DeMISTIfying Infosec: Identity & Access Management | SC Media

DeMISTIfying Infosec: Identity & Access Management

January 19, 2016
By Katherine Teitler

Identity & Access Management

Identity and access management is both a process and a set of technologies that allow IT departments to manage user data and privileges on IT systems, applications, and across device types. In any business—large or small—employees, partners, providers, and customers need access to systems and data to perform their job responsibilities. With access to data, especially proprietary or sensitive data, comes risk. Identity and access management, sometimes referred to as “IAM” or IDAM,” is the way for systems administrators to ensure that users have appropriate access: those who need access to specific data and information get it quickly, and those who do not are not permitted access.

To manage identity and access, each company should have a set of security policies that define which devices and users are allowed on the network and how they can interact with the data once there. For instance, an HR employee may require access to payroll data but the PR team should not have access.

Identity and access management is not strictly a security issue but becomes one when a user gains access to any system or data to which they are unauthorized. Unfortunately, managing identities and access is a challenge for many organizations. Privileges are set when an employee is hired or a partnership of any sort is formed. Often, though, roles and responsibilities change; individuals are hired or fired; special projects require temporary data access; etc. Provisioning and deprovisioning accounts may be a lesser priority for the IT team when a threat isn’t imminent. To further complicate matters, each system or application is likely to have separate identity stores and/or authorization schemes, data across systems is not likely stored in a standardized format, and access to more sensitive data needs to be handled in a different manner than less sensitive data (e.g., an employee’s office phone number vs. her Social Security Number).

Learn about Identity & Acces Management at InfoSec World 2016

Effectively run identity and access management programs:

  • Support different systems and applications;
  • Include security controls;
  • Provide a consistent user experience;
  • Create greater efficiency and usability for anyone who needs access;
  • Be reliable;
  • Scale as the organization changes and grows; and
  • Be (at least partially) automated.

Common methods to manage access and identity include:

  • Directories/repositories
  • Security policy enforcement
  • Password management
  • Single sign-on/Federation
  • User provisioning
  • Role-based access controls
 

 

prestitial ad