How to Build an Identity and Access Management Architecture

New technology, an increase in remote employees, and mobile devices have made businesses of all sizes recognize the need for a secure place to store personal protected information (PPI). The data also has to be accessible to those that need it to perform their jobs.

To protect stored PPI while still allowing authorized viewing, many companies are implementing identity and access management (IAM) programs. IAM is a set of practices used to manage digital identities, along with access to information and technologies. An effective IAM program will prevent many internal and external cybersecurity breaches. However, not everyone knows how to design an IAM program.

In this guide, you’ll find information on identity and access management architecture, along with tips on how to build one for your company.

 

What Is IAM?

Identity access management can use several technologies to control who can view data. These controls include,

• Multifactor authentication
• Single sign-on
• Password management
• Profile management

Companies may use one or all of these controls, depending on their individual cybersecurity needs.

A single sign-on control is a federated identity management (FIM) service. This is an agreement between all company partners to allow a user one sign-in to access multiple networks. For employees that frequently need to view data across different networks, this can be a convenient and time-saving option.

Multifactor authentication is a recommended cybersecurity protocol. It requires employees to enter their password and another form of identification. This can be a daily code passed out to authorized employees, an I.D. badge, or a fingerprint scan.

Password management ensures that employees regularly change their passwords. It also checks current password strength and automatically deletes old ones that are no longer in use.

Profile management is an important IAM control. It manages users’ profiles to ensure identity and authorization. It can also go a step further by managing the profiles of all users, beyond employees. For example, a healthcare professional can check if a patient’s information is current.

 

Assess your cybersecurity

 

An identity access management program with the right controls in place will be able to prevent cybersecurity breaches and vulnerabilities. However, building an IAM program will require more than implementing controls.

Building an Identity and Access Management Architecture

There are several components to a successful IAM program that include access controls, identity authentication, managing accounts, among others. This means that the IAM architect must take into account several principles when they’re building an IAM program.

 

1. Must Account for Private and Public Identifiers

In an IAM system, users normally have multiple identifiers. This applies to employees and consumers. In some industries, customers will also have access to limited information.

There are two types of identifiers, public and private. Public identifiers are the ones that employees and consumers use for limited network access and are often considered “shareable information”. These public identifiers can include,

• A user name (picked by the user)
• Phone number
• Email address
• Insurance policy number
• Client number (assigned by the company)

An IAM system must allow public identifiers to be changed by the user. It should also account for multiple identifiers for a single user. For example, a user can have multiple email accounts. Users should be able to easily change their public identifiers without impacting the system.

Private identifiers serve two purposes. The first is used as part of a multifaceted authorization process. In this instance, the private identifier is something unique to the individual. This can be an I.D. badge, along with a retinal or fingerprint scan.

The second reason applies to public network users. It’s a private identifier that can only be changed internally, with proper access. The identifier is also unknown to the public user. Basically, it adds another layer of protection against unauthorized use. It uses the private identifier to verify the public user’s access information.

 

2. Keep Personally Identifiable Information Separate

Keeping personally identifiable information (PII) separate from all other systems and data is a crucial part of identity and access management architecture. It is one of the best cybersecurity practices for managing and protecting PII and other data.

Personally identifiable information is any data that can be used to trace an individual. This includes,

• First and last names
• Social security numbers
• Place of birth and date
• Mother’s maiden name
• Medical, Education, Financial records

If any of this information is hacked from the main system or network, it is a compliance violation. Whether you use an on-site, off-site, or in the cloud for data storage, PII must be kept separate from public data in an effective IAM program.

Also included in PII are some of the access protocols employees use for network authorization. Retina/iris and fingerprint scans are common biometrics used for access authorization and this works by comparing current data with previously stored information. If the stored biometrics are altered by hackers, the biometric authorization would allow illegal access.

 

3. Keep Access Controls Externalized 

The access controls a company implements are only effective if employees understand them. Externalizing access control rules makes it easier for employees to understand the new practices and how to follow them. Businesses want the implementation of access controls to go smoothly, with minimal disruption to operations.

IAM architecture also needs to take into account how the access control rules will be enforced once employees are familiar with them. There are different policy models that can be put into place that outline how rules are enforced. Companies can also choose to create their own.

The benefit of hiring an architect is that they are already familiar with the technical language that will be needed to write the comprehensive access controls rules and enforcement policy.

 

4. Assign Trust Levels to Network Components 

There are several components in a network. Not all have the same trust level or plane. Putting components on varying trust plans limits their access to each other. This also makes it difficult for hackers to access one component from another.

Some of the components that should be assigned trust levels when a company is building an identity and access management architecture include,

• Identity Provider (IdP)
• Identity Store (Idap/database)
• Gateway (policy enforcement point)
• Service Providers

When companies are building their IAM architecture these and other components can be assigned different trust levels. For example, if the identity provider is the cornerstone of the network, it can be assigned a high trust level. From there, the architect can decide which other components will have access to it.

 

5. Keep Onboarding and Self-boarding Separate

On and self-boarding refer to who accesses the network and controls authorization. The company ultimately controls the network, but differences appear depending on who accesses it.

Onboarding is typically done by authorized employees. This means that they are accessing the network internally. HR departments are usually responsible for maintaining user accounts, with issues being reported to management and the IT department.

Self-boarding refers to customers accessing the network. Their access is limited to stored information and their account is maintained and managed by themselves. This can present a cybersecurity risk. If hackers breach a self-boarding account they could potentially access the rest of the network. Separating on and self-boarding accounts give another layer of protection to the IAM plan.

 

6. Use Pseudonyms for Attribute Sharing 

Since private and public identifiers are kept separate, companies do not want private identifiers to be used to access a public network. For the scope of some employees’ jobs, they will need data from public and private systems. Assigning these employees pseudonyms that change regularly as a private identifier for the public system’s access will help protect data security from potential hackers.

Another way to use pseudonyms for attribute sharing is to assign one to each service provider. This will allow public identifiers to be changed by the user without disrupting the system – it will still recognize the user even with a password change. This can also apply to employees that access multiple systems.

7. Privileged Accounts are Separate

Identity and access management architecture needs to account for privileged accounts. These are the ones used by administrators to log into,

• Servers
• Firewalls
• Switches
• Routers
• Databases

These accounts are often a target for hackers due to the privileged information they contain. This includes access codes and passwords to personal protected information (PPI). An IAM architect has to recognize the importance of protecting this information and create cybersecurity protocols to prevent hackers from gaining access.

 

8. Identify and Fix All Risks

While a company is building its IAM program, it’s the ideal time to look for flaws and weaknesses in the current cybersecurity protocols. This especially applies to identity and access management. Often this is one of the weakest points in a company’s cybersecurity plan.

During the assessment, the IAM architect will look for any vulnerabilities. If any are found protocols will be designed and implemented. However, it’s also important for the architect to not try and “improve” anything that isn’t vulnerable. It often leads to delays that cost businesses time and money.

 

9. Data Encryption 

Protecting data when it’s stored and in transit is key for any successful IAM program. Even though there are compliance standards that restrict sending PPI over unsecured networks or to unauthorized entry/exit points, the data is still vulnerable to hackers. Some industries already either recommend or require that data is encrypted during transmission but do not address the inherent vulnerabilities when it’s stored.

When data is resisting it is still vulnerable to cyberattacks. Even when it is protected by firewalls and other practices. Encrypting all PPI during all stages from handling to sending and receiving will dramatically reduce a company’s chances for a cybersecurity breach.

 

In Conclusion

It is important for businesses to build an identity and access management architecture. Managing identity and access to PPI is paramount for a company’s success. However, creating an effective IAM program goes beyond simply monitoring network access and updating users’ accounts.

Identity and access management must include all network components. This is everything from service providers to the database. It can be a large and time-consuming project for any company, regardless of its size. If the business is considering expanding, it can be even more difficult to create. This means more information must be included in the IAM architecture.

When your company is ready to build an identity and access management architecture the certified experts at RSI Security are here to help.