By Chinatu Uzuegbu, CISSP, CEO/Managing Cyber Security Consultant at RoseTech CyberCrime Solutions Ltd. 

1. We kicked off the Identity and Access Management Processes from the Top-Level Management approach. The Identity and Access Management Security Steering Committee is a group of C-Suites leaders, also referred to as the respective Data and Asset Owners from the various Business Units of my organization. The group met and established the governing policy around the Identity and Access Management Processes. The governance covers the Mandatory Access Control Policy and Trust Policy of the organization which are automatically enforced as the baselines on default.

2. The governance of our organization also mandates that the Identity and Access Management Framework, like other frameworks, align with local and international regulations as well as other industry-related regulations in each jurisdiction where the organization is domiciled. The required regulations are also enforced and applied to the Identity and Access Management systems as the baselines.

3. Our organization is currently running with a mix of Identity and Access Management Frameworks customized and embedded in the holistic ISO 27001 Cyber Security Framework. An element of NIST SP 800-63, Digital Identity Guidelines and ISO 27001 and 27002 are customized and applied as one framework in the Integrated Information Security Management System (ISMS) of my organization. Aligning with these frameworks ensures the organization is running with the best practices in Identity and Access Management.

4. The organization leverages on the Microsoft Kerberos Authentication framework to promote single sign-on (SSO) handshake and minimize single point of failure. The Kerberos System has helped a great deal in reducing administrative bottlenecks and promoting multi factor authentication (MFA) following the Challenge Handshake strings in Kerberos. The organization is working hard to embrace more borderless and wireless authentication frameworks even though the acquisition process is ongoing.

5. We ensure each human or non-human identity is uniquely defined with a standard naming convention. For example, for human identities, the combination of employee’s first name initial and last name with the employee identity number is his/her unique ID (C.uzuegbu-IT0001) on the Identity and Access Management System. The non-human identities which include machine identities, application identities, federated identities, cloud-based identities, network-based Identities, artificial intelligence identities, IOT Identities, blockchain identities and others are named with the combination of the identity set and a respective automated unique identity (HackingLab-001) where HackingLab is the machine name, or the identity set and ‘001’ is the unique ID. A clearly defined identity set with uniqueness would help in assigning access rights based on roles and necessary monitoring all through the identity management life cycle. It also promotes a level of granularity and flexibility especially when there is a need for versioning and necessary updates on each identity set.

6. The organization strictly aligns with the Account Provisioning and De-provisioning concept in the Identity and Access Management Life Cycle with a granular and procedural approach to the concept of ‘IAAA-Identification, Authentication, Authorization and Accountability’. For example, the organization would enroll every human and non-human identity considering the identification process first, then authentication second, authorization third and accountability last. The authorization process must only apply after the identification and authentication processes respectively and not before.

7. We ensure that every identification enrollment process is traceable to an authoritative identity source. For example, on enrolling a vendor or contractor in the Identity and Access Management System, the contract letter and service level agreement are verified and endorsed by authorized parties. This ascertains the validity of the identity and confirms that the access right is persistent or temporal or with daily thresholds. Employee Identities are traceable to the letter of employment and would help ascertain the role of the employee as well as the access right required. This would ensure that user accounts are not provisioned for impostors or unauthorized parties. The authoritative identity sources must be stored and reviewed regularly to ensure authenticity of the account at any point in time.

8. Our organization only authenticates after the identification process has been verified leveraging on the authoritative identity source. The authentication process validates the above claimed identity in three ways:
   1. Something You Know, such as Password or Personal Identification Number (PIN): The vulnerabilities around this has become so bad that Forbes reported that about 15 billion passwords are exposed on the dark web in 2021 and over 80% of cyberattacks were due to weak credentials, most traceable to weak password Management. My organization is considering password less authentication framework, but now combines a password with any of the other two ways of authentication below.
   2. Something You Have, such as a token device, mobile gadget or smart card: My organization enforces the combination of ‘Something You Know’ with ‘Something You Have’ authentication methods before granting access right on all critical Systems and Applications. This is one good way to mitigate the vulnerabilities around Passwords. The tokens can come in form of one-time-password or line of time-bound characters automatically generated from the token device. This combination also applies on Automated Teller Machines (ATM), where you insert your card as a token device and supply your PIN as something you know.
   3. Something You Are, such as Biometrics: My Organization leverages on electronically Biometrics doors to access most secure zones such as the data center or to log-on to highly critical and core applications that adds up to the over 90% of my organization’s business. Authenticating through biometrics is to leverage on the biological and physiological attributes of a human being such as fingerprints and other pattern recognitions, iris scan and others. Biometrics only applies to human identities. Most non-human Identities leverage on the combination of ‘Something You Know’ or ‘Something You Have’. Our organization is currently on Identity and Access Management revamp with up-looking initiatives such as leveraging on block chain password less framework with cryptographic algorithms and hashes in mind on highly critical assets. Even though biometrics is the strongest of the three methods of authentication, they only apply on human identities.

From the above outlined methods of authentications, it is obvious my organization currently embraces MFA framework which is the standard best practice when it comes to authentications. MFA is the combination of two or more methods of authentication, commonly referred to as Two Factor Authentication (TFA).

9. The organization ensures the authorization process only applies after a successful authentication of the claimed identities. All Stakeholders in my organization must align with the Authorization Policy Framework of the organization and The Access Control Matrix, which ascertains the Subject (the active human or non-human identity requesting to access a resource) and the object (the passive entities and resources to be granted access that must also be well outlined in the Access Control List (ACL). Mandatory Access Control Model is enforced on the platforms as the minimum standard or baseline access rights across critical platforms in the organization. Discretionary Access Control Model is driven by the asset and data owners, mostly the top leads of the various business units. Role Based Access Controls are assigned based on roles and functions of the human and non-human identities on the various platforms. My organization ensures that appropriate separation of duties are applied and that the screens and windows of each identity is compartmentalized leveraging on the concept of least privilege, which grants access based on all that is required to do the assigned job and the concept of need-to-know, based on all that is required to know and access. Rule Based Access Control Model is driven and enforced by rules and policies with criteria on whether to block or allow access, such as application white-listing or black-listing. Attribute Based Access Control Model would grant or deny access rights based on the attributes and characteristics around the human or non-human identity and the resource for access, such as a vendor who requires only a temporal and just-in-time window access right on the system or an application identity that requires only a straight-through process access to another application once-off or periodically.

We leverage techniques that would minimize authorization creeps emanating from overwhelming access rights on privileged accounts. There may be need to employ an administrative three-tier technique (top tier for the critical systems such as the active directory, middle tier such as the application server and third tier such as workstations) for managing privilege accounts and ensuring the concept of least privilege also applies on the administrative accounts. The administrative tiers would streamline the privileged accounts with necessary security models as well as the sensitivity level of the data being accessed.

10. We see the accounting phase of the cycle as the bottom line that ensures the process is running as required with adequate security measures in place. Adequate security measures are applied with defense-in-depth in mind and to assure reasonably that the Identity and Access Management System is running with the acceptable risk appetite of my organization in mind. For my organization to assure the acceptable level of confidentiality, integrity, availability, privacy and safety around the Identity and Access Management processes with varied measures of control which covers the Preventative (DLP), Detective (SIEM), Corrective (Fixes and Patches), Deterrent (Penalties and Sanctions), Recovery (Back-Up), Compensative (alternatively Cheaper) and Directive (Governance and Security Policies) Controls. The aim is to ensure that the provisioned Identities are running with the access rights granted with minimal anomalies and Authorization creeping issues. My organization ensures access rights are terminated automatically on Identity expirations. Terminated identities could also be re-applied when necessary. We ensure all logical access rights on the identity and access management system are removed on the exit or termination of both human and non-human Identities as traceable to the authoritative identity source of the firm. 

11. Our organization embraces Zero Trust Architecture with trust zero model approach to ensure an implicit denial of accesses across all platforms and with the mandatory access controls, driven from the governance, enforced to the default baseline. To achieve the Zero Trust Architecture, my organization employs varied layers of controls and techniques from both defensive and offensive perspectives such as the cyber kill chain, penetration testing, ethical hacking, risk management, vulnerability assessments and other security measures to proactively detect and mitigate threats that could exploit the vulnerabilities around the identity and access management Processes. My organization employs cost-effective defense in depth or multi-layered Security measures to maintain a good and Zero Trust security posture across all platforms not only that of the identity and access management. The organization believes that a loophole in one area could create vulnerability in others including the Identity and Access Management Process.

12. My organization perceives Identity Security as the first line of defense in cybersecurity and its importance in routinely reviewing the systems to minimize cases of Adaptive Persistent Threats (APT), denial of service attacks, spoofing, account hijacking, tampering, information disclosures, escalation of privileges, malwares and all forms of misuses around the Identity and Access Management Processes.

13. The Organization also embraces electronic log-on banners to warn on every authentication on the system and to enforce the human Identities to consent to issues related to monitoring and sanctions on any form of misuse.

14. We embrace good backup and disaster recovery processes with seamless business continuity in mind, in cases of data losses, system crashes or any form of disaster. The back-up strategy covers the primary and secondary sites. To promote resilience and redundancy, the organization leverages on replication and clustering of critical servers with the organization’s off-site back-ups including that of the Identity and Access Management System.

15. Finally, but not the least, my organization employs automations that seamlessly promote Continuous Integration and Continuous Delivery (CI/CD) security operations. This is in line with the current robustness around the business processes and wide range of Identity categories with overwhelming handshakes plugged into the Identity and Access Management System.

Strict obligations to the above Identity and Access Management Processes best practices have helped my organization to maintain an acceptable security posture and acceptable level of confidentiality, integrity, availability, privacy and authenticity around my organization’s identity and access management processes.