By Jon Griffin Posted December 16, 2019
The identity management landscape is in a massive state of transformation. This morphing of the identity and access management (IAM) sector is mimicking the changes going on in the broader IT landscape. From cloud, to mobile, to heterogeneity, to security, IT organizations are under tremendous pressure to equip their end users with the best technology and systems available. As a result, many IT organizations are looking for best practices for their identity management implementation.
Proper Management of Modern IAM Infrastructure
Traditionally, the IAM infrastructure was quite simple: Microsoft® Active Directory® (AD). When organizations had virtually 100% Windows® infrastructure, and all of it hosted on-prem, AD made a great deal of sense. But, today’s modern IT environment is vastly different. Modern organizations leverage mixed platforms (Windows, Mac, Linux), cloud server infrastructure from AWS, web applications alongside on-prem solutions, physical and virtual data storage systems, and WiFi networks. In addition to that, their end users can be located anywhere in the world.
In light of this more complex IT landscape, IT admins can’t just take the legacy approach and have AD securely manage and control user access across their entire infrastructure. AD just wasn’t built for that, and it can’t connect to the majority of these new resources without costly and complex third-party help. Instead, IT organizations are searching for a new generation of identity management solutions and the best ways they can implement those solutions to accomplish their goals.
Identity Management Implementation Best Practices
Modern IT organizations with complex IT networks are following the identity management implementation best practices listed below. Their philosophy is to create and secure identities at the core, enable their end users to connect to their critical IT resources, and then increase efficiency and reduce costs. The implementation steps below follow this philosophy.
1. Create Secure Identities
Perhaps the most critical step in the entire identity management implementation process is to create and secure end user identities. This is generally done within an identity provider or directory service.
It’s imperative that IT admins ensure passwords are highly secure, multi-factor authentication (MFA) is turned on where possible, and end users are trained to keep their credentials secure. MFA is a powerful measure: It could’ve prevented an estimated 80% of organizational data breaches. Further, a core identity provider needs to leverage a wide range of authentication protocols, be secure, and be highly available. All this is necessary because the identities stored here will be leveraged to access virtually all IT resources.
Another component in securing identities is to break away from creating multiple mini-directories across the enterprise. IT organizations should avoid this because multiple directories will result in having multiple identities for an individual across an IT infrastructure. This can lead to poor security, extra work, and a lack of control over the environment.
2. Enable Access to Systems
In order to make end users productive, the next step in the identity management implementation process is to connect users to their laptops or desktop computers. Historically, this was fairly straightforward when the world was Windows-based, but with a mixed-platform environment, creating access to systems is now much more difficult.
A user’s system is their conduit to corporate data, applications, and servers. It’s incredibly vital to protect that endpoint. IT organizations might skip this step because Mac® and Linux® machines are difficult to integrate with Active Directory. The risks unmanaged systems present, however, make it a necessary step.
Consider the fact that 50% of people who find a lost USB drive will insert it into their computer, and 70% of those people won’t take any security precautions. This example highlights the importance of system management — if IT isn’t managing the systems, then the end users are.
Active Directory leveraged GPOs to manage security and configurations on Windows systems. This did wonders for security but only worked for Windows machines. However, a next generation cloud identity management platform can set policies on all three major platforms, providing additional security and control over all laptops and desktops.
3. Grant and Secure Access to the Network
Once a secure identity has been created and the user has their computing system, the next step is to give them secure access to the corporate network. Many organizations have completely shifted to the cloud with no on-prem IT resources, but many have not and still have on-prem file storage, applications, and servers. Even if there is very little on-prem, the corporate network is a more secure enclave where end users can access their remote resources. Granting access to the corporate network is a critical step not only in productivity but also in security. That’s why it’s the next step in the implementation of an identity management system.
4. Access Applications
Once a user has secure access to their machine and the internal network, it’s time to start provisioning applications. Generally, IT admins start with the core productivity applications such as G Suite™ and Office 365™. This is because email and productivity suites are the basic building blocks for most end users. It’s often what enables employees to do the majority of their work.
From there, access is usually granted to individual resources, and that can be through groups set up by department for larger organizations. For example, adding a new user to the marketing department group will provide them access to one set of applications, while a new user added to the engineering group will gain access to a completely different set of applications. Many cloud-forward organizations may simply use web applications, while others may have a mixture that requires IT admins to leverage a wide range of protocols to authenticate access and even provision access.
5. Provide Access to Data
The next stage in the identity management implementation process is to connect users to the various storage solutions in use. Most often, this includes cloud storage systems or on-prem file servers. Many organizations, while pushing to the cloud, have opted for cost-effective on-prem storage solutions such as Samba file servers or NAS appliances. If the organization works with large file sizes, shuttling those to the cloud and back can be painful. In these situations, the option for on-prem storage solutions may be more fitting. Ideally, end users leverage file servers to save data and files for business continuity and disaster recovery requirements. Providing easy access to storage solutions is an important step in the process.
6. Connect to Server Environment
While this step may be much higher on the list for technical personnel, it is critical to be able to securely connect personnel to the server infrastructure. Often this requires SSH key access versus passwords, so personnel will need to understand how to create their public-private key pair and place their public key on the servers. Usually, identity management systems will handle the public SSH key management function for end users and the servers to which they have access.
These steps may vary slightly by organization, but the general approach likely will not. It’s imperative that IT organizations set the foundation of their identity management strategy, and this means implementing a core identity provider that acts as a source of truth for all identities. This will increase security and ensure that mistakes in user access won’t be made, which greatly reduces the risk of compromises.
Identity Management In Your Organization
So, to recap, once the foundation has been put in place, you can begin implementing control and access over an end user’s core IT resources. You will typically want to start with systems and the network — and then, to round out the implementation process, you can add access to applications, files, and servers. Ideally, IT organizations are searching for a comprehensive identity management solution that can cover a large portion of their needs, starting with the core and working outward. If you would like to learn more about identity management implementation best practices, drop us a note. We would be happy to answer any questions you might have, and help you find a solution that works best for you.