A Beginner’s Guide to Building an Identity Management Program

If you’re reading this, chances are the SEO wizards that revised everything I wrote keyed it perfectly to your search activity online and we all lucked out. Regardless of how you got here, I’d be willing to go out on a limb and say you’re not typically an Identity and Access Management Professional for a living.

In fact, if I were a betting man, I’d wager that until recently you had nothing to do with identity at all, and worked in operations or some other facet of IT that gives you an organization-wide look at who and what makes the place run. Because of that accumulated knowledge, your head honchos put you in charge of building the Identity and Access Management program for both internal employees and external customers.

If I’m wrong, this will definitely still be a good read, so stick around. However, if I’m right, then welcome! This might just be the best place to start your journey, so buckle up.

Without Further Ado, Let’s Talk Basics

Now that we’ve established who you are (or aren’t; regardless, I’m still just as accurate as those TV psychics, so give me some credit), let’s talk about why you’re here. You’re either really intimidated or really excited at this opportunity to build out a security program from the ground up at a place where you know everything that needs securing, and you wanted to see what a quick Google search would get you in terms of first steps.

That being said, there are 4 major Identity and Access Management “focuses” to speak of, so we will attempt to cover the basics of what you need to get up to speed on, namely:

  1. Identity Governance and Administration
  2. Privileged Access Management
  3. Single Sign-On & Federation in a Workforce Setting
  4. Customer Identity and Access Management (SSO and Federation is a consideration here as well)

Now, there’s a ton of nitty-gritty in each of those focuses that delve into the inner workings of an organization, both from a people and technology standpoint. For now, I’ll focus on an overview of these concepts and what they mean for YOU at the entry point in your IAM journey, and the key things to focus on to avoid common pitfalls that hamstring great projects. Shoot us a note later if you have more questions, we love chatting.

Identity Governance and Administration (IGA)

IGA is the foundation of Identity in the workplace. It isn’t just the product that supports roles, attributes, or hiring and firing processes; it’s the backbone of your entire organization’s security and productivity on a daily basis, irrespective of department. If someone at your organization accesses anything digitally, on any kind of device, based on who they are at your organization, IGA is the spine of that framework.

IGA doesn’t start with your tool; it starts at your HR system. An HR system, for those of you who haven’t worked in Human Resources, is where hires and fires are processed. It is also a database of relevant information about employees, like their Job Title, Organizational Groupings, Hierarchies (reporting structure), and other confidential information used to validate a person’s eligibility for employment and tie into benefit programs like Insurance and Retirement.

For us Identity professionals, an HR system is our Source of Truth (SOT): it feeds us foundational information about our users. That data, along with extensive Business Analysis and input gathered from working with all the different departments and leaders in your organization, will help you define the following basic tenets of your Identity Governance Program:

  • Role Matrix for Role/Attribute-Based Access Controls (RBAC/ABAC model)
  • Provisioning/Deprovisioning rules (Automated and Manual)
  • Organization Hierarchy and Reporting Structure
    • As it pertains to user privileges and access
  • Access Review Processes
  • Role/Privilege Attestation Processes
  • Hierarchy-based Access Approval/Denial Workflows

Governance for users across your organization as a whole is tied to your SOT, so building close working relationships with the technologists who handle HR systems is key to building a strong Identity Program that is responsive to the real needs of the people who make your organization run at scale.

As an Identity Professional, you are the heart, eyes, and nervous system of your security organization, and without bullet-proof mechanisms that start with strong foundations, weaknesses will abound as the program grows. The importance of working from the ground up with your HR teams is key to ANY program at EVERY organization, irrespective of how you do business, and is the best way to guarantee you make the right moves in building a solid IGA framework.
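To make the joiner/mover/leaver idea concrete, here is an added Python example (mine, not the post’s or any product’s code) that reconciles a constructed HR feed against a role matrix and current access: leavers and orphaned accounts are deprovisioned, joiners get birthright access, a mover’s leftover access goes to the manager for attestation, and a toxic combination is pushed into access review. The role names, entitlements and HR fields are assumptions.

```python
# Added example (not from the original post): joiner/mover/leaver reconciliation
# driven by the HR source of truth. Role matrix, HR feed and access data are constructed.
# Role matrix: HR attributes (department, title) -> entitlements that role should hold.
ROLE_MATRIX = {
    ("Finance", "Analyst"): {"erp_read", "expense_submit"},
    ("Finance", "Manager"): {"erp_read", "erp_approve", "expense_approve"},
    ("IT", "SysAdmin"): {"vpn", "ad_admin", "ticketing"},
}
# Entitlement pairs that must never coexist on one identity (sent to access review).
TOXIC_COMBOS = [({"ad_admin", "erp_approve"}, "directory admin with finance approval")]

def expected_entitlements(rec):
    return ROLE_MATRIX.get((rec["dept"], rec["title"]), set())

def reconcile(hr_feed, current_access):
    """Compare the HR source of truth with what identities currently hold.
    Returns (provisioning actions, access-review items for the user's manager)."""
    actions, review = [], []
    hr_by_id = {r["id"]: r for r in hr_feed}
    for uid, rec in hr_by_id.items():
        held = current_access.get(uid, set())
        if rec["status"] != "active":              # leaver: remove everything
            if held:
                actions.append(("deprovision", uid, held))
            continue
        want = expected_entitlements(rec)
        if uid not in current_access:              # joiner: birthright access only
            actions.append(("provision", uid, want))
        elif want - held:                          # mover: new role adds access
            actions.append(("grant", uid, want - held))
        extra = held - want                        # out-of-role access: manager attests
        if extra:
            review.append((uid, rec["manager"], extra))
        for combo, why in TOXIC_COMBOS:
            if combo <= (held | want):
                review.append((uid, rec["manager"], why))
    for uid in set(current_access) - set(hr_by_id):   # orphan: no HR record at all
        actions.append(("deprovision", uid, current_access[uid]))
    return actions, review

# Constructed sample: u2 moved from IT to Finance, u3 was terminated, u4 has no HR record.
SAMPLE_HR = [
    {"id": "u1", "dept": "Finance", "title": "Analyst", "status": "active", "manager": "u2"},
    {"id": "u2", "dept": "Finance", "title": "Manager", "status": "active", "manager": "u9"},
    {"id": "u3", "dept": "IT", "title": "SysAdmin", "status": "terminated", "manager": "u9"},
]
SAMPLE_ACCESS = {"u2": {"erp_read", "ad_admin", "vpn"},
                 "u3": {"vpn", "ad_admin", "ticketing"}, "u4": {"vpn"}}
```

Running `reconcile(SAMPLE_HR, SAMPLE_ACCESS)` yields one provision, one grant and two deprovisions, plus two review items for u2’s manager (the leftover IT access and the toxic admin-plus-approval pairing).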

Privileged Access Management (PAM)

While IGA is foundational in that it lets you simultaneously secure and speed up operations by making sure employees have access to the right resources at the right time, PAM is what protects your organization from bad actors, both external and internal.

Now, to be clear, PAM and IGA go hand in hand in that user accounts can function as a gateway to privileged accounts in some cases, so we do encourage building IAM programs with both in mind from the outset.

A prime example of this is the Colonial Pipeline hack, where an employee account accessed a legacy VPN to enter the network, and the result hamstrung an entire pipeline to the point where it shut down. Normally, user accounts with enough privilege to do that get flagged. But, and this is speculation on my part (have to add that for the legalese), user accounts generally don’t have the direct ability to perform service-related actions; they can, however, have the ability to access privileged accounts if left unchecked, which could lead to catastrophic ransomware attacks.

In 2021, IGA systems built from the ground up the right way focus on scoring metrics that accurately track user accesses and privileges so when an account accumulates high-risk privileges an administrator is alerted and is required to act accordingly.

That being said, if a hacker is able to circumvent your firewalls with a user account by some miracle, and is able to beef up the account they used to sneak in with enough privileges to access a Privileged Account, PAM can be your third wall, and if built thoughtfully can greatly limit or end exposure to these threats. Here are a few ways:

  • Password Cycling: Industry-leading PAM products allow you to integrate with directory solutions like Active Directory so that Service Accounts don’t have static passwords, but have complex, dynamically generated passwords that change themselves after each use.
  • Account Auditing: PAM solutions today also have the ability to manage service accounts and provide a service integrated audit trail that returns activity records for tasks that the service accounts run on a daily basis. All PAM solutions will make a record of when an account is checked out, and who checked it out as well. Some solutions that are more advanced even leverage machine learning to spot irregularities in Privileged Account Activity outside of normal business.
  • Session Recording: Even today, few PAM suites include a feature where every session initiated by a high-privilege user or service account is screen-captured, but it is imperative to contract with a vendor that lets you record full sessions for historical review.
  • MFA in front of ALL Servers: This seems basic, but you’d be surprised how many organizations don’t do this. If anyone accesses a server, they should have to utilize MFA to do so, and good PAM solutions will include this, or have integrations with providers that do so you can seamlessly set this up at the outset.
  • Privileged Account Search: Many organizations honestly don’t know where all their privileged accounts live, or whether an account is privileged or not, given how much time has passed since it was created. This isn’t always an egregious oversight; organizations change, and when people come and go it’s hard to keep track of what got created and where the specifications of that account are documented. Many PAM solutions today incorporate search tools that let you audit identity stores to dig these up, and thereby increase visibility over your environment.

There are a slew of other features that PAM solutions provide, including secure browser/sessions, VPN Access Control and Auditing, and much more, but the aforementioned tenets of PAM are going to be your biggest wins when first jumping in.
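As an added example (not from the post or any PAM vendor), this Python snippet runs three of the checks above over a constructed directory export and checkout log: privileged accounts the vault doesn’t manage, service accounts whose password has effectively gone static, and after-hours checkouts worth a second look. The group names, the 90-day threshold, the `svc_` naming convention and the log layout are assumptions.

```python
# Added example (not from the original post): privileged-account hygiene checks
# over a constructed directory export and a constructed PAM checkout log.
# Group names, thresholds and the log format are assumptions, not any vendor's.
from datetime import datetime, timedelta

PRIV_GROUPS = {"Domain Admins", "SQL Admins", "Server Operators"}
MAX_STATIC_PW_AGE = timedelta(days=90)     # service accounts past this are not being cycled
BUSINESS_HOURS = range(8, 19)              # 08:00-18:59 local counts as business hours

def find_unvaulted_privileged(directory, vaulted):
    """Privileged Account Search: accounts in a privileged group that the PAM
    vault does not manage (so nothing cycles their password or records their use)."""
    return sorted(a["sam"] for a in directory
                  if set(a["groups"]) & PRIV_GROUPS and a["sam"] not in vaulted)

def find_stale_service_passwords(directory, now):
    """Password Cycling gap: service accounts whose password has not changed
    within MAX_STATIC_PW_AGE, i.e. it is effectively static."""
    return sorted(a["sam"] for a in directory
                  if a["sam"].startswith("svc_") and now - a["pwd_last_set"] > MAX_STATIC_PW_AGE)

def find_after_hours_checkouts(checkout_log):
    """Account Auditing: checkouts of vaulted accounts outside business hours.
    Each log entry is (timestamp, checked_out_by, account)."""
    return [(ts, who, acct) for ts, who, acct in checkout_log
            if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5]

# Constructed sample data (2024-03-11 is a Monday).
NOW = datetime(2024, 3, 11, 10, 0)
DIRECTORY = [
    {"sam": "svc_backup", "groups": ["Server Operators"], "pwd_last_set": NOW - timedelta(days=400)},
    {"sam": "svc_sql", "groups": ["SQL Admins"], "pwd_last_set": NOW - timedelta(days=1)},
    {"sam": "jdoe_adm", "groups": ["Domain Admins"], "pwd_last_set": NOW - timedelta(days=30)},
    {"sam": "jdoe", "groups": ["Domain Users"], "pwd_last_set": NOW - timedelta(days=10)},
]
VAULTED = {"svc_sql", "jdoe_adm"}
CHECKOUTS = [
    (datetime(2024, 3, 8, 14, 5), "jdoe", "jdoe_adm"),     # Friday afternoon: normal
    (datetime(2024, 3, 9, 2, 40), "jdoe", "svc_sql"),      # Saturday 02:40: flag it
    (datetime(2024, 3, 11, 9, 15), "asmith", "jdoe_adm"),  # Monday morning: normal
]

if __name__ == "__main__":
    print("unvaulted privileged:", find_unvaulted_privileged(DIRECTORY, VAULTED))
    print("stale service passwords:", find_stale_service_passwords(DIRECTORY, NOW))
    print("after-hours checkouts:", find_after_hours_checkouts(CHECKOUTS))
```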

Single Sign-On (SSO) and Federated Identity Management (FIM) in a Workforce Setting

As an IAM nerd, you wouldn’t catch me dead using these terms interchangeably, but it’s so common that I decided dispelling the confusion is worth a section in this article. I also feel that I’ve had enough conversations with people looking to consolidate their toolsets who feel overwhelmed by all the sales-speak they have to endure in selecting a product that this is a necessary topic to dive into, so let’s.

SSO is using one credential pair (for example, username and password) to access multiple applications. By the way, it isn’t true SSO if you have to keep logging into services with that credential pair; it’s supposed to be ONE login, after which you have an open door to all the fun stuff you should be able to do with your account without continually re-entering your username and password. As a side note, you SHOULD have to use MFA to sign in in the first place, and again whenever your session has been inactive or some other condition (like a network change or a change of service) occurs that warrants re-securing your experience.

The obvious benefits here are not having to maintain multiple usernames and passwords for a plethora of different services, and better security as a result.

FIM is similar, except it’s more about trust between domains, which then enables SSO between them. A good example of federation is using your Google account to access a third-party service like a cooking site. In this scenario, the cooking site (as a Service Provider (SP)) trusts Google (as an Identity Provider (IDP)) to provide it with an identity that can then use its service without signing up for a separate account there.

In corporate terms, this means logging into your workstation, and being able to navigate to cloud applications, or applications in disparate corporate domains and automatically be able to log in without having to key in your username and password again (again, I can’t stress enough the importance of MFA in front of these though irrespective of an authenticated session existing).

There are a number of big companies offering products (IDPs) that your organization can leverage, and they all support the same industry standards like SAML and OAuth, so don’t let that hamstring you in deciding which way to go.

The real difference here when selecting a solid provider isn’t always functionality, it’s about digging into the weeds of your pricing and getting the best bang for your buck based on organizational needs. Some products are strong with cloud access and plugging into On-Premise directories to pull Identity data into their ecosystem from your AD, but weak at providing enterprise solutions for On-Premise applications and Custom Applications. Others offer both, but they are separate platforms and mean overhead for you to manage. Then there are those that offer both, and do it well, but the pricing can be steep.

At the end of the day, selecting one of these providers is based on your application portfolio, and also based on how you handle Customer Identity and Access Management (CIAM) and MFA because this can factor into your licensing cost, and into your overall contract. Going with the same vendor for Workforce and Customer as well as MFA use cases is preferable because it generally means you can negotiate for better pricing overall, and hit all your use cases at the same time, but this takes research and the upfront understanding of your environment and what your organization needs now and 2-5 years from now.

Let’s not get it twisted, though: this aspect of identity really is a commodity, so the best deal that hits all your use cases will suffice in making a selection. The major vendors share a lot of the same security certifications and service/uptime guarantees across Cloud, On-Premise, and Hybrid offerings, so it really does boil down to what fits you best for what you want to pay. Make sure to require a POC from any vendor during your selection process, though, as this avoids discovering missing functionality down the road.
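To show what the IDP/SP trust described above actually boils down to on the service-provider side, here is an added Python example (not from the post or any vendor) that accepts a federated assertion only from a trusted issuer, bound to this SP’s audience, unexpired and MFA-backed, and then decides when an otherwise silent SSO session must ask for MFA again. The assertion format and the HMAC shared secret are simplifications (real SAML/OIDC tokens are signed with asymmetric keys); the issuer, audience, expiry and signature checks are the ones any SP has to make.

```python
# Added example (not from the original post): the service-provider side of a
# federated login. Token format, shared signing key and session rules are
# simplified assumptions; real IdPs sign SAML/OIDC tokens with asymmetric keys.
import hmac, hashlib, json
from datetime import datetime, timedelta

TRUSTED_IDPS = {"https://idp.example-corp.test": b"constructed-shared-secret"}  # issuer -> key
OUR_AUDIENCE = "https://app.example-corp.test"    # the SP this token must be meant for
IDLE_TIMEOUT = timedelta(minutes=15)

def sign(payload: dict, key: bytes) -> str:
    """What the IdP does: serialize claims and attach a MAC (stand-in for a signature)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()

def accept_assertion(token: str, now: datetime, client_ip: str):
    """Return a session if the assertion is from a trusted IdP, for us, MFA-backed
    and unexpired; otherwise None. Order: trust, integrity, audience, freshness."""
    body_hex, _, mac = token.partition(".")
    body = bytes.fromhex(body_hex)
    claims = json.loads(body)
    key = TRUSTED_IDPS.get(claims.get("iss"))
    if key is None:                                   # unknown domain: no federation trust
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), mac):
        return None                                   # tampered or forged token
    if claims.get("aud") != OUR_AUDIENCE:             # issued for some other SP
        return None
    if now.timestamp() > claims.get("exp", 0) or not claims.get("mfa"):
        return None                                   # expired, or MFA never happened
    return {"sub": claims["sub"], "ip": client_ip, "last_seen": now}

def needs_reauth(session: dict, now: datetime, client_ip: str) -> bool:
    """SSO stays silent until the session idles out or the network changes."""
    return (now - session["last_seen"] > IDLE_TIMEOUT) or client_ip != session["ip"]

# Constructed sample: one valid assertion and one issued for a different audience.
T0 = datetime(2024, 3, 11, 9, 0)
_KEY = TRUSTED_IDPS["https://idp.example-corp.test"]
GOOD = sign({"iss": "https://idp.example-corp.test", "aud": OUR_AUDIENCE, "sub": "jdoe",
             "exp": (T0 + timedelta(hours=8)).timestamp(), "mfa": True}, _KEY)
WRONG_AUD = sign({"iss": "https://idp.example-corp.test", "aud": "https://other.test",
                  "sub": "jdoe", "exp": (T0 + timedelta(hours=8)).timestamp(), "mfa": True}, _KEY)

if __name__ == "__main__":
    session = accept_assertion(GOOD, T0, "10.0.0.5")
    print(session, needs_reauth(session, T0 + timedelta(minutes=5), "10.0.0.9"))
```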

Customer Identity and Access Management (CIAM)

Last but definitely not least is CIAM as we briefly mentioned above in the Federation and SSO section. This is the Identity Management system you leverage to administer your customer identities that they use to access your services across websites, mobile apps, kiosks, etc.

Customers shop, interact, manage their stock portfolios, and access health records online via a variety of devices and services. In managing these identities, we take responsibility not only for the user’s username and password/biometric/2FA information, but also for the information tied to that identity, like payment methods, consent statements, and other pertinent and sometimes confidential data artifacts.

These Identities are the first and the last level of protection for these assets. If your customer is a network of businesses (B2B Identity) the framework is similar, except in this case we manage identities for people at organizations outside your own who need to access your services for some purpose (an example would be a medical device manufacturer that sells wholesale to distributors online and has established contracts with those clients).

Some Key Focuses to Keep in Mind When it Comes to CIAM are:

  • Securing customer data in accordance with Customer Data Privacy laws like GDPR and “right to be forgotten”
  • Managing customer identities, and thereby the data tied to those identities in ways that prevent breaches
    • Most breaches are not from external threats, but internal ones. As Identity professionals, we build security into the backend systems that control and orchestrate this data so that a business’s employees, who are, sadly, its main attack vector, are kept in check (Zero Trust model).
  • Using customer identities to create custom, curated experiences
    • Includes integrations with downstream marketing tools to kick off customized campaigns based on user preferences and trends
    • Example: A user shopping online browses 5 different pages; on 3 of the pages, the user selects a product, but on the other 2 the user spends time but doesn’t buy. The data on what they looked at and how they behaved is tied to their user identity. Comprehensive CIAM solutions can send that data downstream, so marketers can use it to kick off campaigns and see what does and doesn’t work in selling their products and services to customers.
    • We also have a large part to play in loyalty programs, gamification (like getting reward points for participating in surveys, competitions, etc).
  • Synchronizing Customer identities to work across multiple platforms that a company offers, all with one single user;
    • Example: Accessing a Mobile App, website, and loyalty program all with one credential pair. We can track their behavior across all these resources and tie it back to their user identity, and thereby learn more about the customer, and craft their experience on this basis for future interactions
  • API Security and API based integrations to send Identity data across disparate systems to create digital experiences between services in the background;
    • Example: A service like a loyalty program that aligns the sum of a customer’s points that are tied to their identity to then search in another service what rewards a customer is eligible for based on their total.

Like any other aspect of Identity Management, CIAM is a business driver that keeps people and organizations safe, but CIAM gets a bit more love with your Marketing and Business folks, because they can actually see those dollars in action in their programs.

This is just the Beginning

So, here we are, at the end of a really long, yet semi-conversational piece about IAM for beginners. As with anything in life, discussion furthers progress, so please do feel free to reach out if you are in a position where this guide helped you frame your next project and are ready to ask some tough questions. This guide may be merely a quick look at Identity from 30K feet, but when you’re ready to go to ground and dig in to the weeds, we’re here to help.

©RAAH Technologies 2024. All Rights Reserved.