Identity and access management (IAM) processes, policies and technologies play an important role in the security operations of modern organisations, allowing them to manage digital identities, and what those identities are allowed to do, effectively.
As technology continues to dominate the way businesses operate, and data privacy becomes a crucial part of the corporate agenda, IAM systems are gaining importance because they enable IT managers to control the information that users can access and the actions they can perform.
User actions, such as viewing or editing a file, are typically governed by the person's role or level of responsibility within an organisation. Common IAM technologies include single sign-on (SSO), multifactor authentication (MFA) and privileged access management (PAM), which together control who can reach which data and protect the identity data itself.
While IAM systems are far from new, they are quickly evolving to help organisations meet the demands of the interconnected economy and mitigate emerging security threats. Automation capabilities, in particular, are making it easier for IT teams to create and manage identities and avoid human error.
Eradicating manual tasks
In the past, IAM processes and technologies have been largely manual and relied on input from humans. But automation promises to speed things up and help organisations protect vital data in real time.
James Litton, CEO of IAM specialist Identity Automation, says: “Provisioning, deprovisioning and real-time updates to identity information occur in on-premise and cloud applications as changes are detected in the various authoritative source systems used by an organisation. This eliminates repetitive physical tasks for IT staff, while creating valuable bandwidth for more strategic initiatives.”
Litton argues that automation is also important for protecting critical data assets. “An example of this is when an employee leaves an organisation or a technology supplier relationship ends,” he says. “Automation can ensure that their accounts do not remain in an active state, thus eliminating a potential avenue through which bad actors can access data. When implemented properly, automated IAM solutions can also identify orphan accounts automatically and alert system owners.”
Identity management systems comprise users, applications and policies, all of which govern how people are able to use software. Litton says automated IAM systems can fully automate identity creation at scale; automatically manage user access; apply role- and attribute-driven policies; and completely remove the need for passwords, helping to improve the user experience, while decreasing the helpdesk support burden.
“Once an IAM solution has been deployed, the enforcement and management of users and their access to data assets can be automated,” he says. “And if the application of an organisation’s policies is automated, you stand a much better chance of mitigating risk from the negative consequences that result from poor policy management practices, while increasing operational efficiency and improving the user experience.”
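The lifecycle logic Litton describes, reconciling a directory against an authoritative source so that joiners are created with the groups their role entitles them to, movers lose what they have accumulated, leavers are disabled the moment HR says so, and owner-less accounts are flagged as orphans, looks like this in outline. This is an added example written for this article, not Identity Automation's product or any vendor's data model; the record layouts, the role-to-group policy, the exemption list and the sample HR feed and directory snapshot are all constructed assumptions.

```python
"""Joiner/mover/leaver reconciliation between an authoritative HR feed and a
directory's account list. Example code written for this article, not Identity
Automation's product: the record layouts, the role-to-group policy, the
exemption list and the sample data are all constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

# Role-driven policy: the groups an identity should hold for a job role (assumed).
ROLE_GROUPS = {
    "physician": {"ehr-clinical", "ehr-prescribe", "vpn-users"},
    "nurse": {"ehr-clinical", "vpn-users"},
    "it-admin": {"vpn-users", "helpdesk"},
}
# Owner-less accounts with a documented exemption; every other account without
# an HR owner is treated as an orphan (assumed list).
EXEMPT = {"svc-backup"}

@dataclass(frozen=True)
class Employee:
    emp_id: str
    username: str
    role: str
    status: str  # "active" or "terminated", as the HR system reports it

@dataclass
class Account:
    username: str
    emp_id: str | None
    enabled: bool
    groups: set[str] = field(default_factory=set)

def reconcile(hr: list[Employee], accounts: list[Account]) -> list[tuple]:
    """Return, in order, the directory changes that make it match HR."""
    by_id = {e.emp_id: e for e in hr}
    by_owner = {a.emp_id: a for a in accounts if a.emp_id}
    actions: list[tuple] = []
    # Joiners and movers: every active employee has an enabled account holding
    # exactly the groups the role policy grants, nothing accumulated from before.
    for e in hr:
        if e.status != "active":
            continue
        wanted = ROLE_GROUPS[e.role]
        acct = by_owner.get(e.emp_id)
        if acct is None:
            actions.append(("create", e.username, sorted(wanted)))
            continue
        if not acct.enabled:
            actions.append(("enable", acct.username))
        for g in sorted(wanted - acct.groups):
            actions.append(("add_group", acct.username, g))
        for g in sorted(acct.groups - wanted):
            actions.append(("remove_group", acct.username, g))
    # Leavers and orphans: an enabled account HR no longer vouches for is
    # disabled and stripped of groups now, not left for a periodic review.
    for a in accounts:
        if a.username in EXEMPT:
            continue
        owner = by_id.get(a.emp_id) if a.emp_id else None
        if owner is None:
            actions.append(("orphan", a.username))  # alert the system owner
            if a.enabled:
                actions.append(("disable", a.username))
        elif owner.status == "terminated" and a.enabled:
            actions.append(("disable", a.username))
            for g in sorted(a.groups):
                actions.append(("remove_group", a.username, g))
    return actions

def sample_run() -> list[tuple]:
    """Constructed HR feed and directory snapshot exercising each case."""
    hr = [
        Employee("E1", "alice", "physician", "active"),
        Employee("E2", "bob", "nurse", "active"),
        Employee("E3", "carol", "it-admin", "terminated"),
        Employee("E4", "dave", "nurse", "active"),  # joiner, no account yet
    ]
    accounts = [
        Account("alice", "E1", True, {"ehr-clinical", "vpn-users"}),           # missing a group
        Account("bob", "E2", True, {"ehr-clinical", "vpn-users", "helpdesk"}),  # over-entitled
        Account("carol", "E3", True, {"vpn-users", "helpdesk"}),               # leaver still enabled
        Account("mallory", "E9", True, {"vpn-users"}),                         # no HR record: orphan
        Account("svc-backup", None, True, {"backup-operators"}),               # documented exemption
    ]
    return reconcile(hr, accounts)

if __name__ == "__main__":
    for action in sample_run():
        print(action)
```

The ordering matters in practice: the leaver and orphan pass runs every time the feed changes, not on a schedule, and an orphan is both alerted on and disabled rather than merely reported, because an enabled account nobody owns is exactly the avenue Litton warns about. Exemptions are an explicit allow-list so that a service account cannot silently escape review by having no owner field.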
Identity Automation has helped a number of organisations to modernise their IAM strategies, including Saint Luke’s Health System in Kansas City, US. IT manager Michael Marker says its clinicians are saving time each day. “For example, we have had physicians say they are able to see two to three more patients a day with the additional time it saves,” he tells Computer Weekly.
The firm has also been working with Charlotte County School District to implement automated identity management. Executive director Christopher Bress says: “We did an analysis of our procedures and concluded that they were ripe for automation. By having people do this work manually, we were basically building unnecessary delays into the process.
“Also, as the number of people using resources continues to go up, we were finding ourselves spending an inordinate amount of time at the beginning of the year creating and provisioning accounts.”
Matt Lock, technical director at security firm Varonis, believes automation has become a critical tool in a security team's arsenal and agrees that it is particularly useful for managing the large volumes of access data that IAM produces.
“Organisations are great at generating huge amounts of information, but often do a terrible job of keeping track of it and making sure it’s secure,” he says. “On average, about one in five folders, some of them containing sensitive data, are open to every employee. When you are dealing with thousands of folders and millions of files, automation is the only realistic alternative.
“The size and complexity of today’s networks make watching and securing your most valuable digital assets far more than a full-time job. It is incredibly time-consuming and it must be done right or you will remove access for those who need it. And maintaining least privilege requires constant upkeep.
“Automation can take on the issue of overexposed access in days instead of months or years, and removes the grunt work that skilled IT and security pros shouldn’t be spending time on.”
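Lock's "overexposed access" problem is concrete enough to script. The example below, written for this article and not Varonis's own tooling, walks a file share, computes each folder's effective ACL, flags every folder a broad group can reach, and, importantly for the "days instead of months" claim, reports the folder where the offending entry is actually declared, so that one edit clears every child that inherits it. The ACL model (a folder's effective entries are its own plus its parent's unless it breaks inheritance), the broad-group names, the sensitivity labels and the sample share are all constructed assumptions.

```python
"""Find folders whose effective ACL lets a broad group in, and the folder where
the offending entry is declared so it can be removed once.
Example code written for this article, not Varonis's tooling: the ACL model,
the broad-group names and the sample share are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass

# Groups that in practice mean "every employee" (assumed; adjust per domain).
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

@dataclass(frozen=True)
class Ace:
    principal: str
    rights: str  # "read" or "modify"

@dataclass(frozen=True)
class Folder:
    path: str
    aces: frozenset[Ace] = frozenset()
    inherits: bool = True     # False: inheritance broken, own ACEs only
    sensitive: bool = False   # from data classification, assumed known here

def parent_of(path: str) -> str | None:
    if path == "/":
        return None
    return path.rsplit("/", 1)[0] or "/"

def effective_aces(folders: dict[str, Folder], path: str) -> frozenset[Ace]:
    """Own entries, plus the parent's effective entries while inheritance holds."""
    f = folders[path]
    acl = set(f.aces)
    p = parent_of(path)
    if f.inherits and p is not None:
        acl |= effective_aces(folders, p)
    return frozenset(acl)

def declared_at(folders: dict[str, Folder], path: str, ace: Ace) -> str:
    """Walk up to the folder that lists `ace` in its own ACL (the remediation point)."""
    while ace not in folders[path].aces:
        up = parent_of(path)
        if up is None:
            raise ValueError(f"{ace} is not declared on the path to {path}")
        path = up
    return path

def overexposed(folders: dict[str, Folder]) -> list[dict]:
    """One finding per (folder, broad principal) that can reach it."""
    findings = []
    for path in sorted(folders):
        f = folders[path]
        for ace in sorted(effective_aces(folders, path), key=lambda a: a.principal):
            if ace.principal not in BROAD_GROUPS:
                continue
            findings.append({
                "path": path,
                "principal": ace.principal,
                "rights": ace.rights,
                # sensitive data or write access to everyone goes to the top of the queue
                "severity": "high" if f.sensitive or ace.rights == "modify" else "medium",
                "fix_at": declared_at(folders, path, ace),
            })
    return findings

def remediation_points(findings: list[dict]) -> set[tuple[str, str]]:
    """Distinct (folder, principal) edits: fixing the declaring folder clears its children."""
    return {(x["fix_at"], x["principal"]) for x in findings}

def sample_share() -> dict[str, Folder]:
    """Constructed share: eight folders, four exposed, three places to fix."""
    folders = [
        Folder("/", frozenset({Ace("Domain Admins", "modify")}), inherits=False),
        Folder("/Public", frozenset({Ace("Everyone", "read")})),
        Folder("/Public/Templates"),                       # inherits Everyone:read
        Folder("/HR", frozenset({Ace("HR-Staff", "modify")}), inherits=False),
        Folder("/HR/Payroll", frozenset({Ace("Payroll-Team", "modify"),
                                         Ace("Authenticated Users", "read")}),
               inherits=False, sensitive=True),
        Folder("/Finance", frozenset({Ace("Finance", "modify")}), inherits=False),
        Folder("/Finance/Shared", frozenset({Ace("Domain Users", "modify")})),
        Folder("/Finance/Reports", sensitive=True),        # inherits Finance:modify only
    ]
    return {f.path: f for f in folders}

if __name__ == "__main__":
    found = overexposed(sample_share())
    for x in found:
        print(x)
    print("fix:", sorted(remediation_points(found)))
```

The separation between where exposure is observed and where it is fixed is the part that pays off at scale: a single Everyone:read on a top-level folder shows up as thousands of exposed subfolders, but is one remediation. Ranking by sensitivity and by write access first is how the queue stays short enough to work through without accidentally cutting off people who need access, the failure Lock warns about.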
A changing threat landscape
With technology evolving quickly and new threats always emerging, IT teams must stay one step ahead by developing and implementing robust security approaches. Phillimon Zongo, co-founder and director at learning provider Cyber Resilience, says rapid cloud adoption, tightening regulations and soaring cyber threats are all putting pressure on traditional identity and access management processes.
“Managing IAM manually is now untenable,” he says. “It raises both costs and business risk. When done correctly, IAM automation can materially enhance compliance, lower costs, reduce cyber risk exposure, and free up humans to work on value-creating initiatives.”
However, organisations need to consider what tools are needed to develop a sophisticated automation-driven identity and access management system. According to Zongo, IAM automation use cases are as varied as the organisations putting them to use. "Through federation and cloud-based single sign-on solutions, organisations are centralising IAM across several on-premise and cloud-based applications, eliminating dozens of unique passwords, boosting user experience, reducing cyber risk and streamlining the access provisioning process," he says.
Many organisations are replacing traditional spreadsheet-based user access reviews with automated workflows, says Zongo. "Businesses are aggregating access rights from multiple heterogeneous applications, presenting simplified dashboards for management review, automating escalations and enhancing IAM governance through comprehensive reporting."
Facial recognition technology – perhaps more controversial – has also emerged as a popular IAM method in recent times. “Airports are verifying travellers’ identities on arrival, before issuing unique biometric tokens that travellers can use throughout the entire verification process,” says Zongo. “This removes the need for passport and boarding pass checks. Notwithstanding the privacy concerns, automating passenger verification processes can significantly uplift travel experience while lowering security risks.”
But Kushal Puri, cyber security innovation lead at London-based innovation centre and co-working space Plexal, says there are no specific requirements or tools to aid the introduction of automated IAM. “This is very much dependent on the complexity and the needs of the company,” he says.
However, organisations and technologists can make use of various solutions aimed specifically at automating aspects of an IAM framework, says Puri. “These include single sign-on, password management and helpdesk ticket automation,” he says. “From a security perspective, the ideal situation would be to use a single tool that automates as much of the IAM framework as possible. This is something we would like to see developed in future years.”
Puri says the first steps in the automation of IAM are automating processes such as password management, identity lifecycle management and finding orphan accounts, because these deliver the largest benefits for the least effort. "Not only this, but if implemented well, automating certain aspects of helpdesk ticket routing and app access management will also lead to huge cost and time savings for IT staff," he points out.
However, Puri admits that the best way of introducing automation into a company will vary based on individual circumstances. “Typically, a company should take a phased approach by automating low-risk processes first, such as password management, before progressing gradually to processes that interact with multiple systems, such as app access management,” he says.
The benefits of automated IAM
When it comes to implementing any new technology, return on investment is a major consideration for organisations. "By eliminating human error, especially in de-provisioning processes, the effectiveness of the IAM system from a security perspective will be greatly increased," says Puri.
Business output levels can also be significantly boosted, he adds. “For example, manual provisioning of a new user can take up to 30 minutes, while an automated provisioning process can be executed in under five minutes, including ‘human in the loop’ checks. Similar to output levels, by drastically reducing the amount of time needed to gain access to apps, reset passwords, and even logging into various apps on a daily basis, employee productivity can also be improved by a huge margin.”
There are also financial benefits, says Puri. “IT staff costs can be lowered by reducing the need for IT staff intervention on IAM-related helpdesks,” he says. “Currently, each password reset request costs an estimated £20-30 in IT time. With automated IAM, this will no longer be the case.”
Neil Thacker, CISO of US security software company Netskope, says automation not only improves access management, but has also become essential to manage access in the cloud era. “The Netskope August 2019 Cloud Report identified that businesses now use, on average, 1,295 different cloud services – a mix of sanctioned and unsanctioned apps,” he tells Computer Weekly.
“IAM teams struggle to stay on top of a few dozen apps. The old model simply doesn’t work. Automation is the only way to maintain and align with security policies without impacting productivity and innovation within a business.”
Thacker believes that as well as making full use of automation, identity and access management must be built on a zero-trust approach. “User, device, application, activity and location are all means of authenticating identity, so we should no longer be completely dependent on two-factor authentication (2FA) or basic policies relating to allowing access to services based on an IP address,” he says.
Chris Pope, vice-president of innovation at digital workflows platform ServiceNow, also claims there are countless benefits in managing access this way. “Time to provision and deprovision access, consistency of provisioning, central source of truth and management of a single identity are all benefits that provide security with the added benefits of knowing who has access to what and when and, more importantly, why,” he says.
"Features include time-based access lists and anomaly detection for outliers of access. In addition, audits and controls can be managed easily and the revoking of over-entitled users is as simple as a click of a button, shutting off access as required to prevent data loss or loss of sensitive information."
IAM procedures and technologies already play an important role in modern security strategies, but as new threats emerge, it will become even harder for organisations to manage the identities of all stakeholders.
Automation not only removes the manual processes that could be stifling the effectiveness of IAM strategies, but also allows security teams to handle growing datasets and respond to more sophisticated security threats as they emerge.