IAM: identity management in practice
In today’s world, it is impossible to run a company without a central base of identities (e.g. Active Directory (AD)). Large corporations that store the data of thousands of users try to outdo each other in ideas how to properly secure access to their services and data.
Assignment to groups
There is no doubt that a company employee should have access to data that a mere mortal, associate or vendor should go nowhere near. The appropriate assignment of specific individuals to groups (such as: employees, contractors, board members) allows to distinguish who should have access to which resources.
When there is no clear data classification and structured rules for accessing this data, there may easily occur a situation where granting a third party access to a single URL will automatically give them access to highly confidential information.
Each user is not only assigned to a pre-defined group, but also assigned a specific role, e.g. administrator or tester, with the former having wider access. Usually applications or services behave differently depending on the role of the user who uses them.
It is a good practice to closely combine IAM and SSO systems, as it allows an application or system to receive information about the role assigned to a specific user and what data they may access during the sign-on process.
Access to data
Appropriate content management is an important factor when designing systems and applications. It is necessary to remember that content (depending on the assigned role) is made available by the owners of specific systems. The decision which functions offered by the relevant system are made available to individual roles and groups depends on the specific nature of the application. The appropriate management of both identities and applications makes it possible to create a secure infrastructure.
The management of privileges to specific systems is becoming a significant challenge. Appropriate system administrators and owners should have the ability to define appropriate roles or groups connected with a specific application. They have the best knowledge regarding data that is presented to administrators, business owners, marketing department and end users. It goes without saying that different administrators should sign in to the same IAM system with different access levels depending on the application.
User data provisioning
The list of appropriately classified identities is not static. Every company has staff turnover. The fact of an employee leaving or changing their position should be updated accordingly in the systems as well.
It is not necessarily system administrators who should remember to make those changes. It is an automated process that may be achieved by properly integrating IAM with other systems.
At present, the main user authentication method is the method based on static passwords. In order for this method to remain secure, it’s necessary to properly manage such passwords.
Firstly, passwords must be changed on a regular basis. Keeping records about password validity is key to maintaining the security of static passwords. It’s necessary to remember that a new password must be different from the previous one.
In addition, such passwords must also be compiled properly. Unfortunately, the knowledge of password salting, peppering and hashing techniques is not sufficient to achieve an adequate level of static password security. The human factor continues to remain the weakest link.
It’s very often the case that security and personal data protection departments have neither the necessary data nor tools to conduct security level audits. Systems such as SSO, personal data protection systems or IAM allow to keep thorough security and data protection audit records.
Identity management is a key issue, especially for larger enterprises. You cannot manage a company without knowing who has access to information, on what terms and how they may use this information. Identity management provides the ability to control access to offered services, information and data or even specific areas within the building.