Trends and Common Issues

In this video, you will dive deeper into the topic of trends and learn about some of the common problems in IdAM, such as privilege creep.

So an Identity and Access Management infrastructure should address, as a minimum, the requirements of managing a user’s identity over its entire life cycle. And this has to be congruent with, and in keeping with, the business objectives, the policies, regulations and legislation. This includes the registration, the provisioning, the maintenance, the deletion, and any exigent circumstances along the way. One of the problems we see is privilege creep. This is the gradual accumulation of rights beyond what is absolutely necessary for an individual to undertake their role. The most common way that this occurs is when an employee changes responsibilities within an organization. And as they change, they are granted additional privileges, rather than having their old privileges removed. So they can snowball privileges.

So this is a common problem in IT. It strongly links to role-based access control: where a partial or hybrid model is implemented, people can end up accumulating multiple roles. So this creates a two-fold security risk. Firstly, somebody with excessive privileges can be tempted to use those privileges inappropriately. Secondly, if somebody attacks that account and gains access to it, it can become a problem for the organization. So if an account that has excessive privileges launches a ransomware process, it can compromise far more data than it would otherwise. So how do we combat privilege creep? Well, access rights reviews are an important part of spotting problems in terms of rights allocations.

And again, rather than use a hybrid approach to role-based access control, what we should be doing is having a single role assigned to each user. If that individual changes role, then their role changes. They do not get granted additional roles. Privilege creep was behind many of the problems we saw at Enron in the States, at Barings Bank in the United Kingdom, and with Ed Snowden: people gaining additional privileges that allowed them to do things that they shouldn’t. So our counter-measures are good governance, enforcing processes, access reviews, the appropriate use of mandatory access control, and role-based access control, and making sure that people are held accountable; we can hold them to account through thorough review and through audit information.

This is a very big area and the scope is massive; it is very difficult to find accounts that have marginally more privilege than they should have. So this is certainly something to focus on within your organization. Trends in identity and access management are important, partly just because of that rate of change that we’ve referenced. We’ve seen a huge increase over the past five years, which continues, in mobile computing. We have an increasingly agile workforce, with technologies that support that. So instead of focusing on our corporate network, now we’re trying to secure our information across a variety of networks. So our identity and access management system becomes stretched across corporate devices and also personal devices.

We also have a very rapidly developing technology stack around mobile, and we see that bring-your-own-device piece starting to hit us, where prosumer devices, devices like tablets in the enterprise, personal devices, are becoming commonplace in the organization. Devices that were never intended to be corporate devices, like tablets that have a single-user environment and don’t allow you to log in as multiple users, create a problem for us. How do we manage identities? When you log into most tablets, you log in with a PIN code, and you are logged in as the default device user. We’re not differentiating our users, so it is very hard to enforce accountability.

Where we can, if we’re using mobile device management, we can start to address this. And we have the ability to support, formally or not, bring-your-own-device programmes. We can also look to try and control these devices through mobile device management. Are we going to approach this by allowing access to things like our email services in a sandbox environment, where we control the sandbox? Or are we going to try and secure the entire device through the use of mobile device management? Mobile device management lets us specify the type of identity and access management controls in place.

We can specify, as a minimum, that biometrics are used or that a PIN is installed on the device, and the minimum length of that PIN.

Do be wary, though, with mobile device management: we can configure a setting, but it may not apply on all devices. With Apple devices the configuration is fairly consistently adopted, but that is because there are so few models. With Android, there are thousands of different implementations that vary. And so, if we specify a requirement to encrypt storage cards or to use biometric authentication, the effectiveness of those policies can vary. We also need to look at Cloud services, and we’ll be moving on to look at Cloud shortly within the course. But also, with bring your own Cloud, we see users now starting to use their own email systems within the organization, technologies like Dropbox and Slack, that blur the line between home and work.

To what extent is this creating a problem for us? Can we protect our assets if they’re not held within our corporate repository? We also see, increasingly, bring your own ID as a service. So ID as a service externally: somebody else maintaining ID provision for us. Now we can do this at an enterprise level through the legitimate use of an ID provider, or we see increasingly the use of third-party credentials through technologies like Open Authorization (OAuth), where people log in to, potentially, your corporate services, your business services, using their Facebook profile or their Google account. So how we approach this depends very much on the type of requirement that we have.

If we’re looking at a customer, being able to log in with existing credentials might be a positive. It may lower the barrier to accessing our services. For our employees, this is probably less than ideal.
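
The access-rights review the transcript recommends, as an added example that is not part of the course material: it models the two ways a role change can be handled (old rights revoked versus a second role bolted on) and reports every entitlement a user holds that their current role does not justify. The role catalogue, user names and grant history are constructed sample data.

```python
"""Access-rights review that surfaces privilege creep (added example, not course code).
The role catalogue, users and grant history below are constructed sample data."""
from dataclasses import dataclass, field

ROLE_ENTITLEMENTS = {  # constructed catalogue: role -> entitlements that role needs
    "helpdesk": {"user:reset_password", "ticket:write"},
    "accounts_clerk": {"ledger:read", "invoice:create"},
    "accounts_manager": {"ledger:read", "ledger:approve", "payment:release"},
}

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)        # roles currently assigned
    entitlements: set = field(default_factory=set)   # rights actually held

def change_role(user, new_role):
    """Role change done properly: revoke the old role's rights, then grant the new role's."""
    for old in user.roles:
        user.entitlements -= ROLE_ENTITLEMENTS[old]
    user.roles = [new_role]
    user.entitlements |= ROLE_ENTITLEMENTS[new_role]

def add_role(user, extra_role):
    """The hybrid pattern the transcript warns about: add a role, keep the old rights."""
    user.roles.append(extra_role)
    user.entitlements |= ROLE_ENTITLEMENTS[extra_role]

def review(users):
    """Compare what each user holds with what their current (latest) role needs; return
    {name: {"roles": [...], "excess": [...]}} only for users with a finding."""
    report = {}
    for u in users:
        current = u.roles[-1] if u.roles else None
        required = ROLE_ENTITLEMENTS.get(current, set())
        excess = sorted(u.entitlements - required)   # rights no current role justifies
        if excess or len(u.roles) > 1:
            report[u.name] = {"roles": list(u.roles), "excess": excess}
    return report

def sample_population():
    """Constructed history: alice moved correctly, bob moved additively, dave got a one-off grant."""
    alice, bob, dave = User("alice"), User("bob"), User("dave")
    change_role(alice, "helpdesk")
    change_role(alice, "accounts_clerk")   # helpdesk rights revoked on the move
    change_role(bob, "accounts_clerk")
    add_role(bob, "accounts_manager")      # clerk rights kept: privilege creep
    change_role(dave, "accounts_clerk")
    dave.entitlements.add("payment:release")  # ad-hoc grant outside any role
    return [alice, bob, dave]
```

Calling `review(sample_population())` flags bob (two roles, plus `invoice:create` left over from the clerk role) and dave (a direct grant his role never required), while alice is clean.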

Remember, at a minimum, identity and access management infrastructure should address the requirements of managing a user’s identity over its entire lifecycle. This must be congruent with the business objectives, policies, regulations, and legislation.

Reflect and share: What common problems have you experienced or anticipate you will experience? What could you do to address these? Share in the comments below.

This article is from the free online course

Cyber Security Foundations: Reinforcing Identity and Access Management

Created by FutureLearn - Learning For Life
