In every organisation, users need access to resources and systems to do their jobs effectively. However, IT departments must ensure that each user’s access is appropriate and secure, which is where identity access management (IAM) and privileged access management (PAM) come into play. These systems help manage who has access to what, ensuring that users can do their work while keeping sensitive information secure.
But managing access isn’t so simple, especially when employees leave or change roles. Companies often struggle with maintaining permissions and ensuring that only authorised individuals can access critical resources. “It’s not an automated process, so when a person leaves or a machine is decommissioned, relying on manual processes to remove access takes too long and leaves the door open for excessive or stale access to persist,” says Nomalizo Hlazo, Investec’s head of security and governance.
Traditional, manually intensive IAM systems are also often siloed by platform, making it difficult to ensure consistent access rules across platforms and applications. In the financial services industry, the need to get access management right is a big part of maintaining trust and credibility. Financial institutions handle vast amounts of sensitive data and are subject to regulations like the Protection of Personal Information Act and Financial Intelligence Centre Act. Non-compliance can result in financial penalties of up to R10 million, as well as criminal charges.
This is why IAM forms the backbone of a secure IT environment; it ensures that users have access to the resources they need while keeping sensitive data protected. “And to get IAM right, you have to have a framework,” says Hlazo. “You need to understand what the objectives are for your access management strategy and then implement against those objectives. What you can’t do is start from nowhere, decide to implement IAM and go for it.”
Hlazo adds that an effective IAM framework should include formalised policies, controls and processes around authentication, user lifecycle management, role-based access and automation. Automation, in particular, has a big part to play as many organisations still use manual systems. Moving to an automated system such as OneLogin or Microsoft’s Azure Active Directory (AD) for user provisioning and deprovisioning can boost security by ensuring timely access removal or adjustments.
Many companies rely on AD for IAM because it simplifies user management and authentication processes, seamlessly integrating with Windows servers and workstations. This integration allows IT departments to centrally manage user accounts, groups and policies, making it easier to control access across the entire network. Using AD does have drawbacks, the most obvious being managing non-Windows environments and integrating into cloud services. This is one of the reasons enterprises are starting to shift towards cloud-based identity solutions like Azure AD, IBM Security Verify and Centrify.
The evolution of identity
Identities are not only becoming more distributed and decentralised; they are now expanding beyond the user to include non-human entities. “A big part of access management happens at the user level – how you get your users into the system. And it’s not just users,” says Hlazo. “At some point, we’re going to have AI with identities and it’s just going to keep going.”
Modern IAM frameworks need to account for non-human identities like machines, applications, bots and APIs that may need authentication and access to systems. These identities will become increasingly common as technologies evolve.
Another important part of IAM is continuous monitoring. For Hlazo, this means making sure that enough tools are collecting enough data to pick up suspicious activity. “We leverage our analytical tools and get insights into user behaviour. That is how we identify patterns or any issues and then we can deal with them as they come along,” she says. “Continuous monitoring builds in that muscle of always looking at what you’ve done. Is everything operating the way it’s supposed to? It allows you to change and improve as necessary.”
Hlazo says that with PAM, the fundamentals should apply across the board because much of the time, organisations put roles in place but don’t review access rights. “If you’re not reviewing these periodically, with privileged access even more frequently than regular access, you will miss areas where you have not applied the correct changes. This creates risk and it can also lead to policy violations depending on what has been agreed on within the organisation.”
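The two review problems raised above, stale access after a leaver or decommissioned machine and privileged rights reviewed more often than regular ones, as an added example that is not from the article or from Investec: the entitlement list, directory and review windows (30 days privileged, 90 days standard) are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample entitlements: who holds what, whether the right is
# privileged, and when it was last reviewed. Not real data.
ENTITLEMENTS = [
    {"user": "asmith", "resource": "core-banking-db", "privileged": True, "last_reviewed": date(2024, 1, 5)},
    {"user": "asmith", "resource": "intranet", "privileged": False, "last_reviewed": date(2024, 1, 5)},
    {"user": "bjones", "resource": "payments-api", "privileged": True, "last_reviewed": date(2024, 2, 20)},
    {"user": "cdlamini", "resource": "hr-portal", "privileged": False, "last_reviewed": date(2023, 11, 1)},
    {"user": "svc-batch01", "resource": "core-banking-db", "privileged": True, "last_reviewed": date(2023, 12, 1)},
]

# Constructed HR / asset view of which identities are still active.
# "svc-batch01" is deliberately absent: the machine was decommissioned and
# its record deleted, but its entitlement was never removed.
DIRECTORY = {
    "asmith": {"active": True},
    "bjones": {"active": True},
    "cdlamini": {"active": False},  # left the organisation
}

REVIEW_DATE = date(2024, 3, 1)  # constructed "as of" date for the review


def stale_access(entitlements, directory):
    """Entitlements whose owner is inactive or unknown to the directory.

    An identity missing from the directory is treated as stale, not ignored,
    so decommissioned machines and deleted accounts are caught too.
    """
    return [e for e in entitlements
            if not directory.get(e["user"], {}).get("active", False)]


def overdue_reviews(entitlements, as_of, privileged_days=30, standard_days=90):
    """Entitlements past their review deadline.

    Privileged rights get the shorter cycle, per the point made above that
    privileged access should be reviewed more frequently than regular access.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    overdue = []
    for e in entitlements:
        window = privileged_days if e["privileged"] else standard_days
        if as_of - e["last_reviewed"] > timedelta(days=window):
            overdue.append(e)
    return overdue


if __name__ == "__main__":
    for e in stale_access(ENTITLEMENTS, DIRECTORY):
        print("STALE  ", e["user"], "->", e["resource"])
    for e in overdue_reviews(ENTITLEMENTS, REVIEW_DATE):
        print("OVERDUE", e["user"], "->", e["resource"])
```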
Complexities
A big part of PAM is that it must be auditable; who has access to what, and in what context. “We use a lot of analytics to track what’s happening, to look for suspicious activity. We have alerting built in,” she says. Reviewing access rights involves auditors, whether external, internal or both. “Part of an auditor’s role is to support these kinds of controls by actually checking them.”
Identifying these access gaps and closing them leads to a more mature security posture. “We sometimes find that people resist auditors, but we embrace the fact that they come in as they are helping us to get better, they’re helping us mature by finding blind spots that we may have and don’t see,” she adds. “Auditing is a big part of making sure that access management works in our organisation.”
One of the main PAM strategies companies should consider is zero trust. Here, the goal is to constrain privileged access so that people and accounts have access only at the right time and only to the resources they need, with verification that does not stop at the network perimeter. “If they’re compromised, they can do a whole lot more damage,” she says. Even though zero trust is often the end goal, as it can provide a good framework for guiding more dynamic PAM, it can be difficult to implement as there are a lot of complexities to consider. This is why Hlazo believes that a good framework should be built out of your strategy. What do you want to achieve from access management? “There are tools that allow you to manage privileged access that aren’t reliant on human intervention,” she says. “That way, you know that your privileged access passwords are continuously being renewed as necessary and that the access that is there is actually required.”
Gary Allemann, Master Data Management’s managing director, believes organisations should be moving from zero trust to a zero risk strategy. While zero trust focuses on access verification, zero risk offers a broader, more proactive security strategy for a more robust and scalable security posture.
ATTRIBUTE-BASED ACCESS CONTROL
Although the terms Privileged Access Management and Identity Access Management are often used interchangeably, there are differences. IAM is used to identify and authorise users across the entire organisation, while PAM is a subset of IAM, focusing on those who need permission to access more sensitive data. Gary Allemann, Master Data Management’s MD, says for true data security, businesses need to move beyond IAM and implement Attribute-Based Access Control (ABAC). “ABAC goes beyond user identity, considering factors like device, location and data sensitivity when granting access,” he says. “This creates a more granular and data-centric security approach.”
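The attribute checks Allemann describes (device, location and data sensitivity alongside identity), as an added example that is not from the article or from any vendor's product: a small deny-by-default policy evaluator whose attribute values, clearance and sensitivity levels, country code and role names are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request with subject, environment and resource attributes (constructed)."""
    user: str
    role: str
    clearance: int        # subject attribute: 0 = public ... 3 = restricted
    device_managed: bool  # environment attribute: corporate-managed device?
    country: str          # environment attribute: ISO country of the session
    action: str           # "read" or "write"
    resource: str
    sensitivity: int      # resource attribute: 0 = public ... 3 = restricted


# Each rule returns "permit", "deny" or None (not applicable). Deny rules are
# listed first, so an explicit deny always overrides a later permit.
def deny_unmanaged_device_for_sensitive(r):
    if r.sensitivity >= 2 and not r.device_managed:
        return "deny"


def deny_out_of_country_for_restricted(r):
    if r.sensitivity == 3 and r.country != "ZA":
        return "deny"


def permit_if_cleared(r):
    # Reads need clearance >= sensitivity; writes additionally need a steward role.
    if r.clearance >= r.sensitivity:
        if r.action == "read" or r.role in ("data-steward", "dba"):
            return "permit"


POLICY = [deny_unmanaged_device_for_sensitive,
          deny_out_of_country_for_restricted,
          permit_if_cleared]


def evaluate(request, policy=POLICY):
    """First explicit decision wins; a request matching no rule is denied."""
    for rule in policy:
        decision = rule(request)
        if decision is not None:
            return decision
    return "deny"


if __name__ == "__main__":
    req = Request("asmith", "analyst", 2, True, "ZA", "read", "customer-ledger", 2)
    print(evaluate(req))  # same identity, different device or location changes the answer
```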
* Article first published on brainstorm.itweb.co.za