This article addresses
a key concern that organizations of all sizes must contend with: the lack of
effective Identity and Access Management (IAM) processes. Without a robust IAM
system an organization risks severe consequences, including loss of data
confidentiality, integrity, and even availability. This can inflict irreparable
harm on the organization's reputation, erode investor confidence, attract
financial penalties from regulators and, in some cases, leave the organization
unable to continue operating. An IAM strategy has never been more important to
the success of an organization than it is today.

What is IAM?
According to
Gartner, identity and access management is
the security discipline that enables the right individuals to access the right
resources at the right times for the right reasons and then over time being
able to prove it. IAM addresses the
mission-critical needs to ensure appropriate access to resources across
increasingly heterogeneous technology environments, and to meet increasingly
rigorous compliance requirements. This security practice is a crucial
undertaking for any enterprise. It is increasingly business-aligned, and it
requires business skills, not just technical expertise.

IAM is a broad area, and an IAM system has multiple components, which can be
further divided:
Provisioning (or on-boarding) - IAM
life cycle, inbound/outbound provisioning of user accounts, just-in-time
provisioning and approval workflows.
Access control (or
authorization) - role-based access control (RBAC) and operating-system level
access control.
Identity
federation - single
sign on, single log out, session management and attribute sharing.
This is never a
complete list, and it will keep growing.

Despite awareness, education, and training, it is surprising how many
organizations miss the mark on the effective design, implementation, and
operation of internal controls for their IAM processes, and therefore receive
audit findings on those processes year after year.

As IT auditors become more aware of the threats posed by unmanaged identities,
organizations will face increasing pressure to bring these powerful logins under
control. Here are the most common IAM audit findings:
Inappropriate access/
Separation of duties
Lack of regular reviews &
approvals
Excessive number of
administrators/privileged users
Role based access not fully
implemented
No clear Information owner
Decentralized IAM functions
Terminated users still active
Shared accounts / Service accounts
/ Duplicate user IDs
Insecure password storage (e.g. service-account
passwords kept in a plain-text file)
Lack of formal procedures
Decentralized security administration
(inefficient and inconsistent)
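As an added illustration (example code written for this page, not part of the original article or of any IAM product), the Python script below runs several of these checks over a constructed identity export: terminated users still enabled, dormant and expired accounts, segregation-of-duties conflicts, one person holding several user IDs, and an excessive share of administrators. The role names, the 90-day dormancy threshold, the 10% admin ratio and every record in the sample are assumptions made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional

TODAY = date(2024, 6, 1)  # assumed review date for the constructed sample


@dataclass(frozen=True)
class Account:
    user_id: str
    email: str                 # used to spot one person holding several IDs
    hr_status: str             # "active" or "terminated", as reported by the HR feed
    enabled: bool              # whether the account can still log in
    last_login: Optional[date]
    roles: FrozenSet[str]
    expires: Optional[date] = None   # auto-expiry for ad-hoc/training accounts, if set


# Hypothetical role pairs that one person must never hold together (classic
# purchase-to-pay and journal-entry conflicts); real names come from the business.
SOD_CONFLICTS = (
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
)
ADMIN_ROLES = frozenset({"admin"})


def audit(accounts: Iterable[Account], today: date, dormant_days: int = 90,
          max_admin_ratio: float = 0.10) -> Dict[str, List[str]]:
    """Return {finding: sorted user_ids} for the common audit findings above."""
    accounts = list(accounts)
    findings: Dict[str, List[str]] = defaultdict(list)
    by_email: Dict[str, List[str]] = defaultdict(list)
    cutoff = today - timedelta(days=dormant_days)
    admins: List[str] = []
    for a in accounts:
        if a.hr_status == "terminated" and a.enabled:
            findings["terminated_still_active"].append(a.user_id)
        if a.enabled and (a.last_login is None or a.last_login < cutoff):
            findings["dormant"].append(a.user_id)          # "ghost" account
        if a.enabled and a.expires is not None and a.expires < today:
            findings["expired_still_enabled"].append(a.user_id)
        if any(pair <= a.roles for pair in SOD_CONFLICTS):
            findings["sod_conflict"].append(a.user_id)
        if a.roles & ADMIN_ROLES:
            admins.append(a.user_id)
        by_email[a.email.lower()].append(a.user_id)
    for ids in by_email.values():
        if len(ids) > 1:                                    # same person, several IDs
            findings["duplicate_identity"].extend(ids)
    if accounts and len(admins) / len(accounts) > max_admin_ratio:
        findings["excessive_admins"].extend(admins)
    return {k: sorted(v) for k, v in findings.items()}


def sample_accounts(today: date = TODAY) -> List[Account]:
    """Constructed identity export; every record is made up for this example."""
    def d(days: int) -> date:
        return today - timedelta(days=days)
    return [
        Account("alice", "alice@example.com", "active", True, d(3), frozenset({"payment_approve"})),
        Account("bob", "bob@example.com", "terminated", True, d(40), frozenset({"vendor_create"})),
        Account("carol", "carol@example.com", "active", True, d(200), frozenset({"report_read"})),
        Account("dave", "dave@example.com", "active", True, d(1),
                frozenset({"vendor_create", "payment_approve"})),
        Account("erin.j", "erin@example.com", "active", True, d(5), frozenset({"report_read"})),
        Account("ejones", "Erin@example.com", "active", True, d(2), frozenset({"report_read"})),
        Account("frank", "frank@example.com", "active", True, d(1), frozenset({"admin"})),
        Account("grace", "grace@example.com", "active", True, d(1), frozenset({"admin"})),
        Account("training01", "training@example.com", "active", True, None,
                frozenset({"report_read"}), expires=d(10)),
    ]


def run_sample() -> Dict[str, List[str]]:
    return audit(sample_accounts(), TODAY)


if __name__ == "__main__":
    for finding, ids in run_sample().items():
        print(f"{finding}: {', '.join(ids)}")
```

In practice the HR status comes from the HR system of record and the account data from the directory or application export; the value of the script is that it joins the two, which is exactly the join that "terminated users still active" findings show is not being done.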
12 Best Practices from an
Auditor’s view:
Lack of formal procedures
- Formal procedures (including
change management) should be developed, clearly identifying roles,
accountabilities, responsibilities, and turnaround time to complete
activities, such as, account provisioning, account disablement, account
suspension, etc.
Non-formalized user review
process - A formalized process has a
higher probability of actually taking place than an informal, ad-hoc one.
Organizations should schedule periodic user reviews that engage the data and
system owners across the organization. The owners should review the full list
of users, validating that each account is current, that its privileges and
attributes are correct, and that continued access to the system or application
is still needed. Every review should conclude with formal management sign-off,
and the documentary evidence should be retained and archived for management
purposes, including audit.
Unable to manage
infrequently used accounts - Sometimes
it is necessary to create and maintain accounts for system maintenance
and/or training purposes. Because they are used so rarely, these accounts
often turn into 'ghost accounts', opening the door to abuse. If such accounts
are absolutely necessary, it is best practice to disable them promptly after
use or to set an auto-expiry date. A disabled account can be re-enabled when it
is next required.
Improper Segregation of
Duties (SOD) - Due
diligence should be performed when developing roles and assigning
responsibilities to those roles. Roles should be segregated by
responsibilities, and independent of each other, to avoid any possible
conflict of interest.
Establish MFA For Remote
Workers, Partner Resources and Privileged Users - Implement multi-factor
authentication (MFA) for remote workers, for partner and vendor accounts, and
for privileged users who access sensitive data or resources. MFA requires the
user to present an additional factor (such as a hardware token or a one-time
password) along with their normal credentials, so a stolen or guessed password
alone is not enough to log in.
Outline Policies for
Privileged Access To Key Systems - Ensure
the policies are as specific as possible (time-bound access, dual-control
authorization, password modifications) and as granular as possible (down to
session- and command-level policies).
Security Monitoring and
Alert Communication - Proactive
monitoring of account activity helps detect intentional or unintentional
unauthorized access. Findings should be sent immediately to the responsible
team as alerts.
Manage Generic User
Accounts - Organizations should refrain
from creating and using generic (shared) accounts. They are normally created
for training and/or vendor maintenance purposes, but their shared nature means
the audit trail cannot attribute an action to an individual, so non-repudiation
is lost and their use should be discouraged. If such accounts are absolutely
necessary, administrators should change ALL default settings associated with
them, default passwords in particular.
Enforce Privileged Account
Lifecycle Process - Privileged
account creation, modification and deletion should be handled through a
well-established process. As far as possible, the system should be automated
to act on such requests once the necessary approvals are in place. It is good
practice to create privileged accounts with a predefined expiry period when
they are created for ad-hoc work.
Least Privilege = Securing
Your Data - When
setting up roles and permissions, IAM professionals should follow the
principle of least privilege: give each person only the minimum access they
need to do their job. Insider threats are limited when they cannot reach
sensitive data. By granting only what each person needs, and continuously
monitoring accounts that have access to sensitive data or business-critical
applications, you focus attention on the riskiest identities and improve your
organization's security posture.
Assign Appropriate User
Privileges - When a
user requires access to data set(s), validate the type of access (Read,
Write, Modify) required by the user, the scope of access required by the
user, the duration for which user access is required, and segregation of
duties to avoid any possible conflict of
interest.
Failing to maintain proper
documentation - Organizations
should produce and retain documentary evidence of all account
administration and usage activities for management purposes, including but
not limited to audit requirements.
Finally, it is
important to understand that technology is only an 'enabler'.
The first step should be to develop an understanding of the business needs and
critical assets, and then determine how technology can be applied to safeguard
those critical assets in line with business needs.

These best practices can be used to address the challenges; however, it remains
management's prerogative to develop an effective IAM strategy, and to empower
staff to design, implement, and operate internal controls that safeguard
critical organizational assets.