8 Steps For A Complete IAM System Audit

Oren Harel
May 31, 2018

As organizations grow and evolve, the importance of maintaining a robust and flexible Identity Access Management (IAM) system becomes ever more critical. Organizations that neglect IAM  – or use outdated IAM methodologies for user authorization and authentication – put their data at risk from outside the company and from within. Data breaches of any sort (especially ones that affect high-value company information) can cause irreparable harm to the organization’s reputation, resulting in faltering investor confidence and real damage to the organization’s bottom-line. Furthermore, regulators can impose harsh financial penalties on non-compliant companies and, in some cases, affect the organization’s ability to continue operating.

As with almost any regulation, the fear of penalties for non-compliance is what drives organizations to expend the effort necessary to meet industry standards and requirements. But when your organization’s proprietary data and future are at stake, the motivation for adhering to recommended practices becomes a matter of long-term stability.

Here are eight things that you need to do to ensure your identity access management system is robust enough to meet IAM audit requirements and protect your company.

Identity and Access Management Audit Checklist

1. Create a Security Policy

IAM processes need to be clearly defined in the creation of a security policy. For complex systems like your IAM policy, formalizing the entire process in a policy document is the first step to ensuring its robustness.

Aside from making sure that your organization complies with regulations, there are several benefits to developing a good IAM policy document:

  • It gets you thinking about the process of managing user access and authorization in your company.
  • Going through the motions of mapping out who needs access to what helps you to develop strong policies for identity and access management in your organization.
  • Developing a comprehensive IAM policy enables you to respond to incidents swiftly and with confidence.
  • When you formalize procedures, they are more likely to be followed.

It is also important to make sure that you review and revise the policy document at regular intervals. Organizations are dynamic creatures – nothing ever stays the same and so neither should your IAM policy. Schedule this review into your regular security maintenance procedures and make sure that all relevant stakeholders are involved in the review process.

2. Develop Formal Procedures

As with any complex system, it is important to make sure that everyone in the organization who is involved in your IAM procedures has clearly defined roles. The IAM policy document should include a list of people (or their titles) and what they are responsible and accountable for in terms of maintaining the IAM system. This list should also include what actions each person needs to take and the estimated time required for completing each of them.

3. User Review

In any organization, users come and go, change positions and responsibilities, and are assigned to new projects all the time. This poses a constant challenge to IAM. There are so many moving parts that it becomes difficult to manage them all and make sure that the correct people have access to the correct resources on the company network or cloud.

One way to make sure that users are assigned the correct authorizations is to formalize the user access review process. It is important to clearly define the intervals at which you review the IAM system to find where users have access to systems and applications that they should not have access to. For example, performing a user review once every 60 days ensures that at almost any time you have a reasonably high level of confidence in your IAM system.

Note that PBAC can assist in expediting the user review process, by relying on those attributes to enable access. An approved user review can mean the user will automatically gain access to the required resources and functionality.

4. Assign Appropriate User Privileges

While it might seem kind of obvious, assigning appropriate user privileges is the cornerstone of a secure IAM system. While you should make sure that your security policies enable or disable access based on what the user needs, it is also important to follow the principle of “least-privileged user account.” This means that a user should be given access to as few resources as possible – they should be authorized to use the resources that they need to do their job, but no more.

Problems arise when special privileges are temporarily given to employees and are not then revoked after the temporary period has expired. This means that there could be any number of users on the network who have inappropriate privileges, leaving the door wide open for them to resources that they should not be able to access.

This is an area where PBAC can dramatically reduce the overall efforts, by automatically assigning the right privileges to the users, based on their assigned attributes.

Read the Whitepaper:  5 Myths About Policy-Based Access Control

5. Segregation of Duties

Segregation of Duties (SoD) is a principle of risk management that distributes critical functions among a number of people so that no one person has complete control or access. This minimizes the risk of fraud or error. For example, to enter the safe at Fort Knox, several members of the Depository staff need to enter separate combinations.

Regarding SoD for IAM, critical tasks should be broken down into multiple smaller tasks so that one person is not in control of the entire process. Therefore, in case of a failure in identity security, an attacker would not have access to the entire process. Although this comes at the cost of business inefficiency, the price of implementing SoD to protect the company’s most critical or vulnerable assets is a worthwhile investment.

SoD in the PBAC means that the restrictions can be implemented and fine-tuned. For example, users can’t have access to equity products and financial products at the same time. PBAC places the responsibility on the resources side, and not just on the roles.  

6. Manage Generic User Accounts

Sometimes it is useful for training, testing and other purposes to have generic user accounts set up on your network. However, a generic user account – without an actual person assigned to it – is a security risk.

Make sure to delete generic user accounts that are no longer being used, and do not assign Admin rights or rights to mission-critical systems to generic user accounts. If you need to create generic user accounts, change their preselected options (to, for example, use strong passwords) so that an attacker cannot gain access to your resources by using default settings. Regularly review the generic user accounts on your system and delete whichever ones are no longer necessary to maintain.

PAM’s (Privileged Access Management) aim is to solve the generic privileged user accounts problem. PAM combined with PBAC provides the full control and visibility required for those generic accounts.  

7. Disable Unnecessary User Accounts

Keep a clean IAM system by removing unused and unnecessary user accounts. These accounts tend to build up over time, creating a larger attack surface that could lead to a data breach.

  • Delete dormant accounts – keeping inactive users in the system opens it up to a potential threat. Any user that has not used their account for a long period of time is likely to no longer be a part of your organization and should be deleted.
  • Remove users from groups that they shouldn’t be part of – users who changed roles or have new responsibilities in your organization should only be part of relevant user groups.
  • Review group policies – take a look at the access policy definitions for every group and make sure that they are appropriate for that group.
  • Delete unnecessary or exposed user login details – if a user has access credentials to resources that they don’t need access to, or if you are aware that a user’s access credentials have been compromised, remove them from the system. This reduces the threat of accidental exposure to sensitive information and potential breaches.

8. Maintain Clear Documentation

A clear and easy-to-follow documentation trail is necessary for proving compliance with regulations. If your organization is audited, it will be necessary to account for all administration activities, policies, and usage. Proper documentation of your IAM system is also helpful when understanding your IAM system to find ways to make it more efficient and effective.

Examples of documentation that could help with an audit include:

  • IAM Policy document

  • Administrator and user log files

  • Fraud Risk Assessment document

Any of the other documents described, above

Blog: Identity Access Compliance Regulations

Ensure Your IAM System is Watertight

Ensuring that your IAM system is up-to-date is of paramount importance. Create a security policy and document your procedures, maintaining those documents. Formalize processes, assign appropriate privileges and continually review them. Reduce risk by employing the principle of “segregation of duties,” manage generic accounts, and disable disused ones. If your company follows those guidelines, you are in good shape going forward. Your users, IT managers, and bank account will thank you.

Clear visibility of an organization’s PBAC policies enables risk and compliance officers to identify and reduce some of these gaps, as well as ensure that the way the company manages IAM meets all legal requirements, company guidelines, and industry standards.

Ask for a demo to see how PlainID and PBAC can help your organization to identify gaps and prioritize improvements to make sure that your organization meets industry standards and best practices.

Most Popular Posts