Introduction to identity and access management

Overview of Identity and Access Management

The design and implementation of identity and access management (IAM) processes are crucial for safeguarding your systems. If executed poorly, they can provide attackers with a straightforward path to gain unauthorized access that may seem legitimate. It’s important to account for every aspect of identity security:

  • Verifying new users’ identities and ensuring the trust level and access granted aligns with their background.
  • Binding identified users to their system identities through robust authentication methods.
  • Ensuring the authentication process reliably confirms that the identity is being used by the validated individual.
  • Employing the principle of least privilege to restrict access and functionality for different users.

Additionally, having access management systems that are well-designed and properly managed is essential for maintaining security.


Purpose of This Guidance

This document serves as an essential guide on the fundamental techniques, technologies, and applications of identity and access management, specifically tailored for technical personnel.

It aims to:

  • Introduce basic principles to consider when developing user access management for sensitive roles or systems.
  • Outline fundamental architectural best practices for designing and managing access control systems.
  • Suggest further reading on various relevant topics for those interested in learning more.


Understanding IAM

Identity and access management encompasses a collection of policies, processes, and systems that link a user (or sometimes a system) to specific permissions within your infrastructure.

These permissions might enable a user to:

  • Execute functions (like adjusting industrial control processes).
  • Access confidential data (such as employee records).
  • Administer the system.

An effective access management system integrates various technical components, including directory services and authentication frameworks, which ensure the secure handling of authentication and authorization data.

The core components of identity and access management include:

  • Policy: Outlining strategies for authorizing access to systems, data, or functionalities, including how access requests are managed and when access should be revoked.
  • Identity Management: Establishing a person’s identity during initial and subsequent interactions with your systems.
  • Privileged User Management: Implementing additional controls to protect sensitive operations on the system.
  • Architectural Design: Securing the technical design of systems that support these functions.
  • Operations and Monitoring: Managing processes and technologies that detect and address any breaches of policy or control.


Establishing Access Policies

Effective identity and access management policies typically address:

  • Determining who should have access to specific systems and the rationale behind it.
  • Setting conditions for granting or revoking access, commonly managed through joiners, leavers, and movers processes.
  • Examining which functions should necessitate multiple individuals to carry them out.
  • Establishing records for actions taken, methods for acquiring audit logs, and safeguards against tampering.

You can refer to various international security standards for comprehensive identity and access management policies, including ISO 27002 and IEC 62443-2-1:2011.


Identifying Users

Identifying potential users of your systems at the initial contact is critical for establishing their true identity and future authentication methods. Key considerations include:

  • The access level they will require—more sensitive access demands stringent identity validation.
  • Reliance on third parties for identity verification—such as external contractors—warrants confidence in their identity proofing processes.
  • Whether specific roles necessitate more thorough background checks or security clearances.

After verifying an individual’s identity, bind them to that identity with a corresponding authentication method. The authentication’s strength should correlate with the user’s access sensitivity or privilege level.

When designing authentication protocols, consider both the physical environment and the trustworthiness of devices used for authentication. Access from untrusted locations or devices should influence the level of authentication required.

Different authentication methods come with various strengths and limitations. Below are some common methods:

  • Passwords – Fundamental credentials reliant on what users know. If compromised, an attacker can impersonate the legitimate user.
  • Two-Factor Authentication – Adds an extra layer of security by requiring something the user has in addition to something they know. It significantly raises the challenge for potential attackers.
  • Hardware-Backed Certificates – Utilizes cryptographic keys stored in hardware for reliable user verification.
  • Biometric Authentication – Employs physiological traits, like fingerprints or facial recognition, to authenticate users.



Managing Privileged Users

A privileged user is one whose access allows changes whose impact extends beyond their own immediate job responsibilities. Examples include:

  • Administering systems essential to business operations.
  • Accessing critical functions or systems.
  • Developers capable of modifying crucial code repositories.

The primary focus of privileged user management is to ensure that actions taken by these accounts are genuinely performed by authorized users rather than intruders. Strategies for minimizing risks include:

  • Separate User Accounts: Grant distinct accounts for users who require both privileged and regular access. Privileged accounts should not be used for standard activities like reading email or browsing the internet unless properly secured.
  • Avoiding Untrusted Devices: Avoid executing privileged actions from devices deemed untrusted unless necessary precautions are taken.
  • Crossing Trust Boundaries: When access must cross a trust boundary, administer the less trusted system from the more trusted environment, never the reverse, so a compromise of the low-trust side cannot reach into the high-trust side.

To enhance control over privileged users’ activities, consider:

  • Independent validations or approvals for significant actions.
  • Requiring support requests before executing actions on critical systems.
  • Monitoring actions by privileged users actively to identify suspicious behavior.



Architecture Design Principles

When developing an IAM system, it’s critical to understand that such systems are attractive targets for attackers: if they are compromised, they undermine the security of every system that relies on them.

Recommendations include:

  • Isolating externally accessible access management components from the internal systems.
  • If utilizing Microsoft’s Active Directory, implement the Administrative Tier Model.
  • With Single Sign-On or federated management, always validate the reliability of identity assertions received.
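The final point above is where federated setups most often go wrong: a relying party accepts whatever assertion it is handed. The following is an added example (not code from the NCSC guidance) showing the checks a relying party should apply to a compact HS256 JWT before trusting it: pinned algorithm, signature, issuer, audience and expiry. The shared secret, issuer URL and audience name are constructed placeholders.

```python
# Added example (not from the NCSC guidance): validating a federated identity
# assertion before trusting it. Secret, issuer and audience are placeholders.
import base64, hashlib, hmac, json, time

SHARED_SECRET = b"example-shared-secret"          # constructed placeholder
TRUSTED_ISSUER = "https://idp.example.invalid"    # constructed placeholder
OUR_AUDIENCE = "ot-gateway"                       # constructed placeholder

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_assertion(claims: dict, secret: bytes = SHARED_SECRET, alg: str = "HS256") -> str:
    """Issue a token the way a cooperating IdP would (used here to build test input)."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url(sig)}"

def validate_assertion(token: str, now=None) -> dict:
    """Return the claims only if every check passes; otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(body_b64))
    except ValueError:                      # covers bad split, bad base64, bad JSON
        raise ValueError("malformed token")
    # Never let the token choose the algorithm: pin the one agreed with the IdP,
    # which also rejects 'alg: none' and algorithm-confusion tricks.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != OUR_AUDIENCE:   # token minted for some other relying party
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims
```

A production deployment would use a maintained library and asymmetric keys fetched from the IdP's published key set, but the same five checks still have to be applied.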


Ensuring Operational Technology Security

For organizations managing operational technology (OT), particularly in sectors like energy, we advise:

  • Maintaining a clear separation between OT and enterprise IT systems to protect overall integrity.
  • Not making OT authentication depend entirely on a lower-trust domain, such as enterprise IT, so that a compromise there does not translate directly into OT access.
  • Using a push mechanism for data transfer from OT to IT, avoiding direct access from IT systems.
  • Ensuring any communication across IT and OT boundaries is monitored and validated at the periphery.


Operational Maintenance and Monitoring

Given the high stakes of identity and access management systems, prioritizing their security maintenance is essential. This includes promptly applying security patches, effective user management, and employing protective monitoring strategies.

Furthermore, consider:

  • Designing access control systems for seamless account usage monitoring.
  • Connecting all user actions to the respective users to enhance traceability.
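The two points above, together with the earlier policy requirement for audit logs that are safeguarded against tampering, are served by an audit trail whose records are tied to a user and chained by hash. The following is an added example (not code from the NCSC guidance); the records it builds are constructed sample data.

```python
# Added example (not from the NCSC guidance): an append-only audit trail whose
# records are hash-chained, so every action is tied to an identity and any
# later edit, reorder or deletion breaks the chain. Sample data is constructed.
import hashlib, json

GENESIS = "0" * 64   # anchor for the first record's "prev" link

def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys) so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def append_record(log: list, user: str, action: str, target: str, ts: int) -> dict:
    """Append one record linking a user to an action, chained to the previous record."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "user": user, "action": action,
            "target": target, "prev": prev}
    body["hash"] = _digest(body)
    log.append(body)
    return body

def verify_log(log: list):
    """Return (ok, first_bad_seq); first_bad_seq is -1 when the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i or body.get("prev") != prev or _digest(body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, -1

def actions_by(log: list, user: str) -> list:
    """Traceability query: every action a given identity performed, in order."""
    return [f'{r["action"]} {r["target"]}' for r in log if r["user"] == user]
```

A hash chain only detects tampering; to stop a log writer from silently rewriting the whole chain, periodically record the latest hash on a system the writer cannot modify.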


Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/introduction-identity-and-access-management
