IDENTITY AND DIRECTORY

Best Practice

Description

Ensure uniqueness of every human and non-human identity in your directory.

This is the DNA of your IAM program for every service and function you will support (provisioning, certs, privileged access, physical access, etc.) for on-prem (mainframe, AD, etc.) as well as all cloud providers (SaaS, CSPs). A uniquely identifiable catalogue of entities is a must. If you are just starting your identity program, this is the best place to start. If you consider yourself advanced but cannot account for every identity and associate it with an owner, this is a critical gap.
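As an added example (not code from the original page), the following Python assembles one catalogue from several directory exports and flags the two gaps this practice calls out: identities that are not uniquely keyed and identities with no accountable owner. The export records, field names (`source`, `id`, `kind`, `owner`) and correlation rule (same email within one source) are constructed assumptions, not any product's schema.

```python
"""Added example: build a unique identity catalogue from several directory
exports and report unowned and duplicate identities. All records and field
names below are constructed for illustration."""
from collections import defaultdict

# Constructed exports. 'kind' is "human" or "non-human"; 'owner' is the
# accountable person or team, which is the field most often empty for service
# accounts and integrations.
AD_EXPORT = [
    {"source": "ad", "id": "jdoe", "email": "jane.doe@example.com",
     "kind": "human", "owner": "jane.doe@example.com"},
    {"source": "ad", "id": "svc-backup", "email": None,
     "kind": "non-human", "owner": "ops-lead@example.com"},
    {"source": "ad", "id": "svc-legacy", "email": None,
     "kind": "non-human", "owner": None},
]
SAAS_EXPORT = [
    {"source": "saas-crm", "id": "jane.doe", "email": "jane.doe@example.com",
     "kind": "human", "owner": "jane.doe@example.com"},
    # Second CRM login for the same person: one human, two identities.
    {"source": "saas-crm", "id": "j.doe2", "email": "Jane.Doe@example.com",
     "kind": "human", "owner": "jane.doe@example.com"},
    {"source": "saas-crm", "id": "api-integration", "email": None,
     "kind": "non-human", "owner": None},
]
CLOUD_EXPORT = [
    {"source": "csp", "id": "user/jane.doe", "email": "jane.doe@example.com",
     "kind": "human", "owner": "jane.doe@example.com"},
    {"source": "csp", "id": "role/ci-deploy", "email": None,
     "kind": "non-human", "owner": "ci-team@example.com"},
]


def build_catalogue(*exports):
    """Key each identity by source plus native id so entries from different
    systems can never collide; a repeated key in the inputs is an error rather
    than a silent overwrite."""
    catalogue = {}
    for export in exports:
        for rec in export:
            key = f"{rec['source']}:{rec['id']}"
            if key in catalogue:
                raise ValueError(f"duplicate identity key: {key}")
            catalogue[key] = rec
    return catalogue


def find_unowned(catalogue):
    """Every identity, human or non-human, must map to an accountable owner."""
    return sorted(key for key, rec in catalogue.items() if not rec.get("owner"))


def find_duplicate_humans(catalogue):
    """Within one source, two human identities that correlate to the same person
    (here: same email, case-insensitive) are duplicates to reconcile."""
    by_person = defaultdict(list)
    for key, rec in catalogue.items():
        if rec["kind"] == "human" and rec["email"]:
            by_person[(rec["source"], rec["email"].lower())].append(key)
    return {person: keys for person, keys in by_person.items() if len(keys) > 1}


def accounts_per_person(catalogue):
    """Cross-source view of which identities each owner is accountable for."""
    by_owner = defaultdict(list)
    for key, rec in catalogue.items():
        if rec.get("owner"):
            by_owner[rec["owner"].lower()].append(key)
    return dict(by_owner)


if __name__ == "__main__":
    cat = build_catalogue(AD_EXPORT, SAAS_EXPORT, CLOUD_EXPORT)
    print("unowned:", find_unowned(cat))
    print("duplicates:", find_duplicate_humans(cat))
    print("per owner:", accounts_per_person(cat))
```

The `source:id` key is what makes the catalogue unique across systems; the owner lookup is what lets you answer "who is accountable for this identity" for every entry, which is the test the paragraph above sets for a mature program.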

Proactively maintain current and accurate authoritative data for identities in accessible source repositories.

Authoritative sources for identities provide essential data to make informed decisions regarding user access, including what access to provision and when to enable/disable that access. Proper maintenance of this authoritative data requires defined lifecycle management processes for both employees and non-employees, regular validation and update of identity information, and storage of accurate data within a repository. The authoritative source can then be linked to automation, for example birthright provisioning/de-provisioning and attribute-based access control mechanisms.

Minimize Active Directory’s attack surface.

Lock down administrative access to the Active Directory service by implementing administrative tiering and secure administrative workstations, apply recommended policies and settings, and scan regularly for misconfigurations – accidental or malicious – that could expose your forest to abuse or attack.
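As an added example (not code from the original page), here are two checks that a regular scan over an AD export could run against an administrative tiering model: a Tier 0 group holding an account that is not a dedicated admin identity, and a Tier 0 identity that has logged on to a lower-tier host. The Tier 0 group names are the standard built-in groups; the account attributes, host classification and logon records are constructed, and the field names are assumptions rather than any tool's output format.

```python
"""Added example: tiering-violation checks over a constructed AD export.
The group names are the well-known built-in groups; everything else is
constructed sample data with assumed field names."""

# Assumed tiering model: these groups control the forest itself (Tier 0).
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed account export: sAMAccountName, whether it is a dedicated admin
# identity (not used for mail, browsing or daily work), and group membership.
ACCOUNTS = [
    {"sam": "jdoe", "is_admin_account": False, "groups": {"Domain Users"}},
    {"sam": "jdoe-t0", "is_admin_account": True, "groups": {"Domain Admins", "Domain Users"}},
    {"sam": "helpdesk1", "is_admin_account": False, "groups": {"Domain Admins"}},
    {"sam": "svc-sql", "is_admin_account": False, "groups": {"Domain Admins"}},
]

# Constructed host classification (0 = domain controllers and PAWs, 1 = servers,
# 2 = workstations) and recent interactive logons as (account, host) pairs.
HOST_TIER = {"DC01": 0, "PAW-01": 0, "SRV-APP1": 1, "WS-1234": 2}
LOGONS = [("jdoe-t0", "PAW-01"), ("jdoe-t0", "WS-1234"),
          ("jdoe", "WS-1234"), ("svc-sql", "SRV-APP1")]


def tier0_members(accounts):
    """Accounts holding membership in any Tier 0 group."""
    return {a["sam"] for a in accounts if a["groups"] & TIER0_GROUPS}


def find_non_dedicated_tier0(accounts):
    """Tiering violation: a Tier 0 group contains an account that is also used
    for daily work or runs a service; each Tier 0 member should be a dedicated
    admin identity."""
    return sorted(a["sam"] for a in accounts
                  if a["groups"] & TIER0_GROUPS and not a["is_admin_account"])


def find_tier0_logons_on_lower_tier(accounts, logons, host_tier):
    """Credential exposure: a Tier 0 identity logging on to a lower-tier host
    leaves its credential material on a machine that lower-tier admins control.
    Unknown hosts are treated as the lowest tier so they are always reported."""
    t0 = tier0_members(accounts)
    return sorted((sam, host) for sam, host in logons
                  if sam in t0 and host_tier.get(host, 99) > 0)


if __name__ == "__main__":
    print("Tier 0 members that are not dedicated admin accounts:",
          find_non_dedicated_tier0(ACCOUNTS))
    print("Tier 0 logons below Tier 0:",
          find_tier0_logons_on_lower_tier(ACCOUNTS, LOGONS, HOST_TIER))
```

Both findings are the kind of drift the paragraph asks you to scan for on a schedule: the first is a membership misconfiguration, the second is a process failure (an admin using a privileged identity from a workstation) that the tiering model and secure administrative workstations exist to prevent.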

IDENTITY LIFECYCLE

Best Practice

Description

Implement automated feeds of all users (employee and non-employee) into your identity store at a desired frequency (daily, hourly, etc.).

Automated feeds allow your organization to react to changes in the user life cycle at a frequency that strengthens your security posture. Consider using batch syncs of your HR data instead of real-time syncs. Adding a predecessor job that verifies the feed is within the normal range of expected terminations protects against your HR system sending incorrect data that could disable a large number of personnel and disrupt the business.

Automated provisioning and de-provisioning should be implemented with the help of adjacent and applicable business processes.

Automation allows you to realize the full benefit of an IAM program, with the goal of reducing the number of manual access changes managed through your Service Management application or other ad hoc processes.
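As an added example (not code from the original page), the following Python ties together the three practices above: an authoritative HR record drives birthright provisioning, the feed is applied as a batch, and a predecessor check refuses to apply a batch whose termination rate is outside the normal range. The HR records, the current identity-store state, the department-to-entitlement mapping and the 10% threshold are all constructed assumptions.

```python
"""Added example: batch HR feed with a predecessor sanity check, followed by
birthright provisioning and de-provisioning computed as a diff against the
identity store. All records, mappings and thresholds are constructed."""

# Constructed authoritative HR records for one batch run.
HR_FEED = [
    {"employee_id": "E100", "email": "ana@example.com", "dept": "finance", "status": "active"},
    {"employee_id": "E101", "email": "bo@example.com", "dept": "engineering", "status": "active"},
    {"employee_id": "E102", "email": "cy@example.com", "dept": "engineering", "status": "terminated"},
    {"employee_id": "E103", "email": "di@example.com", "dept": "finance", "status": "active"},
]

# Constructed current state of the identity store: employee_id -> entitlements.
IDENTITY_STORE = {
    "E100": {"vpn", "email", "finance-erp"},
    "E102": {"vpn", "email", "git"},
    "E104": {"vpn", "email"},  # present in the store but absent from the feed
}

# Assumed birthright mapping: what every active member of a department receives.
BIRTHRIGHT = {
    "finance": {"vpn", "email", "finance-erp"},
    "engineering": {"vpn", "email", "git"},
}
MANAGED = set().union(*BIRTHRIGHT.values())


class FeedRejected(Exception):
    """Raised by the predecessor job when the batch should not be applied."""


def validate_feed(feed, store, max_termination_ratio=0.10, min_records=None):
    """Predecessor check: refuse a feed that would disable more identities than a
    normal day does. Identities that silently vanished from the feed count as
    terminations too, because a truncated extract looks exactly like that."""
    if min_records is not None and len(feed) < min_records:
        raise FeedRejected(f"feed has {len(feed)} records, expected at least {min_records}")
    fed_ids = {r["employee_id"] for r in feed}
    terminated = {r["employee_id"] for r in feed if r["status"] == "terminated"}
    vanished = set(store) - fed_ids
    known = set(store) | fed_ids
    ratio = len(terminated | vanished) / len(known)
    if ratio > max_termination_ratio:
        raise FeedRejected(f"{ratio:.0%} of identities would be disabled; "
                           f"threshold is {max_termination_ratio:.0%}")
    return ratio


def plan_changes(feed, store):
    """Return (action, employee_id, entitlement) tuples that make the store match
    birthright for active employees. Active employees only lose managed
    (birthright) entitlements they no longer qualify for, e.g. after a department
    transfer; terminated or vanished identities lose everything."""
    actions = []
    fed_ids = {r["employee_id"] for r in feed}
    for rec in feed:
        eid = rec["employee_id"]
        current = store.get(eid, set())
        if rec["status"] == "active":
            desired = BIRTHRIGHT.get(rec["dept"], set())
            to_revoke = (current & MANAGED) - desired
        else:
            desired = set()
            to_revoke = current
        actions.extend(("grant", eid, ent) for ent in sorted(desired - current))
        actions.extend(("revoke", eid, ent) for ent in sorted(to_revoke))
    for eid in sorted(set(store) - fed_ids):
        actions.extend(("revoke", eid, ent) for ent in sorted(store[eid]))
    return actions


def run_batch(feed, store, **thresholds):
    """The batch job: validate first, plan only if the feed passes."""
    validate_feed(feed, store, **thresholds)
    return plan_changes(feed, store)


if __name__ == "__main__":
    try:
        run_batch(HR_FEED, IDENTITY_STORE)
    except FeedRejected as exc:
        print("batch held for review:", exc)
    for action in run_batch(HR_FEED, IDENTITY_STORE, max_termination_ratio=0.5):
        print(*action)
```

With the constructed data the default run is held for review (two of five known identities would be disabled), which is the behaviour the predecessor job exists for; the actions are only produced once an operator raises the threshold or confirms the batch. The planned changes are a diff, so re-running the same batch is idempotent.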
