IAM: Knowing your Roles.
“Know your role!” is a famous line from professional wrestler turned actor Dwayne “The Rock” Johnson. How does this apply to information security? Sit back and let me explain how a short quote from a giant man can be tied back to IT security.
What is IAM?
The global IT research and advisory firm Gartner defines Identity and Access Management, or IAM, as the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. Seems simple enough, but to simplify it further, IAM is essentially knowing who your users are and allowing them to access the network resources they need when they need them. Another way to envision an IAM program is as the security discipline that stops the wrong individuals from accessing the wrong resources at the wrong times for the wrong reasons.
Why is IAM an essential part of a good security program?
At its core, IAM exists to ensure that your employees have access to the resources they need, when and how they need those resources, and to nothing beyond that.
For example, perhaps you have a VPN that allows employees to connect to the company network remotely. It may not be necessary for all employees to have access to that VPN. Allowing certain users to access the VPN and denying others (perhaps based on job role) is, essentially, IAM.
IAM is a key piece of a good IT security program. IAM is how employees get a username and password, and with them access to your network. IAM also dictates how and when employees are provided access to resources on your network. Every employee, from the CEO to the system administrators, has an identity assigned by IAM. IAM follows employees from day one on the job to the day they fill up that banker's box. If an employee is terminated but their accounts are not disabled or deleted, that employee can still access your network and, given the motivation, has the ability to cause damage to it.
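As an added example (not code from the original post), here is a small Python model of the two decisions just described: the role-based VPN grant from the paragraph above and the leaver check from this one. The user names, role names, dates, the `VPN_ROLES` policy and the `termination_date` field fed from HR are all constructed assumptions for illustration, not anything taken from the article or from a real directory.

```python
"""Toy identity store: role-based VPN access plus an offboarding
reconciliation that catches enabled accounts belonging to people who
have already left. All data below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class User:
    username: str
    roles: Set[str] = field(default_factory=set)
    enabled: bool = True
    # Hypothetical field: the leaving date recorded by HR, if any.
    termination_date: Optional[date] = None


# Hypothetical policy: only these job roles are entitled to the VPN.
VPN_ROLES = {"engineering", "it-ops", "field-sales"}

# Constructed "current date" used by the stand-alone run below.
TODAY = date(2024, 2, 1)


def may_use_vpn(user: User, today: date) -> bool:
    """Role-based check: the account must be enabled, must not be past
    its HR termination date, and must hold at least one VPN role."""
    if not user.enabled:
        return False
    if user.termination_date is not None and today >= user.termination_date:
        return False
    return bool(user.roles & VPN_ROLES)


def find_orphaned_accounts(users: List[User], today: date) -> List[str]:
    """Leaver check: enabled accounts whose HR record says the person has
    already left. These are exactly the accounts the text warns about."""
    return sorted(
        u.username
        for u in users
        if u.enabled
        and u.termination_date is not None
        and u.termination_date <= today
    )


def offboard(user: User) -> Set[str]:
    """Disable the account and strip all entitlements.
    Returns the roles that were removed, for the audit trail."""
    removed = set(user.roles)
    user.roles.clear()
    user.enabled = False
    return removed


def reconcile(users: List[User], today: date) -> Dict[str, Set[str]]:
    """Offboard every orphaned account; returns username -> removed roles."""
    orphans = set(find_orphaned_accounts(users, today))
    return {u.username: offboard(u) for u in users if u.username in orphans}


def build_sample_users() -> List[User]:
    """Constructed directory snapshot: one entitled user, one without a
    VPN role, one already disabled, and one leaver never cleaned up."""
    return [
        User("alice", {"engineering"}),
        User("bob", {"finance"}),
        User("carol", {"field-sales"}, enabled=False),
        User("dave", {"it-ops"}, termination_date=date(2024, 1, 15)),
    ]


if __name__ == "__main__":
    users = build_sample_users()
    for u in users:
        print(f"{u.username:6} vpn={may_use_vpn(u, TODAY)}")
    print("enabled accounts for terminated staff:",
          find_orphaned_accounts(users, TODAY))
    print("offboarded:", reconcile(users, TODAY))
    print("after cleanup:", find_orphaned_accounts(users, TODAY))
```

Two design points worth noticing: the VPN check refuses access on the termination date even if nobody has yet flipped the `enabled` flag, so the HR record acts as a second line of defence, and `reconcile` runs the leaver check and the cleanup from the same data so that a report and the fix cannot drift apart. In a real program the HR system is the authoritative source and the directory follows it; this toy simply keeps both in one record.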
How do you do IAM?
All organizations, regardless of size, do some form of IAM. Whether there is one employee managing Active Directory or an entire department dedicated to an IAM program, every single organization performs IAM in one form or another. How your organization implements IAM depends on many factors. The size of the organization, the number of identity stores, and the number of employees are just a few of the items that must be considered in the context of IAM.
IAM should be considered a critical part of your IT infrastructure and built on a solid foundation of technology, processes and procedures. Once you have a foundation, such as Active Directory, you can build other services around it, such as Multifactor Authentication (MFA) and Single Sign On (SSO). As such, IAM should be a program and not a service provided by one IT team.
No simple task
IAM is not simple. IAM can be a full-time job for an entire team of IT professionals. Consider implementing your IAM program one piece at a time: put a solid foundation in place first, then make additions such as SSO and MFA. Implement new services as they make sense and where they have the least impact on business processes.
Written by Nathan Rice
Nate has fifteen years of IT experience spanning a variety of domains with a focus on defensive security. Nate currently holds the following certifications: CEH, CompTIA Security+ and CompTIA A+. Prior to TechGuard Security, Nate was a Senior IT Security Engineer at a Fortune 100 organization. As a Security Engineer, Nate focused on new technology integration and implementation. Along with a variety of application administration roles in security operations, his past project work includes the implementation of a DLP program, a Single Sign On program and Multifactor Authentication. At TechGuard Security, Nate conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Nate's focus is on customer service and support, as well as providing customer solutions to complex IT security challenges. When not working or studying, Nate enjoys being outdoors and spending time with his wife and kids.