Fully implementing ICAM (Identity, Credential and Access Management) doesn’t have to be overwhelming. You simply need to break the framework down into its component services and then bring each of those up to speed. There’s good news here. By achieving a full ICAM program, you will have increased credibility in dealing with the federal government. Even better, your existing identity and access management program may only need a few tweaks to achieve full ICAM success.
The 7 Crucial ICAM Services You Need
As you review this list of services, give yourself a score of 0-10, where 10 is a fully implemented solution. Once you identify weak areas, you can direct your staff to make improvements.
1) Digital Identity
Each user and technology asset needs to have a defined digital identity. Without this centralized inventory, implementing successful ICAM will become very challenging. To maintain sufficient digital identity information, use the following practices:
● Activation. Use a defined process to create new identities. For example, link new user account creation to the hiring process.
● Maintenance. Change digital identity data to track changing work roles (e.g. promotions to new positions). Likewise, if an employee changes departments, their digital identity should be updated as well.
● Deactivation. Inactive identities pose a security risk. Find out more about controlling this risk through our article: Stopping Inactive User Account Risk Fast.
2) Credential Management
The same lifecycle management processes (creating credentials, maintaining them and removing them) apply to credentialing. In addition, you need to consider sponsorship: are the right users involved in sponsoring credentials? If your organization has suffered security incidents recently, you may need to reduce the number of users who can sponsor credentials.
3) Privilege Management
In ICAM, not all users are created equal. For instance, some users will only require read-only access to customer information. You will also need to manage powerful user privileges, such as the ability to approve payments and approve access requests. If you are too restrictive in privilege management, you will end up with frustrated executives who need to approve every transaction.
To solve this problem, use two principles to optimize your privilege management. First, adopt the principle of least privilege. What is the minimum set of privileges needed for a person to carry out their role? Second, acknowledge that privilege management requires ongoing fine-tuning. Set a recurring schedule (e.g. monthly reviews for administrative accounts) to ask for user feedback. Find out if people are using their privileged access and whether these permissions can be adjusted.
4) Authentication
Closely related to authorization and access (covered below), authentication is the process of verifying that a user is who they claim to be.
The authentication processes you use should reflect the security risks. For example, you may choose to require two-factor authentication when users are logging into your network from another country. To protect the most sensitive user accounts (e.g. accounts for executives), implementing biometric authentication may be needed.
Tip: Increasing your adoption of multi-factor authentication is one way to reach full ICAM implementation. If your management is reluctant to invest in this technology, you need to create a business case. Get started with our guide: Build Your Business Case for Multi-Factor Authentication in 5 Steps.
5) Authorization & Access
If you have managed identities, privileges and authentication effectively, managing authorization and access becomes much more manageable. There are two techniques we recommend to tighten your access controls.
- Scheduled Access Reviews. Each month or each quarter, review the user access to your apps and systems. If you notice that users are not using certain SaaS apps often, propose reducing your SaaS licenses accordingly.
- Challenge Existing Access Needs. When new technologies are implemented, legacy systems are sometimes kept in place for some time. This is a good opportunity to challenge those older access arrangements. If users have not accessed a system in 3-6 months, reach out to them and ask if you can remove their access.
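The deactivation, privilege review and access review steps above all come down to the same question: which identities and entitlements are still being used? The following script is an added example (not tooling from the article or its vendor) that answers it over a constructed entitlement inventory and a constructed access log. The user names, system names, log format and thresholds (30 days for privileged access, matching the monthly review cadence for administrative accounts; 90 days for ordinary access; 180 days for an identity to count as inactive) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Entitlement:
    """One user's access to one system; privileged marks admin/approver rights."""
    user: str
    system: str
    privileged: bool


# Constructed entitlement inventory (hypothetical users and systems).
ENTITLEMENTS = [
    Entitlement("alice", "payments", privileged=True),
    Entitlement("alice", "crm", privileged=False),
    Entitlement("bob", "crm", privileged=False),
    Entitlement("bob", "legacy-erp", privileged=False),
    Entitlement("carol", "payments", privileged=True),
    Entitlement("dave", "crm", privileged=False),
]

# Constructed access log, one event per line: "<ISO timestamp> <user> <system> <result>".
ACCESS_LOG = """\
2024-06-01T09:12:00 alice payments success
2024-06-20T14:03:00 alice crm success
2024-03-02T08:00:00 bob crm success
2023-11-15T10:30:00 bob legacy-erp success
2024-06-25T16:45:00 carol payments failure
"""


def parse_log(text):
    """Return {(user, system): datetime of the most recent successful access}."""
    last_seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, system, result = line.split()
        if result != "success":
            continue  # a failed attempt is not evidence that the access is needed
        when = datetime.fromisoformat(ts)
        key = (user, system)
        if key not in last_seen or when > last_seen[key]:
            last_seen[key] = when
    return last_seen


def review_access(entitlements, log_text, as_of, stale_days=90, privileged_stale_days=30):
    """Flag entitlements with no successful use inside their review window.

    Privileged access gets the shorter window. Returns a sorted list of
    (user, system, reason) tuples for the reviewer to follow up on.
    """
    last_seen = parse_log(log_text)
    findings = []
    for e in entitlements:
        window = timedelta(days=privileged_stale_days if e.privileged else stale_days)
        seen = last_seen.get((e.user, e.system))
        if seen is None:
            findings.append((e.user, e.system, "never used in log"))
        elif as_of - seen > window:
            findings.append((e.user, e.system, f"unused for {(as_of - seen).days} days"))
    return sorted(findings)


def inactive_identities(entitlements, log_text, as_of, inactive_days=180):
    """Users holding access who have not successfully used any system in the window."""
    last_seen = parse_log(log_text)
    inactive = []
    for user in sorted({e.user for e in entitlements}):
        recent = [when for (u, _), when in last_seen.items() if u == user]
        if not recent or as_of - max(recent) > timedelta(days=inactive_days):
            inactive.append(user)
    return inactive


def run_review(as_of_iso="2024-07-01T00:00:00"):
    """Run both checks against the constructed data; returns (findings, inactive users)."""
    as_of = datetime.fromisoformat(as_of_iso)
    return (review_access(ENTITLEMENTS, ACCESS_LOG, as_of),
            inactive_identities(ENTITLEMENTS, ACCESS_LOG, as_of))


if __name__ == "__main__":
    findings, inactive = run_review()
    for user, system, reason in findings:
        print(f"REVIEW   {user:<6} {system:<11} {reason}")
    for user in inactive:
        print(f"INACTIVE {user}")
```

Two design points carry over to a real deployment: failed logins are deliberately ignored, because an account that only ever fails to authenticate (carol on the payments system here) should be a candidate for removal rather than evidence of use, and the identity-level check is separate from the entitlement-level check so that a user whose every entitlement is stale surfaces once as a deactivation candidate instead of as a list of individual removals.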
6) Cryptography
Cryptography is another line of defense you can leverage to keep your organization safe. Some hackers will attempt to break your passwords. Others will go after your data in transit or at rest, especially when it is stored in the cloud. However, there is a productivity trade-off involved in encrypting and decrypting data regularly.
Focus your cryptography program on the “Crown Jewels” in your organization. For example, a training manual for a specialized spreadsheet may not require extensive cryptographic protection. By contrast, financial data and applications are highly sensitive and deserve a much greater level of protection.
Resource: For more detailed guidance on US government expectations for cryptography, please take a look at the following publication – Security Requirements for Cryptographic Modules.
7) Auditing & Reporting
Everybody has blind spots even if they are highly motivated to manage IT security. That’s why ICAM expects that you will have auditing and reporting capabilities in place. The right software solution makes a tremendous difference here. If it takes several days to create monthly access reports, your staff are going to be reluctant to do that work.
Instead, use a software tool like Compliance Auditor, which tracks all access requests and approvals. From that record, you can easily build a picture of the changing identity and access landscape in your organization.
The Two Missing Links in Achieving ICAM Success
Achieving consistent success in ICAM means that you need all seven areas running smoothly at all times. One option is to hire a small army of staff to manage your identity and access management needs. To a degree, you do need a team in place to manage your identity and access management arrangements. However, there’s no need to hire a dozen staff.
Instead, you can leverage access management software solutions. For example, you might have a help desk that spends 50% of its time on password reset requests. That workload prevents the IT help desk from addressing more complex technology requests quickly. You can reduce the burden on your staff by introducing an IT security chatbot that can handle password changes day or night.