Identity and Access Management

What is Identity and Access Management?

Identity and access management (IAM) is a security discipline used to define and manage user identities and access privileges across the systems and applications in the IT infrastructure. It includes management of customer and employee identities and the identities of third-party vendors and partners who access the network. The four primary functions of an IAM system or solution are:

  • Provisioning of users
  • Authentication of user identities
  • Authorization of user access to resources
  • De-provisioning of users

In simple terms, IAM acts as a gatekeeper who ensures that any user who tries to access the network is who they say they are (authentication) and is granted access to resources (authorization) based on their role or context of access.

[Diagram: Identity and Access Management framework and how to secure ERP data with IAM; the difference between IAM authentication and authorization]

AUTHENTICATION: Who are you? Verify the user’s identity.

AUTHORIZATION: What are you allowed to do? Determine user permissions.

Why is IAM Important?

Forrester estimates that 80% of data breaches have a connection to compromised privileged credentials, such as passwords, tokens, keys, and certificates. Identity and access management is a critical component of any enterprise security program because it creates a security layer between users and critical enterprise applications.

IAM systems enable the implementation of best practices like Single Sign-On (SSO) for credential management, forcing users to generate stronger passwords and periodically change them. Multi-factor Authentication (MFA), a core component of IAM, ensures that user identities are confirmed beyond the initial password challenge. IAM can also mitigate the risk of insider threats by ensuring users – including privileged users and third-party vendors – have access to only those systems and applications needed to perform their tasks.

Overall, IAM provides a common platform to manage user identities for the entire organization and enforce access policies across operating platforms, applications, and devices. Advanced IAM solutions also enable organizations to track user activities, create reports about those activities, and enforce policies that aid in regulatory compliance.

Identity and Access Management in ERP Applications

Managing user authentication and authorization is highly complex because businesses operate in hybrid, multi-vendor ERP environments. Employees, contractors, and third-party users such as partners and service providers need access to critical ERP systems to support business activities. These users access ERP from different locations, from personal devices, and over public or third-party service provider networks.

Enterprises look at IAM controls such as single sign-on, multi-factor authentication, and role-based access controls (RBAC) to grant ERP access. But these controls need custom code development and ongoing maintenance to integrate with ERP.

In addition, most MFA is limited to the log-in page, after which the user gets unchecked access to sensitive data and transactions, leading to fraud and increasing material weakness. Also, the traditional RBAC method of providing access is insufficient to protect ERP data and control high-value transaction execution in dynamic environments.

4 Key Technologies that Enable IAM

Identity and Access Management is implemented using a variety of security and authentication solutions. These solutions allow IT administrators to manage identities and enforce access policies without disrupting the workflow and ease of access.

Single Sign-On (SSO)

According to an analysis by Okta, apps deployed by large firms across all industries worldwide have increased 68%, with an average of 129 apps per company by the end of 2018. Single Sign-On solutions enable ease of access by providing users with a single account for accessing all applications. SSO allows IT administrators to have centralized control over who has access to their systems, enforce stronger password policies, and increase overall productivity without compromising security.

Multi-factor Authentication (MFA)

Multi-factor Authentication (MFA) ensures that user identities are confirmed beyond the initial password challenge. MFA requires users to verify their identity using various methods like OTPs, voice calls, apps, fingerprints, etc. If a user’s credentials are stolen or compromised, MFA acts as the first line of defense against cybercriminals who want to gain access to corporate resources.

Role-Based Access Control

Once the user’s identity has been established, the second crucial step is to provide the user with the relevant authorizations to access applications and data. Role-Based Access Control (RBAC) relies on granting access to users based on assigned roles. Each role includes a set of authorizations that allow the user to access applications and perform specific functions. However, RBAC relies completely on user authentication to grant authorization. This significantly increases access risk because when a user’s credentials get compromised, the attacker will also have all the authorizations the user possesses.

Attribute-Based Access Control

Attribute-Based Access Control (ABAC) is an access authorization model that evaluates attributes rather than roles. These attributes include location, time range, days, security clearance level, IP address, etc. Based on the context of access, a user’s authorization level is de-escalated to prevent the user from accessing sensitive information or performing critical business transactions. ABAC is a preventative control that enhances security and mitigates the risk of both external attacks and insider threats.

IAM Challenges in Securing ERP Solutions

User Provisioning

When a new user is added or an existing user’s role needs to be modified, IT teams must manually search through hundreds or thousands of profiles to find the appropriate roles to assign the user. This process is time-consuming, error-prone, and frustrating. As a result, security admins end up granting users more access than needed, which eventually causes segregation of duties conflicts and puts the organization at risk for potential fraud.

Appsian’s AI capabilities read and analyze user roles, user attributes, authorizations, and usage log data (behavior analysis) from target systems (e.g., ERPs, HR, Active Directory, etc.) to provide recommendations. Integrated natural-language processing (NLP) identifies urgent requests and prioritizes them. In addition, the solution consolidates and approves non-risk access requests automatically and alerts if roles are assigned without following standard procedure.

Automated Access Certification

Compliance regulations like Sarbanes-Oxley require organizations to periodically re-certify user access. Access re-certification involves validating access rights within your systems and is essential to reduce business risk and enable organizations to be audit-ready. Usually, this is a daunting process prone to errors since IT auditors have to go through vast amounts of data manually.

Appsian automates the access certification process by grouping all low-risk authorizations into a single approval process, improving efficiency and bringing more focus on high-risk permissions. In addition, the solution provides a behavioral profile to determine the necessity of each authentication, brings in cost savings, and helps meet audit requirements.

Zero Trust Authentication

Traditional IAM solutions use role-based access control to govern access in static environments. It is also cumbersome to integrate MFA with ERP, as it requires custom development and ongoing maintenance. Moreover, users who resist authenticating multiple times may carelessly approve push notifications that appear on their phones, allowing access.

Appsian can enforce a Zero Trust policy that considers a user’s contextual attributes, including the access location, time of the request, and others, before establishing trust and granting access to data or transactions. The solution can force MFA challenges at page/component/field levels or even based on role/privileges. Additionally, the solution can enforce challenges as users move to different applications such as HCM, campus solutions, and more.
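As an added example (not Appsian’s code), the two-step authorization model described in the Role-Based and Attribute-Based Access Control sections and in the Zero Trust paragraph above: roles grant authorizations, then constructed context attributes (source IP, time of the request, device) de-escalate sensitive ones and gate high-value transactions behind a step-up MFA challenge. All role, permission and policy values are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# RBAC half: constructed role catalogue (hypothetical role and permission names).
ROLE_PERMISSIONS = {
    "ap_clerk": {"view_vendor", "create_invoice"},
    "ap_manager": {"view_vendor", "create_invoice", "approve_payment", "view_bank_details"},
}
# Sensitive data and high-value transactions: dropped in an untrusted context,
# gated behind a step-up MFA challenge otherwise.
SENSITIVE = {"approve_payment", "view_bank_details"}
CORPORATE_NETS = [ip_network("10.0.0.0/8")]  # constructed policy values
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 local time

@dataclass
class Context:
    source_ip: str
    when: str  # ISO 8601 local time, e.g. "2024-03-05T10:00"
    managed_device: bool
    mfa_verified: bool = False

@dataclass
class Decision:
    allowed: set = field(default_factory=set)
    step_up_required: set = field(default_factory=set)
    reasons: list = field(default_factory=list)  # failed attribute checks

def failed_checks(ctx: Context) -> list:
    """Evaluate the ABAC attributes; an empty list means the context is trusted."""
    failed = []
    if not any(ip_address(ctx.source_ip) in net for net in CORPORATE_NETS):
        failed.append("off-network")
    if datetime.fromisoformat(ctx.when).hour not in BUSINESS_HOURS:
        failed.append("outside-business-hours")
    if not ctx.managed_device:
        failed.append("unmanaged-device")
    return failed

def authorize(roles, ctx: Context) -> Decision:
    # Step 1 (RBAC): union of the assigned roles' authorizations.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    # Step 2 (ABAC): de-escalate sensitive authorizations on any failed check.
    decision = Decision(reasons=failed_checks(ctx))
    for perm in granted:
        if perm not in SENSITIVE:
            decision.allowed.add(perm)
        elif decision.reasons:
            continue  # de-escalated: only low-risk authorizations remain
        elif not ctx.mfa_verified:
            decision.step_up_required.add(perm)
        else:
            decision.allowed.add(perm)
    return decision
```

Note that a stolen password alone never yields the sensitive authorizations here: they require both a trusted context and a completed MFA challenge.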

Emergency Access

Organizations need to grant developers and support teams temporary or firefighting access to the production environment for troubleshooting. This is a manual process where security teams review the request, grant the temporary access, and follow up multiple times to remove access once the project is complete. Failure to terminate the access or overprovisioning can lead to unnecessary risk and audit failures.

Appsian automates the emergency access process while meeting audit and security requirements. The role is chosen automatically based on the task, and access is revoked when the defined time frame expires. In addition, audit-ready user activity reports are available for review at any time. Appsian also continuously monitors the production environment to flag any suspicious activity.

Continuous Control Monitoring

While users are monitored at the point of access, enterprises do not continuously monitor employees and third-party service providers to analyze SoD violations, master data modifications, and transaction-level activities. The common practice is to audit a random fraction of high-risk activities, which allows the majority of the strategic, financial, operational, contractual, credit, compliance, business continuity, and reputational risks to remain undetected across your ERP landscape.

Appsian provides real-time, context-based monitoring within your ERP applications at the access, transaction, and data level to help you be audit-ready. Additionally, the solution offers 100 percent monitoring, 24/7, 365 days a year, of high-risk activities carried out by employees and third-party users. This level of monitoring helps detect violations rapidly, reduce their impact, and respond to incidents faster.
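An added example, not Appsian’s code, of the transaction-level monitoring described above: it runs two checks over constructed activity log lines, a segregation-of-duties rule (the same user maintaining a vendor and then approving a payment to it) and an after-hours master data change. The log format, action names and rules are assumptions.

```python
import re
from collections import defaultdict

# Constructed ERP activity log (not real product output). Assumed line format:
# <timestamp> <user> <action> <object> [<vendor>]
SAMPLE_LOG = """\
2024-03-05T09:12:01 jdoe VENDOR_CREATE V-1001
2024-03-05T09:15:44 jdoe VENDOR_BANK_CHANGE V-1001
2024-03-05T09:40:10 asmith INVOICE_POST INV-77 V-1001
2024-03-05T10:02:33 jdoe PAYMENT_APPROVE INV-77 V-1001
2024-03-05T11:30:00 asmith VENDOR_CREATE V-1002
2024-03-05T11:45:12 bkhan PAYMENT_APPROVE INV-78 V-1002
2024-03-06T02:14:00 jdoe VENDOR_BANK_CHANGE V-1003
"""

# Conflicting duties (constructed, modelled on the vendor-master vs. payment conflict):
# the same user performing the first action and later the second on the same vendor.
SOD_RULES = {
    ("VENDOR_CREATE", "PAYMENT_APPROVE"): "created the vendor and approved a payment to it",
    ("VENDOR_BANK_CHANGE", "PAYMENT_APPROVE"): "changed vendor bank details and approved a payment to it",
}
MASTER_DATA_ACTIONS = {"VENDOR_CREATE", "VENDOR_BANK_CHANGE"}
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse(log: str) -> list:
    """Turn log lines into events; the vendor is the first V- token, if any."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, action, rest = m.groups()
        vendor = next((t for t in rest.split() if t.startswith("V-")), None)
        events.append({"ts": ts, "user": user, "action": action, "vendor": vendor})
    return events

def find_violations(events: list) -> list:
    """Return (user, vendor, kind, detail) findings in event order."""
    done = defaultdict(set)  # (user, vendor) -> actions already performed
    findings = []
    for e in events:
        if e["vendor"] is None:
            continue
        key = (e["user"], e["vendor"])
        for (first, second), detail in SOD_RULES.items():
            if e["action"] == second and first in done[key]:
                findings.append((e["user"], e["vendor"], "SOD", detail))
        done[key].add(e["action"])
        # Master data modified outside business hours: flag for review.
        if e["action"] in MASTER_DATA_ACTIONS and int(e["ts"][11:13]) not in BUSINESS_HOURS:
            findings.append((e["user"], e["vendor"], "AFTER_HOURS_MASTER_DATA", e["action"]))
    return findings
```

Because the state is keyed per user and vendor, the split workflow (asmith creates V-1002, bkhan approves the payment) produces no finding, while jdoe doing both on V-1001 does.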

Secure Your ERP Access with Appsian

With thousands of users accessing your ERP applications from multiple locations, devices, and networks, Identity and Access Management plays a vital role in ensuring secure access to critical business data and applications like SAP, PeopleSoft, Oracle EBS, etc. Appsian integrates existing enterprise SSO and MFA solutions with ERP to provide a seamless user access experience.

Appsian’s ERP-focused IAM solution provides an additional layer of security with stepped-up MFA at the page or data field level and can gate sensitive t-code execution. Additionally, Appsian’s attribute-based access controls use device, geolocation, and time to significantly reduce data exposure and business risk.
