Centric Consulting strengthening IAM security

Strengthening Identity Access Management for an International Automobile Finance Company

Enter Centric: From Compliance to Identity Access Management

Our cyber risk management team began by identifying gaps in the client’s IAM processes, with the goal of creating a roadmap that would help them address each gap. As we carried out our work, we needed to consider the legacy IAM applications and processes that had recently been partially automated within the client’s new IAM system. These would require updated IAM controls to mitigate risk and address existing gaps.

Below is a summary of each gap we encountered and how we addressed it for our client:

Gap 1: No Clear IAM Owner

We addressed IAM process ownership by creating a new role for an IAM Administrator, including the estimated time required for each of the administrator’s responsibilities.

This individual is responsible for:

  • All the apps in the IAM environment.
  • Understanding the company’s roles and how they impact access.
  • Managing access changes when people join the company, transition to new roles, or leave the organization.

The IAM Administrator role is also important from an auditing perspective. With the administrator in place, auditors have a single point of contact who can provide the consistent information they require.

Gap 2: No “One-Stop” Shop for IAM Information

We created a list of applications that the company had ranked as “high” or “special” based on multiple attributes from IT and business application owners. While meeting with the app owners, we validated their roles and security identifiers (SIDs). We also identified applications that needed recertification, apps that had been retired, and apps that lacked end-users. Others needed future retirement plans, including replacement activities.

This documentation delivered the “one-stop-shop” our client needed for their IAM-related application information.

Gap 3: Non-Standard Access Request Process

We created a standardized user access request form and a standardized process. Previously, the access request process had been decentralized, with each application or team handling access requests differently. We developed the new access request form to centralize the process, ensuring all employees know where to find the form and that they follow a single, consistent procedure.

Gap 4: Training for New Security Processes

We created training decks, facilitator notes, and recordings of our sessions and turned them over to our client so they could continue the training themselves.

Gap 5: Lengthy Recertification Process

On a recurring basis (in this case, semi-annually), managers must revalidate each employee’s user access to ensure they still require access and hold the roles necessary to do their jobs. We enlisted nearly 100 of our client’s managers to create a new recertification process covering thousands of roles. At the end of our work, we removed many roles and created a single listing of users, allowing us to deliver an access recertification package that included email templates and email documentation, a user access recertification process document, and user access recertification training.

Gap 6: Segregation of Duties Tracking

In cybersecurity, segregation of duties (SOD) ensures that no one person has enough control over a system to take it down on their own. People are granted access to certain areas but not others. However, as roles change and people move within the organization, access must be tracked to prevent an individual employee from accumulating privileges they should not have.

To fill this gap, we updated the SOD matrix for the company’s legacy IAM system and new IAM system. We then communicated the changes throughout the company.

Segregation of duties is implemented to minimize the risk of fraud and errors. Organizations should follow the principle of least privilege and identify combinations of roles that create conflicts. This involves splitting tasks that could typically be handled by one person into multiple steps, so that no single person has complete control. To address this gap, we identified and documented new SODs and communicated them to the appropriate stakeholders to ensure conflicting duties were not assigned to one person.
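As an added illustration (not part of Centric’s deliverable or the client’s systems), the following Python shows how an SOD matrix spanning a legacy and a new IAM system can be checked mechanically, both for existing violations and before a job-change grant; the role names, users and conflicting pairs are constructed for the example.

```python
"""Segregation-of-duties (SOD) conflict check across two IAM systems.

Added example, not the client's or Centric's code. All roles, users and
conflicting pairs below are constructed for illustration.
"""

# Constructed SOD matrix: each pair of roles that one person must never hold
# together. Roles are prefixed by the system that grants them, because a
# conflict can span the legacy and the new IAM system when each is reviewed alone.
SOD_MATRIX = {
    frozenset({"legacy:create_vendor", "new:approve_payment"}),
    frozenset({"new:submit_loan", "new:approve_loan"}),
    frozenset({"legacy:sysadmin", "new:audit_log_review"}),
}

# Constructed per-system role exports (user -> roles held in that system).
LEGACY_ASSIGNMENTS = {
    "alice": {"create_vendor"},
    "bob": {"sysadmin"},
    "carol": {"create_vendor"},
}
NEW_ASSIGNMENTS = {
    "alice": {"approve_payment", "submit_loan"},
    "bob": {"audit_log_review"},
    "carol": {"submit_loan", "approve_loan"},
    "dave": {"approve_loan"},
}


def merge_assignments(legacy, new):
    """Build one user -> roles view across both systems, prefixing each role by origin."""
    merged = {}
    for system, assignments in (("legacy", legacy), ("new", new)):
        for user, roles in assignments.items():
            merged.setdefault(user, set()).update(f"{system}:{r}" for r in roles)
    return merged


def find_sod_violations(merged, matrix=SOD_MATRIX):
    """Return {user: [conflicting pair, ...]} for users holding both roles of any pair."""
    violations = {}
    for user, roles in merged.items():
        hits = [tuple(sorted(pair)) for pair in matrix if pair <= roles]
        if hits:
            violations[user] = sorted(hits)
    return violations


def roles_blocking_grant(merged, user, role, matrix=SOD_MATRIX):
    """Roles the user already holds that would conflict with granting `role` (job-change check)."""
    held = merged.get(user, set())
    return {other for pair in matrix if role in pair for other in pair - {role} if other in held}
```

Running `find_sod_violations` over the merged view surfaces alice’s cross-system conflict, which neither export shows on its own, and `roles_blocking_grant` lets an access request be refused before it creates a new one.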

Gap 7: Security Exceptions

Occasionally, for business reasons, a company may create a security exception, such as temporarily opening a port to complete a critical business process. The challenge is ensuring that the port is closed as soon as the business process is completed, which can be difficult in complex systems unless the company has put a strong security exception procedure in place. This procedure must include a tracking process. Without tracking and ownership, security-exception-related vulnerabilities can persist for years.

We delivered an updated security exception process focused on SODs and job change processes. The process we created included a flow, a security exception form template, security exception training decks, a “train-the-trainer” deck, and a communication plan. Again, we left the training materials with the client so they could use and adapt them in the future.

The Result: Preparing for a More Secure Future

The standardized processes we delivered not only closed all the identified gaps but also prepared our client for long-term growth and improvement. The new processes and documentation we created also allowed us to meet contractual obligations, track who has access to which apps, and lay a procedural foundation for future automation of the IAM process. These improvements also make it easier to contain any cyberattack by limiting what a bad actor can do with stolen credentials in a given environment.

Our client is now ready to begin using the training resources and consistent processes we created to build a best-in-class IAM program.

Conclusion

The automobile industry is not the only sector affected by the security challenges of high turnover, inconsistent IAM procedures, and rapidly changing legal and contractual cybersecurity requirements — especially as the threat and impacts of breaches continue to rise. A phased approach, such as the one we took with our client, allows the delivery of various IAM tools that help mature an organization’s security profile.

When you partner with us, we’re thoughtful about how we structure your project and create tailored solutions for your organization. No one can match the combined benefits of our delivery teams: experience, flexibility and cost efficiency.

Let’s Talk