3 Ways Automated Identity Lifecycle Management Makes Your Job Easier

Automation, automation, automation. As professionals, we all understand the general benefits of incorporating automation into our processes and procedures. But does the time and effort spent developing and deploying automation really improve cybersecurity outcomes? When it comes to Identity Lifecycle Management the answer is 100% yes, especially if you leverage an Identity Governance (IGA) platform with easy-to-use, customizable drag-and-drop workflows.

What is the Identity Lifecycle?

Before we dive in, here’s a little refresher on Access Management 101. The Identity Lifecycle is the journey that a user’s identity goes through during its lifetime within an organization’s environment. Identities can be tied to specific end-users, such as employees, or to digital entities such as devices or AI. The lifecycle of an identity begins the moment it is created, and it lasts through termination or deletion. Some important events in an identity’s lifecycle include access being assigned, changes in credentials, and authentication events.

For example, Joy is a new Software Engineering Intern at Mega Corp. Her identity is created on her first day of work and she’s assigned all the relevant access she needs as a Software Engineering Intern. After just a few months, Joy is crushing her duties and is offered a full-time job at Mega Corp. With the change in role comes a new event in her identity lifecycle meaning Joy’s access needs to be updated. Joy is later assigned to a special project for a few months. This lifecycle event requires that her identity be granted temporary access to some systems outside of her standard role.

And so on and so forth. You get the gist. Every time Joy gets a change in title, or the scope of her work requires a change in access, an Identity Lifecycle event occurs. Now what happens at the end of an identity’s lifecycle? Well let’s return to our example employee Joy. After several successful years at Mega Corp., Joy accepts a job at another organization and her identity is fully deprovisioned, ensuring the now terminated Joy can’t access Mega Corp. systems and ending her identity’s journey through the lifecycle.

What is Identity Lifecycle Management?

Now that we’ve established what the Identity Lifecycle is, it’s easy to make the jump to Identity Lifecycle Management (LCM). LCM is the process of managing user identities and their evolving access privileges from day one through termination. 

For the sake of this example, know that Mega Corp. doesn’t currently use any automation for Identity Lifecycle Management. Every time Joy’s identity progresses through the lifecycle, a member of the cybersecurity or IT team has to rely on Joy’s manager to communicate, in a timely fashion, that there’s been a change. Then that individual will spend multiple hours logging into every downstream application and manually updating entitlements. A truly mind-numbing task that eats up time and employee bandwidth. Manual provisioning and deprovisioning is also error-prone and makes it difficult to maintain RBAC, which can negatively impact future audit outcomes.

What Does it Mean to Automate LCM?

While many organizations manually manage the identity lifecycle via access support requests, it’s possible to fully automate LCM through third-party software or on-prem solutions. This is done by connecting a tool or platform to your HR system and/or Active Directory so that changes within those sources of truth set off a cascade of actions within downstream applications. Rather than waiting to be informed of an event and then manually provisioning or deprovisioning, automated LCM handles the process on your behalf as soon as a change is made in a source of truth.
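
As an added example, not code from the original post or from any IGA product it refers to, here is a minimal joiner/mover/leaver reconciler in Python that shows the cascade described above: given the HR record (the source of truth) and the access an application currently holds, it computes what an automated workflow would grant, revoke, or disable. The role-to-entitlement mapping, the entitlement names, and the Joy scenario are all constructed for the demo.

```python
"""Added example (not from the original post): a minimal joiner/mover/leaver
reconciler. Given the HR record (the source of truth) and the entitlements an
application currently grants, it computes the actions an automated LCM
workflow would push downstream. The role mapping, entitlement names and
Joy's scenario are constructed for the demo."""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical RBAC mapping: birthright entitlements for each HR job title.
ROLE_ENTITLEMENTS = {
    "Software Engineering Intern": {"github:read", "jira:user"},
    "Software Engineer": {"github:write", "jira:user", "aws:dev-deploy"},
}


@dataclass
class HrRecord:
    """One row from the HR feed. 'temporary' holds time-boxed exceptions
    (a special project) as entitlement -> ISO expiry date."""
    email: str
    role: str
    status: str                       # "active" or "terminated"
    temporary: dict = field(default_factory=dict)


def desired_entitlements(rec: HrRecord, today: str) -> set:
    """Role birthright plus unexpired temporary grants; a terminated
    identity is entitled to nothing, whatever its role says."""
    if rec.status != "active":
        return set()
    as_of = date.fromisoformat(today)
    wanted = set(ROLE_ENTITLEMENTS.get(rec.role, set()))
    wanted |= {ent for ent, expiry in rec.temporary.items()
               if date.fromisoformat(expiry) >= as_of}
    return wanted


def reconcile(rec: HrRecord, current: set, today: str) -> dict:
    """Diff what the application grants now against what HR says it should.
    Revocations are listed explicitly so a reviewer sees exactly what a
    mover or leaver event takes away."""
    wanted = desired_entitlements(rec, today)
    return {
        "grant": sorted(wanted - current),
        "revoke": sorted(current - wanted),
        "disable_account": rec.status != "active",
    }


if __name__ == "__main__":
    # Walk Joy's lifecycle: joiner, mover, temporary project access, leaver.
    granted = set()
    events = [
        ("2021-09-01", HrRecord("joy@megacorp.example", "Software Engineering Intern", "active")),
        ("2022-01-10", HrRecord("joy@megacorp.example", "Software Engineer", "active")),
        ("2022-05-01", HrRecord("joy@megacorp.example", "Software Engineer", "active",
                                {"snowflake:analyst": "2022-06-30"})),
        ("2022-07-01", HrRecord("joy@megacorp.example", "Software Engineer", "active",
                                {"snowflake:analyst": "2022-06-30"})),
        ("2025-03-31", HrRecord("joy@megacorp.example", "Software Engineer", "terminated")),
    ]
    for day, rec in events:
        actions = reconcile(rec, granted, day)
        granted = (granted | set(actions["grant"])) - set(actions["revoke"])
        print(day, actions)
```

The point of the diff is that every lifecycle event, including the expiry of a temporary grant and the termination itself, is derived from the source of truth rather than from someone remembering to file a ticket.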

How Does Automated LCM Improve the Lives of Security and IT Professionals?

While you can, and many teams certainly do, manually manage the Identity Lifecycle, this is a time-consuming and frustrating process. It’s easy for teams to get buried under access requests or for managers to forget to inform IT and security admins about changes in employee roles or access needs. When processes break down within Identity Lifecycle Management it causes a ripple effect within your IT General and Application controls, making RBAC nearly impossible and leaving your organization more vulnerable than ever.

This is just one example of how cybersecurity practices impact successful business outcomes. LCM is an integral part of effective IT General and Application controls; it helps enforce the principle of least privilege, maintains RBAC, enforces zero trust, and much more. These are all very important practices for organizations that must comply with HIPAA, PCI, HITRUST and other regulatory requirements. If your organization is publicly traded, it’s even more essential that you comply with regulatory agencies or you could face massive fines, loss of revenue, or be delisted from the stock exchange.

Reason #1: Significantly Reduce Risk

In a recent study done by Beyond Identity, 83% of former employees said they still had access to company resources after termination. Whether this is from a disjointed offboarding process or a simple breakdown in communication, terminated employees who have access to your resources pose a major threat to your organization. Malicious terminations can lead to loss of IP, destruction of IT services, and failed audits. Automated lifecycle management ensures identities are deprovisioned the moment HR files the termination paperwork. 

It might not seem like a big deal that Sam from Dev. was terminated three weeks ago and still has access to some material applications… that is until Sam deletes every lambda, RDS, and backup and posts all of your product source code on GitHub for the entire internet to enjoy. Legal and GRC would have a field day if that were to happen.

Reason #2: Save Time Managing Access Requests

Manually managing access requests takes up hundreds of hours over the course of a year. If your organization has several hundred or thousands of employees it’s nigh impossible. By leveraging automation, it’s like you’ve hired an employee whose sole focus is keeping up with changes in access. Depending on the platform, you can use customizable workflows to automatically provision or deprovision identities based on their role, department, or whether the identity is tied to an employee, service account, or contractor. Some systems are even capable of highly granular provisioning and deprovisioning.

Reason #3: Improve Audit Outcomes

We touched on this earlier, but automation goes a long way in ensuring the effectiveness of your IT General and Application Controls. Having an automated system in place that assures the right people have the right access at the right time improves audit outcomes and decreases the likelihood of deficiencies. As you know, cybersecurity best practices like least privilege and RBAC are essential to successful audit and compliance outcomes. But manual processes are error-prone and time-consuming, not to mention manually managing RBAC is a nigh impossible feat. Identity Lifecycle Management systems that use automation services like dynamic role mining ensure that RBAC is less likely to fall into disarray, role creep is contained, and least privilege is easily enforced. This translates to improved audit outcomes and a much improved business relationship with your GRC department.

Let’s Wrap This Up

Life as a security and IT professional is not easy. You’re pulled in a million different directions, your team is likely understaffed or under-resourced, and you’re constantly having to put out fires because end-users still can’t spot phishing attempts. If we could recommend one IGA practice that will significantly improve cybersecurity outcomes within your organization, it would be automation. Automating the Identity Lifecycle reduces risk, saves employee time and effort, and improves audit outcomes. It can even improve onboarding processes, lower IT operational costs, and positively impact business outcomes. 

When you’re ready to explore the ways that automated lifecycle management can transform your identity landscape our team is here to help! Get in touch and we’ll respond to you faster than you can say “NIST Cybersecurity Framework”.

How to Build A Mature IGA Program

Introduction


Identity Governance (IGA) is difficult. So difficult that 25% of material weaknesses reported to the NYSE and SEC are related to IT and Identity Governance. Most federal agencies have failed audits due to their IGA programs, including the Department of Defense’s 4 material weaknesses. 

Why is this? For many organizations that utilize manual practices, getting an accurate inventory of the identities within your application landscape and across your organization is a monumental feat. Without an IGA platform or automation, creating a comprehensive identity inventory is nearly impossible. Inventories can lose accuracy within days without automation tools that integrate with your HR or directory services.

If you’re feeling overwhelmed by trying to implement IGA within your organization, remember author Douglas Adams’s sage advice “don’t panic.” I was in your shoes just a few years ago. I understood the objectives of IGA, but I had no idea how to achieve them and where to start. But I used these challenges and frustrations to take a fresh, proactive approach to IGA. This guide will help outline a doable journey for all organizations – from defense contractors to small and medium enterprises (SMEs).

“How to Build a Mature IGA Program” breaks the monumental endeavor into a series of six bite-sized projects to help you develop or improve your organization’s IGA.

  1. Build an inventory of your identities
  2. Establish key metrics
  3. Begin automation
  4. Expand the scope
  5. Roadmap to compliance
  6. Completion

Preface


Regardless of the maturity of your IGA program, two questions inevitably come to mind when starting out: “how do I start, and where is the finish line?” Toss these questions out; they are rhetorical questions with no actionable answers. We need to focus on the three* questions a fully developed IGA program can answer:

  1. Who has access to what?
  2. When did they get that access?
  3. How did they get that access?
  4. Bonus question: Who had access to the ERP entitlement General Ledger – Post on Wednesday, February 9th, 2022, at 1:09 AM?

You are in good company if you are anxious after reading these three* questions. Most security teams struggle to answer these questions without investing millions of dollars in on-prem or SaaS IGA platforms and a full-time team of engineers. Affordable IGA Platforms exist, but if a paid solution isn’t an option, then the investment is some elbow grease, Googling, and reading the rest of this article.

Let’s start with Project 1: How to Create an Inventory of Your Identities.  

How To Create an Identity Inventory

Step 1: Create an Inventory

The foundation of a successful identity program is a complete and accurate listing of the identities in an environment. An identity is an employee, contractor, service account, or user that can access ANY IT system. Producing an inventory of identities sounds more complex than it actually is.

Collect your data
  • Ask HR for a list of all current and former users in a .CSV format. The export should include basic user information – email, name, manager, and start date.
  • Export a list of identities from applications that store many users. I cannot emphasize enough that you should focus on apps that store sizeable populations of users. If you include apps with less than 50% of your employee base, you will lose the forest for the trees.
    • You can use a PowerShell command, like the one below, to export the list of all users (regardless of active status):

# Export every user, enabled or not; -Properties pulls the mail and manager attributes the inventory needs, and -NoTypeInformation drops the "#TYPE" header line that trips up CSV parsers
Get-ADUser -Filter * -Properties mail, manager | Export-Csv -Path .\allusers.csv -NoTypeInformation

Combine your data

You should now have 2-3 CSVs full of identities and information about each identity. Because this is an inventory, we must consolidate the CSVs into a single file, also known as a Universal Identity Directory. Here is a Python script to help you get started – IdentityInventory.py. Note: You can find it and the rest of the Python scripts used in this article in this GitHub Repo.

At a high level, here’s how the script works:

CollectFileNames(): Prompts you for the number of files and their names. Returns a list named "fileNames"

csvEvaluation(file, identities): Processes the data in each CSV

main(): Instantiates our required dictionaries, establishes the headers, and writes the final JSON file and CSV.
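
The following is an added example and not the IdentityInventory.py script from the repo: a standard-library-only consolidation of several CSV exports into one inventory keyed on a normalized e-mail address, which also reports identities that exist in an application but not in HR (the rows the manager review in Step 2 will have to settle). The CSV contents, column names and the three source names are constructed; a real export will need the e-mail column names adjusted.

```python
"""Added example (not the IdentityInventory.py script from the repo): merge
per-source CSV exports into one identity inventory keyed on a normalized
e-mail address, and flag identities that exist in an application but not in
HR. The CSV contents and column names below are constructed for the demo."""
import csv
import io

# Constructed exports. HR is the source of truth; the other two are app exports.
HR_CSV = """email,name,manager,start_date
joy@megacorp.example,Joy Lee,pat@megacorp.example,2021-09-01
sam@megacorp.example,Sam Ortiz,pat@megacorp.example,2019-03-15
"""
AD_CSV = """mail,SamAccountName,Enabled
Joy@MegaCorp.example,jlee,True
sam@megacorp.example,sortiz,True
svc-backup@megacorp.example,svc-backup,True
"""
GITHUB_CSV = """Email,Login
joy@megacorp.example,joy-lee
alex@megacorp.example,alex-dev
"""

# source name -> (CSV text, name of that export's e-mail column)
SOURCES = {"hr": (HR_CSV, "email"), "ad": (AD_CSV, "mail"), "github": (GITHUB_CSV, "Email")}


def normalize_email(value: str) -> str:
    """Case-fold and trim so 'Joy@MegaCorp.example' and 'joy@megacorp.example' collide."""
    return value.strip().lower()


def build_inventory(sources: dict) -> dict:
    """Returns {email: {"sources": [...], "<source>.<column>": value, ...}}.
    Every column from every export is kept, prefixed with its source, so
    nothing is lost when the same person appears in several systems."""
    inventory = {}
    for source, (text, email_col) in sources.items():
        for row in csv.DictReader(io.StringIO(text)):
            email = normalize_email(row[email_col])
            if not email:
                continue                      # no usable key; skip the row
            entry = inventory.setdefault(email, {"sources": []})
            entry["sources"].append(source)
            for col, val in row.items():
                if col != email_col:
                    entry[f"{source}.{col}"] = val
    return inventory


def not_in_hr(inventory: dict, hr_source: str = "hr") -> list:
    """Identities present in some application but absent from HR: the rows
    the manager review must settle, and where orphaned and service accounts
    tend to surface."""
    return sorted(e for e, v in inventory.items() if hr_source not in v["sources"])


def write_csv(inventory: dict) -> str:
    """Flatten the inventory to CSV text (the Universal Identity Directory)."""
    columns = sorted({k for v in inventory.values() for k in v if k != "sources"})
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["email", "sources"] + columns)
    for email in sorted(inventory):
        entry = inventory[email]
        writer.writerow([email, ";".join(entry["sources"])] + [entry.get(c, "") for c in columns])
    return out.getvalue()


if __name__ == "__main__":
    inv = build_inventory(SOURCES)
    print(write_csv(inv))
    print("Not in HR:", not_in_hr(inv))
```

Keying on a normalized address is what makes the merge an inventory rather than a concatenation; the two identities reported by not_in_hr (a service account and an external GitHub collaborator) are exactly the kind of rows that a raw concatenation would hide among the employees.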


Now we have an inventory. Well…we have the beginning of an inventory…but it’s a start! While it is (relatively) complete, it is not accurate. Luckily, achieving accuracy is not on your shoulders.

Step 2: Confirm Accuracy of Your Inventory

For our next step, you will run a User Review. A User Review is a high-level review used to confirm that the identities in your inventory are still employed and active. A User Access Review is more detailed and evaluates all users and the applications and entitlements they can access.

Performing a user review requires the assistance of the managers around your company. Managers are only tasked with verifying the employees and contractors who report to them, and confirming that those people still work for your company.

Generate the Review

To generate the user review for the managers, run the second python script found in the GitHub repo titled ManagerUserReview.py. It follows the same process as above but includes a function to generate a unique XLSX for each manager. The instructions to complete a review are as follows:

  1. Open the XLSX in Excel or Google Sheets
  2. Review each identity and document if an identity is:
    1. With the company
    2. On their team
    3. Reports to them
  3. Use the drop-down in Column I, “Manager Response (Drop Down),” for their responses

Collect Responses

You may need to help explain to managers why this project is so important. Feel free to choose any one of the reasons below:

  • This User Review saves (Insert your company’s name) money. This review can return thousands of dollars to your budget. Feel free to increase the number based on your company size.
  • Orphaned accounts pose a significant security threat to organizations and are one of the main vectors of compromised data! Your assistance in this review directly improves our security posture!
  • We must meet specific audit and compliance requirements to remain a company. We won’t pass these requirements without your help completing this User Review.
  • Do you want to keep your job? Maybe not this one.

Managers should be able to review their lists in a matter of minutes. However, if you are struggling to receive responses, I recommend employing the assistance of your manager or a security-minded executive to provide extra incentive.

Step 3: Clean Up

Once manager responses are collected, all that is left is to clean up the master list and the source applications, also known as sources of truth (aka systems of record). For HR cleanup items, e.g., users who haven’t been terminated in HR or manager updates, you should work with a member of your organization’s HR team to effect any required changes.

First

Combine all reviews into a single XLSX using the script in the GitHub repo titled UserReviewCombiner.py. Ensure that you follow the instructions in the readme.txt; otherwise, it will not run properly! You will have one XLSX with six sheets.

  • Master – This is the master sheet of every user and their reviewer’s response.
  • Conflicting Response – This indicates a user was reviewed by more than one manager, and the managers’ responses were not the same.
  • Employed – Indicates the manager believes the user is still employed.
  • Terminated – Indicates the user was terminated but is still active in your systems. This sheet requires immediate attention.
  • Changed Teams – This sheet means the employee has changed teams and requires an update in HR, AD, or another application.
  • Do Not Recognize – The assigned reviewer is not familiar with the user.

Second

Evaluate all identities that require cleanup in Conflicting Response, Terminated, Changed Teams, and Do Not Recognize. If the sheet looks accurate after review, continue to Step 3. If it looks off, do not continue.

  • Examples of anomalies to keep an eye out for include the following: large swaths of users being denied by a single manager, users you recognize being marked as inactive, or incomplete columns.
  • If anomalies are found, send the review back to the manager! Hasty decisions inevitably result in valid users being disabled.

Third

Double-check Step 2. Some recommendations:

  • Verify the number of remaining identities lines up with the number of employees you know work for your company. If there is a discrepancy you need to take a second pass at manager responses. This step is especially important for identity governance. If your organization has 500 actual employees and the number of identities differs, that should be examined until the number of identities matches the employee count.
  • Ask your manager, supervisor, or coworker to review the list of identities listed in IdentitiesForRemediation.csv. It is prudent to proceed with an overabundance of caution.
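
As an added example (not the UserReviewCombiner.py script from the repo), the Python below performs the First, Second and Third sub-steps on constructed data: it combines each manager’s responses, sorts users into the six sheets, applies the anomaly checks (a single manager denying a large swath of users, and a surviving identity count that does not match HR headcount) and emits the IdentitiesForRemediation.csv consumed in the Fourth sub-step. Reviews are read as CSV text instead of XLSX so it runs with the standard library only; the response labels, the denial threshold and the usernames are assumptions.

```python
"""Added example (not the UserReviewCombiner.py script from the repo): combine
each manager's review responses, split them into the six sheets the article
describes, run the anomaly checks from the "Second" and "Third" steps, and
emit the remediation CSV for the "Fourth" step. Response labels, the denial
threshold, managers and usernames are constructed for the demo."""
import csv
import io
from collections import defaultdict

# The drop-down responses a manager can give (assumed labels).
EMPLOYED, TERMINATED, CHANGED_TEAMS, DO_NOT_RECOGNIZE = (
    "Employed", "Terminated", "Changed Teams", "Do Not Recognize")

# Constructed reviews: one CSV per manager with a "Manager Response" column.
REVIEWS = {
    "pat": "Username,Manager Response\njlee,Employed\nsortiz,Terminated\nalexd,Do Not Recognize\n",
    "kim": "Username,Manager Response\nalexd,Employed\nbchen,Changed Teams\ndwong,Terminated\n",
    "lee": "Username,Manager Response\nu1,Terminated\nu2,Terminated\nu3,Terminated\nu4,Terminated\n",
}


def combine_reviews(reviews: dict) -> dict:
    """Return the six sheets as lists of rows. A user reviewed by several
    managers who disagree lands in 'Conflicting Response' instead of a verdict."""
    responses = defaultdict(dict)            # username -> {manager: response}
    for manager, text in reviews.items():
        for row in csv.DictReader(io.StringIO(text)):
            responses[row["Username"]][manager] = row["Manager Response"].strip()
    sheets = {s: [] for s in ("Master", "Conflicting Response", EMPLOYED,
                              TERMINATED, CHANGED_TEAMS, DO_NOT_RECOGNIZE)}
    for user, by_manager in sorted(responses.items()):
        sheets["Master"].append({"Username": user, **by_manager})
        verdicts = set(by_manager.values())
        if len(verdicts) > 1:
            sheets["Conflicting Response"].append({"Username": user, **by_manager})
        else:
            sheets[verdicts.pop()].append({"Username": user, **by_manager})
    return sheets


def anomalies(sheets: dict, headcount: int, max_denials_per_manager: int = 3) -> list:
    """Checks from the article: one manager denying a large swath of users
    (threshold is an assumed default), and the surviving identity count not
    matching the HR headcount. Conflicting rows are excluded from both."""
    findings = []
    denied = defaultdict(int)
    for sheet in (TERMINATED, DO_NOT_RECOGNIZE):
        for row in sheets[sheet]:
            for manager in (k for k in row if k != "Username"):
                denied[manager] += 1
    for manager, n in denied.items():
        if n > max_denials_per_manager:
            findings.append(f"{manager} denied {n} users; send the review back")
    remaining = len(sheets[EMPLOYED]) + len(sheets[CHANGED_TEAMS])
    if remaining != headcount:
        findings.append(f"{remaining} identities remain but HR reports {headcount}")
    return findings


def remediation_csv(sheets: dict) -> str:
    """Rows the Active Directory cleanup step will disable: the Terminated
    sheet only. Conflicts and unrecognized users go back to reviewers first."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Username"])
    for row in sheets[TERMINATED]:
        writer.writerow([row["Username"]])
    return out.getvalue()


if __name__ == "__main__":
    sheets = combine_reviews(REVIEWS)
    for name, rows in sheets.items():
        print(name, [r["Username"] for r in rows])
    print(anomalies(sheets, headcount=2))
    print(remediation_csv(sheets))
```

Note that only the Terminated sheet feeds the remediation file: a user one manager does not recognize but another confirms as employed is a conflict to resolve, not an account to disable.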

Fourth

Once you are confident in the cleanup XLSX, copy the contents into a CSV titled “IdentitiesForRemediation.csv”. Now it’s time to automate the Active Directory cleanup using a PowerShell script that resembles the following:

# Disables (rather than deletes) every account listed in the CSV; add -WhatIf to Disable-ADAccount for a dry run first
Import-Csv -Path "C:\insert your path\IdentitiesForRemediation.csv" | ForEach-Object {
    $Username = $_.Username
    Disable-ADAccount -Identity $Username
}

Final Thoughts


Congratulations, you now have a (mostly) complete and (currently) accurate inventory of identities! You are officially ahead of most of the agencies of the federal government and hundreds of publicly traded companies.

You’ve done an incredible job making progress, but there is still more work to do. In part 2 of this series, you’ll learn how to establish foundational metrics used to evaluate the efficacy and success of IGA within your organization. These metrics will also provide justification for any future IGA purchasing decisions.

About The Author

Connor Borchgrevink is the Co-Founder and CEO of Clarity Security. Before founding Clarity, she spent over a decade working in cybersecurity for Fortune 500 companies.