What Are Best Practices for Identity and Access Management?
Identity and Access Management (IAM) policies are designed to stop privilege creep, prevent bad actors from misusing their credentials, detect and mitigate credential theft, and more.
Your particular IAM implementation should be designed to accommodate the size of your organization and the sensitivity of the data you hold.
For instance, the larger and more complex the organization, the tighter the IAM controls it needs to determine who should have access to what. Larger enterprises, in particular, need a centralized IAM to effectively track who has access to what data. For example, consider an employee who started in HR before transferring to become a marketing associate.
Unless proper controls have been set up and applied throughout the company, this person may still have access to HR applications and files in addition to the marketing plans they now need. This represents a potentially serious liability.
What an IAM Implementation Should Include
No matter what kind of company you work for or what kind of information it holds, its IAM implementation needs to contain some of the following components:
Password Protection Tools
It is said that passwords represent one of the worst ways to authenticate users—but they still aren’t going away.
Users recycle their passwords across different applications, use simple passwords (e.g., “123456”), or leave written sticky notes taped to their monitor. What’s more, attackers keep refining the computing techniques that let them crack passwords by brute force.
One of the best ways to ensure that your employees’ passwords aren’t stolen is to reduce the number of passwords they need.
For example, an approach called Single Sign-On (SSO) lets users create a single password that safely unlocks all their corporate applications. Because employees only have to manage one password for their work, it decreases the likelihood of password reuse and allows them to remember a more complex passphrase.
That being said, your IAM implementation should also blacklist weak and commonly used passwords, and it should increase the cryptographic resiliency of the password hashes it stores with granular controls for salting and stretching them.
Biometric Authentication
If you’ve ever unlocked your smartphone with a fingerprint, then you know that biometric identification is both convenient and effective.
In fact, the proliferation of smartphones has commodified formerly pricey tools like fingerprint scanners, allowing you to place biometric locks on your most sensitive data. We’re not saying that every company holds data sensitive enough to warrant fingerprint scanners, but if you’re investing in IAM, it should have that option in case you eventually need it.
In addition to fingerprint scanning, other options enable users to unlock devices and data using technologies such as retina scans or facial recognition.
For example, Windows Hello now lets users unlock their laptops or desktops using facial recognition via an attached webcam. These technologies are in relative infancy, but we may one day see them largely replace passwords.
Multi-Factor Authentication (MFA)
Say that someone does manage to steal that critical SSO password and gain access to all of an employee’s applications—what’s next?
In most cases, MFA should represent the next line of defense. Using a technology known as device fingerprinting, your IAM implementation should detect that a login is coming from a different device than the user normally uses, and that should prompt it to invoke MFA.
How so? Well, it involves sending the (legitimate) user a one-time password via email, text, or voice. The attacker holds the stolen account credentials, but not the victim’s phone or secondary email.
For more secure accounts, MFA can also invoke biometrics. The idea is to stop the attacker by asking them to present the information they haven’t stolen.
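The step-up flow described in this section, as an added example in Python that is not code from the original article or from any IAM product: a login from a device fingerprint the account has never completed a login from is challenged with a one-time password, and a correct, unexpired code presented from that same device enrols it. The fingerprint attributes, OTP length and lifetime, and the account structure are all assumptions; delivery of the code over email, text or voice is outside the example.

```python
"""Added example: risk-based MFA keyed on a device fingerprint.
Not from the original article; all names and values are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

OTP_TTL_SECONDS = 300   # assumed lifetime of a one-time password
OTP_DIGITS = 6


@dataclass
class Account:
    username: str
    # Fingerprints seen on prior successful logins.
    known_devices: Set[str] = field(default_factory=set)
    # (code, expires_at, fingerprint the challenge was issued for)
    pending_otp: Optional[Tuple[str, float, str]] = None


def device_fingerprint(user_agent: str, platform: str, screen: str, timezone: str) -> str:
    """Hash of client-reported attributes. These are self-reported and can be
    copied, so the fingerprint is a risk signal that decides whether to ask
    for MFA; it never replaces the second factor itself."""
    raw = "|".join([user_agent, platform, screen, timezone])
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def begin_login(account: Account, password_ok: bool, fingerprint: str, now: float) -> str:
    """Return 'denied', 'allowed' or 'mfa_required'. In the last case a fresh
    OTP is stored for delivery over the user's enrolled out-of-band channel."""
    if not password_ok:
        return "denied"
    if fingerprint in account.known_devices:
        return "allowed"
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    account.pending_otp = (code, now + OTP_TTL_SECONDS, fingerprint)
    return "mfa_required"


def complete_login(account: Account, submitted_code: str, fingerprint: str, now: float) -> bool:
    """Consume the pending OTP. It succeeds only if the code matches, has not
    expired, and is presented from the device the challenge was issued for.
    The challenge is discarded either way so a code cannot be retried."""
    pending = account.pending_otp
    account.pending_otp = None
    if pending is None:
        return False
    code, expires_at, challenged_fp = pending
    if now > expires_at or fingerprint != challenged_fp:
        return False
    if not hmac.compare_digest(code, submitted_code):
        return False
    account.known_devices.add(fingerprint)
    return True


if __name__ == "__main__":
    import time
    acct = Account("alice")
    fp = device_fingerprint("Mozilla/5.0", "Win32", "1920x1080", "UTC")
    print(begin_login(acct, True, fp, time.time()))          # mfa_required
    print(complete_login(acct, acct.pending_otp[0], fp, time.time()))  # True
    print(begin_login(acct, True, fp, time.time()))          # allowed
```

Binding the challenge to the fingerprint it was issued for and discarding it after one attempt are the two details that keep a stolen password plus a guessed code from being enough; the enrolled-device set is what lets the legitimate user skip the prompt on their usual machine.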
Automated Onboarding and Offboarding
Large companies may have to onboard dozens (or even hundreds) of new employees every month. Even if these employees are relatively low-level, such as warehouse staff, they still most likely need an email address and an ID.
Whoever is responsible for manual onboarding and offboarding these employees is likely spending full days doing that and not much else.
A good IAM tool will help automatically onboard new employees and offboard those leaving.
Instead of manually creating new accounts for all applications they’ll need, you should be able to copy their names, phone numbers, and personal email addresses into IAM, hit “create account,” and then sit back as your IAM tool automatically sends onboarding emails and begins creating accounts.
By the same token, it should be able to automate job transfers and offboarding. Say that an employee changes their position or leaves the company.
You should be able to click a checkbox within IAM and have it automatically cut off access to their old resources and then generate (if relevant) the new access they’ll need. Using automation, administrators can prevent privilege creep, ensuring that neither bad actors nor malicious employees can gain broad access to your organization by misusing a single account.
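The onboarding, transfer and offboarding automation described above, as an added Python example that is not code from the original article or from any IAM product. It reconciles an account's current entitlements against the set its role should have, so a transfer revokes the old role's access while granting the new role's, and a departure revokes everything; this is the control that stops the HR-to-marketing employee from keeping HR access. The role-to-application mapping and sample users are constructed for illustration, and the grant and revoke actions stand in for calls to each application's provisioning API.

```python
"""Added example: role-based reconciliation for joiner, mover and leaver
events. Not from the original article; roles and apps are assumptions."""
from typing import Dict, List, Optional, Set

# Assumed mapping from job role to the entitlements it should carry. A real
# deployment derives this from the HR system of record.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "hr_generalist": {"email", "hris", "payroll", "hr-shared-drive"},
    "marketing_associate": {"email", "crm", "marketing-shared-drive"},
    "warehouse": {"email", "badge-system"},
}


def desired_access(role: Optional[str]) -> Set[str]:
    """Entitlements an account in `role` should hold. A departed employee
    has no role and therefore no access. An unknown role fails closed
    rather than silently granting or keeping anything."""
    if role is None:
        return set()
    if role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role: {role}")
    return set(ROLE_ENTITLEMENTS[role])


def reconcile(current: Set[str], role: Optional[str]) -> Dict[str, List[str]]:
    """Compute the grants and revocations that move `current` to the desired
    set. Anything the new role does not call for is revoked, which is what
    prevents privilege creep across transfers."""
    desired = desired_access(role)
    return {
        "grant": sorted(desired - current),
        "revoke": sorted(current - desired),
    }


def apply_event(current: Set[str], new_role: Optional[str]) -> Set[str]:
    """Apply the plan and return the resulting entitlement set. In a real IAM
    tool each item in the plan would be a provisioning or deprovisioning
    call to the target application."""
    plan = reconcile(current, new_role)
    return (current - set(plan["revoke"])) | set(plan["grant"])


if __name__ == "__main__":
    # Constructed walkthrough: joiner in HR, transfer to marketing, then leaver.
    access = apply_event(set(), "hr_generalist")
    print("joined HR:", sorted(access))
    print("transfer plan:", reconcile(access, "marketing_associate"))
    access = apply_event(access, "marketing_associate")
    print("now marketing:", sorted(access))
    access = apply_event(access, None)
    print("after leaving:", sorted(access))
```

Because the plan is computed from the role rather than from a list of changes an administrator remembers to make, the same code path serves the new hire, the transfer and the departure, and the revoke side of the plan is what an audit can check when asking whether anyone still holds access from a previous job.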
What’s On Your IAM Checklist?
While the features above are essential, they’re not the only valuable features for an IAM deployment. Essentially, you’ll need to fine-tune your IAM shopping list based on the characteristics of your organization.
You may want to play up convenience features such as automation for large organizations where each employee has little access to sensitive information. You’ll want to add more security features for companies that protect health or banking information. Regardless, the core feature set above is a good place to start and a great list to expand on, depending on your needs.
Nick L. Kael is Chief Technology Officer (CTO) at Ericom Software. He has over 24 years of experience in the technology industry, including 17 in cybersecurity. He holds certifications in CISSP, CEHv7, CCSK, BCCPP & Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5, and VTSP5.