So you know that IAM is essential to making your organization work securely. And now what? This knowledge is great but needs to be put into practice. And it all starts with understanding the other piece of the puzzle - how to implement IAM policies securely, efficiently, and at scale.
61% of companies find identity management too time-sensitive and costly to manage effectively. All organizations of a certain size need to consider integrating policies in the real world without relying only on manual intervention, which is where Identity Governance and Administration (IGA) comes in.
IGA is the field of managing and monitoring your access policies, enabling you to follow security best practices while remaining efficient at scale. This article covers the benefits of IGA and some essential best practices to consider as you build your organization's IGA stack.
The ABC of Identity Governance
IGA is a subset of Identity and Access Management (IAM). The primary difference is that IAM explains how to add permissions to individual identities, whereas IGA answers which permissions you should give and why you should give them. Put simply; identity governance is about giving permissions to IT infrastructure.
For example, imagine you are an IT admin for an organization (if you actually are an IT admin, hi!), and a new developer joins the company.
Consider the following questions:
Which permissions should you give them to do their job well while minimizing the possibility of a data breach?
How should you manage when they want permission to make a new cloud resource?
How can you make sure that there are no breaches across your estate?
How can you ensure they follow security best practices to keep their laptop secure? (e.g., changing their password regularly)
What should you do if they abruptly leave the company?
How can you manage this efficiently as your company grows to 100s or 1000s of people?
These are the kind of questions that IGA is well-suited to answer.
A robust IGA framework is essential to any Cloud Identity Management strategy, as it fosters a strong, secure, and scalable IT infrastructure that a small team of experts can manage. It can reveal possible security events quickly, reduce the likelihood of an attack, and efficiently handle easy IT requests so that the IT team can spend less time doing essential tech support. Conversely, a weak IGA infrastructure can result in overly lax permissions, an increased risk of catastrophic cybersecurity breaches, and an overextended and underutilized IT team.
What does Identity Governance involve?
Identity Governance suites generally include multiple tools and services that make managing IAM policies more manageable and secure. Some of these solutions include:
User Lifecycle Management - automating the lifecycle of everyday occurrences, such as onboarding, offboarding, or going on extended leave.
Segregation of Duties (SoD) - making rules that don’t allow dangerous combinations of permissions to be given to a single person. For example, rules that specify that a person who handles accounting shouldn’t be able to transfer funds.
Compliance - ensuring that your IT infrastructure complies with the latest data storing regulations, such as GDPR or HIPAA.
Access management - reviewing users or machines that request new permissions or access.
Role-based Access Management - giving permissions according to a user’s role within the company. For instance, quickly passing a new data scientist all the most common permissions she needs to access GPU instances.
Analytics - monitoring your IT infrastructure, both with users and in the cloud, for possible breaches, unusual behavior, or IAM errors.
Mastering Identity Governance: 7 best practices
As you can see, many pillars create a robust IGA solution. With this level of complexity, inadvertently exposing yourself to a security risk can be easy. Therefore, you must be careful when designing your processes to follow security best practices, which (luckily!) we have laid out for you.
1. Implement IAM policies based on the principle of least privilege
The Principle of Least Privilege states you should give your users and machines the bare minimum IAM permissions required to do their jobs. When this principle is adopted, a security breach is immediately limited in scope as a compromised account can only perform specific, limited actions.
This principle is essential when designing a secure IGA infrastructure because efficient processes won’t matter if the permissions you give are way too relaxed.
However, it can be challenging to adopt in practice - how do you know which set of permissions is the minimum required? For this, you can use a tool like Slauth.io, which automatically creates IAM policies for machine identities based on real-world usage logs, so you can seamlessly develop permissions that follow the least-privilege rule.
2. Implement Segregation of Duties
As mentioned earlier, Segregation of Duties (SoD) is when you don’t allow a single identity to possess dangerous combinations of permissions. You should take some time to work out which privilege pairs could constitute a security risk in your IT infrastructure.
This will depend greatly on the specifics of your organization but may focus on permissions that make financial fraud possible. For example, ensure that employees who can see sensitive personal data about your users cannot export or delete it. Furthermore, you should set up access control and automated gates that flag and deny access when these dangerous combinations are requested.
3. Invest in monitoring and auditing
On the surface, leaving a trail might seem like rather general advice for any software. However, it is also advice that is often ignored and maligned as boring, so it bears repeating.
You need strong walls on the periphery of your estate and guards patrolling the grounds (as any heist movie shows you). You can pick up security breaches and risks by monitoring your infrastructure and conducting regular audits.
4. Regularly refresh credentials
You wouldn’t be reading this article if you thought “password123” constituted a security best practice. However, this is unfortunately still far too common. You should enforce a minimum password standard among your users. Furthermore, consider mandating regular password refreshes, where users switch their passwords regularly.
But protecting your system goes much beyond reviewing passwords. Increasingly more attackers are targeting the API credentials of machine identities to access resources. Ensure you regularly update certificates and keys linked to machine identities and revoke them as soon as your resources are no longer in use. This way, leaked credentials have a limited shelf life, and the chances of security breaches are lower.
5. Automate analytics
Not only should you be investing in manual audits and monitoring, but consider adding an automated auditing tool to your stack. The reality is that your IT team will not be able to check for suspicious activity every moment of every day, but a computer will happily work 24/7 without pay or benefits. Slauth.io includes auditing capabilities for machine-based identities to ensure your resources are continuously compliant and secure.
6. Enable self-service
Supporting self-service can impact your resilience to attacks long-term. In this context, self-service allows users to do low-risk security tasks themselves without input from your IT team. For example, you could allow users to change their passwords or automatically gain low-risk privileges.
Enabling and supporting self-service can have sizeable benefits for both users and IT teams. When users can easily make beneficial security changes themselves, they are more likely to do it. Furthermore, automatic servicing frees time for IT professionals to conduct more specialized tasks, such as IAM audits.
7. Store all activity data
You must store activity for auditing when following security regulations such as PCI, HIPAA, or GDPR. You can manually keep your activity logs or use a tool such as Slauth.io, which automatically saves your organization’s IAM behavior, making it easier to prove compliance whenever requested (no late nights with the team hopelessly trying to find data).
Where to begin?
Identity governance is a vast beast covering many aspects of users' and machines' interactions. If your organization is larger than a handful of people, consider building an IGA infrastructure to mitigate risk, reduce user friction, and improve employee efficiency.
Many solutions fully manage IGA for users, machines, and IT teams. Still, it all starts with designing IAM policies that reflect the actual usage needs of your company and follow the principle of least privilege. And you don’t have to do this manually, either.
The best way to create strong IAM policies that effectively reflect user needs is by tracking the activity of your identities, which solutions like Slauth.io do. Slauth.io can automatically generate secure roles and policies based on API calls from end-to-end tests to AWS and enable you to monitor and audit them effectively. To find out more, you can get started here.