Introduction
Identity Governance and Administration (IGA) is difficult. So difficult that 25% of material weaknesses reported to the NYSE and SEC are related to IT and Identity Governance. Most federal agencies have failed audits due to their IGA programs, including the Department of Defense’s 4 material weaknesses.
Why is this? For the many organizations that rely on manual practices, getting an accurate inventory of the identities across your application landscape and your organization is a monumental feat. Without an IGA platform or automation, creating a comprehensive identity inventory is nearly impossible, and an inventory can lose accuracy within days unless tools that integrate with your HR or directory services keep it current.
If you’re feeling overwhelmed by trying to implement IGA within your organization, remember author Douglas Adams’s sage advice “don’t panic.” I was in your shoes just a few years ago. I understood the objectives of IGA, but I had no idea how to achieve them and where to start. But I used these challenges and frustrations to take a fresh, proactive approach to IGA. This guide will help outline a doable journey for all organizations – from defense contractors to small and medium enterprises (SMEs).
“How to Build a Mature IGA Program” breaks the monumental endeavor into a series of six bite-sized projects to help you develop or improve your organization’s IGA.
- Build an inventory of your identities
- Establish key metrics
- Begin automation
- Expand the scope
- Roadmap to compliance
- Completion
Preface
Regardless of the current maturity of your IGA program, when you set out to build one, two questions inevitably come to mind: “how do I start, and where is the finish line?” Toss these questions out; they are rhetorical questions with no actionable answers. We need to focus on the three* questions a fully developed IGA program can answer:
- Who has access to what?
- When did they get that access?
- How did they get that access?
- Bonus question: Who had access to the ERP entitlement General Ledger – Post on Wednesday, February 9th, 2022, at 1:09 AM?
You are in good company if you are anxious after reading these three* questions. Most security teams struggle to answer these questions without investing millions of dollars in on-prem or SaaS IGA platforms and a full-time team of engineers. Affordable IGA Platforms exist, but if a paid solution isn’t an option, then the investment is some elbow grease, Googling, and reading the rest of this article.
Let’s start with Project 1: How to Create an Inventory of Your Identities.
How To Create an Identity Inventory
Step 1: Create an Inventory
The foundation of a successful identity program is a complete and accurate listing of the identities in an environment. An identity is an employee, contractor, service account, or user that can access ANY IT system. Producing an inventory of identities sounds more complex than it actually is.
Collect your data
- Ask HR for a list of all current and former users in .CSV format. The export should include basic user information – email, name, manager, start date, and (for former users) termination date or status. HR will not know about service accounts or shared accounts, so those have to come from the directory and application exports below.
- Export a list of identities from applications that store many users. I cannot emphasize enough that you should focus on apps that store sizeable populations of users. If you include apps with fewer than 50% of your employee base, you will lose the forest for the trees.
- You can use a PowerShell command like the one below to export every user in Active Directory, enabled or disabled. Get-ADUser returns only a handful of attributes by default, so ask for the ones the inventory needs, and add -NoTypeInformation so Windows PowerShell does not prepend a #TYPE line that will trip up the scripts later:
Get-ADUser -Filter * -Properties EmailAddress,Manager,whenCreated | Select-Object SamAccountName,Name,UserPrincipalName,EmailAddress,Manager,Enabled,whenCreated |
    Export-Csv -Path .\allusers.csv -NoTypeInformation
Combine your data
You should now have 2-3 CSVs full of identities and information about each identity. Because this is an inventory, we must consolidate the CSVs into a single file, also known as a Universal Identity Directory. Here is a python script to help you get started – IdentityInventory.py. Note: You can find it and the rest of the python scripts used in this article in this GitHub Repo.
At a high level, here’s how the script works:
- CollectFileNames(): Prompts you for the number of files and their names. Returns a list named "fileNames".
- csvEvaluation(file, identities): Processes the data in each CSV.
- main(): Instantiates our required dictionaries, establishes the headers, and writes the final JSON file and CSV.
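As an added illustration of the merge step (my own example, not the IdentityInventory.py script from the repo), here is a self-contained Python version that works on three constructed sample exports embedded in the file. The column names for each system are assumptions; map yours in the SOURCES table. It keys identities on a normalised email address, records which sources each identity appears in, and flags two things worth knowing before the manager review even starts: identities that the system of record (HR) knows nothing about, and users HR has terminated that a system still has enabled.

```python
"""Merge HR, Active Directory and application exports into one identity inventory.

Added example, not the IdentityInventory.py script from the article's repo.
The three CSV exports below are constructed sample data; in practice you read
the files HR and your application admins handed you instead.
"""
import csv
import io
import json
from collections import OrderedDict

# Constructed sample exports. Column names are assumptions about what each system produces.
HR_CSV = """email,name,manager,start_date,status
alice@example.com,Alice Adams,carol@example.com,2019-03-04,active
bob@example.com,Bob Brown,carol@example.com,2020-07-13,terminated
carol@example.com,Carol Chen,,2015-01-20,active
"""

AD_CSV = """UserPrincipalName,Name,Enabled,whenCreated
Alice@Example.com,Alice Adams,True,2019-03-04
bob@example.com,Bob Brown,True,2020-07-13
carol@example.com,Carol Chen,True,2015-01-20
svc-backup@example.com,svc-backup,True,2018-11-02
"""

ERP_CSV = """user_email,display_name,active
alice@example.com,A. Adams,Y
dave@example.com,Dave Diaz,Y
"""

# Map each source's own column names onto the inventory's common fields.
SOURCES = {
    "HR": {"text": HR_CSV, "email": "email", "name": "name",
           "active": lambda r: r["status"] == "active"},
    "AD": {"text": AD_CSV, "email": "UserPrincipalName", "name": "Name",
           "active": lambda r: r["Enabled"] == "True"},
    "ERP": {"text": ERP_CSV, "email": "user_email", "name": "display_name",
            "active": lambda r: r["active"] == "Y"},
}


def normalize_email(value):
    """Lower-case and strip so 'Alice@Example.com' and 'alice@example.com' are one identity."""
    return value.strip().lower()


def build_inventory(sources=SOURCES, system_of_record="HR"):
    """Return {email: record}; each record lists every source the identity appears in."""
    inventory = OrderedDict()
    for source_name, spec in sources.items():
        for row in csv.DictReader(io.StringIO(spec["text"])):
            key = normalize_email(row[spec["email"]])
            rec = inventory.setdefault(key, {"email": key, "name": row[spec["name"]],
                                             "sources": {}, "in_hr": False})
            rec["sources"][source_name] = {"active": bool(spec["active"](row))}
            if source_name == system_of_record:
                rec["in_hr"] = True
                rec["name"] = row[spec["name"]]          # HR spelling wins over app display names
                rec["manager"] = row.get("manager", "")
                rec["start_date"] = row.get("start_date", "")
    return inventory


def find_orphans(inventory):
    """Identities some system has but HR does not know: service accounts, stale contractors, or worse."""
    return sorted(e for e, r in inventory.items() if not r["in_hr"])


def find_terminated_but_enabled(inventory, system_of_record="HR"):
    """HR says terminated, yet at least one other system still has the account enabled."""
    hits = []
    for email, rec in inventory.items():
        hr = rec["sources"].get(system_of_record)
        if hr and not hr["active"]:
            still_on = [s for s, v in rec["sources"].items() if s != system_of_record and v["active"]]
            if still_on:
                hits.append((email, still_on))
    return hits


def write_outputs(inventory, json_path="inventory.json", csv_path="inventory.csv"):
    """Write the inventory as JSON (full detail) and CSV (one row per identity, one column per source)."""
    with open(json_path, "w") as fh:
        json.dump(inventory, fh, indent=2)
    names = sorted({s for r in inventory.values() for s in r["sources"]})
    with open(csv_path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["email", "name", "manager", "start_date", "in_hr"] + names)
        for rec in inventory.values():
            writer.writerow([rec["email"], rec["name"], rec.get("manager", ""),
                             rec.get("start_date", ""), rec["in_hr"]]
                            + [rec["sources"].get(s, {}).get("active", "") for s in names])


if __name__ == "__main__":
    inv = build_inventory()
    print(f"{len(inv)} identities across {len(SOURCES)} sources")
    print("not in HR:", find_orphans(inv))
    print("terminated but still enabled:", find_terminated_but_enabled(inv))
    write_outputs(inv)
```

Run it directly and it writes inventory.json and inventory.csv beside itself. Matching on email is the weakest link: service accounts frequently have no mail attribute, so for those you fall back to sAMAccountName or the application’s own user ID and carry the owning person as a separate column, which is exactly the information the manager review in Step 2 has to supply.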
Now we have an inventory. Well…we have the beginning of an inventory…but it’s a start! While it is (relatively) complete, it is not accurate. Luckily, achieving accuracy is not on your shoulders.
Step 2: Confirm Accuracy of Your Inventory
For our next step, you will run a User Review. A User Review is a high-level review used to confirm that the identities in your inventory are still employed and active. A User Access Review is more detailed and evaluates all users and the applications and entitlements they can access.
Performing a user review requires the assistance of the managers around your company. Managers are only asked to verify the employees and contractors who report to them, and to confirm that those people still work for your company.
Generate the Review
To generate the user review for the managers, run the second python script found in the GitHub repo titled ManagerUserReview.py. It follows the same process as above but includes a function to generate a unique XLSX for each manager. The instructions to complete a review are as follows:
- Open the XLSX in Excel or Google Sheets
- Review each identity and document whether the identity:
  - is still with the company
  - is on their team
  - reports to them
- Use the drop-down in Column I, “Manager Response (Drop Down),” to record the response
Collect Responses
You may need to explain to managers why this project matters. Feel free to use any of the reasons below:
- This User Review saves (insert your company’s name) money. It can return thousands of dollars to your budget; scale the number to your company’s size.
- Orphaned accounts pose a significant security threat to organizations and are one of the main vectors for compromised data. Your assistance in this review directly improves our security posture!
- We must meet specific audit and compliance requirements to stay in business, and we won’t pass them without your help completing this User Review.
- Do you want to keep your job? (Maybe not this one.)
Managers should be able to review their lists in a matter of minutes. However, if you are struggling to receive responses, I recommend employing the assistance of your manager or a security-minded executive to provide extra incentive.
Step 3: Clean Up
Once manager responses are collected, all that is left is to clean up the master list and the source applications, also known as sources of truth (or systems of record). For HR cleanup items, e.g., users who have not been terminated in the HR system or manager updates, work with a member of your organization’s HR team to make the required changes.
First
Combine all reviews into a single XLSX using the script in the GitHub repo titled UserReviewCombiner.py. Ensure that you follow the instructions in the readme.txt; otherwise, it will not run properly! You will have 1 XLSX with six sheets.
- Master – The master sheet of every user and their reviewer’s response.
- Conflicting Response – This indicates a user was reviewed by more than one manager, and the managers’ responses were not the same.
- Employed – Indicates the manager believes the user is still employed.
- Terminated – Indicates the user was terminated but is still active in your systems. This sheet requires immediate attention.
- Changed Teams – This sheet means the employee has changed teams and requires an update in HR, AD, or another application.
- Do Not Recognize – The assigned reviewer is not familiar with the user.
Second
Evaluate all identities that require cleanup in Conflicting Response, Terminated, Changed Teams, and Do Not Recognize. If the sheets look accurate after review, continue to the Third substep. If something looks off, do not continue.
- Anomalies to keep an eye out for include large swaths of users being denied by a single manager, users you know are active marked as terminated, or incomplete columns.
- If anomalies are found, send the review back to the manager! Hasty decisions inevitably result in valid users being disabled.
Third
Double check the Second substep. Some recommendations:
- Verify that the number of remaining identities lines up with the number of people you know work for your company. If HR says you have 500 employees, every identity beyond those 500 should be accounted for as a contractor, service account, or shared account with a named owner, and every employee should appear exactly once. A discrepancy in either direction means a second pass at the manager responses. This reconciliation is the heart of identity governance, so do not skip it.
- Ask your manager, supervisor, or coworker to review the list of identities slated for removal (the rows that will become IdentitiesForRemediation.csv in the next substep). It is prudent to proceed with an overabundance of caution.
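As an added example (mine, not the UserReviewCombiner.py script from the repo) of the First through Third substeps in code, here is a Python version that takes the per-manager responses as plain rows, builds the six sheets, separates conflicting answers, flags reviewers who marked an implausibly large share of their people as gone, reconciles the survivors against HR’s headcount, and only lets uncontested Terminated rows through to the remediation list. The review rows and the reviewer thresholds are constructed sample data and assumed values.

```python
"""Combine per-manager user reviews, bucket the responses, and hold back anything suspicious.

Added example, not the UserReviewCombiner.py script from the article's repo.
The review rows below are constructed sample data standing in for the
per-manager XLSX files; the response values mirror the article's sheet names.
"""
from collections import Counter, defaultdict

RESPONSES = ("Employed", "Terminated", "Changed Teams", "Do Not Recognize")

# Constructed sample rows: one row per (identity, reviewing manager).
REVIEW_ROWS = [
    {"username": "aadams", "email": "alice@example.com", "reviewer": "carol", "response": "Employed"},
    {"username": "bbrown", "email": "bob@example.com",   "reviewer": "carol", "response": "Terminated"},
    {"username": "bbrown", "email": "bob@example.com",   "reviewer": "erin",  "response": "Employed"},
    {"username": "ddiaz",  "email": "dave@example.com",  "reviewer": "carol", "response": "Changed Teams"},
    {"username": "ffox",   "email": "fay@example.com",   "reviewer": "gus",   "response": "Terminated"},
    {"username": "hhale",  "email": "hal@example.com",   "reviewer": "gus",   "response": "Terminated"},
    {"username": "iiyer",  "email": "ira@example.com",   "reviewer": "gus",   "response": "Terminated"},
    {"username": "jjones", "email": "jo@example.com",    "reviewer": "gus",   "response": "Do Not Recognize"},
    {"username": "kkim",   "email": "kim@example.com",   "reviewer": "erin",  "response": "Terminated"},
]


def combine_reviews(rows):
    """Return the six 'sheets': Master plus one bucket per response, with multi-reviewer conflicts set aside."""
    by_identity = defaultdict(list)
    for row in rows:
        if row["response"] not in RESPONSES:
            raise ValueError(f"unexpected response {row['response']!r} for {row['username']}")
        by_identity[row["username"]].append(row)
    sheets = {"Master": list(rows), "Conflicting Response": []}
    sheets.update({r: [] for r in RESPONSES})
    for username, answers in by_identity.items():
        if len({a["response"] for a in answers}) > 1:
            sheets["Conflicting Response"].extend(answers)   # managers disagree: a human decides, not the script
        else:
            sheets[answers[0]["response"]].append(answers[0])
    return sheets


def flag_reviewers(rows, min_reviews=3, max_removal_share=0.5):
    """Reviewers who marked an unusually large share of their people as gone; send their review back."""
    totals, removals = Counter(), Counter()
    for row in rows:
        totals[row["reviewer"]] += 1
        if row["response"] in ("Terminated", "Do Not Recognize"):
            removals[row["reviewer"]] += 1
    return sorted(r for r in totals
                  if totals[r] >= min_reviews and removals[r] / totals[r] > max_removal_share)


def reconcile_headcount(rows, sheets, hr_headcount):
    """Compare the identities that survive the review with HR's employee count (assumed input)."""
    reviewed = {r["username"] for r in rows}
    removing = {r["username"] for r in sheets["Terminated"]}
    remaining = len(reviewed - removing)
    return {"reviewed": len(reviewed), "remaining": remaining,
            "hr_headcount": hr_headcount, "unexplained": remaining - hr_headcount}


def identities_for_remediation(sheets, suspicious_reviewers):
    """Terminated rows safe to act on: uncontested, and not from a reviewer flagged as anomalous."""
    return sorted(r["username"] for r in sheets["Terminated"]
                  if r["reviewer"] not in suspicious_reviewers)


if __name__ == "__main__":
    sheets = combine_reviews(REVIEW_ROWS)
    bad = flag_reviewers(REVIEW_ROWS)
    print({k: len(v) for k, v in sheets.items()})
    print("reviewers to re-check:", bad)
    print(reconcile_headcount(REVIEW_ROWS, sheets, hr_headcount=3))
    print("disable:", identities_for_remediation(sheets, bad))
```

The thresholds (at least three reviews, more than half marked Terminated or Do Not Recognize) are starting points, not rules; tune them to the size of your teams. The property that matters is that nothing conflicting or anomalous reaches IdentitiesForRemediation.csv until a person has looked at it, which is the guard the “send the review back to the manager” bullet asks for.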
Fourth
Once you are confident in the cleanup XLSX, copy the contents into a CSV titled “IdentitiesForRemediation.csv” with a Username column. Now it’s time to automate the Active Directory cleanup using a PowerShell script that resembles the following. It disables accounts rather than deleting them, so a wrong manager response can be reversed, and you can run it once with -WhatIf appended to Disable-ADAccount to preview what it would touch:
Import-Csv -Path “C:\<insert your path>\IdentitiesForRemediation.csv” | ForEach-Object {
    # $_ is the current CSV row; disable (don't delete) the account named in its Username column
    Disable-ADAccount -Identity $_.Username
}
Final Thoughts
Congratulations, you now have a (mostly) complete and (currently) accurate inventory of identities! You are officially ahead of most of the agencies of the federal government and hundreds of publicly traded companies.
You’ve done an incredible job making progress, but there is still more work to do. In part 2 of this series, you’ll learn how to establish foundational metrics used to evaluate the efficacy and success of IGA within your organization. These metrics will also provide justification for any future IGA purchasing decisions.
About The Author
Connor Borchgrevink is the Co-Founder and CEO of Clarity Security. Before founding Clarity, she spent over a decade working in cybersecurity for Fortune 500 companies.