Introduction to identity and access management

This document serves as an introduction to the fundamental techniques, technologies, and applications associated with identity and access management, primarily targeting technical personnel.

This guidance aims to:

• Clarify key principles important for designing user access management for sensitive roles.
• Illustrate architectural best practices when implementing and administering IAM systems.
• Provide resources for further exploration of relevant topics.

Identity and Access Management encompasses the policies, processes, and technologies that link individuals to specific permissions within a system.

These permissions may allow individuals to:

• Perform critical functions.
• Access sensitive data.
• Manage and administer the system.

An effective IAM system comprises several technical components, such as directory services and authentication tools that leverage information about access permissions.

Key areas of focus in identity and access management include:

• Policy: Governance strategies that outline who can access systems, under what conditions access is granted or revoked, and requirements for collaborative actions.
• Identity Management: Establishing and verifying the identities of individuals during their initial contact and ongoing interactions with the system.
• Privileged User Management: Implementing additional safeguards for users with heightened access permissions.
• Architectural Design: Creating secure frameworks that support IAM processes.
• Operations and Monitoring: Enforcing procedures and technologies that detect and respond to security policy breaches.

A comprehensive IAM policy should include:

• Criteria for who is authorized to access specific systems and why.
• Conditions under which access may be revoked or granted, typically handled through a joiners, leavers, and movers framework.
• Analysis of processes requiring multiple users for action execution.
• Recording of actions taken, along with how audit trails are maintained and protected from unauthorized alterations.

Policy frameworks such as ISO27002 and IEC 62443-2-1:2011 provide standards for establishing effective IAM policies.

Additional resources include:

• CPNI’s Physical Security Guidance.

Proper identification of any system user is essential, particularly at first contact, to establish their true identity and subsequent authentication methods. Important aspects to consider include:

• The level of access associated with the user, ensuring strong identity verification for those with sensitive permissions.
• The reliability of third-party assertions, especially concerning contractors and external personnel.
• Whether specific roles necessitate stricter background checks or enhanced security clearances.

Once an initial identity is confirmed, it must be linked to a strong authentication method, which should align with the sensitivity of the user’s access.

It is crucial to factor in where the user is authenticating from and the security of the devices in use. Authentication strategies should consider permissions, device trust levels, and locations, particularly when dealing with devices that may not be secure.

Different authentication methods include:

• Passwords – the most basic credential form that requires secure handling.
• Two-Factor Authentication – significantly enhances security by adding an additional authentication layer.
• Hardware-Backed Certificate Authentication – employs cryptographic materials to confirm identity, requiring trust in both the hardware and procedures surrounding it.
• Biometric Authentication – utilizes physiological traits for identification, which, while advanced, can pose certain vulnerabilities.

Reviewing and implementing relevant guidance is advisable to optimize IAM practices:

• CPNI’s guidance on Personnel Security and Pre-employment Screening.
• NCSC’s Password Guidance.

Privileged users possess access that impacts beyond their designated roles, including:

• Administrators managing critical systems and networks.
• Access to systems performing vital functions, like payment approvals.
• Developers with rights to edit foundational code.

Managing these accounts is critical to ensure the integrity of actions taken under their privileges, which can otherwise expose systems to threats. To minimize misuse of privileged accounts, consider implementing the following:

• Separate user accounts: Create distinct credentials for tasks that blend privileged actions with typical functions.
• Avoid untrusted devices: Minimize actions taken from compromised or insecure devices.
• Prefer ‘browsing down’: When accessing systems across network boundaries, do so from trusted environments to maintain security integrity.

Some of these methods may impact user experience, but they are essential for enhancing security.

Monitoring privileged actions should also be enforced via:

• Independent verification of significant changes or actions.
• Issuing support tickets prior to specific operational actions.
• Regular audits of privileged user activity, examining patterns for suspicious changes.

For additional learning, consider these resources:

• Microsoft’s Tiered Administration Model.
• NCSC’s blog on Protecting Management Interfaces.
• NCSC’s Design Principles.
• NCSC’s Secure Development Guidance.

When designing IAM systems, consciousness of potential vulnerabilities is paramount, as attackers often target these systems for unauthorized access.

Recommendations include:

• Isolating components connected to untrusted networks from core systems.
• If using Active Directory, consider Microsoft’s Administrative Tier Model.
• For Single Sign-On (SSO) systems, ensure that identity assertions originate from verified sources.

For organizations dealing with Operational Technology (OT), such as industrial control systems, the following practices are critical:

• Do not manage OT from enterprise IT networks to maintain system integrity.
• Ensure OT systems do not rely solely on a corporate user directory for access control.
• Adopt a ‘push’ methodology for transmitting data between IT and OT systems, avoiding direct access from IT to OT.
• When necessary, monitor or validate communications crossing IT and OT boundaries.

Due to the high stakes of identity and access management systems, they should receive priority for security updates and maintenance to thwart potential breaches. Best practices include:

• Designing monitoring systems that track user activity effectively.
• Linking user actions back to their profiles for accountability.

For further information on these practices, consult the following guides:

• Vulnerability Management
• Protective Monitoring
• Operational Technologies