Content

DeMISTIfying Infosec: Identity & Access Management

By Katherine Teitler

Identity & Access Management

Identity and access management is both a process and a set of technologies that allow IT departments to manage user data and privileges on IT systems, applications, and across device types. In any business—large or small—employees, partners, providers, and customers need access to systems and data to perform their job responsibilities. With access to data, especially proprietary or sensitive data, comes risk. Identity and access management, sometimes referred to as “IAM” or IDAM,” is the way for systems administrators to ensure that users have appropriate access: those who need access to specific data and information get it quickly, and those who do not are not permitted access.

To manage identity and access, each company should have a set of security policies that define which devices and users are allowed on the network and how they can interact with the data once there. For instance, an HR employee may require access to payroll data but the PR team should not have access.

Identity and access management is not strictly a security issue but becomes one when a user gains access to any system or data to which they are unauthorized. Unfortunately, managing identities and access is a challenge for many organizations. Privileges are set when an employee is hired or a partnership of any sort is formed. Often, though, roles and responsibilities change; individuals are hired or fired; special projects require temporary data access; etc. Provisioning and deprovisioning accounts may be a lesser priority for the IT team when a threat isn’t imminent. To further complicate matters, each system or application is likely to have separate identity stores and/or authorization schemes, data across systems is not likely stored in a standardized format, and access to more sensitive data needs to be handled in a different manner than less sensitive data (e.g., an employee’s office phone number vs. her Social Security Number).

Learn about Identity & Acces Management at InfoSec World 2016

Effectively run identity and access management programs:

  • Support different systems and applications;
  • Include security controls;
  • Provide a consistent user experience;
  • Create greater efficiency and usability for anyone who needs access;
  • Be reliable;
  • Scale as the organization changes and grows; and
  • Be (at least partially) automated.

Common methods to manage access and identity include:

  • Directories/repositories
  • Security policy enforcement
  • Password management
  • Single sign-on/Federation
  • User provisioning
  • Role-based access controls
 

 

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.