Identity governance is a critical foundational practice required to secure and manage privilege and access across the enterprise. Organizations are required to demonstrate an enterprise identity governance program that complies with nearly every significant compliance audit for almost every industry.
Identity governance programs are typically deployed as part of the security stack that includes Identity Access Management (IAM) and Privileged Access Management (PAM) solutions. This enables organizations to seamlessly associate identities with role-based access controls that map across the enterprise throughout applications, servers, and endpoints.
What happens when IAM is not aligned with PAM?
When identities originate within a domain or network, mapping privileges initially to a user and/or role is usually standard and easy to perform. However, as the perimeter expands and new Operating Systems (OSes), applications, and infrastructures are introduced, the problem becomes much more complicated. Identities take on many forms, there’s the traditional human identity, which is associated with users. Non-Human identities can take forms such as services, systems, SSH keys, API keys, IoT devices, and many more.
The challenge is mapping an identity that accesses endpoints, servers, applications that span across traditional data centers, cloud infrastructures, and SaaS-based solutions
Typically, organizations will implement controls that govern both user and service account identities as a fundamental practice. However, where the challenge exists is mapping an identity that accesses endpoints, servers, and applications that span across traditional data centers, cloud infrastructures, and SaaS-based solutions. Single Sign-On (SSO) has made this challenge a lot easier, but implementing SSO only addresses part of the problem. SSO is traditionally associated with human identity. SSO does not provide any form of privilege management after authentication and authorization.
Role-based access controls govern what the user can do once access is granted. Also, what happens when the identity isn’t associated with a human? Endpoints, servers, and applications now use services to access other systems and use different types of identities to authenticate. These non-human identities must be governed and audited the same way human identities are. This requires demonstrating that machine identities are also part of your Privileged Access Management program to be compliant.
So, let’s talk about why PAM is essential to any identity governance and management program
Privileged Access Management ensures that users have the precise access privileges required for their job. The requirement for precision has evolved as security awareness has improved. Before the condition was to provide only the access necessary for a role to perform, their job was acceptable. However, as notable large-scale breaches leveraged compromised accounts or as internal users misused their privileges, the requirement for precision grew.
Today, organizations must do everything to reduce the risk of brand damage, leaks of PII, theft of proprietary information, or simply preventing unintentional access to sensitive data. This requires a comprehensive program that links ALL types of identities seamlessly across the enterprise, associating the identity, and auditing the precise access they have.
The steps to get started:
- Discover, assess, and reduce the number of identities; this is absolutely the first step to reducing and managing the number of accounts that need to be governed. This needs to take place not only at the domain level, but also on every piece of infrastructure, application, and database. Set up automated discovery operations that run as frequently as possible to quickly identify the rogue creation of accounts.
- Establish a foundational Privileged Access Management (PAM) program associated with each and every identity, both human and non-human. Consider every single point of access and ensure there are granular role-based access controls available. Consider both how humans gain access (ex.SSO, Username/Passwords/RDP/SSH Keys), and also how non-humans gain access (ex. API, SSH, credentials embedded in scripts).
- Implement a comprehensive Identity Lifecycle Management (ILM) program that extends across the enterprise. Identity lifecycle management needs to be centralized, so that identity changes only need to be made in a single location. When a change is made, the ILM program should be automated, so that change affects all accounts associated with the identity. This also reduces the time to remediate an identity-related incident, for example, removing access for a compromised identity.
- Identifying anomalies, measuring risk, undertaking identity audits, and demonstrating compliance is where a User and Entity Behavior Analytics program (UEBA) fits into identity governance and management. UEBA platforms leverage artificial intelligence (AI) to audit and track identity activity, create baselines, monitor for exceptions, and provide actionable intelligence.
This should not just be limited to access events. It also requires session recording to track keystrokes, clicks, and activities performed by both human and non-human users. This accelerates baseline creation and the identification of anomalous behaviors. Logging and reporting all activities provides a critical pillar of intelligence required to drive threat investigations and supports auditing efforts necessary to meet several regulatory compliance mandates.
Identity governance and management is the center of IT security operations
It needs to be efficient, drive productivity, and it absolutely can’t slow business down. The program must provide timely access to users and systems and grant access they need to perform their jobs. Ideally, the right governance promotes productivity by eliminating barriers and seamlessly moves users and systems through checkpoints without increasing risk. IT and Security ops teams will benefit significantly from an automated program. Unified, comprehensive, and automated, the program reduces burdens, and human error and accelerates time to remediation.