Identity Library Archive | SailPoint
https://www.sailpoint.com/en-nz/identity-library/
Identity Security for the Cloud Enterprise. Feed last built Fri, 14 Jun 2024 10:18:08 +0000.

State of identity, Report from the frontline
https://www.sailpoint.com/en-nz/identity-library/ibrs-state-identity/
Published Fri, 19 Apr 2024 10:53:07 +0000

The post State of identity, Report from the frontline appeared first on SailPoint.


Special report

State of identity, Report from the frontline

What’s inside

This special report aims to provide practical and actionable advice for identity specialists and busy business executives wanting to understand more about the issue and the opportunities.

Taken from the most extensive study into identity ever conducted in the region and two deep-dive roundtables with Australia’s leading companies, this paper covers many modern challenges, including justifying future investments in identity governance, the increasingly complex contexts for governance, the need for greater control of federated identities, and the changing structure and skills needed by identity teams. It also addresses the costs associated with identity governance, auditing and certification fatigue, and determining roles in increasingly porous organisations.


The state of identity in ANZ

A comprehensive study: 565 Australian and New Zealand professionals from a broad range of industry sectors participated in the research.


Harnessing AI and machine learning to improve identity security
https://www.sailpoint.com/en-nz/identity-library/harnessing-ai-and-machine-learning-to-improve-identity-security/
Published Wed, 21 Feb 2024 09:40:43 +0000

The post Harnessing AI and machine learning to improve identity security appeared first on SailPoint.


Whitepaper

Harnessing AI and machine learning to improve identity security

This paper unpacks the concept of autonomous identity security, its merits, and the transformative effect it can have on a traditional IGA strategy. The combination of AI and ML helps companies predict, detect, and neutralise threats before they escalate, by pinpointing anomalies that traditional systems may miss. You’ll discover how to create an autonomous identity security paradigm in which AI and ML play a central role in managing identity outliers, and explore how SailPoint’s solutions can give your organisation the tools it needs to stay ahead in an ever-evolving digital environment.



What is identity security?
https://www.sailpoint.com/en-nz/identity-library/what-is-identity-security/
Published Wed, 08 Nov 2023 18:52:30 +0000

The post What is identity security? appeared first on SailPoint.


In today’s digital world, you can’t do business without technology, and you can’t use technology without identity security.

Identity security (also known as identity governance and identity management) protects against the cyber threats associated with providing technology access to a diverse workforce. It does this by enabling the management and governance of access for every digital identity within an organisation.

With the rapid growth of technology in the cloud enterprise, it’s imperative to protect your business against the potential cyber risks that target digital identities.

What is a digital identity?

A digital identity is a collection of unique identifiers and attributes that lets computing systems recognise internal and external users and determine what they are permitted to access. These attributes are recorded and updated throughout the user’s tenure with an organisation, keeping permissions and security controls current. They may include an email address, login credentials (username and password), PINs, and similar data.

Digital identities are required to give workers access to technology. If they and their associated access are not managed and governed properly, they represent risk to the organisation. With hundreds of thousands, even millions, of digital identities across an enterprise, enforcing a least-privilege access model for each one is critical to the overall health of a security program.

A recent Identity Defined Security Alliance (IDSA) report found that 94% of organisations have experienced an identity-related breach, yet, according to the same report, 99% of those breaches were completely preventable.

This is why businesses must be proactive in their approach to identity security. With digital transformation well underway, organisations need to be able to discover, secure and manage every type of identity, including employees, contractors, vendors, customers, and even non-human identities such as machines and bots.

Identity security transcends access management

When organisations hear the word identity, they may default to think of access management practices such as single sign-on (SSO) or multi-factor authentication (MFA). However, that’s only part of the identity story.

Authentication verifies that an identity is who it claims to be. It does not, by itself, check whether the access being requested is permitted by access policy. Nor can SSO or MFA govern what information within a resource a user is able to see or change, which matters increasingly as stricter data privacy regulations put more accountability on organisations to protect sensitive information.

Identity security addresses the bigger picture. It grants, secures, and manages access according to the principle of least privilege (PoLP): every identity in your environment has only the minimum access it needs to do its job. Restricting permissions by job function and user role reduces the risk of users holding access to information they should not have, and of their inadvertently or maliciously misusing it.

Identity security puts an emphasis on both enablement and security—providing access but properly controlling that access. It involves setting up and defining user roles and creating policies used to govern access throughout the digital identity’s lifecycle.

Understanding who requires certain access and being able to modify and remove that access based on role changes is critical for risk and compliance. Defining and enacting access policies are core to identity security. You can’t have technology without access controls.  

So, given the paradigm shift in technology, remote work, and cloud initiatives, organisations must evolve and adopt identity security as their overall security strategy.
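The distinction drawn above, that a successful SSO/MFA login says who is asking but nothing about what they may do, is easiest to see in code. The following Python is an added example, not SailPoint code: a deny-by-default policy check that runs after authentication, decides whether an action is permitted, and filters the record down to the fields the caller's role is allowed to see. The roles, resource, field policy and sample employee record are constructed for illustration.

```python
"""Authenticated is not authorised: a deny-by-default policy check with field-level filtering.

Added example, not SailPoint code. The roles, resource, field policy and sample record are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    mfa_verified: bool  # what SSO/MFA establishes: who is asking


# Role -> (resource, action) -> fields the role may touch. "*" means the whole record.
# No entry means deny: least privilege is the default, not the exception.
POLICY = {
    "hr-analyst": {("employee-record", "read"): {"name", "department", "manager"}},
    "payroll": {
        ("employee-record", "read"): {"*"},
        ("employee-record", "update"): {"salary", "bank_account"},
    },
    "contractor": {},
}

# Constructed sample record; the sensitive fields are what the policy must protect.
SAMPLE_RECORD = {
    "name": "A. Example",
    "department": "Engineering",
    "manager": "B. Example",
    "salary": 120000,
    "bank_account": "12-3456-7890123-00",
}


def authorize(principal, resource, action):
    """Return the fields the principal may touch for (resource, action), or None if denied.

    Authentication answers "who is this?"; this function answers the separate question
    "what may they do?", which SSO and MFA on their own never evaluate. A principal who
    has not completed authentication never reaches policy evaluation at all.
    """
    if not principal.mfa_verified:
        return None
    allowed = set()
    for role in principal.roles:
        for (res, act), fields in POLICY.get(role, {}).items():
            if (res, act) == (resource, action):
                allowed |= fields
    return allowed or None


def read_record(principal, record):
    """Return only the attributes the policy permits; raise if there is no read access at all."""
    fields = authorize(principal, "employee-record", "read")
    if fields is None:
        raise PermissionError(f"{principal.user}: read of employee-record denied by policy")
    if "*" in fields:
        return dict(record)
    return {k: v for k, v in record.items() if k in fields}


if __name__ == "__main__":
    analyst = Principal("hr1", frozenset({"hr-analyst"}), mfa_verified=True)
    print(read_record(analyst, SAMPLE_RECORD))  # no salary or bank account
```

Note that an HR analyst who passed MFA is still refused the `update` action and never sees `salary`, while a contractor with a perfectly valid MFA session gets nothing: the login proved identity, the policy decided access.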

Identity security for the cloud enterprise

A strong identity security solution helps the enterprise enable access while securing business—everywhere, which includes hybrid and multi-cloud environments, remote work, multiple devices, and more.

Organisations have found that identity security provides multiple layers of business value such as reducing risk and automating IT processes, as well as enhancing the worker experience.

Identity security achieves these above-mentioned results by properly provisioning access, protecting the business at scale, and enabling compliance.

Provision with confidence

By embracing a strong identity security solution, you’ll be able to use artificial intelligence (AI) and machine learning (ML) technology to properly provision and deliver the right access to the right users at the onset of the onboarding process and throughout a user’s lifecycle as they move roles or leave the organisation.

Identity security enables you to manage and govern accounts, roles, and entitlements for all applications, systems, data and cloud services, all while maintaining the same level of consistency and visibility across the entire organisation. This makes it easy to identify risks, monitor behaviours, and refine roles.
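As an added example (not SailPoint's provisioning engine), the following Python computes the joiner, mover and leaver changes described above as a diff between the access an identity currently holds and the access its roles entitle it to. The birthright set, role model and identity record are constructed for illustration; anything held that the role model cannot explain surfaces as a revoke, which is how stale or manually granted access gets caught at the next lifecycle event.

```python
"""Joiner / mover / leaver provisioning computed as a diff against role-based target access.

Added example, not SailPoint's provisioning engine. The birthright set, role model and
identity records are constructed for illustration.
"""

BIRTHRIGHT = {"email", "sso", "wiki"}  # every active identity gets these

# Role -> entitlements it grants (constructed model).
ROLE_ENTITLEMENTS = {
    "engineer": {"github:dev", "vpn", "jira"},
    "finance-clerk": {"erp:ap-clerk", "expense-tool"},
    "finance-manager": {"erp:ap-clerk", "erp:ap-approver", "expense-tool"},
}


def new_identity(user):
    """An identity record before any lifecycle event has happened."""
    return {"user": user, "active": False, "roles": set(), "access": set(), "audit": []}


def target_access(roles, active=True):
    """Access an identity *should* have: nothing if inactive, else birthright plus role grants."""
    if not active:
        return set()
    target = set(BIRTHRIGHT)
    for role in roles:
        target |= ROLE_ENTITLEMENTS.get(role, set())
    return target


def plan(identity):
    """Grant/revoke actions that bring current access in line with the target.

    Anything held but not explained by the model (e.g. a manually granted entitlement)
    shows up as a revoke, which is how orphaned access surfaces during a mover event.
    """
    target = target_access(identity["roles"], identity["active"])
    current = identity["access"]
    return {"grant": sorted(target - current), "revoke": sorted(current - target)}


def apply_event(identity, event, roles=None):
    """Handle a lifecycle event, apply the resulting plan and record it in the audit trail."""
    roles = set(roles or ())
    if event == "joiner":
        identity["active"], identity["roles"] = True, roles
    elif event == "mover":
        identity["roles"] = roles
    elif event == "leaver":
        identity["active"], identity["roles"] = False, set()
    else:
        raise ValueError(f"unknown lifecycle event {event!r}")
    actions = plan(identity)
    identity["access"] = (identity["access"] | set(actions["grant"])) - set(actions["revoke"])
    identity["audit"].append((event, actions))
    return actions


if __name__ == "__main__":
    ident = new_identity("dana")
    print(apply_event(ident, "joiner", {"engineer"}))
    ident["access"].add("prod-db:admin")  # granted by hand outside the role model
    print(apply_event(ident, "mover", {"finance-clerk"}))  # revokes engineer access and the orphan
    print(apply_event(ident, "leaver"))  # everything goes, birthright included
```

The mover case is the one worth studying: the engineer entitlements are revoked because the new role does not justify them, and the hand-granted `prod-db:admin` goes with them because no role ever justified it.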

Protect at scale

Ensuring your business maintains operability while managing security is critical when scaling a cloud enterprise. How can you ensure your organisation can manage millions of identities and access points while mitigating risk?

Identity security uses deep analytics and machine learning to detect and identify risks, enforces separation of duties (SoD) as a security control, and lets you build and enforce custom access policies. Building these policies in turn helps meet compliance needs while maintaining operational efficiency.

With identity security at the helm, you can manage users, requests and entitlements at high volumes, no matter where you are—without the worry.

Comply with certainty

By governing user access, tracking usage, and enforcing policy controls for all users, apps and data, you’ll be able to demonstrate compliance to auditors.

Identity security ensures regulatory compliance by providing transparency into every digital identity in the enterprise. This includes their attributes, entitlements, and even access history.

With a good identity security solution, you’ll be able to use AI and ML to certify users quickly, maintain audit trails of accounts, entitlements, policies and actions, and manage policies throughout the user lifecycle.

Transforming the enterprise

With SailPoint Identity Security you can transform manual processes to automated, shift your security approach from technology-centric to people-centric, and evolve static policies to be self-learning and adaptive.


Types of cybersecurity
https://www.sailpoint.com/en-nz/identity-library/five-types-of-cybersecurity/
Published Sat, 30 Sep 2023 03:37:28 +0000

The post Types of cybersecurity appeared first on SailPoint.


What is cybersecurity?

Cybersecurity is the practice of using technology, controls, and processes to protect digital networks, devices, and data from unauthorised access by malicious attackers or unintentional activity. It includes ensuring the confidentiality, integrity, and availability of information using many types of cybersecurity.

Ten types of cybersecurity

Many types of cybersecurity are employed to protect digital systems from malicious and accidental threats. It is helpful to understand the ten most commonly referenced types of cybersecurity.

1. Application security 
Application security prevents unauthorised access and use of applications and connected data. Because most vulnerabilities are introduced during the development and publishing stages, application security includes many types of cybersecurity solutions to help identify flaws during the design and development phases that could be exploited and alert teams so they can be fixed.

Despite best efforts, flaws do slip through the cracks. Application security also helps protect against these vulnerabilities.

A subset of application security is web application security. It focuses on protecting web applications, which are frequently targeted by cyber attacks.

2. Cloud security 
Cloud security focuses on protecting cloud-based assets and services, including applications, data, and infrastructure. Most cloud security is managed as a shared responsibility between organisations and cloud service providers.

In this shared responsibility model, cloud service providers handle security for the cloud environment, and organisations secure what is in the cloud. Generally, the responsibilities are divided as shown below.

Types of cybersecurity functions managed by cloud service providers:

  • Availability
  • Database and storage security
  • Edge location security
  • Encryption of cloud data at rest, in motion, and in use
  • Infrastructure security
  • Networking security

Types of cybersecurity functions managed by organisations:

  • Application security functions
  • Data protection
  • Identity and access management
  • Network traffic encryption
  • Operating system security functions
  • Server-side encryption

3. Critical infrastructure security 
Special security processes and types of cybersecurity solutions are used to protect the networks, applications, systems, and digital assets depended on by critical infrastructure organisations (e.g., communications, dams, energy, public sector, and transportation). Critical infrastructure has been more vulnerable to cyber attacks that target legacy systems, such as SCADA (supervisory control and data acquisition) systems. While critical infrastructure organisations use many of the same types of cybersecurity as other subcategories, it is often deployed in different ways.

4. Data security 
A subset of information security, data security combines many types of cybersecurity solutions to protect the confidentiality, integrity, and availability of digital assets at rest (i.e., while being stored) and in motion (i.e., while being transmitted).

5. Endpoint security 
Desktops, laptops, mobile devices, servers, and other endpoints are the most common entry point for cyber attacks. Endpoint security protects these devices and the data they house. It also encompasses other types of cybersecurity that are used to protect networks from cyberattacks that use endpoints as the point of entry.

6. IoT (Internet of Things) security 
IoT security seeks to minimise the vulnerabilities that these proliferating devices bring to organisations. It uses different types of cybersecurity to detect and classify them, segment them to limit network exposure, and seek to mitigate threats related to unpatched firmware and other related flaws.

7. Mobile security 
Mobile security encompasses the types of cybersecurity used to protect mobile devices (e.g., phones, tablets, and laptops) from unauthorised access and from becoming an attack vector used to get into, and move laterally through, networks.

8. Network security 
Network security includes software and hardware solutions that protect against incidents that result in unauthorised access or service disruption. This includes monitoring and responding to risks that impact network software (e.g., operating systems and protocols) and hardware (e.g., servers, clients, hubs, switches, bridges, peers, and connecting devices).

The majority of cyber attacks start over a network. Network cybersecurity is designed to monitor, detect, and respond to network-focused threats.

9. Operational security 
Operational security covers many types of cybersecurity processes and technology used to protect sensitive systems and data by establishing protocols for access and monitoring to detect unusual behaviour that could be a sign of malicious activity.

10. Zero trust 
The zero trust security model replaces the traditional perimeter-focused approach of building walls around an organisation’s critical assets and systems. There are several defining characteristics of the zero trust approach, which leverages many types of cybersecurity.

At its core, zero trust is based on several practices, including:

  • Continuously verifying users’ identity
  • Establishing and enforcing the principle of least privilege for access, granting only the access that is explicitly required for a user to perform a job and only for as long as that access is required
  • Microsegmenting networks
  • Trusting no users (i.e., internal or external)

Many of the solutions within each of these types of cybersecurity are used across subcategories, such as:

  • Anti-malware software
  • Antivirus systems
  • Backup
  • Data loss prevention (DLP)
  • Encryption
  • Endpoint detection and response (EDR)
  • Enterprise mobility management (EMM)
  • Firewalls
  • Identity and access management (IAM)
  • Intrusion detection and prevention system (IDPS)
  • Mobile application management (MAM)
  • Multi-factor authentication
  • Network access control (NAC)
  • Next-generation firewall (NGFW)
  • Secure access service edge (SASE)
  • Secure email gateways (SEG)
  • Security information and event management (SIEM)
  • Security orchestration, automation, and response (SOAR)
  • User and entity behaviour analytics (UEBA)
  • Virtual private networks (VPNs)
  • Web application firewalls (WAFs)

How cybersecurity threats have evolved

Types of cybersecurity threats have changed significantly since 1965, when the first computer vulnerability exploit occurred. The following is a brief timeline of notable incidents.

1965: Software vulnerability 
William D. Mathews from the Massachusetts Institute of Technology (MIT) found a flaw in the Compatible Time-Sharing System (CTSS), one of the first general-purpose time-sharing operating systems. The vulnerability could be used to disclose the contents of the password file. This is widely held to be the first reported vulnerability in a computer system.

1971: Creeper and Reaper 
Bob Thomas wrote Creeper, a self-replicating program widely regarded as the first computer worm, as an experiment rather than an attack. It moved between machines on the ARPANET and displayed the message, “I’m the creeper, catch me if you can.”

In response, his colleague Ray Tomlinson wrote Reaper, a program that likewise moved from computer to computer, hunting down and deleting Creeper.

While these were intended to be practical jokes, they started what would evolve into the advent of malicious cyberattacks.

1988: Worm 
The Morris Worm, released by Robert Morris in 1988 (he said it was intended to gauge the size of the internet), caused what is widely regarded as the first large-scale denial-of-service (DoS) incident on the internet. A single infection only slowed a machine, but because the worm reinfected the same hosts repeatedly, it drove them to a crawl or a crash.

1989: Trojan 
The first known ransomware was distributed at the World Health Organisation’s 1989 AIDS conference, where Joseph Popp handed out about 20,000 infected floppy discs. The “AIDS Trojan” lay dormant until the PC had been rebooted roughly 90 times, then hid directories and scrambled file names on the hard drive and demanded a licence payment to restore access.

1999–2000: Fast-spreading email viruses 
Particularly virulent viruses emerged at the end of the decade, with Melissa (1999) and ILOVEYOU (2000) spreading around the world within days, infecting tens of millions of systems, overwriting files and overwhelming mail servers. Both were distributed via email attachments.

Early 2000s: Advanced persistent threats (APTs) 
The early 2000s saw the rise of advanced persistent threats (APTs), with the Titan Rain campaign aimed at US government and defence-contractor systems and believed to have been initiated by China. Perhaps the most famous APT tool is the Stuxnet worm, discovered in 2010, which attacked the SCADA (supervisory control and data acquisition) and industrial control systems that were integral to Iran’s nuclear program.

2012: Ransomware-as-a-service 
Reveton, made available through underground markets in 2012, is often cited as the first ransomware-as-a-service. It allowed those without specialised technical abilities to rent a ransomware operation, including the collection of payments.

The 2013 emergence of CryptoLocker marked a turning point: it used strong public-key encryption to lock files, so victims could not recover them without the attacker’s private key, and it was distributed at scale through an existing botnet.

2016: Botnets used to attack IoT devices 
As the Internet of Things (IoT) exploded, this became a new attack vector. In 2016, the Mirai botnet was used to attack and infect more than 600,000 IoT devices worldwide.

2020: Supply chain attack 
In 2020, the build pipeline of a widely used enterprise network management product was compromised by a group believed to be working with Russia, and a trojanised update carrying the vendor’s legitimate signature was pushed to its customers. More than 18,000 customers installed the malicious update, giving the attackers a foothold inside each of them.

Present 
Traditional cyber attack methods continue to be widely used because they remain effective. These are being joined by evolving versions that take advantage of machine learning (ML) and artificial intelligence (AI) to increase their reach and efficacy. Ironically, many of these attack methods take advantage of the technology that cybersecurity solutions use to thwart them.

Gen V attacks

Categorised as Mega attacks, Gen V is the latest generation of cyber threats. Gen V cyberattacks, which emerged in 2017, use large-scale, multi-vector approaches to target IT infrastructure with advanced attack technologies.

These cyber threats are believed to originate with state organisations that leak the technology to public cybercriminals. The hallmark of Gen V cyberattacks is that they attack multiple vectors and are polymorphic, changing as they move around and acting differently on different systems. NotPetya and WannaCry are examples of Gen V cyberattacks.

Supply chain attacks

Supply chain attacks have evolved with other attack vectors, since the same technologies and approaches are usually used. Supply chains have become a target for cybercriminals because these organisations provide an easier point of entry to specific enterprises than attacking those larger companies directly.

Supply chain attack targets can be used to gain access to many organisations connected with the target.

Ransomware

Ransomware has seen a fast and virulent evolution due to its efficacy and profitability. Attacks have escalated in terms of the scope of what is held hostage and the threats.

Ransomware is used for extortion, with threats of disclosing information or destroying vital data if the ransom terms are not met. Ransomware-as-a-service has also made it much more accessible to cybercriminal elements.

Phishing

Phishing attacks persist as a preferred attack vector for cybercriminals, but new approaches are emerging to evade many types of cybersecurity, such as using QR codes to direct users to malware. There is also an increase in multi-stage attacks to bypass multi-factor authentication.

Spear phishing and whale phishing are also on the rise. These approaches target specific individuals with messages developed using in-depth research to increase effectiveness. Phishing attacks are also increasing due to the rise in phishing kits sold on the dark web.

Malware

Malware continues to evolve by augmenting or changing legacy software using the latest technologies. Gen V cyber attacks leverage these newly updated malware packages.

What is a consolidated cybersecurity architecture?

A consolidated security architecture creates a single point of control for managing multiple types of cybersecurity solutions. When there were fairly limited types of cybersecurity products, it was possible to manage point solutions to defend against different threats and use cases. As the number of types of cybersecurity increased, the move to a unified approach was driven by:

  • A growth of remote workforces that dissolved security perimeters and multiplied threat vectors as users connected from disparate points with varying degrees of protection.
  • An endpoint explosion that started with desktop and laptop systems and grew to a great sprawl of connected devices, including mobile phones, tablets, and IoT devices.
  • Increased complexity as new types of cybersecurity solutions were added to the defence mix to address new threats and hybrid environments (i.e., on-premises systems and users along with cloud systems and applications) that were difficult to monitor and manage.
  • A need for more sophisticated types of cybersecurity to combat more adept cyber attackers with more advanced threats that could not be detected with legacy security tools.

A consolidated cybersecurity architecture was created to solve for these issues by integrating different types of cybersecurity and aggregating them under a centralised, scalable control platform. With this new model, specialised cybersecurity could be leveraged in the fight against threats and risks more cost-effectively and efficiently. A consolidated cybersecurity architecture delivers a number of benefits, including:

  • Eliminates overlapping functionality that comes with disparate cybersecurity deployments
  • Expedites the creation of rules and reports
  • Fills gaps in security coverage due to multiple solutions’ inability to communicate and work together cohesively
  • Maximises efficacy of machine learning (ML) and artificial intelligence (AI) to improve detection capabilities and accelerate response times
  • Provides broad visibility across all cybersecurity functions in the organisation
  • Reduces the expenses associated with purchasing and implementing different types of cybersecurity
  • Reduces the number of tools and vendors needed to perform different cybersecurity functions
  • Shifts to an integrated security approach that enhances cybersecurity posture
  • Simplifies threat monitoring and prevention as well as incident response
  • Streamlines management and maintenance of the many types of cybersecurity
  • Unifies cybersecurity solutions to enable protection across all attack surfaces (e.g., networks, devices, and applications)

Many types of cybersecurity are needed to combat cybercrime

Cybercrime, attack surfaces, and attack methods continue to grow and evolve, getting more complex with time. The good news is that there are many types of cybersecurity solutions to combat cybercriminals. Taking time to understand the relevant threats and vulnerabilities helps organisations find the right mix of cybersecurity solutions and the best ways to deploy them.

Five tenets of holistic access governance for SAP
https://www.sailpoint.com/en-nz/identity-library/5-tenets-of-holistic-access-governance-for-sap/
Published Tue, 18 Jul 2023 20:06:14 +0000

The post Five tenets of holistic access governance for SAP appeared first on SailPoint.


eBooks

Five tenets of holistic access governance for SAP

The explosion of technology and cloud applications has simplified the way we work. But at the same time, the business systems that contribute to digital transformation and drive greater efficiencies have complicated security.

According to a Zylo Inc. report, the average enterprise has about 600 SaaS applications in use. The greatest threat involves access to key systems, such as SAP, that run critical processes, contain sensitive data, and have complex levels of access control. Those access risks may stem from external sources or internal authorised users.

The lack of uniform controls across a multitude of applications compounds the problem. Some systems may be without controls while others may be managed with manual processes. It’s also possible that there are different control solutions in use across varied applications. Such disparity can lead to inconsistent, non-conforming access, time-intensive and error-prone monitoring, increased threats, fraud, and audit deficiencies.

One large case of corporate fraud shows how devastating fraud caused by a lack of uniform controls can be, and how long it can go undetected. In April 2021, the former chief financial officer of the Alden Shoe Company pled guilty to embezzling approximately $30 million from the organisation as part of a long-running scheme. This included writing cheques to himself from company bank accounts and transferring funds from company accounts to his personal accounts and to another individual.

SAP and other enterprise resource planning (ERP) systems are particularly challenging because they process a company’s most sensitive data and financial transactions. According to SAP’s January 2021 corporate fact sheet, 77% of the world’s transaction revenue is handled by an SAP system. Complicating access governance further is the myriad of other cloud applications used alongside SAP ECC. This is even more complex with S/4HANA and the introduction of the cloud application ecosystem, where applications such as SAP SuccessFactors (for human capital management) reside outside of the S/4HANA business core. In a network of separate applications, real-time, intelligent understanding of access – and all the potential risks – is critical for protection against fraud, data theft, and employee mishaps.

If the outlook for SAP business transformation is through expanding adoption via cloud applications, how should businesses be thinking about access management in order to maintain controls and reduce risks in such a dense network? The following are the five top tenets smart companies are embracing.

1. Technology should govern technology

Today, manual access controls pose a serious risk because human-based approaches simply can’t scale with the speed, visibility, and accuracy needed to identify risks in one ERP, let alone multiple systems. To put this in context, in the time that it takes to generate access reports and review them in accordance with access rules, roles and policies, new risks could emerge and, therefore, be missed. Automated, real-time, and continuous analysis is necessary to fully protect against risks, something that’s impossible with a manual approach.

Additionally, full disclosure of risks requires analysing not just users but also roles and business processes. Dictating what a user can do in a system is one thing but being able to see a user’s actual usage is another — and this is crucial in order to have full visibility. A complete spectrum of risk identification is impossible without technology that can automate analysis on an ongoing basis at a deep and granular level of utilisation.

Manually provisioning access or granting emergency access for elevated or short-term use has similar risk ramifications. The additional effort involved is challenging enough, but granting access without understanding the potential risks ahead of provisioning is particularly precarious. Ideally, a company should be able to simulate the risks a change would introduce so that new risks are never added to the system. This is an essential, instant safeguard that is only possible through automation. Predictive risk analysis makes it possible for companies to:

  • Analyse risk before provisioning to prevent new risks
  • Predict the impact of changes on any given role
  • Elevate access or grant emergency access without risks

Also, with manual emergency provisioning, there is a significant chance that access won’t be revoked at the access expiration date. The result: yet another threat to the system.

All of this said, technology alone is not enough. Automated access control solutions for SAP should help you achieve several other objectives, such as unifying controls and risk data to meet the demands of environments with extensive applications in use.

2. Centralise insights

Controls for a mix of applications also need to work together to deliver the most accurate and efficient access management and risk insights. Without the same access controls across applications, companies can’t immediately see the whole range of risks for users, nor can they conduct holistic analysis, reporting, and reviews. Disparate systems cause fragmented risk information that is harder to turn into actionable data intelligence. Time is critical in spotting and stopping risks. The longer a threat persists, the more costly and damaging it is.

For example, an insider incident contained in less than 30 days has an average annualised cost of $7.1 million, while an incident that takes more than 90 days to remediate costs $13.7 million. If a user has violated permissions and committed system offences in one application, the ability to see whether similar activity has occurred across other systems is essential in stopping threat actors and insider incidents alike.

3. Integrate identity security and SoD access controls

Comprehensive and all-inclusive access controls are a powerful advantage, yet even bigger gains can be achieved when both SoD monitoring and identity security are merged into a single solution.

Unified identity security with granular access controls provides a double layer of security: It protects the perimeter while securing the interior. There is the assurance that only credentialed users with added authentication checks are getting into a system, along with visibility into what those users are doing once inside. When this happens across multiple applications, continuously, companies benefit from true enterprise-wide risk knowledge and security. It’s 360° protection.

4. Reduce audit and compliance complexity

Replacing flawed manual processes with automated ones can also eliminate excessive audit work, improve the completeness and accuracy of audits, and help companies stay fully compliant. A reduction of risks and a decrease in material weaknesses are more likely, along with a reduction in audit costs, fines, and fees. Boards, investors, and customers will have more confidence in companies that breeze through audits without fail.

Periodic access reviews are an important part of audit and compliance. Done right, a company can cut audit and compliance complexity. Done wrong, risks remain undetected, audit deficiencies can occur, and costs can soar. And reviews should not be just an annual task. For the greatest risk prevention, reviews should be done more frequently, which is challenging if not impossible without automated SoD monitoring, reporting, and reviews across all applications.

5. Think holistically

True transformation and complete identity security require a company-wide strategy that puts equal emphasis on preventing both internal and external threats, as well as ending siloed risk management. Company stakeholders need to be on the same page with this approach.

Any division in thinking about the importance of broad and deep protection – and how to achieve it – needs to be addressed through education and by involvement of more than IT and security teams. Audit, compliance, finance, and C-level employees also need to be involved for buy-in.

Additionally, teams need to think holistically when it comes to implementing new applications. Implementation projects need to go beyond merely deploying a system and also should include taking combined identity and access controls into account from the start. The implementation of SAP S/4HANA is a good example. KPMG estimates that remediation work post-migration can cost as much as 30 times more than if controls had been included in the initial requirements.

Conclusion

The use of technology to conduct business more efficiently will only increase – not just for SAP customers but for all businesses. And more of those technologies will be cloud applications; Gartner forecasts a 23% increase in cloud spending in 2021. The use of cloud security solutions is also expected to increase, and that makes sense. The greatest flexibility and scalability are experienced with cloud tools. This is particularly true with SoD monitoring and identity governance.

Unifying access controls for multiple solutions with seamlessly integrated identity security brings risk management processes and visibility together in one platform for holistic, enterprise-wide access governance and protection. Using cloud access risk management solutions increases the benefits and can deliver faster time to value with fewer long-term expenses and challenges.

The post Five tenets of holistic access governance for SAP appeared first on SailPoint.

]]>
Role-based access control (RBAC) https://www.sailpoint.com/en-nz/identity-library/what-is-role-based-access-control/ Mon, 20 Mar 2023 20:11:51 +0000 https://www.sailpoint.com/identity-library/what-is-role-based-access-control/

The post Role-based access control (RBAC) appeared first on SailPoint.

]]>
What is RBAC?

Role-based access control (RBAC) is a security methodology based on managing user access to protect resources, including data, applications, and systems, from improper access, modification, addition, or deletion. RBAC grants access based on a user’s needs according to their position. Roles and associated privileges are defined, and permissions are assigned to control access (i.e., what a user can see), the scope of approved operations (i.e., what a user can do, such as view, create, or modify), and session time (i.e., how long a user can have access).

Three common principles of RBAC

With role-based access control, permissions are based exclusively on roles, which simplifies administration. When a user’s position changes, including if they sever relations with the organisation, administrators simply change their role, and permissions are automatically updated. Using RBAC, users can be assigned multiple roles.

  1. User role assignment defines users’ permission or access rights based on a role or task. 
  2. User role authorisation confirms that a user is approved for a role and to perform related functions.   
  3. User role permission and access rights define specifically what a user can and cannot do. 

RBAC permissions

With role-based access control, it is important to remember that permissions follow roles, not the other way around. Determine what each role should do and apply permissions accordingly. Additional considerations when setting RBAC permissions to specify what users can access and what they can do in the system include: 

Access 

  • Which users can open a specific item, such as a file, application, or database?  
  • Which users should be aware that certain assets exist? 
  • What limitations should be placed on visibility? 

Modification

  • Which users can make changes to specific items?  
  • What approvals are required to make changes? 

Sharing 

  • Which users can download a document? 
  • Which users can share a document?   

RBAC best practices

Best practices for the enterprise to consider when implementing role-based access control include:

  • Analyse the users, including their workflows and the resources they need. 
  • Conduct audits of the roles on an ongoing basis to keep them up to date and align them with current requirements. 
  • Create a basic role that includes the access every user needs. 
  • Determine which roles have a common set of access requirements.  
  • Ensure RBAC is integrated across all systems across the organisation. 
  • Establish a process for handling role changes, including setting up and decommissioning users.   
  • Identify the resources that require access control.  
  • Include the principles of RBAC and how it works in employee training programs. 
  • Take care not to create too many roles. 

Types of role-based access control 

The four types of access control under the RBAC standard are core, hierarchical, symmetric, and constrained. 

Core RBAC 

Core role-based access control details the key components of the system. It can stand alone or be used as the base for hierarchical and constrained RBAC. Core RBAC is composed of five static elements: users, roles, permissions, operations, and objects. Permissions are composed of operations applied to objects.

Hierarchical RBAC 

Hierarchical role-based access control uses a hierarchy within the role structure to establish relationships between roles (e.g., senior, mid-level, junior). With hierarchical RBAC, users with senior roles are granted all of the permissions of their subordinates and those specific to their needs. 

Symmetric RBAC 

Symmetric role-based access control allows administrators to perform permission-role and user-role reviews to assess permissions assigned to existing roles.   

Constrained RBAC 

Constrained role-based access control augments core RBAC with separation of duties (SoD), which can be static or dynamic. With static separation of duties (SSD), no user can hold mutually exclusive roles; for example, a user cannot both create and approve a proposal. Dynamic separation of duties (DSD) allows a user to hold conflicting roles but prevents them from activating both in the same session.
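
The following is an added example, not SailPoint code, showing constrained RBAC in working form. It models users, roles, (operation, object) permissions and sessions in the style of the NIST/ANSI RBAC model, enforces an SSD constraint at role assignment and a DSD constraint at session activation, and exposes the "simulate before you provision" check that the SAP tenets above call predictive risk analysis. The finance roles, the users alice and bob, and the permissions are constructed sample data; the vendor-master/payment pairing is the classic fictitious-vendor fraud path.

```python
"""Constrained RBAC with static and dynamic separation of duties.

Added example, not SailPoint code. Users, roles, permissions and the
finance scenario are constructed sample data (NIST/ANSI RBAC style).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Permission = Tuple[str, str]             # (operation, object)
Constraint = Tuple[FrozenSet[str], int]  # (role set, n): n or more of the set is a breach


class SoDViolation(Exception):
    """Raised when an assignment or activation would breach SSD/DSD."""


@dataclass
class RBAC:
    role_perms: Dict[str, Set[Permission]] = field(default_factory=dict)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    ssd: List[Constraint] = field(default_factory=list)  # static SoD: which roles may be held
    dsd: List[Constraint] = field(default_factory=list)  # dynamic SoD: which roles may be active together
    sessions: Dict[str, Tuple[str, Set[str]]] = field(default_factory=dict)

    def add_role(self, role: str, perms: Set[Permission]) -> None:
        self.role_perms[role] = set(perms)

    def add_ssd(self, roles: Set[str], n: int = 2) -> None:
        self.ssd.append((frozenset(roles), n))

    def add_dsd(self, roles: Set[str], n: int = 2) -> None:
        self.dsd.append((frozenset(roles), n))

    def ssd_conflicts(self, user: str, new_role: str) -> List[FrozenSet[str]]:
        """Simulate the assignment without applying it; return the SSD sets it would breach."""
        prospective = self.user_roles.get(user, set()) | {new_role}
        return [roles for roles, n in self.ssd if len(prospective & roles) >= n]

    def assign_role(self, user: str, role: str) -> None:
        conflicts = self.ssd_conflicts(user, role)
        if conflicts:
            raise SoDViolation(f"{user}+{role} would breach SSD set {sorted(conflicts[0])}")
        self.user_roles.setdefault(user, set()).add(role)

    def create_session(self, sid: str, user: str, activate: Set[str]) -> None:
        """Activate roles for a session; DSD is enforced here, not at assignment time."""
        active = set(activate)
        held = self.user_roles.get(user, set())
        if not active <= held:
            raise PermissionError(f"{user} does not hold {sorted(active - held)}")
        for roles, n in self.dsd:
            if len(active & roles) >= n:
                raise SoDViolation(f"session {sid} would breach DSD set {sorted(roles)}")
        self.sessions[sid] = (user, active)

    def check_access(self, sid: str, op: str, obj: str) -> bool:
        """Decided on the session's active roles only, not every role the user holds."""
        _user, active = self.sessions[sid]
        return any((op, obj) in self.role_perms[r] for r in active)


def build_demo() -> RBAC:
    m = RBAC()
    m.add_role("vendor_master", {("create", "vendor"), ("update", "vendor")})
    m.add_role("ap_payment", {("create", "payment"), ("release", "payment")})
    m.add_role("ap_clerk", {("create", "invoice")})
    m.add_role("ap_approver", {("approve", "invoice")})
    # SSD: nobody may both maintain vendor records and release payments.
    m.add_ssd({"vendor_master", "ap_payment"})
    # DSD: both AP roles may be held (holiday cover) but never activated in one session.
    m.add_dsd({"ap_clerk", "ap_approver"})
    return m


def demo() -> dict:
    m = build_demo()
    out = {}
    m.assign_role("alice", "vendor_master")
    # Predictive check: what would granting ap_payment break, before anything is provisioned?
    out["alice_ap_payment_conflicts"] = [sorted(c) for c in m.ssd_conflicts("alice", "ap_payment")]
    try:
        m.assign_role("alice", "ap_payment")
        out["alice_ssd_blocked"] = False
    except SoDViolation:
        out["alice_ssd_blocked"] = True
    m.assign_role("bob", "ap_clerk")
    m.assign_role("bob", "ap_approver")  # allowed: only DSD-constrained
    try:
        m.create_session("s1", "bob", {"ap_clerk", "ap_approver"})
        out["bob_dsd_blocked"] = False
    except SoDViolation:
        out["bob_dsd_blocked"] = True
    m.create_session("s2", "bob", {"ap_clerk"})
    out["bob_can_create_invoice"] = m.check_access("s2", "create", "invoice")
    out["bob_can_approve_in_s2"] = m.check_access("s2", "approve", "invoice")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of separating ssd_conflicts from assign_role is that the same check can be run from an access-request workflow before anything is written to the target system, which is what makes the "analyse risk before provisioning" tenet possible; DSD, by contrast, cannot be checked at assignment time at all and has to live in the session or transaction path.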

Additional types of access controls

Attribute-based access control (ABAC)

Attribute-based access control is a user authorisation approach that evaluates users' attributes or characteristics, rather than roles, to determine access privileges according to an organisation's security policies. With ABAC, access rules can be hyper-granular. 

Access Control List (ACL) 

An access control list is a table attached to a resource that lists the permissions associated with it. Each entry names a subject (a user or group) and the operations that subject is allowed or denied on that object.  

An ACL lets the operating system know which users can access an object and which actions they are authorised to execute. ACLs are used in two main contexts: networking and file systems. In networking, ACLs are applied to routers, switches, and firewalls to decide which traffic is permitted or dropped. File systems use ACLs to filter and manage access to files and directories through the operating system. 

Discretionary Access Control (DAC) 

Discretionary access control grants or restricts access to an object according to a policy set by the object's owner, or by subjects to whom the owner has delegated that right. DAC gives users control over their own resources, making it less restrictive than other access control models.  

With DAC, if a subject is granted permission to access an object, they can: 

  • Allow users to share their privileges with other subjects. 
  • Change security attributes. 
  • Choose the security attributes to be associated with new or updated objects. 
  • Modify the rules governing access control.  
  • Share attribute information with other subjects or objects. 

Mandatory Access Control (MAC) 

Mandatory access control limits access to resources according to the sensitivity of the information and the level of users’ permissions. The administrators define criteria for MAC. The enforcement of MAC is handled by the operating system or a security kernel, which users cannot change.   

RBAC vs. access control list (ACL)

Role-based access control and ACL serve different purposes. For example, RBAC is considered to be the best option for managing business applications and data access. On the other hand, ACL is thought to be better at handling security at the individual user level and for low-level data. Additionally, RBAC is a good fit for organisation-wide security, while ACL works well for granting access to a specific file. 

RBAC vs. attribute-based access control (ABAC)

The key difference between role-based access control and ABAC is how access is granted. RBAC grants access based on users’ roles and responsibilities. With ABAC, access is granted based on attributes or characteristics, such as: 

User types

  • Security clearances 
  • Username 
  • Age 
  • Job function 
  • Department 

Time of day

  • Lock down access to resources during the night  
  • Limit edits during times when a user is not under supervision 
  • Restrict access to materials on weekends 

Location

  • Restrict access to a specific area (e.g., office, campus, country)  
  • Deny access from specific devices (e.g., mobile phones, laptops with Wi-Fi) 

Generally, organisations use RBAC for coarse-grained access control, while ABAC is used for fine-grained access control.  

RBAC implementation 

A methodical approach is a must when implementing a role-based access control system. Time must be taken to analyse details to ensure the system meets security requirements. Specific steps that must be taken when implementing RBAC include the following. 

RBAC implementation steps

  • Make an exhaustive inventory of all resources, including applications (i.e., on-premises and cloud), servers, documents, files, file servers, databases, and other records that require security.   
  • Work with managers and human resources to identify roles.
  • Review all roles and determine how many roles should be included and which can be collapsed into blended groups.
  • Solicit feedback on the roles and input on permission levels from managers and other key constituents. 
  • Assign access permissions for the roles.
  • Develop an integration timeline that includes the development of the system as well as communications to users and training. 
  • Implement the plan, keeping a keen eye out for any glitches and making corrections and adjustments as needed. 

Best practices for managing RBAC implementation

  • Have a written policy for how the role-based access control system should be used, including detailing the process for making changes.
  • Be receptive to input from managers and users about how the RBAC system can be optimised and make relevant changes as needed.   
  • Continually evaluate roles and security status. 
  • Consider the reason for, and the implications of, any request to change a user's permissions before implementing it.   
  • Enforce security protocols related to permissions. 

RBAC examples

Examples of RBAC designations

Common designations in an RBAC system include:

  • Management role assignment, which connects a role to a role group 
  • Management role group, from which members can be added or removed
  • Management role scope, which puts limits on which objects are managed by a role group 

Examples of RBAC roles

With role-based access control, various roles within an application can be designated to users. These roles differ based on the type of application. Examples of RBAC roles include the following. 

Kubernetes RBAC role assignment elements 

  • Role—specifies permissions at the namespace level
  • ClusterRole—specifies permissions at the cluster level or for namespaces across the environment
  • Subject—describes a user, group, or service account 
  • RoleBinding—lists subjects and their assigned roles to bind roles to entities at the namespace level 
  • ClusterRoleBinding—lists subjects and assigned roles at the cluster level for every namespace in the cluster 

Microsoft Azure RBAC role assignment elements 

  • Principal—a user, group, service principal, or managed identity that requests a resource and is given access 
  • Role definition— a set of permissions that define what a principal in a certain role can do on a resource 
  • Scope—the boundary the assignment applies to (management group, subscription, resource group, or individual resource); the role's permissions apply to everything within that scope 

Examples of RBAC permissions

Role-based access control permissions are granted based on roles and access requirements. Roles and permissions are aligned with a user’s position in an organisation, such as an administrator, a specialist user, or an end user. Examples of RBAC permissions are: 

  • Administrative—for users that perform administrative functions 
  • Billing—for an end user to access a billing account
  • Primary—for the main contact for a specific account or role
  • Technical—for users who perform technical tasks 

With RBAC, users’ access permissions are tied to the common responsibilities and needs of a group, such as human resources, sales, or finance. Each role is provided with a set of permissions, as shown here:

Role                     Email  CRM  Customer DB  Employee Records  Corporate Network
End user                 Yes    No   No           No                Yes
Engineer / developer     Yes    No   No           No                Yes
Human resources          Yes    No   No           Yes               Yes
IT system administrator  Yes    Yes  Yes          Yes               Yes
Sales consultant         Yes    Yes  Yes          No                No

RBAC benefits

Enable separation of duties

Because permissions are partitioned by role, a single compromised account yields only the resources that account's roles permit, which limits the damage an attacker or a malicious insider can do through it. 

Enhance operational efficiency

Role-based access control simplifies administration and increases operational efficiency by providing a streamlined approach to assigning and managing access permissions. RBAC also allows administrators to quickly add and change roles and implement them across operating systems, platforms, and applications globally. This can be performed for internal and third-party users, including those who only require temporary access.

Improve compliance

Role-based access control helps organisations adhere to the data protection and privacy requirements set forth in myriad regulations by restricting access to resources.  

The automation of access based on roles also supports compliance by reducing human errors that could inadvertently expose sensitive data to unauthorised users.  

RBAC also provides support for auditing, which helps address compliance requirements.

Free up valuable administrative time

By reducing the amount of time administrators must spend on user permissions, role-based access control frees them up to work on higher-value, more important tasks. In addition, by limiting access to certain processes and applications, organisations can optimise the use of resources, such as network bandwidth, memory, and storage. 

Increase visibility

Role-based access control gives network administrators and managers more visibility and oversight of operations and users’ activities. It also allows them to see which resources users can access to ensure compliance and adherence to security protocols. 

Realise zero trust security

Role-based access control enables the implementation and enforcement of the principle of least privilege, a key tenet of zero trust security. By limiting access permissions to a user based on their roles and those required to do tasks associated with their role, RBAC significantly reduces the risk of breaches and data leakage. 

RBAC for advanced user privilege management

A proven solution for user-centric security, role-based access control is the go-to for administrators. It is easy to use and reliable. RBAC protects resources and enables organisations to comply with security and privacy standards included in many regulations. 

]]>
What is user provisioning? https://www.sailpoint.com/en-nz/identity-library/what-is-user-account-provisioning/ Mon, 13 Mar 2023 20:04:24 +0000 https://www.sailpoint.com/identity-library/what-is-user-account-provisioning/

The post What is user provisioning? appeared first on SailPoint.

]]>
User provisioning is the creation, maintenance, updating, and removal of a user's digital identity and access privileges across multiple resources at the same time, whether on-premises, in the cloud, or in a hybrid environment. 

This article details the definition, processes, best practices, and benefits of user provisioning and deprovisioning, as well as the meaning and utilisation of automated user provisioning and user provisioning solutions. 

Definition of user provisioning

User provisioning, also known as user account provisioning, is an identity and access management (IAM) process that utilises key user information such as name, job title, department, attributes, entitlements, group memberships, and other associated data to create accounts and grant the appropriate rights and privileges to users across the IT infrastructure and business applications. Its purpose is to safeguard systems, applications, and data while enabling user access to perform tasks that support the enterprise’s strategies, goals, and objectives. 

User provisioning is triggered when a record is created or updated in the authoritative source system (typically the HR system) and is then managed throughout the user's lifecycle within the organisation. Access to applications and data is granted based on the enterprise's needs for that user and adjusted as roles and business needs evolve and change. 

Types of user provisioning

Types of user provisioning include: 

  • Self-service: Users manage some aspects of user provisioning on their own; for example, password updates 
  • Discretionary: Users are granted access to data and applications by an administrator 
  • Workflow: User access is granted based on workflow requirements once mandatory authorisations are obtained 
  • Automated: The user provisioning process is managed by software or a solution that applies rules defined for accounts, generating efficiencies by enabling administrators to focus on other tasks 

What is deprovisioning?

Deprovisioning is the act of withdrawing privileges or access from an account or deleting an account prompted by changes such as internal employee transfers or departures. Accounts may also be disabled or deleted due to internal or external threats. The user will also be removed from any groups or roles of which they are a member.  

Deprovisioning is an important step for security reasons; even if the user does not pose a threat, dormant accounts can be gateways to data breaches and other cybersecurity threats. 

An example of user provisioning

An example of user provisioning for a new employee might include the following steps: 

  • The employee joins the organisation; an IT profile is created, and birthright applications are assigned 
  • The employee is onboarded, and may be granted additional access based on required tasks 
  • Throughout the employee’s tenure, access may be withdrawn and/or granted as the employee’s role changes  
  • When the team member’s employment terminates, the user account will be appropriately deprovisioned as the employee offboards 

User provisioning policies and procedures vary with circumstances: the example above versus one-off provisioning for temporary, non-employee access, or re-provisioning for a current employee experiencing problems with an existing account.  

The user provisioning process

These steps may be followed to launch user provisioning or to restructure an inefficient or non-scalable program. User provisioning process steps include: 

  • Assessing and evaluating identity and access management (IAM) initiatives: Consider maturity level, efficacy, and security, and enable an organisation-wide language around user provisioning 
  • Developing a user provisioning business case: Detail the current IAM process, identify gaps and challenges in usability and productivity, and project the benefits, such as improved security, reduced risk, and increased efficiency, of proposed updates 
  • Inventorying of mission-critical systems and applications, directories, and users 
  • Planning resources: Typical roles required for user provisioning include a project manager, technical leads, system administrators, database administrators, and human resources analysts 
  • Introducing a trial of the proposed program: Involve people at all levels of the organisation, including executives, and request feedback to incorporate prior to the full release 
  • Launching user provisioning throughout the enterprise: Use checklists, status meetings, and the identified internal resources to keep the process on track 
  • Observing and enhancing the new process and solution: Track user provisioning requests and responses, measure key performance indicators, and iterate to improve the program and continue to scale while sunsetting the previous process 

Be sure to note areas of improvement that might not be immediately visible via metrics, such as increased availability from IT teams for larger, more complex initiatives due to spending less time on routine user provisioning requests. 

User provisioning best practices

One of the greatest challenges for the enterprise today is safeguarding applications and data while ensuring that employees and others have easy access to the resources they need to be productive. User provisioning best practices support both concerns with the following: 

  • Ensure centralised identity and access management: Minimise security risk while easing the burden on IT teams 
  • Use the principle of least privilege: Users only need access to resources that are essential to perform their jobs, and only for defined time periods 
  • Automate user provisioning and deprovisioning: Manual management of user provisioning doesn’t make sense for most organisations; it consumes valuable IT resources with little return, and is less effective when it comes to security since over- and under-provisioning are common 
  • Support IT teams: Generate guidelines for sharing and restricting access, checklists for onboarding, transitioning, and offboarding team members, and transparency around roles and their required access to organisational resources 
  • Use multi-factor authentication: This access management tool combines two or more security mechanisms for accessing IT resources, including applications and devices 
  • Utilise risk-based authentication (RBA): Determine the risk when a user performs a specific action; block the user and alert the IT team when potential issues are detected 
  • Consider compliance and implement auditing: Compliance requirements often overlap with security concerns; internal audits proactively support both security and compliance efforts 

Best practices for user provisioning solutions

Best practices for selecting user provisioning software or solutions for the enterprise include selecting a product that: 

  • Is comprehensive and scalable 
  • Offers a positive, easy user experience 
  • Provides automated capabilities with self-service where feasible 
  • Has features that support regulatory compliance requirements 
  • Mitigates the cost of the solution with internal improvements 
  • Includes robust analytics and reporting 

User provisioning benefits

To grow, scale, and enable digital transformation, the enterprise must dispense with manual, spreadsheet-based processes and enable automation, streamlining, and artificial intelligence. User provisioning is part of this change because it facilitates a shift from IT teams as support to a team that drives new initiatives.  

Benefits to the enterprise from enabling user provisioning include: 

  • Streamlining identity and access management across applications 
  • Easier employee onboarding and offboarding with better security and lower costs 
  • Improving team member, contractor, and partner efficiency and productivity 
  • Providing role-based access control 
  • Protecting sensitive data 
  • Reduced administrative complexity and fewer human errors with a centralised system 
  • Time savings for the IT security team that allows them to prioritise other tasks   
  • Simplifying password management  
  • Mitigating risks from compromised or over-provisioned accounts 
  • Improved regulatory compliance and audit preparation 
  • Facilitating efficient auditing, with automated user provisioning systems that conduct audits in hours instead of days or weeks 
  • Enhancing operational velocity 
  • Maintaining organisational security, including supporting remote work and mitigating risks associated with shadow IT 
  • Reputation enhancement based on safeguarding of information and applications 

Automated user provisioning

Automated user provisioning is the logical outcome of user provisioning and identity and access management. The joiner, mover, and leaver stages of the identity lifecycle map naturally onto it: the role attributed to a user can be tied to their current organisational position, freeing IT team members to work on other priority tasks rather than spending time checking attributes and managing clearances for individual users.  

Automated provisioning mitigates the challenges and interruptions generated by manually administering user accounts.

It also enhances security and compliance initiatives by granting just enough access and no more. Attribute-based access control (ABAC) supports this by giving users permissions for applications and data based on attributes such as the position they hold in the organisation, and by withdrawing access that is no longer needed, which reduces the risk of insider threats. 

The fundamental workflow for automated user provisioning assigns users to applications based on their roles. When a user is given a role, an account is automatically created for them in each application the role entitles them to, and access is granted. Whenever access is no longer needed, whatever the reason, permissions are revoked according to the organisation’s deprovisioning policies as soon as the role is removed from the user.   
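The role-driven workflow just described, as an added example in Python (not SailPoint’s code and not a description of any product): a small reconciliation engine that holds a constructed role model and, on each role change, computes the account creations, grants and revocations required. A joiner is a user who had no roles, a mover is a user whose role set changed, and a leaver is a user whose roles are all removed, so one function covers all three events. ROLE_MODEL, the application names and the entitlement strings are all constructed for illustration.

```python
"""Role-driven joiner / mover / leaver provisioning (constructed example).

Roles map to application entitlements. When a user's role set changes, the
engine works out which application accounts must be created, which
entitlements must be granted, and which must be revoked. The deprovisioning
policy encoded here: anything no current role justifies is revoked at once,
and an application with nothing left is disabled.
"""
from dataclasses import dataclass, field

# Constructed role model: role -> {application: {entitlements}}
ROLE_MODEL = {
    "finance-analyst": {"erp": {"gl.read", "ap.read"}, "email": {"mailbox"}},
    "finance-manager": {"erp": {"gl.read", "ap.read", "ap.approve"},
                        "email": {"mailbox"}},
    "marketing": {"cms": {"edit"}, "email": {"mailbox"}},
}


@dataclass
class User:
    uid: str
    roles: set = field(default_factory=set)
    # Current state in the target systems: application -> granted entitlements
    access: dict = field(default_factory=dict)


def entitled(roles):
    """Union of the entitlements the given roles justify: app -> set."""
    out = {}
    for role in roles:
        for app, ents in ROLE_MODEL.get(role, {}).items():
            out.setdefault(app, set()).update(ents)
    return out


def reconcile(user, new_roles):
    """Apply a role change and return the ordered list of provisioning actions.

    Output is sorted so that the plan for a given change is deterministic,
    which makes it reviewable in a dry run before anything is executed.
    """
    target = entitled(new_roles)
    actions = []
    # Grants: create an account on first contact with an app, then add
    # only the entitlements the user does not already hold.
    for app, wanted in sorted(target.items()):
        have = user.access.get(app, set())
        if app not in user.access:
            actions.append(("create_account", app))
        for ent in sorted(wanted - have):
            actions.append(("grant", app, ent))
    # Revocations: anything the new role set no longer justifies goes,
    # and an app with nothing left justified is disabled (leaver case).
    for app, have in sorted(user.access.items()):
        wanted = target.get(app, set())
        for ent in sorted(have - wanted):
            actions.append(("revoke", app, ent))
        if not wanted:
            actions.append(("disable_account", app))
    user.roles = set(new_roles)
    user.access = {app: set(ents) for app, ents in target.items()}
    return actions


if __name__ == "__main__":
    alice = User("alice")
    for label, roles in [("joiner", {"finance-analyst"}),
                         ("mover (promotion)", {"finance-manager"}),
                         ("mover (transfer)", {"marketing"}),
                         ("leaver", set())]:
        print(label, reconcile(alice, roles))
```

The engine is a pure function over the role model and the user’s recorded state, so the same call can run as a dry run to preview what a role change would do; that preview is the check worth having before an automated mover or leaver event touches production accounts.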

User provisioning solutions

In an increasingly complex environment, user provisioning solutions give the enterprise a sophisticated, centralised tool to control user privileges to applications and data. The information held in these solutions can be used to automate many tasks, such as creating, changing, and cancelling user access throughout the account’s lifetime. This streamlines organisational infrastructure while empowering the company to grow and scale.  

A user provisioning solution: 

  • Maintains available identity data on its infrastructure 
  • Offers appropriate tools for administrators to specify access conditions 
  • Provides a cost-effective method of securely modernising the employee lifecycle 
  • Utilises automation in activities associated with identity administration 
  • Safeguards data with enhanced enterprise security and authentication capabilities 
  • Offers an exceptional user experience that enriches employee productivity 

Securing the enterprise with user provisioning

User provisioning enables the enterprise to properly provision and deprovision access to applications and data, reducing the risk of data breaches, which are expensive and can cause long-term negative repercussions for the organisation’s reputation. It also facilitates visibility across the enterprise for leadership teams.  

User provisioning tools use automation to generate, oversee, and control user access, simplifying administration and enabling better management of the enterprise’s identity and access management program. Robust and stable user provisioning processes and procedures with a solid implementation support many areas of the enterprise as it pivots in response to an ever-changing business climate. 


The post What is user provisioning? appeared first on SailPoint.

The state of Identity in Australia & New Zealand https://www.sailpoint.com/en-nz/identity-library/identity-anz/ Thu, 09 Mar 2023 19:50:44 +0000 https://www.sailpoint.com/identity-library/identity-anz/ Australian and New Zealand organisations are aware of the constant digital threat to their operations and the need to develop a solid cyber security posture. Yet, the lack of accountability, siloed security strategies, and an underdeveloped cyber security culture continue to expose enterprises to constant exploits despite the availability of [...]

The post The state of Identity in Australia & New Zealand appeared first on SailPoint.


Beyond Access Management, A Path to Governance 

Australian and New Zealand organisations are aware of the constant digital threat to their operations and the need to develop a solid cyber security posture. Yet, the lack of accountability, siloed security strategies, and an underdeveloped cyber security culture continue to expose enterprises to constant exploits despite the availability of best-in-class security technologies.

IBRS, in conjunction with SailPoint, executed a comprehensive survey in 2022. A total of 565 Australian and New Zealand professionals from a broad range of industry sectors participated in the research. The study was based on both a quantitative survey (completed by the 565 respondents) and interviews with 30 senior stakeholders responsible for their organisations’ identity and access programs.

Organisations acknowledge the necessity of implementing robust security practices, yet it becomes clear that the true issue is that many of them are not communicating the benefits of modern identity solutions correctly. Although it is ‘easy’ to make the case for identity as a security tool, in the long term it is more important to position investments in identity solutions as an enabler of productivity.

Types of access control systems https://www.sailpoint.com/en-nz/identity-library/what-are-the-different-types-of-access-control-systems/ Thu, 09 Mar 2023 17:42:27 +0000 https://www.sailpoint.com/identity-library/what-are-the-different-types-of-access-control-systems/ When we refer to access control systems, we’re talking about providing access to restricted areas of the enterprise. But familiarity and correctly utilising access control systems to protect proprietary information are two completely different levels of understanding. For example, who gets access to what? What are the rules? How is [...]

The post Types of access control systems appeared first on SailPoint.

When we refer to access control systems, we’re talking about providing access to restricted areas of the enterprise. But familiarity and correctly utilising access control systems to protect proprietary information are two completely different levels of understanding. For example, who gets access to what? What are the rules? How is access tracked?

The user must first be identified and authenticated before being granted access to private information—which means the basics of an access control system include criteria and records for every time someone “enters” the system.

Depending on the type of organisation, the enterprise should consider a couple of broad ideas—what level of ownership it will have over the system, and how to decide which employees get access to what. There are many models, each with different benefits.

The most common types of access control systems

Mandatory access control (MAC)

The mandatory access control system provides the most restrictive protections, where the power to permit access falls entirely on system administrators. That means users cannot change permissions that deny or allow them entry into different areas, creating formidable security around sensitive information.

It even restricts the resource owner’s ability to grant access to anything listed in the system. Once an employee enters the system, they are assigned a set of security labels (“tags”), like a digital security profile, that determines their level of access. Depending on the tags a user holds, their access to each resource is limited according to the sensitivity of the information it contains. This model is so strict, in fact, that it is commonly used by government entities because of its commitment to confidentiality.

Discretionary access control (DAC)

A discretionary access control system, on the other hand, puts a little more control back into leadership’s hands. They determine who can access which resources, even if the system administrator created a hierarchy of files with certain permissions. All it takes is the right credentials to gain access.

The only disadvantage, of course, is that giving end users control over security levels requires oversight. And since the system requires a more active role in managing permissions, it is easy for actions to fall through the cracks. Where the MAC approach is rigid and low-effort, a DAC system is flexible and high-effort.

Role-based access control (RBAC)

Role-based access control attributes permissions to a user based on their business responsibilities. As the most common access control system, it determines access based on the user’s role in the company—ensuring lower-level employees aren’t gaining access to high-level information.

Access rights in this method are designed around a collection of variables that map back to the business—such as resources, needs, environment, job, location, and more. Many executives like this approach because it’s simple to group employees based on the kind of resources to which they need access. For example, someone in human resources does not need access to private marketing materials, and marketing employees don’t need access to employee salaries. RBAC provides a flexible model that increases visibility while maintaining protection against breaches and data leaks.

More detailed, hands-on access control

While there are some established practices in access control, technology has given us the opportunity for more customised approaches. Depending on how “hands-on” the enterprise wants to be, there are many ways to think about it.

Rule-based access control

As you might have guessed, this system grants permissions based on structured rules and policies. It is largely context-based: when a user attempts to access a resource, the operating system checks the rules defined in the “access control list” for that specific resource. Creating the rules, policies, and context adds some effort to the rollout. This system is also often blended with the role-based approach discussed earlier.

Attribute-based access control

Drilling down a level deeper, this type of system provides dynamic, risk-intelligent control based on attributes assigned to a specific user. Think of these attributes as components of a user profile; together they define the user’s access. Once policies are set, they use these attributes to determine whether or not a user should have access. The attributes can also be obtained and imported from a separate database, such as Salesforce.

“Smarter,” more intuitive control systems

Some control systems transcend technology altogether. These are the systems that operate on a deeper, more intuitive level.

Identity-based access control

The simplest in concept, yet the most complex in practice, identity-based control dictates whether a user is permitted access to a resource based on their individual visual or biometric identity. The user is then denied or permitted access based on whether or not their identity can be matched with a name appearing on the access control list. One of the main benefits of this approach is providing more granular access to individuals in the system, as opposed to grouping employees manually. This is a very detailed, technology-driven approach that gives an abundance of control to the business owner.

History-based access control

Another “smart” solution is a history-based access control system. Based on past security actions, the system determines whether or not the user gains access to the resource they are requesting. To do so, it examines that user’s history of activities: time between requests, content requested, which doors have recently been opened, and so on. For example, if a user has a long history of working exclusively with secured accounting materials, a request to access next year’s marketing roadmap might be flagged in the system.
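To make the differences between the role-based, attribute-based and history-based models above concrete, here is an added example in Python (not from the original post and not SailPoint’s code) that evaluates one request under each model in turn. How the three are combined is a design choice of this example rather than something the post prescribes: a request must pass both the role and the attribute tests, and a history anomaly escalates an otherwise permitted request to review instead of granting it silently, which is the “flagged in the system” outcome the post describes. The role table, resource catalogue, clearance levels and access history are constructed sample data.

```python
"""RBAC, attribute-based and history-based decisions on the same request.

Every table below is sample data constructed for this example.
"""
from datetime import datetime

# RBAC: a role statically lists the resources it may access.
RBAC = {
    "accounting": {"ledger", "invoices"},
    "marketing": {"roadmap", "campaigns"},
}

# Resource catalogue carrying the attributes the other two models consume.
RESOURCES = {
    "ledger":    {"name": "ledger",    "category": "accounting", "sensitivity": 3},
    "invoices":  {"name": "invoices",  "category": "accounting", "sensitivity": 2},
    "roadmap":   {"name": "roadmap",   "category": "marketing",  "sensitivity": 2},
    "campaigns": {"name": "campaigns", "category": "marketing",  "sensitivity": 1},
}

# Sample users: roles feed RBAC, clearance feeds the attribute policy.
USERS = {
    "alice": {"roles": {"accounting"}, "clearance": 3},
    "carol": {"roles": {"accounting", "marketing"}, "clearance": 3},
    "dave":  {"roles": {"accounting"}, "clearance": 1},
}

# Constructed access history: which resource categories each user has used.
HISTORY = {
    "alice": [{"resource": "ledger", "category": "accounting"},
              {"resource": "invoices", "category": "accounting"}],
    "carol": [{"resource": "ledger", "category": "accounting"}],
    "dave":  [],
}


def env(network, hour):
    """Environment attributes of a request: where it comes from and when."""
    return {"network": network, "time": datetime(2024, 1, 15, hour, 0)}


def rbac_allows(user, resource):
    """Role-based: allowed if any of the user's roles lists the resource."""
    return any(resource["name"] in RBAC.get(r, set()) for r in user["roles"])


def abac_allows(user, resource, ctx):
    """Attribute-based: clearance must cover sensitivity, the most sensitive
    data is reachable only from the corporate network, and only in hours."""
    if user["clearance"] < resource["sensitivity"]:
        return False
    if resource["sensitivity"] >= 3 and ctx["network"] != "corporate":
        return False
    return 7 <= ctx["time"].hour < 19


def history_flag(history, resource):
    """History-based: a request for a category the user has never touched is
    unusual. Return a reason string, or None when nothing stands out."""
    seen = {h["category"] for h in history}
    if resource["category"] not in seen:
        return f"first access to category '{resource['category']}'"
    return None


def decide(user, resource, ctx, history):
    """Combination chosen for this example: role and attribute tests must both
    pass; a history anomaly turns an allow into 'review' (step-up
    authentication or analyst review) rather than a silent grant."""
    if not rbac_allows(user, resource):
        return "deny", "no role grants this resource"
    if not abac_allows(user, resource, ctx):
        return "deny", "attribute policy not satisfied"
    flag = history_flag(history, resource)
    if flag:
        return "review", flag
    return "allow", ""


if __name__ == "__main__":
    for who, res, ctx in [("alice", "ledger", env("corporate", 10)),
                          ("alice", "roadmap", env("corporate", 10)),
                          ("alice", "ledger", env("home", 10)),
                          ("carol", "roadmap", env("corporate", 10)),
                          ("dave", "ledger", env("corporate", 10))]:
        print(who, res, decide(USERS[who], RESOURCES[res], ctx, HISTORY[who]))
```

Carol’s case is the one the post’s marketing-roadmap example describes: her roles and clearance permit the request, but her history is all accounting, so the engine returns “review” rather than “allow”. Dave’s case shows the attribute layer refusing what the role layer would have allowed, which is why the two are evaluated independently.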

The future: AI-driven Identity Management

As access control moves into the future, the responsibility of managing the systems will continue to shift away from people and towards technology. Artificial Intelligence (AI) not only allows us to evaluate access permissions for users in real-time, but it’s also able to forecast the entire lifecycle of an employee. These solutions not only protect us from the “now,” they’re able to identify risks and compliance issues before they become serious. The enterprise no longer has to tightly monitor the complicated web of policies and access control lists, because AI simplifies visibility at a high level.

Wrapping Up

While access control has evolved from protecting physical documents in real buildings to cloud-based systems, the idea of protecting the enterprise’s resources is never going out of style. The smarter we get with technology, the more options we’re going to have. Understanding the variables that matter—things like organisation size, resource needs, employee locations—will help inform your decision.

Want to learn more about how we use technology and AI to recommend the right access model for you? Read more here.


The post Types of access control systems appeared first on SailPoint.

What is Identity Governance and Administration (IGA)? https://www.sailpoint.com/en-nz/identity-library/identity-governance/ Thu, 09 Mar 2023 16:55:54 +0000 https://www.sailpoint.com/identity-library/identity-governance/ Identity Governance and Administration (IGA), also known as identity security, is at the centre of IT operations, enabling and securing digital identities for all users, applications and data. It allows businesses to provide automated access to an ever-growing number of technology assets while managing potential security and compliance risks. Identity [...]

The post What is Identity Governance and Administration (IGA)? appeared first on SailPoint.


Identity Governance and Administration (IGA), also known as identity security, is at the centre of IT operations, enabling and securing digital identities for all users, applications and data. It allows businesses to provide automated access to an ever-growing number of technology assets while managing potential security and compliance risks.

Identity Governance in Action
Learn how SailPoint’s identity platform helps enterprises enable their workforce by securing digital identities.

What Business Security Problems Does IGA Address?

Identity governance and administration can help your organisation effectively address today’s complex business challenges, balancing four critical objectives:

  1. Reduce operational costs
  2. Reduce risk and strengthen security
  3. Improve compliance and audit performance
  4. Deliver fast, efficient access to the business

Reduce operational costs

Identity governance and administration automates labour-intensive processes such as access certifications, access requests, password management and provisioning, which dramatically cuts operational costs. With its business-friendly user interface, this can significantly reduce the time IT staff spend on administrative tasks, and empower users to independently request access, manage passwords and review access. And with access to dashboards and analytical tools, organisations have the information and metrics they need to strengthen internal controls and reduce risk.

Reduce Risk and Strengthen Security

Compromised identities caused by weak, stolen or default user credentials are a growing threat to organisations. Centralised visibility creates a single authoritative view of “who has access to what,” allowing authorised users to promptly detect inappropriate access, policy violations or weak controls that put organisations at risk. Identity governance solutions enable business and IT users to identify risky employee populations, policy violations and inappropriate access privileges and to remediate these risk factors.

Improve Compliance and Audit Performance

Identity governance and administration allows organisations to verify that the right controls are in place to meet the security and privacy requirements of regulations like SOX, HIPAA and GDPR. It provides consistent business processes for managing passwords as well as reviewing, requesting and approving access, all underpinned by a common policy, role and risk model. With role-based access control, companies significantly reduce the cost of compliance while managing risk and establishing repeatable practices for more consistent, auditable and easier-to-manage access certification efforts.

Deliver Fast, Efficient Access to the Business.

By giving your users timely access to the resources they need to do their jobs, identity governance and administration enables them to become productive more quickly – and to stay productive, no matter how much or how quickly their roles and responsibilities change. It also empowers business users to request access and manage passwords, reducing the workload on help desk and IT operations teams. And with automated policy enforcement, identity governance allows you to meet service level requirements without compromising security or compliance.

SailPoint’s Identity Governance and Administration Solutions

In March, we were recognised as the 2020 Gartner Peer Insights Customers’ choice for Identity Governance & Administration (IGA). This distinction recognises the vendors who are top-rated by their customers, based on a series of customer-submitted reviews.

When it comes to identity governance, no company is better suited to help you solve your unique security and compliance challenges. Learn how we can help you protect your sensitive data, wherever it lives.

Frequently Asked Questions (FAQ)

What’s Cloud Identity Governance?

Cloud-based identity governance offers the same security, compliance and automation delivered by traditional enterprise-class identity solutions, coupled with a lower total cost of ownership and faster deployment. Put simply, identity provides the power to make the cloud enterprise secure.

Cloud is transforming the way we work. Organisations must effectively address today’s complex business challenges, and today’s enterprise is becoming a cloud enterprise. While companies are becoming more comfortable with moving strategic and mission-critical applications into the cloud, it can feel overwhelming to consider solutions like identity as a service (identity delivered as SaaS). They often avoid identity governance because they believe they lack the budget, time or skilled identity resources required to implement it. However, these are no longer inhibitors to reaping the benefits of identity management.

For SailPoint, we remain entirely focused on identity governance whether on-premises or from the cloud. IdentityNow, our SaaS solution, is as powerful an identity governance solution as IdentityIQ, our solution deployed in the data centre.

Isn’t identity governance software only available on-premises?

While it’s true that the first identity governance solutions on the market were installed on-premises, today there are cloud-based options for identity governance as well. In fact, SailPoint IdentityNow provides access certifications, access request, provisioning, and password management as cloud-based services.

Can identity governance manage cloud applications?

Identity governance solutions provide rich connectivity options that enable unified management across cloud and on-premises resources. All identity governance capabilities, including access certification, access request, password management, and provisioning, are cross-domain, meaning they can be used for cloud and on-premises applications.

Does my company need identity governance, even though we aren’t subject to regulatory compliance?

Identity governance is a critical component of any security strategy. If a company does not have identity software in place, it is at serious risk of cyberattacks. Because hackers attempt to steal user credentials constantly, protecting identities is vital to keeping cyber thieves out of company systems. No matter what, you need identity governance to protect user accounts and privileges—and ensure effective access control.

Is IGA only for big businesses?

While it may seem regulation compliance is a challenge only for large, international companies, the truth is that regulations (e.g., GDPR or CCPA) affect every enterprise organisation, whatever their size or industry. No matter what, organisations need to strengthen access controls to their sensitive data and applications.

Does identity governance support HIPAA compliance?

Identity governance helps ensure HIPAA compliance by:

  • Applying artificial intelligence and predictive analytics to monitor and identify unusual access behaviour
  • Consistently enforcing access policies and applying controls to all applications containing ePHI
  • Locating and securing structured and unstructured ePHI regardless of where it is stored
  • Automating periodic reviews of user access rights

Our open cloud identity governance platform makes it easy for you to stay HIPAA-compliant, giving you visibility and access control for apps and data, for every user.

What’s the history of Identity Governance?

Identity governance originally emerged as a new category of identity management. It was driven by the requirements of new regulatory mandates such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). Designed to improve transparency and manageability, identity governance gave organisations better visibility to identities and access privileges and better controls to detect and prevent inappropriate access.

In 2012, identity governance was recognised by Gartner as the fastest-growing sector of the identity management market. In its first Magic Quadrant focused on this market segment, Gartner stated that identity governance “is replacing user administration and provisioning as the new centre of gravity for IAM.” Gartner also estimated that growth rates for identity governance would exceed 35-40% per year, based on increased incidences of well-publicised insider theft and fraud.

As more and more customers deployed identity governance and provisioning solutions together, it became clear that the role, policy, and risk models provided by identity governance were foundational to provisioning and to compliance processes. At the same time, it became clear organisations needed centralised visibility over both on-premises and cloud applications, and data files across the organisation.


The post What is Identity Governance and Administration (IGA)? appeared first on SailPoint.
