What Is Involved in an IAM Assessment?
Posted by: GuidePoint Security
Published 3/18/22, 9:00am
The IAM Assessment: Who, what, where, when, and how of identity and access management.
Credentials are, and have always been, the most sought-after tool for hackers. Let’s think about it. In scenario A, a hacker needs to spend time and money coding (or buying) malware, distributing it, and then leveraging it to breach the system. In scenario B, the hacker just needs a set of login credentials, purchased for a nominal fee on a dark web forum, to access a business system. So, if you were a hacker, which scenario would you choose: A or B?
The vast majority of breaches tied to hacking involve lost or stolen credentials or brute force attacks. Furthermore, once a business has been hacked, the majority of these attacks will result in privileged user credentials being stolen.
Preventing attacks based on credential misuse is crucial, and it begins by building an identity and access management (IAM) program, which starts with a comprehensive identity and access management risk assessment.
What is an IAM assessment?
An IAM assessment evaluates a business’s identity governance landscape. It examines the current IAM state, identifies gaps, and creates a roadmap to help improve the overall IAM process using this information.
IAM assessments also help determine the effectiveness and efficiency of a business’s IAM processes. Organizations engage in IAM assessments to:
- Improve the IAM solution and ensure enterprise-wide adoption of policies and procedures.
- Define more rigorous IAM security standards.
- Better secure and manage the changing identity landscape, including concerns related to remote work, legacy systems, and on-premise, hybrid, and cloud applications, systems, and platforms.
- Minimize the risk of breaches and attacks from both insiders and external threat actors.
The formal IAM assessment process usually involves three to five phases, depending on scope and scale. For example, phases may include (1) Examining the current state; (2) Identifying the future state; and (3) Presenting a roadmap and recommendations. Phases may also include a technology review and requirements collection.
Ultimately, what happens in each of these phases can be broken down into five simple categories based on those interrogatives we all remember from English class—who, what, where, when, and how. This attribute-based evaluation process looks at the following:
- Who—The users associated with the business.
- What—The access patterns of the users and business assets, as well as business requirements, compliance concerns, current security architectures and tools, and existing policies and procedures.
- Where—The location of users and assets.
- When—The access times.
- How—The appropriate solutions, recommendations, and strategic path needed to meet the business’s IAM needs.
IAM Assessment: “Who”
In the world of IT and security, professionals often refer to users. In the early days of computing, a ‘user’ typically meant a person. That definition has changed dramatically, and today, ‘user’ can be defined in multiple ways. It can mean a person, an identity (e.g., a login), a distributed system, an Internet of Things (IoT) device, software and applications, an external device (e.g., a camera), or a ‘smart’ tool such as a tablet or phone. When specifically referring to a person, ‘user’ can also mean an employee, a contractor, or a third-party vendor that has access to business systems.
Identifying and documenting network and system users is a critical early step in the IAM assessment process to ascertain who has access to systems, who needs access to systems, and what sort of privileges each user requires.
IAM Assessment: “What”
The IAM assessment process also includes the identification and documentation of assets and their patterns of use. It looks at overall business strategies, anticipated areas of growth, and any requirements related to compliance. The “What” phase will also examine existing security architectures, technologies, and tools, as well as current identity and access management policies and procedures. Gaps in current processes, policies, and technologies are noted to ensure future solutions correct any deficiencies.
IAM Assessment: “Where”
In the last two years, ‘location’ has taken on a whole new meaning when it comes to security. Remote work has made identity and access management an essential part of the security process. In fact, some believe that remote work is actually helping to reshape the IAM process by redefining the number and type of digital identities and how those changing identities are secured. The growing number of identities in disparate locations, including identities associated with on-premise or cloud-based systems, data, networks, and software applications, underscores the importance of knowing “where” identities are located to ensure that the right IAM security configurations and privileges have been applied.
IAM Assessment: “When”
Even though users may be distributed geographically, the vast majority likely maintain a regular working schedule. Whether that is a 9 to 5 local to their time zone or assigned shifts at odd hours, knowing when users access systems is a key component in establishing a pattern for access management. For example, if a user regularly logs in between 8 and 9 AM local to their time zone, an access pattern can be established by combining location data with login time. Or, if they work regular shifts monitoring and maintaining critical resources, they will likely always request access at the same time local to the resource they are accessing. This behavioral profile is a critical component of a well-governed IAM program.
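The “when” and “where” baseline described above, as an added example that is not part of the original post: it builds a per-user profile of local login hours and countries from a constructed login history and reports how a new login deviates from it. The home time-zone offsets, event format, and all sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed directory attribute (constructed): each user's home UTC offset in hours.
# A real directory would carry an IANA zone name; fixed offsets keep this self-contained.
HOME_OFFSET = {"alice": -5, "bob": 5.5}

# Constructed login history: (user, UTC timestamp, country code). Not real data.
HISTORY = [
    ("alice", "2022-03-01T13:05:00+00:00", "US"),  # 08:05 local
    ("alice", "2022-03-02T13:40:00+00:00", "US"),  # 08:40 local
    ("alice", "2022-03-03T12:55:00+00:00", "US"),  # 07:55 local
    ("bob", "2022-03-01T16:30:00+00:00", "IN"),    # 22:00 local (night shift)
    ("bob", "2022-03-02T16:45:00+00:00", "IN"),    # 22:15 local
    ("bob", "2022-03-03T17:05:00+00:00", "IN"),    # 22:35 local
]

def local_hour(user, ts):
    """Hour of day in the user's home time zone for a UTC ISO-8601 timestamp."""
    tz = timezone(timedelta(hours=HOME_OFFSET[user]))
    return datetime.fromisoformat(ts).astimezone(tz).hour

def build_baseline(events):
    """Per-user profile: the local login hours and countries seen in the history."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country in events:
        baseline[user]["hours"].add(local_hour(user, ts))
        baseline[user]["countries"].add(country)
    return dict(baseline)

def score_login(baseline, user, ts, country, slack=1):
    """Return the reasons a login deviates from the user's established pattern.

    An empty list means the login fits the "when" and "where" baseline.
    """
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    hour = local_hour(user, ts)
    # Tolerate +/- slack hours around any observed hour, wrapping past midnight.
    ok_hours = {(h + d) % 24 for h in profile["hours"] for d in range(-slack, slack + 1)}
    if hour not in ok_hours:
        reasons.append(f"off-hours login at {hour:02d}:00 local")
    if country not in profile["countries"]:
        reasons.append(f"login from previously unseen country {country}")
    return reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_login(base, "alice", "2022-03-05T03:00:00+00:00", "RO"))
```

A login that trips both checks is a candidate for step-up authentication or an access review rather than an automatic block, since shift changes and travel also produce such deviations.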
IAM Assessment: “How”
With the who, what, where, and when identified and documented, IAM assessment practitioners will then look at the ‘how,’ that is, what IAM solutions are needed to meet the business’s current and future access use cases. The ‘how’ phase usually produces a solution blueprint based on the current state of user access management, notes existing security gaps, and provides recommendations for remediation and improvement. The ‘how’ will include strategies and tactics for policies, processes, and technologies. This phase will also align those strategies, processes, and technologies with compliance requirements, business goals, and existing security architectures.
IAM Assessments are a “Must-have” Component of an IAM Solution
Businesses need IAM assessments to reach the point at which they can confidently implement a comprehensive and long-term IAM solution. Assessments help businesses identify security holes and provide perspective on why certain IAM policies are necessary. Assessments also help organizations understand what sort of security is needed to support future growth or changing market conditions. With an assessment process as part of their overall IAM services, organizations can mature their overall identity governance program and position it to support business objectives and deliver value.