There is no doubt that single sign-on (SSO) capabilities are an important part of any identity and access management (IAM) solution. SSO reduces user frustration by eliminating the need to keep a separate set of login credentials for each application, and it lowers support costs by cutting the time IT spends addressing login issues and resetting forgotten passwords. Because every login passes through one authentication point, SSO also gives you a single place to log and audit sign-in activity (note that this covers authentication events, not what the user does inside each application afterwards).
Yet, while single sign-on does play an important part in identity and access management, there are other, equally important features that your solution should have as part of your overall effort. The three I will focus on today are: full-lifecycle management, roles and group management, and privileged access management.
Full-lifecycle identity management
While SSO eases the burden when users need to access multiple applications, it assumes that the accounts have already been created. Full-lifecycle identity management not only automates identity creation, but covers the entire span of a person's need to access critical business data, apps, and tools: the joiner, mover, and leaver events. As new employees are hired, existing employees shift roles, freelancers or seasonal employees are brought in, and employees leave the company, the associated tasks are driven by established business rules and policies, reducing human error and freeing IT from these mundane but critical tasks. The leaver step deserves particular attention, since an account that is never deprovisioned remains a working credential for an attacker long after its owner has gone. This ensures employees have access to the right data at the right time, while logging, monitoring, and restricting access when necessary to increase security and protect the enterprise's mission-critical data.
Dynamic role and group management
When new employees join an organization, the IT department has quite a bit of work to do to ensure that they not only have accounts created in the applications they need to do their jobs, but also have the correct rights and privileges. If something is left out, the employee's ability to get things done is delayed. If they are given access beyond their needs, least privilege is violated and the blast radius of a compromised account grows.
With the right solution, access rights can be provisioned and deprovisioned according to each user's specific attributes (for example, holding a specific certification or working in a particular building) or role in the organization, automatically placing the user in the appropriate groups. When the user logs in, everything they need access to has already been provisioned for them. If the employee leaves the company or changes positions, the same rules run in reverse: rights are removed as soon as the user is no longer part of a specific group, or as soon as rights to that resource are no longer relevant to their role, rather than accumulating across job changes.
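The attribute- and role-driven group placement described above, reduced to a small reconciliation routine. This is an added illustration, not code from the original article or from any IAM product; the attribute names, group rules, entitlement names and sample users are all hypothetical. The point it shows is that a mover (department or building change) and a leaver (account deactivated) are handled by the same rule evaluation as a joiner, and that the output is an explicit grant/revoke list rather than a one-way "add" operation.

```python
"""Attribute- and role-based group assignment with automatic (de)provisioning.

Added example for illustration only; the rules, groups and entitlements below
are hypothetical and stand in for whatever an IAM product would store.
"""
from dataclasses import dataclass


@dataclass
class User:
    uid: str
    attrs: dict  # hypothetical attributes: department, building, certs, active


# Hypothetical group rules: each rule is a predicate over the user's attributes.
GROUP_RULES = {
    "eng-repo-write": lambda a: a.get("department") == "engineering",
    "building-7-badge": lambda a: a.get("building") == "7",
    "prod-db-readonly": lambda a: (
        a.get("department") == "engineering" and "dba-cert" in a.get("certs", ())
    ),
}

# Hypothetical mapping from each group to the entitlements it grants.
GROUP_ENTITLEMENTS = {
    "eng-repo-write": {"git:push"},
    "building-7-badge": {"badge:door-7"},
    "prod-db-readonly": {"db:prod:select"},
}


def groups_for(user):
    """Compute the set of groups a user belongs to from their current attributes.

    A deactivated (leaver) identity is a member of no group at all, so every
    entitlement it held is revoked by the normal reconciliation below.
    """
    if not user.attrs.get("active", True):
        return set()
    return {name for name, rule in GROUP_RULES.items() if rule(user.attrs)}


def entitlements_for(groups):
    """Flatten group membership into the concrete entitlements it grants."""
    ents = set()
    for g in groups:
        ents |= GROUP_ENTITLEMENTS.get(g, set())
    return ents


def reconcile(current_entitlements, user):
    """Return (grant, revoke) so the user's rights match their current attributes.

    current_entitlements is what the target systems currently hold for the user;
    the caller applies the grants and revokes to those systems.
    """
    desired = entitlements_for(groups_for(user))
    return desired - current_entitlements, current_entitlements - desired


if __name__ == "__main__":
    # Constructed sample: an engineer in building 7 with a DBA certification.
    alice = User("alice", {"department": "engineering", "building": "7", "certs": ("dba-cert",)})
    print("joiner:", reconcile(set(), alice))
    # Same person moves to marketing in building 2: everything is revoked.
    held = entitlements_for(groups_for(alice))
    alice.attrs.update({"department": "marketing", "building": "2"})
    print("mover:", reconcile(held, alice))
```

Running the reconciliation on every attribute change (rather than only at hire time) is what keeps rights from accumulating as people move between roles; the revoke half of the result is the part that is usually forgotten when provisioning is done by hand.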
Privileged account management
A compromised administrator account gives an intruder free rein within your network. From there, they can not only access any data or resource on your network and perform any administrative task they choose, but they can also create additional administrator accounts, install backdoors on your systems, and impersonate legitimate users within your organization.
To protect administrator accounts from being compromised, your IAM solution needs an on-demand (just-in-time) privileged account management feature. Within this framework, an administrator who needs privileged access requests it, and an approval process is initiated. The approval can be automated based on the user's role or it can require sign-off from a human in the organization. Once the elevated access is granted, the administrator is given a one-time, randomly generated password that is valid only for a set time period, and every use of that password is attributable to the person who requested it.
To further protect against rogue employees or compromised administrator accounts, your IAM solution should be able to link multiple accounts (for example, a day-to-day account and a separate administrative account) to the same identity, so that people who need administrator rights do not end up with an account created outside the IAM system and outside its lifecycle controls. Further control over admin accounts comes from a solution that lets you put time limits on superuser and administrator rights. When needed, a user requests the account; after the request is approved through the appropriate workflow, the rights are granted for a predetermined window of time. Once the time limit expires, the account no longer works, so a credential that leaks after the window closes is worthless to an attacker.
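The request, approve, issue, expire cycle described in the two paragraphs above, written out as a small broker. This is an added example and is not the article's or any product's implementation; the auto-approve role names, the rule that a requester may not approve their own request, and the injected clock are hypothetical choices made to keep the example self-contained and testable. The issued password is stored only as a SHA-256 digest (acceptable here because it is a 24-byte random token, not a human-chosen password), and a grant is deleted the first time it is seen past its expiry, so the account stops working exactly as the text requires.

```python
"""Just-in-time privileged access: request, approve (by policy or by a human),
issue a random time-boxed password, and refuse it after the window closes.

Added example for illustration only; roles, policy and storage are hypothetical.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical policy: requests from these roles are approved automatically.
AUTO_APPROVE_ROLES = frozenset({"platform-admin"})


@dataclass
class Grant:
    requester: str
    approver: str
    pw_digest: bytes   # SHA-256 of the issued one-time password
    expires_at: float  # seconds, in the broker's clock


class PrivilegedAccessBroker:
    def __init__(self, clock):
        self.clock = clock   # callable returning the current time in seconds
        self.pending = {}    # request_id -> (requester, account, roles, duration_s)
        self.grants = {}     # privileged account name -> Grant
        self.audit = []      # (event, requester, account, approver) tuples

    def request(self, requester, account, roles, duration_s):
        """Open an elevation request; returns (request_id, password_or_None).

        If one of the requester's roles is on the auto-approve list the grant is
        issued immediately; otherwise the request waits for a human approver.
        """
        rid = secrets.token_hex(8)
        self.pending[rid] = (requester, account, frozenset(roles), duration_s)
        if AUTO_APPROVE_ROLES & frozenset(roles):
            return rid, self.approve(rid, approver="policy")
        return rid, None

    def approve(self, rid, approver):
        """Approve a pending request and issue a random, time-boxed password."""
        requester, account, _roles, duration_s = self.pending.pop(rid)
        if approver == requester:  # hypothetical separation-of-duties check
            self.pending[rid] = (requester, account, _roles, duration_s)
            raise PermissionError("requester cannot approve their own elevation")
        password = secrets.token_urlsafe(24)
        self.grants[account] = Grant(
            requester, approver, hashlib.sha256(password.encode()).digest(),
            self.clock() + duration_s,
        )
        self.audit.append(("granted", requester, account, approver))
        return password

    def authenticate(self, account, password):
        """True only while the grant exists and its window has not expired."""
        g = self.grants.get(account)
        if g is None:
            return False
        if self.clock() >= g.expires_at:
            del self.grants[account]          # the account stops working
            self.audit.append(("expired", g.requester, account, g.approver))
            return False
        digest = hashlib.sha256(password.encode()).digest()
        ok = hmac.compare_digest(digest, g.pw_digest)
        self.audit.append(("login-ok" if ok else "login-fail", g.requester, account, g.approver))
        return ok


if __name__ == "__main__":
    import time
    broker = PrivilegedAccessBroker(clock=time.time)
    rid, pw = broker.request("bob", "root@db01", roles={"platform-admin"}, duration_s=600)
    print("auto-approved, valid:", broker.authenticate("root@db01", pw))
```

Because every grant records both requester and approver, the audit list answers "who was root on db01 at 02:14 and who let them" without having to correlate a shared administrator password against a shift roster; that attribution is the practical reason for issuing per-request credentials instead of handing out a standing admin password.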
Identity management is a key part of a solid security plan, but in order for your organization to get the most out of your identity management solution you have to implement a tool that goes beyond single sign-on. The right solution will provide you with the means to manage much more than just the logon process.