What is Identity and Access Management?
April 28, 2021
Did you know that some of the earliest PCs came with a lock and key? They were installed to prevent anyone except the owner from using the device. Since then, and by necessity, the field of access control has evolved significantly.
Access control became a real, pressing problem with the proliferation of inexpensive PCs across the corporate world. The issue was exacerbated, first, by the advent of LANs, but exploded with the rise of the Internet – where pretty much anyone could access any device from any place.
This is hugely risky, of course. At that point, companies wanted to know exactly who was who, and who was allowed access to each application and data resource. This was when identity and access management (IAM) systems came of age.
Gartner defines IAM as a “discipline that enables the right individuals to access the right resources at the right times for the right reasons.” In other words, companies need to stay on top of who people are and what digital assets they can access.
IAM is a mix of technology, policy and process. The basic idea is fairly easy to understand: There’s a directory of users – which is mostly employees but may also include some contractors and third parties, such as IT consultants – and the directory describes the systems each user has authorization to use.
IAM can get pretty complicated from there, though. People tend to move around within companies, and with changes in roles come changes in authorizations. Then, there are varying levels of access within a system. For example, in an international company, users in a specific region should typically only be able to see data related to that region, and not others. The IAM solution and practices must stay on top of such policies.
Why would you need systematic IAM? You could, if you wanted, manually manage all identities and access controls. Small companies do this frequently. For any sizable organization, though, manual identity management is not a wise approach to staying secure.
IAM is also required for certain aspects of compliance. Auditors want to ensure you’re methodical about access management.
Doing IAM the right way reduces the risk of an internal – or external – data breach. That’s because IAM solutions make it possible to define and enforce security policies related to access control equally across all users. You can authenticate individual users as they log in to the network and then allow access according to defined privileges. This makes it less likely that a user will gain unauthorized access to confidential data. Similarly, an external attacker who penetrates the network will not automatically have access to any data that they want to steal.
IAM also contributes to greater efficiency in security and IT operations by automating the initiation, capture, recording and management of user identities, as well as their associated access privileges. Automating the process means less IT admin time spent on this aspect of security and compliance.
In some cases, a single system will perform all the required functions, but usually, IAM solutions comprise more than one system. For example, an IAM solution might need to include systems for single sign-on, multi-factor authentication, directory management and so forth.
IAM solutions should typically offer the following:
- All necessary controls and tools for the capture and recording of user login information – including management of the enterprise database of user identities
- Assignment and revocation of user access privileges (e.g., a centralized directory service with visibility into the complete company user base)
- Simplified user provisioning and account set-up (e.g., an automated workflow with administrator visibility into the process)
- Multiple levels of review to enable effective checking of access requests
- The ability to create role-based access and establish groups with specific privileges for different roles
Cloud Identity and Access Management
One major challenge in IAM today is the need to extend access controls across multiple hosting environments. For instance, a user might need to log into System A, which is hosted on-premises; System B, which is hosted on the Azure Cloud; and System C, which is on AWS. To be secure and avoid the nuisance of having the user log in separately to each environment, the IAM solution should work seamlessly in all three places.
IAM and SAP
IAM for SAP landscapes is critical for compliance, as well as for maintaining a strong security posture. Given the criticality of data held on SAP systems, it’s imperative to keep track of who has system access. And you have to be in control of which system functionality and data each user can access. All the major IAM solutions work with SAP on-premises, as well as in cloud-based and hybrid cloud architectures. The challenge is to understand how to make IAM work properly on SAP. This is an area where we can help.
IAM and GRC for SAP
Identity and access management figures prominently in the governance, risk management and compliance (GRC) activities that affect SAP. For example, IAM is essential for segregation of duties (SoD). SoD mitigates fraud risk by separating user privileges for different stages of a financial transaction. (E.g., a single individual can’t both request and approve a check.) Compliance regulations such as Sarbanes-Oxley (SOX) require the establishment and auditing of SoD. As a result, SoD is part of the GRC function.
At NTT, we work with many companies on implementing SoD through IAM systems, using our ControlPanelGRC solution for SAP environments. With ControlPanelGRC, we perform SoD risk analysis – examining users and their respective roles, and identifying access privilege conflicts that could constitute a SoD risk. ControlPanelGRC’s Access Controls Suite provides continuous monitoring of access risk and SoD violations.
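To make the SoD risk analysis described above concrete, here is an added example (not code from the article or from ControlPanelGRC) that resolves each user's effective privileges through their roles and flags the privilege-pair conflicts a GRC rule set forbids. The role names, privileges, rules and users are constructed sample data; the `bob` record shows the common failure mode where a user changes jobs and the old role is never revoked.

```python
"""SoD risk analysis over a role-based access model (constructed sample data)."""
from itertools import combinations

# Privileges each role grants (constructed; real SAP roles carry far more)
ROLE_PRIVILEGES = {
    "AP_CLERK":     {"CREATE_PAYMENT_REQUEST", "VIEW_VENDOR"},
    "AP_MANAGER":   {"APPROVE_PAYMENT", "VIEW_VENDOR"},
    "VENDOR_ADMIN": {"MAINTAIN_VENDOR_MASTER"},
    "AUDITOR":      {"VIEW_VENDOR", "VIEW_PAYMENT"},
}

# Privilege pairs one person must never hold together (constructed rule set)
SOD_RULES = [
    ("CREATE_PAYMENT_REQUEST", "APPROVE_PAYMENT", "Request and approve the same payment"),
    ("MAINTAIN_VENDOR_MASTER", "APPROVE_PAYMENT", "Create a fictitious vendor and pay it"),
]

# User-to-role assignments (constructed); bob kept his clerk role after promotion
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob":   ["AP_CLERK", "AP_MANAGER"],
    "carol": ["VENDOR_ADMIN", "AP_MANAGER"],
    "dave":  ["AUDITOR"],
}

def effective_privileges(roles, role_privileges=ROLE_PRIVILEGES):
    """Union of privileges over all assigned roles; unknown roles grant nothing."""
    privs = set()
    for role in roles:
        privs |= role_privileges.get(role, set())
    return privs

def sod_violations(user_roles=USER_ROLES, role_privileges=ROLE_PRIVILEGES, rules=SOD_RULES):
    """Detective check: {user: [(priv_a, priv_b, risk, roles_granting_a, roles_granting_b)]}."""
    findings = {}
    for user, roles in user_roles.items():
        privs = effective_privileges(roles, role_privileges)
        for a, b, risk in rules:
            if a in privs and b in privs:
                via_a = sorted(r for r in roles if a in role_privileges.get(r, ()))
                via_b = sorted(r for r in roles if b in role_privileges.get(r, ()))
                findings.setdefault(user, []).append((a, b, risk, via_a, via_b))
    return findings

def conflicting_role_pairs(role_privileges=ROLE_PRIVILEGES, rules=SOD_RULES):
    """Preventive check for provisioning: role pairs that can never be co-assigned."""
    pairs = set()
    for r1, r2 in combinations(sorted(role_privileges), 2):
        privs = role_privileges[r1] | role_privileges[r2]
        if any(a in privs and b in privs for a, b, _ in rules):
            pairs.add((r1, r2))
    return sorted(pairs)
```

Running the detective check on the sample data reports `bob` (request plus approve, via his two roles) and `carol` (vendor master plus approve); the preventive check lists the role pairs a provisioning workflow should block or route for review.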
Talk to us, and request a free risk assessment, to learn more about how to make IAM an effective part of your GRC processes.
Scott Goolik is the vice president of SAP security and compliance at the Managed Services division of NTT Ltd., Americas.