4 July 2019
Creating and maintaining an advanced Identity & Access Management (IAM) program requires collaboration. As one famous African proverb states, “If everyone helps to hold up the sky, then one person does not become tired.”
But this type of collaboration involves planning. When you’re working in a large organization with multiple parties – each of whom has a different perspective – it can be hard to keep things moving at the right pace and in the right direction, and there’s also the challenge of making sure that the parties involved are not working at cross-purposes.
So what steps do you need to take to develop an IAM program – collaboratively – that meets your company’s security needs? The following are some basic guidelines designed to get you on track in building on your current IAM system and developing an advanced program that involves stakeholders, technology areas, policies, and processes.
1. Don’t Skip Project Definition
Careful project definition saves heartache down the road. Though it’s time-intensive, defining the boundaries of an IAM program and its objectives up front generally reduces the number of policies required – so in the long term, it can save time and resources. Whether you’re building on a legacy IAM system or creating something new, make sure that basic aspects of IAM strategy have been rigorously considered, including the existence of a single identity per employee, identity confirmation, timely access removal when necessary, and eliminating duplication.
2. Revisit User Transitions
As systems become more complex, it’s important to revisit the typical user transitions that are part of your company’s user access management process.
Two simple examples: an individual starts out as (1) an applicant, then becomes (2) an employee, and eventually turns into (3) a former employee. Alternatively, a person enters the system as (1) a prospective user, then becomes (2) an active user, then (3) a deactivated user, and is eventually changed into (4) a deleted user. There’s also the (2.5) promoted user, and the user who moves onto new projects.
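The second lifecycle above, modelled as an explicit state machine, as an added example that is not code from the original post. The four states and the idea that a promotion is a change of entitlements for a user who stays active come from the text; the permitted-transition table, the immediate revocation on deactivation and the audit trail are assumptions chosen to illustrate the "timely access removal" and "no duplicate access" goals from step 1.

```python
"""User lifecycle transitions with access revocation on deactivation.

Added example, not code from the original post. States come from the
lifecycle described in the text; the transition table, revocation and
audit behaviour are illustrative assumptions.
"""
from dataclasses import dataclass, field

# Permitted transitions, keyed by current state (assumed table).
# A promotion is modelled as staying "active" while entitlements change,
# so it is not a separate state. Deletion is final.
TRANSITIONS = {
    "prospective": {"active", "deleted"},
    "active":      {"deactivated"},          # must deactivate before deleting
    "deactivated": {"active", "deleted"},    # reactivation is allowed
    "deleted":     set(),
}


@dataclass
class Identity:
    user_id: str
    state: str = "prospective"
    entitlements: set = field(default_factory=set)
    audit: list = field(default_factory=list)


class InvalidTransition(Exception):
    pass


def transition(identity, new_state, actor):
    """Move an identity to new_state if the table permits it.

    Leaving the active state removes all access in the same step, rather
    than waiting for a later provisioning sync to catch up.
    """
    if new_state not in TRANSITIONS[identity.state]:
        raise InvalidTransition(f"{identity.state} -> {new_state} not permitted")
    identity.audit.append(("state", identity.state, new_state, actor))
    identity.state = new_state
    if new_state in ("deactivated", "deleted"):
        identity.entitlements.clear()
    return identity


def promote(identity, add, remove, actor):
    """A promotion or project move is an entitlement change for an active user.

    Entitlements that no longer apply are removed in the same operation, so
    access does not accumulate over a career (the "(2.5) promoted user").
    """
    if identity.state != "active":
        raise InvalidTransition("only active users can be promoted")
    identity.entitlements -= set(remove)
    identity.entitlements |= set(add)
    identity.audit.append(("promote", sorted(add), sorted(remove), actor))
    return identity


def demo():
    """Walk one constructed user through the lifecycle and return the identity."""
    u = Identity("user-0001")                      # constructed sample user
    transition(u, "active", "hr-system")
    promote(u, {"finance:read"}, set(), "hr-system")
    promote(u, {"finance:approve"}, {"finance:read"}, "line-manager")
    transition(u, "deactivated", "hr-system")      # access is gone immediately
    return u


if __name__ == "__main__":
    user = demo()
    print(user.state, sorted(user.entitlements))
    for entry in user.audit:
        print(entry)
```

Running `demo()` ends with a deactivated user holding no entitlements; the audit list records who moved the user between states and which entitlements each promotion added and removed, which is the evidence an access review needs.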
3. Look at Who’s Using the System
From one perspective, the stakeholders of an IAM program can be broadly divided into three main categories: service consumers, service providers, and role providers.
From another perspective, IAM identities can be divided up based on their roles in authentication, as follows: subject, identity provider, and relying party.
Multiple sources of identity also exist within every organization, so ensuring appropriate authorizations for each is imperative. In addition to your HR system, for example, you may also have to take into consideration a guest system or contractor systems.
4. Buck Stops – Where?
For an IAM program to be developed and managed effectively, it is necessary to be clear on who has the ultimate responsibility. This can be broken down into several areas: Who is responsible for developing a clear vision and overseeing implementation? Which members of staff are involved in the implementation and maintenance? And (in a larger and more complex organization) what are the sources of funding?
5. Legacy IAM – and Its Limitations
Assuming that you already have an IAM system in place, the question, of course, is how best to enhance it to meet today’s growing security and identity needs and the opportunities offered by cloud-based applications. Legacy IAM programs aren’t meeting today’s need for scalability, flexibility, and speed – or the need to handle cloud-based and SaaS applications that are not on-prem, and to maintain security for external groups.
6. Policy-Based Authorization
PBAC (policy-based access control), a combination of ABAC (attribute-based access control) and RBAC (role-based access control), has been much touted as an approach to access management that provides the increased security levels and control that your company needs while making it easier to scale up.
With more comprehensive identity controls and technology, PBAC also provides the increasingly crucial ability to configure support easily for external user groups, such as partners, customers, and contractors. But how best to go about integrating PBAC into an existing system?
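One way to picture PBAC layered on an existing RBAC model, as an added example that is not PlainID’s code or API. The roles, permissions, attributes and policies below are constructed for illustration: the role table is the “existing RBAC” layer, and the attribute policies are the ABAC layer added on top of it, which is also where external identities such as contractors are handled without inventing new roles.

```python
"""Policy-based access control (PBAC) on top of an existing RBAC model.

Added example, not PlainID's code or API. Roles, attributes and policies
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable

# --- Existing RBAC layer: users hold roles, roles grant permissions ----------
ROLE_PERMISSIONS = {
    "clerk":   {"invoice:read"},
    "manager": {"invoice:read", "invoice:approve"},
    "auditor": {"invoice:read"},
}


@dataclass
class Subject:
    user_id: str
    roles: set
    attrs: dict = field(default_factory=dict)   # e.g. department, identity_source


@dataclass
class Resource:
    rid: str
    attrs: dict = field(default_factory=dict)   # e.g. department, amount


@dataclass
class Policy:
    permission: str
    condition: Callable[[Subject, Resource, dict], bool]
    description: str


def rbac_allows(subject, permission):
    """Coarse check: does any role held by the subject grant the permission?"""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)


# --- ABAC layer: attribute conditions that narrow what a role may do ---------
POLICIES = [
    Policy(
        "invoice:read",
        lambda s, r, ctx: s.attrs.get("department") == r.attrs.get("department")
        or "auditor" in s.roles,
        "read only within own department; auditors read everything",
    ),
    Policy(
        "invoice:approve",
        lambda s, r, ctx: s.attrs.get("department") == r.attrs.get("department")
        and r.attrs.get("amount", 0) <= s.attrs.get("approval_limit", 0)
        and s.attrs.get("identity_source") == "hr",
        "approve within department, under the approval limit, HR-sourced identities only",
    ),
]


def decide(subject, permission, resource, ctx=None):
    """Return (allowed, reason). RBAC must grant the permission first, then every
    attribute policy for that permission must hold. A permission with no attribute
    policy falls back to the plain RBAC answer, which is how an existing role model
    keeps working while policies are added incrementally."""
    ctx = ctx or {}
    if not rbac_allows(subject, permission):
        return False, "denied: no role grants " + permission
    for p in (p for p in POLICIES if p.permission == permission):
        if not p.condition(subject, resource, ctx):
            return False, "denied by policy: " + p.description
    return True, "permitted"


if __name__ == "__main__":
    # Constructed sample identities: an employee and a contractor with the same role.
    alice = Subject("alice", {"manager"},
                    {"department": "finance", "approval_limit": 5000, "identity_source": "hr"})
    bob = Subject("bob", {"manager"},
                  {"department": "finance", "approval_limit": 5000, "identity_source": "contractor"})
    inv = Resource("inv-1", {"department": "finance", "amount": 1200})
    for who in (alice, bob):
        print(who.user_id, decide(who, "invoice:approve", inv))
```

The point to notice is that alice and bob hold the identical role, so a pure RBAC check treats them the same; the attribute policy is what distinguishes an HR-sourced employee from a contractor identity, and it does so without a second “contractor-manager” role.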
Enhancing legacy IAM to fit modern authorization needs is critical. Most IAM systems were designed to deal with the old-fashioned way of doing things, and organizations are struggling to adapt them to new use cases and changing technologies. And of course, there are always limitations of time and funding, as a result of which it is often impossible to consider the complete replacement of an old system.
That’s where PlainID comes in. PlainID allows you to add ABAC on top of an existing RBAC model, so you can scale up fast with the IAM system you already have. An agile, standards-based platform, it reduces the resources required and allows attribute-based decisions all the way from the user to the resource or action, based on pattern or resource attributes.
PlainID supports multiple identity types and identity sources, offering a comprehensive view of all of the identities that a company needs to authorize, including employees, customers, and system accounts.
© All Rights Reserved 2019 PlainID