Digital identity management. Where to start?
Managing access rights to business resources, including systems, databases and applications, is one of the key elements within a cybersecurity strategy. How can you prepare a digital identity management project in an organisation? What is digital identity and how can you make it visible?
What is digital identity?
Before a company formulates its own definition of digital identity, it must think about what it wants to manage and why. First of all, the scope of this management should cover people, i.e. full-time employees, contractors, B2B, employees of an external provider, auditors etc. Each of them is granted access to IT systems where they process data using specific and unique identities. Such people act within the organisation and participate in business processes.
How is identity visible in IT systems? It can be seen, first and foremost, in source data (where someone inputs the identity details for the first time, where the identity is registered and embedded within structures, and where functions, roles, job positions etc. are assigned to the identity). This usually happens in HR systems.
The second location containing identity details covers the company’s IT systems used for various business processes. In this case, we encounter personal access accounts, privileged accounts, functional accounts, contacts, e-mail boxes, e-mail addresses, personal records etc.
The idea of identity can be extended to encompass not only people, but also an IT system, a business service or a system’s production instance. Here the sources of data will include Configuration Management Databases (CMDB) where such services are stored.
Last but not least, a digital identity can be a set of data about an entity that must be properly managed for the purposes of security, business efficiency as well as compliance with regulations and policies. If that entity is a human being, the digital identity will comprise the HR information, the information about personal accounts and access configurations. A human identity should be defined at the layer above accounts and source records (e.g. HR agreements and “points of employment”).
Why should you manage digital identity?
How does a company gain from making digital identity visible and managing it? In general, it boosts its competitive edge and reduces the business risk to a great extent. To be more specific, digital identity management helps enterprises within three areas:
– Enhance performance and reduce operating costs
Today, employees are able to perform their duties effectively only if they have their accounts configured and access rights granted. Without this, they cannot authenticate their identities and process data, i.e. work becomes impossible. Quick and effective assignment of rights and privileges as well as the set-up of profiles in systems are crucial actions, especially during employee onboarding or when job positions, teams and duties are changed. Such processes as the induction of new employees within the company’s structures, transfers between structures and/or managers and the related reconfiguration of accounts or privileges can happen automatically thanks to mature management of identities, which in turn boosts performance and reduces costs.
– Ensure security
The necessity of data/resource protection requires multiple actions related to employees’ access to systems and databases. It is very important (1) to revoke all access rights when people leave the company, (2) to suspend unused access rights in the case of long absences, and (3) to immediately block accounts and privileges when a security breach incident is suspected. At all times, employees should have access rights which correspond exactly to their positions and duties, i.e. the rights must not be excessive, in order to limit the options available to a potential intruder who would use such rights without any authorisation.
– Comply with regulations
Identity management helps businesses in ensuring and demonstrating compliance with regulations and policies. In consequence, a company can easily prove that it regularly reviews access rights and abides by policies, e.g. the SoD (Segregation of Duties) policy and that it effectively supervises the access to personal data. Thereby, businesses can reduce the risk of serious breaches that could damage their reputation or cause major financial losses.
IGA – a wider approach to identity and the maturity of management
How can you effectively manage digital identities in an enterprise? Of course, you can use mature systems such as IAM (Identity Access Management), IdM (Identity Management) or IGA (Identity Governance & Administration) – these terms are often used interchangeably. They can be implemented in two modes: through a dedicated implementation project or through creating and maintaining a dedicated Identity Governance & Administration (IGA) program.
Though the first approach is simpler and seems less time-consuming as well as easier to plan and carry out, in the long run it brings fewer benefits, since it usually solves the most urgent problems, often occurring in a single department (IT, HR, Compliance, Security etc.). As such, it lacks the holistic view of the needs of the whole company.
On the other hand, a dedicated IGA program engages multiple departments from early on and addresses their (short-term and long-term) needs in a coordinated manner. It launches all the necessary projects and initiatives, including implementation and development of tools that support identity management (IdM, IAM, AM). It designates a program manager who coordinates all actions. This ensures a wider view of identity – the project team determines what the organisation’s current situation is and where it is headed, while the implementation of tools remains only one of the goals.
Typical tasks, projects and initiatives in a mature IGA program:
• setting goals and priorities for the entire organisation
• defining roles in the program along with accountability and communication
• business analysis, preparing documentation and defining requirements regarding changes: business processes, IT tools, standards, data models
• preparing a roadmap, including the set-up, maintenance and supervision over:
– the project of purchase, implementation and continuous development of the configuration of the IGA tool
– the initiative to integrate managed systems
– the initiative to plan and perform reviews of access rights
– the initiative to model business roles (combining various privileges so that they make sense business-wise)
– the initiative to identify separation of duties and to detect conflicts of privileges
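The security rules from the “Ensure security” section (revoke on leaving, suspend unused access, no excessive rights) and the role-modelling and SoD initiatives listed above can be expressed as one review over HR source records and system accounts. This is an added illustration, not code from the article or from Concept Data; the HR statuses, role model, entitlement names, SoD rule and employee records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
# Constructed sample model (not from the article): HR is the source of identity,
# accounts live in the managed business systems and are linked by employee id.
@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    status: str   # "active", "on_leave" or "terminated"
    role: str     # business role assigned in HR
@dataclass(frozen=True)
class Account:
    system: str
    emp_id: str
    entitlements: frozenset
    last_login: date
# Business role model: the entitlements each role justifies (constructed).
ROLE_MODEL = {
    "accounts_payable": {"erp:invoice_create", "erp:vendor_read"},
    "treasury": {"bank:payment_approve", "erp:vendor_read"},
}
# Segregation of duties: entitlements one identity must never hold together (constructed).
SOD_RULES = {"create and approve payments": {"erp:invoice_create", "bank:payment_approve"}}
def review_access(hr_records, accounts, today, stale_days=90):
    # Returns remediation actions as (action, emp_id, system, detail) tuples.
    hr = {h.emp_id: h for h in hr_records}
    actions, held = [], {}   # held: every entitlement per identity, across all systems
    for a in accounts:
        h = hr.get(a.emp_id)
        if h is None or h.status == "terminated":   # leaver or orphan account
            actions.append(("disable", a.emp_id, a.system, "no active HR record"))
            continue
        if h.status == "on_leave" or (today - a.last_login).days > stale_days:
            actions.append(("suspend", a.emp_id, a.system, "long absence or unused access"))
        if excess := a.entitlements - ROLE_MODEL.get(h.role, set()):   # beyond the role
            actions.append(("revoke", a.emp_id, a.system, sorted(excess)))
        held.setdefault(a.emp_id, set()).update(a.entitlements)
    # SoD is evaluated on the identity, not per account, so conflicts spanning systems surface.
    for emp_id, ents in held.items():
        for label, toxic in SOD_RULES.items():
            if toxic <= ents:
                actions.append(("sod_conflict", emp_id, None, label))
    return actions
def sample_review():   # constructed HR and account data, reviewed as of 2024-06-01
    hr = [HrRecord("e1", "active", "accounts_payable"), HrRecord("e2", "on_leave", "treasury")]
    accounts = [
        Account("erp", "e1", frozenset({"erp:invoice_create", "erp:vendor_read"}), date(2024, 5, 20)),
        Account("bank", "e1", frozenset({"bank:payment_approve"}), date(2024, 5, 1)),
        Account("erp", "e2", frozenset({"erp:vendor_read"}), date(2024, 1, 5)),
        Account("crm", "e9", frozenset({"crm:read"}), date(2024, 5, 30)),  # no HR record
    ]
    return review_access(hr, accounts, date(2024, 6, 1))
```

The SoD check deliberately runs on the identity’s combined entitlements rather than on each account, which is why the conflict between the ERP and bank accounts of the same person is found even though neither account violates the rule on its own.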
How to make a good start?
An IGA project is a big thing. To make it successful, a company needs to reassess its current possibilities. The pace of work must take into account the participants’ availability and level of engagement.
The project participants should include employees from multiple departments that need to process identities (IT, Security, HR, Compliance) as well as people with extensive analytical skills, since it is necessary to prepare a precise description of the company’s needs and of the way to meet those needs.
Not only the project team, but also the entire company has to be prepared for the changes to come. The benefits that the new tool will bring to particular departments should be pointed out clearly (e.g. reducing the workload of the help desk, automating repetitive actions done by administrators who create accounts and set up privileges). Employees must be aware that temporary inconveniences might occur, e.g. filing documents both in the old system and the new system depending on related processes and applications.
A few questions to ask at the beginning:
• what is important to the organisation at the moment?
• what is the biggest problem and the biggest challenge right now?
• are there any quick wins achievable in the nearest future?
• are there any areas with excessive risks that should be reduced?
Based on the answers to these questions, one can define the first tasks and carry on in iterations. This is very important when the project is this big, since you cannot do all of it at once. When it comes to IGA, each little step has its value. Each such step enhances the security and the automation of processes which make use of digital identities.
This text is based on a webinar “Organising and Planning Identity Management – What to Consider? How to Avoid Mistakes?” It was hosted by experts from Concept Data: Sławomir Kuźmiński, Identity Strategy & Solution Advisor, and Krzysztof Bicz, IAM Consultant.
More about IAM systems:
The IAM systems. Agile business that is secure, employee-friendly and in line with regulations
Remote work which is secure and effective. What tools to choose
Secure access to company data. How to facilitate remote work, protect resources and support IT departments
Safeguards which understand the user. CyberArk Identity Adaptive MFA
Company’s Registration Address:
Concept Data SA
ul. Piękna 24/26A
office: +48 22 833 86 35
fax: +48 22 832 17 19