"Granting the right rights to the right person".
Define authorization management
Authorization management can be summed up in that one sentence.
But why is it so important to assign the right rights to the right people in the enterprise? After all, giving everyone high-level access would make life much easier for IT departments than defining granular rights for each user.
To understand why authorization management is not a luxury, but an absolute necessity, let's take a look at the current context.
The cloud is becoming increasingly important for enterprise applications. Today, 35% of companies have more than half of their apps in the cloud, and in 12 to 18 months' time this figure will rise to more than 50%, according to Check Point Software.
The problem with SaaS solutions is that there is less control over access rights, because they assign a higher level of rights by default. It is easy to introduce configurations that do not comply with IAM policies. As a result, there are twice as many unused authorizations in their policies as in on-premise software.
27% of security breaches in the enterprise are due to misconfigurations, according to IT Social, and 65% of security incidents in the cloud are misconfigurations.
So there's the rub.
If we know these figures, so do cybercriminals.
Authorizations must be explicitly defined and must have a limited lifespan.
What is authorization management?
This involves defining user profiles that limit access to only the data each user needs, and deleting permissions as soon as they no longer match the user's profile. The CNIL defines this very well.
The question is: Who is authorized to do what, and for what purpose?
This is also known as privilege management or permissions management.
Managing risk
The aim of access and clearance management is to combat internal or external attacks, and consequently to limit risk.
Data is thus protected from human error, fraudulent use, loss or theft.
Companies have already implemented an annual review of rights and access to identify errors that could lead to security breaches.
An authorization strategy will check several elements:
- unused, duplicate and orphan accounts
- alignment of rights for each user
- definition of resource requirements for each type of user
- the level of rights, spending more time on the higher levels of access rights
This means tracking the user life cycle:
- onboarding, with allocation of resources and access rights,
- a change of position, sometimes with adjustments to entitlements, and
- offboarding with suspension of rights.
The company needs to define an authorization review process that incorporates all these elements, in order to comply with the rules laid down by the CNIL (French Data Protection Authority) in particular, and within the framework of audits.
It is therefore clear that access and privilege management cannot be administered manually, but needs to be automated, otherwise IT departments will simply be overwhelmed and out of their depth.
Automation requires processes, workflows and batch management.
Principle of least privilege applied to groups
To limit the risk, access and rights must be restricted to a minimum for each user. Users must have the rights strictly necessary for their work/position.
This principle can be applied using an RBAC strategy.
RBAC, or role-based access control: a control model in which every access decision is based on the user's role (Wikipedia).
RBAC is the most popular corporate solution, because it's scalable and suits many models, but there are other models available if this one doesn't suit you.
To implement it, you need to define user types using criteria such as position, managerial role, hierarchical level, etc.
Define the profiles between the IT department and the managers, and you'll get a finer definition of the profiles, which will be better understood and accepted internally. IT will nevertheless ensure that managers do not 'exaggerate' the needs of their teams in terms of resources and access rights. The principle of least privilege should be kept in mind.
The advantage of this segmentation is that it saves time in assigning rights: membership of a group automatically legitimizes a certain number of applications and accesses.
Particular attention needs to be paid to administrator groups. They will have high levels of access, with a heightened risk to data security. These privileged accounts will require permanent, automated supervision, regular review of access and rights, and monitoring over the user lifecycle.
Separation of duties is also an excellent way of limiting risk. A user cannot be on the entire chain of control for the same action (initiate, validate, control). This condition is even mandatory in the banking sector and is a necessary step under the GDPR.
What needs to be done - setting up
✅ The must-dos in authorization management:
- increased monitoring of privileged accounts
- onboarding and offboarding workflows to ensure rigorous adherence to upstream processes
- define a level of resource sensitivity, so as not to focus on each resource with the same intensity, then monitor the most sensitive ones
- external staff must be monitored by IT in the same way as internal staff. Their rights and access must be controlled.
- regular cleansing of duplicates, orphan accounts and any anomalies
- a regular rights review
- penalties for non-compliance with safety measures for administrator groups
❌ The worst practices to avoid:
- shared accounts that cannot be monitored in the event of an incident. Who made the mistake? This also implies a risk of password sharing.
- unwarranted granting of administrator rights, which can lead to major breaches of corporate security
- too many privileges not respecting the rule of least privilege
- temporary authorization of additional rights not withdrawn
- forgetting to delete third-party user accounts
- failing to track a user's life cycle
- failing to revise the authorization management policy
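The review checks described in the "Managing risk" section, the RBAC and separation-of-duties rules, and the must-dos above can be run as a single automated pass over an export of the applications' grants. The following is an added example, not Youzer's code: the HR directory, role model, grants and review date are constructed sample data, and the entitlement names are invented for illustration.

```python
# Added example (not from the original article): a minimal authorization review
# over constructed sample data. It flags orphan accounts, entitlements outside
# the user's RBAC role, expired temporary grants and separation-of-duties
# conflicts, i.e. the checks a periodic rights review is meant to surface.
from datetime import date

# Constructed HR directory: the source of truth for the user life cycle
HR = {"alice": "accountant", "bob": "manager", "carol": "admin"}
# Constructed RBAC role model: the entitlements each role legitimately needs
ROLES = {
    "accountant": {"erp:invoice:initiate"},
    "manager":    {"erp:invoice:validate", "crm:read"},
    "admin":      {"erp:admin", "crm:admin"},
}
# Constructed separation-of-duties rule: nobody may hold the whole chain
SOD_CHAIN = {"erp:invoice:initiate", "erp:invoice:validate", "erp:invoice:control"}
# Constructed grants as exported from the applications: (user, entitlement, expiry)
GRANTS = [
    ("alice", "erp:invoice:initiate", None),
    ("alice", "erp:invoice:validate", None),            # outside role, SoD risk
    ("alice", "erp:invoice:control", date(2024, 1, 31)),  # temporary, not withdrawn
    ("bob",   "erp:invoice:validate", None),
    ("carol", "erp:admin", None),
    ("dave",  "crm:read", None),                         # no HR record: orphan
]
TODAY = date(2024, 6, 1)  # constructed review date

def review(hr, roles, grants, sod_chain, today):
    """Return a sorted list of (user, finding, entitlement) tuples."""
    findings, held = [], {}
    for user, ent, expiry in grants:
        if user not in hr:                      # account with no living identity
            findings.append((user, "orphan_account", ent))
            continue
        if expiry is not None and expiry < today:
            findings.append((user, "expired_temporary_grant", ent))
        if ent not in roles.get(hr[user], set()):  # least privilege by role
            findings.append((user, "outside_role", ent))
        held.setdefault(user, set()).add(ent)
    for user, ents in held.items():
        if sod_chain <= ents:                   # whole control chain in one hand
            findings.append((user, "sod_violation", ",".join(sorted(sod_chain))))
    return sorted(findings)

def sample_review():
    return review(HR, ROLES, GRANTS, SOD_CHAIN, TODAY)

if __name__ == "__main__":
    for finding in sample_review():
        print("%-6s %-24s %s" % finding)
```

In a real deployment the HR directory and grant export would come from the HR system and the application connectors, and the role model is the outcome of the profile definition work between IT and the managers.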
Many companies are therefore looking for a secure, external and independent solution to centralize all their applications. However, the tools currently available on the market are off-putting, because they are technical and difficult to learn.
Youzer can help you in this process. As IAM specialists, we have focused on managing users and SaaS and on-premise applications, with a view to simplifying and making information easier to understand.
Unlike technical IAM, we take an administrative approach to IAM, enabling you to group all your users and applications on the same platform. Your applications are synchronized, facilitating the management of authorizations.
Now let's get down to the nitty-gritty: how to draw up an action plan for implementing authorization management, 10 points for success!