Top Benefits of Core Identity and Access Management Tools


Today’s cybersecurity environment requires layering control processes and technology tools when building or updating an Identity and Access Management (IAM) program.

Core program components include Identity Governance and Administration (IGA), Single Sign-On (SSO), Multi-factor Authentication (MFA), and Privileged Access Management (PAM) tools. Together they help companies strengthen their security posture and realize greater operational efficiency by automating many traditionally manual processes. For the best result, companies typically deploy a combination of these tools. Before you can envision how they work together, however, it is important to understand the high-level benefits of each one.

Identity Governance and Administration (IGA)

IGA tools support the proper authorization of access by facilitating approval workflows and periodic access reviews by managers and/or system owners, and by keeping a record of who holds which entitlement, who approved it, and when. Some of the benefits of implementing an IGA tool include:
  • Automation of the user lifecycle events of new hire onboarding, departmental or job title transfer, and termination. This standardizes the timely granting and removal of access, reducing both downtime for the employee and the window in which unauthorized access is possible. Transfers deserve particular attention: the entitlements of the old job must be removed, not merely added to, or users accumulate access over their careers.
  • Ability to define employee roles, the model usually referred to as Role-Based Access Control (RBAC), which streamlines access granting and removal by letting HR or hiring managers select a pre-defined bundle of entitlements tied to a job title rather than requesting each entitlement individually. Roles themselves need periodic review so they do not quietly accumulate entitlements or combine duties (such as entering and approving payments) that should be kept separate.
  • Opportunities to connect systems (e.g. financial or customer information systems) directly to the IGA tool. A connected system can be provisioned and deprovisioned automatically, and its account list can be reconciled against the HR record, which extends automation beyond granting and removal into areas such as alerting on orphaned accounts (no valid owner) or stale accounts (no recent use).
  • Automation of access certification campaigns. Not only can requests to certify access be sent automatically to the appropriate reviewers, but any removal following a reviewer’s rejection can be performed automatically when the target system is connected; for unconnected systems the tool raises a task for manual removal and tracks it to completion.
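The lifecycle automation, role-based provisioning, connected-system reconciliation and certification handling described above, as an added example in Python. This is illustrative code, not any IGA product’s implementation; the role catalogue, the identities, the connected-system account list and the 90-day staleness threshold are all constructed for the example.

```python
"""Joiner / mover / leaver automation with role-based entitlements, plus the
orphan/stale-account and certification checks a connected IGA tool performs.
Added illustration; the roles, identities and connected-system accounts below
are constructed, not taken from any product."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed role catalogue: job title -> birthright entitlements ("System.Object.Action").
ROLES = {
    "AP Clerk":      {"ERP.AP.Enter", "ERP.AP.View", "Email", "VPN"},
    "AP Manager":    {"ERP.AP.Approve", "ERP.AP.View", "Email", "VPN", "Reporting"},
    "Support Agent": {"CRM.Case.Edit", "CRM.Customer.View", "Email", "VPN"},
}
CONNECTED_SYSTEMS = {"ERP", "Email", "VPN"}   # systems the IGA tool can provision directly


@dataclass
class Identity:
    user_id: str
    job_title: str
    active: bool = True
    entitlements: set = field(default_factory=set)


def plan_joiner(ident):
    """New hire: grant every entitlement the role defines that the identity lacks."""
    return sorted(("grant", e) for e in ROLES[ident.job_title] - ident.entitlements)


def plan_mover(ident, new_title):
    """Transfer: revoke everything the new role does not justify (including ad-hoc
    grants accumulated in the old job), then grant what the new role adds.
    Revokes come first so the user never holds both roles' rights at once
    (an AP Clerk moving to AP Manager loses Enter before gaining Approve)."""
    target = ROLES[new_title]
    revokes = sorted(("revoke", e) for e in ident.entitlements - target)
    grants = sorted(("grant", e) for e in target - ident.entitlements)
    return revokes + grants


def plan_leaver(ident):
    """Termination: disable the identity, then strip all entitlements."""
    return [("disable", ident.user_id)] + sorted(("revoke", e) for e in ident.entitlements)


def apply_plan(ident, plan, new_title=None):
    """Execute a plan against the identity record (a real IGA tool would push each
    step to the target system's connector and record the outcome)."""
    for action, target in plan:
        if action == "grant":
            ident.entitlements.add(target)
        elif action == "revoke":
            ident.entitlements.discard(target)
        elif action == "disable":
            ident.active = False
    if new_title:
        ident.job_title = new_title
    return ident


def review_connected_accounts(identities, accounts, today, stale_after=timedelta(days=90)):
    """Reconcile a connected system's account list against HR identities: an account
    whose owner is unknown or inactive is an orphan; one unused for `stale_after` is stale."""
    by_id = {i.user_id: i for i in identities}
    findings = []
    for acct in accounts:
        owner = by_id.get(acct["owner"])
        if owner is None or not owner.active:
            findings.append(("orphan", acct["account"]))
        elif today - acct["last_login"] > stale_after:
            findings.append(("stale", acct["account"]))
    return findings


def certification_actions(ident, decisions):
    """Access certification: a reviewer's 'reject' becomes an automatic revoke when the
    entitlement's system is connected, otherwise a ticket for manual removal."""
    actions = []
    for ent, decision in decisions.items():
        if decision == "reject" and ent in ident.entitlements:
            system = ent.split(".")[0]
            actions.append(("revoke" if system in CONNECTED_SYSTEMS else "ticket", ent))
    return actions


def sample_findings():
    """Constructed reconciliation run: one inactive owner, one stale login, one unknown owner."""
    today = date(2024, 6, 1)
    people = [Identity("u1001", "AP Clerk"), Identity("u1002", "AP Manager", active=False)]
    accounts = [
        {"account": "svc_ap_batch", "owner": "u1002", "last_login": today - timedelta(days=2)},
        {"account": "jdoe",         "owner": "u1001", "last_login": today - timedelta(days=120)},
        {"account": "ghost",        "owner": "u9999", "last_login": today - timedelta(days=1)},
        {"account": "asmith",       "owner": "u1001", "last_login": today - timedelta(days=3)},
    ]
    return review_connected_accounts(people, accounts, today)


if __name__ == "__main__":
    u = Identity("u1001", "AP Clerk")
    apply_plan(u, plan_joiner(u))
    u.entitlements.add("CRM.Customer.View")     # ad-hoc grant picked up on the job
    print(plan_mover(u, "AP Manager"))          # revokes Enter and the ad-hoc grant first
    print(sample_findings())
```

The point to notice is in `plan_mover`: the transfer is computed as a difference against the new role, so entitlements granted outside any role are removed too, and the segregation-of-duties conflict between entering and approving payments is never open, even for a moment.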
 

Single Sign-On (SSO) and Multi-factor Authentication (MFA)

SSO and MFA tools handle the authentication of a user as they attempt to access applications or areas of the network. With SSO the user signs in once to a central identity provider, which then vouches for the user to each connected application, most commonly through a federation protocol such as SAML or OpenID Connect; for legacy applications that cannot federate, SSO products instead vault the user’s application passwords and replay them at login. Either way the user presents one credential rather than one per system. Some of the benefits of implementing an SSO/MFA tool include:
  • Increased password security. Federated applications no longer hold a user password at all, so there is nothing for them to leak; where passwords must still be vaulted, the employee only needs to remember the one master password, so the vaulted passwords can be long, unique and random, and employees are less likely to write passwords down.
  • Increased employee productivity with diminished password fatigue. Employees no longer spend time hunting for multiple passwords throughout the day, constantly resetting them, or trying to remember which password goes with which system.
  • Additional layers of security by utilizing MFA. SSO can be paired with MFA, requiring employees to confirm their identity with an additional factor beyond their username and password, e.g. a hardware token they physically hold or an authenticator app on their phone, before the SSO session is established. In practice this pairing is not optional: SSO turns the identity provider login into the key to every connected application, so that login is the one an attacker will target, and it should require MFA, preferably a phishing-resistant factor such as a FIDO2/WebAuthn security key rather than SMS or one-time codes.
 

Privileged Access Management (PAM)

PAM tools securely manage and audit access to the credentials of accounts that hold elevated rights, such as service accounts, application accounts, bot accounts, and shared administrator accounts. Some of the benefits of implementing a PAM tool include:
  • Credentials are stored in an encrypted vault and released only to authorized users. Each check-out is logged and requires a stated business justification, which produces a complete audit trail of who used which privileged account, when, and why.
  • Session monitoring. A session opened through the PAM system with a vaulted credential can be recorded by the tool, with anomalous activity highlighted and alerted on, allowing for immediate or later review by a human.
  • Automated password rotation changes vaulted account passwords on a schedule, and ideally after every check-out, without human intervention and without any person needing to know the new password. A credential exposed during a session therefore stops working as soon as it is checked back in.
 

An Additional Layer of Identity Security

Each of these tools alone contains control processes and functionality that can enhance a company’s ability to automatically monitor, detect and prevent unauthorized access. However, to provide an additional layer of identity security, an excellent strategy is to combine Identity and Access Management solutions. Layered with one another, and especially when connected directly to each other (for example, IGA provisioning the accounts that SSO authenticates and PAM vaults, and consuming the access data they produce in its certifications), these tools help companies realize the synergistic benefits of a multi-pronged approach to building a strong, secure IAM program. In subsequent posts, we will take a deep dive into each type of tool, as well as the synergistic benefits each tool provides when combined with another.

Author: Brent Robinson, IDMWORKS, Director of Strategic Assessments