Access Management (AM), Identity Management, Identity and Access Management (IAM), and Privileged Access Management (PAM): while these terms use similar language and act to strengthen an organization’s security posture, they each have separate and distinct meanings.
Access Management (AM) ensures access is granted to valid users and prohibited to invalid users by identifying, tracking, and regulating users' access to a system or application. While Identity Management creates and manages different users, roles, groups, and policies, access management ensures these roles are assigned proper access to resources based on these policies. AM is a governance process often used in conjunction with Identity Management for a comprehensive IAM system, which manages both user identities and access privileges alike.
On the other hand, PAM is a subset of Access Management that provides additional protection for privileged accounts, or the primary accounts that are at an administrative or system level. These are typically powerful accounts that give the user complete access to the system or application, so organizations make strong efforts to protect them. While AM refers to having the rights to certain resources or systems, PAM refers to having the rights to use privileged accounts.
Navigating through these terms is difficult enough, so how do you even begin to evaluate your organization’s access management capabilities? In order to simplify the process, we developed the Access Management Maturity Model, which divides these capabilities into four levels that an organization moves through as they mature their access management functionality.
Similar to the maturity models we’ve previously discussed for other IAM tenets, such as Delegated Administration and Identity Lifecycle Management (ILM), the Access Management Maturity Model gives organizations a pathway to assess current effectiveness, as well as tangible steps to progress forward.
Let’s jump right in to the characteristics found in Levels 1 and 2 of the Access Management Maturity Model and review the steps for increasing maturity.
Level 1: Birthright Access Management, ABAC, and RBAC
At Level 1, the most rudimentary access management level, there are two prerequisites from other IAM tenets, one of which we’ve already covered in our maturity model series, ILM, and one yet to come, governance. While fairly advanced ILM capabilities are required for Level 1 of the Access Management Maturity Model, only basic governance functionality is needed.
The first prerequisite is that, an organization must support an engine that fully automates identity lifecycles across all systems and applications in the organization’s ecosystem.
At a minimum, the engine intelligently determines the onboarding process and account creation, known as provisioning, as well as account removal, and any role changes are reflected as well. In turn, the organization’s ILM supports AM to properly position access based on birthright relationships, or a user’s attributes or roles upon entering an organization. Without the prerequisite of fully automated ILM, organizations often fall back into the manual process of creating accounts by hand and may forget an application or resource, affecting AM.
At Level 1, Access Management is based on two primary models of access control: Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC). ABAC controls access based on three different attribute types: user attributes, attributes associated with the application or system to be accessed, and current environmental conditions. At Level 1, birthright access management is automated utilizing ABAC; however, any exceptions needed are handled on a manual or ad-hoc basis.
RBAC controls access based on the roles that users have within the system and on rules stating what access is allowed for users in given roles. By utilizing RBAC, users are statically and dynamically associated with roles, which can then be associated with certain applications. Associating users with roles is a faster method of controlling access to certain resources because it can be applied as a team or department, rather than tediously associating each resource with an individual user.
Level 1 also requires a basic level of governance, which is the next and final tenet in our IAM maturity model series. This prerequisite requires an organization to maintain an entitlement repository, or a list of entitlements specific to the organization and roles within the organization.
These entitlements are defined by policies that represent end user access and ensure access is certified. This often starts with a user’s Active Directory account, which has basic account information, such as username and password. For example, an entitlement, such as Outlook or Gmail, is granted to all employees, and the associated policy is that all employees have access to the email system. From there, access is granted to other systems that all users in a company need to access.
When an identity or account is created for a particular role, the entitlements given to that role define access available to them when they are born into the organization (birthright). For example, a new salesperson is granted access to the email system because they are an employee, but they also get access to Salesforce because they are a member of the sales team. However, the new hire is not granted access to the financials system because they are not a member of the accounting department.
Level 2: Automated Exceptional Access Requests
Often times, a user needs access to a system or application outside their normal operations that is not provided by the birthright relationship. In Level 1, RBAC associates users with their roles to grant access into resources and applications, and exceptions are handled by access approvals and certification on an ad-hoc basis. In order to be at Level 2 in the Access Management Maturity Model, an organization must have a mechanism in place to handle these exceptional access requests.
In addition, another characteristic of level 2 is that Access Management is refined to associate users with entitlements, which typically go through a request or approval process. Using self-service capabilities, users request exceptions through the automated mechanism in place. Business owners then review requests for their given system or application and determine if access is needed. Most likely, business owners will consider factors, such as the sensitivity level and if licensing is associated, before approving or denying a request.
Business or application owners can also set limits on duration, so an individual only has elevated privileges for the time necessary. Typically, the more sensitive the application or data is, the shorter the time frame that is allowed. For example, it may be appropriate to grant access to a particular system annually, or maybe every 3 months, every week, or even on a 24-hour basis for highly secure systems.
Once the time set has expired, access is automatically revoked, unless the business owner or manager reviews the certification and renews access. This identity best practice ensures no user is granted more access than required for their position. It also helps protect privileged accounts because access is only granted for a small window, limiting the user exposure and risk tied to these accounts.
Evolve Your Organization’s Access Management
Access Management is a strategy for how identities are applied to the data and resources in your organization’s environment, ensuring users have the correct access to the correct systems, resources, and applications. While at Level 1, an organization has implemented ILM to support birthright access management, at Level 2, Access Management has matured to support on-demand privilege escalation with limited duration. However, these are only the first two levels of the Access Management Maturity Model.
Ready to discover the advanced Access Management capabilities, such as privileged access management, the principle of least privilege, event correlation, and more that lie in Levels 3 and 4, as well as tangible steps to progress through each level?
Make sure to check out our on-demand webinar: Advancing Your Identity Management Strategy with the IAM Maturity Model, Part 6 - Access Management.
In this webinar, our founder, Troy Moreland, discusses how to progress from a basic access management strategy to an intelligent, centralized strategy that enforces least privilege access.