Identity Access Management

Oct 23, 2023
Gaini Umarov
Evan Haas

With organizations increasingly relying on new and emerging information technologies, it’s important to establish best practices to create a functional, secure, and auditable set of services for administrators and users to carry out their responsibilities. Additionally, each user requires a unique digital identity and linked roles or permissions within the system. This idea is more widely known as identity access management (IAM).

What is Identity Access Management?

IAM is a critical business functionality that regulates user access within an information technology (IT) environment. When implemented effectively, every user is part of the IAM ecosystem and provided a unique set of credentials that restricts access to specific applications, data, and information.  

Using Multi-Factor Authentication to Verify Users 

Identity management is the part of IAM that validates entities and the access granted to them within a network system. It involves authenticating each user to the system with credentials assigned to them, such as passwords, PINs, and certificates.

Properly configured identity management makes individual actions and permissions easy to track. Combining multi-factor authentication (MFA) with single sign-on (SSO) means users must validate their identity with more than one factor, typically on different devices, while a single set of credentials applies across all systems.

MFA gives individuals stronger account security, which strengthens identity management. SSO lets individuals access services within an organization through a single account service and simplifies user access reviews by tying accounts to that one service. When an account is deactivated, SSO ensures that the individual’s restricted access applies to all services. Together, the two make user accounts significantly harder to breach and make internal reviews of access within the system more consistent.

Access Control to Protect Assets 

IAM should effectively track access for individual employees, contractors, vendors, and sub-service providers within an organization, with the various roles and responsibilities assigned appropriately. Microsoft’s Active Directory for Windows operating systems is a well-known example of how access control is maintained.

Active Directory is a directory service that allows for administrators within an organization to assign users to appropriate permission groups, while having easy access to view the user listings and monitor them. The information is updated on a continuous basis as individuals may join, transfer, or leave the company.

The protection of these assets has become ever more important as bad actors continuously become more adept at finding and targeting exploitable vulnerabilities on corporate networks. Victims of these exploitations range from small businesses to Fortune 500 companies. IAM has therefore become essential for IT departments, because it allows them to securely assign and restrict access on an ongoing basis.

Directories for identity management vary. On-premises directories such as Active Directory are often used and have the benefit of giving organizations full control over the system and how it is configured. Cloud-based services such as Azure are more scalable and secure because the environment is configured remotely by a specific software company (Microsoft in this case).

Establishing Role-Based Access

Role-based access control is used to assign permissions to users based on their responsibilities within the organization. In an efficiently managed system, permissions are grouped into roles for the various positions in an organization, and those roles are then assigned to incoming personnel. Instead of each user having individual permissions assigned, role-based access control grants the user a specific set of permissions based on their role within the company. For example, a newly joined accounting staff member would be assigned to the accounting staff group role, in which all accounting staff are given view and edit permission for client documentation but are prohibited from any sort of document deletion or other administrative actions.

As the organization matures, these group roles often become more complex. To continue the example, one accounting staff group role might have access only to accounts payable documentation, while a separate group role has access to accounts receivable documentation. Roles used this way enforce checks and balances that strengthen the integrity of the system.

Authorization in Identity Access Management 

The process of access management involves authorizing users: assigning their job role and title, determining whether they need privileged or administrative access, and granting specific authorization for any specialized role. These permissions typically adhere to the principle of least privilege, which holds that users should only have access to the data and information essential for completing their duties.

Authorization is carried out by a technical team, either internal or outsourced, that is tasked by the human resources department or associated management with assigning permissions after a hire or transfer. When a user is terminated or transferred, human resources submits a request to have the user’s groups removed, effectively deprovisioning them from the system.

In some cases the user is completely removed from the system; in other cases the user is restricted to view-only permissions while their account access is cut off entirely by changing the user’s credentials (an identity management step).
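As an added illustration (not code from the article), the accounting example above and the deprovisioning and access review steps can be modelled with a small role-based access control check. The role names and permission strings are assumptions constructed for this example, as is the sample user data.

```python
"""Minimal role-based access control model with deprovisioning and access review.

Constructed illustration: roles bundle permissions, users gain permissions only
through their roles, and stripping a user's roles is what deprovisions them."""
from dataclasses import dataclass, field

# Assumed role definitions: accounting staff may view/edit but never delete;
# AP and AR are separate roles so one person does not see both (checks and balances).
ROLES = {
    "accounting_staff":    {"client_docs:view", "client_docs:edit"},
    "accounts_payable":    {"ap_docs:view", "ap_docs:edit"},
    "accounts_receivable": {"ar_docs:view", "ar_docs:edit"},
    "accounting_admin":    {"client_docs:view", "client_docs:edit",
                            "client_docs:delete", "ap_docs:view", "ar_docs:view"},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True

def effective_permissions(user):
    """Union of the permissions of every role the user holds; none once deactivated."""
    if not user.active:
        return set()
    return set().union(*(ROLES[r] for r in user.roles))

def is_authorized(user, resource, action):
    """Default-deny check: a permission counts only if some assigned role grants it."""
    return f"{resource}:{action}" in effective_permissions(user)

def assign_role(user, role):
    """Only predefined roles can be assigned; no ad-hoc per-user permissions."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    user.roles.add(role)

def deprovision(user):
    """Termination or transfer: remove every role and deactivate the account."""
    user.roles.clear()
    user.active = False

def access_review(users):
    """Report for a periodic user access review: who holds what, via which roles."""
    return {u.name: {"active": u.active, "roles": sorted(u.roles),
                     "permissions": sorted(effective_permissions(u))} for u in users}

# Constructed sample data: a new hire in accounts payable and an admin.
alice = User("alice"); assign_role(alice, "accounting_staff"); assign_role(alice, "accounts_payable")
bob = User("bob"); assign_role(bob, "accounting_admin")
```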

Identity Access Management Improving Self-Governance

When an organization implements proper identity access management, governance is an important factor to consider. Larger organizations undergo strict scrutiny for compliance to minimize the risk of a data breach, leak, or any sort of intrusion into the system. Typically, the easier it is for an organization to understand and follow its own guidelines, the easier it is for regulatory and advisory services to ensure the IAM solution is sound.

To maintain the integrity of the organization, policies and reports are produced for identity access management as part of the internal controls established. Definitions for group roles, policies and procedures for adding, transferring, and removing users, and periodically generated reports of users within the system all help provide self-governance for an organization’s IAM system. Reports reviewed for accuracy by upper management give a stronger indication of a functional access system that is being actively monitored.

Audit Capabilities and Tracking

Management should perform periodic user access reviews to ensure that users within a system have appropriate roles and responsibilities assigned, and should document the review procedures. Additionally, users seeking additional permissions for specific tasks should request them in a documented form, with permission granted by management.

Ticketing software, such as Jira Service Desk and YouTrack, is often utilized for user access reviews and further permission matters, which is a convenient method to document identity access management. Ticketing software allows for categorization and organization of issues related to user access, as well as clear evidence of authorization from management when needed. The nature of the software as a ticketing service ensures the procedures performed with the issue are documented, which further strengthens the integrity of user access procedures.

Getting Started with Identity Access Management

With proper restrictions on authentication and authorization, organizations can expect a secure environment in which users are granted access based on their role in the organization. IAM is critical to the defense of a user access system, and companies’ reliance on IAM will only increase as technology continues to evolve. Implementing an IAM solution that aligns with an organization’s needs is pivotal to the success of the organization’s internal cyber structure.

Gaini Umarov

Gaini Umarov is a Senior Manager in the firm. With over 10 years of experience in IT and business advisory services, Gaini is a Subject Matter Expert in SOX compliance, related SEC IT and Cybersecurity regulations and works closely with Public Companies from the SaaS, Fintech, Insurance and Biotech industries.

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.