IT networks face increasing threats from inside and outside an organization. Conventional perimeter defenses, for instance, can miss insider threats, such as password disclosures and fraud due to staff collusion as well as external online threats including zero-day attacks (i.e., attacks that take advantage of computer security holes for which no solution is currently available). To curb the presence of these threats, many IT departments are using companywide identity and access management (IAM) solutions that provide ongoing access to information, applications, and networks.
While access to company resources is critical for the day-to-day operations of private, public, and government organizations, this access must be highly secure and fast. In addition, users must be able to access network resources for which they are authorized as easily as possible. During their work, auditors often are required to provide recommendations that improve their organization's IAM activities. But before doing so, they need to understand the basics of IAM systems as well as their role in the design and implementation of IAM strategies.
Identity and Access Management Defined
Before learning the basics behind an effective IAM program, it is important for internal auditors to understand each of the program's components: identity management and access management. Despite the differences between these activities, many beginning auditors treat them the same during audit reviews. However, they each oversee different aspects of the IAM program.
Digital Identities and IAM
As digital identities take on an increasingly important role in specifying how users interact with computer networks, IAM programs become more and more complex. For example, organizations need to manage users efficiently and accurately while granting them access to network resources.
However, organizations rarely store and use identity information in only one place (e.g., company information can be stored in and used by multiple departments, countries, business divisions, and software programs). This, combined with the occurrence of mergers and acquisitions, has resulted in the proliferation of directory services and application-specific identity stores (i.e., applications that store and manage multiple user IDs) and has translated into increasing costs and complex security issues (e.g., the greater the number of identity stores, the greater the likelihood that dormant and orphan accounts are being misused).
Therefore, auditors need to have a sound understanding of the approaches and technologies IT departments can use to address multiple digital identities as a way to help organizations develop a consistent and effective IAM strategy. These approaches and technologies need to implement short-term and strategic approaches to controlling a user's identity.
In essence, identity management is the process for managing the entire life cycle of digital identities, including the profiles of people, systems, and services, as well as the use of emerging technologies to control access to company resources. (A digital identity is the representation of a set of claims made by a digital subject, including but not limited to computers, resources, or persons, about itself or another digital subject. For more information about digital identities, see "Digital Identities and IAM" above.) The goal of identity management, therefore, is to improve companywide productivity and security, while lowering the costs associated with managing users and their identities, attributes, and credentials.
On the other hand, access management is the process of regulating access to information assets by providing a policy-based control of who can use a specific system based on an individual's role and the current role's permissions and restrictions. When combined, these two processes form the foundation of an effective IAM program.
The IAM Strategy
IAM is a combination of processes, technologies, and policies enabled by software to manage user identities throughout their life cycle. More specifically, the goal of IAM is to initiate, capture, record, and manage user identities and their related access permissions to proprietary information and other company resources. User identities can extend beyond corporate employees and include vendors, customers, floor machines, generic administrator accounts, and electronic access badges. As a result, improving access to network resources and managing an identity's life cycle can provide significant dividends for organizations, such as:
A lower total cost of ownership through the increased efficiency and consolidation of identification and authorization procedures.
Security improvements that reduce the risk of internal and external attacks.
Greater access to information by partners, employees, and customers, thus leading to increased productivity, satisfaction, and revenue.
Higher levels of regulatory compliance through the implementation of comprehensive security, audit, and access policies.
Greater business agility during events such as mergers and acquisitions.
Here are some general strategies auditors can recommend for IT departments to consider when aligning the organization's IAM program to existing business strategies and regulatory compliance requirements:
Obtain senior management support prior to designing and implementing an IAM program as the program will be an important part of companywide information security efforts.
Understand the organization's IAM needs and define corresponding processes first.
Automate the identity provisioning process to allow for the central administration of user identities.
Consider the acquisition of directory servers, meta directories (i.e., techniques for providing directory integration), virtual directory servers, and administration products (e.g., directory and public key infrastructure management tools and provisioning products).
Build access layer and workflow processes. The access layer is used to mediate access to the shared media and other network resources, while workflow processes define and track the exchange of work among users.
Lay out business requirements as much as possible before starting the integration of IAM processes.
Before signing a contract with a vendor, check out references and foster a good partner relationship.
Integrate the components and processes above, but realize that not all components might be needed at first based on the organization's strategic plan, business needs, and IAM project scope.
A chain is as strong as its weakest link, and when it comes to IT security, IAM is the weakest link in many organizations. For example, many IT departments store identity credentials as data objects in different data repositories. Because these organizations can have hundreds of discrete identity stores containing overlapping and conflicting data, synchronizing this information among multiple data repositories turns into a challenging, time-consuming, and expensive ordeal, especially if the data is managed through the use of manual processes or custom scripts.
Another key challenge is cost. As a general rule, the cost of managing user identities should be as low as possible to ensure a reasonable return on the IAM investment. This can be achieved by scaling identity life cycle management activities efficiently across applications and network resources and by using as few staff as possible to manage IT applications. Too often, identity management projects become too large or cumbersome to finish on schedule; after all, there will always be more applications to integrate into the system.
Identity Synchronization Issues
Besides the challenges stemming from the use of manual processes to manage multiple data repositories, other identity synchronization issues include:
Reducing the costs associated with managing large numbers of identity stores.
Providing the ability to expand the organization's people and IT resources without a corresponding increase in IT staff.
Increasing employee productivity by being able to find the right information about other users.
Meeting regulatory requirements associated with privacy and access controls.
Requiring users to remember more than one user ID.
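The orphan and dormant accounts and the conflicting data across unsynchronized identity stores described above are easiest to see with a small reconciliation check. The following is an added example, not code from the original article or from any IAM product; the HR record, the two identity stores and the review date are constructed sample data, and the function names are hypothetical:

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real system): an HR record acts as the
# authoritative source, while two application-specific identity stores have
# drifted from it, which is exactly the situation the article describes.
HR = {
    "jdoe":   {"status": "active",     "email": "jdoe@example.com"},
    "asmith": {"status": "terminated", "email": "asmith@example.com"},
    "bkim":   {"status": "active",     "email": "bkim@example.com"},
}
STORES = {
    "payroll_app": {
        "jdoe":    {"email": "jdoe@example.com",   "last_login": "2024-05-01"},
        "asmith":  {"email": "asmith@example.com", "last_login": "2024-04-20"},
        "svc_old": {"email": None,                 "last_login": "2023-01-15"},
    },
    "ldap": {
        "jdoe": {"email": "john.doe@example.com", "last_login": "2024-05-02"},
        "bkim": {"email": "bkim@example.com",     "last_login": "2023-09-30"},
    },
}
AS_OF = "2024-05-10"  # date of the review (constructed)

def reconcile(hr, stores, as_of, dormant_days=90):
    """Compare every identity store against HR and return (kind, store, uid)
    findings: 'orphan' (no active HR owner), 'dormant' (no login within
    dormant_days) and 'conflict' (attribute disagrees with the HR value)."""
    review_date = datetime.strptime(as_of, "%Y-%m-%d")
    findings = []
    for store, accounts in stores.items():
        for uid, acct in accounts.items():
            owner = hr.get(uid)
            if owner is None or owner["status"] != "active":
                findings.append(("orphan", store, uid))
            last = datetime.strptime(acct["last_login"], "%Y-%m-%d")
            if review_date - last > timedelta(days=dormant_days):
                findings.append(("dormant", store, uid))
            if owner and acct["email"] and acct["email"] != owner["email"]:
                findings.append(("conflict", store, uid))
    return findings

def summarize(findings):
    """Count findings per kind, the headline numbers an audit report needs."""
    counts = {"orphan": 0, "dormant": 0, "conflict": 0}
    for kind, _, _ in findings:
        counts[kind] += 1
    return counts

if __name__ == "__main__":
    for f in reconcile(HR, STORES, AS_OF):
        print("%-8s %-12s %s" % f)
    print(summarize(reconcile(HR, STORES, AS_OF)))
```

With the sample data the check reports two orphan accounts (a terminated employee and a service account nobody owns), two dormant accounts, and one attribute conflict between LDAP and HR.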
The Role of Internal Auditors
As part of their work, internal auditors need to ensure activities associated with user access are logged for monitoring, regulatory, and investigative purposes. Actions auditors can take as part of the IAM audit include:
Identify the regulations the company is required to comply with.
Assess the current compliance baseline by analyzing the organization's risk and compliance policy, determining how it is aligned with industry best practices, performing a gap analysis of IAM processes, and reviewing actual business performance against potential performance.
Recommend the organization implement IAM controls where needed and compare these to industry standards and best practices, such as the International Organization for Standardization's 27001 Standard.
Determine whether IAM audit logs are secure and scalable (i.e., whether the logging system, network, or process can handle growing amounts of work gracefully).
Acquire IAM reporting tools that meet the organization's audit needs. Such tools should provide at least the following information:
- Centralized access reporting data, both current and historical, so auditors know who is accessing what, when, where, and why.
- Critical highlights regarding system access rights.
- Detailed audit logs of user and administrator activities.
- Reports on configuration changes including file and exchange servers.
Generally, IAM touches every part of the organization — from accessing a facility's front door to retrieving corporate banking and financial information. Because of this, auditors need to understand how organizations can control access more effectively to gain a better understanding of the magnitude of the IAM program. For instance, to effectively control access, managers must first know the physical and logical entry points through which access can be obtained. As a result, auditors should be involved in the development of the organization's IAM strategy by bringing a unique perspective on how IAM processes can increase the effectiveness of access controls and by providing greater visibility into the operation of these controls.
Total Cost of Ownership of Identity and Access Management
IAM is an expensive investment. Besides the recommendations above, auditors can share the following tips with their IT department to help reduce the total cost of ownership of IAM activities:
Follow the rule of economy of scale. If more people use the same tool or application, its unit cost will decrease. Therefore, IT departments should search for and use the most popular off-the-shelf IAM solution first. Custom building an IAM application should be a last alternative (i.e., when no other commercial tool is available that can meet the organization's needs) due to the amount of time and resources required to create the tool.
Outsource IAM operations. If IT staff is based in North America or Europe, auditors can recommend that the organization consider outsourcing its tier 1 (i.e., help desk) or tier 2 (i.e., the person or company the employee calls when the help desk is not available) IAM support activities. The company also should consider outsourcing its tier 3 (i.e., the person or company that the tier 2 organization calls when they don't know the solution) IAM support activities and its architecture and integration work to a larger IT service company, such as Microsoft Corp., IBM, or Hewlett Packard, to reduce the amount of service downtime.
Note: Support costs are usually the largest portion of total ownership costs, followed by software and hardware costs.
With the continuing rise in identity theft, there is a need for a consolidated approach to improve IAM procedures. As a result, formalized compliance requirements need to be enforced in a top-down organizational approach, while security and software development professionals need to work together to ensure that all systems enforce concrete IAM principles at all levels. Above all, auditors should acquire all the skills necessary so that they can provide recommendations that meet the organization's IAM needs.
For additional information, auditors can read:
The Institute of Internal Auditors' Identity and Access Management Global Technology Audit Guide
"What Is Authentication?" published in ITAudit
Enterprisewide Identity Management, available for purchase on the ISACA Web site
Microsoft's Identity and Access Management Series