
What Is an IdM and how to discover if you need one

June 14, 2018 by David Balaban

IdM is an abbreviation for "Identity Management," i.e., management of user accounts. Let's turn to Wikipedia:

"IdM is the security discipline that enables the right individuals to access the right resources at the right times and for the right reasons."

Interestingly, Wikipedia takes this definition from the Gartner IT Glossary.

I would like to expand this definition: IdM is a set of approaches, practices, technologies, and software that deal with managing user credentials and access control systems aimed at improving the security and performance of information systems while reducing costs, optimizing downtime, and reducing the number of repetitive tasks.

So, we see that the essence of identity and access management is not a single system where one can hit a button called "Let's make it." IdM is a whole complex of activities and systems that include:

  • Defining the objectives of the above activities.
  • Specifying the approach that will achieve the chosen goals.
  • Building processes and procedures.
  • Distribution of roles in the business structure.
  • Choosing a solution that will manage user rights and identities.
  • The actual implementation of the IdM solution.

Well, we sorted it out. However, still:

  • What exactly does IdM involve?
  • What procedures and processes are relevant to this activity?

Now we come to the most interesting part. It is interesting because it is difficult to find an exact indication of what relates to identity and access management and what does not. Identity Management is a very broad term that includes many concepts. In practice, we systematically encounter the fact that each organization has its own view of identity and access management.

Do you remember the parable about three blind men trying to describe an elephant? One of them approached the elephant from behind, felt the tail and said that the elephant is like a rope; the second touched the trunk and said that the elephant is like a snake; the third touched the elephant's foot and said that the elephant resembles a pillar or a column. The bottom line is that each of them individually had incomplete information and therefore could not recognize the elephant as a whole.

We have a similar story with IdM: it covers so many different functions and possibilities that it is difficult to grasp it in full. Sometimes there are unexpected areas that no one had thought about before. It is important for IT professionals to understand not only the technical component of identity and access management but also the requirements for IdM processes in each company. It should be borne in mind that every year the infrastructure landscape becomes more complicated, and the methods of identity and access management that used to be effective (manual management of access groups, directory services, attempts to maintain role models on paper, user profiles, etc.) become outdated and are no longer able to meet business needs. Therefore, over time, they will be replaced by modern means of identity management, authentication, and audit systems.

To avoid confusion, it should be indicated that the term "IdM" refers to the whole complex of identity and access management, and the "IdM solution" refers to a class of systems and technical means.

When people start talking about the implementation of specific IdM solutions, business leaders often discover with surprise that before launching the actual implementation process it is necessary to understand in full:

  • What personnel processes are there in the company?
  • Who decides on each user's access rights, and how?
  • What are the roles?
  • Which services should be available to each user?
  • How to synchronize data updates in various business systems?
  • What procedures should be applied?
  • What kind of audit is needed?

It is worth remembering that there are several IdM levels:

  • Administrative (policies and procedures, supervision, and training of personnel).
  • Physical (perimeter security, work zone separation, data backups).
  • Technical (differentiation of logical and physical access rights, revision of the network architecture, data security, audit).

All the above affect the process of building successful identity and access management systems.

People who have already experienced the implementation of the IdM solution said that they had to completely reconsider access control approaches, make changes to existing business processes, and rebuild a number of information systems.

I do not want to discourage anyone from wanting to implement IdM solutions, but everyone should understand the amount of work needed and leave behind false expectations like: "We thought that with the introduction of IdM we could immediately relax..."

The introduction of IdM is not a story of how engineers deploy the solution and everything immediately becomes great. It is a story of how, as the IT and InfoSec services transform and grow, an entirely new system is created: one with goals and tasks, account records and user rights that are understandable to all participants, and which includes a list of processes and procedures, physical, technical, and administrative measures, as well as the IdM solution itself or the IGA platform.

How to decide if your company needs an IdM solution?

In some form, you already have a set of identity and access management processes. Moreover, often it requires a lot of manual work:

  • Processing access rights requests.
  • Blocking access rights of employees in connection with their dismissal or change of official duties.
  • Responding to various incidents related to insufficient or excessive access rights of employees.
  • Audit of employee access rights in each of the information systems.

All this, as a rule, is accompanied by the need not just to work with different consoles, but also to contact the administrators of each system and ask them to provide the necessary information. Sometimes there are complications in the form of uneasy relations between units and claims like: "Every manager wants to set tasks for my employee!" and: "We do not have time to do your work for you."

It's not always so bad, but if you come across at least one of these situations, you need IdM. To be more precise, you need to take care of establishing order in the management of identities and user rights.

For people who are still deciding on whether they need IdM, let me provide a checklist of situations and markers that indicate the need to think about changing the situation.

1. From the point of view of users and business:

  • It's unclear how to request access rights.
  • A complex and incomprehensible (for the non-advanced user) process of applying for access rights.
  • The handling of access rights requests is not transparent. The person who fulfills the request does not understand who decides, and how, that the requested access rights should be provided.
  • The time to process a request cannot be predicted (it can be 5 minutes or it can be five days).
  • The business owner is excluded from the decision-making process (granting access rights) and so cannot be fully responsible for the possible consequences for the business.
  • To get any additional access rights, you can just call admin Bob and ask him.
  • Employees may be temporarily included in projects with different responsibilities; they are periodically obliged to perform tasks for absent colleagues, they are granted access to the system X. ... At the end of the project, access rights remain.

2. From an IT perspective:

  • Requests are made in free form and through several channels (email, ServiceDesk, phone, etc.).
  • It is difficult to understand exactly what access rights the user is asking for. Sometimes they say: "I need to be able to do everything."
  • Creating accounts, granting, changing, and revoking access rights takes a significant amount of time.
  • You must periodically process massive amounts of requests from users (audit, new functions in the system, etc.)
  • In some cases, it is difficult for the administrator to understand who has granted access to the user and on what basis.
  • The administrator does not always understand on what basis the request was approved.

3. From the point of view of information security:

  • Access to some systems is limited (literally: there is no access even for reading, and it is impossible to obtain reliable and complete information quickly).
  • Audit of access rights is not carried out because the process is laborious and long, or it takes an immensely long time (the information collected at the beginning of the audit becomes obsolete by the time it ends).
  • There are no clear procedures and rules for processing access requests (requests come in, but there is no understanding of whether to grant access or not).
  • There is no access matrix or role model. Role-based access granting procedures are easy to run because it is clear what minimum rights an employee needs to perform their duties. However, this does not rule out broader rights being granted in systems in parallel with the roles. Again, this is a story about putting things in order.
  • There are identity and access management procedures, they are thoroughly described in documents, but they are not followed by employees.

4. Incidents:

  • In incidents involving user rights, there is no complete picture of what is happening, and there is no information about the status of user rights at the time of the incident (or, in general, at any time in the past).
  • There is no way to detect an unauthorized change in employee access rights.

5. Audit and compliance:

  • Regulatory requirements and standards require strict identity and access management.
  • Auditors issue an order or advice to eliminate inconsistencies (for example, there are numerous user accounts of long-departed employees), but there is no tool to fulfill this task.
  • Internal audit is conducted, but discrepancies happen again and again because there are no effective management processes.
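The checks that sections 3, 4, and 5 of this checklist describe as missing can be illustrated in a few dozen lines. The following Python entitlement ledger is an added example, not code from the article or from any IdM product: it compares the rights users actually hold against a role model (section 3), reconstructs who had what at any past date and flags changes with no approved request behind them (section 4), and lists accounts of departed employees that still hold rights (section 5). All users, roles, entitlements, request ids and dates are constructed for illustration.

```python
from dataclasses import dataclass

# Role model (access matrix): role -> minimum entitlements the job requires.
# Anything a user holds beyond this is the "broader rights in parallel with
# the roles" that the checklist warns about. Constructed sample data.
ROLE_MODEL = {
    "accountant": {"erp:ledger-read", "erp:invoice-post"},
    "intern": {"erp:ledger-read"},
}

# Role assigned to each user (constructed).
USER_ROLE = {"alice": "accountant", "bob": "intern"}


@dataclass(frozen=True)
class Event:
    """One entry in the entitlement ledger. `ts` is an ISO date (YYYY-MM-DD),
    which sorts correctly as a plain string."""
    ts: str
    user: str
    action: str            # "hire" | "leave" | "grant" | "revoke"
    entitlement: str = ""  # only for grant/revoke
    request_id: str = ""   # approved access request that justifies the change


# Constructed event log. Note that "leave" revokes nothing by itself: without
# a process, a dismissal leaves the rights in place.
EVENTS = [
    Event("2018-01-08", "alice", "hire"),
    Event("2018-01-08", "alice", "grant", "erp:ledger-read", "REQ-1"),
    Event("2018-01-08", "alice", "grant", "erp:invoice-post", "REQ-1"),
    Event("2018-02-01", "bob", "hire"),
    Event("2018-02-01", "bob", "grant", "erp:ledger-read", "REQ-2"),
    # Temporary project work: approved, but never revoked when the project ended.
    Event("2018-03-05", "bob", "grant", "erp:invoice-post", "REQ-3"),
    # "Just call admin Bob and ask": a grant with no approved request behind it.
    Event("2018-04-02", "alice", "grant", "erp:admin"),
    Event("2018-05-15", "alice", "leave"),
]


def entitlements_at(events, when):
    """Replay the ledger up to and including date `when` and return
    {user: set of entitlements}: the state of user rights at a past moment."""
    state = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.ts > when:
            break
        if e.action == "grant":
            state.setdefault(e.user, set()).add(e.entitlement)
        elif e.action == "revoke":
            state.get(e.user, set()).discard(e.entitlement)
    return state


def excess_over_role(events, when, user_role=USER_ROLE, role_model=ROLE_MODEL):
    """Entitlements each user holds beyond what the role model says the job needs."""
    excess = {}
    for user, held in entitlements_at(events, when).items():
        allowed = role_model.get(user_role.get(user, ""), set())
        extra = held - allowed
        if extra:
            excess[user] = extra
    return excess


def unapproved_changes(events):
    """Grants and revokes with no approved request id: nobody can later say
    who authorised them or on what basis."""
    return [e for e in events
            if e.action in ("grant", "revoke") and not e.request_id]


def orphaned_accounts(events, when):
    """Users who have left by `when` but still hold entitlements."""
    left = {e.user for e in events if e.action == "leave" and e.ts <= when}
    state = entitlements_at(events, when)
    return {u for u in left if state.get(u)}


if __name__ == "__main__":
    today = "2018-06-01"
    print("rights on 2018-03-01:", entitlements_at(EVENTS, "2018-03-01"))
    print("excess over role model:", excess_over_role(EVENTS, today))
    print("changes without an approved request:", unapproved_changes(EVENTS))
    print("departed users still holding rights:", orphaned_accounts(EVENTS, today))
```

Two design points carry over to a real deployment. First, every grant and revoke is recorded with the request that justified it, so "who granted this and on what basis" is answered by the ledger rather than by asking each system's administrator. Second, the current state is never stored on its own; it is always derived by replaying the log up to a date, which is what makes the incident-time view in section 4 possible. On the constructed data, the report shows bob still holding the project-era posting right, alice holding an admin right nobody approved, and alice's account still active after her departure.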

The process of building something new, including identity and access management systems, is clearly associated with the implementation of new standards, best practices, and risk assessment. In a number of cases, companies take a standard and try to do methodically and consistently everything written in it. At the same time, they do not realize that each requirement of the standard needs to be analyzed and assessed for whether it fits the context of your company's business.

The burden of deciding whether to implement a set of new processes lies with business leaders. In the process of preparing such a decision, the team (yes, you cannot do it without a team) needs to develop a plan for the transition to a new management model, considering all relevant processes, the roles of employees, and technical means.

Technical means (IdM solutions, alone or in combination with other classes of systems) can make the life of IT and InfoSec services easier by automating many operations. They provide control over what is happening and the ability to react to events in the shortest time. They allow you to quickly get information on user accounts and access rights in a single console, help audit and get the automatically generated reports.

The IdM solution is primarily a tool for IT and IS, but all employees of the company can use it; in this case, it becomes a service provided by the IT and IS teams. It allows users to request access rights, update their profile information, and use self-service tools. Various reports on access volumes and the use of systems by the company's employees can be generated. Therefore, the implementation of IdM solutions is strongly advised from the point of view of convenience and benefits for all employees and business units, IT and IS included.
