Introduction to identity and access management

Overview of Identity and Access Management

When identity and access management (IAM) processes are poorly designed or executed, they can give attackers an easy way into your systems while appearing to act with legitimate authority. Therefore, it is crucial to evaluate the security of various identity facets:

  • Verifying that a new user is indeed who they claim to be, and that their access level is aligned with their background and roles.
  • Binding a verified user to their identity within your system through a reliable authentication method.
  • Ensuring the authentication method instills confidence that the identity being used matches the staff member whose identity has been verified.
  • Implementing the principle of least privilege to restrict user access and functionality as necessary.

Moreover, robust design and administration of your access management systems are vital.


Purpose of This Guidance

This guidance serves as an introductory framework on essential identity and access management techniques, technologies, and applications, primarily targeted towards technical personnel.

This document aims to:

  • Provide clarity on fundamental principles for designing user access management for critical systems or roles.
  • Outline best practices in designing and administering access management systems.
  • Offer resources for further reading on select subjects if additional information is desired.


Conceptual Framework of IAM

Identity and access management encompasses the policies, processes, and systems that facilitate the linkage of an individual (or sometimes a system) to specific permissions within your organization.

These permissions enable individuals to:

  • Perform critical functions (e.g., modifying industrial control processes)
  • Access vital data (e.g., employee records)
  • Administer overarching system functionalities

An effective access management system consists of various technical components, including directory services and authentication mechanisms that check authentication and authorization information consistently across your systems.

Identity and access management can be categorized into the following major areas:

  • Policy: Your strategic guidelines outlining who can access systems, data, or functionalities, under what conditions access can be granted or revoked, and whether specific operations necessitate collaboration from multiple users.
  • Identity Management: Processes to establish a person’s identity during initial contact and in subsequent interactions with your systems.
  • Privileged User Management: Additional controls aimed at ensuring the security of sensitive system operations.
  • Architectural Design: Secure design principles for the systems supporting the above elements.
  • Operations and Monitoring: Mechanisms for monitoring and investigating breaches of policy or security controls.


Establishing Effective Policies

An IAM policy typically outlines:

  • The individuals permitted to access specific systems, data, or functionalities, and their rationale.
  • The conditions under which access will be granted or revoked, often managed through a process for new joiners, departures, and role changes.
  • Which tasks should require more than one individual to complete.
  • Recording actions performed, acquiring audit logs, and safeguarding them against alterations.

International standards provide detailed IAM policies to follow, such as ISO27002 (specifically Section 9 – Access Management) or, for industrial control systems, IEC 62443-2-1:2011.

Additional useful guidance includes:


Identity Verification Processes

Properly verifying anyone who could gain access to your systems from the first contact point is crucial for establishing their true identity and enabling consistent future authentication. Key considerations for identity establishment include:

  • The extent of access required; higher sensitivity necessitates stronger identity verification.
  • The level of trust in third-party assertions, such as contractors responsible for maintenance.
  • The necessity for stringent background checks or security clearances for specific roles.

Once the identity is established, it must be bound to a user through an authentication process, with the strength of this method reflecting the sensitivity of the user’s access.

When crafting an authentication strategy, consider both the physical environment from which users will authenticate and the reliability of the devices they use.

Various authentication methods present different strengths and limitations:

  • Password-based Authentication: The most basic form; it offers no further protection once the password is compromised.
  • Two-Factor Authentication (2FA): Adds a second authentication element, such as a physical token or mobile verification, enhancing security.
  • Hardware-backed Certificate Authentication: Utilizes cryptographic keys stored on hardware devices, providing high trust if combined with other controls.
  • Biometric Authentication: Utilizes physiological traits for identification, though some methods may be easier to spoof.

We recommend reviewing pertinent guidance:


Managing Privileged Users

Individuals with access that can significantly impact systems beyond their job duties are classified as privileged users. Examples include:

  • Administrators managing critical systems (e.g., database or system admins).
  • Users accessing systems vital for critical operations (e.g., industrial systems, financial approvals).
  • Developers who can modify crucial code repositories.

Effectively managing privileged users means ensuring that the actions linked to their accounts are their own. In addition to robust authentication, consider the following measures to mitigate the risk of misuse:

  • Separate accounts for distinct functions: Assign different credentials to users who need both privileged and everyday access to prevent misuse.
  • Avoid untrusted devices for privileged tasks: Only allow privileged actions from devices you trust.
  • Maintain integrity across network boundaries: Prefer conducting privileged actions from trusted environments to minimize compromise risks.

Although some of these practices may be less convenient for users, they substantially improve security resilience.

To control privileged user actions further, implement the following measures:

  • Require confirmations for actions (e.g., code changes should be reviewed).
  • Set up support ticket systems for critical actions.
  • Monitor actions of privileged users actively, not just through logs, to detect suspicious behavior.
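
As an added example (not part of the original guidance), the following Python script applies the controls listed above to a constructed audit log: privileged actions must come from a privileged account, a trusted device and an approved ticket, and a privileged account should not be used for everyday activity. The account, device and ticket names are assumptions standing in for your own inventory.

```python
import json

# Constructed policy data; a real deployment would load these from its inventory.
PRIVILEGED_ACCOUNTS = {"adm-alice", "adm-bob"}
TRUSTED_DEVICES = {"paw-01", "paw-02"}                      # privileged access workstations
APPROVED_TICKETS = {"CHG-1042"}                              # change tickets currently approved
PRIVILEGED_ACTIONS = {"modify_ics_setpoint", "grant_role", "push_to_main"}

# Constructed sample audit records, one JSON object per line.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00Z","user":"adm-alice","device":"paw-01","action":"grant_role","ticket":"CHG-1042"}
{"ts":"2024-05-01T09:05:00Z","user":"adm-alice","device":"laptop-77","action":"grant_role","ticket":"CHG-1042"}
{"ts":"2024-05-01T09:10:00Z","user":"adm-bob","device":"paw-02","action":"push_to_main","ticket":""}
{"ts":"2024-05-01T09:15:00Z","user":"adm-bob","device":"paw-02","action":"read_email","ticket":""}
{"ts":"2024-05-01T09:20:00Z","user":"carol","device":"laptop-12","action":"read_email","ticket":""}
"""

def check_record(rec):
    """Return the list of policy violations for one audit record (empty if compliant)."""
    findings = []
    user, device, action = rec["user"], rec["device"], rec["action"]
    ticket = rec.get("ticket", "")
    privileged_account = user in PRIVILEGED_ACCOUNTS
    privileged_action = action in PRIVILEGED_ACTIONS
    if privileged_action and not privileged_account:
        findings.append("privileged action from non-privileged account")
    if privileged_action and device not in TRUSTED_DEVICES:
        findings.append("privileged action from untrusted device")
    if privileged_action and ticket not in APPROVED_TICKETS:
        findings.append("privileged action without approved ticket")
    if privileged_account and not privileged_action:
        findings.append("privileged account used for everyday activity")
    return findings

def scan_log(text):
    """Parse newline-delimited JSON audit records; return (timestamp, user, findings) for violations."""
    alerts = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        findings = check_record(rec)
        if findings:
            alerts.append((rec["ts"], rec["user"], findings))
    return alerts

if __name__ == "__main__":
    for ts, user, findings in scan_log(SAMPLE_LOG):
        print(ts, user, "; ".join(findings))
```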

For additional insights, consult:


Architectural Considerations

When designing an IAM system, it’s vital to recognize its appeal to potential attackers, who view it as a pathway to gain system access.

Recommendations include:

  • Isolate external-facing IAM components from core systems when dealing with untrusted networks like the Internet.
  • Employ Microsoft’s Administrative Tier Model when using Active Directory.
  • When implementing Single Sign-On (SSO) or federated approaches, validate that incoming identity assertions stem from trusted sources.
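
As an added example (not part of the original guidance), the following Python code shows the checks a relying service should perform on an incoming federated identity assertion before trusting it: the issuer must be on an allow-list, the signature must verify under that issuer's key, the audience must be this service, and the assertion must not have expired. The token format, issuer URLs, audience and shared HMAC key are all constructed here; a real SSO deployment would verify the identity provider's signing certificate instead of a shared secret.

```python
import base64, hashlib, hmac, json, time

# Constructed trust store: issuer -> key used to verify its assertions (assumption).
TRUSTED_ISSUERS = {"https://idp.example.internal": b"idp-secret-key"}
OUR_AUDIENCE = "https://app.example.internal"          # the only audience we accept

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(issuer, key, subject, audience, lifetime=300, now=None):
    """Build a signed assertion in a constructed 'payload.signature' format (not SAML or JWT)."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + lifetime}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def validate_assertion(token, now=None):
    """Return (ok, reason, subject); reject anything not provably from a trusted issuer."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = json.loads(_unb64(body))
    except ValueError:                       # covers bad base64 and bad JSON
        return False, "malformed", None
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        return False, "untrusted issuer", None   # source not on the allow-list
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature", None      # not actually issued by that issuer
    if payload.get("aud") != OUR_AUDIENCE:
        return False, "wrong audience", None     # minted for a different service
    if payload.get("exp", 0) <= now:
        return False, "expired", None
    return True, "ok", payload.get("sub")
```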


Operational Technology Management

In organizations managing Operational Technology (OT) such as industrial control systems, the following practices are advisable:

  • To preserve its integrity, OT should not be managed from the enterprise IT environment.
  • OT systems shouldn’t solely depend on a lower trust domain for authentication, as this poses security risks.
  • For data transfer between IT and OT systems, prefer a ‘push’ method from OT to IT, rather than granting IT direct access to OT.
  • Ensure communications between IT and OT are transparent and inspectable, possibly using firewalls for boundaries.


Operational Oversight and Monitoring

Given the significance of IAM systems to attackers, they warrant prioritized security maintenance, including timely application of patches and diligent user management.

Additionally, it is recommended to:

  • Design access control systems to enable straightforward monitoring of user activities.
  • Ensure comprehensive tracking of actions to link them to specific users.

For comprehensive guidance on these subjects, refer to:


Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/introduction-identity-and-access-management
