News

More than 30 IDM realisations in the Czech Republic and abroad

AMI Praha What is identity management? – series about IdM part 1.
What is identity management? – series about IdM part 1.

What is identity management? – series about IdM part 1.

And also to have access only to the data that falls within its competence. In information security terms, to maintain the confidentiality, integrity and availability of information.

We will show why this area actually needs to be addressed in the following story.

Story about “Common company Ltd.”

Honza and Tomas had a great business plan in their heads after school. So they decided to start a joint venture called “Common Company Ltd.” and dove headfirst into business. Tomáš was a natural-born salesman, while Honza knew how to make contacts. They worked on laptops that their parents had bought them while they were still students. They arranged the necessary accounting with a friend, whose documents they sent by mail and e-mail.

The business went like clockwork. Soon they added a few more friends to cope with the onslaught of demand. To better share data, they bought a Windows server and everyone got an account on it. They also finally set up a company domain for their website and email and purchased Google Apps. And they strengthened the team again.

Now they had two company systems, a website, 10 employees and Tomas, who had been handling everything around IT (it was his hobby after all) felt it was taking too much of his time. So he decided to hire a person who would only take care of IT. He made him the information systems administrator and they agreed on a procedure: all change requests would be received from Tomas, along with the documents for updating the website.

Life went on and the success of the company brought with it new reinforcements and systems. Soon the company had 50 people in various positions, a VPN system was added for remote access (as some salespeople worked from the other side of the globe), the familiar accounting system was replaced with an enterprise (ERP) system, and the interns developed their own web application to support the core business.

And then customers started leaving the company for competitors. Another firm suddenly began offering identical services at a cheaper price. Active salespeople from this competitor company had already managed to call most of the customers and pull them over to their side.

The investigation found One of the employees, with whom the company had a disagreement and terminated the relationship in bad faith, was still able to access the VPN. Tomas had issued a delete order, but the administrator had forgotten about it (he was on the phone with his wife). This meant the attacker still had remote access to company documents. He downloaded not only the business plan, but also the Excel database of customers, and sold everything to Another company.

 

Figure 1 – Data leakage using a dormant account

Tomáš is now sitting in his office with the questions in his head: where did he go wrong? How could this have been avoided? And how to quickly innovate the business plan and win new customers?

What’s the bottom line?

Every company from a certain size onwards comes to the need to address identity management. The 50 employees mentioned in our case can be considered as the threshold where the benefits of targeted identity management are already visible. As a rule, the company will introduce or adjust appropriate processes and set up tools and instruments. In principle, there are two basic approaches to process identity management: methodically and technically.

Methodological approach

In the methodical case, we define procedures for assigning, changing, removing identities and permissions and assigning them to people in the organization chart. We will supplement the process with forms and record tables and ways to obtain reports for security. We will identify the administrators responsible for each information system (assets).

We will use the example of an employee coming on board to show what happens in this case.

Figure 2 – The succession wheel of a new employee in a “classic” environment

A new employee starts work. His first journey is to the HR department, where he is introduced to the HR system. Here, he is also given an entry form, which tells him which systems he should have access to. The employee goes to his manager with this paper, who signs it and completes it if necessary. If there is a need for further approval somewhere (for example, the ICT Security Department in the case of remote access), the employee will arrange this as time permits. He/she then visits the administrators of the individual information systems and receives access to each system in turn. He can then start work.

As can be seen from the description, this ’round’ may take some time. Thus, several days or more may pass between the employee’s start of work and his full involvement in the process, depending on how the employee managed to reach the positions in question in person.

There is some difficulty in updating information. How quickly and well information about, for example, a change in a worker’s position gets from one system to another depends on the degree of integration between the systems. In some places a common data source (Active Directory, database) can be used, in others a two-point connection between systems (peer-to-peer) or reliance on e-mail or verbal transfer is necessary.

And what happens if an employee leaves?

Figure 3 – Employee departure in a “classic” environment

The process may look like a worker going to the HR department and getting an exit slip. Here he has information systems filled in, in which the user’s access is checked. With this sheet, he goes to the manager, who checks and completes the information, and then bypasses all the system administrators, who confirm that they have deleted the user accounts on the relevant systems. The correctly signed exit slip can then be linked to, for example, the last payroll so that the employee has an incentive to complete everything.

This process only works as well as the record of accounts in HR and with the supervisor.  But what if during the course of the contract the employee has gained access to another information system? For example, to a database as part of a project they were involved in. Or what if they parted company in bad faith and forged the signatures of administrators? These are the pitfalls of a purely methodological approach.

Advantages

  • Quick to implement
  • Can be easily applied to companies with varying degrees of work organisation
  • Soft rules allow for less standard states to be included (“access like Franta, but without the VPN”)

Disadvantages

  • Lots of human factors, prone to errors, both intentional and unintentional
  • Can be time consuming, depending on the workload of system administrators, supervisor and security
  • Employee handles the agenda instead of working in the position they were hired for
  • Process follows a “smooth line”, relying on the goodwill and loyalty of the employee
  • Potential for inconsistencies in information due to the different ways in which information is updated

For whom the approach is suitable

  • Few information systems
  • No regulatory requirements
  • Impact of misappropriation of information is small
  • Little change in staff (turnover)
  • Example: car dealership, joinery, cleaning company

Technical approach

The technical solution puts a specialized system, commonly referred to as Identity Manager, at the center of identity and permission management. This software contains the process and business logic required to automate user onboarding into information systems. The processes and procedures here serve as a formal description and aid to identity and permission management.

Again, we will see what happens in the case of employee onboarding and offboarding.

Figure 4 – Succession of a new employee in an Identity Manager environment

The new employee will report to the HR department where they will be introduced to the HR system. He/she fills in the appropriate fields such as nationality, department, job title, immediate supervisor. Based on this information, a set of rules is evaluated in Identity Manager: Should the employee have an email? Where should it be introduced to Active Directory? Should he have remote access? What role does he have within the company Intranet?

The result of these rules is a set of permissions that is assigned to the user. If any of these require approval, an approval process is initiated where the responsible personnel in the Identity Manager environment perform the approval. Identity Manager then automatically creates and sets up the accounts and permissions.

Updating information is the responsibility of Identity Manager in this approach. The Identity Manager regularly checks to see if anything has changed in any of the systems. Does the employee have a new phone number? Has he or she moved to another project? Did a worker get married so they need to be renamed? Based on the set rules, the information in the connected information systems is automatically updated, with approval triggered if necessary.

And how does the situation change from the previous approach when an employee leaves?

Figure 5 – Employee departure in an Identity Manager environment

The departing employee will visit the Human Resources Department to complete the final paperwork. The departmental staff will change the employee’s status in the HR system – set him/her as inactive, or as of some future date. Identity manager will process this information, and if the moment of departure has already occurred, it will terminate the user in the information systems – remove, invalidate, change password, remove permissions – according to the set rules.

Advantages

  • The system operates largely autonomously, saving the work of administrators
  • There is a central overview of accounts on end systems
  • Reduces the risk of misuse of information after an employee leaves
  • Central management of accounts, permissions and changes to information
  • Can plan for future changes
  • The solution has the potential to become the basis for further ICT development in the company (access control, licenses, SSH keys, roles)

Disadvantages

  • The solution is technically more complex the more fragmented the company’s information systems are
  • Higher implementation costs

For whom the approach is suitable

  • Medium and larger companies
  • Information security plays a role
  • Larger number of information systems
  • Large number of users
  • Frequent changes
  • Examples: educational institutions, public sector, energy and financial institutions

Conclusion

In the first part of this article we have covered the field of identity management. We have shown why identity management is needed by using the example of Common Company, Ltd. We looked at two approaches to dealing with this issue: methodological and technical. We evaluated both approaches, and explained why the technical approach is more suitable for medium and larger companies.

In the next installment, we’ll take a closer look at identity management. For example, we’ll talk about some of the specifics of identity management, what techniques are used to manage permissions to information systems, and what security can expect from identity management.

Author: Petr Gašparík