Maturing Identity and Access Management
Identity and Access Management (IAM) is a security and business discipline that includes multiple technologies and business processes to help the right people or machines to access the right assets at the right time for the right reasons while keeping unauthorized access and fraud at bay.
Over the last decade, IAM has been increasingly recognized as a critical layer of every enterprise’s cyber security posture. As cyber threats, regulatory requirements, and privacy concerns grow, IAM governance, practices, and capabilities must mature accordingly. We can no longer rely on highly distributed, ad-hoc, and manual processes to govern identities and user privileges. A mature IAM program automates these policies and tasks, enabling granular access controls, timely granting and revoking of privileges, and auditing of identity and access data, and it increases both user productivity and the security of digital assets.
A framework for Identity and Access Management (IAM) Governance:
- IAM is a critical layer of modern IT infrastructure and cyber security that controls access to university data and IT resources. It is important to implement a framework for coherent and strategic oversight of the IAM function across Virginia Tech. This will help reduce risk, reduce costs by consolidating redundancies, and provide a framework for deciding on future investments.
A framework for managing Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC):
- RBAC authorizes user access based on the user’s role, while ABAC uses specific characteristics of the user, the resource, and the environment to make authorization decisions. Adopting these methods of managing access control will move Virginia Tech towards assigning accounts and authorizations based on users’ roles and attributes, and away from request-based access. This shortens time to access and reduces risk by removing access more efficiently when it is no longer appropriate.
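As an added illustration (not part of this page, and not Virginia Tech’s or MidPoint’s actual policy), the following Python evaluator shows how the two models fit together: roles are derived from identity attributes rather than requests, RBAC decides which permissions a role carries, ABAC checks user, resource and environment attributes for a sensitive action, and a Segregation of Duties rule blocks conflicting roles. The role names, permissions, attributes and sample identities are all constructed for the example.

```python
# Role -> permissions (RBAC). Constructed sample policy, not Virginia Tech's.
ROLE_PERMISSIONS = {
    "student": {"lms:read"},
    "instructor": {"lms:read", "lms:grade"},
    "grade_auditor": {"lms:read", "lms:audit"},
}

# Role sets one identity must never hold at once (Segregation of Duties).
SOD_CONFLICTS = [frozenset({"instructor", "grade_auditor"})]


def derive_roles(user):
    """Assign roles from identity attributes rather than from access requests.
    When the affiliation attribute changes (e.g. on departure), the roles and
    therefore the access disappear with it; no manual revocation is needed."""
    roles = set()
    if user["affiliation"] == "student":
        roles.add("student")
    elif user["affiliation"] == "faculty":
        roles.add("instructor")
    if "grade_audit" in user.get("duties", ()):
        roles.add("grade_auditor")
    return roles


def sod_violations(roles):
    """Return the conflicting role sets this identity would hold at once."""
    return [c for c in SOD_CONFLICTS if c <= roles]


def authorize(user, action, resource, env):
    """RBAC decides whether a held role carries the permission; ABAC then
    checks user, resource and environment attributes for the sensitive action."""
    roles = derive_roles(user)
    if sod_violations(roles):
        return False  # hold all access until the SoD conflict is resolved
    permissions = set().union(*(ROLE_PERMISSIONS[r] for r in roles))
    if action not in permissions:
        return False  # RBAC: no assigned role grants this permission
    if action == "lms:grade":
        # ABAC: grade only courses in the user's own department (user and
        # resource attributes) and only from an MFA session (environment).
        return user["department"] == resource["department"] and env.get("mfa", False)
    return True


# Constructed sample identity and resource for trying the evaluator.
FACULTY = {"affiliation": "faculty", "department": "CS", "duties": ()}
COURSE = {"department": "CS"}
```

Changing `affiliation` to anything other than `student` or `faculty` models a lifecycle event: the identity keeps no roles, so every permission is gone without a deprovisioning request.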
A modern enterprise access request processing and provisioning solution:
- Virginia Tech needs an enterprise solution for provisioning and deprovisioning user access based on access policies in a scalable and robust manner. This reduces security risk through standardization, provides a single-pane view of authorizations, eliminates ad-hoc and disparate IAM operations, and automates provisioning and deprovisioning of access. For this purpose, Virginia Tech has selected MidPoint, which is part of the InCommon TAP Architecture. Virginia Tech already uses two other InCommon TAP Architecture components: Shibboleth (Login) and Grouper.
Project Team Members:
Project Lead: Ryan McDaniel, Executive Director, Security Identity Services
Project Manager: Will Jones, Senior Project Manager, IT Transformation Project Management Office
Technical Project Manager: Kevin Duncan, Director Identity Architecture & Technology
Identity Strategy & Solutions
The key benefits of maturing our Identity and Access Management capabilities are:
A reduction of security risk:
- Reduction of ad-hoc IAM processes and tools.
- More timely removal of user access based on identity lifecycle changes.
- More accurate authorization management.
- Automated Segregation of Duties controls preventing inappropriate access.
- Increased “single-pane” view of authorizations.
- Greater ability to ensure that access is correct.
Operational efficiency gains:
- Shared service for provisioning and deprovisioning of accounts and authorizations, thereby reducing overhead for many other units.
- Rapid access provisioning for new employees, reducing wasted time gaining access.
- Single tool for access request processing and approval workflows.