If one of the goals of a company is, as it should be, to grow and evolve, this means having more employees and, since we live in the era of technology, more devices. Moreover, if we still have to live with the Coronavirus lurking among us, some of these new employees will have to use their devices not only at work but remotely too, in order to complete their tasks. All these factors necessary for growth can also represent dangers when it comes to cybersecurity – to the identity and access management part, to be precise.
A good identity and access management (a subdivision of IT security that includes frameworks of solutions for the management of digital identities) requires a good access governance strategy.
What is access governance?
Identity and access governance (I.A.G.) is a management solution that links people, applications, data and devices in order to determine who has access to what, if that represents a risk and what kind of risk, and take actions if policy violations are discovered.
Instead of going from person to person to elevate privileges whenever other employees need it, a good access governance strategy allows system administrators to handle such requests and keep track of what is done in a much easier manner.
What do companies risk if they do not have an access governance strategy?
Users with privileged accounts (e.g. local administrative accounts, domain administrative accounts, emergency accounts, service accounts etc.) can access an organization’s highly classified IT assets and the sensitive information stored within them. If a cyberattacker obtains a privileged account’s credentials, they might use them to steal data, hold data to ransom, lock out accounts, or shut the entire network down.
Decentralised privileged access management
Privileged access management that is decentralised, whether because of poor software or because it is handled manually, can cause more harm than good, since it leads to inconsistent policy enforcement. Managing all of the accounts, permissions, credentials and assets inappropriately will surely leave security gaps that cyberattackers might exploit.
Removal of access
If managing all the employees’ accounts manually is hard, not forgetting to disable user accounts when people leave the company might be even harder. In many companies, new employees swiftly get access to whatever projects they need to work on, but there is no urgency to remove it when they leave, which poses major security risks.
Insecure password management
Default credentials or overly simplistic passwords used for multiple accounts might be easy to remember, but are also easy to crack, so they are always a top priority for hackers.
Audits and compliance issues are other risks that companies face when they do not have a good access governance strategy. Allowing all employees access to all of the company’s systems, applications and data would be a huge violation of security protocols and might attract legal actions.
Why is it important to have a good access governance strategy?
As you can imagine, a good access governance strategy can help minimize or rule out all these risks. Besides:
It improves user experience and enables digital transformation, since automated solutions for identity and access governance enable quick access to resources and applications.
It increases productivity and reduces IT costs. Access governance tools eliminate the cost of internal help desks and reduce their workload, allowing them to focus on more important tasks. Such tools allow users to authenticate or have their rights elevated from anywhere and at any time, on any device and with only a few clicks, providing extensive access rules, policies and audit trails.
It secures your business
I.A.G. helps you ensure that the right people have the right access, verify users’ identities at login and throughout the session and, depending on the solution you opt for, de-escalate rights/privileges if threats are detected.
It establishes trust
Regulations come and go, but there will always be something you need to be compliant with. Apart from helping with the legal issues that the GDPR implies, for example, it is always good marketing to show your customers and business partners that their data are safe and they can safely work with you.
What types of identity and access governance are there?
I.A.G. encompasses two approaches, RBAC (role-based access control) and ABAC (attribute-based access control), and has two main components – authentication and access.
RBAC involves a long list of network permissions and restrictions according to an employee’s role within the organisation. The roles are pre-defined and based on factors like responsibility, job competency and level of authorization.
Among the benefits RBAC brings to a company are: complete compliance with state and local laws, rules and regulations, including the GDPR; increased overall visibility over authentication protocols and access requests; a reduced insider threat risk; and lower costs.
ABAC uses XACML (eXtensible Access Control Markup Language), a policy language used to define the various entities operating within its boundaries – the subject, action, resource, environment. The subject is the one who requests access. The action refers to what the subject intends to accomplish (read, write, transfer etc.). The resources refer to what is impacted when the subject performs a certain action, and the environment to the context in which a user initiates an action that impacts one or more resources.
ABAC is a very dynamic I.A.G. model, capable of integrating context-sensitive data and metadata, that can offer almost endless combinations and significantly reduces the risks associated with human error.
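To make the two approaches concrete, here is a small ABAC policy evaluator built around the four XACML entity categories named above (subject, action, resource, environment), with the RBAC case expressed as a rule that only looks at the subject’s role attribute. This is an added example, not code from the article or from any product; the policy rules, attribute names and the deny-overrides combining logic are constructed for illustration.

```python
"""Minimal ABAC evaluator over XACML-style requests (added example; constructed policy)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Request = Dict[str, dict]            # keys: subject, action, resource, environment
Condition = Callable[[Request], bool]

@dataclass
class Rule:
    name: str
    effect: str                      # "Permit" or "Deny"
    condition: Condition             # true when the rule applies to a request

@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, request: Request) -> str:
        """Deny-overrides combining: any applicable Deny wins, then Permit, else NotApplicable."""
        effects = [r.effect for r in self.rules if r.condition(request)]
        if "Deny" in effects:
            return "Deny"
        return "Permit" if "Permit" in effects else "NotApplicable"

def role_allows(roles: set, actions: set) -> Condition:
    """RBAC as an ABAC rule: the role is just one attribute of the subject."""
    return lambda req: req["subject"]["role"] in roles and req["action"]["id"] in actions

POLICY = Policy(rules=[
    Rule("finance-read-write", "Permit", role_allows({"finance"}, {"read", "write"})),
    Rule("auditor-read-only", "Permit", role_allows({"auditor"}, {"read"})),
    # Environment attribute: confidential data is never written from outside the office network
    Rule("no-remote-write", "Deny", lambda req: req["action"]["id"] == "write"
         and req["resource"]["classification"] == "confidential"
         and not req["environment"]["on_corporate_network"]),
    # Session attribute: confidential resources require a verified (step-up) session
    Rule("require-step-up", "Deny", lambda req: req["resource"]["classification"] == "confidential"
         and not req["subject"]["mfa_verified"]),
])

def decide(role: str, action: str, classification: str, on_network: bool, mfa: bool = True) -> str:
    request = {
        "subject": {"role": role, "mfa_verified": mfa},
        "action": {"id": action},
        "resource": {"classification": classification},
        "environment": {"on_corporate_network": on_network},
    }
    return POLICY.evaluate(request)

if __name__ == "__main__":
    print(decide("finance", "write", "confidential", True))    # Permit
    print(decide("finance", "write", "confidential", False))   # Deny: remote write of confidential data
    print(decide("auditor", "write", "public", True))          # NotApplicable: no rule matched
```

A NotApplicable result should be treated as a deny by the enforcement point; only an explicit Permit grants access.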
What are the best I.A.G. practices?
A good access governance strategy involves centralizing your approach, dealing with orphaned accounts, implementing zero-trust security and finding the best software solution.
Centralizing identity management and login procedures offers great visibility on what devices and data are used in your company and by whom.
The accounts of people who got promotions or left the company should never be forgotten. The credentials and provisions of the so-called orphaned accounts represent easy targets for threats both inside and outside the company’s network.
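The orphaned-account problem described above is easiest to catch by reconciling the directory against the HR roster on a schedule. The following added example (not code from the article or from any product) flags enabled accounts with no owner, accounts whose owner has left, accounts that still hold groups from a previous role after a promotion, and accounts that have not logged on for a long time; the roster, account records and role-to-group mapping are constructed sample data.

```python
"""Orphaned-account review: directory export reconciled against HR (added example, constructed data)."""
from datetime import date

# Constructed HR roster: current employment status and role
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance"},
    "bob":   {"status": "left",   "role": "engineering"},
    "carol": {"status": "active", "role": "manager"},   # promoted from helpdesk
}

# Constructed directory export: enabled flag, group memberships, last interactive logon
ACCOUNTS = [
    {"user": "alice",      "enabled": True, "groups": {"finance"},             "last_logon": date(2021, 3, 1)},
    {"user": "bob",        "enabled": True, "groups": {"engineering", "vpn"},  "last_logon": date(2020, 11, 2)},
    {"user": "carol",      "enabled": True, "groups": {"helpdesk", "manager"}, "last_logon": date(2021, 3, 2)},
    {"user": "svc-backup", "enabled": True, "groups": {"domain-admins"},       "last_logon": date(2020, 6, 1)},
]

# Constructed mapping of which groups each role is entitled to
ROLE_GROUPS = {"finance": {"finance"}, "engineering": {"engineering", "vpn"},
               "manager": {"manager"}, "helpdesk": {"helpdesk"}}

REVIEW_DATE = date(2021, 3, 10)

def find_orphans(accounts, roster, today, stale_days=90):
    """Return (user, reason) pairs for enabled accounts that need review."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                                  # already disabled: nothing to do
        person = roster.get(acct["user"])
        if person is None:
            findings.append((acct["user"], "no owner in HR roster"))
        elif person["status"] != "active":
            findings.append((acct["user"], "owner has left but account still enabled"))
        else:
            # Promotion or transfer: groups the current role does not justify
            extra = acct["groups"] - ROLE_GROUPS.get(person["role"], set())
            if extra:
                findings.append((acct["user"], f"stale groups from previous role: {sorted(extra)}"))
        if (today - acct["last_logon"]).days > stale_days:
            findings.append((acct["user"], f"no logon for more than {stale_days} days"))
    return findings

if __name__ == "__main__":
    for user, reason in find_orphans(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{user}: {reason}")
```

Service accounts with no human owner (svc-backup here) are the ones most often missed, so the review should require a named owner for them rather than silently skipping them.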
The zero-trust security model implies monitoring behaviour through multiple and continuous authentication methods and assessing risk levels throughout the duration of each session.
Last but not least, you need to find the best software solution for your business. Do you need to handle privilege escalation requests, automate the elevation of admin rights, provide a full audit trail or automatically de-escalate on infections? There are options for all of these.
The external threats of cybercriminals and the users’ behaviour and how they handle the devices they work on are some of the most important cybersecurity risks for any company – identity and access management and a good access governance strategy are two of the best solutions to mitigate them. It’s up to you to choose the option that best suits your company and allows you to focus on evolution and not on dealing with unwanted cybersecurity issues.
Elena Georgescu, a young word master always happy to help and curious to learn more about technology, is a Communication and PR Officer at Heimdal Security, a leading European provider of cloud-based cybersecurity solutions.