I am currently completing a master's in cyber security and my final work is on IAM and why it seems to continue to be a problem despite being a longstanding security fundamental and many organisations investing significant funds into the problem...
I have worked at a few places where sustainability of good IAM seems to be a challenge.
My own working theory is that it is seen as a technology problem when in fact it is a business process which needs technology support and that controls degrade after investment due to poor connection with wider corporate governance.
If anyone has any thoughts and views they would be very welcome.
I guess large organisations have very complex processes and IAM works extremely well in a standardized environment. The real challenge is achieving the level of flexibility and complexity in the system and yet getting it working.
It is a business relationship issue. If your business is able to define its capabilities and business processes, you can then develop a security model that can be maintained. Most businesses can't describe their processes and what it takes to operate.
Most IAM systems end up with a mix of what they think is RBAC and then a pile of direct assignments. This amounts to a lack of rules and application of rules.
The key is to first understand actions, actors, relationships (including customers/personas), and the resources that are acted upon. (also remembering that processes and data are resources)
You are correct that it is not a technical issue at first. Although you can make a bad situation worse with IAM technology.
Okay, so here are a few points.
Larger organisations are more likely to have heterogeneous environments (particularly if they have grown by merger) and, especially, legacy systems. IAM solutions (process and technical) deal less well where you have to control numerous different scopes.
Movers & leavers. In a small organisation, you know about people leaving or changing roles. In larger organisations, it may take IT ages to find out (and HR may deliberately hide the fact that some people have left.)
Greater granularity. The more you split up your IAM roles, the harder it is to keep up to date. Larger organisations will (usually) have different privileged roles for different areas - a small company might have a few people who are admins for everything.
Edge cases - the more complex your organisation, the more people you will have who don't fit in a nice neat IAM role. And will require exceptions.
In my opinion, IAM has to work very closely with the business users and the applications they use in the organization.
It needs business users to define the roles and what functions the role can access in an application.
Then it needs to integrate with the applications to impose these roles and functions on the applications.
Whenever new functions are created in the application, administrators need to create them correspondingly in the IAM and discuss with the business users which roles should have them.
It is like having double work from two departments.
But it reduces recurring effort from the application to provision user accounts and to review roles assignment.
IAM can also give an overview of who has what access in which applications.
If the IAM receives input from the HR System, it would give the reviewer visibility of staff movement.
Most important, it should have the ability to grant/revoke access from a central control point.
Overall, the IAM should be owned by the Governance/Quality Assurance Team and supported by various operational heads.
Thanks all for your input; some very useful thoughts and comments here which I will use to help shape my thinking and research.
Do let me know if I can be of help at any point in the future
“Although you can make a bad situation worse with IAM technology.”
Or to extend that statement: you can make any situation worse with technology.
I had originally put “bad, or badly implemented” but even well implemented good technology can make things much, much worse (see others’ comments about business involvement & requirements being paramount.)
Just my two penn'orth....
1. The business rarely views IAM as anything other than an IT concern. They don't understand that IT Security (in my org's case) facilitates access - but the business owners should be offering guidance on who gets what and why.
2. JML processes are inherently problematic. EVERYONE shouts when a new arrival doesn’t have access. Nobody cares about removing it when the employee moves or leaves. Except Security of course. HR are seldom as involved as perhaps they should be.
3. Few businesses correctly balance security with availability and functionality.
4. Few orgs get business owners to accept responsibility for systems and data that reside in their areas. Frustratingly, they are often the experts who understand what specific access does. Therefore, IT end up managing access that they rarely fully understand in enough detail.
5. RBAC is hard. Roles evolve, people move/take on additional responsibility/deputise etc. So the exceptions become the norm and the roles are reduced to being a starting position.
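The failure modes raised across the thread (leavers who keep access, movers who keep their old role's entitlements, and the pile of direct assignments outside the role model) are exactly what a periodic reconciliation of the HR feed against an IAM entitlement export should surface. The following is an added example, not code posted by anyone in this thread nor from any particular IAM product. The HR roster, role model and entitlement export are constructed inline with a hypothetical schema (`user`, `status`, `job_role`, and a grant `source` of either `role:<name>` or `direct`); a real export would be mapped onto these fields first.

```python
"""Reconcile a constructed HR roster against a constructed IAM entitlement export
to surface leavers with access, mover drift, and grants made outside the role model.
All data, field names and role names below are hypothetical and constructed for
illustration; they do not describe any real organisation or product."""

from collections import defaultdict

# Constructed HR feed (hypothetical schema): one row per person.
HR_FEED = [
    {"user": "alice", "status": "active", "job_role": "payroll-clerk"},
    {"user": "bob",   "status": "active", "job_role": "ap-clerk"},       # moved from payroll-clerk
    {"user": "carol", "status": "left",   "job_role": "payroll-clerk"},  # leaver, processed in HR
    {"user": "dave",  "status": "active", "job_role": "sysadmin"},
]

# Constructed role model: business role -> the entitlements it is allowed to carry.
ROLE_MODEL = {
    "payroll-clerk": {"payroll.view", "payroll.edit"},
    "ap-clerk":      {"ap.view", "ap.approve"},
    "sysadmin":      {"server.admin", "payroll.view"},
}

# Constructed IAM export: (user, entitlement, source).
# source is "role:<name>" for role-derived access or "direct" for a one-off grant.
IAM_EXPORT = [
    ("alice", "payroll.view", "role:payroll-clerk"),
    ("alice", "payroll.edit", "role:payroll-clerk"),
    ("bob",   "ap.view",      "role:ap-clerk"),
    ("bob",   "ap.approve",   "role:ap-clerk"),
    ("bob",   "payroll.edit", "role:payroll-clerk"),   # stale: bob has moved roles
    ("carol", "payroll.view", "role:payroll-clerk"),   # leaver still provisioned
    ("dave",  "server.admin", "role:sysadmin"),
    ("dave",  "payroll.view", "role:sysadmin"),
    ("dave",  "ap.approve",   "direct"),               # exception granted by ticket
    ("erin",  "ap.view",      "direct"),               # account unknown to HR entirely
]


def index_hr(hr_feed):
    """Map user id -> HR row so the checks below can look people up cheaply."""
    return {row["user"]: row for row in hr_feed}


def leavers_with_access(hr_feed, iam_export):
    """Users holding any entitlement who are not active in HR (left, or unknown to HR).
    Accounts HR has never heard of are flagged with status 'unknown' rather than skipped,
    since those are often the ones nobody owns."""
    hr = index_hr(hr_feed)
    flagged = {}
    for user, ent, _src in iam_export:
        status = hr[user]["status"] if user in hr else "unknown"
        if status != "active":
            entry = flagged.setdefault(user, {"status": status, "entitlements": set()})
            entry["entitlements"].add(ent)
    return flagged


def mover_drift(hr_feed, iam_export):
    """Active users still holding role-derived grants from a role HR no longer assigns them."""
    hr = index_hr(hr_feed)
    drift = defaultdict(set)
    for user, ent, src in iam_export:
        if user in hr and hr[user]["status"] == "active" and src.startswith("role:"):
            granted_role = src.split(":", 1)[1]
            if granted_role != hr[user]["job_role"]:
                drift[user].add((granted_role, ent))
    return dict(drift)


def direct_assignment_ratio(iam_export):
    """(direct grants, total grants, fraction). A rising fraction is the sign that the
    role model has become a starting position rather than the actual access policy."""
    total = len(iam_export)
    direct = sum(1 for _u, _e, src in iam_export if src == "direct")
    return direct, total, (direct / total if total else 0.0)


def role_model_violations(hr_feed, iam_export, role_model):
    """Active users whose effective access exceeds their current role's entitlements,
    whether the excess arrived via a stale role or a direct grant."""
    hr = index_hr(hr_feed)
    held = defaultdict(set)
    for user, ent, _src in iam_export:
        held[user].add(ent)
    excess = {}
    for user, ents in held.items():
        if user in hr and hr[user]["status"] == "active":
            allowed = role_model.get(hr[user]["job_role"], set())
            extra = ents - allowed
            if extra:
                excess[user] = extra
    return excess


if __name__ == "__main__":
    print("leavers/unknown with access:", leavers_with_access(HR_FEED, IAM_EXPORT))
    print("mover drift:", mover_drift(HR_FEED, IAM_EXPORT))
    print("direct grants (n, total, ratio):", direct_assignment_ratio(IAM_EXPORT))
    print("access beyond current role:", role_model_violations(HR_FEED, IAM_EXPORT, ROLE_MODEL))
```

The four checks are deliberately separate because they land with different owners: leavers and unknown accounts go to HR and the service desk, mover drift and role-model violations go to the business owner of the role, and the direct-grant ratio is the governance metric that tells you whether the role model is still being maintained at all. Running the reconciliation on a schedule against the HR feed, rather than waiting for someone to tell IT, is the practical answer to the "nobody cares about removing it" problem described above.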