IAM: How to manage user identities and accesses
Applications are multiplying in your company, both SaaS and on-premises, and staff movements are becoming more frequent.
To orchestrate your user base and to automate and manage each person's authorizations on company software, it's high time to find out what IAM software can do for you.
What is IAM? Definition and basic principles
IAM (Identity and Access Management) brings together all the systems put in place to manage user authorizations, in order to control who may access which applications and with which rights.
If we were to sum up IAM in a simple (simplistic? 🙂 ) phrase, we could say that IAM corresponds to the management of users and their authorizations.
For several years now, IAM has been at the heart of corporate processes, even beyond the prerogatives of the IT department.
ℹ️ Why is it so important to manage user authorizations?
In a company, employees will need to access software or data with a certain number of authorization rules in order to carry out their work.
When each new employee arrives, a large part of the onboarding process consists of creating 2 groups of resources:
- Resources belonging to the "common core": basic office tools such as Active Directory accounts and email (Office 365, G Suite, etc.).
- "Business-specific" resources: tools specific to the employee or to the department he or she belongs to.
Note also that even for the common core, the settings of each resource depend on the user's function. For example, creating an Active Directory account must go hand in hand with assigning the security groups that correspond to the user's function.
Once a new employee has joined, the user's authorizations and tools must also follow his or her career within the company. When a user changes function or joins a new department or team, security rights need to be added or withdrawn, distribution group memberships need to be modified and rights on new software need to be granted; above all, don't forget to withdraw the rights no longer required, since rights that accumulate over successive moves are the classic source of over-privileged accounts.
All these operations can be carried out manually, following a set of processes. It is also important to ensure those processes evolve in line with changes to the information system (IS) or its perimeter. To do this, you need to keep an up-to-date inventory of all software accounts, of all types of authorizations (sometimes referred to as authorization profiles), and a repository of the authorizations held by each user, so you know who has access to what.
ℹ️ Why is it so important to have this kind of repository?
Because when someone leaves the company, you don't want their access to remain open. Cisco, for example, was compromised by a former employee who still had access to its systems several months after leaving.
Also because, in the event of an audit, you need to show that access control is tightly managed: leave no room for approximation or improvisation when you talk about authorizations!
To ensure rigorous management, and given that we're talking about hundreds or thousands of users, accesses and authorization parameters, you need to use a tool that enables governance and, ideally, automation of these repositories.
The 4 stages in setting up an IAM
Step 1: Know your employees
It may seem surprising, but yes, it's important to keep a good record of ALL your users. Who has the user list in your company? In reality, nobody!
HR has part of it (employees on permanent or fixed-term contracts, etc.), while the business departments have another part (temporary staff, service providers, etc.). It is therefore essential to have a single view of all these users, so as to be able to manage their authorizations.
Step 2: Take stock of your software
This can be a difficult task, but you need to list all the software used in your company. I'll labour the point, but you really do need to list all software, even what isn't managed or known by IT (shadow IT included).
If you want to ensure your company's security all the way, it's a good idea at this point to also note all the hardware that's provided, such as access badges, keys and computer equipment.
Step 3: "Reconcile" users and software
In accounting this is called matching (lettrage in French): it consists of associating the various accounts of all applications with the right users. This reconciliation defines the list of tools available to each user.
When this reconciliation is carried out, you'll find "orphan" accounts: either "system" (service) accounts, or user accounts whose owner does not exist, or no longer exists, in your repository. These are the famous "ghost accounts": the users are gone, but the accounts are still active.
Our advice: carry out these 3 steps as often as possible, to keep your IS secure.
IAM software can simplify these 3 operations:
By connecting your IAM solution to your HRIS, you obtain the list of employees; then you connect the solution to your Active Directory (or similar) and you obtain the complete list of accounts. The solution performs the reconciliation automatically and notifies you of users and accounts that don't match. It requires no effort on your part, and you have all the information you need in a matter of minutes!
The great thing about an IAM solution is that, once set up, it can perform these actions in near real time.
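What that reconciliation actually computes is easy to show in code. The following is an added example, not code from this article or from Youzer or any other IAM vendor: it takes a constructed HR roster (step 1) and a constructed list of directory and SaaS accounts (step 2), matches them (step 3), and reports orphan accounts, leavers whose accounts are still enabled, people who have no account yet, and group drift against assumed per-function role profiles. The Person/Account model, the role profiles, the group names and the sample data are all illustrative assumptions.

```python
"""Reconcile an HR roster with directory accounts and flag the exceptions.

Added example, not the article's or any vendor's code.  The data model,
the ROLE_PROFILES table and the sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    """A user: a physical person known to HR (not an account)."""
    hr_id: str
    email: str
    function: str
    left_on: Optional[date] = None  # set once HR records a departure


@dataclass(frozen=True)
class Account:
    """A login in one system.  owner_email links it back to a Person."""
    system: str
    login: str
    owner_email: Optional[str]
    groups: FrozenSet[str] = frozenset()
    enabled: bool = True
    service_account: bool = False


# Assumed role profiles: the groups each HR function should hold, per system.
ROLE_PROFILES: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("accountant", "AD"): frozenset({"Domain Users", "GRP-Finance"}),
    ("sysadmin", "AD"): frozenset({"Domain Users", "GRP-IT", "Domain Admins"}),
    ("sales", "AD"): frozenset({"Domain Users", "GRP-Sales"}),
}


def reconcile(people: List[Person], accounts: List[Account], today: date) -> dict:
    """Match every account to a person and report the exceptions."""
    by_email = {p.email.lower(): p for p in people}
    findings = {"orphan": [], "leaver_active": [], "no_account": [], "drift": {}}
    people_with_account = set()

    for acct in accounts:
        if acct.service_account:
            continue  # system accounts are reviewed in a separate process
        owner = by_email.get((acct.owner_email or "").lower())
        if owner is None:
            # account with no matching person: an orphan (or ghost) account
            findings["orphan"].append((acct.system, acct.login))
            continue
        people_with_account.add(owner.email.lower())
        if owner.left_on is not None and owner.left_on <= today:
            if acct.enabled:
                # the person has left but the account still works
                findings["leaver_active"].append((acct.system, acct.login))
            continue
        expected = ROLE_PROFILES.get((owner.function, acct.system))
        if expected is None:
            continue  # no profile for this function/system: nothing to compare
        extra, missing = acct.groups - expected, expected - acct.groups
        if extra or missing:
            # a mover who kept old rights, or a joiner whose provisioning is incomplete
            findings["drift"][(acct.system, acct.login)] = {
                "remove": sorted(extra), "add": sorted(missing)}

    for p in people:
        still_here = p.left_on is None or p.left_on > today
        if still_here and p.email.lower() not in people_with_account:
            findings["no_account"].append(p.hr_id)  # onboarding not done
    return findings


def run_example() -> dict:
    """Run the reconciliation over constructed sample data."""
    people = [
        Person("E001", "alice@example.com", "accountant"),
        Person("E002", "bob@example.com", "sysadmin"),
        Person("E003", "carol@example.com", "sales", left_on=date(2024, 3, 31)),
        Person("E004", "dave@example.com", "sales"),  # hired, no account yet
    ]
    accounts = [
        # Alice moved from IT to finance and kept Domain Admins: drift
        Account("AD", "alice", "alice@example.com",
                frozenset({"Domain Users", "GRP-Finance", "Domain Admins"})),
        Account("AD", "bob", "bob@example.com",
                frozenset({"Domain Users", "GRP-IT", "Domain Admins"})),
        # Carol left in March but her account is still enabled: ghost account
        Account("AD", "carol", "carol@example.com",
                frozenset({"Domain Users", "GRP-Sales"})),
        Account("AD", "svc-backup", None, frozenset({"Backup Operators"}),
                service_account=True),
        # nobody in HR owns this SaaS login: orphan
        Account("O365", "ghost@example.com", "ghost@example.com"),
    ]
    return reconcile(people, accounts, date(2024, 6, 1))


if __name__ == "__main__":
    for kind, items in run_example().items():
        print(f"{kind}: {items}")
```

On the constructed data the run reports one orphan (the O365 login), one leaver with a live account (carol), one person without any account (E004) and one drift entry (alice should lose Domain Admins). In practice the HRIS export and the directory dump replace the two inline lists, and the role profiles are the "authorization profiles" the article mentions.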
Step 4: Manage access rights
The final step is to manage your users' access rights. You've just defined who can use which software, but now you need to define what they can do with it.
The most common mistake is to give everyone administrator rights. If you give everyone full rights, you've got no rights management policy at all!
When granting administrator access, think carefully about the responsibilities of the person who will receive these rights. Keep a close eye on these accesses in particular, because if they are compromised, the damage will obviously be catastrophic.
Some IAM systems allow you to specifically monitor certain sensitive access rights, so that you can be informed of any changes (for example, a user being appointed administrator of a resource).
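Here is what such monitoring of sensitive rights looks like when reduced to its logic. This is an added example, not the article's or any IAM product's own monitoring: it reviews a constructed feed of group-membership events, loosely modelled on the fields of Windows Security events 4728/4732/4756 (member added to a security-enabled global/local/universal group), and raises an alert whenever someone is added to a sensitive group without a matching approved change. The list of sensitive groups, the change-ticket register and the sample events are assumptions.

```python
"""Alert on additions to sensitive groups from an audit event feed.

Added example, not code from the article or from any IAM product.  The
events, the sensitive-group list and the approved-change register are
constructed assumptions.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Windows event IDs for a member being added to a security-enabled group
# (global, local and universal respectively).
MEMBER_ADDED = {4728, 4732, 4756}

# Assumed list of groups whose membership changes must always be reviewed.
SENSITIVE_GROUPS: Set[str] = {
    "Domain Admins", "Enterprise Admins", "GRP-Finance-Approvers"}

# Assumed register of approved change requests: ticket -> (member, group).
APPROVED_CHANGES: Dict[str, Tuple[str, str]] = {
    "CHG-1041": ("alice", "Domain Admins"),
}

# Constructed events: subject is who made the change, member is who gained
# (or lost) the membership, ticket is an optional change reference.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "event_id": 4728, "subject": "bob", "member": "alice",
     "group": "Domain Admins", "ticket": "CHG-1041"},
    {"id": 2, "event_id": 4728, "subject": "bob", "member": "dave",
     "group": "GRP-Sales", "ticket": None},
    {"id": 3, "event_id": 4729, "subject": "bob", "member": "carol",
     "group": "GRP-Sales", "ticket": None},                  # a removal
    {"id": 4, "event_id": 4732, "subject": "eve", "member": "eve",
     "group": "Enterprise Admins", "ticket": None},          # self-granted
    {"id": 5, "event_id": 4756, "subject": "svc-hr-sync", "member": "frank",
     "group": "GRP-Finance-Approvers", "ticket": "CHG-0999"},  # unknown ticket
]


def review_events(events: Iterable[Dict],
                  sensitive: Set[str] = SENSITIVE_GROUPS,
                  approved: Dict[str, Tuple[str, str]] = APPROVED_CHANGES) -> List[Dict]:
    """Return one alert per sensitive-group addition not covered by an
    approved change, with a severity and a reason."""
    alerts = []
    for ev in events:
        if ev["event_id"] not in MEMBER_ADDED or ev["group"] not in sensitive:
            continue  # removals and ordinary groups are logged, not alerted
        ticket = ev.get("ticket")
        if ticket and approved.get(ticket) == (ev["member"], ev["group"]):
            continue  # the addition is exactly what the approved change asked for
        if ev["subject"] == ev["member"]:
            severity, reason = "high", "self-granted privileged membership"
        elif ticket:
            severity, reason = "high", f"ticket {ticket} does not cover this change"
        else:
            severity, reason = "medium", "no change ticket"
        alerts.append({"event": ev["id"], "subject": ev["subject"],
                       "member": ev["member"], "group": ev["group"],
                       "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in review_events(SAMPLE_EVENTS):
        print(alert)
```

On the sample feed, event 1 is silent because ticket CHG-1041 approves exactly that addition; event 2 touches a non-sensitive group and event 3 is a removal, so neither alerts; event 4 (eve adding herself to Enterprise Admins) and event 5 (a ticket that does not match the change) both raise high-severity alerts. Matching the ticket against both the member and the group is the part worth keeping: a valid ticket number alone is easy to paste into an unrelated change.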
Do you manage your users' accounts yourself, or do you opt for an external solution?
After reading the 4 steps to self-managed identity and access management, you might be thinking to yourself:
- okay, I'll set it up OR
- it seems a bit time-consuming to carry out all these actions on a regular basis, without any certainty of being exhaustive.
What you think at the time is already a good indicator of whether or not you need a full-fledged IAM solution.
Company size and staff turnover are other important criteria.
The easy answers: if you have more than 100 employees and/or a high turnover, choose an IAM platform.
Above 200 employees, it's practically impossible to operate without such a system.
The 3 most common IAM mistakes to avoid
Mistake 1: Confusing IAM with SSO
SSO is an authentication system: it lets a user sign in once and reach several applications. IAM is an identity and account management system: it decides which accounts and rights each person should have.
IAM and SSO work very well together, but they don't perform the same functions at all.
At the root of this confusion is a need that is not clearly defined: the IT department wants to lighten or centralize password management for users, a requirement that sits at the crossroads of IAM, SSO and password managers.
Implementing SSO centralizes part of the authentication of users to their various accounts. But the technical constraints of implementation, compatibility and maintenance mean that SSO usually covers only a subset of the company's applications.
If we wanted to use a metaphor:
- with SSO, you decide who has the right to enter the house;
- with IAM, you decide who has the right to move furniture, repaint walls or just sit down.
SSO doesn't let you manage clearance levels properly; it gives you no global view of your tools and software, because not all of them are compatible; and it gives you no global view of the people working in your company, because it doesn't connect to the HRIS.
Mistake No. 2: Confusing users and accounts
When I'm in contact with a company and ask whether they have a repository that centralizes all their users, I regularly get the answer: "yes, Active Directory is the reference". But that is precisely the mistake to avoid: confusing users with accounts.
Users are natural persons, with a surname, a first name, a date of arrival and possibly a date of departure.
These users are given accounts based on their HR attributes (function, department, dates).
If you understand this fundamental difference, you're well on your way to implementing intelligent identity management in your company.
Mistake no. 3: thinking that the IAM tool, once in place, will work on its own
You can totally derail your IAM project by not putting someone in charge of the tool. Yes, even the best IAM solution needs looking after: new arrivals, account creations and suspensions need your intervention, and it's by maintaining your IS that it stays "clean" and correctly synchronized with HR data.
Finally, the key points for getting started
👉 Choose a "user-friendly" solution: you'll be using the tool on a regular basis, and the solution you choose must be simple and ergonomic.
👉 A SaaS solution: gives you flexibility, with no heavy software to install and maintain. Your solution is always up to date, and the TCO is generally lower in hosted mode.
👉 Compatibility with your applications: some of your applications are on-premises, and the most recent are SaaS (Office 365, for example). Check that you can integrate your applications whatever their technology, so that you cover the entire perimeter of your information system. The main difficulty is often integrating proprietary on-premises tools; that's why Youzer has developed a universal connector, so that our customers can "build" a customized connector for each of their applications.
👉 Responsive customer service: if you're making a multi-year commitment to an IAM solution, you need to be able to rely on responsive customer service to answer your questions and solve your problems. If you're on a huge platform, make sure you get a decent response time and that the person is technically proficient (so you don't get passed around before you get your answer 🙃).
👉 A solution that evolves: it's not uncommon today to see software platforms that haven't evolved for several years or even decades. With technologies and uses changing so rapidly, choose a flexible, scalable platform that keeps evolving.
Sponsored article. Expert contributors are authors independent of the appvizer editorial team. Their comments and positions are their own.