What risks do you take by not implementing entitlement management?

Published: 05/2022
Entitlement management helps secure your IT by limiting access and providing granularity to the assignment of user rights. This involves mastering the lifecycle, software needs, and user access rights. RBAC can be used to finely create user groups, which will automate and scale the assignment of rights.

Define entitlement management

Entitlement management could be summarized as follows: “Granting the right permissions to the right person”.

But why is it so important to assign the right rights to the right person in the company? After all, giving everyone elevated access would greatly simplify the lives of IT departments compared with granting granular rights to each user.

To understand why entitlement management is not a luxury but an absolute necessity in business, let's look at the current context.

The cloud is becoming increasingly important in enterprise applications. Today, 35% of enterprises have more than half of their applications in the cloud, and within 12 to 18 months more than 50% will, according to Check Point Software.

The problem with SaaS solutions is that they give less control over access rights: by default they assign a higher level of rights, and configurations that do not comply with IAM policies can easily be introduced. As a result, there are twice as many unused permissions in integrated policies as in on-premise software.

27% of corporate security breaches are due to misconfigurations according to It Social and 65% of security incidents in the cloud are misconfigurations.

So there's the rub.

If we are aware of these figures, so are the cybercriminals.
Authorizations must be defined and have a limited lifespan.

What is entitlement management?

This involves defining user profiles to limit access to only the necessary data and removing permissions as soon as they are no longer aligned with the user's profile. The CNIL defines this very well.
We will ask the question: Who is authorized to do what and with what need?

The terms privilege management and permission management are also used.


Control the risk

The objective of access and authorization management is to combat internal and external attacks, thereby limiting risk.
We protect data against human error, fraudulent use, loss, or theft.

Companies have already implemented an annual review of rights and access in order to identify errors that could lead to security breaches.
An authorization strategy will verify several elements:

  • Unused accounts, duplicates, orphan accounts
  • The alignment of rights with each user
  • The resource requirements defined for each user type
  • The level of rights, with more time spent on high levels of access rights

This involves tracking the user lifecycle:

  • onboarding, with the allocation of resources and access rights,
  • a change of position, with adjustments of rights sometimes to be carried out, and
  • offboarding, with the suspension of rights.

The company must define a process for reviewing entitlements, incorporating all these elements to comply with the rules established by the CNIL in particular, and within the framework of audits.

It is therefore clear that access and privilege management cannot be administered manually but requires automation; otherwise, IT departments will simply be overwhelmed.
To be automated, it is necessary to have processes, workflows, and batch management.

Principle of least privilege applied in groups

To limit risk, it is necessary to restrict access and rights to the minimum for each user. They must have only the rights strictly necessary for their work/position.

This principle can be applied using an RBAC strategy.
RBAC, or role-based access control, is a control model in which each access decision is based on the role of the user (Wikipedia).

RBAC is the most popular solution in business because it is scalable and suits many models, but there are other models if this one does not suit you.
To implement it, you need to define user typologies with criteria such as position, managerial role, hierarchical position, etc.
Define the profiles jointly between the IT department and the managers: the profiles will be finer-grained, better understood, and better accepted internally. IT will nevertheless make sure that managers do not 'exaggerate' their teams' needs in terms of resources and access rights, keeping the principle of least privilege in mind.

The advantage of this segmentation is time saved in assigning rights, since being part of the group makes them eligible for a certain number of applications and access privileges.

Particular attention should be paid to administrator groups. The latter will have elevated access with an increased risk to data security. These privileged accounts will require permanent and automated supervision, regular review of access and rights, and monitoring of the user lifecycle.

Segregation of duties is an excellent way to mitigate risk. No single user should control the entire chain of command for a given action (initiation, validation, and control). This is mandatory in the banking sector and a necessary step for GDPR compliance.
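
The lifecycle events, the review checklist and the RBAC, least-privilege and segregation-of-duties points above can be put together in a small model. The following is an added example written for this page, not Youzer's code or any product's API; the role catalogue, application names (`erp`, `idp`), accounts and dates are all constructed. Rights are derived from the user's role, lifecycle events rewrite them, temporary grants carry an expiry, and the review reports the anomalies the article lists: orphan accounts, rights not aligned with a profile, temporary authorizations never revoked, and one user holding every step of a segregated action.

```python
"""Added example (not Youzer's code): a toy model of role-based entitlements,
the user lifecycle and the rights review described above. The role catalogue,
applications and accounts are all constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set, Tuple

Entitlement = Tuple[str, str]  # (application, permission)

# Role catalogue: the rights a member of each group is eligible for (constructed).
ROLES: Dict[str, Set[Entitlement]] = {
    "accountant": {("erp", "read"), ("erp", "post_invoice")},
    "controller": {("erp", "read"), ("erp", "approve_invoice")},
    "auditor": {("erp", "read"), ("erp", "audit_invoice")},
    "it_admin": {("erp", "admin"), ("idp", "admin")},
}
# Segregation of duties: the steps of one action that must never all sit with one person.
SOD_CHAINS: Dict[str, Set[Entitlement]] = {
    "invoice": {("erp", "post_invoice"), ("erp", "approve_invoice"), ("erp", "audit_invoice")},
}


@dataclass
class Account:
    login: str
    role: Optional[str] = None  # None: account not mapped to any profile
    active: bool = True
    entitlements: Set[Entitlement] = field(default_factory=set)
    temporary: Dict[Entitlement, date] = field(default_factory=dict)  # grant -> expiry


def onboard(login: str, role: str) -> Account:
    """Onboarding: the account receives exactly its role's rights, nothing more."""
    return Account(login=login, role=role, entitlements=set(ROLES[role]))


def change_position(acct: Account, new_role: str) -> None:
    """Change of position: rights are re-derived from the new role; old and temporary grants go."""
    acct.role = new_role
    acct.entitlements = set(ROLES[new_role])
    acct.temporary = {}


def offboard(acct: Account) -> None:
    """Offboarding: the account is suspended and every right is removed."""
    acct.active = False
    acct.entitlements = set()
    acct.temporary = {}


def grant_temporary(acct: Account, ent: Entitlement, expiry: date) -> None:
    """Additional right with a limited lifespan; it must be revoked at expiry."""
    acct.entitlements.add(ent)
    acct.temporary[ent] = expiry


def review(accounts, today: date):
    """Rights review: returns (login, finding, entitlement-or-None) tuples."""
    findings = []
    for a in accounts:
        if not a.active:
            if a.entitlements:  # departed user still holds rights somewhere
                findings.append((a.login, "orphan", None))
            continue
        if a.role is None:
            if a.entitlements:  # rights not traceable to any profile
                findings.append((a.login, "no_role", None))
            continue
        expected = ROLES[a.role]
        for ent, expiry in a.temporary.items():
            if expiry < today:  # temporary authorization never revoked
                findings.append((a.login, "expired_temporary", ent))
        for ent in sorted(a.entitlements - expected):
            if ent not in a.temporary:  # granted outside any process
                findings.append((a.login, "excess", ent))
        for ent in sorted(expected - a.entitlements):
            findings.append((a.login, "missing", ent))
    return findings


def sod_violations(accounts):
    """One active user holding every step of a segregated chain."""
    return [(a.login, name) for a in accounts if a.active
            for name, chain in SOD_CHAINS.items() if chain <= a.entitlements]


def demo(today: date = date(2022, 6, 1)):
    """Constructed scenario exercising each lifecycle event and each review finding."""
    alice = onboard("alice", "accountant")
    bob = onboard("bob", "controller")
    carol = onboard("carol", "auditor")
    dave = onboard("dave", "it_admin")
    grant_temporary(alice, ("erp", "approve_invoice"), date(2022, 5, 15))  # never revoked
    alice.entitlements.add(("idp", "admin"))  # admin right granted without reason
    grant_temporary(bob, ("erp", "post_invoice"), date(2022, 12, 31))
    bob.entitlements.add(("erp", "audit_invoice"))  # bob now holds post + approve + audit
    change_position(carol, "controller")  # auditor rights dropped automatically
    offboard(dave)
    dave.entitlements.add(("idp", "admin"))  # deprovisioning missed on one application
    eve = Account("eve", entitlements={("erp", "read")})  # account with no profile
    accounts = [alice, bob, carol, dave, eve]
    return review(accounts, today), sod_violations(accounts)
```

Running `demo()` returns five findings (an expired temporary grant and an unexplained admin right for alice, an excess right for bob, an orphan right on dave's suspended account, an unmapped account eve) and one segregation-of-duties violation for bob. The design point is that every right is either derived from the role or recorded as a temporary grant with an expiry, so the review only has to compare the current state against the catalogue; a real IAM review would additionally take into account time and sensitivity criteria beyond the scope of this example.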

What needs to be done - the implementation

✅ The must-dos in authorization management:

  • Increased monitoring of privileged accounts
  • Onboarding and offboarding workflows to ensure rigor in the processes defined upstream
  • Define a sensitivity level for resources so as not to focus on every resource with the same intensity, then monitor the most sensitive ones
  • External personnel should be monitored by IT in the same way as internal personnel; their rights and access must be controlled
  • Regular cleanup of duplicates, orphaned accounts, and all other anomalies
  • A regular rights review
  • Sanctions for non-compliance with security measures for administrator groups

❌ The worst practices to avoid:

  • Shared accounts, which cannot be monitored in the event of an incident (who made the mistake?) and which also imply a risk of password sharing
  • Granting administrator rights without reason, which creates significant security vulnerabilities for the company
  • Too many privileges, in breach of the rule of least privilege
  • Temporary authorizations of additional rights that are never revoked
  • Forgetting to delete the accounts of departed users
  • The lack of monitoring of a user's lifecycle
  • The failure to revise the entitlement management policy
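
Three items of the two lists above (a sensitivity level per resource, closer monitoring of privileged and external accounts, and shared accounts that nobody can be held accountable for) can drive the cadence of the rights review rather than leaving every right reviewed with the same intensity once a year. The following is an added example written for this page, not Youzer's code: the sensitivity levels, the set of permission names treated as privileged, the review intervals per risk tier and the sample grants are all constructed assumptions.

```python
"""Added example (not Youzer's code): a risk-tiered rights review schedule.

Constructed assumptions: a sensitivity level per resource (3 = most sensitive),
which permission names count as privileged, and a review interval per risk
tier. Grants held by shared accounts (no single owner) are reported separately,
since their use cannot be attributed to anyone in the event of an incident."""
from datetime import date, timedelta

SENSITIVITY = {"hr_db": 3, "erp": 3, "ticketing": 2, "wiki": 1}  # constructed
PRIVILEGED = {"admin", "owner"}                                   # constructed
INTERVAL_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def risk_tier(resource: str, permission: str, external: bool) -> str:
    """Privileged rights on sensitive resources get the most attention;
    an unknown resource is treated as most sensitive until classified."""
    sensitivity = SENSITIVITY.get(resource, 3)
    privileged = permission in PRIVILEGED
    if privileged and sensitivity == 3:
        return "critical"
    if privileged or sensitivity == 3 or (external and sensitivity >= 2):
        return "high"
    if sensitivity == 2 or external:
        return "medium"
    return "low"


def review_queue(grants, today: date):
    """grants: dicts with account, owner, external, resource, permission, last_review.
    Returns (overdue, shared): overdue grants ordered by tier then days overdue,
    plus every grant held by a shared account."""
    overdue, shared = [], []
    for g in grants:
        if g["owner"] is None:  # shared account: unattributable, tightest cadence until replaced
            shared.append((g["account"], g["resource"], g["permission"]))
            tier = "critical"
        else:
            tier = risk_tier(g["resource"], g["permission"], g["external"])
        due = g["last_review"] + timedelta(days=INTERVAL_DAYS[tier])
        if due <= today:
            overdue.append((tier, (today - due).days, g["account"], g["resource"], g["permission"]))
    overdue.sort(key=lambda q: (TIER_ORDER[q[0]], -q[1], q[2]))
    return overdue, shared


def grant(account, owner, external, resource, permission, last_review):
    """Build one grant record (helper for the constructed sample)."""
    return {"account": account, "owner": owner, "external": external,
            "resource": resource, "permission": permission, "last_review": last_review}


def demo(today: date = date(2022, 6, 1)):
    """Constructed grants: an admin, a contractor, a shared service account and ordinary users."""
    grants = [
        grant("alice", "alice", False, "erp", "admin", date(2022, 4, 1)),
        grant("bob", "bob", False, "wiki", "read", date(2021, 12, 1)),
        grant("svc-backup", None, False, "hr_db", "read", date(2022, 1, 15)),
        grant("contractor1", "Contractor One", True, "ticketing", "read", date(2021, 10, 1)),
        grant("carol", "carol", False, "ticketing", "write", date(2022, 5, 1)),
        grant("dave", "dave", False, "hr_db", "read", date(2022, 1, 1)),
    ]
    return review_queue(grants, today)
```

With the sample data, `demo()` puts the shared service account and the ERP admin right at the head of the queue, then the contractor's and the HR database grants; the wiki reader and the recently reviewed ticketing user are not due. The ordering is the point: the review effort goes first to what the article calls the most sensitive resources and the highest levels of access, and shared accounts surface as a separate list to be replaced by nominative ones rather than merely re-approved.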

A large number of companies therefore want a secure, external and independent solution that will centralize all applications. However, the tools on the market are off-putting because they are technical and difficult to handle.

Youzer Entitlement Management

Youzer can assist you in this process: as an IAM specialist, we have focused on user and application management, SaaS and on-premise, with a view to simplifying and clarifying information.

Unlike technical IAMs, we approach IAM in its 'administrative' version by allowing you to group all your users and applications on the same platform. Your applications synchronize, thus facilitating your authorization management.

Now let's get practical: how to implement an action plan to set up entitlement management, in 10 points for success!
