiners have just joined the company and first of all need access rights to certain data in order to be able to start working.
Movers refers to users or identities that change within an organization: for example, in the case of a promotion or a change of department, the tasks, and therefore, the access requirements, logically, also change. It is important not only to grant new access rights, but also to revoke old ones.
Leavers are employees who leave the company. Their access rights must therefore be revoked or the corresponding identity deleted completely. Otherwise, there is a risk of accounts that appear to be no longer active but can still access possibly critical data - a potential security gap.
A popular anecdote among IT admins in this context is the trainee who joins the company and passes through various departments in the course of his training. Since the company does not have an IAM, he accumulates access rights at each station of his brief tour through the company's everyday life, from HR to finance to IT, and none of them are revoked when he moves on. The result: an identity with access to the most critical company data and thus a jackpot for cyber criminals, should the trainee's account fall into the wrong hands.
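The joiner/mover/leaver lifecycle and the trainee anecdote above, as an added illustration that is not part of the original article: a small Python model in which a governed mover revokes the old department's rights before granting new ones, and an audit that flags both accounts holding rights beyond their current role and leavers that still hold access. The department-to-entitlement map and the user names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role-to-entitlement map (hypothetical, for this example only).
ROLE_ENTITLEMENTS = {
    "hr": {"personnel_files", "salaries"},
    "finance": {"invoices", "salaries", "bank_accounts"},
    "sales": {"product_decks", "crm", "leads"},
    "it": {"admin_console"},
}

@dataclass
class Identity:
    user: str
    department: str
    active: bool = True
    entitlements: set = field(default_factory=set)

def joiner(user, department):
    """New hire: starts with exactly the rights of their role."""
    return Identity(user, department, True, set(ROLE_ENTITLEMENTS[department]))

def mover(ident, new_department):
    """Governed move: revoke the old role's rights, then grant the new ones."""
    ident.entitlements -= ROLE_ENTITLEMENTS[ident.department]
    ident.department = new_department
    ident.entitlements |= ROLE_ENTITLEMENTS[new_department]
    return ident

def ungoverned_move(ident, new_department):
    """What happens without IAM: new rights are added, old ones never revoked."""
    ident.department = new_department
    ident.entitlements |= ROLE_ENTITLEMENTS[new_department]
    return ident

def leaver(ident):
    """Offboarding: deactivate and strip every entitlement."""
    ident.active = False
    ident.entitlements.clear()
    return ident

def audit(identities):
    """Findings: rights beyond the current role, and inactive accounts with access."""
    findings = []
    for i in identities:
        excess = i.entitlements - ROLE_ENTITLEMENTS.get(i.department, set())
        if excess:
            findings.append((i.user, "excess", sorted(excess)))
        if not i.active and i.entitlements:
            findings.append((i.user, "leaver_with_access", sorted(i.entitlements)))
    return findings
```

Running the trainee through hr, finance and it with `ungoverned_move` leaves four entitlements the `it` role does not need; the same path through `mover` leaves only `admin_console` and an empty audit.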
A few points for good IAM
Decision-makers who feel uneasy about their own identity practices as they read this should not simply call their Chief Information Security Officer (CISO) and ask for "an IAM solution". As with many things, there is a wide variety among providers. A checklist of criteria that an IAM should meet:
High degree of automation: The effort required to manage identities and their access rights is high, and it increases as more employees join the company. Automation therefore not only helps to distribute access rights quickly so that employees can work more efficiently - it also relieves IT admins in their daily work.
Clarity: Integration into existing security solutions or a well-structured dashboard helps administrators keep track of the identities in the network.
Compliance: Since IAM solutions process personal data, they must comply with data protection laws. This includes the use of European data centers if the solution is cloud-based.
Focus on users: Some solutions offer functions that allow users to request data access themselves - without a helpdesk, emails, or tickets. Administrators can then grant or deny access, with an AI-based assessment of whether the request should be granted if necessary.
In combination with good password security and high cyber awareness among employees, an IAM ensures that users can only access data for which they have a legitimate need. Companies can thus prevent cyber attacks and compliance violations.
Did you know? October has been the official Cyber Awareness Month since 2004. The themed month is intended to remind people and companies to think about their IT security and to question any problematic areas.