As organizations increasingly rely on digital assets and the data they process, they want to ensure that only authorized users can reach those assets. This is no small task. “Just look at the avalanche of news in recent years revealing security breaches at large private companies and public organizations: a compromised user ID is the most common cause of these breaches,” notes Maher Chaar, associate partner, identity and access management, at IBM Canada.
As breaches multiply, identity and access management (IAM) is emerging as a core component of enterprise cybersecurity strategy. Many security measures have of course been in place for a long time, but the steady accumulation of computer systems and production equipment has eroded their effectiveness.
Because each system has its own access control, employees must create and remember a multitude of passwords, and each system imposes its own rules: a minimum length, characters other than letters, periodic changes.
For users, these constraints are a source of frustration, and they push users to cut corners with insecure practices: the same or similar passwords reused across systems, sometimes shared among several users; access codes written on a piece of paper and left next to the equipment; and so on. Current guidance reflects this: NIST SP 800-63B recommends against forcing periodic password changes precisely because of the workarounds they provoke.
The arrival of cloud computing and the widespread use of mobile devices have added a further layer of complexity to access management. Users reach systems from outside the company’s offices, from a variety of devices, and interact both with systems installed on the company’s premises and with systems hosted in the cloud, while the company has no full control over how its cloud providers secure the computing resources they rent out.
In this context, it is imperative to establish an IAM program. “The principle of IAM is simple,” summarizes Roger Ouellet, senior solutions designer in charge of NOVIPRO’s security practice. “It consists of ensuring that the people who access the systems are who they say they are, then giving them access to the resources they need for their work, and only those.”
Conceptually, two steps are required to establish an IAM program:
1. define the organizational rules that govern how digital identities are managed;
2. configure the technologies that apply and enforce those rules.
Starting from “zero trust” to establish access rules
The security needs analysis first aims to define the roles a user plays in the organization, seen from the point of view of the digital resources they need for their work. “These functions do not necessarily correspond to the definition of the position held by the employee,” observes Roger Ouellet. “Companies are accustomed to segmenting positions based on hierarchical relationships and deliverables, rather than on the need to access a particular system to handle a particular category of data.”
Each role has specific access rules. Previously, these were conceived as restrictions carved out of full access. “By default, an employee had access to everything, and unnecessary access rights were removed afterwards,” explains Roger Ouellet. This paradigm is today being replaced by an approach that starts from the opposite principle, documented by the research firm Forrester: zero trust. “Following this principle, a user only gains access to a system if their function justifies it,” continues Roger Ouellet. “This method avoids blind spots: access granted without justification that is later forgotten and left unmonitored because it does not correspond to the expected work processes.”
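To make the difference between the two models concrete, here is an added example (not code from IBM, NOVIPRO or Forrester) of a deny-by-default, role-based access check beside the legacy allow-then-revoke model, plus the access review that surfaces the blind spots Roger Ouellet describes. The roles, users and systems are constructed for illustration.

```python
"""Deny-by-default access decisions for role-based access rules.

Added example for this article: roles, users and systems below are constructed,
not taken from the organizations quoted. `is_allowed` implements the zero-trust
reading of the rules (no access unless a role justifies it); `legacy_allowed`
models the older allow-everything-then-revoke approach; `find_unjustified_access`
is the review that lists grants no role explains.
"""
from dataclasses import dataclass

# Constructed role definitions: the (system, action) pairs each role justifies.
# Roles follow the function performed, not the job title on the org chart.
ROLE_PERMISSIONS = {
    "payroll_clerk": {("hr_system", "read"), ("payroll", "read"), ("payroll", "write")},
    "it_support": {("directory", "read"), ("directory", "create_user")},
    "auditor": {("hr_system", "read"), ("payroll", "read")},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def is_allowed(user: User, system: str, action: str) -> bool:
    """Zero trust: grant only if at least one of the user's roles justifies the
    request. Unknown roles and unknown systems fall through to deny."""
    return any(
        (system, action) in ROLE_PERMISSIONS.get(role, frozenset())
        for role in user.roles
    )


def legacy_allowed(revoked: set, user: User, system: str, action: str) -> bool:
    """Allow-by-default model, shown only for contrast: anything not explicitly
    revoked is permitted, so a forgotten revocation becomes a standing grant."""
    return (user.name, system, action) not in revoked


def find_unjustified_access(granted: set, user: User) -> set:
    """Access review: compare the grants a system actually holds for a user
    (for example an exported ACL) against what the user's roles justify, and
    return every grant that no role explains."""
    return {
        (system, action)
        for system, action in granted
        if not is_allowed(user, system, action)
    }


if __name__ == "__main__":
    alice = User("alice", frozenset({"payroll_clerk"}))
    print(is_allowed(alice, "payroll", "write"))          # justified by her role
    print(is_allowed(alice, "directory", "create_user"))  # denied: no role covers it
    # The legacy model permits the same request simply because nobody revoked it.
    print(legacy_allowed(set(), alice, "directory", "create_user"))
    # Constructed ACL export containing one grant that no role justifies.
    print(find_unjustified_access({("payroll", "read"), ("directory", "create_user")}, alice))
```

Running the review function periodically against each system’s real grants is what turns the zero-trust rule from a policy statement into something that can be verified.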
A range of coordinated and integrated technologies
A set of technologies makes it possible to put the established access rules into practice. For a complete IAM capability, desirable features include:
• Centralized directory — Lists every user, internal or external, who may be granted access to any company system. Keeping this directory current makes onboarding new employees and consultants, and offboarding departing ones, both safer and simpler.
• Single sign-on (SSO) — Lets a user authenticate once, at the start of a work session, and immediately reach every system their role authorizes, without re-entering credentials each time they move from one system to another. Because a single session now unlocks everything, SSO should be paired with multi-factor authentication.
• Multi-factor authentication (MFA) — Requires the user to prove their identity by at least two independent factors of different kinds, for example a password (something they know) combined with a fingerprint (something they are) or a code from a device they hold. MFA greatly reduces the risk of an unauthorized user getting in with a stolen password alone.
• Privileged access management (PAM) — Some users hold privileges beyond merely consulting or using a system: they can, for example, read confidential data, modify configurations, create or delete user accounts, or install or remove applications. Granting and revoking these privileges requires careful management, and each use of them can be automatically monitored and recorded.
• A password vault — Stores user and service passwords in encrypted form on a secured server. Combined with single sign-on, it lets a user who has authenticated once use, without ever seeing or handling them, the passwords for the systems they need during the session.
All technologies related to identity and access management must be orchestrated within a program that guarantees the IAM rules are actually enforced. “An effective IAM program makes it possible to reliably authenticate users’ identities and to apply security governance to them in an integrated and coherent manner across the enterprise,” concludes Maher Chaar of IBM Canada. “This allows the company to exercise an appropriate level of access control and security without affecting user productivity or forcing them through painful experiences when connecting to the network.”