Gage Heeringa, IAM Consultant, SecureITsource, Inc.
A fundamental business problem that is addressed by an organization’s Identity and Access Management (IAM) implementation is how to model access to resources at the organization. Kicking off their annual IAM Summit this month, Gartner published their Magic Quadrant for Privileged Access Management. A key takeaway: by 2021, 40% of organizations that utilize formal change management practices will integrate with a privileged access management (PAM) tool – up from 10% in 2018. Reining in roles by adjusting your organization’s access model can restore the benefits provided by abstracting access with roles, and pave the way for an integration with a PAM solution.
An issue that may arise with an IAM implementation is commonly referred to as “role explosion.” Recall that a role is simply a set of references to entitlements. (E.g., an “Accounts Payable Manager” role may include the entitlements “Timesheet Preparer” and “Timesheet Approver.”) Role explosion may occur when an access model is structured to contain roles that only represent a single entitlement. (E.g., “Timesheet Preparer” is its own role, and only contains the entitlement “Timesheet Preparer.”)
The problem with “1-role-1-entitlement” is that the advantages which abstracting access with roles provides become overshadowed by new issues that arise. Aggregating accounts from an application, generating certifications, and maintenance tasks may take performance hits. Managing these roles becomes burdensome as a manager may need to certify the same set of roles for several employees, when perhaps this set of roles could be reduced to a single role. In the pursuit of ensuring every user has “the right access to the right resources,” the work for everyone involved in the access management process should be made as simple as possible (but not simpler).
Modeling access at an organization also brings about the question of what to do with privileged accounts. For example, an application may have a team of administrators who each have their own “admin” account, which can perform more operations than a standard account. Additionally, some of these administrators may have access to a “sysadmin” service account that is built into the application. A key difference to note here is that the user’s privileged account should be deprovisioned when that user no longer requires that access or leaves the organization, while the service account remains intact – though of course the user should lose access to that as well. These users also need some way to share and eventually update the “sysadmin” password. This is where privileged access management comes in. SailPoint’s IdentityIQ, the current leading IAM solution, provides a module for integrating with a privileged access management solution.
According to BeyondTrust’s 2015 report Privilege Gone Wild in which over 700 responses from information security professionals were collected, 47% of respondents acknowledged that their users continued to have privileged access unnecessary to fulfill the duties of their roles. The majority of organizations participating in the report had a PAM solution in place, whereas Gartner’s 2018 report indicates that it is the exception an organization is effectively managing privileged access. When roles are improperly provisioned, security risks follow.
IAM solutions such as IdentityIQ provide the means to elegantly represent and manage access in a way that is tailored to the organization’s needs. As the importance of a privileged access management solution becomes increasingly important for an organization’s information security, complementing IAM/PAM implementations such as IdentityIQ with CyberArk – the PAM solution with the highest marks for both “ability to execute” and “completeness of vision” in Gartner’s latest report – will become increasingly important.