Zero Trust security has become one of the best approaches to ensuring that networks are protected from common security threats such as data theft, breaches and ransomware attacks. The idea behind zero trust is that no person or thing can be automatically trusted to access enterprise resources, without verifying that they are an authenticated user who is authorized to access that specific resource. Therefore, Zero Trust methods treat every user as suspect until proven otherwise.
Why is IAM an Important Part of Zero Trust?
Identity and Access Management (IAM) is a pillar of a Zero Trust strategy. IAM provides the processes that let users prove they are who they claim to be, and should therefore be permitted to access the tools and data they are authorized to use -- those they need to do their job. IAM may leverage technologies such as multifactor authentication, single sign-on, and password management.
In addition to providing technologies that enable enforcement of strong authentication policies, administrators can use IAM to control access to different applications and privileges based on user authorizations. A variety of methods, which are known collectively as control procedures, may be used for this purpose. Different procedures may be more suitable for different companies and may require varying levels of management effort depending on the frequency with which users join, leave, or change positions within the organization.
Let’s take a look at the 7 main IAM control procedures:
Role-Based Access Control
Role-based access control (RBAC) provides access to the network, applications, and various files based on a user’s position within an organization. If a person is a doctor within a healthcare organization, for example, they might be allowed to access patient records, medical imaging software, and productivity tools like email – and probably nothing else. This is a great way for large organizations to provision their employees at scale, without manual intervention, as everyone has a predefined role and a set of apps associated with it.
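The doctor example above, worked through as an added example (this code is not from the original article): users are mapped to roles, roles are mapped to permissions, and a request is allowed only if one of the user's roles carries the matching (resource, action) pair. The roles, permissions and user names are constructed sample data for a hypothetical healthcare organisation.

```python
"""Minimal role-based access control (RBAC) check.

Added example, not from the original article. Roles, permissions and the
user-to-role mapping are constructed sample data for a hypothetical
healthcare organisation, modelled on the doctor example in the text.
"""
from typing import Dict, FrozenSet, Set, Tuple

# A permission is a (resource, action) pair; a role is a named bundle of them.
Permission = Tuple[str, str]

ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "doctor": frozenset({
        ("patient_records", "read"),
        ("patient_records", "write"),
        ("medical_imaging", "read"),
        ("email", "use"),
    }),
    "receptionist": frozenset({
        ("appointments", "read"),
        ("appointments", "write"),
        ("email", "use"),
    }),
}

# Users carry roles only; they never hold permissions directly. Provisioning
# a new hire is therefore a one-line change to this mapping, and changing a
# role's permissions changes them for every holder of that role at once.
USER_ROLES: Dict[str, Set[str]] = {
    "dr_alice": {"doctor"},
    "bob": {"receptionist"},
}


def permissions_for(user: str) -> FrozenSet[Permission]:
    """Union of the permissions of every role assigned to the user."""
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Deny by default: unknown users, roles and resources all evaluate to False."""
    return (resource, action) in permissions_for(user)


if __name__ == "__main__":
    requests = [
        ("dr_alice", "patient_records", "read"),   # in role -> ALLOW
        ("dr_alice", "appointments", "write"),     # not a doctor permission -> DENY
        ("bob", "patient_records", "read"),        # receptionist -> DENY
        ("mallory", "email", "use"),               # unknown user -> DENY
    ]
    for req in requests:
        print(req, "->", "ALLOW" if is_allowed(*req) else "DENY")
```

Because users never hold permissions directly, an offboarding is a removal from `USER_ROLES`, and a review of "who can read patient records" is a scan of `ROLE_PERMISSIONS` rather than of every account.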
Discretionary Access Control
Many small businesses use discretionary access control because it’s reasonably secure and easy to implement. In this control scheme, there are objects – such as files – and there are owners or creators of these objects. Any owner can extend access to an object they own by granting another user a username and password. This makes information sharing easy, but of course, this may not scale (or provide the necessary security controls) for larger organizations.
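The defining property of DAC is that the owner of an object, not a central administrator, decides who else may use it. The following added example (not code from the original article) models that with a per-object access list that only the owner may change; the users and file name are constructed sample data.

```python
"""Minimal discretionary access control (DAC) over owned objects.

Added example, not from the original article. Users, file names and grants
are constructed sample data. The object's owner, not an administrator,
decides who else may access it, which is what makes the scheme discretionary.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class SharedObject:
    name: str
    owner: str
    # Access list: grantee -> set of actions the owner has granted them.
    acl: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, actor: str, grantee: str, action: str) -> None:
        """Only the owner may extend access; anyone else gets an error."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        self.acl.setdefault(grantee, set()).add(action)

    def revoke(self, actor: str, grantee: str) -> None:
        """Only the owner may withdraw access."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        self.acl.pop(grantee, None)

    def is_allowed(self, user: str, action: str) -> bool:
        """The owner has full rights; everyone else needs an explicit grant."""
        if user == self.owner:
            return True
        return action in self.acl.get(user, set())


def try_grant(obj: SharedObject, actor: str, grantee: str, action: str) -> bool:
    """Attempt a grant and report whether the access-control check let it through."""
    try:
        obj.grant(actor, grantee, action)
        return True
    except PermissionError:
        return False


def demo() -> SharedObject:
    """Owner alice shares a constructed report read-only with bob."""
    report = SharedObject(name="q3_report.xlsx", owner="alice")
    report.grant("alice", "bob", "read")
    return report


if __name__ == "__main__":
    r = demo()
    print("bob read:", r.is_allowed("bob", "read"))        # True
    print("bob write:", r.is_allowed("bob", "write"))      # False
    print("bob grants carol:", try_grant(r, "bob", "carol", "read"))  # False
```

The scaling problem the text mentions is visible here: every object carries its own list, so answering "who can read all of our Q3 reports" means walking every object, and nothing stops a hundred owners from each granting access in a hundred different ways.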
Mandatory Access Control
This kind of access control is often used to restrict information in hierarchical organizations such as governmental or military agencies. In this control method, an individual is given a clearance level that corresponds with the kind of information they can access. If you have confidential clearance, for example, then you can only access confidential information — and not secret or top-secret information. For added security, each endpoint has this classification schema baked into its operating system kernel.
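The clearance check described above, as an added example that is not from the original article. It encodes the unclassified/confidential/secret/top-secret ordering and applies the two Bell-LaPadula rules that the text's example is an instance of: a subject may read at or below its clearance ("no read up") and may write only at or above it ("no write down"). The example goes slightly beyond the text by adding optional compartments, so a label dominates another only if its level is at least as high and its compartment set is a superset. Labels and subjects are constructed sample data; the point of a mandatory scheme is that neither the user nor the file's creator can change the outcome of these functions.

```python
"""Mandatory access control with ordered clearance levels.

Added example, not from the original article. Levels follow the
confidential/secret/top-secret ordering used in the text; the rules are the
Bell-LaPadula simple-security ("no read up") and *-property ("no write down")
rules. The compartment sets are an addition beyond the text. All labels and
subjects below are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = ("unclassified", "confidential", "secret", "top_secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if self is at least as high as other in the security lattice."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def can_read(clearance: Label, classification: Label) -> bool:
    """Simple security property: read only at or below your clearance."""
    return clearance.dominates(classification)


def can_write(clearance: Label, classification: Label) -> bool:
    """*-property: write only at or above your clearance, so nothing leaks down."""
    return classification.dominates(clearance)


def check(clearance: Label, classification: Label, action: str) -> bool:
    """Reference-monitor style decision: unknown actions are denied."""
    if action == "read":
        return can_read(clearance, classification)
    if action == "write":
        return can_write(clearance, classification)
    return False


if __name__ == "__main__":
    confidential_user = Label("confidential")
    for level in LEVELS:
        print(f"confidential clearance reads {level}:",
              check(confidential_user, Label(level), "read"))
```

The write rule is what makes the scheme useful against the "copy it somewhere less restricted" workaround: a secret-cleared subject cannot write into a confidential file, and the enforcement point sits in the kernel rather than in each application.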
Attribute-Based Access Control
As the name suggests, Attribute-Based Access Control (ABAC) sprang out of RBAC. In this control method, both users – which are called subjects – and objects have attributes (actions and environmental characteristics have attributes as well). As an example, an object may carry attributes stating that it may be viewed and copied, but not edited, by subjects with the role of “accountant,” and only during the hours of nine to five.
Setting up attributes for every subject and object in your network can be tricky at the outset, but it can be a lot easier than creating new roles. In a large company, the things that a role can and cannot do can change all the time – therefore, it’s much easier to add and delete attributes from various personnel.
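The accountant policy from the text, implemented as an added example (not code from the original article). Each rule is a condition over the four attribute sets the text names (subject, object, action, environment) plus a permit or deny effect; the decision combines rules with deny-overrides and denies by default. The attribute names, the second "finance_manager" rule, the `locked` object attribute and the sample requests are constructed for illustration; a real policy decision point would load rules from a policy store rather than a Python list.

```python
"""Attribute-based access control: rules over subject, object, action and
environment attributes, combined deny-overrides, deny by default.

Added example, not from the original article. Implements the accountant
policy described in the text (view and copy, never edit, only 9 to 5).
Attribute names, the finance_manager rule, the "locked" object attribute and
the sample requests are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]


@dataclass
class Request:
    subject: Attrs   # e.g. {"role": "accountant"}
    obj: Attrs       # e.g. {"type": "ledger", "locked": False}
    action: str      # "view", "copy", "edit", ...
    env: Attrs       # e.g. {"time": datetime}


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    effect: str      # "permit" or "deny"


def business_hours(req: Request) -> bool:
    """Environment attribute check: 09:00 to 17:00, as in the text."""
    return 9 <= req.env["time"].hour < 17


POLICY: List[Rule] = [
    Rule("accountants view/copy ledgers during business hours",
         lambda r: r.subject.get("role") == "accountant"
         and r.obj.get("type") == "ledger"
         and r.action in {"view", "copy"}
         and business_hours(r),
         "permit"),
    Rule("finance managers have full access to ledgers",
         lambda r: r.subject.get("role") == "finance_manager"
         and r.obj.get("type") == "ledger",
         "permit"),
    Rule("nobody edits a locked object",
         lambda r: bool(r.obj.get("locked")) and r.action == "edit",
         "deny"),
]


def decide(req: Request) -> str:
    """Deny-overrides combining: any matching deny wins, else permit if any
    rule permits, else deny (nothing matched)."""
    permitted = False
    for rule in POLICY:
        if rule.condition(req):
            if rule.effect == "deny":
                return "deny"
            permitted = True
    return "permit" if permitted else "deny"


def make_request(role: str, action: str, hour: int, locked: bool = False) -> Request:
    """Build a constructed sample request against a ledger at the given hour."""
    return Request(subject={"role": role},
                   obj={"type": "ledger", "locked": locked},
                   action=action,
                   env={"time": datetime(2024, 1, 15, hour, 0)})


if __name__ == "__main__":
    for role, action, hour, locked in [("accountant", "view", 10, False),
                                       ("accountant", "edit", 10, False),
                                       ("accountant", "view", 18, False),
                                       ("finance_manager", "edit", 10, True)]:
        print(role, action, f"{hour:02d}:00", "locked" if locked else "",
              "->", decide(make_request(role, action, hour, locked)))
```

Note what changed compared with RBAC: granting accountants an extra action, or narrowing the time window, is an edit to one rule's condition, not a new role, which is the administrative advantage the paragraph above describes.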
Privileged Access Management
Privileged Access Management (PAM) refers to the suite of controls used to manage and monitor an organization’s most important data and users. PAM users might include systems administrators, security professionals, and some high-tier support personnel. Since these account holders are all potential targets for impersonation by attackers, PAM tools will usually involve encryption, multi-factor authentication, session tracking, and audit logging. After all, it follows that the individuals with the power to unlock a company’s most secure secrets should also endure the most scrutiny.
Single Sign-On
By the end of 2018, companies used an average of 129 business apps. Forcing users to remember up to 129 corresponding passwords is a nonstarter, however. If pressed, users tend to reuse passwords, choose insecure easy-to-remember passwords, and choose passwords that are slight variants of one another. Rather than endure this security weakness, SSO lets users log into an entire suite of applications with just a single secure set of credentials. While not every application supports SSO, most new ones do – especially most cloud applications. Implementation lets users memorize fewer, more secure passwords.
Remote Access
Finally, remote access defines how users are able to log in and access applications when they’re not physically located on your premises. This kind of control scheme can cover anyone from a remote worker logging in from home to a tech support worker using a screen viewer to diagnose a bug. With 43 percent of US workers working from home at least some of the time, organizations need to understand how to make their policies as secure as possible.
The good news about IAM is that most newer forms of cloud-based IAM are specifically designed to make remote access secure. In fact, you’ll be able to use IAM to implement nearly any control scheme on the list above, or even multiple control schemes in combination. Your only job is to figure out which control scheme works best for your company, and to implement it to the best of your ability.