https://sinetris.info/topics/iam/iga/Recent content in IGA on Sinetris's viewpointsSine Die theme for Hugoenduilio@sinetris.info (Duilio Ruggiero)Mon, 15 Jul 2024 16:27:00 GMThttps://sinetris.info/topics/iam/iga/access-management/Mon, 15 Jul 2024 16:27:00 GMThttps://sinetris.info/topics/iam/iga/access-management/<h2 id="why-you-need-access-management">Why you need access management</h2> <p>Some important points are:</p> <ul> <li> <p>It allows to properly document granted access history for auditing and security purposes</p> <ul> <li>Who had access to a specific system, what kind of access, why, at any point in time</li> <li>What did they access, when, and why (via integration with SIEM systems)</li> <li>When they are doing operations on a system, this allow to check if they are allowed</li> </ul> </li> <li> <p>Monitor drifting between desired state and actual state and what caused it</p> </li> <li> <p>Keeping track of users accesses allow to better refine them</p> <ul> <li> <p>Did they had granted more access than needed for their work?</p> <blockquote> <p>Grant them access based on principle of least privilege</p> </blockquote> </li> </ul> </li> </ul> <div>[Truncated]</div>https://sinetris.info/topics/iam/iga/considerations/Sun, 16 Jul 2023 18:20:00 GMThttps://sinetris.info/topics/iam/iga/considerations/<h2 id="assets-and-people">Assets and people</h2> <p>Ensure to have proper Orphan Account Monitoring (for example, people leaving the company) and delegation (for example, people in sick or parental leave) for people assigned to managing assets (Asset Owners, Application Administrators, Infrastructure Administrators, etc). Take into consideration that people might be out of office because in vacation, out sick, at a conference, etc.</p>https://sinetris.info/topics/iam/iga/identity-lifecicle-management/Sun, 16 Jul 2023 18:20:00 GMThttps://sinetris.info/topics/iam/iga/identity-lifecicle-management/<h2 id="hr-driven-identity-lifecycle">HR-Driven Identity Lifecycle</h2> <p>The HR department is the one that knows who is joining, who is leaving, who is moving to another job within the company, who is on vacation, sick leave, parental leave, etc. Their system should expose for each employee at least the name that should be used for them within the company (might be different from their legal name, which is only required by HR to sign contracts), the start and end dates (if applicable) of the contract, department, role, line manager, and absences.</p><div>[Truncated]</div>https://sinetris.info/topics/iam/iga/identity-security/Sun, 16 Jul 2023 18:20:00 GMThttps://sinetris.info/topics/iam/iga/identity-security/<h2 id="orphan-account-monitoring">Orphan Account Monitoring</h2> <p>It’s important to find missing identity associations or assets assigned to wrong identities (for example off-boarded employees).</p> <p>Examples:</p> <ul> <li> <p>An account is associated to an asset but is not assigned to any identity</p> <ul> <li>All accounts should be associated with one (and only one ) identity.</li> <li>If the system allow only one account (for example only one admin), access to that account should happen trough a system that keep track of all actions (see PAM and Just-in-time credentials).</li> <li>If credentials to the account are shared it will be hard to know who performed an action.</li> </ul> </li> <li> <p>Asset role (for example Owner or Admistrator) assigned to an Identity that left the company</p> </li> <li> <p>Employee assigned to a line manager that transferred to a different department</p> </li> </ul> <h2 id="adaptive-authentication">Adaptive Authentication</h2> <p>Varying authentication methods based on runtime evaluation of risk factors.</p> <div>[Truncated]</div>