Identity and Access Management or IAM system brings together a set of enterprise processes which are adopted by organizations to manage human identities and their access to systems and data in order to secure company assets. IAM capabilities are increasingly being evolved and adopted to manage the IoT world which is rapidly expanding and connecting many of our devices which must communicate with each other to authenticate and authorize activities.
Considering that privileged access is required at least for some employees which exposes a company to great risks due to human error which is ranked the number one cause of information security incidents, identity and access management processes and IAM system has become even more critical to manage not only the user access to data but also user's ability to modify, delete, or transfer data.
There are many reasons why a company should adopt IAM processes and systems as well as employ IAM professionals but first and foremost it is to meet business requirements. For examples, the main drivers for IAM implementations and adoptions are regulatory compliance, improved security, and efficient operations.
Selecting the platform
An IAM platform should have the capability to incorporate directory services for centralized identity data management, allow granular role management, and incorporate advanced authentication or at least self-service password management.
Roles and entitlements
User roles, entitlements or access rights should be defined based on business requirements which considers the user group membership and access to multiple systems. Users can have multiple roles across multiple departments but segregation of duties must not be neglected facilitating conflict of interest and allowing unauthorized activities to go undetected. These entitlements define what users can access and what they can do once they have access. The IAM platform should then be configured to match the entitlement design documentation and tested to make sure it works.
Access review
Business managers must be required to periodically review system access for their respective groups and systems to validate the list of user with access and their allocated access rights. This process is also called access rectification and depending on the system and its data, can be performed quarterly, semi-annually, or annually. A major part of this process includes access adjustment which may include the removal of departed or transferred employees who may have changed roles. The system should have the ability to provide granular reports for management review.
Access request
The IAM platform should provide a streamlined access request process for new users and access change request for existing ones. This process should include automated completion check for collecting all required pieces of information for establishing access including approvals and access removal for departed users.
Consider registered IAM system certifications from the leading organization.