Identity and access management (IAM) is more than ever a priority for companies. Whether because of growing cybersecurity threats or the need to automate processes, IAM solutions have become a must-have for IT departments.
Don't have time to read it all? Here's a summary.👇
IAM includes several points to master in identity management: the arrival and departure of employees, and internal movements. These points are fundamental, because if poorly controlled they lead to user frustration and ghost accounts. To avoid this, reconciliation, i.e. linking accounts (IT) with users (HR), is necessary. This is why setting up an IAM solution is so useful: you gain automation through workflows, user autonomy through self-service, and control of user rights during internal movements.
Implementing identity management therefore requires:
▶️ a complete and regularly updated repository of your users,
▶️ a repository of your applications and accounts,
▶️ a strategy for reconciling these 2 repositories,
▶️ an authorization policy.
Quick definition of IAM
The acronym IAM stands for Identity and Access Management.
Identity and Access Management is a set of processes set up by the IT department to manage user authorizations (which can be for employees, contractors, temporary staff, etc.) in order to regulate access to the network and cloud applications.
What is Identity and Access Management?
With the explosion in the number of software applications used in companies over the past few years, and the increasing mobility of employees, identity and access management (IAM) has become a key issue and is more important than ever.
IAM can be summed up as a process for adapting the access rights or authorizations of company users according to their role, function or hierarchical responsibility.
Like Molière's Monsieur Jourdain, who had been speaking prose all his life without knowing it, you probably already have identity and access management in place in your company.
Even if you're not familiar with the acronym IAM: when a user joins your company, you create their access to the various applications with the right rights so that they can work. This account creation stage is always carried out, because it's the only stage necessary for the company's "business" operations. The employee needs tools to work, and these tools are requested from the IT department by the manager or the new employee.
Just over 10 years ago, all that was required was to create the new user's Active Directory account and mailbox. The rest of the onboarding process mainly involved preparing the user's workstation (desktop or laptop) to install and configure the various applications.
The workstation is now no more than a terminal for displaying tools, and IT Departments have done everything possible to ensure that it requires little maintenance or configuration: GPOs for automatic software deployment on workstations, VDI (Virtual Desktop Infrastructure) workstations, provision of thin clients, use of RDS servers for Remote Desktop, etc.
As a result, the IT department is now more focused on usage than on IT solutions: cloud services are multiplying, and business departments are naturally pressing for access to the various tools that are multiplying throughout the company.
When a new employee arrives, he or she has to be given dozens of accesses: files, mailbox, instant messaging, CRM, reporting tools, corporate intranet, expense management tools, etc.
These account creations on the arrival of a new member of staff are often painful, but they do happen in the end. A lot of to-ing and fro-ing is sometimes necessary between the manager, HR, the IT department, etc., to ensure that the new arrival has access to the right software.
But "onboarding" is just the tip of the iceberg, because identity management involves 4 main control points:
Arrival management: new employees
This step is usually completed... but not necessarily correctly. Access is granted, but often with great difficulty. Managers find themselves torn between HR and IT, the former having failed to inform the latter, and the latter not always quick to create accesses. This back-and-forth often creates friction between managers and the IT department.
Gaps in this process can lead to user frustration and the creation of unnecessary accounts. To avoid this, reconciliation - the alignment of IT accounts with HR data - is crucial.
Movement management: when a user benefits from internal mobility
In this step, there are 2 points: when a user changes jobs, they gain the new applications and rights that correspond to their new function, but they must also "lose" access to the applications and rights of their old job. While the first point is done correctly (as with the arrival of a new employee), the second is rarely done, because it's complicated: it's not a question of suspending an account, but of modifying its rights and access perimeter. For example, a sales rep who changes sector should no longer have access to prospects or customers in his or her previous sector.
Departure management: when an employee leaves the company.
This point is the most painful. No one "needs" the accounts of a departed user to be closed, and no one is comfortable with suspending them: "shouldn't we wait?", "maybe we can leave them open, just long enough to get the files back?"
And who oversees this stage? The IT department is rarely informed when an employee leaves, so it has to make do with what it can to close the accounts of the departed user properly.
As processes are not always followed, the IT Department has been obliged to set up a regular "account review": this involves going through the list of accounts and comparing them with the "active" headcount provided by HR at a given moment.
This "inventory" is often done manually, using Excel files that we try to merge together. It is relatively cumbersome and can only be carried out on an annual or bi-annual basis.
Reconciliation: consistency analysis of active accesses
This step has no trigger such as the arrival or departure of an employee. It involves keeping an "inventory of identifiers" for each user in order to follow up on the previous points. But above all, it's a crucial point in identity management: monitoring all accesses and ensuring that each one has a valid reason for existing (the main reason being that it is used by a particular user). In an ideal world, identifiers correspond exactly to users, but there are "system" accounts, shared accounts, accounts created for testing purposes, temporary accounts, etc.
These identifiers must be inventoried and clearly identified in an identity and access management system.
It is thanks to these 4 points that define IAM that the company, and more particularly its IT department, will be able to control and secure its employees' digital identity by managing access rights to resources such as applications, files and others. It will be able to track employees from the moment they join the company to the moment they leave, and keep track of their progress through the organization, including additions, modifications and deletions of access rights.
As a result, IT, and more broadly the business, is able to meet security and compliance standards, manage software better, significantly reduce security vulnerabilities and fight shadow IT effectively.
As for human resources, they have a better approach to employees, with successful onboarding that provides all the resources they need on arrival, career follow-up and controlled offboarding.
Identity Governance: IAM as a pillar of security
IAM enables companies, and in particular IT departments, to control and secure the digital identities of their employees throughout their lifecycle within the company. This includes assigning, modifying and deleting access rights to resources such as applications and data.
IAM and IT Security: The Triptych
Computer access management follows the AAA security model. This somewhat barbaric term refers to the IT triptych:
- Authentication: Manage user authentication based on contractual relationships with the company, whether in the form of employment, service provision, subcontracting or temporary employment contracts.
- Authorization: Check the legitimacy of each user to access a resource with specific authorizations.
- Audit/Traceability: Audit and monitor all events linked to each identity for complete traceability.
IAM in your company: a necessity
- Why implement IAM?
Short answer: to find out who has access to what.
The following 2 questions may seem trivial, but they generally make CIOs uncomfortable, because it's so hard to answer them at the moment:
- Do you know all the resources to which your employees have access?
- Do you control each employee's access to resources (legitimacy?) according to their level of responsibility?
Generally speaking, employees have access to a large number of tools: files, applications, systems, cloud services, network, databases, business phone, virtual platforms... This inevitably introduces a higher risk of fraud and of attacks on the corporate network.
- The current cybersecurity situation
The figures for cyber-attacks are impressive: according to a study by Scale Venture Partners, 71% of cybersecurity experts say their company has faced at least 3 attacks in 2022.
According to the same study, phishing attacks to steal user credentials have increased by 58%, which is why CISOs are prioritizing spending on identity and access management for their users.
- What measures should be taken to protect identities and access within your company?
Locking up your company's resources just to keep a short, official list? That would simply be counter-productive. Usages are changing, as changes in behavior such as telecommuting show, and companies must adapt to new usages, particularly those driven by the cloud.
BYOD, or bring your own device, completely reshuffles the deck, and IT Departments have to deal with it.
In concrete terms, the evolution of these uses accelerates and multiplies the number of requests for modifications to access to different software, cloud platforms, etc., making the monitoring of these different accesses exponentially more complex.
To successfully carry out its identity monitoring missions, the IT Department must deploy:
- best practices
- monitoring tools
- reporting
- control
which are very time-consuming in everyday life.
- A need for automation
The need for automation is therefore very strong. In this respect, IAM will considerably help the IT department by setting up workflows and delegating validation to the business.
An IAM solution should be a tool managed by IT, but used by managers and the HR department.
IT departments are often reluctant to delegate part of their job to operational staff: they don't really want managers to handle account creation for their teams themselves.
But consider the following analogy: just as it would be counterproductive to call your electrician every time you want to turn on the lights in your home, the IT Department should not be called upon to create accounts or modify rights.
The IT department, on the other hand, must provide the switch, i.e. a system that enables operational staff to be autonomous in the operations that concern their teams.
- IT account reconciliation
The challenges of IAM also focus on controlling users' IT access and identity. In this way, Active Directory user profiles can finally be "reconciled" with the company's employees (in accounting, this is called reconciliation).
A system for managing access rights to applications is set up, enabling rights to be allocated according to level of responsibility. In this way, one of the major questions raised during an audit, namely whether access to sensitive company data by outsiders such as service providers is under control, can be answered with a yes.
With each manager able to manage access to applications, and each access to a platform monitored, software connections are under control.
- Be careful not to confuse IAM with SSO
Many CIOs believe that the problem of identity management can be solved by implementing single sign-on for all applications. The initial aim is to have a single point of user management (e.g. Azure Active Directory, Google Workspace or Okta), and to link other applications to it so that they rely on the identity provider for authentication.
This trendy practice has 4 major drawbacks:
- The security risk associated with authentication rests on a central point, the identity provider, which becomes a point of vulnerability.
- SSO brings convenience to the user, who now has just one password to manage, and this password also becomes a point of vulnerability, as it gives access to everything.
- Single sign-on does not (yet) allow you to manage authorization levels for the various applications linked to it. This management has to be done application by application, which diminishes the interest of using a central directory if adjustments then have to be made one by one.
- SSO currently only covers compatible solutions. The most important ones can be integrated (Microsoft 365, Salesforce, Google Workspace...) but not the dozens or hundreds of other business applications used in the company. So the "Single" in the acronym "Single Sign On" is just wishful thinking.
In short, CIOs need to bring flexibility to a business model that constantly demands it, while managing tools such as cloud and SaaS, which are the most complex to secure. Of course, IAM is not a magic wand, and nothing can replace exchanges with the various entities to discuss application needs and share best practices in IT security.
⚠️ Be careful not to confuse SSO and IAM: they are complementary but not similar.
In practical terms, how do you set up identity management?
To set up an identity management system, follow these 4 steps:
1. Create a user repository (of ALL users)
This involves building up a list of people who have a contractual relationship with the company, which is generally a prerequisite for opening an account.
In this directory, you need to enter information on employees, of course, but also on other users (temps, service providers, freelancers, etc.).
This directory should only contain "physical" persons, and not generic names, as the aim is to identify the owner of the accounts assigned to him/her.
What's really important is to keep this directory up to date: connecting to an HRIS is precisely this kind of convenience, as it provides a near-real-time list of employees, with their arrival and departure dates, their manager, and so on.
But you can also add multiple data sources: CSV files that are updated and sent by business departments, and so on.
IAM tools detect first and last names directly in HRIS and HR files, alerting you to or suggesting users you may have overlooked in your directory. This makes it easier for you to control users who have been created "outside the system".
2. Create a repository of applications and access accounts
This directory is an inventory of all the software you wish to supervise. It is sometimes also possible to add access equipment such as security badges, keys etc. to this directory.
As with the user directory, an inventory of existing accounts on each software application must be automatically and regularly compiled.
To list them, rely on the architecture of the systems you know, but you also need to ensure that this list can evolve: as soon as a new piece of software enters the IT department's radar, it needs to be added (manually or automatically) to the list. It's also important to raise user awareness, so that they report new tools to the IT department and avoid shadow IT.
3. Reconcile the 2 reference systems
The 2 directories previously created and maintained must be "reconciled". Each account, which is "orphaned" by default, must be linked to one or more users.
The first reconciliation can be done manually (a tedious operation, but possible) or automatically with intelligent automatic association systems.
Subsequently, if you use an IAM tool to generate account creations, the link will be made automatically on the basis of account creation requests.
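As a concrete illustration of the reconciliation described in this step, and of the manual "account review" against the HR headcount described under departure management, here is an added example that is not code from the original article. It links application accounts to HR users by employee id, then e-mail, then a normalised name key derived from the login, and reports orphan accounts (no owner found), ghost accounts (owner has left but the account is still enabled) and active users with no account at all. All users, accounts, applications and dates are constructed sample data; the matching rules and field names are assumptions made for the example.

```python
"""Reconcile HR users with application accounts (added example, constructed data).

Matching order per account: employee id, then e-mail, then a normalised
name key built from the login (e.g. "e.dupont" -> "edupont").
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class HrUser:
    employee_id: str
    first_name: str
    last_name: str
    email: str
    left_on: date | None = None  # None means still under contract


@dataclass(frozen=True)
class Account:
    app: str
    login: str
    email: str | None = None
    employee_id: str | None = None
    enabled: bool = True


@dataclass
class Report:
    matched: dict[str, list[Account]] = field(default_factory=dict)   # employee_id -> accounts
    orphans: list[Account] = field(default_factory=list)               # no owner found
    ghosts: list[tuple[Account, HrUser]] = field(default_factory=list)  # owner left, still enabled
    users_without_accounts: list[HrUser] = field(default_factory=list)


def normalise(text: str) -> str:
    """Lower-case, strip accents, keep letters only: 'Élodie Dupont-Roy' -> 'elodiedupontroy'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if ch.isalpha()).lower()


def name_index(users: list[HrUser]) -> dict[str, HrUser]:
    """Map 'firstlast' and 'flast' keys to users. A key shared by two people is
    dropped rather than risk assigning an account to the wrong person."""
    candidates: dict[str, list[HrUser]] = {}
    for u in users:
        for key in (normalise(u.first_name + u.last_name),
                    normalise(u.first_name[:1] + u.last_name)):
            candidates.setdefault(key, []).append(u)
    return {k: v[0] for k, v in candidates.items() if len(v) == 1}


def reconcile(users: list[HrUser], accounts: list[Account], today: date) -> Report:
    by_id = {u.employee_id: u for u in users}
    by_email = {u.email.lower(): u for u in users}
    by_name = name_index(users)
    report = Report(matched={u.employee_id: [] for u in users})

    for acc in accounts:
        if acc.employee_id in by_id:
            owner = by_id[acc.employee_id]
        elif acc.email and acc.email.lower() in by_email:
            owner = by_email[acc.email.lower()]
        else:
            owner = by_name.get(normalise(acc.login))

        if owner is None:
            report.orphans.append(acc)  # system, shared, test account... or shadow IT
            continue
        report.matched[owner.employee_id].append(acc)
        if acc.enabled and owner.left_on is not None and owner.left_on < today:
            report.ghosts.append((acc, owner))

    report.users_without_accounts = [
        u for u in users if u.left_on is None and not report.matched[u.employee_id]
    ]
    return report


# Constructed sample data (hypothetical people and applications).
SAMPLE_USERS = [
    HrUser("E001", "Élodie", "Dupont", "elodie.dupont@example.com"),
    HrUser("E002", "Marc", "Martin", "marc.martin@example.com", left_on=date(2023, 3, 31)),
    HrUser("E003", "Ana", "Silva", "ana.silva@example.com"),
]
SAMPLE_ACCOUNTS = [
    Account("crm", "edupont", email="elodie.dupont@example.com"),  # matched by e-mail
    Account("ad", "e.dupont"),                                     # matched by name key
    Account("crm", "mmartin", employee_id="E002"),                 # owner has left: ghost
    Account("fileserver", "svc-backup"),                           # system account: orphan
    Account("crm", "jdoe", email="john.doe@example.com"),          # unknown person: orphan
]
TODAY = date(2024, 1, 15)


def run_example() -> Report:
    return reconcile(SAMPLE_USERS, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    r = run_example()
    print("orphans:", [a.login for a in r.orphans])
    print("ghosts:", [(a.app, a.login, u.left_on.isoformat()) for a, u in r.ghosts])
    print("active users without any account:", [u.email for u in r.users_without_accounts])
```

The name fallback is deliberately conservative: ambiguous keys are discarded, so a homonym ends up in the orphan list for a human to resolve rather than being silently attached to the wrong employee. The ghost list is the output an account review is really after, and feeding it the HRIS export instead of a hand-merged spreadsheet is what lets the review run weekly instead of once a year.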
4. Define access and rights assignment strategy
This strategy needs to be developed in collaboration with the business departments and even the managers themselves, because it's they who need to be made aware: they need to adapt rights to the strict needs of their employees, and not define all users as "admin" on their business software, on the pretext that "it works just fine like that".
It's impossible to implement a strategy worthy of the name for all solutions. On the one hand, because the list evolves daily, and on the other, because it's unreasonable to set up a strategy for a piece of software with only two accounts that sits in the "long tail" of the list of software used.
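To make the rights assignment strategy concrete, and to tie it back to the movement management point above (the sales rep who must lose access to the previous sector), here is an added example that is not code from the original article. It models each role as a set of "application:right" entitlements and computes, for an internal move, what to grant, what to revoke, what to keep, and which rights the old role never justified in the first place (the "everyone is admin because it works like that" case). Role names, applications and rights are constructed assumptions; a real model is built with the business departments, as the article says.

```python
"""Role-based rights model with mover handling (added example, constructed roles)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed role model: role -> entitlements written as "application:right".
ROLE_ENTITLEMENTS: dict[str, frozenset[str]] = {
    "sales_north": frozenset({"crm:read", "crm:customers:north", "mail:mailbox", "expenses:submit"}),
    "sales_south": frozenset({"crm:read", "crm:customers:south", "mail:mailbox", "expenses:submit"}),
    "sales_manager": frozenset({"crm:read", "crm:customers:north", "crm:customers:south",
                                "crm:reports", "mail:mailbox", "expenses:submit", "expenses:approve"}),
    "accountant": frozenset({"erp:ledger", "expenses:approve", "mail:mailbox"}),
}


@dataclass(frozen=True)
class MovePlan:
    grant: frozenset[str]        # rights the new role needs and the user lacks
    revoke: frozenset[str]       # rights the user holds that the new role does not justify
    kept: frozenset[str]         # rights common to the old and new situation
    unexplained: frozenset[str]  # rights that even the OLD role never justified


def entitlements_for(roles) -> frozenset[str]:
    """Union of the entitlements of every role the user holds."""
    result: set[str] = set()
    for role in roles:
        result |= ROLE_ENTITLEMENTS[role]
    return frozenset(result)


def plan_move(current, old_roles, new_roles) -> MovePlan:
    """Compute grant/revoke actions for an internal move.

    Revocation is 'everything not justified by the new role(s)', so access
    accumulated over time leaves together with the old job's rights instead
    of being carried silently into the new one."""
    current = frozenset(current)
    target = entitlements_for(new_roles)
    return MovePlan(
        grant=target - current,
        revoke=current - target,
        kept=current & target,
        unexplained=current - entitlements_for(old_roles),
    )


def excess_rights(current, roles) -> frozenset[str]:
    """Rights a user holds beyond their role model; usable for a periodic review
    even when nobody is moving."""
    return frozenset(current) - entitlements_for(roles)


def run_example() -> MovePlan:
    # A sales rep moves from the north sector to the south sector. Someone once
    # gave her crm:admin "because it works like that"; the move removes it.
    current = set(ROLE_ENTITLEMENTS["sales_north"]) | {"crm:admin"}
    return plan_move(current, ["sales_north"], ["sales_south"])


if __name__ == "__main__":
    plan = run_example()
    print("grant:", sorted(plan.grant))
    print("revoke:", sorted(plan.revoke))
    print("never justified by the old role:", sorted(plan.unexplained))
```

The same role table drives both the joiner (grant everything in the role, nothing more) and the leaver (revoke everything), so the mover case is just the difference between two role evaluations. Keeping the model to the applications that matter, rather than the two-account long tail, is what keeps such a table maintainable.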
Finally, here are a few important points to remember:
It's essential to look at the use of IAM as a whole:
- arrivals, which are well known,
- departures, much less pleasant but very important in terms of security,
- movements and employee career paths, which are currently difficult to manage,
- reconciliations, matching user accounts with application accesses.
Next, you need to follow the installation steps carefully:
- A directory of users that you can link to HR
- A directory of software and accounts
- Reconciling the two directories is an important step in providing a clear picture of internal IT security.
- Define your identity and access management strategy!
Convinced by IAM? Here are 7 criteria to help you make your choice.