Access management

With organizations shifting their vital assets en masse from physical data centers to cloud infrastructures for better accessibility, and with some straddling both, it is important to ensure that the right people have access to business-critical resources at the right times. To overcome this challenge, companies must authenticate, authorize, monitor, and audit users' permissions to access important assets based on their needs and roles. To accomplish all these tasks, organizations must leverage access management.

Let's start with the question: What is access management? It is an IT governance framework comprising tools, techniques, and technologies that enable the authentication, delegation, and monitoring of users' access to an organization's resources. With access management systems in place, IT and administrative teams can ensure that the right user, with the appropriate attributes and job role, gets access to the right resource for the right period.

Access management techniques

Access management has become a necessary task for organizations due to the shift of resources to hybrid environments. Like every cybersecurity strategy, access management is a blend of techniques used to create and maintain a user's access-based privileges. The tools and techniques required to implement access management include:

User provisioning and deprovisioning

User provisioning relates to the onboarding process where a user's profile is created along with their necessary credentials and controls. Provisioning also involves accommodating changes to access privileges based on context (i.e., when an employee undergoes role-based changes within an organization).

A user's credentials must undergo deprovisioning as part of the offboarding process when the user’s association with the organization, and thus their identity life cycle, ends. Deprovisioning plays an integral part in preventing the stagnation of orphaned accounts, which can be potential threat vectors allowing attackers to infiltrate networks.
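The offboarding check described above, as an added example that is not part of the original article: a directory export is reconciled against the HR roster so that enabled accounts whose owner has left are disabled, and accounts with no owner or long idle periods are queued for review. The directory entries, employee IDs and the 90-day idle threshold are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed directory export: each account is bound to an employee id,
# or to nothing at all in the case of a service account.
@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]   # None = no human owner recorded
    last_login: date
    enabled: bool

DIRECTORY = [
    Account("alice", "E100", date(2020, 6, 1), True),
    Account("bob", "E101", date(2020, 2, 14), True),       # bob has left the company
    Account("svc-backup", None, date(2019, 11, 3), True),  # unowned service account
    Account("carol", "E102", date(2019, 12, 20), True),    # still employed, but idle
    Account("dave", "E103", date(2020, 1, 5), False),      # already disabled
]

# Constructed HR roster of employee ids that are still active.
ACTIVE_EMPLOYEES = {"E100", "E102"}


def find_orphaned_accounts(directory, active_employees, today, idle_days=90):
    """Return {username: reason} for every enabled account that needs action.

    Reasons, in order of precedence: 'no owner', 'owner offboarded', 'idle'.
    Disabled accounts are skipped; they have already been deprovisioned.
    """
    findings = {}
    for acct in directory:
        if not acct.enabled:
            continue
        if acct.owner_id is None:
            findings[acct.username] = "no owner"
        elif acct.owner_id not in active_employees:
            findings[acct.username] = "owner offboarded"
        elif today - acct.last_login > timedelta(days=idle_days):
            findings[acct.username] = "idle"
    return findings


def deprovision(directory, findings):
    """Split findings into accounts to disable now and accounts to send for review.

    An account whose owner was offboarded is disabled immediately; unowned or
    idle accounts may be legitimate (e.g. a backup service), so they go to a
    reviewer instead of being disabled blindly.
    """
    disabled, review = [], []
    for acct in directory:
        reason = findings.get(acct.username)
        if reason == "owner offboarded":
            disabled.append(acct.username)
        elif reason:
            review.append(acct.username)
    return disabled, review


if __name__ == "__main__":
    found = find_orphaned_accounts(DIRECTORY, ACTIVE_EMPLOYEES, date(2020, 6, 15))
    print(found)
    print(deprovision(DIRECTORY, found))
```

Running the reconciliation on a schedule, rather than only at offboarding time, also catches accounts whose HR record changed without a ticket ever reaching the directory team.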

Authentication

Authentication is a major part of identity management and is the step that precedes authorization. IT administrators must confirm the identities of users, ensuring they are who they claim to be. Authentication happens with the verification of a user's credentials, which can be of the following types:

  • Knowledge factors: These are credentials that only a user knows, such as passwords, PINs, and the answers to security questions.
  • Possession factors: These credentials prove control of something the user has, such as a one-time password (OTP) delivered to a designated mobile number.
  • Inherence factors: These are based on the biological characteristics of a user, including biometric credentials such as fingerprints, retina patterns, and voice and facial recognition.
  • Location factors: Administrators can verify the user's location as a credential to delegate access.

Authentication used to depend heavily on passwords for verification, but as cyberattacks became more dynamic, these traditional methods required another layer of protection. This requirement led to multi-factor authentication (MFA), in which, upon password verification, the login window also asks the user to provide an additional credential, which can be either a possession- or inherence-based factor.

Another mechanism that can be combined with other authentication methods in MFA is token-based authentication, in which, once the user's identity has been verified, the user receives a cryptographically signed message with an expiration time, known as a token. The user can operate within the network until the session ends, which coincides with the expiration of the token.

Another much-sought evolution of verification systems is risk-based authentication, which lets the system raise the stringency of authentication in step with the potential security risk a user brings into the network (for example, in BYOD and remote-work environments).
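The two mechanisms described in the preceding paragraphs, as an added example that is not part of the original article: `required_factors` implements the risk-based step-up (more factor types are demanded as risk signals accumulate), and `issue_token`/`verify_token` implement an HMAC-signed token that carries its own expiry and is rejected once tampered with or expired. The risk signal names, the demo secret and the time values are constructed for illustration; a real deployment would load the key from a secrets manager.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder; a real deployment uses a managed, rotated key.
SECRET = b"constructed-demo-secret"


def required_factors(signals):
    """Risk-based authentication: decide which factor types a login must present.

    `signals` is a dict of hypothetical risk indicators. A plain login needs a
    knowledge factor; unmanaged devices or unfamiliar locations add a possession
    factor; privileged accounts must present all three types.
    """
    factors = {"knowledge"}
    if signals.get("unmanaged_device") or signals.get("new_location"):
        factors.add("possession")
    if signals.get("privileged_account"):
        factors.update({"possession", "inherence"})
    return factors


def authenticate(presented, signals):
    """Grant only when every required factor type has been verified."""
    return required_factors(signals) <= set(presented)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def issue_token(user, ttl_seconds, now=None):
    """Return 'payload.signature' where payload carries subject and expiry."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": user, "exp": int(now + ttl_seconds)}, separators=(",", ":"))
    payload = _b64(body.encode())
    sig = _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())
    return (payload + b"." + sig).decode()


def verify_token(token, now=None):
    """Return the subject if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.encode().split(b".")
    except ValueError:
        return None  # malformed: wrong number of segments
    expected = _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered payload or forged signature
    padded = payload + b"=" * (-len(payload) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    if now >= data["exp"]:
        return None  # session ended: token expired
    return data["sub"]


if __name__ == "__main__":
    print(required_factors({"unmanaged_device": True}))
    tok = issue_token("alice", ttl_seconds=900)
    print(tok, verify_token(tok))
```

The session lifetime is bounded by the `exp` claim rather than by server state, which is why the verifier checks expiry on every request; a stolen token is useless after `ttl_seconds` even if it is never explicitly revoked.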

Authorization

After authentication, administrators provide users with access to network resources according to their role-based requirements coupled with other contextual factors (such as their designation, endpoint risk, and geolocation). Authorization minimizes the risk of exposing on-premises and cloud resources to potential threat actors by regulating users' access privileges. Authorization controls can be implemented across an organization by performing these two tasks:

  1. Define an access control policy.
  2. Enforce the policy.

Apart from regulating the flow of incoming traffic, an access control policy sets clear goals for authorization systems by determining safe practices that are permissible for users within the organizational network. Policy enforcement involves granting or rejecting users' actions and ensuring that users stay compliant with the security guidelines.

Some of the most prominently used access control policies include:

  • Discretionary access control (DAC): DAC is a strategy in which users are granted access based on a predefined set of rules, usually created by the owners of the critical resources. DAC leverages access control lists (ACLs) and capability tables to authorize users. An ACL lists, for a given asset, the users and their level of access to it.
  • Mandatory access control (MAC): Used by governmental institutions across the world, MAC is a hierarchical mechanism in which access controls are granted by a central authority. In MAC, resources (such as documents, operating systems, and kernels) are protected in accordance with their sensitivity levels (denoted by security labels). Users can only access resources that are entitled to them based on their information security clearance.
  • Role-based access control (RBAC): In RBAC, access rights are granted to a user according to their designation, or role, within their organization by applying role engineering. According to NIST, a role is the collection of permissions held by a user and can be determined by several factors, which include the user's designation and competency. This ensures that access control is judiciously distributed among users based on their responsibilities. For instance, a C-level executive has access to more sensitive resources than an entry-level associate.
  • Rule-based access control: According to this policy, access is shared among users based on a predefined set of rules, mostly set by the IT administrators and other entities who govern or own the network. Like DAC, rule-based access control refers to ACLs before assigning access privileges to a user.
  • Attribute-based access control (ABAC): ABAC is an authorization mechanism that grants and manages access after examining the attributes associated with users. These attributes can be based on action, context, the resource assigned to the particular user, and aspects of the user's identity profile.
  • Privileged access management (PAM): With the advent of edge-based security services, such as Zero Trust network architecture and Secure Access Service Edge, hybrid environments can now use the principle of least privilege (PoLP), which is based on the assumption that every user or entity operating within a network is a potential threat actor. PAM uses the PoLP to grant functional access privileges that are sufficient for users to perform their operations while also monitoring user accounts with elevated privileges (C-level executives, for instance).
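The two-step model above (define a policy, then enforce it) and three of the policy types in the list, as an added example that is not part of the original article: `dac_decision` consults an owner-maintained ACL, `rbac_decision` resolves a user's roles to permissions, and `abac_decision` evaluates user, resource and context attributes. `enforce` is the enforcement point and applies deny-overrides, so a request must pass every selected policy. The users, resources, roles, attribute names and context keys are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    action: str                      # "read" or "write"
    resource: str
    context: dict = field(default_factory=dict)  # e.g. {"device_managed": True}


# --- DAC: the resource owner maintains an ACL per asset ----------------------
ACL = {
    "q3-forecast.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
}


def dac_decision(req):
    return req.action in ACL.get(req.resource, {}).get(req.user, set())


# --- RBAC: roles collect permissions; users are assigned roles ---------------
ROLE_PERMISSIONS = {
    "finance-analyst": {("read", "ledger"), ("write", "ledger")},
    "auditor": {("read", "ledger")},
}
USER_ROLES = {"alice": {"finance-analyst"}, "carol": {"auditor"}}


def rbac_decision(req):
    roles = USER_ROLES.get(req.user, set())
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    return (req.action, req.resource) in perms


# --- ABAC: rules over user, resource and context attributes ------------------
USER_ATTRS = {
    "alice": {"dept": "finance", "clearance": 2},
    "carol": {"dept": "audit", "clearance": 1},
}
RESOURCE_ATTRS = {"ledger": {"dept": "finance", "sensitivity": 2}}


def abac_decision(req):
    user = USER_ATTRS.get(req.user)
    res = RESOURCE_ATTRS.get(req.resource)
    if user is None or res is None:
        return False  # unknown subject or object: deny by default
    # Context rule: no access at all from an unmanaged endpoint.
    if not req.context.get("device_managed", False):
        return False
    # Clearance must meet the resource's sensitivity for any access;
    # writes additionally require the user to be in the owning department.
    if user["clearance"] < res["sensitivity"]:
        return False
    if req.action == "write":
        return user["dept"] == res["dept"]
    return True


POLICIES = {"dac": dac_decision, "rbac": rbac_decision, "abac": abac_decision}


def enforce(req, policies=("rbac", "abac")):
    """Policy enforcement point: allow only if every selected policy allows.

    Returns (allowed, per-policy decisions) so the denial reason is auditable.
    """
    decisions = {name: POLICIES[name](req) for name in policies}
    return all(decisions.values()), decisions


if __name__ == "__main__":
    managed = {"device_managed": True}
    print(enforce(Request("alice", "write", "ledger", managed)))
    print(enforce(Request("carol", "read", "ledger", managed)))
```

Note how carol's RBAC role permits reading the ledger but the ABAC clearance rule denies it; returning the per-policy decisions alongside the verdict is what makes such conflicts visible during an audit rather than silently producing a deny.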

IAM: The present and future of access management

With legacy verification tools becoming inadequate for accommodating the growing number of devices and vendor applications within networks, authentication has become more reliant on identity- and entity-based attributes. The need for networks to delegate access based on a more granular user profile has given rise to identity and access management (IAM).

With IAM, a user receives permissions to access resources only on the basis of their role. Additionally, IAM leverages federated identity, enabling a user to maintain a single identity profile for access across a multitude of applications using single sign-on (SSO). Auditing of user behavior and access privileges is made easier with the combined deployment of behavior-based tracking solutions—like security information and event management (SIEM)—and user and entity behavior analytics (UEBA) tools.

The most common types of IAM include:

Customer (or consumer) IAM (CIAM)

A confluence of cybersecurity, user experience, and data analytics, CIAM enables organizations to authenticate, authorize, and manage the identities of end users while accessing solutions. Apart from delivering a secure environment for customers, CIAM can aid the personalization of the user experience by allowing organizations to map the customers' online behavior.

Employee (or enterprise) IAM (EIAM)

Also known as workforce IAM, this protocol applies IAM capabilities to secure the operational end of organizations: employees, internal users, and business-critical resources housed in on-premises and cloud environments. EIAM services include:

  • Life cycle management: Life cycle management provides end-to-end services pertaining to an employee's digital identity, from onboarding their profile to maintaining their access requests based on contextual demands, enabling directory services, and offboarding their account during termination.
  • Authentication: Authentication involves confirming an employee's identity with methods such as MFA, 2FA, SSO, and other risk- and context-aware techniques to determine the stringency needed for verification.
  • Authorization: Authorization involves configuring employee permissions to use resources and solutions based on the requirements of their work or designation. Authorization tools include cryptographically signed artifacts (such as JSON Web Tokens, and SAML and TLS digital certificates) and protocols and identifiers (such as LDAP and IP addresses), which are used to establish connections between two parties in a network.
  • Auditing: During auditing, an employee's digital footprint is recorded using UEBA- and SIEM-powered tools to ensure productivity and monitor any suspicious user or device behavior.
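The auditing step above, as an added example that is not part of the original article: a small UEBA-style pass over authentication events that flags successful logins from a country outside the user's baseline, logins outside working hours, and a success that follows a burst of failures. The log format, the events, the per-user geo baseline and the thresholds are all constructed for illustration and do not come from any product.

```python
import re
from collections import defaultdict

# Constructed sample of authentication events (not from any real system).
LOG = """\
2020-06-15T09:02:11Z user=alice src=10.0.0.5 geo=IN result=success
2020-06-15T09:15:40Z user=bob src=10.0.0.9 geo=IN result=success
2020-06-15T22:47:03Z user=alice src=203.0.113.7 geo=DE result=success
2020-06-15T23:01:10Z user=bob src=10.0.0.9 geo=IN result=failure
2020-06-15T23:01:14Z user=bob src=10.0.0.9 geo=IN result=failure
2020-06-15T23:01:19Z user=bob src=10.0.0.9 geo=IN result=failure
2020-06-15T23:01:25Z user=bob src=10.0.0.9 geo=IN result=failure
2020-06-15T23:01:31Z user=bob src=10.0.0.9 geo=IN result=success
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)

# Constructed baseline: countries each user logged in from during a prior period.
BASELINE_GEO = {"alice": {"IN"}, "bob": {"IN"}}


def parse(log):
    """Parse the constructed log format into a list of event dicts; skips malformed lines."""
    return [m.groupdict() for m in map(LINE.match, log.splitlines()) if m]


def audit(events, baseline, work_hours=(8, 19), burst_threshold=3):
    """Return a list of (user, finding) tuples in the order they were detected.

    work_hours is a half-open [start, end) range of UTC hours; a success that
    follows burst_threshold or more consecutive failures by the same user is
    reported as a possible guessed or sprayed password.
    """
    findings = []
    consecutive_failures = defaultdict(int)
    for e in events:
        hour = int(e["ts"][11:13])  # timestamps are UTC ISO-8601 in this format
        success = e["result"] == "success"

        if success and e["geo"] not in baseline.get(e["user"], set()):
            findings.append((e["user"], "login from new geo " + e["geo"]))
        if success and not (work_hours[0] <= hour < work_hours[1]):
            findings.append((e["user"], "off-hours login"))

        if not success:
            consecutive_failures[e["user"]] += 1
        elif consecutive_failures[e["user"]] >= burst_threshold:
            n = consecutive_failures[e["user"]]
            findings.append((e["user"], f"success after {n} failures"))
            consecutive_failures[e["user"]] = 0
        else:
            consecutive_failures[e["user"]] = 0
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse(LOG), BASELINE_GEO):
        print(f"{user}: {finding}")
```

Each finding names the user and the rule that fired, which is the minimum a reviewer needs to decide whether to step up that user's authentication or open an incident; in a SIEM these rules would be correlated with endpoint and HR data rather than evaluated in isolation.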

2020 Zoho Corporation Pvt. Ltd. All rights reserved.