Identity Access Management (IAM) is a critical step in the process of securing company resources, while allowing users enough access to get the job done. Accessing data is only one component of identity and access management. Once a user has access to data, what should they be able to do with it? Should a user be able to modify or delete it? Should they be able to FTP it off to another site outside the company?
According to Steve Jensen, VP/CISO of Carlson Wagonlit Travel, there are four reasons to undertake an IAM project: regulatory compliance, enhancing security, making security operations more efficient, and making it easier for business units to interact with security.
Jensen has outlined the following 10-step program for a successful IAM project.
1. Establish an identity warehouse of access privileges that incorporates password self-service functionality. Platform coverage should be a key factor in the purchasing decision, as well as the ability to incorporate directory services.
2. Either build or purchase a role management product that meets business requirements, giving users the access they need but no more. At a minimum, the product should include role management, role mining, and role attestation.
3. Define entitlements based on business terms, then map one or more access groups to the application entitlements by leveraging documentation, comments and description fields. Combine like groups that have been applied on multiple platforms.
4. Have business managers validate that assignments of application functionality to users are correct.
5. Establish a request system in which changes to users’ access rights are requested by application entitlement instead of in IT group lingo. Ensure that a granular review process of access rights is available.
6. Create enterprise roles that can be applied across departments to multiple users. Role ownership should be assigned, usually to a specific manager. Workers can be assigned multiple enterprise roles.
7. Validate the assignments of enterprise roles to users, and provide drill-down review capabilities to entitlements.
8. Change your request system to request enterprise roles instead of or in addition to application entitlements. Ensure a granular review process of access rights is available.
9. Provide mutually exclusive entitlements and roles that do not allow a person to have both, thus avoiding potential conflicts of interest.
10. Apply IAM to customers, suppliers and business partners through an automated self-service process.
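The steps on enterprise roles and on mutually exclusive entitlements and roles interact: because a worker can hold several enterprise roles, a conflict can appear at the entitlement level even when no two of the roles are themselves declared exclusive. The following is an added example, not part of Jensen's program or any product; all role, entitlement and user names are constructed for illustration, and the data model (roles as sets of entitlements, exclusions as unordered pairs) is an assumption.

```python
from itertools import combinations

# Constructed sample data (hypothetical names, not from the article).
ROLE_ENTITLEMENTS = {
    "AP Clerk": {"invoice.create", "vendor.view"},
    "AP Approver": {"invoice.approve", "vendor.view"},
    "Vendor Admin": {"vendor.create", "vendor.view"},
    "Travel Agent": {"booking.create"},
}
# Mutually exclusive pairs, declared at the role level and the entitlement level.
EXCLUSIVE_ROLES = {frozenset({"AP Clerk", "AP Approver"})}
EXCLUSIVE_ENTITLEMENTS = {
    frozenset({"invoice.create", "invoice.approve"}),
    frozenset({"vendor.create", "invoice.approve"}),
}
USER_ROLES = {
    "alice": {"AP Clerk", "Travel Agent"},
    "bob": {"AP Clerk", "AP Approver"},
    "carol": {"Vendor Admin", "AP Approver"},
}

def effective_entitlements(roles):
    """Map each entitlement to the set of roles that grant it (drill-down)."""
    granted = {}
    for role in roles:
        for ent in ROLE_ENTITLEMENTS.get(role, ()):
            granted.setdefault(ent, set()).add(role)
    return granted

def find_conflicts(user, user_roles=USER_ROLES):
    """Return (level, item_a, item_b, granting_roles) tuples for one user."""
    roles = user_roles.get(user, set())
    conflicts = []
    for a, b in combinations(sorted(roles), 2):
        if frozenset({a, b}) in EXCLUSIVE_ROLES:
            conflicts.append(("role", a, b, ()))
    granted = effective_entitlements(roles)
    for a, b in combinations(sorted(granted), 2):
        if frozenset({a, b}) in EXCLUSIVE_ENTITLEMENTS:
            via = tuple(sorted(granted[a] | granted[b]))
            conflicts.append(("entitlement", a, b, via))
    return conflicts

def would_conflict(user, new_role):
    """Pre-grant check for a request system: conflicts the new role would add."""
    proposed = {user: USER_ROLES.get(user, set()) | {new_role}}
    before = {c[:3] for c in find_conflicts(user)}
    return [c for c in find_conflicts(user, proposed) if c[:3] not in before]
```

In the sample data, carol holds no pair of exclusive roles, yet the check reports an entitlement-level conflict reached through two different roles, which is the case a role-only exclusion list would miss.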