Well, who are you? (Who are you? Who, who, who, who?)
I really wanna know (Who are you? Who, who, who, who?)
— The Who, "Who Are You"
When Pete Townshend wrote those words, I doubt he was thinking of writing an identity and authentication anthem, but there it is. Who are you, and can you prove it? Because if you can, the system is programmed to provide you with privileges. I think Townshend would agree with that, to some extent.
In the virtual universe, most people have multiple identities (IDs). Your banking, e-commerce, social media, and even browsing history can all be associated with one or more of your IDs. And if any of those IDs and data sets can be matched and a profile built of who you are and what you might be interested in, woo-hoo! Marketing gold.
For enterprise IT environments, the system really is programmed to provide privileges within its environment that enable administration, usage, reporting, and auditing. In fact, every system that has a limited set of users, with differentiated permissions, needs to start with a set of IDs to which it can associate the privileges and (typically) record their usage.
IDs can represent real people or programmed services that execute system administration or operating functions. Consequently, the management of identities is one of the foundational control objectives in IT. Internal auditors should be able to evaluate their organizations' implementation of controls over the establishment of — and accountability for — IDs in every significant system, including applications, databases, servers, network management solutions, and other computing and communications infrastructure.
The IIA recently issued a new
Global Technology Audit Guide (GTAG), Auditing Identity and Access Management, that aims to give audit managers and others who may not be technology experts enough information to plan and execute a meaningful evaluation of their organization's controls over related risks. The new
GTAG includes references to a few widely used external control frameworks:
- The U.S. National Institute for Standards and Technology Special Publication (SP) 800-63: Digital Identity Guidelines and SP 800-53 revision 5: Security and Privacy Controls for Information Systems and Organizations (SP 800-53r5).
- ISACA's COBIT 2019.
- Center for Internet Security (CIS) Controls version 7.1 (aka the "Top 20," formerly the SANS Top 20).
There are other frameworks, globally, for IT and information security, and over time The IIA may publish professional tools that evaluate identity and access management control descriptions in those other frameworks. For example, the International Organization for Standardization (ISO) publishes guidance for identity management (ISO 24760), identity proofing (ISO 29003), authentication (ISO 29115), and access management (ISO 29146), which many organizations use for designing and evaluating controls. Clearly, the control concepts are discussed in a fairly consistent vocabulary, so the
GTAG should be relatable to any framework your organization uses.
One of the great, underappreciated technological controls is the use of identity management services in a process known as federation. This is a centralized system for assigning network access privileges to provide identity, authentication, and access management services to other systems on the network. Sometimes this process is called single sign-on (SSO), and when it is integrated with the organization's human resources database, it can enable the automation of many user access provisioning and deactivation processes.
Still, even in organizations with an SSO tool, there may be business applications or other elements in use that are not fully integrated — perhaps not even hosted on the network. Internal auditors should examine whether the feasibility of federation has been adequately evaluated by the enterprise or security architects. Decisions not to federate are inherently riskier, because of the introduction of manual processes that may inadvertently bypass or weaken other controls. It is definitely worth verifying whether a risk assessment and acceptance was documented.
Processes that force users of an ID to prove they are who they claim to be are known as authentication. By now, most internal auditors have heard the term multifactor authentication, and hopefully everyone also realizes that when a website or application requires you to enter a password and a code that was texted to you, you are engaging in a multifactor authentication. I won't bore you with the usual "authentication is something you: know, have, or are" examples, but consider identity theft for a moment: Do some organizations enable such frauds through inadequate authentication controls?
Presumably, most people would prefer to see the use of their identity to commit fraud prevented on the front end rather than repaired afterwards. I hope that the internal auditors in such organizations remain vigilant for opportunities to strengthen authentication controls in the new account set-up processes — please, for the sake of humanity.
David Petrisky, CIA, CRMA, CISA, CPA, is director, Professional Practices at The IIA.
Want to be a part of Your Voices? Click here to learn how to contribute a blog post.