User Access and Privilege Management (UAP)

The increasing complexity of business transactions makes it necessary to provide access to information assets to multiple entities and diverse sets of user groups. The widespread use of information technology offers different means and methods for providing access to an information asset. A modern-day organization is thus characterized by a number of users and user groups, each with their own business roles, seeking access to information assets for different purposes and through various means. Access requirements range from access to endpoints to access to networks, server systems, applications, data and databases, messaging systems, and so on. They entail providing access to external users — the customers of an organization — for delivering business services, and to internal users — those who participate in executing transactions on behalf of the organization. Business compulsions of the modern day demand an organization’s presence on all possible channels, such as the Internet and mobile, to provide services to its customers. They require organizations to provide access to a fast-expanding employee base that is spreading across different geographical locations and becoming more mobile. An organization’s boundary is increasingly extended to involve business partners and service providers, and there is a genuine business need to give the employees of these partners and providers access to the organization’s information assets. Compliance regulations are becoming more proactive in requiring businesses to provide assurances to the data subject. Identity, access and privilege management remains an important element of compliance requirements, as regulations increasingly address illegitimate access to information.

On the other hand, IT infrastructure is becoming more complex, with a multiplicity of solutions, devices, products, tools and capabilities for user authentication, access and privilege management. The overall map of available access points, business access required, and users and user groups present is becoming more granular and complex. The sensitivity and criticality of a particular information asset and business process add to this complexity.

Although identity, access and privilege management is increasingly regarded as an instrument to serve business requirements, its fundamental role of ensuring the security of information assets becomes more important with the rising complexity of the IT environment. It assures that only legitimate users are granted access, through identification, and offers different ways to authenticate users based on the sensitivity of the asset and process. It also offers a solution for managing the granularity and complexity of access maps through role management. It provides assurance to users by offering secure methods for managing their credentials. It allows an organization to manage secure access to its resources and, while doing so, tries to bring efficiency to the management of security. It offers a breadth of controls and process transparency for effective management of risks and compliance.

DSCI believes that User Access and Privilege Management (UAP) is an important discipline of security towards the goal of achieving data security. Organizations striving to use information technology to maximize their reach, expand their customer base, offer new ways of performing business transactions, manage business users and their access requirements, and secure access to their information assets should focus on building competence in this discipline.

  • Identify and create a map of all types and variations used in the management of user identity, access and privilege by an organization
  • Evaluate how the authentication, authorization and auditing of user access to different asset types are managed. Asset types can include network devices, applications, server systems, extended infrastructure (mobile, wireless, virtual and storage infrastructure), endpoints, and structured and unstructured data
  • Evaluate how the identity, access and privilege management is aligned to business requirements
  • Identify the compliance norms that specify requirements for user identification, authentication, authorization, and access and privilege management. Evaluate the means and instruments used to comply with these norms
  • Evaluate how users are identified, how user ids are created and how identity credentials are created. Consider the different practices available for establishing user identity
  • Evaluate the process of identity creation: how an identity is assigned and communicated, and how logs of these events are managed
  • Evaluate how identity data is managed, whether in central or distributed storage
  • Evaluate the process of role creation in an organization.
  • Evaluate how access to different types of resources is provided to users, and how access to the network, operating system, application and database is managed
  • Evaluate how the user access to resources and privileges is managed
  • Evaluate how the user roles, accesses and privileges are changed
  • Identify how the identification, authentication, authorization, access and privileges of external users are managed compared with those of internal users
  • Evaluate how users are authenticated. For each type of transaction or resource, create a map of solutions used for user authentication.
  • Evaluate how the process of user credentials sharing and access authorization is managed. Evaluate security measures adopted for the credential sharing process
  • Evaluate how the user passwords are managed
  • Evaluate how the workflow with respect to user access and privilege is managed
  • Identify how the services related to user access and privilege management are administered
  • Evaluate the efficiency of user access and privilege management processes.
  • Evaluate the effectiveness of user access and privilege management processes
  • Identify the solutions deployed for user identification, authentication, authorization, and access and privilege management. This solution group can include directory technologies, identity verification and authentication, identity management, access management, and auditing of identity, access and privilege management
  • Evaluate the architectural positioning of solutions deployed for user identification, authentication, and access and privilege management. Evaluate how these solutions are aligned to the enterprise architecture
  • Evaluate how the user education and training incorporates the elements on authentication, authorization and password security
  • Evaluate how an organization monitors, reports and reviews the policies designed for user identity and access management
  • Evaluate how the scope of user access and privilege management processes is extended to vendor-owned and vendor-managed systems
  • Evaluate how access for vendors, suppliers and guests is managed. Evaluate how externally provisioned systems adhere to the access and privilege management policies
  • Evaluate how the access and privilege management policies are enforced on the mobile computing assets of an organization
  • Evaluate how the physical access management is integrated with the user access and privilege management
  • Evaluate how the user access and privilege management processes are integrated with other security processes such as monitoring and incident management, threat management, secure content management, etc.
  • Evaluate how information created by user access and privilege management processes is managed

A strategic roadmap for user access and privilege management can be defined with practices and solutions that are evolving in the market.

  • Ensure that there exists a comprehensive and dynamic visibility over the identity, authentication, roles and access patterns
  • Ensure that an appropriate mechanism is deployed for identification, authentication, and access management. This mechanism should address all types of users (external as well as internal) and their access requirements
  • Ensure that the identity, access and privilege management processes are able to address the change in business circumstances such as expansion, new product or service launch, etc.
  • Ensure that the identity, access and privilege management processes are able to demonstrate conformity to compliance regulations
  • Ensure that there exists a mechanism to manage the user identities – Develop the user identity schemes, Assign the user ids to users based on their request, Manage the identity database, Support the change request for user identities, Support the audit requirements with respect to the identities
  • Ensure that there exists a mechanism for the management of roles.
  • Ensure that the policies for identity, access and privilege management are properly managed
  • Ensure that there exists a mechanism that supports the administration of access to the different resources of an organization, such as creating, changing and retiring groups/roles at the target system level, and permitting, allowing, modifying and deleting explicit access rights of individual users
  • Ensure that a mechanism exists for user provisioning
  • Ensure that provisioning and de-provisioning of the user access are managed within the norms of business and security
  • Ensure that the strength of authentication mechanism used is proportional to the sensitivity and criticality of the transaction and the target system.
  • Ensure that an organization has a complete understanding of the access points that users will encounter in the operational life cycle, and that for each of these access points there exists an enforceable business rule
  • Ensure that the principles of segregation of duties (SOD) are adhered to while provisioning the user access and granting access.
  • Ensure that any changes in the user roles, access and privileges go through a proper change management process
  • Ensure security in the process of sharing the credentials for user authentication
  • Ensure that there exists a mechanism for managing user passwords. The key components of password management should be: password policy and standards, user guidelines for password setting, password policy enforcement, password setting and resetting processes, password security measures, and password security for privileged accounts
  • Ensure that identity, access and privilege management processes are efficiently managed
  • Ensure that the identity, access and privilege management processes are effectively managed
  • Ensure that all solutions deployed for identity, access and privilege management are derived from a well-devised architecture. Identity and access management solutions are particularly significant to the enterprise architecture of an organization
  • Ensure that identity, access and privilege management solutions are capable of integrating with the IT service management processes of an organization.
  • Ensure that a significant level of effort is dedicated to educating users about secure access to an organization’s resources and about the security of their access credentials, such as passwords
  • Ensure that the scope of user access and privilege management function is extended to cover Access provided to visitors, Access provided to vendor and service provider’s employees, Externally provisioned applications and systems and Mobile computing devices
  • Ensure that there exists a mechanism for identity auditing that compiles information about identity-related event monitoring from the logs and work flows. This will help find the current state as against the defined policies and norms (gaps) and correlate with other security scenarios to identify a security issue or incident
  • Ensure that there exists a mechanism for monitoring and measuring the performance of the identity, access and privilege management.
  • Ensure that user access and privilege management is integrated with physical access mechanisms in order to achieve convergence between the two. Modern-day security preparedness demands this converged approach.
  • Ensure that the identity, access and privilege management processes are integrated with the other security processes of an organization for enhanced accountability, transparency and improved protection.
  • Ensure that there exists a process for management of exceptions and non-compliances to the access and role management policies
  • Ensure that the information generated by Identity and Access Management solutions is managed effectively. With respect to each of the transactions, information such as associated user identities, their attributes and credentials, their roles and relationships contribute to the overall knowledge of an organization. This knowledge helps build future strategies for effective, transparent and efficient identity management of an organization’s human capital
  • Ensure that a significant level of collaboration exists between security, IT service management, HR and compliance management functions for effective management of the user identity and access

  • Comprehensive, granular and dynamic visibility over identity, authentication, access and privileges management reflects an organization’s understanding and efforts to keep current information about all activities, processes and functions that fall under identity, authentication, access and privileges management
  • Ability to support varied business requirements, scenarios and scalability reflects ability of the identity, authentication, access and privileges management to address the dynamism of business requirements
  • Adequacy and transparency of the controls reflects the effectiveness of the controls to address the security and assured behaviour of the systems
  • Policy management and enforcement reflects the capability of the policy management to address granularity and diversity of an organization’s requirements and its ability to enforce the policy elements
  • Coverage and extent of the program reflects the ability of identity, authentication, access and privileges management to extend its scope to all entities, systems, and assets
  • Responsiveness to user, business and operations’ requests reflects how swiftly the identity, access and privilege management systems address business, user and operational requests
  • Maturity of the password management process reflects how optimally and efficiently the passwords process is managed
  • Compliance context and demonstration reflects the ability to ensure the functioning of operating environment within the compliance boundary and develop compliance demonstration capability
  • Administrative effectiveness and efficiency reflects the ability to manage the administrative processes effectively, transparently and optimally
  • Architectural positioning of solutions and their integration with enterprise architecture reflects how the solution components are positioned and their ability to support enterprise goals
  • Integration with IT infrastructure management processes reflects the ability of the identity, access and privilege management processes to integrate with the IT infrastructure processes to achieve a satisfactory level of service for user, business and operations’ requests
  • Optimization of resource and effort utilization reflects the ability to manage the user identities, access and privileges with optimal usage of resources and efforts
  • User convenience and experience reflect the ability of the processes to achieve user satisfaction in managing their identity, access and privileges and their individual service requests pertaining to identity, access and privilege management
  • Integration with other security processes reflects the ability of identity, access and privilege management to support overall security objectives of an organization
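The segregation-of-duties, de-provisioning and identity-auditing practices listed above can be checked mechanically by reconciling a live entitlement snapshot against the role policy, the HR roster and the SoD rules. The following Python example is added here and is not part of the DSCI framework; the roster, role policy, SoD rules and snapshot are constructed sample data, and the entitlement names are hypothetical.

```python
"""Identity audit reconciliation: compare the entitlements accounts actually
hold against the defined role policy, the HR roster and the segregation-of-
duties (SoD) rules, and report the gaps. All data below is constructed."""

# Constructed HR roster: user id -> (business role, employment status)
HR_ROSTER = {
    "alice": ("ap_clerk", "active"),
    "bob": ("ap_manager", "active"),
    "carol": ("ap_clerk", "terminated"),
}

# Constructed role policy: the entitlements each role is permitted to hold
ROLE_POLICY = {
    "ap_clerk": {"invoice.create"},
    "ap_manager": {"invoice.approve", "report.view"},
}

# Constructed SoD rules: pairs of entitlements one person must never hold together
SOD_RULES = [("invoice.create", "invoice.approve"),
             ("invoice.create", "payment.release")]

# Constructed snapshot of what accounts actually hold on the target system
SNAPSHOT = {
    "alice": {"invoice.create", "invoice.approve"},   # excess right and SoD conflict
    "bob": {"invoice.approve", "report.view"},        # matches the role policy
    "carol": {"invoice.create"},                      # leaver not de-provisioned
    "svc_batch": {"payment.release"},                 # account unknown to HR
}


def audit_access(hr, policy, sod_rules, snapshot):
    """Return the gaps between the live snapshot and the defined policies."""
    findings = {"orphan_accounts": [], "excess_entitlements": {}, "sod_violations": {}}
    for user, held in sorted(snapshot.items()):
        role, status = hr.get(user, (None, "unknown"))
        if status != "active":
            # Account exists but its owner left or was never in HR: de-provision it
            findings["orphan_accounts"].append(user)
            continue
        # Entitlements the user's role does not permit
        excess = held - policy.get(role, set())
        if excess:
            findings["excess_entitlements"][user] = sorted(excess)
        # Conflicting pairs the user holds in full
        conflicts = [pair for pair in sod_rules if set(pair) <= held]
        if conflicts:
            findings["sod_violations"][user] = conflicts
    return findings


if __name__ == "__main__":
    for kind, items in audit_access(HR_ROSTER, ROLE_POLICY, SOD_RULES, SNAPSHOT).items():
        print(kind, items)
```

Each finding maps to a remediation workflow the framework asks for: orphan accounts to de-provisioning, excess entitlements to access change management, and SoD violations to exception handling.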


DSCI Security Framework