Paweł Łąka

Head of Security Solutions

IDM: identity management in practice

In today’s world, it is impossible to run a company without a central base of identities (e.g. Active Directory (AD)). Large corporations that store the data of thousands of users try to outdo each other in ideas on how to properly secure access to their services and data.

The challenge lies both in deciding who should have access to specific data and in implementing that decision. In order to ensure that the aforementioned data is adequately secured, it is necessary to ensure that users sign on properly and that user identities are managed in a proper way.

Identity Management (IDM) or Identity and Access Management (IAM) systems come to our aid, as they make it possible to manage access by assigning users to groups and roles, to specify the extent of access to specific content, to manage privileges and update them, and to verify and manage passwords. Let us take a look at these functions one by one.

Assignment to groups

There is no doubt that a company employee should have access to data that a mere mortal, associate or vendor should go nowhere near. The appropriate assignment of specific individuals to groups (such as employees, contractors, board members) makes it possible to distinguish who should have access to which resources.

When there is no clear data classification and no structured rules for accessing this data, it can easily happen that granting a third party access to a single URL automatically gives them access to highly confidential information.

Roles

Each user is not only assigned to a pre-defined group, but is also assigned a specific role, e.g. administrator or tester, with the former having wider access. Applications and services usually behave differently depending on the role of the user who uses them.

It is good practice to closely combine IDM and SSO systems, as this allows an application or system to receive, during the sign-on process, information about the role assigned to a specific user and what data they may access.

Access to data

Appropriate content management is an important factor when designing systems and applications. It is necessary to remember that content (depending on the assigned role) is made available by the owners of specific systems. The decision as to which functions offered by the relevant system are made available to individual roles and groups depends on the specific nature of the application. The appropriate management of both identities and applications makes it possible to create a secure infrastructure.

Privilege management

The management of privileges to specific systems is becoming a significant challenge. The relevant system administrators and owners should have the ability to define the roles or groups connected with a specific application. They have the best knowledge regarding the data that is presented to administrators, business owners, the marketing department and end users. It goes without saying that different administrators should sign in to the same IDM system with different access levels depending on the application.

User data provisioning

The list of appropriately classified identities is not static. Every company has staff turnover. An employee leaving or changing their position should be reflected in the systems accordingly.

It is not necessarily system administrators who should have to remember to make those changes. This can be an automated process, achieved by properly integrating IDM with other systems.
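The sections on groups, roles, access to data, privilege management and provisioning above describe one workflow: application owners define which roles exist for their application and what each role may do, group membership decides who may hold such a role at all, and joiner/mover/leaver events must update those assignments. The following is an added illustration (not code from the author or from any IDM product) of that workflow in a small in-memory model; the application names, group names, permission strings and user names are constructed, and an audit list records every change so the decisions can be reviewed later.

```python
"""Minimal identity-management model (added illustration, constructed data):
groups, per-application roles and permissions, joiner/mover/leaver
provisioning, and an audit trail of every change."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Application owners define the roles their application knows and what each
# role may do; 'allowed_groups' says which groups may hold any role at all.
APP_POLICIES = {
    "crm": {
        "allowed_groups": {"employees", "contractors"},
        "roles": {
            "reader": {"crm:read"},
            "admin": {"crm:read", "crm:write", "crm:manage"},
        },
    },
    "payroll": {
        "allowed_groups": {"employees"},
        "roles": {
            "clerk": {"payroll:read"},
            "admin": {"payroll:read", "payroll:write"},
        },
    },
}


@dataclass
class Identity:
    user_id: str
    group: str
    active: bool = True
    roles: dict = field(default_factory=dict)  # application -> role name


class IdentityStore:
    def __init__(self):
        self.users = {}
        self.audit = []  # append-only list of change records

    def _log(self, event, **data):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, **data})

    def onboard(self, user_id, group):
        """Joiner: create the identity with its group, no roles yet."""
        self.users[user_id] = Identity(user_id, group)
        self._log("joiner", user=user_id, group=group)

    def assign_role(self, user_id, app, role):
        """Grant a role, but only one the application defines and only if the
        user's group is allowed to hold roles in that application."""
        user = self.users[user_id]
        policy = APP_POLICIES[app]
        if role not in policy["roles"]:
            raise ValueError(f"unknown role {role!r} for {app}")
        if user.group not in policy["allowed_groups"]:
            raise PermissionError(f"group {user.group!r} may not hold roles in {app}")
        user.roles[app] = role
        self._log("role_assigned", user=user_id, app=app, role=role)

    def change_position(self, user_id, new_group):
        """Mover: update the group and drop roles the new group may not hold."""
        user = self.users[user_id]
        old_group, user.group = user.group, new_group
        for app in list(user.roles):
            if new_group not in APP_POLICIES[app]["allowed_groups"]:
                del user.roles[app]
                self._log("role_revoked", user=user_id, app=app, reason="group_change")
        self._log("mover", user=user_id, old=old_group, new=new_group)

    def offboard(self, user_id):
        """Leaver: disable the identity and revoke every role in one step."""
        user = self.users[user_id]
        user.active = False
        revoked = list(user.roles)
        user.roles.clear()
        self._log("leaver", user=user_id, revoked=revoked)

    def permissions(self, user_id, app):
        """What an SSO assertion for this application would carry: the role
        and the permissions it grants. Unknown, disabled or unassigned users
        get nothing."""
        user = self.users.get(user_id)
        if user is None or not user.active or app not in user.roles:
            return None, set()
        role = user.roles[app]
        return role, set(APP_POLICIES[app]["roles"][role])

    def is_allowed(self, user_id, app, permission):
        return permission in self.permissions(user_id, app)[1]


if __name__ == "__main__":
    store = IdentityStore()
    store.onboard("alice", "employees")
    store.assign_role("alice", "payroll", "clerk")
    store.change_position("alice", "contractors")  # payroll role is dropped
    store.offboard("alice")
    for record in store.audit:
        print(record)
```

The two checks in assign_role are deliberately separate: the application owner's policy decides which roles exist, while group membership decides eligibility, which is why a contractor cannot be given a payroll role even by an administrator who holds one.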

Password management

At present, the main user authentication method is one based on static passwords. In order for this method to remain secure, it is necessary to properly manage such passwords.

Firstly, passwords must be changed on a regular basis. Keeping records about password validity is key to maintaining the security of static passwords. It’s necessary to remember that a new password must be different from the previous one.

In addition, such passwords must also be composed properly. Unfortunately, knowledge of password salting, peppering and hashing techniques alone is not sufficient to achieve an adequate level of static password security. The human factor continues to be the weakest link.
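The three requirements stated above (passwords rotate on a schedule, a new password must differ from earlier ones, and stored passwords are salted, peppered and hashed) fit into one small record per user. The code below is an added illustration, not the author's code and not tied to any particular IDM product. It assumes one common construction: the password is first keyed with a server-side pepper using HMAC and then stretched with a per-user random salt using PBKDF2-HMAC-SHA256 from the standard library. The pepper value, the password strings, and the reference time T0 with the at_day helper are all constructed for the demonstration.

```python
"""Static-password lifecycle (added illustration, constructed values):
salted and peppered hashing, a reuse history, and an expiry record."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed pepper. In a real deployment it lives outside the user
# database (KMS, HSM, or at least a separately protected config secret).
PEPPER = b"constructed-pepper-kept-outside-the-user-database"
PBKDF2_ITERATIONS = 600_000   # stretch cost; raise as hardware gets faster
HISTORY_DEPTH = 5             # how many previous passwords may not be reused
MAX_PASSWORD_AGE = timedelta(days=90)

# Constructed reference time so the examples below are deterministic.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at_day(n):
    """Return the constructed reference time plus n days."""
    return T0 + timedelta(days=n)


def _derive(password: str, salt: bytes) -> bytes:
    # Pepper first (HMAC with the server secret), then salt and stretch.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)


def hash_password(password: str) -> dict:
    salt = os.urandom(16)  # fresh random salt per stored password
    return {"salt": salt, "hash": _derive(password, salt)}


def verify_password(password: str, record: dict) -> bool:
    # Constant-time comparison so the check itself leaks no timing signal.
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


class PasswordRecord:
    """Per-user password state: current and previous hashes plus the change date."""

    def __init__(self, initial_password, now=None):
        self.history = []      # most recent entry first
        self.changed_at = None
        self.set_password(initial_password, now)

    def set_password(self, new_password, now=None):
        now = now or datetime.now(timezone.utc)
        # Reject any password that matches one of the last HISTORY_DEPTH entries.
        for old in self.history[:HISTORY_DEPTH]:
            if verify_password(new_password, old):
                raise ValueError("new password must differ from recent passwords")
        self.history.insert(0, hash_password(new_password))
        del self.history[HISTORY_DEPTH:]
        self.changed_at = now

    def is_expired(self, now=None):
        """Password validity record: has the maximum age been exceeded?"""
        now = now or datetime.now(timezone.utc)
        return now - self.changed_at > MAX_PASSWORD_AGE

    def authenticate(self, password, now=None):
        """'ok', 'expired' (correct but must be changed now) or 'denied'."""
        if not verify_password(password, self.history[0]):
            return "denied"
        return "expired" if self.is_expired(now) else "ok"


if __name__ == "__main__":
    rec = PasswordRecord("Correct-Horse-Battery-2024", now=at_day(0))
    print(rec.authenticate("Correct-Horse-Battery-2024", now=at_day(10)))   # ok
    print(rec.authenticate("Correct-Horse-Battery-2024", now=at_day(121)))  # expired
```

Note that the expiry check runs only after the password has verified, so an attacker probing for account names learns nothing from the 'expired' branch, and the history comparison reuses verify_password rather than comparing raw hashes, because every stored entry carries its own salt.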

Verification

It is very often the case that security and personal data protection departments have neither the necessary data nor the tools to conduct security level audits. Systems such as SSO, personal data protection systems or IDM make it possible to keep thorough security and data protection audit records.

Summary

Identity management is a key issue, especially for larger enterprises. You cannot manage a company without knowing who has access to information, on what terms and how they may use this information. Identity management provides the ability to control access to offered services, information and data or even specific areas within the building.